opensearch-project / security-analytics

Security Analytics enables users for detecting security threats on their security event log data. It will also allow them to modify/tailor the pre-packaged solution.
Apache License 2.0
72 stars 74 forks source link

[BUG] Creating a custom detection rule + detector for that rule first breaks findings generation #805

Open engechas opened 9 months ago

engechas commented 9 months ago

What is the bug? Creating a custom detection rule, then a detector for that rule before creating any other detectors will prevent findings from being generated for all detectors.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Start with a fresh cluster running security analytics
  2. Create the following detection rule
    id: 25b9c01c-350d-4b95-bed1-836d04a4f473
    logsource:
    product: cloudtrail
    title: AWS User Login Profile Was Modified - Chase
    description: my rule
    tags:
    - attack.persistence
    - attack.t1098
    falsepositives:
    - Legit User Account Administration
    level: high
    status: experimental
    references:
    - 'https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation'
    author: Chase
    detection:
    selection_source:
    eventSource: iam.amazonaws.com
    eventName: UpdateLoginProfile
    filter:
    userIdentity.arn|contains: requestParameters.userName
    condition: selection_source and not filter
  3. Create a detector with only the above rule
  4. Index the following document that should generate a finding:
    {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGITEXAMPLE",
        "arn": "arn:aws:iam::888888888888:user/Mary",
        "accountId": "888888888888",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mary",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:25:09Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateLoginProfile",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
    "requestParameters": {
        "userName": "Richard"
    },
    "responseElements": {
        "user": {
            "path": "/",
            "arn": "arn:aws:iam::888888888888:user/Richard",
            "userId": "AIDA6ON6E4XEP7EXAMPLE",
            "createDate": "Jul 19, 2023 9:25:09 PM",
            "userName": "Richard"
        }
    },
    "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
    "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "888888888888",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "iam.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
    }
  5. Verify no finding is generated

What is the expected behavior? Findings should still be generated when a custom detection rule is used in the initially created detector

What is your host/environment?

Do you have any screenshots? If applicable, add screenshots to help explain your problem.

Do you have any additional context? When a detector is created with a default rule first, then a second detector is created with a custom rule, findings are generated. It looks specific to the first detector using a custom rule.

tallyoh commented 9 months ago

@engechas good afternoon. I did not quite understand this post. Are you saying that after creating a custom rule, that all the pre-built rules are no longer finding alerts anymore?

praveensameneni commented 6 months ago

@eirsep , can you please confirm if this is an issue after the bug fixes