search

opensearch-project / security-analytics

Security Analytics enables users for detecting security threats on their security event log data. It will also allow them to modify/tailor the pre-packaged solution.
Apache License 2.0
72 stars 74 forks source link

[BUG] Creating a custom detection rule + detector for that rule first breaks findings generation #805

Open engechas opened 9 months ago

engechas commented 9 months ago

What is the bug? Creating a custom detection rule, then a detector for that rule before creating any other detectors will prevent findings from being generated for all detectors.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Start with a fresh cluster running security analytics
  2. Create the following detection rule 
    id: 25b9c01c-350d-4b95-bed1-836d04a4f473
logsource:
product: cloudtrail
title: AWS User Login Profile Was Modified - Chase
description: my rule
tags:
- attack.persistence
- attack.t1098
falsepositives:
- Legit User Account Administration
level: high
status: experimental
references:
- 'https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation'
author: Chase
detection:
selection_source:
eventSource: iam.amazonaws.com
eventName: UpdateLoginProfile
filter:
userIdentity.arn|contains: requestParameters.userName
condition: selection_source and not filter
  3. Create a detector with only the above rule
  4. Index the following document that should generate a finding: 
    {
"eventVersion": "1.08",
"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA6ON6E4XEGITEXAMPLE",
    "arn": "arn:aws:iam::888888888888:user/Mary",
    "accountId": "888888888888",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Mary",
    "sessionContext": {
        "sessionIssuer": {},
        "webIdFederationData": {},
        "attributes": {
            "creationDate": "2023-07-19T21:11:57Z",
            "mfaAuthenticated": "false"
        }
    }
},
"eventTime": "2023-07-19T21:25:09Z",
"eventSource": "iam.amazonaws.com",
"eventName": "UpdateLoginProfile",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
"requestParameters": {
    "userName": "Richard"
},
"responseElements": {
    "user": {
        "path": "/",
        "arn": "arn:aws:iam::888888888888:user/Richard",
        "userId": "AIDA6ON6E4XEP7EXAMPLE",
        "createDate": "Jul 19, 2023 9:25:09 PM",
        "userName": "Richard"
    }
},
"requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
"eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "888888888888",
"eventCategory": "Management",
"tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "iam.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
  5. Verify no finding is generated

What is the expected behavior? Findings should still be generated when a custom detection rule is used in the initially created detector

What is your host/environment?

Do you have any screenshots? If applicable, add screenshots to help explain your problem.

Do you have any additional context? When a detector is created with a default rule first, then a second detector is created with a custom rule, findings are generated. It looks specific to the first detector using a custom rule.

tallyoh commented 9 months ago

@engechas good afternoon. I did not quite understand this post. Are you saying that after creating a custom rule, that all the pre-built rules are no longer finding alerts anymore?

praveensameneni commented 6 months ago

@eirsep , can you please confirm if this is an issue after the bug fixes