Double whitespace in Exception's field's value

Elastic Security
1

Hi there,

I am trying to add an exception to a rule where these are the details given:

  • Field: winlog.event_data.ParentCommandLine
  • Operator: is
  • Value: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile ... (truncated)

It is not obvious just by looking at the Value's content, but there are 2 whitespaces in between powershell.exe and -NoProfile.

After copying-and-pasting it into the box that requires it (i.e. it is added as a "custom option"), I saved it. Copying-and-pasting the content in Value that was now reflected back to me showed that there was only 1 whitespace.

There appears to be no other way for me at the moment to use another field or piece of content for this exception, and thus I would have to look at resolving this error/bug(?)

Thank you so much for reading!

2

I think the problem we have is that by default HTML/DOM displays multiple spaces as a single space and that we are doing it as well. We really shouldn't allow the HTML/DOM to change your value when displaying it back to you. We will want to fix the display issue.

Ref: formatting - Why does HTML require that multiple spaces show up as a single space in the browser? - Stack Overflow

The good news is that you should still be able to use exceptions even though you have multiple spaces in the value box. That part works.

I just tested it by adding data like this in dev tools:

Create a small mapping

DELETE delme-frank-1
PUT delme-frank-1
{
  "mappings": {
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "winlog": {
        "properties": {
          "event_data": {
            "properties": {
              "ParentCommandLine": {
                "type": "keyword"
              }
            }
          }
        }
      }
    }
  }
}

Add two documents. One of which has multiple spaces in the value section

PUT delme-frank-1/_doc/1
{
  "@timestamp": "2021-07-16T17:10:28.902Z",
  "winlog": {
    "event_data": {
      "ParentCommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe  -NoProfile"
    }
  }
}

PUT delme-frank-1/_doc/2
{
  "@timestamp": "2021-07-16T17:10:29.902Z",
  "winlog": {
    "event_data": {
      "ParentCommandLine": "something else"
    }
  }
}

Make sure we see it

GET delme-frank-1/_search

Create a rule without activating that has long look back time to get our timestamp but dont activate until we add an exception.

Screen Shot 2021-07-16 at 11.36.19 AM
Screen Shot 2021-07-16 at 11.36.19 AM1850×984 58.1 KB

Add the exception:

Screen Shot 2021-07-16 at 11.36.29 AM
Screen Shot 2021-07-16 at 11.36.29 AM1790×1042 81.1 KB

I then checked to ensure it was there with two spaces in the network panel:

Screen Shot 2021-07-16 at 11.26.40 AM
Screen Shot 2021-07-16 at 11.26.40 AM2010×1246 405 KB

Checked to see that indeed HTML is hiding double spaces:

Screen Shot 2021-07-16 at 11.29.02 AM
Screen Shot 2021-07-16 at 11.29.02 AM1526×206 55.7 KB

Turned on the rule and saw that it is working and only signaling once:

Screen Shot 2021-07-16 at 11.39.19 AM
Screen Shot 2021-07-16 at 11.39.19 AM3230×1464 362 KB

I did write up a Kibana issue for the HTML display problem but again you should be ok using it, just don't copy and paste from the HTML/DOM as is, since it's truncating the spacing:

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.