willemdh
(WillemDH)
November 23, 2020, 8:11pm
1
Hello,
Just wondering what the purpose is of the extra info / metadata in the filter of, for example:
[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/26"
[rule]
author = ["Elastic"]
description = "A request to a web application server contained no identifying user agent string."
false_positives = [
"""
Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet
contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is
unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
""",
]
index = ["apm-*-transaction*"]
language = "kuery"
license = "Elastic License"
name = "Web Application Suspicious Activity: No User Agent"
I can't find this info in the SIEM rule when I duplicate it:
{
"$state": {
"store": "appState"
},
"exists": {
"field": "user_agent.original"
},
"meta": {
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "user_agent.original",
"negate": true,
"type": "exists",
"value": "exists"
}
}
What do the meta and $state entries do exactly? And why can't I find this info in the rule configuration?
Grtz
Willem
Andrew_G
(Andrew Macri)
November 24, 2020, 10:58pm
2
Hi @willemdh ,
The meta and $state entries are used to serialize and deserialize the state of the search bar filters shown in the Custom query section of the rule configuration.
Let's explore how the JSON in the previous post maps to the screenshot of the rule configuration:
The value of the key entry in the meta section of the JSON:
"key": "user_agent.original"
corresponds with the search bar filter's Field user_agent.original in the screenshot you provided (focus on the EDIT FILTER popover):
The value for the type entry in the meta section of the JSON:
"type": "exists",
is combined with the negate entry (also in the meta section of the JSON):
"negate": true,
to become Operator does not exist in the screenshot:
Thanks for your question!
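As an added example (not code from this thread or from Kibana itself), the mapping Andrew describes expressed in Python: it fills in the meta/$state entries for a bare filter using assumed defaults and renders the Field/Operator label that the EDIT FILTER popover shows. The match_phrase branch and its "is" / "is not" labels go beyond the exists filter discussed here and are an assumption.

```python
from copy import deepcopy

# Constructed sample: the full filter quoted in the thread, and the bare form without meta/$state
FULL_FILTER = {
    "$state": {"store": "appState"},
    "exists": {"field": "user_agent.original"},
    "meta": {
        "disabled": False,
        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
        "key": "user_agent.original",
        "negate": True,
        "type": "exists",
        "value": "exists",
    },
}
BARE_FILTER = {"exists": {"field": "user_agent.original"}}

INTERNAL_KEYS = ("meta", "$state")


def query_part(flt):
    """Return (clause type, clause body): the single key that is not meta or $state."""
    clauses = {k: v for k, v in flt.items() if k not in INTERNAL_KEYS}
    if len(clauses) != 1:
        raise ValueError(f"expected exactly one query clause, got {sorted(clauses)}")
    return next(iter(clauses.items()))


def normalize_filter(flt):
    """Fill in meta/$state for a bare filter. Defaults (negate False, disabled False) are assumptions."""
    kind, body = query_part(flt)
    if kind == "exists":
        key, value, meta_type = body["field"], "exists", "exists"
    elif kind == "match_phrase":  # assumption: phrase filters carry type "phrase" in meta
        (key, value), meta_type = next(iter(body.items())), "phrase"
    else:
        raise ValueError(f"unsupported filter clause: {kind}")
    out = deepcopy(flt)
    meta = out.setdefault("meta", {})
    for name, default in (("key", key), ("value", value), ("type", meta_type),
                          ("negate", False), ("disabled", False)):
        meta.setdefault(name, default)  # keep whatever the filter already carries
    out.setdefault("$state", {"store": "appState"})
    return out


def describe_filter(flt):
    """Render Field and Operator the way the EDIT FILTER popover labels them."""
    meta = normalize_filter(flt)["meta"]
    if meta["type"] == "exists":
        return f"{meta['key']} {'does not exist' if meta['negate'] else 'exists'}"
    return f"{meta['key']} {'is not' if meta['negate'] else 'is'} {meta['value']}"
```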
willemdh
(WillemDH)
November 26, 2020, 9:11pm
3
Hello @Andrew_G ,
Thanks a lot for the detailed explanation. Just to get to the bottom of this...
(focus on the EDIT FILTER popover):
When I click 'Edit filter' I do not see the meta and $state keys:
This is normal right? (The rule has been duplicated and edited, but I did not touch this filter)
I just find it weird that pasting
{
"exists": {
"field": "user_agent.original"
}
}
seems to have the same result as pasting
{
"$state": {
"store": "appState"
},
"exists": {
"field": "user_agent.original"
},
"meta": {
"disabled": false,
"indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"key": "user_agent.original",
"negate": true,
"type": "exists",
"value": "exists"
}
}
After saving any of the above and going back to 'Edit filter', I always see:
Grtz
Willem
Andrew_G
(Andrew Macri)
November 30, 2020, 3:55pm
4
willemdh:
When I click 'Edit filter' I do not see the meta and $state keys:
This is normal right? (The rule has been duplicated and edited, but I did not touch this filter)
Yes, this is normal; the meta and $state fields are internal, and not intended to be editable via the UI.