Just a question about a siem rule filter

willemdh · November 23, 2020, 8:11pm

Hello,

Just wondering what's the purpose of the extra info / metadata in the filter of for example:

elastic/detection-rules/blob/main/rules/apm/apm_null_user_agent.toml

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/26"

[rule]
author = ["Elastic"]
description = "A request to a web application server contained no identifying user agent string."
false_positives = [
    """
    Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet
    contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is
    unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
    """,
]
index = ["apm-*-transaction*"]
language = "kuery"
license = "Elastic License"
name = "Web Application Suspicious Activity: No User Agent"

This file has been truncated. show original

I can't find this info in the SIEM rule when I duplicate it:

{
    "$state": {
        "store": "appState"
    },
    "exists": {
        "field": "user_agent.original"
    },
    "meta": {
        "disabled": false,
        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
        "key": "user_agent.original",
        "negate": true,
        "type": "exists",
        "value": "exists"
    }
}

What does the meta and $state do exactly? And why can't I find this info in the rule configuration?

Grtz

Willem

Andrew_G · November 24, 2020, 10:58pm

Hi @willemdh,

The meta and $state entries are used to serialize and deserialize the state of the search bar filters shown in the Custom query section of the rule configuration.

Let's explore how the JSON in the previous post maps to the screenshot of the rule configuration:

the value of the key entry in the meta section of the JSON:

"key": "user_agent.original"

corresponds with the search bar filter's Field user_agent.original in the screenshot you provided ( focus on the EDIT FILTER popover):

the value for the type entry in the meta section of the JSON:

"type": "exists",

is combined with the negate entry (also in the meta section of the JSON):

"negate": true,

to become Operator does not exist in the screenshot:

Thanks for your question!

willemdh · November 26, 2020, 9:11pm

Hello @Andrew_G,

Thanks a lot for the detailed explanation. Just to get to the bottom of this...

( focus on the EDIT FILTER popover):

When I click 'Edit filter' I do not see the meta and $state keys:

This is normal right? (The rule has been duplicated and edited, but I did not touch this filter)

I just find it weird that pasting

{
  "exists": {
    "field": "user_agent.original"
  }
}

Seems to have the same result as pasting

{
    "$state": {
        "store": "appState"
    },
    "exists": {
        "field": "user_agent.original"
    },
    "meta": {
        "disabled": false,
        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
        "key": "user_agent.original",
        "negate": true,
        "type": "exists",
        "value": "exists"
    }
}

After saving any of the above and going back to 'Edit filter', I always see:

Grtz

Willem

Andrew_G · November 30, 2020, 3:55pm

Yes, this is normal; the meta and $state fields are internal, and not intended to be editable via the UI.

Topic		Replies	Views
Cannot filter data in elastic SIEM SIEM	6	853	November 17, 2020
Question on the capability of elastic SIEM SIEM	2	434	December 8, 2020
Managing SIEM rules is harder then it should SIEM	3	490	March 11, 2021
Security Detection Rules ( SIEM ) Elasticsearch	0	142	May 24, 2024
Rules don't trigger and preview window is empty SIEM	7	1630	April 21, 2022

Just a question about a siem rule filter

Related topics