Managing SIEM rules is harder then it should

willemdh · February 10, 2021, 12:01pm

Hello,

I'd like to make some suggestions about the Elastic SIEM rule management.

Monday we had a major hardware failure of a network card of on of our hot data nodes. The node in particular was not completely offline and had about 20 to 80 % packet loss. Very long story short, we got through a lot of issues and for now this node has been removed from the cluster.

But a result of the issues was that all of our SIEM rules generated search errors (which was weird as the red indices causing issues were from several weeks ago)..

To reduce the load, I had to temporarily deactivate all SIEM rules. Today I want to enable them all again and I'm struggling to find a way to only enable the rules which have not been duplicated, but not enable the default rules which have been duplicated. I thought I could filter on the Elastic tag, but some rules (such as AWS) don't have the Elastic tag. Also there seems to be no way to select all rules which do NOT have a certain tag. Anway, I'm going to have to browse through all rules manually and only select those which have not been duplicated, which is a very annoying job.

Thanks for considering a way in the future to be able to filter on rules which do NOT have a certain tag and or maybe add a 'default' tag to rules which have been imported, but not edited or cloned (or at least add Elastic everywhere). We can/could of course remove this 'default' tag (or Elastic) when duplicating a rule.

It would also be nice if we could sort on 'Severity', 'Risk Score' , 'last Run', 'Last Response'.

One more thing, when you select a tag, then select all rules with that tag and delete them, you end up with 0 rules in the Rule overview and it's impossible to deselect the selected tag, because it's not there any more.. (only solution is a hard refresh.. or go back and return to this page..)

Grtz

Willem

Mike_Paquette · February 11, 2021, 11:59am

Hi @willemdh, thanks for once again taking time to share your experience and suggestions with us!

We agree that there is room for improvement in the rule management experience, and we've received similar feedback from other users.

Detection engineers, rule authors, and rule managers have told us that they need fully flexible searching (with logical operators like NOT, OR, AND) across the entire set of prebuilt and custom rules, based on things like rule names, embedded rule metadata (e.g., ATT&CK tactics, techniques, severity, risk_score, etc.), tags, and rule attributes (e.g., last updated time, last_run, etc.).

Although we cannot commit to releases or dates, our roadmap calls for improvements along these lines, as well as other rule management feature such as bulk editing of rules, and improved rule monitoring. Please stay tuned!

To a couple of your specific points:

I thought I could filter on the Elastic tag, but some rules (such as AWS) don't have the Elastic tag.

I'm not sure what version you're using, but I just checked in 7.11, and all the AWS rules do have the "elastic" tag on them. (Note: you need to click on see more to see it.)

One more thing, when you select a tag, then select all rules with that tag and delete them, you end up with 0 rules in the Rule overview and it's impossible to deselect the selected tag, because it's not there any more.. (only solution is a hard refresh.. or go back and return to this page..)

Thanks for reporting this. I think this was fixed in [Security Solution][Detections] Deleting all rules when filtered to a tag locks in tag selection · Issue #79566 · elastic/kibana · GitHub. I just tried to reproduce this in 7.11, and the problem is indeed fixed there.

Finally, sometimes I have worked around this challenge by sorting my rule list by "Version" or "Last Updated" columns and finding the subset of rules I am looking for. Maybe you'll have some luck!

Thanks again!

willemdh · February 11, 2021, 2:40pm

Thank you @Mike_Paquette for listening to my concerns and taking the time to answer me.

We are currently on 7.10.2.

I'm looking forward to update to 7.11, but we actually only updated last week to 7.10.2 and my management thinks we already spend too much time updating Elastic... Also it has been my personal experience that we better wait before updating to a new major release untill at least x.x.1 has been released, as we had too many bad update experiences in the past..

Looking forward to:

"fully flexible searching (with logical operators like NOT, OR, AND) across the entire set of prebuilt and custom rules, based on things like rule names, embedded rule metadata (e.g., ATT&CK tactics, techniques, severity, risk_score, etc.), tags, and rule attributes (e.g., last updated time, last_run, etc.)"

Best regards,

Willem

system · March 11, 2021, 2:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.