Security Detection exception MATCHES not working properly

Hi,

I have this issue with an exception. I have 2 parameters with the IS operator and one parameter with MATCHES. If I edit that exception, make no changes, and then check "Close all alerts...", save, then all alerts are closed, so it means it matches, but a new Detection is created anyway, as if it does not work while the Rule is run. Other exceptions on this rule work correctly, even with the MATCHES operator. Kibana is 8.11.4.

This is an example string from the log, consisting of multiple special characters:
process.command_line:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\ ......

This is the MATCHES value of that field in the exception:

C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*

I even tried to escape the " ( ' characters (which is not required by the docs), but got the same result. Any ideas what I am missing? Thanks.

Hi @stanley783 !

Thanks for reaching out. When we see issues where the alerts are matching the exception and closing out, but alerts continue to be generated on subsequent rule runs - it is often due to a mapping issue. Can you use the field caps endpoint to see what the target fields are mapped as? If the field is not mapped or mismapped on a matching source index, this can result in the exception not taking.

You can also check in the exceptions UI to see if a warning is being shown letting you know that the field is mapped differently across indices or unmapped somewhere.

Hi @yctercero ,

thanks for the reply! Unfortunately this was not the issue. There was no mapping issue/conflict marking in the Data View, and all fields used are mapped as keyword. This is the example output for one of the fields; the two other fields (user.name and host.name) used in the exception have the same output.

{
  "fields": {
    "process.command_line": {
      "keyword": {
        "type": "keyword",
        "metadata_field": false,
        "searchable": true,
        "aggregatable": true
      }
    },
    "process": {
      "object": {
        "type": "object",
        "metadata_field": false,
        "searchable": false,
        "aggregatable": false
      }
    }
  }
}
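As an added example (not code from the thread or from Elastic), here is a small checker for the field caps output that the reply above asks for, run over the healthy response quoted here and over a constructed response in which the field is mapped differently across indices; the index names are hypothetical and the request is assumed to have used include_unmapped=true:

```python
# Constructed sample responses (hypothetical index names): the healthy
# field_caps output quoted above, and one where process.command_line is
# "keyword" in one index, "text" in another and unmapped in a third.
HEALTHY = {
    "indices": ["logs-endpoint-a"],
    "fields": {
        "process.command_line": {
            "keyword": {"type": "keyword", "metadata_field": False,
                        "searchable": True, "aggregatable": True}
        }
    },
}
CONFLICTING = {
    "indices": ["logs-endpoint-a", "logs-endpoint-b", "logs-endpoint-c"],
    "fields": {
        "process.command_line": {
            "keyword": {"type": "keyword", "searchable": True,
                        "aggregatable": True, "indices": ["logs-endpoint-a"]},
            "text": {"type": "text", "searchable": True,
                     "aggregatable": False, "indices": ["logs-endpoint-b"]},
            "unmapped": {"type": "unmapped", "searchable": False,
                         "aggregatable": False, "indices": ["logs-endpoint-c"]},
        }
    },
}


def check_field(resp, field, expected="keyword"):
    """List mapping problems for `field` in a field_caps response.

    A healthy field has exactly one type with no per-type "indices" key
    (same mapping everywhere) and no "unmapped" entry (include_unmapped=true).
    """
    caps = resp.get("fields", {}).get(field)
    if not caps:
        return [f"{field}: not present in any of {resp.get('indices')}"]
    problems = []
    if "unmapped" in caps:  # some index in the pattern lacks the field
        problems.append(f"{field}: unmapped in {caps['unmapped'].get('indices')}")
    types = {t: info for t, info in caps.items() if t != "unmapped"}
    if len(types) > 1:  # same field name, different mappings per index
        where = {t: info.get("indices", "all") for t, info in types.items()}
        problems.append(f"{field}: conflicting types {where}")
    for t in types:  # a wildcard (MATCHES) exception expects a keyword field
        if t != expected:
            problems.append(f"{field}: mapped as {t}, exception expects {expected}")
    return problems
```

Calling check_field on each field used in the exception (process.command_line, user.name, host.name) returns an empty list where the mapping is consistent and a list of findings otherwise.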
