We are using Elasticsearch and Kibana version 7.16.3.
We have defined a security rule and added some exceptions to this rule.
Some of the exceptions are working fine, filtering the events that match the exception and not generating any new alerts, but one of them is not. The field used for all the exceptions is the same, rule.name of type keyword.
These are two of the exceptions created for the rule; the one on top is working, but the one marked in red is the one failing to filter the events:
@masuel I have not been able to reproduce this behavior on 7.16.3 using the messages above. When creating the exception, did you select the text from the dropdown, or did you enter it manually? Are you sure the text is matching exactly?
If you can provide the exact text used in the exception, along with an example alert JSON that was not filtered, I'd be happy to check those on my end.
I copied the text from the exception and used it to filter, as shown in the screenshot in my first post, so it should match exactly. The text is:
ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File
The JSON:
"_source": {
    ...
    "rule": {
        "name": "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File",
        "id": "2025705",
        "category": "Potentially Bad Traffic"
    }
    ...
},
Another question regarding the exceptions: is it planned to support partial matches on the exception value? When creating an exception, the only options available allow filtering by the full value, in this case "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File". It would be nice to allow the use of wildcards, for example "ET POLICY SMB2 NT Create AndX Request*".
@masuel I'm still not able to reproduce this behavior on 7.16.3. Can you confirm that new alerts are still being generated AFTER adding the exception?
Unfortunately, we do not support wildcards in rule exceptions at this time. But there is a workaround below. This workaround should give you the same behavior that you'd expect from using exceptions above, but maybe you'll have better results:
The alerts were still being generated after the exception was added.
We removed the alert, recreated it and recreated all the exceptions, and now it seems to be working fine.
Just in case we find a similar issue in the future, is there some log or any way to debug the alerts/exception execution?
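For the two questions in this thread (why an exact-value exception on a keyword field can silently fail to match, and how one might debug it), the following is an added example, not code from the thread or from Elastic: it re-implements the exact, case-sensitive keyword comparison locally over an alert document shaped like the JSON above, reports the usual copy/paste traps (trailing whitespace, case, non-breaking spaces), and shows what a wildcard match would do. The `wildcard` flag, `get_field` and `diagnose` are this example's own constructs, and the alert document is constructed, not real rule output.

```python
import json
import unicodedata
from fnmatch import fnmatchcase

# Constructed sample alert, shaped like the _source excerpt quoted in the thread.
ALERT = json.loads("""
{"rule": {"name": "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File",
          "id": "2025705", "category": "Potentially Bad Traffic"}}
""")

def get_field(doc, path):
    """Resolve a dotted field path such as 'rule.name' against a nested dict."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def matches_exception(doc, field, value, wildcard=False):
    """Keyword-style comparison: exact, case-sensitive, whole value only.
    wildcard=True is a local extension using fnmatch (* and ?), not Elastic behaviour."""
    actual = get_field(doc, field)
    if not isinstance(actual, str):
        return False
    return fnmatchcase(actual, value) if wildcard else actual == value

def diagnose(doc, field, value):
    """Explain why an exact keyword match failed, checking the common traps in order."""
    actual = get_field(doc, field)
    if actual is None:
        return "field missing in alert"
    if actual == value:
        return "exact match"
    if actual.strip() == value.strip():
        return "leading/trailing whitespace differs"
    if actual.casefold() == value.casefold():
        return "case differs (keyword fields are case-sensitive)"
    def norm(s):  # fold look-alike characters such as U+00A0 into plain ASCII
        return unicodedata.normalize("NFKC", s).replace("\u00a0", " ")
    if norm(actual) == norm(value):
        return "non-ASCII or non-breaking space characters differ"
    return "values differ"

if __name__ == "__main__":
    name = "ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"
    print(matches_exception(ALERT, "rule.name", name))            # True
    print(matches_exception(ALERT, "rule.name", name + " "))      # False
    print(diagnose(ALERT, "rule.name", name + " "))
    print(matches_exception(ALERT, "rule.name", "ET POLICY SMB2*", wildcard=True))
```

Running `diagnose` over a few alerts that were not filtered is a quick way to see whether the exception value and the indexed value really are byte-for-byte identical before recreating the rule.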