[Security Detection Engine] Incorrect Indices for "Suspicious Web Browser Sensitive File Access" Rule
Opened this issue · 7 comments
Issue:
The detection rule "Suspicious Web Browser Sensitive File Access" is currently configured to query the `logs-endpoint.events.file.*` indices, but it is a process-related rule and needs to instead be looking at the `logs-endpoint.events.process.*` indices. As the rule is currently configured, execution results in an error:
Suggestion:
Change the defined index in the detection rule. I will open a PR for this momentarily.
Hi @MakoWish, I think the source for the rule is actually at
and then the Detections team generates the content of the package based off that. So I think you want to make a PR to change that file.
That is strange that what is in the Integrations repo shows `logs-endpoint.events.file.*`, which is both the incorrect index, and incorrectly has a trailing `.*`. But what is in the Detection Rules repo shows `logs-endpoint.events.file-*`, which has the incorrect index, but the trailing `-*` would be proper. There seems to be a disconnect somewhere.
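As an added illustration of the two index-pattern problems raised above (this is example code, not code from the Integrations or Detection Rules repositories): a small Python check that expands each of a rule's index patterns against data stream names and compares the EQL event category in the query with the dataset the pattern selects. Because Elastic data streams are named `logs-<dataset>-<namespace>`, a pattern ending in `.*` never matches `logs-endpoint.events.file-default`, while `-*` does. The data stream names, rule fragments and queries below are constructed for this example; the rule's real query is not reproduced here.

```python
import fnmatch
import re

# Constructed data stream names following the logs-<dataset>-<namespace>
# convention the Endpoint integration writes to (assumed for this example).
SAMPLE_DATA_STREAMS = [
    "logs-endpoint.events.file-default",
    "logs-endpoint.events.process-default",
    "logs-endpoint.events.network-default",
]

# Constructed rule fragments; the queries are illustrative only and are not
# the query of the real "Suspicious Web Browser Sensitive File Access" rule.
SAMPLE_RULES = {
    "trailing-dot-star": {
        "index": ["logs-endpoint.events.file.*"],
        "query": 'file where host.os.type == "macos" and event.action == "open"',
    },
    "correct-pattern": {
        "index": ["logs-endpoint.events.file-*"],
        "query": 'file where host.os.type == "macos" and event.action == "open"',
    },
    "category-mismatch": {
        "index": ["logs-endpoint.events.file-*"],
        "query": 'process where event.type == "start"',
    },
    "sequence-partial-coverage": {
        "index": ["logs-endpoint.events.process-*"],
        "query": 'sequence by host.id [process where event.type == "start"] [file where event.action == "open"]',
    },
}

# Every "<category> where" in the query, which also handles sequence queries.
CATEGORY_RE = re.compile(r"\b([a-z_]+)\s+where\b")


def eql_event_categories(query):
    """Return the set of EQL event categories the query filters on ('any' is unconstrained)."""
    return {c for c in CATEGORY_RE.findall(query) if c != "any"}


def matching_streams(pattern, streams=SAMPLE_DATA_STREAMS):
    """Data streams an index pattern selects; index patterns use shell-style globbing."""
    return [s for s in streams if fnmatch.fnmatchcase(s, pattern)]


def pattern_covers_category(pattern, category):
    """True if the pattern targets the endpoint.events.<category> dataset."""
    return re.search(rf"events\.{re.escape(category)}[-.]", pattern) is not None


def lint_rule(rule, streams=SAMPLE_DATA_STREAMS):
    """Return a list of human-readable findings; an empty list means the rule passed."""
    findings = []
    for pattern in rule["index"]:
        if pattern.endswith(".*"):
            findings.append(
                f"{pattern}: trailing '.*' cannot match '<dataset>-<namespace>' names; use '-*'"
            )
        if not matching_streams(pattern, streams):
            findings.append(f"{pattern}: matches none of the known data streams")
    for category in sorted(eql_event_categories(rule["query"])):
        if not any(pattern_covers_category(p, category) for p in rule["index"]):
            findings.append(
                f"query uses '{category} where' but no index pattern covers endpoint.events.{category}"
            )
    return findings


def lint_all(rules=SAMPLE_RULES, streams=SAMPLE_DATA_STREAMS):
    """Lint every rule and return {name: findings}."""
    return {name: lint_rule(rule, streams) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Running the block flags the `.*` pattern twice (wrong suffix, and it selects no data stream), passes the `-*` pattern, and reports the rules whose query category is not covered by any index pattern, which is the mismatch the thread is chasing.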
Maybe some kind of translation problem then...
@elastic/threat-research-and-detection-engineering, can you please take a look.
There actually seems to be more issues with this rule. Not only is it looking at `process.*` details, which would be in the `logs-endpoint.events.process-*` indices, but it is also looking for a `file.name`, which does not exist in the `logs-endpoint.events.process-*` indices. I'll need to dig into this one a bit more.
Yeah, I cannot find any instances where `process.Ext.effective_parent.executable: exists` and `file.name: exists` in any of the `logs-endpoint.events.*` indices. Unless I am missing something, this seems to be an impossible query.
Hey everyone - To fix the rule, we can open an issue in the Detection Rules repository. Integrations is where we put the prebuilt package for these rules so they can follow the same package release process to EPR where fleet pulls them in.
I'm away from my desk but happy to take an initial look when I return later.
This PR, elastic/detection-rules#4029, should fix the error. The index is correct; `process.Ext.effective_parent.executable` (not populated in file events for macOS) was replaced by `Effective_process.executable` (populated in file events for macOS 8.11.1+).