
[Security Solution] Event/Alert Details JSON View displays nested objects inaccurately #90355

Open
rylnd opened this issue Feb 4, 2021 · 9 comments
Labels
enhancement New value added to drive a business result Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team triage_needed UX

Comments

@rylnd
Contributor

rylnd commented Feb 4, 2021

The Event/Alert Details flyout displays nested objects (type: nested) as a single object, and in doing so loses information about the true underlying structure of those nested documents.

Affects Kibana 7.11+

Display in JSON View:
(screenshot: JSON View in Kibana)

Document in the signals index:
(screenshot: Dev Tools in Elastic)
Note here that threat.indicator.url is unmapped.

Related to #90222, but distinct enough that I filed a separate issue.

@rylnd rylnd added bug Fixes for quality problems that affect the customer experience Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 4, 2021
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema
Member

@karanbirsingh-qasource can you please validate the fix of this issue on 7.12.BC3? Thanks :)

@ghost

ghost commented Mar 22, 2021

Hi @MadameSheema & @rylnd

Thanks for the update.

We have validated this issue on 7.12.0 BC5 and found it fixed. However, we have one question regarding the ticket.

Build Details:

Version: 7.12.0 BC5
Commit: b7f9a41f486a2910ef22a1274ec734219c35ca3e
Version: 39309

Question:

Q1. On our sample data Event/Alert Details JSON View, the JSON data is encoded; however, we have unescaped that same data and checked that the order and structuring were correct and matched the one from GET Document signal.

So can you please confirm whether this JSON data being encoded under Event/Alert Details can also be considered part of this reported issue or not?
(screenshot)

```json
"threat": {
  "indicator": "{\"domain\":\"117.242.211.13\",\"matched\":{\"atomic\":\"117.242.211.13\",\"field\":\"mydata.domain\",\"id\":\"-TxzWXgBajxX6dLQFGo-\",\"index\":\"indicator\"}}"
}
}
```

```
"threat_mapping": "{\"entries\":[{\"field\":\"mydata.domain\",\"type\":\"mapping\",\"value\":\"threatintel.indicator.domain\"}]}",
"threat": {
  "indicator": "{"domain":"117.242.211.13","matched":{"atomic":"117.242.211.13","field":"mydata.domain","id":"-TxzWXgBajxX6dLQFGo-","index":"indicator"}}"
}
}
```

```json
"threat" : {
  "indicator" : [
    {
      "domain" : "117.242.211.13",
      "matched" : {
        "atomic" : "117.242.211.13",
        "field" : "mydata.domain",
        "id" : "-TxzWXgBajxX6dLQFGo-",
        "index" : "indicator"
      }
    }
  ]
}
```

Observations:

Steps followed to create the nested-data detection alert:

  1. With the help of Dev Tools, generate the following indexes and docs:

```
PUT indicator
PUT /indicator/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "threatintel": {
      "properties": {
        "indicator": {
          "properties": {
            "domain": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}
POST /indicator/_doc
{
  "@timestamp": "2021-02-22T21:00:49.337Z",
  "threatintel": {
    "indicator": {
      "domain": "117.242.211.13"
    }
  }
}

PUT mydata
PUT /mydata/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "mydata": {
      "properties": {
        "domain": {
          "ignore_above": 1024,
          "type": "keyword"
        }
      }
    }
  }
}
POST /mydata/_doc
{
  "@timestamp": "2021-02-22T21:00:49.337Z",
  "mydata": {
    "domain": "117.242.211.13"
  }
}
```

  2. Create an indicator match rule with the following details:

    index patterns: mydata
    indicator index patterns: indicator
    Indicator mapping field: mydata.domain
    Indicator index field: threatintel.indicator.domain
    Runs every: 10 seconds
    Additional look-back time: 30000h

  3. Wait for the rule to generate the alert.

  4. With the customize columns option add: threat.indicator.domain

Thanks!!

@MadameSheema
Member

@rylnd correct me if I'm wrong but that is correct, right?

@MadameSheema MadameSheema added enhancement New value added to drive a business result triage_needed and removed v7.12.0 labels Mar 22, 2021
@rylnd
Contributor Author

rylnd commented Mar 22, 2021

The escaping of nested objects is expected; there are several other examples of this:

(screenshot: Detections in Kibana)

There is one outstanding issue here, which is that nested objects are missing the encapsulating array in the escaped string format. This is demonstrated in @karanbirsingh-qasource's example; you can see that the indicators: [{}] was indexed but indicators: {} was displayed.

I would say that the structure is not truly correct as asserted above, but as each object is presented and it's still valid JSON this is acceptable for now. Here's the basic format if you have multiple nested objects:

```
"threat": {
  "indicator": "{},{}"
},
```

@MadameSheema I see you changing labels/assignees here. Would you like to close this issue, keep it open for the issue above, or something else?
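Added example (not code from the issue or from Kibana): a small TypeScript model of the two renderings discussed above. `renderNestedLossy` reproduces the behaviour rylnd describes, where each nested object is serialised on its own and joined with commas, so the enclosing array is dropped (`{}` for one object, `{},{}` for several); `renderNestedFaithful` keeps the array. The sample document is constructed from the `threat.indicator` values in the comment above; the helper names are this example's own. `roundTrips` shows the practical consequence: only the faithful string parses back to what was actually indexed, and the comma-joined form for two or more objects is not valid JSON at all.

```typescript
// Added example (not Kibana's code): rendering an Elasticsearch `nested`
// field as escaped JSON, lossy vs faithful.

type NestedObject = Record<string, unknown>;

// Constructed sample: the shape of `threat.indicator` in the signals
// document shown earlier in this issue (one nested object in an array).
const signalDoc: { threat: { indicator: NestedObject[] } } = {
  threat: {
    indicator: [
      {
        domain: '117.242.211.13',
        matched: {
          atomic: '117.242.211.13',
          field: 'mydata.domain',
          id: '-TxzWXgBajxX6dLQFGo-',
          index: 'indicator',
        },
      },
    ],
  },
};

// Lossy rendering, as described in the issue: each nested object is
// stringified separately and the pieces are comma-joined, so the array
// that was indexed disappears ("{}" for one object, "{},{}" for two).
function renderNestedLossy(objs: NestedObject[]): string {
  return objs.map((o) => JSON.stringify(o)).join(',');
}

// Faithful rendering: stringify the whole array, so the escaped string
// still decodes to exactly the structure held in the index.
function renderNestedFaithful(objs: NestedObject[]): string {
  return JSON.stringify(objs);
}

// Decode a rendered string; null when it is not valid JSON.
function parseRendered(rendered: string): unknown | null {
  try {
    return JSON.parse(rendered) as unknown;
  } catch {
    return null;
  }
}

// True only when the rendered string decodes to exactly the indexed array
// (a lone object "{...}" parses, but as an object, not the original array).
function roundTrips(objs: NestedObject[], rendered: string): boolean {
  const back = parseRendered(rendered);
  return back !== null && JSON.stringify(back) === JSON.stringify(objs);
}

// Stand-alone run: compare both renderings for one and two nested objects.
function demo(): { lossyOne: string; lossyTwo: string; faithfulTwo: string } {
  const one = signalDoc.threat.indicator;
  const two = [...one, ...one];
  const result = {
    lossyOne: renderNestedLossy(one),
    lossyTwo: renderNestedLossy(two),
    faithfulTwo: renderNestedFaithful(two),
  };
  console.log(result);
  console.log('lossy round-trips (one):', roundTrips(one, result.lossyOne));
  console.log('lossy parses (two):', parseRendered(result.lossyTwo) !== null);
  console.log('faithful round-trips (two):', roundTrips(two, result.faithfulTwo));
  return result;
}

demo();
```

The point for anyone consuming the flyout's escaped strings programmatically: the lossy form cannot be distinguished from a single non-nested object, and with more than one nested object it is not parseable, so the array wrapper is information, not decoration.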

@MadameSheema
Member

Thanks @rylnd, let's keep it open as an enhancement now to finish the work on it ;)

@stephmilovic stephmilovic removed their assignment Apr 22, 2021
@XavierM XavierM added UX and removed triage_needed labels May 5, 2021
@XavierM
Contributor

XavierM commented May 5, 2021

@rylnd and @monina-n should talk about how we are going to represent nested fields inside of the t-grid.

@XavierM XavierM added triage_needed Team:Detections and Resp Security Detection Response Team and removed bug Fixes for quality problems that affect the customer experience labels May 5, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

No branches or pull requests
5 participants