-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Misleading SIEM Warning When Attaching Custom Roles With Valid But Complex RegEx #193204
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Hi @wathian ! Thanks for the post. Could you attach the video on the ticket? I unfortunately can't access the link. |
Hi @yctercero, I've set the video to unlisted visibility, hopefully you can see it now. |
@yctercero See if you are able to access the video here? |
Hi @wathian I noticed in your video you have the role Can you try updating this role or removing it from the user you test with and then re-enable the rule? The warning should disappear after re-enabling it. cc: @yctercero @louisong |
Hi @dhurley14 , I am following up on the issue. User has two roles assigned,
I have verified by login to the user with the two roles, I am able to read index with pattern Are you saying both roles need to have explicit access to Regards |
Hi @tianlang8158 and @wathian , My apologies I just saw the customer support thread related to this issue. I have one question - is the objective to block access to the filebeat index or to allow access to it? I'm guessing block access but want to double check. From what I can tell, this looks like there might be a discrepancy with how elasticsearch compares user privileges for data streams. I used auditbeat instead of filebeat for testing but I believe the issue is still the same. The code that renders the warning you reference in the video checks the kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts Lines 178 to 198 in 2664ccf
Replicating this in the Kibana Dev Tools I get the following:
The above request is what the security rule executes. And just like you saw in your deployment there are alerts generated / the search yields results. This is because when I check privileges for the auditbeat datastream I have read access.
Now when I check for read privileges on the
This definitely is confusing. To remedy this would require a change in how elasticsearch checks data stream privileges. And again, I just want to confirm that I'm understanding correctly, you would like to block read access to filebeat with this regex, right? |
After playing around with the provided regex I believe I have figured out the issue. The warning on the rule's details page regarding
The section The reason we are seeing the data still come back is because the data stream part of the regular expression does not cover Give this, I came up with the following which I believe is the desired outcome
Note the additional This will prevent the rule from querying any filebeat data stream, which will match with what the error message said. I hope this covers your use case! |
Hi @dhurley14 , The original pattern MATCH ANY BUT MONITORING DATA which is to allow all indices while block below indice pattern:
With your new pattern For your advice please. |
Hi @louisong @dhurley14 , following up on this, we have related tickets pending for this issue, please see the last comment from my colleague @tianlang8158 . Would appreciate it if you can provide an update. Thank you. |
Hello @electra06 👋 Apologies for the delay. Thank you for clarifying which exact indices you wish to exclude. That is helpful. Knowing that you are NOT trying to exclude all As I mentioned in my earlier comment the yellow warning banner on the rule details page is correct due to the reasons I outlined in the above comment:
Given this above information I believe that warning on the rule details page is not a bug and is not preventing the rule from running correctly, which I believe was confirmed by the rule generating correct alerts. If you know that the regex is performing as expected then I think we can close out this ticket. I believe you can double check this though by testing out the original regular expression using the scripts I posted in the above comment within Kibana Dev Tools. |
Hello @dhurley14, Yes the yellow warning banner is not preventing the rule from running correctly, however, it is misleading to our users which we received a lot of feedback on this, and its not just Below screenshot is from tenant which all AWS custom rules hit the same warning. Is there a better way to achieve the same without this warning? Regards |
Hi @tianlang8158 ! Thanks for reaching out. Catching up on the thread and Devin's investigation. Existing workaroundsIt seems our only existing workaround at this time is to adjust the index patterns to specify the indices you DO want hit. If the rules are prebuilt rules, this will require duplicating the rule to adjust. I should add that we are working on making prebuilt rules customizable, while not losing out on future prebuilt rule updates, but do not have a release date to share. EnhancementsIt may be best to chat with the elasticsearch team to put in an enhancement request similar to this one for the has_privileges endpoint. Sharing that issue for reference to the right tags to utilize. I am curious - would you prefer to be able to set whether or not to warn in this scenario? I do foresee an issue with not warning in that someone may be under the impression that they are receiving alerts for all indices under cc @approksiu (PM who would receive the enhancement request on our end) |
@yctercero Thanks for your advice! The workaround using index pattern to cover all existing indices explicitly without those mentioned earlier might not be feasible. As it could brings a very long list of index patterns (including system indices), and even need to cover index patterns which user defined for themselves.. To answer your question, we would rather not seeing the warning message, since the user role with the regex patten do grant user the necessary permission to the indices even its not explicitly defined. The expectation is clear that as long as user can access the logs, create SIEM rules for the logs and receive alerts, they should not see any permission related warning in SIEM rules. The warning message is quite misleading in the case, and would appreciate the enhancement request can cover the above mentioned pain-points. @louisong Thanks! |
I've filed a ER with elasticseach team, ref:23168 for tracking purposes. |
@tianlang8158 definitely understand the inconvenience of the workaround. I'll follow up on the ER to get feedback on it. |
@yctercero - do you have feedback on the ER? We have just received another user's reported related with the same issue. Thank you. |
Describe the bug:
Observed the following SIEM warning when login as a user with custom roles (Refer to video link below)
It seems like the warning is shown because the role's index pattern is unable to view the indices, where in reality, it did permit the indices which made us believed it's a misleading visual bug. (Refer to video link below)
If possible, we would like the team to confirm whether said warnings are impeding the functionality of the rules or that it's actually a bug. Our suspicion is the latter where we think it is only doing a naive check and it does not actually impedes the functionality since it has sufficient privilege as shown in the video.
Kibana/Elasticsearch Stack version:
Elastic Cloud SaaS v8.12.2
Steps to reproduce:
Current behavior:
Misleading warnings are shown despite the rule "working"
Expected behavior:
SIEM Rule should raise alerts properly
Warnings are not shown when the RBAC is sufficient
No functionality of the rules are affected.
Screenshots (if relevant):
Video Link: https://youtu.be/8A8Du31NwEs
The text was updated successfully, but these errors were encountered: