
[Security Solution][Detection Engine] When sets of documents have identical timestamps, they can potentially be skipped during alert creation #164233

Open
dplumlee opened this issue Aug 17, 2023 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience consider-next Feature:Detection Alerts Security Solution Detection Alerts Feature impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@dplumlee
Contributor

dplumlee commented Aug 17, 2023

Overview

During alert creation within the detection engine, sets of alerts that have the same timestamp can potentially be skipped over. This occurs if a set of alerts with identical timestamps is present at the end of a search window, overlapping between the current and next pages. We use the search_after ES parameter to paginate through the search results, but if any alerts with an identical timestamp remain past the end of the search window, they will be skipped when retrieving the next result.

Example

```
[...]
{
  "@timestamp": "2023-08-17T20:53:35.462Z" // 98
},
{
  "@timestamp": "2023-08-17T20:53:35.462Z" // 99
},
-----search stops here-----
{
  "@timestamp": "2023-08-17T20:53:35.462Z" // 100 (skipped)
},
{
  "@timestamp": "2023-08-17T20:53:35.462Z" // 101 (skipped)
},
-----and will start again here-----
{
  "@timestamp": "2023-08-17T20:53:35.598Z" // 102
},
[...]
```

Possible solutions

A solution to this might be incorporating a PIT for the search to ensure events don't get skipped when paginating through search results.

Related occurrences

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area labels Aug 17, 2023
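The skip described in the issue comes from `search_after` semantics: Elasticsearch returns only hits whose sort tuple is strictly greater than the tuple passed in, so when the tuple is just `@timestamp` every tied document past the page boundary is excluded. The following TypeScript is an added example written for this page, not code from Kibana or Elasticsearch. It models that behaviour over a constructed in-memory index (document ids `d1`..`d6` and their timestamps are made up), shows the loss with a timestamp-only sort and the complete result once a unique tiebreaker is added, and then builds the shape of the real request with a point in time (PIT), where `_shard_doc` is the tiebreaker Elasticsearch adds for PIT searches; the PIT id in it is a placeholder.

```typescript
// Added example (not Kibana's or Elasticsearch's code): an in-memory model of
// Elasticsearch search_after pagination, used to show why documents that share
// a sort value at a page boundary are lost when the sort key alone is used, and
// why a unique tiebreaker (the implicit _shard_doc sort a PIT adds) fixes it.

interface Doc {
  id: string;        // constructed unique id; stands in for _id / _shard_doc
  timestamp: string; // @timestamp as an ISO-8601 string (lexically sortable)
}

type SortValues = string[];

interface Page {
  hits: Doc[];
  lastSort: SortValues | null; // "sort" array of the last hit, fed back as search_after
}

// Constructed sample: four documents share one timestamp, as in the issue's example.
const SAMPLE_INDEX: Doc[] = [
  { id: 'd1', timestamp: '2023-08-17T20:53:35.100Z' },
  { id: 'd2', timestamp: '2023-08-17T20:53:35.462Z' },
  { id: 'd3', timestamp: '2023-08-17T20:53:35.462Z' },
  { id: 'd4', timestamp: '2023-08-17T20:53:35.462Z' },
  { id: 'd5', timestamp: '2023-08-17T20:53:35.462Z' },
  { id: 'd6', timestamp: '2023-08-17T20:53:35.598Z' },
];

// Lexicographic comparison of two sort tuples (every field ascending).
function compareSort(a: SortValues, b: SortValues): number {
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] < b[i]) return -1;
    if (a[i] > b[i]) return 1;
  }
  return 0;
}

// Models one ES request: sort by `sortKeys`, keep only hits whose sort tuple is
// strictly greater than `searchAfter` (this is the search_after rule), and
// return the first `size` of them.
function search(index: Doc[], sortKeys: (keyof Doc)[], size: number, searchAfter: SortValues | null): Page {
  const sortOf = (d: Doc): SortValues => sortKeys.map((k) => d[k]);
  const ordered = [...index].sort((x, y) => compareSort(sortOf(x), sortOf(y)));
  const candidates = ordered.filter((d) => searchAfter === null || compareSort(sortOf(d), searchAfter) > 0);
  const hits = candidates.slice(0, size);
  return { hits, lastSort: hits.length > 0 ? sortOf(hits[hits.length - 1]) : null };
}

// Drains every page the way a rule's alert-creation loop does; returns the ids seen.
function paginateAll(index: Doc[], sortKeys: (keyof Doc)[], size: number): string[] {
  const seen: string[] = [];
  let after: SortValues | null = null;
  for (;;) {
    const page = search(index, sortKeys, size, after);
    if (page.hits.length === 0) break;
    seen.push(...page.hits.map((d) => d.id));
    after = page.lastSort;
  }
  return seen;
}

// Shape of the real request once a PIT is used: the PIT id replaces the index
// name, @timestamp stays the primary sort, and _shard_doc is the tiebreaker
// that makes every sort tuple unique. pitId is a placeholder for an id returned
// by the open point-in-time API.
interface PitRequest {
  size: number;
  pit: { id: string; keep_alive: string };
  sort: Array<Record<string, 'asc' | 'desc'>>;
  search_after?: (string | number)[];
}

function buildPitRequest(pitId: string, size: number, searchAfter: (string | number)[] | null): PitRequest {
  const req: PitRequest = {
    size,
    pit: { id: pitId, keep_alive: '1m' },
    sort: [{ '@timestamp': 'asc' }, { _shard_doc: 'asc' }],
  };
  if (searchAfter !== null) req.search_after = searchAfter;
  return req;
}

console.log('timestamp only :', paginateAll(SAMPLE_INDEX, ['timestamp'], 3));       // d4, d5 lost
console.log('with tiebreaker:', paginateAll(SAMPLE_INDEX, ['timestamp', 'id'], 3)); // all six
console.log(JSON.stringify(buildPitRequest('PIT_ID_PLACEHOLDER', 3, ['2023-08-17T20:53:35.462Z', 42])));
```

With a page size of 3 the timestamp-only run returns `d1, d2, d3, d6`: the page ends inside the run of tied documents, `search_after` is set to that timestamp alone, and `d4` and `d5` can never satisfy "strictly greater". Adding a unique second sort key turns every tuple into a distinct value and the same loop returns all six. A PIT gives the same guarantee through `_shard_doc` and additionally freezes the view of the index, so documents indexed while the rule is paginating cannot shift the page boundaries either.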
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror added triage_needed Team:Detections and Resp Security Detection Response Team labels Aug 21, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero yctercero removed their assignment Jun 5, 2024
@yctercero yctercero added the Feature:Detection Alerts Security Solution Detection Alerts Feature label Jun 5, 2024
@yctercero yctercero added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Sep 28, 2024
Projects
Status: To do
Development

No branches or pull requests

4 participants