[Bug] Exceptions does not apply to new events #172892

Open
admiralbenbou opened this issue Apr 20, 2022 · 1 comment
Labels: bug (Fixes for quality problems that affect the customer experience); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

Comments

@admiralbenbou

Describe the bug
Exceptions are not applied to new events and alerts are generated. At the same time, alerts are closed manually by saving the exception unchanged with the checkbox "Close all alerts that match this exception and were generated by this rule"

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Security\Detect\Exceptions'
  2. Click on 'Net command via SYSTEM account'
  3. Click on 'Exceptions'
  4. Click on 'Add new Exception'
  5. Field - process.parent.command_line, operator - is , value - 'some value', in our case it may be '"C:\WINDOWS\system32\cmd.exe" /c whoami /all | findstr /I /C:"S-1-5-32-544"'
  6. Press 'Save'
  7. Run this command on the host with elastic agent
  8. See an alert in Security\Detect\Alerts
  9. Go to 'Security\Detect\Exceptions'
  10. Click on 'Exceptions'
  11. Click on 'Edit' in our exception added in p.4
  12. Switch checkbox "Close all alerts that match this exception and were generated by this rule" and click 'Save'
  13. See that alert from p.8 is closed now
  14. That also works for duplicates of built-in rules - 'Net command via SYSTEM account [Duplicate]'

Expected behavior
Alert from p.8 is not generated

Additional context
Kibana v 7.16.3
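As an added illustration (not part of the issue and not Kibana's own code), the following is a simplified model of how a detection-rule exception item with an "is" entry is evaluated against an event: every entry in the item must match for the item to suppress the event, and an "is" entry is an exact string comparison. The event, the exception item and the near-miss variant are constructed from the command line given in step 5; the entry types `match`, `match_any` and `exists` and the `included`/`excluded` operators follow the exception-list vocabulary, but the evaluation logic here is an assumption for teaching purposes, not the product's implementation.

```python
"""Simplified model of exception-item evaluation for a detection rule.

This is an added example, not Kibana's code. It shows the property a
defender checks first when an exception unexpectedly fails to suppress an
alert: an "is" (match) entry only suppresses when the event field is
byte-for-byte equal to the exception value.
"""

# Constructed event modelled on step 5 of the reproduction steps.
PARENT_CMDLINE = '"C:\\WINDOWS\\system32\\cmd.exe" /c whoami /all | findstr /I /C:"S-1-5-32-544"'

SAMPLE_EVENT = {
    "process": {
        "name": "whoami.exe",
        "parent": {"command_line": PARENT_CMDLINE},
    },
    "user": {"name": "SYSTEM"},
}

# Constructed exception item: field / operator "is" / value, as entered in the UI.
SAMPLE_EXCEPTION_ITEM = {
    "entries": [
        {
            "field": "process.parent.command_line",
            "operator": "included",  # "is" in the UI; "excluded" would be "is not"
            "type": "match",         # exact string equality
            "value": PARENT_CMDLINE,
        }
    ]
}


def get_field(event, dotted):
    """Resolve a dotted ECS-style field name against a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(event, entry):
    """Evaluate one entry; the 'excluded' operator inverts the result."""
    actual = get_field(event, entry["field"])
    kind = entry["type"]
    if kind == "exists":
        hit = actual is not None
    elif kind == "match":
        hit = actual == entry["value"]          # exact, case-sensitive comparison
    elif kind == "match_any":
        hit = actual in entry["value"]          # value is a list of candidates
    else:
        raise ValueError(f"unsupported entry type: {kind}")
    return hit if entry["operator"] == "included" else not hit


def item_suppresses(event, item):
    """All entries of an item must match for the item to apply (AND semantics)."""
    return all(entry_matches(event, e) for e in item["entries"])


def should_alert(event, items):
    """The rule alerts unless at least one exception item suppresses the event."""
    return not any(item_suppresses(event, it) for it in items)


def near_miss_event():
    """Constructed variant: same command, but the drive letter is lower-case.
    Under exact-match semantics this is NOT suppressed, which is the first
    thing to compare when an exception seems not to apply to a new event."""
    variant = PARENT_CMDLINE.replace('"C:\\', '"c:\\', 1)
    return {"process": {"name": "whoami.exe", "parent": {"command_line": variant}}}


if __name__ == "__main__":
    print("original event alerts:", should_alert(SAMPLE_EVENT, [SAMPLE_EXCEPTION_ITEM]))
    print("near-miss event alerts:", should_alert(near_miss_event(), [SAMPLE_EXCEPTION_ITEM]))
```

When an exception does not suppress a fresh alert, pull the exact `process.parent.command_line` value from the alert document and compare it character by character with the exception value; quoting, casing and trailing whitespace differences are all enough for a `match` entry to fail.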

@admiralbenbou admiralbenbou added the bug Fixes for quality problems that affect the customer experience label Apr 20, 2022
@brokensound77 brokensound77 transferred this issue from elastic/detection-rules Dec 7, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Dec 7, 2023
@jsanz jsanz added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Dec 11, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Dec 11, 2023