
[Security Solution][Detections] Alerts mappings conflict with experimental ECS threat fields #100510

Open
Tracked by #165878
rylnd opened this issue May 24, 2021 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Alert Mappings Feature:ecs Feature:Indicator Match Rule Security Solution Indicator Match rule type impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@rylnd
Contributor

rylnd commented May 24, 2021

Summary

As CTI ECS fields and CTI features within SecSol continue to develop in parallel, changes during the RFC process are inevitably going to result in work on the SecSol side. elastic/ecs#1386 is the first example of such work!

While the history here is somewhat complicated, the summary is that:

  1. our threat.indicator enrichment data needs to move to a new field (currently: threat.enrichments, as proposed by the stage 1 RFC)
  2. our current threat.indicator mapping will now be in conflict with the "official" ECS mappings, as threat.indicator is not a nested field

Action Required

  1. We will need to migrate our existing enriched alerts' threat.indicator fields to the new location with an update_by_query or something similar
    • If this functionality is not going to be provided by RAC, we would need to develop data migration as part of the existing migration API
  2. Regarding the conflict above in 2., I think we have the following options:
    1. Do nothing, leave the mapping as it is with the ECS conflict
      • This would prevent one from searching threat.indicator across both our alerts indices and other ECS-compliant indices containing the "official" mapping
      • NB also that the threat.indicator mappings are still in stage 2 and are not yet official
      • We could note this limitation and make the corresponding data migration as part of the RAC alerts migration
    2. Rollover the alerts index to the new, correct mappings
      • This will have the same effect as above, except the conflict would only be encountered when searching across the older indices
      • Users could then leverage the existing migration API to reindex their older alerts data and remove the conflicting mapping
    3. Rename the ECS threat.indicator field to something else prior to the ECS release
      • This would allow us to sidestep the conflict above, as our threat.indicator mapping would be both unused and not in conflict with official ECS.
@rylnd rylnd added bug Fixes for quality problems that affect the customer experience Feature:ecs Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. 7.14 candidate labels May 24, 2021
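The two problems in the comment above (a type conflict on `threat.indicator` between the alerts index and the ECS mapping, and the `update_by_query`-style move of existing enrichment data to `threat.enrichments`) can be modelled offline. The code below is an added illustration, not code from this issue or from Kibana's detection engine. It assumes, as the RFC text here does not pin down, that an enriched alert stores its indicator matches as a list under `threat.indicator` and that the target layout is `threat.enrichments`, a list of objects each wrapping one `indicator`; the sample mappings and the sample alert are constructed, and the `update_by_query` body is an illustrative request, not the project's migration.

```python
"""Added example for the Kibana issue on alert mapping conflicts with ECS.

Not code from the issue or from Kibana. Assumed field layouts:
  before: threat.indicator   -> list of indicator objects (nested in alerts index)
  after:  threat.enrichments -> list of {"indicator": {...}} objects
"""
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

# Constructed mappings. The alerts index mapped threat.indicator as `nested`
# so one alert could carry several matches; the ECS side maps it as a plain
# object. That is the conflict the issue describes for cross-index searches.
ALERTS_MAPPINGS: Dict[str, Any] = {
    "properties": {"threat": {"properties": {
        "indicator": {"type": "nested", "properties": {
            "type": {"type": "keyword"}}}}}}}

ECS_MAPPINGS: Dict[str, Any] = {
    "properties": {"threat": {"properties": {
        "indicator": {"properties": {"type": {"type": "keyword"}}}}}}}


def field_type(mappings: Dict[str, Any], path: str) -> Optional[str]:
    """Return the type declared for a dotted field path, or None if unmapped.

    A field that only lists `properties` with no explicit `type` is an
    object field in Elasticsearch, so that is what we report for it.
    """
    node = mappings
    for part in path.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node.get("type", "object")


def mapping_conflicts(a: Dict[str, Any], b: Dict[str, Any],
                      paths: List[str]) -> Dict[str, Tuple[str, str]]:
    """Paths mapped in both indices but with different types.

    A search spanning both indices on such a path fails or misbehaves, which
    is the limitation called out under option 1 in the issue.
    """
    out: Dict[str, Tuple[str, str]] = {}
    for path in paths:
        ta, tb = field_type(a, path), field_type(b, path)
        if ta is not None and tb is not None and ta != tb:
            out[path] = (ta, tb)
    return out


# Constructed sample alert with two indicator matches under the old field.
SAMPLE_ALERT: Dict[str, Any] = {
    "kibana.alert.rule.type": "threat_match",
    "threat": {"indicator": [
        {"type": "ipv4-addr", "ip": "192.0.2.10"},      # RFC 5737 test address
        {"type": "file", "file": {"hash": {"sha256": "0" * 64}}},
    ]},
}


def migrate_enrichments(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Move threat.indicator into threat.enrichments; returns a new document.

    Mirrors what a per-document update_by_query script would do. Alerts with
    no threat.indicator pass through unchanged; a single indicator object is
    treated as a one-element list; existing enrichments are preserved.
    """
    doc = deepcopy(alert)
    threat = doc.get("threat")
    if not isinstance(threat, dict) or "indicator" not in threat:
        return doc
    indicators = threat.pop("indicator")
    if isinstance(indicators, dict):
        indicators = [indicators]
    enrichments = threat.setdefault("enrichments", [])
    enrichments.extend({"indicator": ind} for ind in indicators)
    return doc


# Illustrative _update_by_query body (assumed shape, not the project's own):
# only touch documents that still have the old field, and make the script a
# no-op otherwise so untouched documents are not rewritten.
UPDATE_BY_QUERY_BODY: Dict[str, Any] = {
    "query": {"exists": {"field": "threat.indicator"}},
    "script": {"lang": "painless", "source": (
        "if (ctx._source.threat != null && ctx._source.threat.indicator != null) {"
        "  def inds = ctx._source.threat.indicator;"
        "  if (!(inds instanceof List)) { inds = [inds]; }"
        "  def out = [];"
        "  for (def ind : inds) { out.add(['indicator': ind]); }"
        "  ctx._source.threat.enrichments = out;"
        "  ctx._source.threat.remove('indicator');"
        "} else { ctx.op = 'noop'; }")},
}


if __name__ == "__main__":
    print(mapping_conflicts(ALERTS_MAPPINGS, ECS_MAPPINGS,
                            ["threat.indicator", "threat.indicator.type"]))
    print(migrate_enrichments(SAMPLE_ALERT)["threat"])
```

Running the conflict check before a rollover (option 2 in the comment) tells you which paths will still collide when a query spans the old alert indices and ECS-compliant indices; running the migration over a sample of alerts and diffing the result is a cheap way to validate the script before pointing `_update_by_query` at production data.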
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@rylnd
Contributor Author

rylnd commented Jun 17, 2021

As the indicator and enrichment RFCs continue to make progress, we're going to be moving this issue to 7.15, with the expectation that those RFCs will be official as part of ECS 1.11.

@MindyRS MindyRS added the Team:Detections and Resp Security Detection Response Team label Feb 24, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@peluja1012 peluja1012 added the Feature:Indicator Match Rule Security Solution Indicator Match rule type label Mar 21, 2022
@peluja1012 peluja1012 added Team:Detection Alerts Security Detection Alerts Area Team and removed Team: CTI labels Aug 3, 2022
@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
@yctercero yctercero added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Sep 28, 2024
6 participants