
[Security] [Maps] Network Map fails to create layers for Kibana Index Patterns containing multiple indices or exclusions #70914

Open
spong opened this issue Jul 7, 2020 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@spong
Member

spong commented Jul 7, 2020

As part of #52565 (and fix), support was added for pattern matching Kibana Index Patterns against securitySolution:defaultIndex when generating layers for the Network Map.

What this implementation doesn't take into account is that Kibana Index Patterns can contain multiple comma-separated Elasticsearch indices, e.g. filebeat-*,auditbeat-*, and with CCS + wildcards as *:filebeat-*,*:auditbeat-*, or even CCS + wildcards + exclusions as *:filebeat-*,-*:filebeat-7.6.0*.

This affects both the Elastic Security implementation as well as the Maps implementation (cc @nreese), since they use the non-split Kibana Index Pattern title as the pattern and the split securitySolution:defaultIndex as the path.

As an example, for the given:

securitySolution:defaultIndex: cluster2:filebeat-*, cluster1:auditbeat-*
Kibana Index Pattern: *:filebeat-*,*:auditbeat-*

The matching sequence would be:

minimatch('cluster2:filebeat-*', '*:filebeat-*,*:auditbeat-*'); // false
minimatch('cluster1:auditbeat-*', '*:filebeat-*,*:auditbeat-*'); // false

which would result in no matches, and thus no generated map layers.

If we were to comma-split the Kibana Index Pattern title, use each of those as the pattern, and remove the duplicate matches, we should then create layers for the correct Kibana Index Patterns that exist. Note: this would need to include logic for the exclusion case as well, which could be done using a filter on matched paths against patterns with a leading -.

This behavior is present since v7.6.0.
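The split-and-match approach described in this issue, written out as an added example (not Kibana code, not the fix in #80208). `globMatch` is an assumed minimal `*`-only stand-in for `minimatch`, so that the snippet runs with no dependencies; the sample `defaultIndex` and titles are the issue's own example.

```javascript
// Added example, not Kibana code: the matching proposed in the issue, with
// globMatch as a minimal '*'-only stand-in for minimatch (assumption).

// Match a defaultIndex entry ("path") against one sub-pattern; '*' matches any
// run of characters, everything else is literal (including a '*' in the path).
function globMatch(path, pattern) {
  const body = pattern
    .split('*')
    .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + body + '$').test(path);
}

// Split a Kibana Index Pattern title on commas, keep paths matched by any
// positive sub-pattern, drop paths matched by any "-"-prefixed exclusion,
// and dedupe. Returns the securitySolution:defaultIndex entries that matched.
function matchIndexPattern(title, defaultIndex) {
  const parts = title.split(',').map((p) => p.trim()).filter(Boolean);
  const includes = parts.filter((p) => !p.startsWith('-'));
  const excludes = parts.filter((p) => p.startsWith('-')).map((p) => p.slice(1));
  const matched = new Set();
  for (const path of defaultIndex.map((p) => p.trim())) {
    const included = includes.some((pat) => globMatch(path, pat));
    const excluded = excludes.some((pat) => globMatch(path, pat));
    if (included && !excluded) matched.add(path);
  }
  return [...matched];
}

// Titles that would get a Network Map layer: those with at least one match.
function patternsWithLayers(titles, defaultIndex) {
  return titles.filter((t) => matchIndexPattern(t, defaultIndex).length > 0);
}

// The issue's own example (CCS + wildcards); the plain 'auditbeat-*' title
// does not match a cluster-prefixed path, so only the first title gets a layer.
const defaultIndex = ['cluster2:filebeat-*', ' cluster1:auditbeat-*'];
const titles = ['*:filebeat-*,*:auditbeat-*', 'auditbeat-*'];
console.log(patternsWithLayers(titles, defaultIndex)); // ['*:filebeat-*,*:auditbeat-*']
```

Unlike the unsplit call shown above, the whole title `*:filebeat-*,*:auditbeat-*` is never used as a single pattern, so the literal comma no longer defeats the match.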

@spong spong added bug Fixes for quality problems that affect the customer experience [Deprecated-Use Team:Presentation]Team:Geo Former Team Label for Geo Team. Now use Team:Presentation Team:SIEM labels Jul 7, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-gis (Team:Geo)

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@MadameSheema MadameSheema added Team:Threat Hunting Security Solution Threat Hunting Team and removed [Deprecated-Use Team:Presentation]Team:Geo Former Team Label for Geo Team. Now use Team:Presentation labels Oct 7, 2020
@stephmilovic
Contributor

@spong to confirm the results we want...

Case 1:
should "auditbeat-*" be included in the matching patterns?

// Kibana Index Patterns
["filebeat-*,auditbeat-*", "auditbeat-*"]

// SIEM indexes
["apm-*-transaction*",  "auditbeat-*", "endgame-*","filebeat-*","packetbeat-*","winlogbeat-*"]

// Matching Patterns
["filebeat-*,auditbeat-*", "auditbeat-*"]

Case 2:

// Kibana Index Patterns
["filebeat-*,-filebeat-7.6.0*", "auditbeat-*"]

// SIEM indexes
["apm-*-transaction*",  "auditbeat-*", "endgame-*","filebeat-*","packetbeat-*","winlogbeat-*"]

// Matching Patterns
["filebeat-*,-filebeat-7.6.0*", "auditbeat-*"]

Case 3:

// Kibana Index Patterns
["*:filebeat-*,*:auditbeat-*", "auditbeat-*"]

// SIEM indexes
['cluster2:filebeat-*', 'cluster1:auditbeat-*']

// Matching Patterns
["*:filebeat-*,*:auditbeat-*"]

@stephmilovic
Contributor

Fixed by this PR: #80208

@stephmilovic
Contributor

Merged, going to unassign myself and mark this as fixed 👍

@stephmilovic stephmilovic removed their assignment Oct 15, 2020
@stephmilovic
Contributor

stephmilovic commented Oct 16, 2020

Assigning to @MadameSheema to confirm fix!

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@MadameSheema MadameSheema removed the fixed label Nov 6, 2020
@MadameSheema
Member

@stephmilovic we need to continue working on this issue :)

@MadameSheema MadameSheema removed their assignment Nov 30, 2020