Describe the bug
During testing of the new Kibana upload feature, we have identified that the index information on the TOML configuration does not propagate to the rules in the Kibana SIEM app.
To Reproduce
Steps to reproduce the behavior:
Create a TOML detection rule which follows the guidelines provided. Example:
```toml
[metadata]
creation_date = "2020/08/11"
ecs_version = ["1.5.0"]
maturity = "development"
updated_date = "2020/08/11"

[rule]
author = ["Rule export"]
description = "The contents of crontab have been modified by a non-root user."
tags = ["prod"]
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Cron - Crontab entry changed"
risk_score = 15
rule_id = "9bad9907-1969-4a70-bfbd-367f0dcc0203"
severity = "low"
type = "query"
query = '''
event.module: cron and event.action: changed and not user.name: root
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
Expected behavior
The index should have propagated to the rule within the SIEM app, although as can be seen from the screenshots above, that information is missing. The index field is empty.
Desktop (please complete the following information):
OS: MacOS
Version: 10.15.5
Python version: 3.6.8
ELK version: Tested on 7.8.0 and 7.8.1, the issue persists on both.
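A pre-upload check for the problem described in this report, added here as an example and not code from the detection-rules project: it converts the TOML rule's `[rule]` table into the payload shape the Kibana detection-engine rules API expects and flags any required field (including `index`) that is absent or empty before the rule is uploaded. It assumes Python 3.11+ (`tomllib`) or the `tomli` backport; the sample TOML is a constructed, trimmed copy of the rule above.

```python
"""Pre-upload check that fields in a TOML detection rule survive conversion
into a Kibana detection-engine rule payload. Added example, not code from the
detection-rules project; assumes Python 3.11+ (tomllib) or the tomli backport,
and uses the field names of the Kibana rules API (POST /api/detection_engine/rules)."""
import json
try:
    import tomllib                # Python 3.11+
except ModuleNotFoundError:       # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed sample: the rule from the report, trimmed to the fields that matter here.
SAMPLE_RULE = '''
[metadata]
creation_date = "2020/08/11"
maturity = "development"

[rule]
author = ["Rule export"]
description = "The contents of crontab have been modified by a non-root user."
tags = ["prod"]
index = ["filebeat-*"]
language = "kuery"
name = "Cron - Crontab entry changed"
risk_score = 15
rule_id = "9bad9907-1969-4a70-bfbd-367f0dcc0203"
severity = "low"
type = "query"
query = "event.module: cron and event.action: changed and not user.name: root"
'''

# Fields a query rule must carry into Kibana; 'index' is the one the report says is lost.
REQUIRED = ("rule_id", "name", "description", "risk_score", "severity",
            "type", "query", "language", "index")


def toml_rule_to_payload(text):
    """Build the Kibana payload from the [rule] table; [metadata] is not an API field."""
    return dict(tomllib.loads(text)["rule"])


def missing_fields(payload, required=REQUIRED):
    """Names of required fields that are absent or empty (None, "", []) in the payload."""
    return [f for f in required if payload.get(f) in (None, "", [])]


if __name__ == "__main__":
    payload = toml_rule_to_payload(SAMPLE_RULE)
    print(json.dumps(payload, indent=2))
    print("missing:", missing_fields(payload))   # expect [] for the sample
```

Run the same check against the rule JSON returned by Kibana after upload (GET on the rules API) to pin down whether `index` is dropped on the client side or on the server side.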