Update cardinality field in schema for threshold rules #1349
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brokensound77
added
bug
rw-access
reviewed
Jul 16, 2021
rw-access
reviewed
Jul 19, 2021
brokensound77
force-pushed
the
host-masquerading-rule
branch
from
fec8a23 to
9ba3c3b
Compare
Co-authored-by: Ross Wolf <[email protected]>
rw-access
reviewed
Jul 19, 2021
should be good to go now |
rw-access
approved these changes
Jul 21, 2021
threat-punter
approved these changes
Jul 21, 2021
rw-access
reviewed
Jul 21, 2021
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 21, 2021
* Make cardinality array in schema for threshold rules * update master, 7.12, 7.13, and 7.14 schemas with cardinality fix * fix 7.12 downgrade to handle cardinality as an array * Add two new rules to detect agent spoofing Co-authored-by: Ross Wolf <[email protected]> (cherry picked from commit 163d9e3)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 21, 2021
* Make cardinality array in schema for threshold rules * update master, 7.12, 7.13, and 7.14 schemas with cardinality fix * fix 7.12 downgrade to handle cardinality as an array * Add two new rules to detect agent spoofing Co-authored-by: Ross Wolf <[email protected]> (cherry picked from commit 163d9e3)
andrewkroh
reviewed
Jul 26, 2021
| """ | ||
| false_positives = [ | ||
| """ | ||
| This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the |
There was a problem hiding this comment.
One reason the security app never used host.id for identifying hosts is that it wasn't reliably unique (for beats) in environments where VM images are cloned without resetting /etc/machine-id. I would recommend mentioning this as a false positive.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
No issue for schema update
rules related to elastic/security-team#944
Summary
When the schema was updated to include
cardinality, it was not added as an array field, which should have been. From the Kibana change:This also limits it to a max of 3 strings to reflect the client side validation enforced within Kibana.
This also adds a couple of rules which depended on the field.