Description
Describe the bug:
When an Indicator Match rule is configured with a saved query (i.e. a saved_id), the field matching logic (i.e. field.x matches field.y) is not taken into account when processing the rule. This leads to unexpected alerts being generated.
Kibana/Elasticsearch Stack version:
7.14
Steps to reproduce:
- Create an Indicator Match rule with the following configuration:
- Using Kibana -> Dev Tools, create the `test-filebeat` and `test-indicator-index` indices as shown below.

  Dev Tools commands

  ```
  PUT test-indicator-index
  {
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "url": {
          "properties": {
            "full": {
              "type": "text",
              "fields": {
                "keyword": { "type": "keyword", "ignore_above": 256 }
              }
            }
          }
        }
      }
    }
  }

  PUT test-filebeat
  {
    "mappings": {
      "properties": {
        "@timestamp": { "type": "date" },
        "url": {
          "properties": {
            "original": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": { "type": "text", "norms": false }
              }
            }
          }
        }
      }
    }
  }
  ```
- Using Kibana -> Dev Tools, index some test documents into the `test-filebeat` and `test-indicator-index` indices as shown below.

  Dev Tools commands

  ```
  POST test-indicator-index/_doc
  {
    "@timestamp": "2021-07-27T08:51:49.337Z",
    "url": { "full": "foo.test.com/" }
  }

  POST test-filebeat/_doc
  {
    "@timestamp": "2021-07-27T08:51:49.337Z",
    "url": { "original": "http://test" }
  }
  ```
- Activate the rule. Notice that no alerts are generated, as expected.
- Edit the rule. Under the `Custom query` section, click on the saved query icon and then click on `Save current query`. Finally, save the changes to the rule configuration.
- Deactivate/Activate the rule to force it to execute again. Notice that an alert is created unexpectedly. The generated alert has no Threat Intel data.
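To check what the rule's field mapping should have produced for the two test documents above, here is an added Python re-evaluation of the indicator match logic (example code, not Kibana's implementation). It assumes the rule maps the event field `url.original` to the indicator field `url.full` (the issue does not show the rule configuration) and assumes the OR-of-AND shape of the detection engine's `threat_mapping`; it handles multi-entry mapping groups, which goes beyond the single-field case in the report.

```python
"""Offline re-evaluation of an Indicator Match rule's field mapping."""
from typing import Any

# Constructed sample documents, copied from the reproduction steps above.
EVENTS = [{"@timestamp": "2021-07-27T08:51:49.337Z", "url": {"original": "http://test"}}]
INDICATORS = [{"@timestamp": "2021-07-27T08:51:49.337Z", "url": {"full": "foo.test.com/"}}]

# Assumed mapping (the issue does not show it): event url.original must equal
# indicator url.full. Outer list = OR between groups, inner entries = AND.
THREAT_MAPPING = [{"entries": [{"field": "url.original", "type": "mapping", "value": "url.full"}]}]


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field path such as 'url.original' in a nested document."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(event: dict, indicator: dict, entry: dict) -> bool:
    """One mapping entry matches only when both sides exist and are equal."""
    ev = get_field(event, entry["field"])
    iv = get_field(indicator, entry["value"])
    return ev is not None and iv is not None and ev == iv


def expected_alerts(events: list, indicators: list, mapping: list) -> list:
    """Return the (event, indicator) pairs the rule should alert on.

    A pair matches if ANY mapping group has ALL of its entries matching.
    """
    hits = []
    for ev in events:
        for ind in indicators:
            if any(all(entry_matches(ev, ind, e) for e in group["entries"]) for group in mapping):
                hits.append((ev, ind))
    return hits


if __name__ == "__main__":
    # "http://test" != "foo.test.com/", so the expected alert count is zero.
    print(expected_alerts(EVENTS, INDICATORS, THREAT_MAPPING))  # -> []
```

An empty result here while the rule still fires confirms the alert is not explained by the configured field mapping.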


