
[Bug] Update rules to remove the logs-endpoint.events.* index to correct for unsupported file events #1608


Closed
devonakerr opened this issue Nov 9, 2021 · 3 comments
Labels
backlog bug Something isn't working Domain: Endpoint Integration: Endpoint Elastic Endpoint Security

Comments

@devonakerr
Contributor

Describe the bug
Recently, an sdh-security-team issue was created for two rules that identify file object modification events but which include indices for the Elastic Endpoint. At this time, Elastic Endpoint does not include access or modification events for files. It may be possible that more than these two rules are impacted.

To Reproduce
sdh-security-team issue #232 outlines details for reproducing this behavior.

Expected behavior
We should remove the Elastic Endpoint index from any rule which implements file access or modification field values, at least until such time as the Elastic Endpoint returns those events.

Screenshots
N/A

Desktop (please complete the following information):
Pertains to various operating systems.

Additional context
N/A
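The cleanup the expected-behavior section asks for, as an added example that is not part of this issue or of the detection-rules repository: a small Python script that reads a rule in the repository's TOML layout (`index` and `query` keys under `[rule]`), flags any rule whose query keys on file access or modification events while its index list still contains `logs-endpoint.events.*`, and rewrites the index array without that entry. The two sample rules, and the set of `event.type` / `event.action` values treated as "file access or modification", are constructed assumptions for this example rather than the project's own classification; a real audit would iterate over the rules directory and review each flagged rule by hand.

```python
import re

# Index named in the issue title; constructed sample rules below use it.
ENDPOINT_INDEX = "logs-endpoint.events.*"

# Assumption for this example: a rule "uses file access/modification events"
# if it restricts event.category to file AND keys on one of these
# event.type / event.action values. The value list is illustrative, not the
# repository's definition.
CATEGORY_RE = re.compile(r"event\.category\s*:\s*\(?\s*(?:[\w-]+\s+or\s+)*file\b")
FILE_ACCESS_PATTERNS = [
    re.compile(r"event\.type\s*:\s*\(?\s*(?:[\w-]+\s+or\s+)*(change|access)\b"),
    re.compile(
        r"event\.action\s*:\s*\(?\s*(?:[\w-]+\s+or\s+)*"
        r"(updated|attributes_modified|opened-file|read-file)\b"
    ),
]

# Minimal extraction of the three TOML keys we need (regex, not a full parser).
NAME_RE = re.compile(r'^name\s*=\s*"(?P<name>[^"]*)"', re.MULTILINE)
INDEX_RE = re.compile(r"^index\s*=\s*\[(?P<body>.*?)\]", re.MULTILINE | re.DOTALL)
QUOTE_ALT = "'''|\"\"\"|'|\""
QUERY_RE = re.compile(
    r"^query\s*=\s*(?P<q>" + QUOTE_ALT + r")(?P<body>.*?)(?P=q)",
    re.MULTILINE | re.DOTALL,
)


def parse_index_list(body):
    """Turn the inside of a TOML string array into a Python list."""
    return re.findall(r'"([^"]*)"', body)


def uses_file_access_events(query):
    """Heuristic described above: file category plus an access/modify term."""
    if not CATEGORY_RE.search(query):
        return False
    return any(p.search(query) for p in FILE_ACCESS_PATTERNS)


def audit_rule(toml_text):
    """Report whether a rule mixes file access/modification logic with the
    endpoint index that (per the issue) does not produce such events."""
    name_m = NAME_RE.search(toml_text)
    index_m = INDEX_RE.search(toml_text)
    query_m = QUERY_RE.search(toml_text)
    name = name_m.group("name") if name_m else "<unnamed>"
    indices = parse_index_list(index_m.group("body")) if index_m else []
    query = query_m.group("body") if query_m else ""
    flagged = ENDPOINT_INDEX in indices and uses_file_access_events(query)
    return {"name": name, "indices": indices, "flagged": flagged}


def strip_endpoint_index(toml_text):
    """Return the rule text with the endpoint index removed from `index`
    when the rule is flagged; unflagged rules are returned unchanged."""
    report = audit_rule(toml_text)
    if not report["flagged"]:
        return toml_text
    m = INDEX_RE.search(toml_text)
    kept = [i for i in report["indices"] if i != ENDPOINT_INDEX]
    replacement = "index = [" + ", ".join(f'"{i}"' for i in kept) + "]"
    return toml_text[: m.start()] + replacement + toml_text[m.end() :]


# Constructed sample rules (not real rules from the repository).
FILE_RULE = '''
[metadata]
creation_date = "2021/11/09"

[rule]
name = "Constructed File Attribute Modification Rule"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
query = \'\'\'
event.category:file and event.type:change and event.action:(updated or attributes_modified)
\'\'\'
'''

PROCESS_RULE = '''
[rule]
name = "Constructed Process Start Rule"
index = ["logs-endpoint.events.*", "winlogbeat-*"]
language = "kuery"
query = \'\'\'
event.category:process and event.type:start and process.name:"whoami.exe"
\'\'\'
'''

if __name__ == "__main__":
    for text in (FILE_RULE, PROCESS_RULE):
        r = audit_rule(text)
        print(f"{r['name']}: flagged={r['flagged']} indices={r['indices']}")
    print(strip_endpoint_index(FILE_RULE))
```

Running the script flags only the constructed file rule and leaves the process rule alone, which is the behaviour the issue wants: the endpoint index stays wherever the endpoint really does emit the events in question. Because the match is a heuristic over query text, the flagged list is a review queue for a rule author, not something to apply blindly across the repository.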

@brokensound77
Contributor

Any additional context here @devonakerr, or can we close this out? Based on the description, I don't think that is the case, but maybe there is an edge case here. Is there a link to the valid SDH?

@w0rk3r
Contributor

w0rk3r commented Dec 7, 2023

Some more context here: #1673

@Aegrah
Contributor

Aegrah commented May 28, 2024

We are aware of the fact that we do not have file access events on Linux, without using Auditbeat, Auditd or FIM. We will be addressing coverage gaps for file access events through FIM in the near future (working on it right now as we speak, as per https://github.com/elastic/ia-trade-team/issues/374). For now, I think this one may be closed. A full rule analysis for indices, event actions and descriptions in Linux should be performed to ensure our rules are up-to-date with what they are actually detecting. This will be part of a future tuning round.

@w0rk3r w0rk3r closed this as completed May 28, 2024
5 participants