Kibana version: 7.6.0
Describe the bug:
Detection rule: "SSH (Secure Shell) from the Internet" contains a wrong logical operator, which causes the rule to be triggered when SSH is used from local networks. This is clearly an undesired outcome, judging from the rule name and description.
Diff between original and (probably) fixed rule.
https://github.com/j91321/kibana/commit/da286dfa544fe51aefe1be1b5da850fca8062761
Steps to reproduce:
Expected behavior:
Local networks should be excluded from triggering the rule.
Screenshots (if relevant):
Pinging @elastic/siem (Team:SIEM)
@j91321 thanks for filing the issue. This has actually already been fixed (1246a98) and will be in the next patch release of Kibana. The issue is with how the network.direction field is defined, as auditbeat uses the semantics of an endpoint agent, whereas network-centric logs like Zeek, Suricata, and netflow use observer semantics of traffic relative to network boundaries. We hope to further refine this logic as new capabilities are developed in the detection engine.
Meanwhile, the suggested workaround is to clone that rule (and disable it) and either limit the detections to the filebeat-* index pattern, or remove the network.direction field from the detection logic in your copy. You should also adjust the CIDR masks as is appropriate for your network for better fidelity.
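The following is an added, self-contained model of the detection logic this thread is about; it is not the Elastic rule's query and not code from the issue or its commits. It assumes ECS field names (source.ip, destination.ip, destination.port, network.direction, agent.type), a constructed list of local CIDRs that you would adjust for your own network, and constructed sample events from Zeek via filebeat (observer semantics) and auditbeat (host semantics). It shows why a rule that ANDs "external source" with "internal destination" ignores local-to-local SSH, how a loose OR between those conditions matches local traffic, and what the two workarounds in the comment above (dropping network.direction, or restricting to filebeat data) change.

```python
"""Hypothetical model of an "SSH from the Internet" detection (added example,
not the Elastic rule). Sample events and CIDR ranges are constructed."""
import ipaddress

# Local ranges to exclude; adjust these masks for your own network.
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fe80::/10", "::1/128",
)]


def is_local(ip: str) -> bool:
    """True when ip falls inside one of LOCAL_CIDRS (IPv4 and IPv6 handled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_CIDRS)


def ssh_from_internet(event: dict, use_direction: bool = True) -> bool:
    """Match SSH (port 22) whose source is external AND whose destination is
    internal. With use_direction=True the event must also carry
    network.direction == "inbound"; use_direction=False models the workaround
    of removing that field from the rule."""
    if event.get("destination", {}).get("port") != 22:
        return False
    src = event["source"]["ip"]
    dst = event["destination"]["ip"]
    # Both conditions are required: local-to-local SSH must never match.
    if is_local(src) or not is_local(dst):
        return False
    if use_direction:
        return event.get("network", {}).get("direction") == "inbound"
    return True


def ssh_loose_variant(event: dict) -> bool:
    """Illustrative mistake (constructed, not the actual rule's defect): ORing
    the two address conditions lets any SSH to an internal host match, so
    local-to-local sessions fire the rule."""
    if event.get("destination", {}).get("port") != 22:
        return False
    src = event["source"]["ip"]
    dst = event["destination"]["ip"]
    return is_local(dst) or not is_local(src)


# Constructed sample events. auditbeat's "inbound" means "into this host",
# so an internal peer connecting to the host is still labelled inbound.
EVENTS = [
    {"id": "zeek-external", "agent": {"type": "filebeat"},
     "source": {"ip": "203.0.113.5"}, "destination": {"ip": "10.0.0.4", "port": 22},
     "network": {"direction": "inbound"}},
    {"id": "zeek-internal", "agent": {"type": "filebeat"},
     "source": {"ip": "10.0.0.7"}, "destination": {"ip": "10.0.0.4", "port": 22},
     "network": {"direction": "internal"}},
    {"id": "zeek-no-direction", "agent": {"type": "filebeat"},
     "source": {"ip": "198.51.100.20"}, "destination": {"ip": "10.0.0.4", "port": 22}},
    {"id": "auditbeat-internal", "agent": {"type": "auditbeat"},
     "source": {"ip": "10.0.0.7"}, "destination": {"ip": "10.0.0.4", "port": 22},
     "network": {"direction": "inbound"}},
    {"id": "auditbeat-external", "agent": {"type": "auditbeat"},
     "source": {"ip": "198.51.100.9"}, "destination": {"ip": "10.0.0.4", "port": 22},
     "network": {"direction": "inbound"}},
    {"id": "not-ssh", "agent": {"type": "filebeat"},
     "source": {"ip": "203.0.113.5"}, "destination": {"ip": "10.0.0.4", "port": 443},
     "network": {"direction": "inbound"}},
]


def matching_ids(events, use_direction=True, filebeat_only=False, loose=False):
    """Return ids of events the chosen rule variant would alert on.
    filebeat_only models restricting the rule to the filebeat-* index pattern."""
    out = []
    for ev in events:
        if filebeat_only and ev.get("agent", {}).get("type") != "filebeat":
            continue
        hit = ssh_loose_variant(ev) if loose else ssh_from_internet(ev, use_direction)
        if hit:
            out.append(ev["id"])
    return out


if __name__ == "__main__":
    print("strict:        ", matching_ids(EVENTS))
    print("no direction:  ", matching_ids(EVENTS, use_direction=False))
    print("filebeat only: ", matching_ids(EVENTS, filebeat_only=True))
    print("loose (OR):    ", matching_ids(EVENTS, loose=True))
```

The strict variant fires only on the two externally-sourced events, whichever agent produced them, because the CIDR checks do the real work; the loose OR variant is the failure mode the issue describes, firing on the internal auditbeat and Zeek sessions as well. Dropping network.direction additionally picks up the Zeek event that carries no direction field at all, which is why the comment suggests that option alongside limiting the rule to filebeat data.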
Ah that makes sense now. Thanks for the explanation, I'll apply the workaround.