Not Getting "file.path.text" and "file.EXt.code_signature" fields value under the Endpoint Exception Form #90725

Closed
ghost opened this issue Feb 9, 2021 · 8 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.12.0

Comments

@ghost

ghost commented Feb 9, 2021

Description
Not Getting "file.path.text" and "file.EXt.code_signature" fields value under the Endpoint Exception Form

Build Details:

Version: 7.11.0 BC7
Build: 37897
Commit: 3f71ce7177a41e067ddb1e670ec4ace5f6d4f5fe
Artifacts: https://staging.elastic.co/7.11.0-657c0367/summary-7.11.0.html

Browser Details:
All

Preconditions:

  1. Cloud environment should exist
  2. Endpoint security should be installed.
  3. Mimikatz alert with signer should be generated. Link to the File is here

Steps to Reproduce:

  1. Navigate to the Detection tab of the security
  2. Execute the Mimikatz file on the endpoint
  3. Click on more action on the generated alert.
  4. Click on add endpoint exception.
  5. Observe that the file.path.text and file.EXt.code_signature field values are missing in the Add Endpoint Exception Form.

Note: The missing fields are, however, present in the alert signal detailed view [table view].

Impacted Test case:

Actual Result:
Not Getting "file.path.text" and "file.EXt.code_signature" field values under the Add Endpoint Exception Form

Expected Result:
"file.path.text" and "file.EXt.code_signature" field values should be present under the Add Endpoint Exception Form

What's working:

  • Required field values are present in the alert signal detailed view [table view]
    (screenshots: alerts, alerts_details)

What's not working:

  • The user is not even able to add the missing fields manually and get their values by auto-suggestion.
    (screenshot: fields)

Screenshot:
signer_alert

Logs
N/A

@ghost ghost added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 9, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the v7.11.0 label Feb 9, 2021
@ghost
Author

ghost commented Feb 9, 2021

@karanbirsingh-qasource Please review!!

@ghost ghost self-assigned this Feb 9, 2021
@ghost ghost changed the title [Security Solution]Not Getting file.path.text, process.name.text fields on the endpoint exception form fields and file.EXt.code_signature value is not displayed for signer alert. However, same field are present under the alert details [ click on " > " under the table form ] Not Getting "file.path.text" and "file.EXt.code_signature value" fields under the Endpoint Exception Form Feb 9, 2021
@ghost ghost changed the title Not Getting "file.path.text" and "file.EXt.code_signature value" fields under the Endpoint Exception Form Not Getting "file.path.text" and "file.EXt.code_signature" fields value under the Endpoint Exception Form Feb 9, 2021
@manishgupta-qasource

Reviewed & Assigned to @peluja1012

@manishgupta-qasource manishgupta-qasource added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Feb 9, 2021
@dplumlee
Contributor

dplumlee commented Feb 9, 2021

Related #90808

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team and removed v7.11.0 labels Feb 10, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@dplumlee
Contributor

dplumlee commented Mar 3, 2021

@deepikakeshav-qasource I think this is ready to be tested again; we've made a few different changes in master that seem to solve the issues listed. For case C20386, we'll need to update it from file.path.text to file.path.caseless as well, since we no longer have .text fields as exceptionable fields. Once that case is updated, I believe everything should be good to go.

@ghost
Author

ghost commented Mar 4, 2021

Hi @dplumlee

We have validated this ticket on 7.12.0 BC3 and found that the issue is fixed, and we have updated the below test case from file.path.text to file.path.caseless:

Test case Updated:

Build Details:

Version: 7.12.0-BC3
Platform: Production
Commit: 08417cbd6c15e4c866651a7dcdfeded58845206d
Build: 39134
https://staging.elastic.co/7.12.0-96914cb5/summary-7.12.0.html

Screenshot:

  • Alerts are not triggered after adding the signed Mimikatz alert.
    (screenshots: signed_alerts, Table_view)

  • Alerts are not triggered after adding only the "file.path.caseless" field.
    (screenshot: file path caseless)

Moreover, we have reported the issue that, when clicking on the "file.Ext.code_signature" field delete icon, the "trusted" field becomes a nested field of file.path.caseless under the endpoint exception modal. [#93559]

Hence, we are closing this issue and will track the issue here
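The two behaviours discussed in this thread (dplumlee's note that `.text` multi-fields are no longer exceptionable and that the test case moves to `file.path.caseless`, and the follow-up report that deleting the `file.Ext.code_signature` entry must not re-parent its `trusted` sub-entry) can be illustrated with a small model of how exception entries are built from an alert. The code below is an added example and is not Kibana's or the Endpoint plugin's own code: the flattened alert document, the `NESTED_PREFIXES` list, the `resolveExceptionableField`, `buildExceptionEntries` and `removeEntry` functions, and the entry object shape are all assumptions made for this illustration.

```javascript
// Added example, not Kibana's own code. Models building endpoint-exception
// entries from a flattened alert: `.text` multi-fields are not exceptionable,
// so a request for `file.path.text` resolves to `file.path.caseless`, and the
// nested `file.Ext.code_signature` object becomes one nested entry with its
// own sub-entries. Field names and the entry shape are assumptions.

// Constructed sample alert, flattened to dotted keys (assumed shape).
const SAMPLE_ALERT = {
  'file.path.text': 'C:\\Users\\user\\Downloads\\mimikatz.exe',
  'file.path.caseless': 'c:\\users\\user\\downloads\\mimikatz.exe',
  'process.name.text': 'mimikatz.exe',
  'file.Ext.code_signature.subject_name': 'Example Signer (constructed)',
  'file.Ext.code_signature.trusted': true,
};

// Object-valued fields that become a single nested entry (assumption).
const NESTED_PREFIXES = ['file.Ext.code_signature'];

// Resolve a requested field to one that may be used in an exception.
// A `.text` multi-field maps to its `.caseless` sibling when the alert has
// one; otherwise the field is not exceptionable and null is returned.
function resolveExceptionableField(alert, field) {
  if (field.endsWith('.text')) {
    const caseless = field.slice(0, -'.text'.length) + '.caseless';
    return caseless in alert ? caseless : null;
  }
  if (NESTED_PREFIXES.includes(field) || field in alert) return field;
  return null;
}

// Build the form's entries array for a list of requested fields.
function buildExceptionEntries(alert, requestedFields) {
  const entries = [];
  for (const requested of requestedFields) {
    const field = resolveExceptionableField(alert, requested);
    if (field === null) continue; // e.g. process.name.text has no .caseless sibling
    if (NESTED_PREFIXES.includes(field)) {
      const prefix = field + '.';
      const sub = Object.keys(alert)
        .filter((k) => k.startsWith(prefix))
        .map((k) => ({
          field: k.slice(prefix.length), // subject_name, trusted
          operator: 'included',
          type: 'match',
          value: String(alert[k]),
        }));
      if (sub.length > 0) entries.push({ field, type: 'nested', entries: sub });
    } else {
      entries.push({ field, operator: 'included', type: 'match', value: String(alert[field]) });
    }
  }
  return entries;
}

// Remove one top-level entry by field name. A nested entry's sub-entries go
// with it; they never migrate under another top-level field.
function removeEntry(entries, field) {
  return entries.filter((e) => e.field !== field);
}

// Stand-alone run: show the resolved entries and the state after deletion.
const built = buildExceptionEntries(SAMPLE_ALERT, [
  'file.path.text',
  'process.name.text',
  'file.Ext.code_signature',
]);
console.log(JSON.stringify(built, null, 2));
console.log(JSON.stringify(removeEntry(built, 'file.Ext.code_signature'), null, 2));
```

With the constructed alert, the result contains a flat `file.path.caseless` match and one nested `file.Ext.code_signature` entry holding `subject_name` and `trusted`; `process.name.text` is dropped because it has no `.caseless` sibling, and removing the nested entry leaves `file.path.caseless` as a plain match with no sub-entries attached.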

@ghost ghost closed this as completed Mar 4, 2021
@ghost ghost added the QA:Validated Issue has been validated by QA label Mar 4, 2021
@ghost

ghost commented Mar 30, 2021

Bug Conversion:

Test case already exists for ticket:
https://elastic.testrail.io/index.php?/cases/view/20386

Thanks!!

This issue was closed.

5 participants