Bug?? Alerts hidden until "Temporily enable advanced interface features" is selected.

[DebianGuru]

Version

2.4.50

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

20

RAM

18GB

Storage for /

166G

Storage for /nsm

3.4TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a Playbook play that I wrote to send me alerts. The Elastalert is sending alerts to SOC, but they are not visible until "Temporily enable advanced interface features" is selected. I've been working on this for 2 days. I'm wondering if it's a bug???
See the images below:

NOTE: in the upper righ hand corner it even says there's 4 events, but only 2 are showing.

I can ungroup these and the Playbook rules show:

Again, 4 alerts and indeed all 4 are shown here.

I can select "Group by Name, Module" again, but this time select "Temporily enable advanced interface features".


(Sorry I couldn't capture the whole page in one capture)
Under "group metrics", only one item shown.
But, all 4 events shown on the bottom of the screen now.

Can we confirm if this is a bug?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[DebianGuru]

I have additional infomation. If I choose to use OQL to query, and use "* | groupby rule.name event.module* event.severity_label" I see only 2 events. If I remove the "event.severity_label" and just use "* | groupby rule.name event.module*" I can see all the events. My thought was that the "event.severity_label" field was missing from my misbehaving alerts, but they do show up as can be seen above as "critical". Why don't the events show up when the field is clearly present? Thanks for any additional help.

[DebianGuru]

I have added an elasticagent agent to a Linux endpoint and enabled a few community plays. I verified what I had though. Some field must not be putting in for playbook alerts, that the 'Alerts" in SOC is looking for.

[DebianGuru]

I hope this helps the analysis. Any time I add a "|groupby" (any field) in a search string, all the alerts from Playbook disappear. My guess is something in the "groupby" code is choking.

[reyesj2]

I am not able to replicate. I created a test playbook rule named TEST and just navigating to my Alerts page I can see the alert populate as expected. Along with my Suricata alerts. Can you share your custom play and I can test with that one aswell

[DebianGuru]

reyesj2, I really appreciate the input. I gave up on a custom alert, thinking that was the issue and I just enabled a community rule. I got the same results. Again, you can see over 1500+ in the "Total Found" in the upper right hand corner, but only the 6 Suricata events listed below:

Here's something else strange. I had selected the advanced options and then I can see the alerts from Playbook also.
A portion of my screenshot shows that the Suricata alerts are under the "Group Metrics" section, but no Playbook. Under the "Events" you can see all the Playbook alerts.

This is even stranger. Look at the custom query in the bar.... It returns NO results.

But if I remove the end of the query (event.severity_label), the results are returned.

It's like the event.severity_label is preventing if from displaying, but obviously when they are down in the "event", you can clearly see that field is populated with a reasonable value.

I've tried looking through a lot of logs and even a good bit of the source code to find out where these fields are being queried and populated into the web page. Unfortunately, my working knowledge of the inner workings of SO isn't sufficient.