
[Security Solution] Source.ip array values cause SIEM - Network - http tab to crash with ip.replace is not a function error #110844

Closed
TheRiffRafi opened this issue Sep 1, 2021 · 10 comments
Labels: bug, Team: SecuritySolution, Team:Threat Hunting:Explore, Team:Threat Hunting, v7.17.0

Comments

@TheRiffRafi

Describe the bug:

If the source.ip field in an index being referenced by the "Network" section under SIEM contains an array value, the http tab causes the section to crash:

Kibana/Elasticsearch Stack version: 7.14.0

Functional Area (e.g. Endpoint management, timelines, resolver, etc.): SIEM

Steps to reproduce:

  1. Create an index and document with the following config:
Mapping
PUT httptest1

PUT httptest1/_mapping
{
  "properties": {
    "source": {
      "properties": {
        "ip": {
          "type": "ip"
        }
      }
    },
    "host": {
      "properties":{
        "name":{
          "type": "keyword"
        }
      }
    },
    "destination": {
      "properties": {
        "geo": {
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        }
      }
    },
    "@timestamp": {
      "type": "date",
      "store": true
    },
    "url": {
      "properties": {
        "path": {
          "type": "keyword"
        },
        "domain": {
          "type": "keyword"
        }
      }
    },
    "http": {
      "properties": {
        "request": {
          "properties": {
            "method": {
              "type": "keyword"
            }
          }
        },
        "response": {
          "properties": {
            "status_code": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}
Create document
PUT httptest1/_doc/106
{
    "destination": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-FL",
        "city_name": "Celebration",
        "country_iso_code": "US",
        "country_name": "United States",
        "region_name": "Florida",
        "location": {
          "lon": -98.4935,
          "lat": 29.4247
        }
      },
      "as": {
        "number": 8015,
        "organization": {
          "name": "Some Org"
        }
      },
      "bytes": 754,
      "ip": "22.222.22.222"
    },
    "source": {
      "bytes": 1666,
      "ip": [ 
        "111.11.111.11"
      ]
    },
    "host": {
      "name": "host.domain.com"
    },
    "url": {
      "original": "web.domain.com/path/to/whatever",
      "path": "/path/to/whatever",
      "domain": "domain.com"
    },
    "@timestamp": "2021-09-01T13:09:47.000Z",
    "http": {
      "request": {
        "referrer": "None",
        "method":["Allowed","POST"]
      },
      "response":{
        "status_code": 200
      }
    }
  }
  2. Create index pattern for index.

  3. Navigate to Kibana -> SIEM -> Network.

  4. Modify the "Data Sources" drop down to include the test index pattern.

  5. Click on "Http" tab, and get the ip.replace is not a function error.

Current behavior:
http tab crashes SIEM app.

Expected behavior:
http tab is able to handle array values for source.ip field.

Screenshots (if relevant):
Screen Shot 2021-09-01 at 11 24 16

Provide logs and/or server output (if relevant):

Full stack (top frames):

Error: ip.replace is not a function
encodeIpv6@https://monitoring-e5f850.kb.us-west1.gcp.cloud.es.io:9243/42747/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.6.js:62:284584
NetworkDetailsLinkComponent@https://monitoring-e5f850.kb.us-west1.gcp.cloud.es.io:9243/42747/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.6.js:3:18166
@TheRiffRafi TheRiffRafi added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Sep 1, 2021
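To make the crash concrete, here is an added JavaScript example (not code from Kibana or from this issue) that models an `encodeIpv6`-style helper assuming a string, shows it throwing a TypeError on the array-valued `source.ip` from the report, and normalises multi-valued fields before encoding. `encodeIpv6Unsafe`, `toStringArray`, `encodeIpv6Safe`, `crashesOnValue` and `networkLinkPaths` are hypothetical names, and the link path format is assumed.

```javascript
// Added example (not Kibana's code): why an array-valued source.ip makes an
// "ip.replace is not a function" crash, and how a renderer can normalise the
// value first. All function names here are hypothetical.

// Models the helper named in the stack trace: it assumes `ip` is a string and
// rewrites ':' so an IPv6 address can be embedded in a URL path segment.
function encodeIpv6Unsafe(ip) {
  return ip.replace(/:/g, '-');
}

// Elasticsearch hands a field back as an array whenever the document stored one
// (source.ip: ["111.11.111.11"] in the report), so UI code must accept
// string | string[] | null | undefined rather than assuming a scalar.
function toStringArray(value) {
  if (value == null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list
    .filter((v) => v != null && String(v).length > 0)
    .map((v) => String(v));
}

// Hardened variant: normalise to an array of strings, then encode each entry.
function encodeIpv6Safe(ip) {
  return toStringArray(ip).map((v) => v.replace(/:/g, '-'));
}

// Returns true when the unsafe helper throws the TypeError seen in the report.
function crashesOnValue(value) {
  try {
    encodeIpv6Unsafe(value);
    return false;
  } catch (e) {
    return e instanceof TypeError && /replace is not a function/.test(e.message);
  }
}

// Builds one hypothetical link path per address for a hit shaped like the
// report's document, never touching a value without normalising it first.
function networkLinkPaths(hit) {
  const paths = [];
  for (const side of ['source', 'destination']) {
    const raw = hit[side] && hit[side].ip;
    for (const encoded of encodeIpv6Safe(raw)) {
      paths.push(`/network/ip/${encoded}/${side}`);
    }
  }
  return paths;
}

// Constructed hit that mirrors the document in the report: source.ip is an
// array, destination.ip is a scalar.
const sampleHit = {
  source: { bytes: 1666, ip: ['111.11.111.11'] },
  destination: { bytes: 754, ip: '22.222.22.222' },
};

console.log('unsafe helper crashes on array:', crashesOnValue(sampleHit.source.ip));
console.log('link paths:', networkLinkPaths(sampleHit));
```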
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@FrankHassanabad FrankHassanabad added the Team:Threat Hunting Security Solution Threat Hunting Team label Sep 1, 2021
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@MadameSheema
Member

@karanbirsingh-qasource can you please validate the fix of this issue on 7.16 BC4? Thanks :)

@ghost

ghost commented Nov 15, 2021

Hi @MadameSheema,

We have validated this issue on 7.16.0 BC4 Self Managed and found that the issue is still occurring 🔴 on adding the mentioned test index under the network data source.

Build Details:

Version: 7.16.0 BC4
Commit: e50bc2eded568ff3ceaebdbe616f84b3987be975
Build:45952

Screen-Cast:

network.mp4

@stephmilovic
Contributor

stephmilovic commented Nov 15, 2021

I believe that error is happening because their mappings are incorrect. Can you post the mapping? I remember now, the mapping is above. Need to remember what I did to fix it, brb ;P

@stephmilovic
Contributor

OK, posting the full correct ECS mapping for the source/destination fields corrects this issue:

Mapping
PUT httptest1/_mapping
{
  "properties": {
  "source": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "host": {
      "properties":{
        "name":{
          "type": "keyword"
        }
      }
    },
    "destination": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "@timestamp": {
      "type": "date",
      "store": true
    },
    "url": {
      "properties": {
        "path": {
          "type": "keyword"
        },
        "domain": {
          "type": "keyword"
        }
      }
    },
    "http": {
      "properties": {
        "request": {
          "properties": {
            "method": {
              "type": "keyword"
            }
          }
        },
        "response": {
          "properties": {
            "status_code": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}

@ghost

ghost commented Nov 16, 2021

Thanks @stephmilovic for sharing the updated mapping; however, the issue is still occurring.

We are getting the below error on setting the test index.

image

Error Logs:

{
  "message": "status_exception",
  "statusCode": 400,
  "attributes": {
    "type": "status_exception",
    "reason": "error while executing search",
    "caused_by": {
      "type": "search_phase_execution_exception",
      "reason": "all shards failed",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
        {
          "shard": 0,
          "index": "httptest1",
          "node": "HfosdqR_Q6m4ks27yxpnbg",
          "reason": {
            "type": "illegal_argument_exception",
            "reason": "Field [http.response.status_code] of type [keyword] does not support custom formats"
          }
        }
      ],
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "Field [http.response.status_code] of type [keyword] does not support custom formats",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Field [http.response.status_code] of type [keyword] does not support custom formats"
        }
      }
    }
  }
}

Steps Followed:

Created Index
PUT httptest1
Mapping
PUT httptest1/_mapping
{
  "properties": {
  "source": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "host": {
      "properties":{
        "name":{
          "type": "keyword"
        }
      }
    },
    "destination": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "@timestamp": {
      "type": "date",
      "store": true
    },
    "url": {
      "properties": {
        "path": {
          "type": "keyword"
        },
        "domain": {
          "type": "keyword"
        }
      }
    },
    "http": {
      "properties": {
        "request": {
          "properties": {
            "method": {
              "type": "keyword"
            }
          }
        },
        "response": {
          "properties": {
            "status_code": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}
Created Document
PUT httptest1/_doc/106
{
    "destination": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-FL",
        "city_name": "Celebration",
        "country_iso_code": "US",
        "country_name": "United States",
        "region_name": "Florida",
        "location": {
          "lon": -98.4935,
          "lat": 29.4247
        }
      },
      "as": {
        "number": 8015,
        "organization": {
          "name": "Some Org"
        }
      },
      "bytes": 754,
      "ip": 
       "22.222.22.222"
      
    },
    "source": {
      "bytes": 1666,
      "ip": [ 
        "111.11.111.11"
      ]
    },
    "host": {
      "name": "host.domain.com"
    },
    "url": {
      "original": "web.domain.com/path/to/whatever",
      "path": "/path/to/whatever",
      "domain": "domain.com"
    },
    "@timestamp": "2021-09-01T13:09:47.000Z",
    "http": {
      "request": {
        "referrer": "None",
        "method":["Allowed","POST"]
      },
      "response":{
        "status_code": 200
      }
    }
  }

Screen-Cast:

file.mp4

Please let us know if we are missing something.

thanks !!

@stephmilovic
Contributor

@karanbirsingh-qasource can you please try to change the status_code mapping to be of type long?

PUT httptest1/_mapping
{
  "properties": {
  "source": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "host": {
      "properties":{
        "name":{
          "type": "keyword"
        }
      }
    },
    "destination": {
      "properties": {
        "address": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "as": {
          "properties": {
            "number": {
              "type": "long"
            },
            "organization": {
              "properties": {
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024,
                  "fields": {
                    "text": {
                      "type": "match_only_text"
                    }
                  }
                }
              }
            }
          }
        },
        "bytes": {
          "type": "long"
        },
        "domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "geo": {
          "properties": {
            "city_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "continent_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "country_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "location": {
              "type": "geo_point"
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "postal_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_iso_code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "region_name": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "ip": {
          "type": "ip"
        },
        "mac": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "nat": {
          "properties": {
            "ip": {
              "type": "ip"
            },
            "port": {
              "type": "long"
            }
          }
        },
        "packets": {
          "type": "long"
        },
        "port": {
          "type": "long"
        },
        "registered_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "service": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },
        "subdomain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "top_level_domain": {
          "type": "keyword",
          "ignore_above": 1024
        },
        "user": {
          "properties": {
            "domain": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "email": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "full_name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "group": {
              "properties": {
                "domain": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "name": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "name": {
              "type": "keyword",
              "ignore_above": 1024,
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              }
            },
            "roles": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    },
    "@timestamp": {
      "type": "date",
      "store": true
    },
    "url": {
      "properties": {
        "path": {
          "type": "keyword"
        },
        "domain": {
          "type": "keyword"
        }
      }
    },
    "http": {
      "properties": {
        "request": {
          "properties": {
            "method": {
              "type": "keyword"
            }
          }
        },
        "response": {
          "properties": {
            "status_code": {
              "type": "long"
            }
          }
        }
      }
    }
  }
}
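
The two failure modes discussed on this issue (an array-valued `source.ip` reaching string code, and `http.response.status_code` mapped as `keyword` rather than `long`) both come down to UI code assuming a field's shape instead of normalising it. The following is an added example, not Kibana's own code: a naive formatter that reproduces the `ip.replace is not a function` crash next to a hardened version that accepts scalar-or-array field values, plus a status-code coercion that works with either mapping. The `::ffff:` regex is an assumed stand-in for whatever string operation the real UI performs; `formatIpNaive`, `formatIps`, `toArray`, `toStatusCode` and `summarise` are hypothetical helper names, and the sample document is constructed to mirror the reproduction steps.

```javascript
// Added example, not Kibana's own code. Elasticsearch allows any field to hold
// a scalar or an array of values, so a document whose source.ip is
// ["111.11.111.11"] is valid, yet code that assumes a string and calls
// ip.replace(...) throws "ip.replace is not a function" (the crash in this
// issue). The helpers below normalise field values before formatting them.

// Naive formatter: reproduces the failure mode. The regex is an assumed
// stand-in for whatever string operation the real UI applies.
function formatIpNaive(ip) {
  return ip.replace(/^::ffff:/, '');
}

// Wrap a scalar-or-array field value as an array; null/undefined become [].
function toArray(value) {
  if (value === null || value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Hardened formatter: accepts string | string[] | null and always returns an
// array of formatted strings, skipping any element that is not a string.
function formatIps(ip) {
  return toArray(ip)
    .filter((v) => typeof v === 'string')
    .map((v) => v.replace(/^::ffff:/, ''));
}

// The workaround on this issue was remapping http.response.status_code from
// keyword to long. Coercing the first value to an integer tolerates both
// mappings (and array values) instead of depending on the index template.
function toStatusCode(value) {
  const first = toArray(value)[0];
  if (first === undefined) return null;
  const n = typeof first === 'number' ? first : Number(String(first).trim());
  return Number.isInteger(n) ? n : null;
}

// Returns true when fn(arg) throws a TypeError, which is how the naive
// formatter fails on an array value.
function throwsTypeError(fn, arg) {
  try {
    fn(arg);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample mirroring the document from the reproduction steps.
const sampleDoc = {
  source: { ip: ['111.11.111.11'] },
  destination: { ip: '22.222.22.222' },
  http: { response: { status_code: 200 } },
};

// Render a few fields of a document without touching raw values directly.
function summarise(doc) {
  const src = doc.source || {};
  const dst = doc.destination || {};
  const resp = (doc.http && doc.http.response) || {};
  return {
    sourceIps: formatIps(src.ip),
    destinationIps: formatIps(dst.ip),
    statusCode: toStatusCode(resp.status_code),
  };
}

console.log('naive formatter throws on array:', throwsTypeError(formatIpNaive, sampleDoc.source.ip));
console.log(summarise(sampleDoc));
```

Normalising to an array at the boundary (rather than special-casing arrays in every formatter) is the cheaper fix, because Elasticsearch makes no promise that a single-valued field stays single-valued across documents.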

@ghost

ghost commented Dec 22, 2021

Hi @stephmilovic

We have validated this issue on 8.0.0-SNAPSHOT with the updated mapping and found it Fixed 🟢. No error was faced on the network page for the mentioned custom index.

Build Details:

Version: 8.0.0-SNAPSHOT
commit:002f9fae38acdf71d6df88d808a742976de22cc8
Build:48805

Snapshot:

status_code.mp4

Hence we are closing this issue.

thanks !!

@ghost ghost closed this as completed Dec 22, 2021
@ghost

ghost commented Jan 20, 2022

Hi @MadameSheema

We have validated this issue on 7.17.0 BC2 Self Managed and found it Fixed 🟢

Build Details:

Version:7.17.0 BC2
Commit:a6fd029464413f6979099d7a3d4232c5194a269d
Build:46488

Snapshot: (two screenshots attached)


We are still pending validation of this issue on cloud; if you think it is not required, please feel free to close the issue.

thanks !!

This issue was closed.
5 participants