
[SIEM][Detection Engine] - signals search endpoint not accepting size 0 requests #70613

Closed
yctercero opened this issue Jul 2, 2020 · 5 comments
Assignees
Labels
Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@yctercero
Contributor

Kibana version:
7.8

Describe the bug:
On initial render of the SIEM pages, a 400 error was showing for POST http://localhost:5601/api/detection_engine/signals/search. This initial call is being used to populate the Last alert text that shows at the top of a number of the pages. The reason the size was 0 is because we weren't interested in the signals themselves, just the timestamp of the last alert. Teamed up with @XavierM and it seems to us that the issue is the server side validation. It may be Hapi misreading the 0 as false or our updated validation not accepting size 0.

Steps to reproduce:

  1. Go to Security/Alerts page
  2. Look in console network tab
  3. Notice 400 error for signals search

Expected behavior:
This request should be allowed through to Elastic, as a size of 0 is a valid parameter.

Screenshots (if relevant):
(screenshot omitted: "bug")

Errors in browser console (if relevant):

POST http://localhost:5601/api/detection_engine/signals/search 400 (Bad Request)
error: "Bad Request"
message: "[request body]: Invalid value "0" supplied to "size""
statusCode: 400
@yctercero yctercero self-assigned this Jul 2, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@spong
Member

spong commented Jul 7, 2020

or our updated validation not accepting size 0.

That appears to be the case -- looks like size is typed as PositiveIntegerGreaterThanZero for the querySignalsRoute 🙂
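
The validation failure described in the issue body and pinned down in the comment above, as an added illustration (not Kibana's or io-ts's own code): a minimal io-ts-style refinement decoder, with the over-strict `PositiveIntegerGreaterThanZero` beside the corrected `PositiveInteger` that admits `size: 0`, applied to a constructed "last alert" request body. The `Decoder`/`validateSize` names and the body shape are assumptions for the example; the error message format mirrors the console output quoted in the issue.

```typescript
// Added example (not Kibana's code): a tiny io-ts-style refinement decoder
// showing why a `size` typed as "greater than zero" rejects `size: 0`.

type Decoded<T> = { ok: true; value: T } | { ok: false; message: string };

// A decoder is a type name plus a predicate over the raw JSON value.
interface Decoder<T> {
  name: string;
  is: (u: unknown) => u is T;
}

// Over-strict type: what the querySignalsRoute used when the bug was filed.
const PositiveIntegerGreaterThanZero: Decoder<number> = {
  name: 'PositiveIntegerGreaterThanZero',
  is: (u: unknown): u is number =>
    typeof u === 'number' && Number.isSafeInteger(u) && u > 0,
};

// Corrected type: 0 is a legitimate Elasticsearch `size` when only the
// response metadata (here: the timestamp of the last alert) is wanted.
const PositiveInteger: Decoder<number> = {
  name: 'PositiveInteger',
  is: (u: unknown): u is number =>
    typeof u === 'number' && Number.isSafeInteger(u) && u >= 0,
};

// Validate the optional `size` field of a request body, producing the same
// message shape the route returned in the browser console.
function validateSize(
  body: Record<string, unknown>,
  sizeType: Decoder<number>
): Decoded<number | undefined> {
  const size = body.size;
  // Test for absence with `=== undefined`, not `!size`: a falsy check would
  // silently treat a supplied 0 as "missing", which is the other 0-as-false
  // pitfall the issue speculates about.
  if (size === undefined) {
    return { ok: true, value: undefined };
  }
  if (!sizeType.is(size)) {
    return {
      ok: false,
      message: `[request body]: Invalid value "${String(size)}" supplied to "size"`,
    };
  }
  return { ok: true, value: size };
}

// Constructed request body for the "last alert timestamp" call.
const lastAlertBody: Record<string, unknown> = { query: { match_all: {} }, size: 0 };
```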

@yctercero
Contributor Author

or our updated validation not accepting size 0.

That appears to be the case -- looks like size is typed as PositiveIntegerGreaterThanZero for the querySignalsRoute 🙂

Thanks @spong ! It's on my list to fix.

@spong
Member

spong commented Jul 9, 2020

No problemo @yctercero -- thanks for the fix in #70618! 🙂 @XavierM and myself are speculating that this also fixed the empty Alerts table issue as well, as we might not have been handling that initial error correctly. Need to dig into it to verify, but we haven't seen that issue since your fix made it in.

@FrankHassanabad
Contributor

Tested on the latest of master and this looks fixed, closing this now.

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020