Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Security Analytics do not throw an error when incompatible detectorType is mentioned with detector rules #518

Closed
sbcd90 opened this issue Aug 22, 2023 · 0 comments
Closed

[BUG] Security Analytics do not throw an error when incompatible detectorType is mentioned with detector rules #518

sbcd90 opened this issue Aug 22, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@sbcd90
Copy link
Collaborator

sbcd90 commented Aug 22, 2023
edited
Loading

What is the bug?
We do not throw an error when incompatible detectorType is mentioned with detector rules.
e.g.

How can one reproduce the bug?
Steps to reproduce the behavior:

  • in the following detector payload,
POST /_plugins/_security_analytics/detectors
{
  "inputs": [
    {
      "detector_input": {
          "indices": ["ad_logs"],
        "description": "ad_ldap logs detector for security analytics",
        "pre_packaged_rules": [
          {
            "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
          },
          {
            "id": "11c767ae-500b-423b-bae3-b244450736ed"
          },
          {
            "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
          },
          {
            "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
          },
          {
            "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
          },
          {
            "id": "9494bff8-959f-4440-abce-fb87a208d517"
          },
          {
            "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
          },
          {
            "id": "a0413867-daf3-43dd-9255-734b3a787942"
          },
          {
            "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
          },
          {
            "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
          },
          {
            "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
          }
        ]
      }
    }
  ],
  "type": "detector",
  "schedule": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  },
  "enabled": true,
  "name": "YzkMghCwxK",
  "detector_type": "windows",
  "triggers": [
    {
      "id": "PQt-M4YB6gsTwFE2d01o",
      "tags": [],
      "severity": "1",
      "actions": [],
      "ids": [],
      "sev_levels": [],
      "types": [
        "ad_ldap"
      ],
      "name": "test-trigger"
    }
  ]
}

detector_type is windows while the rules are for ad_ldap category(

security-analytics/src/main/resources/rules/ad_ldap/win_ldap_recon.yml

Line 2 in 6d49245

id: 31d68132-4038-47c7-8f8d-635a39a7c174
)

  • when we search detectors, we see that the monitor did not get generated.
GET /.opensearch-sap-detectors-config/_search
{
  "size": 20,
  "query": {
    "match_all": {
      
    }
  }
}

{
        "_index": ".opensearch-sap-detectors-config",
        "_id": "nEJyH4oBJTiwTm2SFwLH",
        "_score": 1,
        "_source": {
          "detector": {
            "type": "detector",
            "name": "YzkMghCwxK",
            "detector_type": "windows",
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": "__user__"
            },
            "enabled": true,
            "enabled_time": 1692744685501,
            "schedule": {
              "period": {
                "interval": 1,
                "unit": "MINUTES"
              }
            },
            "inputs": [
              {
                "detector_input": {
                  "description": "ad_ldap logs detector for security analytics",
                  "indices": [
                    "ad_logs"
                  ],
                  "custom_rules": [],
                  "pre_packaged_rules": [
                    {
                      "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
                    },
                    {
                      "id": "11c767ae-500b-423b-bae3-b244450736ed"
                    },
                    {
                      "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
                    },
                    {
                      "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
                    },
                    {
                      "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
                    },
                    {
                      "id": "9494bff8-959f-4440-abce-fb87a208d517"
                    },
                    {
                      "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
                    },
                    {
                      "id": "a0413867-daf3-43dd-9255-734b3a787942"
                    },
                    {
                      "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
                    },
                    {
                      "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
                    },
                    {
                      "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
                    }
                  ]
                }
              }
            ],
            "triggers": [
              {
                "id": "PQt-M4YB6gsTwFE2d01o",
                "name": "test-trigger",
                "severity": "1",
                "types": [
                  "ad_ldap"
                ],
                "ids": [],
                "sev_levels": [],
                "tags": [],
                "actions": []
              }
            ],
            "last_update_time": 1692744685501,
            **"monitor_id": [],
            "bucket_monitor_id_rule_id": {},**
            "rule_topic_index": ".opensearch-sap-windows-detectors-queries",
            "alert_index": ".opensearch-sap-windows-alerts",
            "alert_history_index": ".opensearch-sap-windows-alerts-history",
            "alert_history_index_pattern": "<.opensearch-sap-windows-alerts-history-{now/d}-1>",
            "findings_index": ".opensearch-sap-windows-findings",
            "findings_index_pattern": "<.opensearch-sap-windows-findings-{now/d}-1>"
          }
        }
      }

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

  • OS: [e.g. iOS]
  • Version [e.g. 22]
  • Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.
@sbcd90 sbcd90 added bug Something isn't working untriaged labels Aug 22, 2023
@jowg-amazon jowg-amazon mentioned this issue Aug 29, 2023
Merged
5 tasks
@sbcd90 sbcd90 closed this as completed Sep 2, 2023
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Feb 20, 2024
@jovancvetkovic3006 @amsiglan
cypress | create detector specs update (opensearch-project#518)
e90b633 
* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Provide empty states for Findings and Alerts page opensearch-project#471

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor and move field mapping to first the page of create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <[email protected]>

* Feature] update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <[email protected]>

* Feature] update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <[email protected]>

* Update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [BUG] No space between the detector details and the rule panel opensearch-project#522
[BUG] A rule flyout without references have an empty link opensearch-project#521
[FEATURE] Update header size to use euiTitle--small opensearch-project#520

Signed-off-by: Jovan Cvetkovic <[email protected]>

* [BUG] No space between the detector details and the rule panel opensearch-project#522
[BUG] A rule flyout without references have an empty link opensearch-project#521
[FEATURE] Update header size to use euiTitle--small opensearch-project#520

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <[email protected]>

* refactored util methods into cypress commands

Signed-off-by: Jovan Cvetkovic <[email protected]>

* refactored util methods into cypress commands

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests

Signed-off-by: Jovan Cvetkovic <[email protected]>

* cypress tests wait interval updated to 400

Signed-off-by: Jovan Cvetkovic <[email protected]>

---------

Signed-off-by: Jovan Cvetkovic <[email protected]>
Signed-off-by: Amardeepsingh Siglani <[email protected]>
Co-authored-by: Amardeepsingh Siglani <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sbcd90 @praveensameneni