
[BUG] Security Analytics do not throw an error when incompatible detectorType is mentioned with detector rules #518

Closed
sbcd90 opened this issue Aug 22, 2023 · 0 comments
Labels
bug Something isn't working

Comments


sbcd90 commented Aug 22, 2023

What is the bug?
We do not throw an error when an incompatible detectorType is specified together with detector rules.
e.g.

How can one reproduce the bug?
Steps to reproduce the behavior:

  • In the following detector payload,
POST /_plugins/_security_analytics/detectors
{
  "inputs": [
    {
      "detector_input": {
        "indices": ["ad_logs"],
        "description": "ad_ldap logs detector for security analytics",
        "pre_packaged_rules": [
          {
            "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
          },
          {
            "id": "11c767ae-500b-423b-bae3-b244450736ed"
          },
          {
            "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
          },
          {
            "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
          },
          {
            "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
          },
          {
            "id": "9494bff8-959f-4440-abce-fb87a208d517"
          },
          {
            "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
          },
          {
            "id": "a0413867-daf3-43dd-9255-734b3a787942"
          },
          {
            "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
          },
          {
            "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
          },
          {
            "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
          }
        ]
      }
    }
  ],
  "type": "detector",
  "schedule": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  },
  "enabled": true,
  "name": "YzkMghCwxK",
  "detector_type": "windows",
  "triggers": [
    {
      "id": "PQt-M4YB6gsTwFE2d01o",
      "tags": [],
      "severity": "1",
      "actions": [],
      "ids": [],
      "sev_levels": [],
      "types": [
        "ad_ldap"
      ],
      "name": "test-trigger"
    }
  ]
}

detector_type is windows while the rules are for the ad_ldap category (e.g. rule id 31d68132-4038-47c7-8f8d-635a39a7c174).

  • When we search the detectors, we see that the monitor did not get generated (monitor_id and bucket_monitor_id_rule_id are empty in the stored detector):
GET /.opensearch-sap-detectors-config/_search
{
  "size": 20,
  "query": {
    "match_all": {}
  }
}

{
        "_index": ".opensearch-sap-detectors-config",
        "_id": "nEJyH4oBJTiwTm2SFwLH",
        "_score": 1,
        "_source": {
          "detector": {
            "type": "detector",
            "name": "YzkMghCwxK",
            "detector_type": "windows",
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": "__user__"
            },
            "enabled": true,
            "enabled_time": 1692744685501,
            "schedule": {
              "period": {
                "interval": 1,
                "unit": "MINUTES"
              }
            },
            "inputs": [
              {
                "detector_input": {
                  "description": "ad_ldap logs detector for security analytics",
                  "indices": [
                    "ad_logs"
                  ],
                  "custom_rules": [],
                  "pre_packaged_rules": [
                    {
                      "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
                    },
                    {
                      "id": "11c767ae-500b-423b-bae3-b244450736ed"
                    },
                    {
                      "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
                    },
                    {
                      "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
                    },
                    {
                      "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
                    },
                    {
                      "id": "9494bff8-959f-4440-abce-fb87a208d517"
                    },
                    {
                      "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
                    },
                    {
                      "id": "a0413867-daf3-43dd-9255-734b3a787942"
                    },
                    {
                      "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
                    },
                    {
                      "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
                    },
                    {
                      "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
                    }
                  ]
                }
              }
            ],
            "triggers": [
              {
                "id": "PQt-M4YB6gsTwFE2d01o",
                "name": "test-trigger",
                "severity": "1",
                "types": [
                  "ad_ldap"
                ],
                "ids": [],
                "sev_levels": [],
                "tags": [],
                "actions": []
              }
            ],
            "last_update_time": 1692744685501,
            "monitor_id": [],
            "bucket_monitor_id_rule_id": {},
            "rule_topic_index": ".opensearch-sap-windows-detectors-queries",
            "alert_index": ".opensearch-sap-windows-alerts",
            "alert_history_index": ".opensearch-sap-windows-alerts-history",
            "alert_history_index_pattern": "<.opensearch-sap-windows-alerts-history-{now/d}-1>",
            "findings_index": ".opensearch-sap-windows-findings",
            "findings_index_pattern": "<.opensearch-sap-windows-findings-{now/d}-1>"
          }
        }
      }


sbcd90 added the bug and untriaged labels Aug 22, 2023
sbcd90 closed this as completed Sep 2, 2023
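The check the issue says the plugin skipped, as an added example in Python that is not the security-analytics plugin's own code: before a detector is created, every pre-packaged rule it references must belong to the detector's own log category, and after creation the stored document must carry a monitor. RULE_CATALOG is a constructed rule-id-to-category lookup built from the issue's statement that all eleven referenced rules are ad_ldap rules (the real mapping would be read from the plugin's pre-packaged rule index); rule_mismatches(), validate_detector() and is_detector_wired() are hypothetical helper names, and the payload and stored document are reduced copies of the ones in the report.

```python
"""Pre-flight and post-create checks for a Security Analytics detector.

Added example, not plugin code. RULE_CATALOG is a constructed lookup; the
function names are hypothetical.
"""

# Constructed lookup: the issue states all eleven referenced rules are
# ad_ldap rules, so each id maps to that category here.
AD_LDAP_RULE_IDS = [
    "31d68132-4038-47c7-8f8d-635a39a7c174",
    "11c767ae-500b-423b-bae3-b244450736ed",
    "ebbeb024-5b1d-4e16-9c1c-917f86c708a7",
    "4d136857-6a1a-432a-82ec-5dd497ee5e7c",
    "4f77e1d7-3972-4ee0-8489-abf2d6b75284",
    "9494bff8-959f-4440-abce-fb87a208d517",
    "5afa454e-030c-4ab4-9253-a90aa7fac581",
    "a0413867-daf3-43dd-9255-734b3a787942",
    "48739819-8230-4de3-a8ea-e0289d1fb0ff",
    "287a39fc-4914-4831-9ada-270e9dc12cb4",
    "dff74231-dbed-42ab-ba49-84289be2ac3a",
]
RULE_CATALOG = {rule_id: "ad_ldap" for rule_id in AD_LDAP_RULE_IDS}

# The issue's create-detector payload, reduced to the fields checked below.
DETECTOR_PAYLOAD = {
    "name": "YzkMghCwxK",
    "detector_type": "windows",
    "inputs": [
        {
            "detector_input": {
                "indices": ["ad_logs"],
                "pre_packaged_rules": [{"id": r} for r in AD_LDAP_RULE_IDS],
            }
        }
    ],
}

# Constructed copy of the stored detector document from the issue, reduced
# to the fields is_detector_wired() consults.
STORED_DETECTOR = {
    "_index": ".opensearch-sap-detectors-config",
    "_id": "nEJyH4oBJTiwTm2SFwLH",
    "_source": {
        "detector": {
            "detector_type": "windows",
            "monitor_id": [],
            "bucket_monitor_id_rule_id": {},
        }
    },
}


class DetectorValidationError(ValueError):
    """Raised when a payload would yield a detector that never runs."""


def rule_mismatches(payload: dict, catalog: dict = RULE_CATALOG) -> list:
    """Return (rule_id, rule_category) for every referenced pre-packaged rule
    whose category differs from payload['detector_type']; unknown ids raise."""
    detector_type = payload.get("detector_type")
    if not detector_type:
        raise DetectorValidationError("detector_type is required")
    mismatches = []
    for entry in payload.get("inputs", []):
        rules = entry.get("detector_input", {}).get("pre_packaged_rules", [])
        for rule in rules:
            rule_id = rule.get("id")
            category = catalog.get(rule_id)
            if category is None:
                raise DetectorValidationError(f"unknown pre-packaged rule id: {rule_id}")
            if category != detector_type:
                mismatches.append((rule_id, category))
    return mismatches


def validate_detector(payload: dict, catalog: dict = RULE_CATALOG) -> dict:
    """Return the payload unchanged when it is consistent; otherwise raise the
    error the plugin should have thrown, naming the offending rules."""
    bad = rule_mismatches(payload, catalog)
    if bad:
        listing = ", ".join(f"{rule_id} ({cat})" for rule_id, cat in bad)
        raise DetectorValidationError(
            f"detector_type={payload['detector_type']!r} but these rules belong "
            f"to other categories: {listing}"
        )
    return payload


def is_detector_wired(config_hit: dict) -> bool:
    """Post-create check on a .opensearch-sap-detectors-config hit: a detector
    that silently failed has an empty monitor_id list, so it will never run."""
    detector = config_hit.get("_source", {}).get("detector", {})
    return bool(detector.get("monitor_id"))


if __name__ == "__main__":
    try:
        validate_detector(DETECTOR_PAYLOAD)
    except DetectorValidationError as exc:
        print("rejected:", exc)
    print("stored detector has a monitor:", is_detector_wired(STORED_DETECTOR))
```

Run the pre-flight check on the payload before the POST and the post-create check on the search hit afterwards; a detector that passes the first but fails the second points at a server-side problem rather than a bad payload.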
riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Feb 20, 2024
* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#491

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Provide empty states for Findings and Alerts page opensearch-project#471

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor and move field mapping to the first page of the create detector feature opensearch-project#495

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create global state object for async requests opensearch-project#493

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Create detector \ Refactor alert triggers per mocks opensearch-project#498

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#502

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [FEATURE] Update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* Update detector details component opensearch-project#504

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [BUG] No space between the detector details and the rule panel opensearch-project#522
[BUG] A rule flyout without references have an empty link opensearch-project#521
[FEATURE] Update header size to use euiTitle--small opensearch-project#520

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* [BUG] No space between the detector details and the rule panel opensearch-project#522
[BUG] A rule flyout without references have an empty link opensearch-project#521
[FEATURE] Update header size to use euiTitle--small opensearch-project#520

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* updated create detectors cypress specs

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* refactored util methods into cypress commands

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* refactored util methods into cypress commands

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

* cypress tests wait interval updated to 400

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>

---------

Signed-off-by: Jovan Cvetkovic <jovanca.cvetkovic@gmail.com>
Signed-off-by: Amardeepsingh Siglani <amardeep7194@gmail.com>
Co-authored-by: Amardeepsingh Siglani <amardeep7194@gmail.com>