Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] NullPointerException while inserting Orphan findings when detector type is missing in Log type index #1415

Closed
goyamegh opened this issue Feb 8, 2024 · 1 comment
Closed

[BUG] NullPointerException while inserting Orphan findings when detector type is missing in Log type index #1415

goyamegh opened this issue Feb 8, 2024 · 1 comment
Labels
bug Something isn't working untriaged

Comments

@goyamegh
Copy link
Collaborator

goyamegh commented Feb 8, 2024

What is the bug?
NullPointerException is thrown when Correlations are running, and the flow to insert Orphan findings is invoked. This is happening when detector type is missing in the Log types index

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Go to Security Analytics and create a detector.
  2. Follow up with correlation rules
  3. See errors in the logs:
[2024-02-07T15:38:48,116][ERROR][o.o.s.u.SecurityAnalyticsException] [25c1ef95a376d5b13cdbde33eaa50bbe] Security Analytics error:
java.lang.NullPointerException: Cannot invoke "org.opensearch.securityanalytics.model.CustomLogType.getTags()" because the return value of "java.util.Map.get(Object)" is null
        at org.opensearch.securityanalytics.correlation.VectorEmbeddingsEngine.insertOrphanFindings(VectorEmbeddingsEngine.java:229)
        at org.opensearch.securityanalytics.transport.TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.onResponse(TransportCorrelateFindingAction.java:629)
        at org.opensearch.securityanalytics.transport.TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.onResponse(TransportCorrelateFindingAction.java:605)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:113)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:107)
        at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionListener.onResponse(PerformanceAnalyzerActionListener.java:55)
        at org.opensearch.action.support.TimeoutTaskCancellationUtility$TimeoutRunnableListener.onResponse(TimeoutTaskCancellationUtility.java:132)
        at org.opensearch.action.search.TransportSearchAction.lambda$executeRequest$0(TransportSearchAction.java:453)
        at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82)
        at org.opensearch.core.action.ActionListener$5.onResponse(ActionListener.java:268)
        at org.opensearch.action.search.AbstractSearchAsyncAction.sendSearchResponse(AbstractSearchAsyncAction.java:707)
        at org.opensearch.action.search.ExpandSearchPhase.run(ExpandSearchPhase.java:132)
        at org.opensearch.action.search.SearchPhase.recordAndRun(SearchPhase.java:59)
        at org.opensearch.action.search.AbstractSearchAsyncAction.executePhase(AbstractSearchAsyncAction.java:456)
        at org.opensearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:440)
        at org.opensearch.action.search.FetchSearchPhase.moveToNextPhase(FetchSearchPhase.java:298)
        at org.opensearch.action.search.FetchSearchPhase.lambda$innerRun$1(FetchSearchPhase.java:138)
        at org.opensearch.action.search.CountedCollector.countDown(CountedCollector.java:66)
        at org.opensearch.action.search.ArraySearchPhaseResults.consumeResult(ArraySearchPhaseResults.java:61)
        at org.opensearch.action.search.CountedCollector.onResult(CountedCollector.java:74)
        at org.opensearch.action.search.FetchSearchPhase$2.innerOnResponse(FetchSearchPhase.java:243)
        at org.opensearch.action.search.FetchSearchPhase$2.innerOnResponse(FetchSearchPhase.java:238)
        at org.opensearch.action.search.SearchActionListener.onResponse(SearchActionListener.java:59)
        at org.opensearch.action.search.SearchActionListener.onResponse(SearchActionListener.java:44)
        at org.opensearch.action.ActionListenerResponseHandler.handleResponse(ActionListenerResponseHandler.java:70)
        at org.opensearch.action.search.SearchTransportService$ConnectionCountingHandler.handleResponse(SearchTransportService.java:744)
        at org.opensearch.transport.TransportService$6.handleResponse(TransportService.java:897)
        at org.opensearch.security.transport.SecurityInterceptor$RestoringTransportResponseHandler.handleResponse(SecurityInterceptor.java:412)
        at org.opensearch.transport.TransportService$ContextRestoreResponseHandler.handleResponse(TransportService.java:1516)
        at org.opensearch.transport.InboundHandler.doHandleResponse(InboundHandler.java:411)
        at org.opensearch.transport.InboundHandler.handleResponse(InboundHandler.java:403)
        at org.opensearch.transport.InboundHandler.messageReceived(InboundHandler.java:168)
        at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:123)
        at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:770)
        at org.opensearch.transport.InboundPipeline.forwardFragments(InboundPipeline.java:175)
        at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:150)
        at org.opensearch.transport.InboundPipeline.handleBytes(InboundPipeline.java:115)
        at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:95)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:280)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1471)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383)

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

  • OS: [e.g. iOS]
  • Version [e.g. 22]
  • Plugins SAP and Correlations

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.
@goyamegh goyamegh added bug Something isn't working untriaged labels Feb 8, 2024
@goyamegh
Copy link
Collaborator Author

goyamegh commented Feb 8, 2024

Moving to SAP backlog: opensearch-project/security-analytics#844

@goyamegh goyamegh closed this as completed Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working untriaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@goyamegh