[BUG] Issue with detection rule creation using API #1411

Open
antoine-enalean opened this issue Oct 31, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@antoine-enalean

What is the bug?
I can't create new detection rules using the API. I'm getting weird errors.

How can one reproduce the bug?
From the DevTools, execute the following request:
```
POST /_plugins/_security_analytics/rules?category=okta
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
logsource:
  product: okta
title: Okta Admin Role Assignment Created
description: >-
  Detects when a new admin role assignment is created. Which could be a sign of
  privilege escalation or persistence.
tags:
```

From the CLI, execute the following command (with the rule above in the file):
```
curl -v -H 'Authorization: Basic ...' -X 'POST' -H 'osd-xsrf: true' \
  --data-binary '@../okta/okta_admin_role_assigment_created.yml' \
  'https://.../_plugins/_security_analytics/rules?category=okta'
```

What is the expected behavior?
The rule syntax is correct and I can add it through the interface, so I don't see why it wouldn't work through the API. Same situation with our other rules.

What is actually happening?
From the DevTools, I get the following error:
```
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Unknown error"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Unknown error",
    "caused_by": {
      "type": "exception",
      "reason": "org.opensearch.action.search.SearchPhaseExecutionException: "
    }
  },
  "status": 500
}
```

From the CLI using curl, I get the following error:
```
{"ok":false,"error":"Cannot read properties of undefined (reading 'length')"}
```

What is your host/environment?

  • Version: OpenSearch 2.17
  • Plugin: Security Analytics

Do you have any screenshots?

@antoine-enalean added the bug and untriaged labels on Oct 31, 2024
@andrross
Member

[Catch All Triage - 1, 2, 3, 4, 5]
