What is the bug?
I can't create new detection rules using the API. I'm getting weird errors.
How can one reproduce the bug?
From the DevTools execute the following request:

```
POST /_plugins/_security_analytics/rules?category=okta
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
logsource:
  product: okta
title: Okta Admin Role Assignment Created
description: >-
  Detects when a new admin role assignment is created. Which could be a sign of
  privilege escalation or persistence.
tags:
  - attack.persistence
falsepositives:
  - Legitimate creation of a new admin role assignment
level: medium
status: experimental
references:
author: Nikita Khalimonenkov
detection:
  selection:
    okta_event.eventType: iam.resourceset.bindings.add
  condition: selection
```
From the CLI execute the following command (with the rule above in the file):

```shell
curl -v -H 'Authorization: Basic ...' -X 'POST' -H 'osd-xsrf: true' \
  --data-binary '@../okta/okta_admin_role_assigment_created.yml' \
  https://.../_plugins/_security_analytics/rules?category=okta
```
What is the expected behavior?
The rule syntax is correct and I can add it through the interface, so I don't see why it wouldn't work through the API. Same situation with our other rules.
What is actually happening?
From the DevTools I get the following error:

```json
{
  "error": {
    "root_cause": [
      { "type": "security_analytics_exception", "reason": "Unknown error" }
    ],
    "type": "security_analytics_exception",
    "reason": "Unknown error",
    "caused_by": {
      "type": "exception",
      "reason": "org.opensearch.action.search.SearchPhaseExecutionException: "
    }
  },
  "status": 500
}
```

From the CLI using curl I get the following error:

```json
{"ok":false,"error":"Cannot read properties of undefined (reading 'length')"}
```
What is your host/environment?
Version: OpenSearch 2.17
Plugin: Security Analytics
Do you have any screenshots?
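An added example, not part of the issue above: a small client that checks a Sigma rule has the top-level keys the plugin needs before submitting it, POSTs it with the same headers as the curl command in the report, and unwraps the plugin's error envelope (or the Dashboards proxy's `{"ok": false, "error": ...}`) so the actual cause is visible instead of a bare "Unknown error". The host, credentials and the shortened rule copy are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

RULE_YAML = """\
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
logsource:
  product: okta
detection:
  selection:
    okta_event.eventType: iam.resourceset.bindings.add
  condition: selection
"""  # constructed copy of the report's rule with its nesting restored (other keys omitted)
REQUIRED = ("title", "logsource", "detection")

def top_level_keys(rule_yaml):
    """Column-0 'key:' lines of the YAML; enough to check Sigma's top-level shape without PyYAML."""
    return [ln.split(":", 1)[0] for ln in rule_yaml.splitlines()
            if ln and not ln[0].isspace() and not ln.startswith("#") and ":" in ln]

def missing_keys(rule_yaml):
    """Required Sigma top-level keys absent from the rule; an empty list means the shape is fine."""
    present = set(top_level_keys(rule_yaml))
    return [k for k in REQUIRED if k not in present]

def explain_error(body):
    """Flatten the JSON error envelope returned by the plugin or by the Dashboards proxy."""
    doc = json.loads(body)
    err = doc.get("error")
    if isinstance(err, dict):  # OpenSearch-style envelope with root_cause / caused_by
        cause = err.get("caused_by", {}).get("reason", "").strip() or "n/a"
        return f"{err.get('type')}: {err.get('reason')} (caused by: {cause})"
    return f"proxy error: {err}"  # Dashboards proxy style: {"ok": false, "error": "..."}

def create_rule(base_url, user, password, rule_yaml, category="okta"):
    """POST the rule exactly as the curl in the report does; return (status, explanation)."""
    if missing_keys(rule_yaml):
        raise ValueError(f"rule is missing required keys: {missing_keys(rule_yaml)}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/_plugins/_security_analytics/rules?category={category}",
        data=rule_yaml.encode(), method="POST",
        headers={"Authorization": f"Basic {token}", "osd-xsrf": "true"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # 4xx/5xx: surface the envelope's cause, not just the code
        return exc.code, explain_error(exc.read().decode())
```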