Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify or tailor the pre-packaged solution.
Apache License 2.0
[BUG] Issue with detection rule creation using API #1411
What is the bug?
I can't create new detection rules using the API. I'm getting weird errors.
How can one reproduce the bug?
From the DevTools execute the following request:

```yaml
POST /_plugins/_security_analytics/rules?category=okta
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
logsource:
  product: okta
title: Okta Admin Role Assignment Created
description: >-
  Detects when a new admin role assignment is created. Which could be a sign of
  privilege escalation or persistence.
tags:
  - attack.persistence
falsepositives:
  - Legitimate creation of a new admin role assignment
level: medium
status: experimental
references:
```
From the CLI execute the following command (with the rule above in the file):

```shell
curl -v -H 'Authorization: Basic ...' -X 'POST' -H 'osd-xsrf: true' \
  --data-binary '@../okta/okta_admin_role_assigment_created.yml' \
  https://.../_plugins/_security_analytics/rules?category=okta
```
What is the expected behavior?
The rule syntax is correct and I can add it through the interface, so I don't see why it wouldn't work through the API. Same situation with our other rules.
What is actually happening?
From the DevTools I get the following error:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Unknown error"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Unknown error",
    "caused_by": {
      "type": "exception",
      "reason": "org.opensearch.action.search.SearchPhaseExecutionException: "
    }
  },
  "status": 500
}
```

From the CLI using curl I get the following error:

```json
{"ok":false,"error":"Cannot read properties of undefined (reading 'length')"}
```
What is your host/environment?
Do you have any screenshots?
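As an added example (not code from the security-analytics project and not the reporter's), the stdlib-only Python below does the three checks a practitioner would run before filing or triaging a report like this one: it verifies that a Sigma rule carries the top-level keys the Sigma specification marks as mandatory (`title`, `logsource`, `detection`), it builds the create-rule request with an explicit `Content-Type` (curl's `--data-binary` sends `application/x-www-form-urlencoded` by default, which OpenSearch's REST layer does not accept for a request body), and it reduces the two error bodies quoted above to their most specific reason, flagging that the flat `{"ok":false,"error":...}` shape is not the error envelope OpenSearch itself returns. The endpoint path and the `category` query parameter are taken from the request in the report; the base URL, the `application/json` content type (assumed to mirror what the DevTools console sends), the sample rules and the placeholder detection field are assumptions. Run against a rule with the same top-level keys as the one pasted above, the check reports a missing `detection` section; whether that is the cause here cannot be determined from the report, since the paste may be truncated.

```python
"""Sanity-check a Sigma rule, build the Security Analytics create-rule
request, and summarise error responses. Added example, not project code."""
import json
import re
import urllib.request
from urllib.parse import quote

# Top-level keys the Sigma rule specification marks as mandatory.
REQUIRED_KEYS = ("title", "logsource", "detection")

# Unindented `key:` lines are the rule's top-level YAML keys.
_TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")

# Constructed rule with the same top-level keys as the one in the report
# (values are placeholders, not the reporter's file).
REPORT_SHAPED_RULE = """\
id: 00000000-0000-4000-8000-000000000000
logsource:
    product: okta
title: Constructed rule with the report's top-level keys
description: >-
    Placeholder description.
tags:
    - attack.persistence
falsepositives:
    - Placeholder false positive
level: medium
status: experimental
references:
"""

# Constructed rule that also carries a detection section; the field name
# and value are placeholders, not real Okta event data.
COMPLETE_RULE = REPORT_SHAPED_RULE + """\
detection:
    selection:
        eventType: placeholder.event.type
    condition: selection
"""

# Copies of the two error bodies quoted in the report.
DEVTOOLS_ERROR = ('{"error":{"root_cause":[{"type":"security_analytics_exception",'
                  '"reason":"Unknown error"}],"type":"security_analytics_exception",'
                  '"reason":"Unknown error","caused_by":{"type":"exception","reason":'
                  '"org.opensearch.action.search.SearchPhaseExecutionException: "}},'
                  '"status":500}')
CLI_ERROR = '{"ok":false,"error":"Cannot read properties of undefined (reading \'length\')"}'


def top_level_keys(rule_yaml: str) -> list:
    """Top-level YAML keys in order of appearance."""
    return [m.group(1) for line in rule_yaml.splitlines()
            if (m := _TOP_LEVEL_KEY.match(line))]


def missing_required_keys(rule_yaml: str) -> list:
    """Mandatory Sigma keys absent from the rule, in REQUIRED_KEYS order."""
    present = set(top_level_keys(rule_yaml))
    return [k for k in REQUIRED_KEYS if k not in present]


def build_rule_request(base_url: str, category: str, rule_yaml: str) -> urllib.request.Request:
    """POST the raw rule YAML to /_plugins/_security_analytics/rules?category=...
    Refuses rules missing mandatory keys. Content-Type is set explicitly
    because OpenSearch rejects bodies with an unrecognised or missing one;
    application/json is an assumption mirroring the DevTools console."""
    missing = missing_required_keys(rule_yaml)
    if missing:
        raise ValueError("rule is missing mandatory Sigma keys: " + ", ".join(missing))
    url = f"{base_url.rstrip('/')}/_plugins/_security_analytics/rules?category={quote(category)}"
    return urllib.request.Request(
        url, data=rule_yaml.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})


def explain_error(status: int, body: str) -> str:
    """Reduce an error response to its most specific reason. Understands the
    nested OpenSearch envelope and flags the flat {"ok": false, "error": ...}
    shape, which OpenSearch itself does not emit."""
    try:
        doc = json.loads(body)
    except ValueError:
        return f"HTTP {status}: non-JSON body"
    if doc.get("ok") is False and "error" in doc:
        return f"HTTP {status}: {doc['error']} (not an OpenSearch error envelope)"
    err = doc.get("error")
    if isinstance(err, dict):
        reason = err.get("reason", "")
        caused_by = err.get("caused_by") or {}
        if caused_by.get("reason"):
            reason = f"{reason}; caused by {caused_by['reason'].strip()}"
        return f"HTTP {status}: {err.get('type')}: {reason}"
    return f"HTTP {status}: {body[:200]}"


if __name__ == "__main__":
    print("missing in report-shaped rule:", missing_required_keys(REPORT_SHAPED_RULE))
    req = build_rule_request("https://localhost:9200", "okta", COMPLETE_RULE)
    print(req.get_method(), req.full_url, req.header_items())
    print(explain_error(500, DEVTOOLS_ERROR))
    print(explain_error(500, CLI_ERROR))
```

Sending the request is left to the caller (`urllib.request.urlopen(req)` with the cluster's TLS and auth settings); the script deliberately stops at building it so it runs offline. The `osd-xsrf` header from the curl command is an OpenSearch Dashboards header and is not set here, since the request targets the cluster's plugin endpoint.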