reflexsoar / reflex-api

The API behind the Reflex management interface
GNU General Public License v3.0

Unable to load not more than 65K events in event-queue #458

Closed greycel closed 9 months ago

greycel commented 10 months ago

Hi n3tsurge,

Noticed that the events are easily loaded in the queue page when the volume is below 65K. Added new log inputs, and now when the event volume is above 65K (even for a day or two) the data is not loading in the queue, and I am receiving search_phase_execution_exception in the API backend logs while querying OpenSearch.

Using my own instance of OpenSearch as backend, with Reflex version 2023.09.28-rc0. Is there any configuration to be made on the OpenSearch side? Please advise...

reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:28 +0000] "GET /api/v2.0/organization?page=1&page_size=1000&sort_by=created_at&sort_direction=asc HTTP/1.1" 200 680 "https://192.168.10.202/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "192.168.10.205"
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:28 +0000] "GET /api/v2.0/event/stats?q=&status=New&metrics=title,observable,source,tag,status,severity,data_type,organization,event_rule,signature HTTP/1.1" 200 12182 "https://192.168.10.202/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "192.168.10.205"
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:28 +0000] "GET /api/v2.0/event_rule?page=1&page_size=500&sort_by=created_at&sort_direction=asc HTTP/1.1" 200 20605 "https://192.168.10.202/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "192.168.10.205"
reflex-api         | 2023-10-23 07:53:31,856 - opensearch - WARNING - POST https://192.168.10.170:9200/reflex-events/_search [status:503 request:3.828s]
reflex-api         | 2023-10-23 07:53:35,884 - opensearch - WARNING - POST https://192.168.10.170:9200/reflex-events/_search [status:503 request:4.027s]
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:36 +0000] "GET /api/v2.0/plugin HTTP/1.1" 200 3 "-" "reflexsoar-agent/2023.09.28-rc0" "172.19.0.4"
reflex-api         | 2023-10-23 07:53:37,076 - opensearch - WARNING - POST https://192.168.10.170:9200/reflex-events/_search [status:503 request:1.190s]
reflex-api         | 2023-10-23 07:53:38,066 - opensearch - WARNING - POST https://192.168.10.170:9200/reflex-events/_search [status:503 request:0.989s]
reflex-api         | [2023-10-23 07:53:38 +0000] [47] [ERROR] Exception on /api/v2.0/event [GET]
reflex-api         | Traceback (most recent call last):
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/app.py", line 1523, in full_dispatch_request
reflex-api         |     rv = self.dispatch_request()
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/app.py", line 1509, in dispatch_request
reflex-api         |     return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/api.py", line 404, in wrapper
reflex-api         |     resp = resource(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/views.py", line 84, in view
reflex-api         |     return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/resource.py", line 46, in dispatch_request
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:38 +0000] "GET /api/v2.0/event?grouped=true&sort_by=original_date&sort_direction=desc&status=New&search=&page=1&page_size=10 HTTP/1.1" 500 37 "https://192.168.10.202/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36" "192.168.10.205"
reflex-api         |     resp = meth(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/marshalling.py", line 244, in wrapper
reflex-api         |     resp = f(*args, **kwargs)
reflex-api         |   File "/app/api_v2/utils.py", line 223, in wrapper
reflex-api         |     return f(*args, **kwargs, current_user=current_user)
reflex-api         |   File "/app/api_v2/utils.py", line 354, in wrapper
reflex-api         |     return f(*args, **kwargs)
reflex-api         |   File "/app/api_v2/resource/event.py", line 366, in get
reflex-api         |     events = search.execute()
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearch_dsl/search.py", line 721, in execute
reflex-api         |     opensearch.search(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/client/utils.py", line 177, in _wrapped
reflex-api         |     return func(*args, params=params, headers=headers, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/client/__init__.py", line 1593, in search
reflex-api         |     return self.transport.perform_request(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/transport.py", line 405, in perform_request
reflex-api         |     raise e
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/transport.py", line 368, in perform_request
reflex-api         |     status, headers_response, data = connection.perform_request(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/connection/http_urllib3.py", line 275, in perform_request
reflex-api         |     self._raise_error(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/connection/base.py", line 300, in _raise_error
reflex-api         |     raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
reflex-api         | opensearchpy.exceptions.TransportError: TransportError(503, 'search_phase_execution_exception')
reflex-api         | 2023-10-23 07:53:38,067 - app - ERROR - Exception on /api/v2.0/event [GET]
reflex-api         | Traceback (most recent call last):
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/app.py", line 1523, in full_dispatch_request
reflex-api         |     rv = self.dispatch_request()
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/app.py", line 1509, in dispatch_request
reflex-api         |     return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/api.py", line 404, in wrapper
reflex-api         |     resp = resource(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask/views.py", line 84, in view
reflex-api         |     return current_app.ensure_sync(self.dispatch_request)(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/resource.py", line 46, in dispatch_request
reflex-api         |     resp = meth(*args, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/flask_restx/marshalling.py", line 244, in wrapper
reflex-api         |     resp = f(*args, **kwargs)
reflex-api         |   File "/app/api_v2/utils.py", line 223, in wrapper
reflex-api         |     return f(*args, **kwargs, current_user=current_user)
reflex-api         |   File "/app/api_v2/utils.py", line 354, in wrapper
reflex-api         |     return f(*args, **kwargs)
reflex-api         |   File "/app/api_v2/resource/event.py", line 366, in get
reflex-api         |     events = search.execute()
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearch_dsl/search.py", line 721, in execute
reflex-api         |     opensearch.search(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/client/utils.py", line 177, in _wrapped
reflex-api         |     return func(*args, params=params, headers=headers, **kwargs)
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/client/__init__.py", line 1593, in search
reflex-api         |     return self.transport.perform_request(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/transport.py", line 405, in perform_request
reflex-api         |     raise e
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/transport.py", line 368, in perform_request
reflex-api         |     status, headers_response, data = connection.perform_request(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/connection/http_urllib3.py", line 275, in perform_request
reflex-api         |     self._raise_error(
reflex-api         |   File "/root/.local/share/virtualenvs/-x-v5uFv0/lib/python3.8/site-packages/opensearchpy/connection/base.py", line 300, in _raise_error
reflex-api         |     raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
reflex-api         | opensearchpy.exceptions.TransportError: TransportError(503, 'search_phase_execution_exception')
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:43 +0000] "GET /api/v2.0/agent/5914e829-c636-468e-a385-c96182b71bb5 HTTP/1.1" 200 11122 "-" "reflexsoar-agent/2023.09.28-rc0" "172.19.0.4"
reflex-agent-demo  | 2023-10-23 07:53:43.246 | INFO     | __main__:<module>:163 - Checking runner module status
reflex-agent-demo  | 2023-10-23 07:53:43.247 | INFO     | __main__:<module>:196 - Running input Win-Security Alerts
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:43 +0000] "GET /api/v2.0/credential/bf0ee629-711a-4e9c-ac06-10384614b18f HTTP/1.1" 200 226 "-" "reflexsoar-agent/2023.09.28-rc0" "172.19.0.4"
reflex-ui          | 172.19.0.1 - - [23/Oct/2023:07:53:43 +0000] "GET /api/v2.0/credential/decrypt/bf0ee629-711a-4e9c-ac06-10384614b18f HTTP/1.1" 200 31 "-" "reflexsoar-agent/2023.09.28-rc0" "172.19.0.4"

n3tsurge commented 10 months ago

It would appear you have too many signatured events that are open and are reaching max agg or max terms. Let me find some diagnostic queries for you.

n3tsurge commented 10 months ago

You can run this query in Dev Tools in Kibana/OpenSearch Dashboards. If you have more than 10000 unique signatures, it means you are not effectively signaturing your events and are hitting Elastic/OpenSearch's max_buckets setting.

GET reflex-events/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "status.name: New"
          }
        },
        {
          "range": {
            "created_at": {
              "gte": "now-7d"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "unique_sigs": {
      "cardinality": {
        "field": "signature"
      }
    }
  },
  "size": 0
}

greycel commented 10 months ago

Yeah, ran the query and there are more than 95K unique signatures for the last 10 days.

Initially, while creating inputs for Windows sysmon, system, or security events, I wasn't sure which fields to include as part of the signature fields and left it blank as the system would generate default signatures for incoming events.

Can you help me understand how to handle this and effectively maintain signatures on all incoming events? Thank you...

n3tsurge commented 10 months ago

So it sounds like you are consuming all your Windows Event logs as Events into Reflex. This is not how Reflex is designed. There are 3 operational modes for Reflex.

  1. Alert polling
  2. Detections
  3. Hybrid (Alert Polling + Detections)

In Alert Polling mode, you define your Inputs and assign them to Agents with the poller role. When you do this you should be pointing at Alert indices, not raw event indices.

In Detections mode, you define your inputs to your raw event indices but DO NOT assign them to agents. Agents with detector roles will query these inputs and run rules against them.

In the hybrid mode you just mix up the 2 above and do both.

greycel commented 10 months ago

I've configured three inputs (Windows sysmon, security, system) to poll from the common alert index, but there are way too many false-positive alerts due to which the volume of the incoming events is high.

If I update the existing inputs with the required signature fields like process.name, process.command_line, will that resolve this issue...? Also any suggestion on effectively maintaining signatures?

n3tsurge commented 10 months ago

It may, it may not. By default the system will signature based on the event title and that is it. I typically recommend using the hostname, username, process name and other fields that may be distinct across events as signature fields. This way you have the events rolled up per host, per user at least by default.

You can signature too little or signature too much...you partly need to understand your data and how you want things rolled up.
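To make the rollup trade-off above concrete, here is a small added example (not Reflex's own code and not from the thread) that hashes a chosen set of signature fields over constructed sample events and compares the unique-signature count with the aggregation bucket limit the diagnostic query earlier in the thread is checking against. The sample events, the field names and the 65,535 default for OpenSearch's search.max_buckets are my assumptions, not values stated on the page.

```python
import hashlib
from collections import Counter

# Constructed sample events (not taken from the issue). Keys are the flattened
# field names Reflex inputs reference, e.g. host.name, user.name, process.name.
EVENTS = [
    {"title": "Suspicious PowerShell", "host.name": "ws01", "user.name": "alice",
     "process.name": "powershell.exe", "process.command_line": "powershell -enc A1"},
    {"title": "Suspicious PowerShell", "host.name": "ws01", "user.name": "alice",
     "process.name": "powershell.exe", "process.command_line": "powershell -enc B2"},
    {"title": "Suspicious PowerShell", "host.name": "ws02", "user.name": "bob",
     "process.name": "powershell.exe", "process.command_line": "powershell -enc C3"},
    {"title": "New Service Installed", "host.name": "srv01", "user.name": "SYSTEM",
     "process.name": "services.exe", "process.command_line": "services.exe 1"},
    {"title": "New Service Installed", "host.name": "srv01", "user.name": "SYSTEM",
     "process.name": "services.exe", "process.command_line": "services.exe 2"},
]

# The per-host, per-user, per-process choice recommended in the thread (assumed names).
RECOMMENDED_FIELDS = ("title", "host.name", "user.name", "process.name")


def signature(event, fields=("title",)):
    """Hash the selected signature fields; events with identical values roll up
    into one signature. The default (title only) mirrors the behaviour described
    in the thread; pass the input's signature_fields list to roll up more precisely."""
    joined = "|".join(f"{f}={event.get(f, '')}" for f in fields)
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


def rollup(events, fields):
    """Return {signature: event_count} for a batch of events."""
    return Counter(signature(e, fields) for e in events)


def bucket_check(events, fields, max_buckets=65535):
    """Compare unique signatures with the aggregation bucket limit. A grouped
    event-queue query needs one bucket per open signature, so it fails once the
    unique count passes search.max_buckets (65,535 is assumed as OpenSearch's default)."""
    unique = len(rollup(events, fields))
    return {"unique_signatures": unique, "max_buckets": max_buckets,
            "ok": unique <= max_buckets}


if __name__ == "__main__":
    for name, fields in [("title only", ("title",)),
                         ("recommended", RECOMMENDED_FIELDS),
                         ("over-signatured", ("title", "process.command_line"))]:
        print(name, bucket_check(EVENTS, fields))
```

Adding a near-unique field such as the full command line makes every event its own bucket, which is the "signature too much" case; title alone collapses distinct hosts and users into one bucket, the "signature too little" case.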

greycel commented 10 months ago

This is helpful, will try it out. Thank you...

greycel commented 10 months ago

Couldn't add signature fields to an existing input; it appears to be a UI bug while updating inputs. This is happening only for the signature field; maybe it is because the field is empty from the beginning.


I was able to add them directly from the advanced editing, but after saving the input changes added fields aren't visible in the UI under Event Base Configuration:

  "signature": [
    "host.name",
    "user.name",
    "process.name"
  ],

n3tsurge commented 10 months ago

The setting is signature_fields instead of signature. If you go to Advanced Edit again, change it. I will see about the UI error you shared.


greycel commented 10 months ago

That worked... Thank you so much!

Signature fields added from advanced editing are now visible in Event Base Configuration and I'm able to add new tags directly from the Event Base Configuration section now.