wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Internal error while ordering the vulnerability events #20959

Closed pereyra-m closed 8 months ago

pereyra-m commented 8 months ago

Description

During the E2E test, it was found that ordering the alerts using a vulnerability field in the Threat Hunting panel generated an internal error.

```
unsupported_operation_exception
null
Error: Internal Server Error
    at fetch_Fetch.fetchResponse (https://demo-480-ct-wazuh-db177eddeaa0c3f6.elb.us-west-1.amazonaws.com/48001/bundles/core/core.entry.js:15:177223)
    at async interceptResponse (https://demo-480-ct-wazuh-db177eddeaa0c3f6.elb.us-west-1.amazonaws.com/48001/bundles/core/core.entry.js:15:172641)
    at async https://demo-480-ct-wazuh-db177eddeaa0c3f6.elb.us-west-1.amazonaws.com/48001/bundles/core/core.entry.js:15:175121
```

Related to this problem, the events panel of the new vulnerability detector section doesn't show any vulnerability alert.

DoD

gdiazlo commented 8 months ago

We have reproduced this on the platform Discover as well.

jbiset commented 8 months ago

Research

Only in a demo environment have these problems been reproduced. In the development environment it has not been possible to reproduce these problems. Evidence is added below the tests in the demo environment. We have found that it does not only happen with fields in the vulnerabilities module. The origin of this difference between the development environment and the demo continues to be investigated.

Evidence

Ordering `data.vulnerability.cve` field on Events tab in Vulnerability detection :green_circle: ![Test_DEMO_1](https://github.com/wazuh/wazuh/assets/43619595/406ead22-a49d-4b2d-af6c-05b06246ec28) ![Test_DEMO_1_B](https://github.com/wazuh/wazuh/assets/43619595/ef43827c-c5d4-41fb-a9ca-5d4480fc0687) ![Test_DEMO_1_C](https://github.com/wazuh/wazuh/assets/43619595/f23dfc12-e750-4d8b-87e8-114fadc8a603)
Ordering `data.vulnerability.status` field on Events tab in Vulnerability detection :red_circle: ![Test_DEMO_2](https://github.com/wazuh/wazuh/assets/43619595/0d0212ea-3caf-423c-bb81-73ebb5b19d60) ![Test_DEMO_2_B](https://github.com/wazuh/wazuh/assets/43619595/5027f13d-d370-4fa4-8677-10cbea04720d) ![Test_DEMO_2_C](https://github.com/wazuh/wazuh/assets/43619595/887860e2-c5c3-416a-8de0-e09c0b820eef)
Ordering `data.win.system.message` field on Events tab in MITRE ATT&CK :red_circle: ![Test_DEMO_3](https://github.com/wazuh/wazuh/assets/43619595/4c97e69a-f6e4-48cd-83db-62bf990bca41) ![Test_DEMO_3_B](https://github.com/wazuh/wazuh/assets/43619595/cb260b20-6a93-45ee-ad32-8d5b022dfdaf)
Ordering `data.win.evendata.logonProcessName` field on Discover :red_circle: ![Test_DEMO_4](https://github.com/wazuh/wazuh/assets/43619595/24c5c9e5-8203-4b14-9cac-73d73e251a16)

asteriscos commented 8 months ago

We have been unable to replicate this issue in other environments. We believe this error comes from the pre-alpha environment it was tested on.