
[BUG] Creating a custom detection rule + detector for that rule first breaks findings generation #805

Open
engechas opened this issue Jan 16, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@engechas
Collaborator

What is the bug?
Creating a custom detection rule, then a detector for that rule before creating any other detectors will prevent findings from being generated for all detectors.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Start with a fresh cluster running security analytics
  2. Create the following detection rule

```yaml
id: 25b9c01c-350d-4b95-bed1-836d04a4f473
logsource:
  product: cloudtrail
title: AWS User Login Profile Was Modified - Chase
description: my rule
tags:
  - attack.persistence
  - attack.t1098
falsepositives:
  - Legit User Account Administration
level: high
status: experimental
references:
  - 'https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation'
author: Chase
detection:
  selection_source:
    eventSource: iam.amazonaws.com
    eventName: UpdateLoginProfile
  filter:
    userIdentity.arn|contains: requestParameters.userName
  condition: selection_source and not filter
```

  3. Create a detector with only the above rule
  4. Index the following document that should generate a finding:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGITEXAMPLE",
        "arn": "arn:aws:iam::888888888888:user/Mary",
        "accountId": "888888888888",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mary",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:25:09Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateLoginProfile",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
    "requestParameters": {
        "userName": "Richard"
    },
    "responseElements": {
        "user": {
            "path": "/",
            "arn": "arn:aws:iam::888888888888:user/Richard",
            "userId": "AIDA6ON6E4XEP7EXAMPLE",
            "createDate": "Jul 19, 2023 9:25:09 PM",
            "userName": "Richard"
        }
    },
    "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
    "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "888888888888",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "iam.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}
```

  5. Verify no finding is generated

What is the expected behavior?
Findings should still be generated when a custom detection rule is used in the initially created detector

What is your host/environment?

  • OS: macOS
  • Version: 3.0.0 snapshot
  • Plugins: Security Analytics

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
When a detector is created with a default rule first, then a second detector is created with a custom rule, findings are generated. It looks specific to the first detector using a custom rule.
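As an added check (not code from the issue or from the Security Analytics plugin): a minimal evaluator, assumed to follow classic Sigma semantics, applies the rule's `detection` block to the fields of the sample CloudTrail document above. It confirms that a finding is expected, because `selection_source` matches and `filter` compares `userIdentity.arn` against the literal string `requestParameters.userName`, which the ARN does not contain.

```python
# Constructed from the issue's rule: its `detection` block as Python data.
DETECTION = {
    "selection_source": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateLoginProfile",
    },
    "filter": {
        # Assumption: classic Sigma compares this value as a literal string.
        "userIdentity.arn|contains": "requestParameters.userName",
    },
}

# Constructed sample event: the fields of the issue's CloudTrail document that the rule reads.
EVENT = {
    "userIdentity": {"arn": "arn:aws:iam::888888888888:user/Mary", "userName": "Mary"},
    "eventSource": "iam.amazonaws.com",
    "eventName": "UpdateLoginProfile",
    "requestParameters": {"userName": "Richard"},
}


def get_field(event, dotted):
    """Resolve a dotted path such as 'userIdentity.arn' in a nested dict; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def match_selection(event, selection):
    """A Sigma selection map matches when every key/value pair matches (implicit AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = get_field(event, field)
        if actual is None:
            return False
        if modifier == "contains":
            matched = str(expected) in str(actual)
        elif modifier == "":
            matched = str(actual) == str(expected)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not matched:
            return False
    return True


def evaluate_rule(event, detection=DETECTION):
    """Evaluate the rule's condition 'selection_source and not filter' (hard-coded here)."""
    hit = match_selection(event, detection["selection_source"])
    return hit and not match_selection(event, detection["filter"])
```

A True result is what the reporter expects from the detector; the issue is that the plugin produces no finding for this document when the custom rule sits in the first detector created.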

@engechas engechas added bug Something isn't working untriaged labels Jan 16, 2024
@tallyoh

tallyoh commented Jan 16, 2024

@engechas good afternoon. I did not quite understand this post. Are you saying that after creating a custom rule, that all the pre-built rules are no longer finding alerts anymore?

riysaxen-amzn pushed a commit to riysaxen-amzn/security-analytics that referenced this issue Mar 25, 2024
@praveensameneni
Member

@eirsep , can you please confirm if this is an issue after the bug fixes
