[BUG] Index Rules API doesn't return the details of the errors while creating sigma rules #863

Closed
goyamegh opened this issue Feb 19, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@goyamegh
Collaborator

What is the bug?

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Go to 'Detection rules page'
  2. Click on 'Create rules button'
  3. Choose the YAML editor format and enter the below input:
{
    "title": "Moriya Rootkit",
    "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
    "status": "experimental",
    "author": "Bhabesh Raj",
    "date": "2021/05/06",
    "modified": "2021/11/30",
    "references": [
        "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
    ],
    "tags": [
        "attack.persistence",
        "attack.privilege_escalation",
        "attack.t1543.003"
    ],
    "logsource": {
        "product": "custom-log-type1"
    },
    "detection": {
        "selection": {
            "Provider_Name": "Service Control Manager",
            "EventID": 7045,
            "ServiceName": "ZzNetSvc"
        },
        "condition": "selection"
    },
    "level": "test",
    "falsepositives": [
        "Unknown"
    ]
}
  4. The error returned doesn't provide the details about the level attribute being wrong. The backend API output looks like:
{
    "error": {
        "root_cause": [
            {
                "type": "security_analytics_exception",
                "reason": "Unknown error"
            }
        ],
        "type": "security_analytics_exception",
        "reason": "Unknown error",
        "caused_by": {
            "type": "exception",
            "reason": "org.opensearch.action.search.SearchPhaseExecutionException: "
        }
    },
    "status": 400
}

What is the expected behavior?
The output of the API should return the list of cx errors which can be interpreted by the frontend to display the right behavior on the UI.

What is your host/environment?

  • Version: 2.11

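The behaviour the issue asks for, shown as an added example rather than code from the Security Analytics plugin: a Sigma-rule validator that collects every field-level problem into a list, so a client can see that `level: test` is the offending attribute instead of receiving a bare "Unknown error". The allowed values for `level` and `status` come from the public Sigma rule specification; the `{"field", "reason"}` error objects, the `errors` key in the response, and the `index_rule_response` / `issue_rule_with` helper names are assumptions made for this illustration, not the plugin's API.

```python
"""Added example, not plugin code: validate a Sigma rule and report all errors."""
import json
import re

# Allowed values per the Sigma rule specification.
SIGMA_LEVELS = {"informational", "low", "medium", "high", "critical"}
SIGMA_STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
LOGSOURCE_KEYS = {"category", "product", "service"}
DATE_RE = re.compile(r"^\d{4}[/-]\d{2}[/-]\d{2}$")  # 2021/05/06 or 2021-05-06
# Operators inside a Sigma condition; every other identifier must name a detection item.
CONDITION_KEYWORDS = {"and", "or", "not", "of", "all", "them"}

# The rule posted in the issue, embedded as constructed sample input (level "test" is invalid).
ISSUE_RULE_JSON = """{
    "title": "Moriya Rootkit",
    "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
    "status": "experimental", "author": "Bhabesh Raj",
    "date": "2021/05/06", "modified": "2021/11/30",
    "references": ["https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"],
    "tags": ["attack.persistence", "attack.privilege_escalation", "attack.t1543.003"],
    "logsource": {"product": "custom-log-type1"},
    "detection": {
        "selection": {"Provider_Name": "Service Control Manager", "EventID": 7045, "ServiceName": "ZzNetSvc"},
        "condition": "selection"
    },
    "level": "test",
    "falsepositives": ["Unknown"]
}"""


def validate_sigma_rule(rule: dict) -> list[dict]:
    """Return every problem found as {"field": ..., "reason": ...}; an empty list means valid."""
    errors = []

    def bad(field, reason):
        errors.append({"field": field, "reason": reason})

    for field in ("title", "logsource", "detection"):
        if field not in rule:
            bad(field, "required field is missing")

    level = rule.get("level")
    if level is not None and level not in SIGMA_LEVELS:
        bad("level", f"unknown level {level!r}; expected one of {sorted(SIGMA_LEVELS)}")

    status = rule.get("status")
    if status is not None and status not in SIGMA_STATUSES:
        bad("status", f"unknown status {status!r}; expected one of {sorted(SIGMA_STATUSES)}")

    for field in ("date", "modified"):
        value = rule.get(field)
        if value is not None and not DATE_RE.match(str(value)):
            bad(field, f"{value!r} is not a YYYY/MM/DD date")

    logsource = rule.get("logsource")
    if isinstance(logsource, dict):
        if not LOGSOURCE_KEYS & logsource.keys():
            bad("logsource", "needs at least one of category, product or service")
    elif logsource is not None:
        bad("logsource", "must be a mapping")

    detection = rule.get("detection")
    if isinstance(detection, dict):
        named = set(detection) - {"condition", "timeframe"}
        if not named:
            bad("detection", "no selection is defined")
        condition = detection.get("condition")
        if not isinstance(condition, str) or not condition.strip():
            bad("detection.condition", "condition is missing or empty")
        else:
            # Every bare identifier in the condition must resolve to a defined selection.
            for token in re.findall(r"[A-Za-z_][A-Za-z0-9_*]*", condition):
                if token.lower() in CONDITION_KEYWORDS or "*" in token:
                    continue  # wildcard references such as "selection*" are not resolved here
                if token not in named:
                    bad("detection.condition", f"condition references undefined selection {token!r}")
    elif detection is not None:
        bad("detection", "must be a mapping")

    return errors


def index_rule_response(rule_json: str) -> dict:
    """Assumed response shape: status 400 carrying the full error list, or 200 when clean."""
    try:
        rule = json.loads(rule_json)
    except json.JSONDecodeError as exc:
        return {"status": 400, "errors": [{"field": "<document>", "reason": f"invalid JSON: {exc.msg}"}]}
    errors = validate_sigma_rule(rule)
    return {"status": 400 if errors else 200, "errors": errors}


def issue_rule_with(**overrides) -> str:
    """The issue's rule as JSON with top-level fields replaced, for experimenting."""
    rule = json.loads(ISSUE_RULE_JSON)
    rule.update(overrides)
    return json.dumps(rule)


if __name__ == "__main__":
    print(json.dumps(index_rule_response(ISSUE_RULE_JSON), indent=2))
```

Run stand-alone it prints a 400 whose single error names `level` and the rejected value `'test'`; changing the level to `high` yields a 200, and a condition that references an undefined selection is reported under `detection.condition` rather than swallowed.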
