[BUG] It is not possible to update a detector containing only custom rules #952

Closed
agoerl opened this issue Mar 26, 2024 · 1 comment
Labels: bug (Something isn't working)

agoerl commented Mar 26, 2024

What is the bug?
Updating a detector (PUT request via API) with only custom rules results in an error (kotlin.collections.EmptyMap cannot be cast to kotlin.collections.MutableMap).

How can one reproduce the bug?
Create detector only containing custom rules via API. Update that detector in any way (see example below).

What is the expected behavior?
No error if no pre-packaged rules are specified.

What is your host/environment?

  • OS: Ubuntu 22.04
  • Version 2.12
  • Plugins Security Analytics Plugin

Do you have any screenshots?
No, but I have the following example:

Create detector (you have to customize this a bit to your setup, i.e. replacing the detector_type and indices array):

```json
{
  "detector": {
    "type": "detector",
    "detector_type": "CUSTOM_LOGTYPE",
    "name": "detector-test",
    "enabled": true,
    "schedule": {
      "period": {
        "interval": 1,
        "unit": "MINUTES"
      }
    },
    "inputs": [
      {
        "detector_input": {
          "description": "windows detector for security analytics",
          "indices": [
            "SOME_INDEX"
          ],
          "custom_rules": [
            {
              "id": "YOUR_RULE_ID"
            }
          ],
          "pre_packaged_rules": []
        }
      }
    ]
  }
}
```

Then update that detector:

```json
{
  "detector": {
    "type": "detector",
    "detector_type": "CUSTOM_LOGTYPE",
    "name": "detector-test",
    "enabled": true,
    "schedule": {
      "period": {
        "interval": 1,
        "unit": "MINUTES"
      }
    },
    "inputs": [
      {
        "input": {
          "description": "windows detector for security analytics",
          "indices": [
            "SOME_INDEX"
          ],
          "custom_rules": [
            {
              "id": "YOUR_RULE_ID"
            }
          ],
          "pre_packaged_rules": [
            {
              "id": "73a883d0-0348-4be4-a8d8-51031c2564f8"
            },
            {
              "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4"
            }
          ]
        }
      }
    ]
  }
}
```

The update will work, but only as long as there is content in the "pre_packaged_rules" section. Remove them and you will see a 500 error with the above stated error. As a workaround you can include pre-packaged rules.

Do you have any additional context?

@agoerl agoerl added bug Something isn't working untriaged labels Mar 26, 2024
@agoerl agoerl changed the title [BUG] Newly created detector definition breaks OpenSearch detectors alltogether [BUG] It is not possible to update a detector containing only custom rules Mar 27, 2024
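An added helper (not from the issue or the plugin) that builds the detector body from the report, flags the update shape it describes as failing (custom rules present, `pre_packaged_rules` empty) and, when a PUT fails, labels the failure as the known bug only when the status, the quoted error text and the body shape all match. Assumptions: the plugin's detector endpoint path and the documented request body shape (the detector object without an outer `detector` wrapper).

```python
import json
import urllib.error
import urllib.request

# Assumed REST path of the plugin's detector API (not stated in the issue).
DETECTORS_PATH = "/_plugins/_security_analytics/detectors"
# Error text quoted in the report.
KNOWN_ERROR = "kotlin.collections.EmptyMap cannot be cast to kotlin.collections.MutableMap"


def detector_body(name, log_type, indices, custom_rule_ids, pre_packaged_ids=()):
    """Detector create/update body in the shape used in the issue
    (assumed: no outer "detector" wrapper, as in the documented request)."""
    return {
        "type": "detector",
        "detector_type": log_type,
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
        "inputs": [{"detector_input": {
            "description": f"{name} input",
            "indices": list(indices),
            "custom_rules": [{"id": r} for r in custom_rule_ids],
            "pre_packaged_rules": [{"id": r} for r in pre_packaged_ids],
        }}],
    }


def has_only_custom_rules(body):
    """True when some input has custom rules but no pre-packaged rules:
    the update shape the issue reports as failing with a 500 on 2.12."""
    for inp in body.get("inputs", []):
        d = inp.get("detector_input", {})
        if d.get("custom_rules") and not d.get("pre_packaged_rules"):
            return True
    return False


def classify_update_failure(status, response_text, body):
    """Label a failed PUT: the known bug needs status 500, the quoted
    EmptyMap cast message and the custom-rules-only body shape together."""
    if status == 500 and KNOWN_ERROR in response_text and has_only_custom_rules(body):
        return "known-empty-prepackaged-bug"
    return "other"


def update_detector(base_url, detector_id, body, timeout=10):
    """PUT the body and return (HTTP status, 'ok' or a failure label)."""
    req = urllib.request.Request(
        f"{base_url}{DETECTORS_PATH}/{detector_id}", method="PUT",
        data=json.dumps(body).encode(), headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as err:
        text = err.read().decode(errors="replace")
        return err.code, classify_update_failure(err.code, text, body)
```

Running `update_detector` against a 2.12 cluster with a custom-rules-only body is the regression check; the other functions work offline.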

agoerl commented Mar 27, 2024

I have issues updating detectors but at the present time I am unable to provide a good enough analysis.
