
[BUG] Security Analytics do not throw an error when incompatible detectorType is mentioned with detector rules #518

@sbcd90

Description

What is the bug?
We do not throw an error when an incompatible detectorType is mentioned with detector rules, e.g.:

How can one reproduce the bug?
Steps to reproduce the behavior:

  • in the following detector payload,
POST /_plugins/_security_analytics/detectors
{
  "inputs": [
    {
      "detector_input": {
        "indices": ["ad_logs"],
        "description": "ad_ldap logs detector for security analytics",
        "pre_packaged_rules": [
          {
            "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
          },
          {
            "id": "11c767ae-500b-423b-bae3-b244450736ed"
          },
          {
            "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
          },
          {
            "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
          },
          {
            "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
          },
          {
            "id": "9494bff8-959f-4440-abce-fb87a208d517"
          },
          {
            "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
          },
          {
            "id": "a0413867-daf3-43dd-9255-734b3a787942"
          },
          {
            "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
          },
          {
            "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
          },
          {
            "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
          }
        ]
      }
    }
  ],
  "type": "detector",
  "schedule": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  },
  "enabled": true,
  "name": "YzkMghCwxK",
  "detector_type": "windows",
  "triggers": [
    {
      "id": "PQt-M4YB6gsTwFE2d01o",
      "tags": [],
      "severity": "1",
      "actions": [],
      "ids": [],
      "sev_levels": [],
      "types": [
        "ad_ldap"
      ],
      "name": "test-trigger"
    }
  ]
}

detector_type is windows while the rules are for the ad_ldap category (id: 31d68132-4038-47c7-8f8d-635a39a7c174).

  • when we search detectors, we see that the monitor did not get generated.
GET /.opensearch-sap-detectors-config/_search
{
  "size": 20,
  "query": {
    "match_all": {
      
    }
  }
}

{
        "_index": ".opensearch-sap-detectors-config",
        "_id": "nEJyH4oBJTiwTm2SFwLH",
        "_score": 1,
        "_source": {
          "detector": {
            "type": "detector",
            "name": "YzkMghCwxK",
            "detector_type": "windows",
            "user": {
              "name": "admin",
              "backend_roles": [
                "admin"
              ],
              "roles": [
                "own_index",
                "all_access"
              ],
              "custom_attribute_names": [],
              "user_requested_tenant": "__user__"
            },
            "enabled": true,
            "enabled_time": 1692744685501,
            "schedule": {
              "period": {
                "interval": 1,
                "unit": "MINUTES"
              }
            },
            "inputs": [
              {
                "detector_input": {
                  "description": "ad_ldap logs detector for security analytics",
                  "indices": [
                    "ad_logs"
                  ],
                  "custom_rules": [],
                  "pre_packaged_rules": [
                    {
                      "id": "31d68132-4038-47c7-8f8d-635a39a7c174"
                    },
                    {
                      "id": "11c767ae-500b-423b-bae3-b244450736ed"
                    },
                    {
                      "id": "ebbeb024-5b1d-4e16-9c1c-917f86c708a7"
                    },
                    {
                      "id": "4d136857-6a1a-432a-82ec-5dd497ee5e7c"
                    },
                    {
                      "id": "4f77e1d7-3972-4ee0-8489-abf2d6b75284"
                    },
                    {
                      "id": "9494bff8-959f-4440-abce-fb87a208d517"
                    },
                    {
                      "id": "5afa454e-030c-4ab4-9253-a90aa7fac581"
                    },
                    {
                      "id": "a0413867-daf3-43dd-9255-734b3a787942"
                    },
                    {
                      "id": "48739819-8230-4de3-a8ea-e0289d1fb0ff"
                    },
                    {
                      "id": "287a39fc-4914-4831-9ada-270e9dc12cb4"
                    },
                    {
                      "id": "dff74231-dbed-42ab-ba49-84289be2ac3a"
                    }
                  ]
                }
              }
            ],
            "triggers": [
              {
                "id": "PQt-M4YB6gsTwFE2d01o",
                "name": "test-trigger",
                "severity": "1",
                "types": [
                  "ad_ldap"
                ],
                "ids": [],
                "sev_levels": [],
                "tags": [],
                "actions": []
              }
            ],
            "last_update_time": 1692744685501,
            "monitor_id": [],
            "bucket_monitor_id_rule_id": {},
            "rule_topic_index": ".opensearch-sap-windows-detectors-queries",
            "alert_index": ".opensearch-sap-windows-alerts",
            "alert_history_index": ".opensearch-sap-windows-alerts-history",
            "alert_history_index_pattern": "<.opensearch-sap-windows-alerts-history-{now/d}-1>",
            "findings_index": ".opensearch-sap-windows-findings",
            "findings_index_pattern": "<.opensearch-sap-windows-findings-{now/d}-1>"
          }
        }
      }

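A client-side pre-flight check for the mismatch described in this report, added here as an example; it is not code from the security-analytics plugin. It assumes a rule-id-to-category map constructed from the ids in the report (which the report says are all ad_ldap rules; a real client would fetch categories from the rules search API instead), and it assumes the standard hits.hits envelope around the config-index search hit shown above. The same check is what the plugin would need to perform server-side to reject the payload instead of storing a detector that never gets a monitor.

```python
"""Pre-flight validation of a Security Analytics detector payload.

Added example for the detectorType / rule-category mismatch in the report
above; not code from the security-analytics plugin.
"""
from typing import Dict, List, Tuple

# The pre-packaged rule ids from the report's POST body.
AD_LDAP_RULE_IDS = [
    "31d68132-4038-47c7-8f8d-635a39a7c174",
    "11c767ae-500b-423b-bae3-b244450736ed",
    "ebbeb024-5b1d-4e16-9c1c-917f86c708a7",
    "4d136857-6a1a-432a-82ec-5dd497ee5e7c",
    "4f77e1d7-3972-4ee0-8489-abf2d6b75284",
    "9494bff8-959f-4440-abce-fb87a208d517",
    "5afa454e-030c-4ab4-9253-a90aa7fac581",
    "a0413867-daf3-43dd-9255-734b3a787942",
    "48739819-8230-4de3-a8ea-e0289d1fb0ff",
    "287a39fc-4914-4831-9ada-270e9dc12cb4",
    "dff74231-dbed-42ab-ba49-84289be2ac3a",
]

# Constructed rule id -> log category map. Assumption: every id above is an
# ad_ldap rule, as the report states. A real client would build this from the
# rules search API rather than hardcode it.
RULE_CATEGORIES: Dict[str, str] = {rid: "ad_ldap" for rid in AD_LDAP_RULE_IDS}

# Trimmed copy of the detector payload from the report.
DETECTOR_PAYLOAD = {
    "name": "YzkMghCwxK",
    "detector_type": "windows",
    "inputs": [{"detector_input": {
        "indices": ["ad_logs"],
        "custom_rules": [],
        "pre_packaged_rules": [{"id": rid} for rid in AD_LDAP_RULE_IDS],
    }}],
    "triggers": [{"name": "test-trigger", "types": ["ad_ldap"]}],
}

# Constructed search response: the config-index hit from the report, wrapped
# in the hits.hits envelope that GET <index>/_search returns.
SEARCH_RESPONSE = {"hits": {"hits": [{
    "_index": ".opensearch-sap-detectors-config",
    "_id": "nEJyH4oBJTiwTm2SFwLH",
    "_source": {"detector": {
        "name": "YzkMghCwxK",
        "detector_type": "windows",
        "monitor_id": [],
        "bucket_monitor_id_rule_id": {},
    }},
}]}}


def rule_ids(detector: dict) -> List[str]:
    """Collect every rule id referenced by the detector's inputs."""
    ids: List[str] = []
    for inp in detector.get("inputs", []):
        detector_input = inp.get("detector_input", {})
        for key in ("pre_packaged_rules", "custom_rules"):
            ids.extend(rule["id"] for rule in detector_input.get(key, []))
    return ids


def find_rule_mismatches(detector: dict, rule_categories: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule_id, category) for each rule whose category differs from
    detector_type. Ids missing from the map are reported as 'unknown' rather
    than silently accepted."""
    detector_type = detector["detector_type"]
    mismatches: List[Tuple[str, str]] = []
    for rid in rule_ids(detector):
        category = rule_categories.get(rid, "unknown")
        if category != detector_type:
            mismatches.append((rid, category))
    return mismatches


def is_valid_detector(detector: dict, rule_categories: Dict[str, str]) -> bool:
    """True when every referenced rule belongs to the detector's category."""
    return not find_rule_mismatches(detector, rule_categories)


def validate_detector(detector: dict, rule_categories: Dict[str, str]) -> None:
    """Raise ValueError naming the offending rules instead of sending the payload."""
    mismatches = find_rule_mismatches(detector, rule_categories)
    if mismatches:
        listing = ", ".join(f"{rid} ({cat})" for rid, cat in mismatches)
        raise ValueError(
            f"detector_type {detector['detector_type']!r} is incompatible with rules: {listing}")


def detectors_without_monitor(search_response: dict) -> List[str]:
    """Names of detectors in a config-index search result whose monitor_id is
    empty, i.e. detectors that were persisted but never got a monitor."""
    return [
        hit["_source"]["detector"]["name"]
        for hit in search_response.get("hits", {}).get("hits", [])
        if not hit["_source"]["detector"].get("monitor_id")
    ]


if __name__ == "__main__":
    try:
        validate_detector(DETECTOR_PAYLOAD, RULE_CATEGORIES)
    except ValueError as err:
        print("rejected:", err)
    print("detectors without a monitor:", detectors_without_monitor(SEARCH_RESPONSE))
```

Run against the report's payload, validate_detector rejects it because all eleven rules resolve to ad_ldap while detector_type is windows; with detector_type changed to ad_ldap the same payload passes. detectors_without_monitor is the post-creation check: any name it returns is a detector that was stored with an empty monitor_id, which is exactly the silent failure the report shows.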
