
[BUG] NullPointerException while inserting Orphan findings when detector type is missing in Log type index #844

@goyamegh

Description

What is the bug?
A NullPointerException is thrown when Correlations are running and the flow to insert Orphan findings is invoked. This happens when the detector type is missing in the Log types index.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Go to Security Analytics and create a detector.
  2. Follow up with correlation rules.
  3. See errors in the logs:
[2024-02-07T15:38:48,116][ERROR][o.o.s.u.SecurityAnalyticsException] [25c1ef95a376d5b13cdbde33eaa50bbe] Security Analytics error:
java.lang.NullPointerException: Cannot invoke "org.opensearch.securityanalytics.model.CustomLogType.getTags()" because the return value of "java.util.Map.get(Object)" is null
        at org.opensearch.securityanalytics.correlation.VectorEmbeddingsEngine.insertOrphanFindings(VectorEmbeddingsEngine.java:229)
        at org.opensearch.securityanalytics.transport.TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.onResponse(TransportCorrelateFindingAction.java:629)
        at org.opensearch.securityanalytics.transport.TransportCorrelateFindingAction$AsyncCorrelateFindingAction$4$2.onResponse(TransportCorrelateFindingAction.java:605)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:113)
        at org.opensearch.action.support.TransportAction$1.onResponse(TransportAction.java:107)
        at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionListener.onResponse(PerformanceAnalyzerActionListener.java:55)
        at org.opensearch.action.support.TimeoutTaskCancellationUtility$TimeoutRunnableListener.onResponse(TimeoutTaskCancellationUtility.java:132)
        at org.opensearch.action.search.TransportSearchAction.lambda$executeRequest$0(TransportSearchAction.java:453)
        at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82)
        at org.opensearch.core.action.ActionListener$5.onResponse(ActionListener.java:268)
        at org.opensearch.action.search.AbstractSearchAsyncAction.sendSearchResponse(AbstractSearchAsyncAction.java:707)
        at org.opensearch.action.search.ExpandSearchPhase.run(ExpandSearchPhase.java:132)
        at org.opensearch.action.search.SearchPhase.recordAndRun(SearchPhase.java:59)
        at org.opensearch.action.search.AbstractSearchAsyncAction.executePhase(AbstractSearchAsyncAction.java:456)
        at org.opensearch.action.search.AbstractSearchAsyncAction.executeNextPhase(AbstractSearchAsyncAction.java:440)
        at org.opensearch.action.search.FetchSearchPhase.moveToNextPhase(FetchSearchPhase.java:298)
        at org.opensearch.action.search.FetchSearchPhase.lambda$innerRun$1(FetchSearchPhase.java:138)
        at org.opensearch.action.search.CountedCollector.countDown(CountedCollector.java:66)
        at org.opensearch.action.search.ArraySearchPhaseResults.consumeResult(ArraySearchPhaseResults.java:61)
        at org.opensearch.action.search.CountedCollector.onResult(CountedCollector.java:74)
        at org.opensearch.action.search.FetchSearchPhase$2.innerOnResponse(FetchSearchPhase.java:243)
        at org.opensearch.action.search.FetchSearchPhase$2.innerOnResponse(FetchSearchPhase.java:238)
        at org.opensearch.action.search.SearchActionListener.onResponse(SearchActionListener.java:59)
        at org.opensearch.action.search.SearchActionListener.onResponse(SearchActionListener.java:44)
        at org.opensearch.action.ActionListenerResponseHandler.handleResponse(ActionListenerResponseHandler.java:70)
        at org.opensearch.action.search.SearchTransportService$ConnectionCountingHandler.handleResponse(SearchTransportService.java:744)
        at org.opensearch.transport.TransportService$6.handleResponse(TransportService.java:897)
        at org.opensearch.security.transport.SecurityInterceptor$RestoringTransportResponseHandler.handleResponse(SecurityInterceptor.java:412)
        at org.opensearch.transport.TransportService$ContextRestoreResponseHandler.handleResponse(TransportService.java:1516)
        at org.opensearch.transport.InboundHandler.doHandleResponse(InboundHandler.java:411)
        at org.opensearch.transport.InboundHandler.handleResponse(InboundHandler.java:403)
        at org.opensearch.transport.InboundHandler.messageReceived(InboundHandler.java:168)
        at org.opensearch.transport.InboundHandler.inboundMessage(InboundHandler.java:123)
        at org.opensearch.transport.TcpTransport.inboundMessage(TcpTransport.java:770)
        at org.opensearch.transport.InboundPipeline.forwardFragments(InboundPipeline.java:175)
        at org.opensearch.transport.InboundPipeline.doHandleBytes(InboundPipeline.java:150)
        at org.opensearch.transport.InboundPipeline.handleBytes(InboundPipeline.java:115)
        at org.opensearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:95)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:280)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1471)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383)

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

  • OS: [e.g. iOS]
  • Version [e.g. 22]
  • Plugins SAP and Correlations

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.
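As an added illustration (not code from the security-analytics plugin or from the issue author), the lookup pattern behind the stack trace and a hardened form of it: a detector type that is absent from the log types map makes Map.get() return null, and the chained getTags() call throws. The classes LogType and Finding and the methods tagsUnchecked and tagsChecked are hypothetical stand-ins for the plugin's own types; the log-type map and findings in main are constructed sample data.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical stand-in for the plugin's CustomLogType: only the getTags()
// accessor named in the stack trace is modelled here.
final class LogType {
    private final String name;
    private final Map<String, Object> tags;

    LogType(String name, Map<String, Object> tags) {
        this.name = name;
        this.tags = tags;
    }

    String getName() { return name; }
    Map<String, Object> getTags() { return tags; }
}

// Hypothetical finding: carries the detector type it was raised for.
final class Finding {
    final String id;
    final String detectorType;

    Finding(String id, String detectorType) {
        this.id = id;
        this.detectorType = detectorType;
    }
}

public class OrphanFindingLookup {

    // Reproduces the failure mode from the report: Map.get() yields null for an
    // unknown detector type, so the chained getTags() call throws NullPointerException.
    static Map<String, Object> tagsUnchecked(Map<String, LogType> logTypes, Finding finding) {
        return logTypes.get(finding.detectorType).getTags();
    }

    // Hardened form: a missing log type is a data problem for this one finding.
    // It is logged and skipped instead of propagating an exception.
    static Optional<Map<String, Object>> tagsChecked(Map<String, LogType> logTypes, Finding finding) {
        LogType logType = logTypes.get(finding.detectorType);
        if (logType == null) {
            System.err.printf("Skipping orphan finding %s: detector type '%s' not in log types index%n",
                    finding.id, finding.detectorType);
            return Optional.empty();
        }
        return Optional.of(logType.getTags());
    }

    public static void main(String[] args) {
        // Constructed sample: one known log type, one finding whose type is absent.
        Map<String, LogType> logTypes = new HashMap<>();
        logTypes.put("windows", new LogType("windows", Map.of("correlation_id", "windows-logs")));

        List<Finding> findings = List.of(
                new Finding("f-1", "windows"),
                new Finding("f-2", "custom_type_not_in_index"));

        int inserted = 0;
        for (Finding f : findings) {
            if (tagsChecked(logTypes, f).isPresent()) {
                inserted++;
            }
        }
        System.out.println("checked lookup inserted " + inserted + " of " + findings.size());

        try {
            tagsUnchecked(logTypes, findings.get(1));
        } catch (NullPointerException e) {
            System.out.println("unchecked lookup failed: " + e.getMessage());
        }
    }
}
```

The checked variant confines the problem to the one finding whose detector type has no entry, rather than letting a single missing entry surface as an exception from the correlation step; the log line it emits is also the signal an operator would want when the log types index and the detector configuration have drifted apart.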

Labels: bug