
[Security Solution][Detection Engine] Errors from rule querying are not being populated in the UI #77254

Closed
FrankHassanabad opened this issue Sep 10, 2020 · 1 comment · Fixed by #78004
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@FrankHassanabad
Contributor

Kibana version:
7.9.0

Describe the bug:
If you happen to have a bug with a query anywhere, then Elasticsearch returns documents but sometimes also returns both documents and errors, and other times just errors with no results. At the moment the detection engine does not show the errors.

This is due to code around the lines here:
https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts#L62

It will figure out when an exception is thrown and report that as an error, but you have situations where you have partial results or no results and one or more errors.

Steps to reproduce:
Go to a detections rule and add an invalid value within the exceptions such as this one below:
[Screenshot: Screen Shot 2020-09-10 at 12 10 40 PM]

Notice that rsa.internal.level value is not a numeric but a text string.

Now, if you open up the single_search_after.ts and add this line of code:

    // Dump the raw Elasticsearch response, including any _shards.failures, before returning it.
    console.log('****** SEARCH RESULT *****', JSON.stringify(nextSearchAfterResult, null, 2));
    return { searchResult: nextSearchAfterResult, searchDuration: makeFloatString(end - start) };

You will begin seeing errors in addition to the queries being returned. However, you don't get any errors showing up in the UI for the rule itself. The rule still looks like it is functioning completely correctly when in reality it does have errors that require users to fix within exceptions.

Errors, but you also get result hits back as well.

****** SEARCH RESULT ***** {
  "took": 1120,
  "timed_out": false,
  "_shards": {
    "total": 21,
    "successful": 20,
    "skipped": 12,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "filebeat-8.0.0-2020.09.02-000001",
        "node": "UmFIfD_iQfepBl6sUyEk2g",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: For input string: \"blah\"",
          "index_uuid": "F5LVi0LMTOa72Ma0otsXMA",
          "index": "filebeat-8.0.0-2020.09.02-000001",
          "caused_by": {
            "type": "number_format_exception",
            "reason": "For input string: \"blah\""
          }
        }
      }
    ]

Expected behavior:
At the very least we should bubble up the errors even if we decide to create the signals themselves.

@FrankHassanabad FrankHassanabad added bug Fixes for quality problems that affect the customer experience Team:SIEM Feature:Detection Rules Security Solution rules and Detection Engine labels Sep 10, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

FrankHassanabad added a commit that referenced this issue Sep 23, 2020
…from ES queries to the UI (#78004)

## Summary

Fixes: #77254

Bubbles up error messages from ES queries that have _shards.failures in them. For example, if you have errors in your exceptions list you will need to see them bubbled up.

Steps to reproduce:
Go to a detections rule and add an invalid value within the exceptions such as this one below:
<img width="1523" alt="Screen Shot 2020-09-21 at 7 52 59 AM" src="https://user-images.githubusercontent.com/1151048/93817197-d1a53780-fc15-11ea-8cf2-4dd7fd5a3c13.png">

Notice that rsa.internal.level value is not a numeric but a text string. You should now see this error message where before you could not:
<img width="1503" alt="Screen Shot 2020-09-21 at 7 52 44 AM" src="https://user-images.githubusercontent.com/1151048/93817231-e1bd1700-fc15-11ea-9038-99668233191a.png">

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
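The issue report above describes the failure mode (a search that returns hits and `_shards.failures` at the same time, or failures only, without the client throwing), and the commit message describes the fix as bubbling those failures up. The following is an added example, not Kibana's own code: it classifies an Elasticsearch search response into succeeded / partial failure / failed and turns each shard failure into a message that could be shown as a rule error. The `SearchResponseLike` and `ShardFailure` types are a hand-written subset of the response shape rather than the official client types, and the sample response is constructed from the `_shards` block pasted in the issue, with an invented `hits` array so the "hits plus errors" case is visible.

```typescript
// Added example (not Kibana's own code): surface partial shard failures from an
// Elasticsearch search response instead of treating only thrown exceptions as errors.
// The types below are a hand-written subset of the ES response, not the official client types.

interface ShardFailure {
  shard: number;
  index: string;
  node?: string;
  reason: {
    type: string;
    reason: string;
    index?: string;
    caused_by?: { type: string; reason: string };
  };
}

interface SearchResponseLike {
  took: number;
  timed_out: boolean;
  _shards: { total: number; successful: number; skipped: number; failed: number; failures?: ShardFailure[] };
  hits: { total: { value: number; relation: string } | number; hits: unknown[] };
}

type SearchOutcome =
  | { status: 'succeeded'; hitCount: number }
  | { status: 'partial failure'; hitCount: number; errors: string[] }
  | { status: 'failed'; errors: string[] };

// One human-readable line per failed shard, including the root cause when ES reports one.
function shardFailureMessages(res: SearchResponseLike): string[] {
  const failures = res._shards.failures ?? [];
  return failures.map((f) => {
    const cause = f.reason.caused_by
      ? ` (caused by ${f.reason.caused_by.type}: ${f.reason.caused_by.reason})`
      : '';
    return `index ${f.index} shard ${f.shard}: ${f.reason.type}: ${f.reason.reason}${cause}`;
  });
}

// Classify the response. A search can return hits AND errors (some shards failed),
// or errors only (every shard failed) without the client ever throwing.
// A timed-out search is also incomplete, so it is reported as an error as well.
function classifySearch(res: SearchResponseLike): SearchOutcome {
  const errors = shardFailureMessages(res);
  if (res.timed_out) errors.push('search timed out; results may be incomplete');
  const hitCount = typeof res.hits.total === 'number' ? res.hits.total : res.hits.total.value;
  if (errors.length === 0) return { status: 'succeeded', hitCount };
  if (res._shards.successful === 0) return { status: 'failed', errors };
  return { status: 'partial failure', hitCount, errors };
}

// Constructed sample, modelled on the _shards block pasted in the issue; the hits
// array is invented so the example exercises the "hits plus errors" case.
const samplePartialResponse: SearchResponseLike = {
  took: 1120,
  timed_out: false,
  _shards: {
    total: 21,
    successful: 20,
    skipped: 12,
    failed: 1,
    failures: [
      {
        shard: 0,
        index: 'filebeat-8.0.0-2020.09.02-000001',
        node: 'UmFIfD_iQfepBl6sUyEk2g',
        reason: {
          type: 'query_shard_exception',
          reason: 'failed to create query: For input string: "blah"',
          index: 'filebeat-8.0.0-2020.09.02-000001',
          caused_by: { type: 'number_format_exception', reason: 'For input string: "blah"' },
        },
      },
    ],
  },
  hits: { total: { value: 3, relation: 'eq' }, hits: [{}, {}, {}] },
};

console.log(classifySearch(samplePartialResponse));
```

The point of `classifySearch` is that the decision is driven by `_shards` and `timed_out`, not by whether the client threw: a rule run that gets hits back from 20 of 21 shards is still a run whose exceptions list is broken, and the caller can write the returned `errors` to the rule status while still creating signals from the hits it did get.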
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this issue Sep 23, 2020
…from ES queries to the UI (elastic#78004)
FrankHassanabad added a commit that referenced this issue Sep 23, 2020
…from ES queries to the UI (#78004) (#78244)
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020