[Security Solution] Wrong API return for detection Engine #94550

FormindGMO · 2021-03-15T10:06:04Z

Describe the bug:
Trying to submit a detection rule via API having param enabled: true fails with wrong error : {"message":"Unsupported scheme \"ApiKey\" for granting API Key","status_code":500}

Kibana/Elasticsearch Stack version:
ElastiCloud Deployment 7.11.1

Server OS version:
ElastiCloud

Browser and Browser OS versions:
N/A : curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3

Elastic Endpoint version:
N/A

Original install method (e.g. download page, yum, from source, etc.):
N/A

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Detection rules API

Steps to reproduce:

Create your APIKey with proper privileged account:

export ENDPOINT="https://8ac352e0f59b4d579f94eb09a4ee58b6.us-east-1.aws.found.io:9243"
curl --basic -u priviledged_account -XPOST -H'kbn-xsrf:kibana' -H'Content-Type: application/json' "$ENDPOINT/_security/api_key -d '{
  "name": "priviledged-key",
  "expiration": "1d"
}

And turn it into Base64-ready header... Test key with other requests.

Perform rule insertion:

$ curl -XPOST -H 'kbn-xsrf: true' -H'Content-Type: application/json;charset=UTF-8'
-H "Authorization: ApiKey $APIKEY" $ENDPOINT/api/detection_engine/rules -d '{some_rule, "enabled": true}


3. Try by disabling the rule:
```bash
$ curl -XPOST -H 'kbn-xsrf: true' -H'Content-Type: application/json;charset=UTF-8' \
 -H "Authorization: ApiKey $APIKEY" $ENDPOINT/api/detection_engine/rules -d '{some_rule, "enabled": false}

See it work.

Current behavior:
1st yields the error : {"message":"Unsupported scheme \"ApiKey\" for granting API Key","status_code":500}
2nd works.

Expected behavior:
Both requests return HTTP/200

The text was updated successfully, but these errors were encountered:

elasticmachine · 2021-03-15T10:06:06Z

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine · 2021-03-15T18:56:49Z

Pinging @elastic/security-detections-response (Team:Detections and Resp)

spong · 2021-04-29T00:54:42Z

This appears to be an instance of #96683. Based on the comments there Alerts cannot be created from API keys like this. Looks like this will require some ES changes, so we can follow along with elastic/elasticsearch#52244 & elastic/elasticsearch#59304 for progress.

FormindGMO added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. bug Fixes for quality problems that affect the customer experience labels Mar 15, 2021

MindyRS added the Team:Detections and Resp Security Detection Response Team label Mar 15, 2021

MindyRS assigned peluja1012 Mar 15, 2021

MadameSheema added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Mar 17, 2021

peluja1012 assigned dplumlee and unassigned peluja1012 Jun 7, 2021

peluja1012 added the Team:Detection Rule Management Security Detection Rule Management Team label Sep 15, 2021

peluja1012 added the Feature:Rule Management Security Solution Detection Rule Management area label Mar 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] Wrong API return for detection Engine #94550

[Security Solution] Wrong API return for detection Engine #94550

FormindGMO commented Mar 15, 2021

elasticmachine commented Mar 15, 2021

elasticmachine commented Mar 15, 2021

spong commented Apr 29, 2021

[Security Solution] Wrong API return for detection Engine #94550

[Security Solution] Wrong API return for detection Engine #94550

Comments

FormindGMO commented Mar 15, 2021

elasticmachine commented Mar 15, 2021

elasticmachine commented Mar 15, 2021

spong commented Apr 29, 2021