
[BUG] Detector for System Activity: Microsoft Windows times out, then gets created twice #1475

Open
mmguero opened this issue Feb 13, 2025 · 0 comments
Labels
bug Something isn't working untriaged

Comments


mmguero commented Feb 13, 2025

What is the bug?

I'm attempting to create a detector for the rules under the System Activity: Microsoft Windows rulesets. The "attempting to create detector" action never returns in the UI; then, after a long time, two copies of the detector are created. (See the screencap posted below.)

How can one reproduce the bug?

See the screencap posted below.

  1. I am using a composable template with a component containing mappings for some fields from winlogbeat, normalized with some fields from fluent-bit winevtlog and evtx. I don't know if my template has anything to do with it, but I've specifically made the template line up with the winlog fields in the OSMapping/windows_logtype.json file. The template has an alias associated with it.
  2. I have Windows event logs trickling into Logstash and being indexed into OpenSearch.
  3. Go to Create Detector.
  4. Put in a name.
  5. Choose the alias for the index containing the winlog documents.
  6. Select the log type "System Activity: Microsoft Windows".
  7. Leave the default rules enabled.
  8. I had one additional mapping to do, but I don't know if that makes a difference.
  9. Click Next.
  10. Create a trigger with the default settings.
  11. Click "Create detector".
  12. After 5 minutes or so, with no change to the UI that says "Attempting to Create the detector", I clicked away to the Threat Detectors page.
  13. Click Refresh for about another 7 or 8 minutes; the detector will finally show up in the list.
  14. Wait another minute or so.
  15. Another copy of the detector shows up with the same name and settings but a creation time of about two minutes later.

What is the expected behavior?

  • Only one copy of the detector is created.
  • The UI does not time out and eventually responds without reloading.
  • The creation of the detector takes less than 10 minutes.

What is your host/environment?

  • OS: Linux x86_64 with the OpenSearch Docker image with minor modifications
  • Version: v2.19.0
  • Plugins: standard plugins installed in the Docker image, minus opensearch-security and opensearch-performance-analyzer

Do you have any screenshots?

See this video; I've cut down the parts where we're just waiting for several minutes. Total elapsed time was about 11 minutes.

winlogcreationbug.mp4

Logs from dashboards and opensearch during the time period in question:
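A check for the duplicate-detector outcome described in this report, as an added example that is not part of the original issue or of the Security Analytics plugin: it groups detectors returned by a detector search by name and reports any name that appears more than once, together with the gap between the earliest and latest timestamps. The endpoint path, the `last_update_time` field name and the response shown are assumptions constructed for the example, not output captured from the reporter's cluster.

```python
"""Flag Security Analytics detectors that share a name (e.g. created twice)."""
import json
from collections import defaultdict
from datetime import datetime

# Assumed search endpoint of the Security Analytics plugin; a GET against it
# with {"query": {"match_all": {}}} returns detector documents as search hits.
DETECTOR_SEARCH_PATH = "/_plugins/_security_analytics/detectors/_search"

# Constructed sample response (not real cluster output). Field names are assumed.
SAMPLE_SEARCH_RESPONSE = json.dumps({
    "hits": {"hits": [
        {"_id": "det-aaa", "_source": {"name": "winlog-detector",
            "detector_type": "windows", "last_update_time": "2025-02-13T15:02:10.000Z"}},
        {"_id": "det-bbb", "_source": {"name": "winlog-detector",
            "detector_type": "windows", "last_update_time": "2025-02-13T15:04:15.000Z"}},
        {"_id": "det-ccc", "_source": {"name": "linux-detector",
            "detector_type": "linux", "last_update_time": "2025-02-13T14:00:00.000Z"}},
    ]}
})


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form on Python versions whose fromisoformat lacks it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_duplicate_detectors(search_response: str) -> dict:
    """Return {name: {"ids": [...], "span_seconds": float}} for every detector
    name that occurs more than once in the search response; ids are ordered by
    timestamp so the first id is the original and later ones the extra copies."""
    by_name = defaultdict(list)
    for hit in json.loads(search_response)["hits"]["hits"]:
        src = hit["_source"]
        by_name[src["name"]].append((hit["_id"], _parse_ts(src["last_update_time"])))
    duplicates = {}
    for name, entries in by_name.items():
        if len(entries) < 2:
            continue
        entries.sort(key=lambda entry: entry[1])
        span = (entries[-1][1] - entries[0][1]).total_seconds()
        duplicates[name] = {"ids": [e[0] for e in entries], "span_seconds": span}
    return duplicates


if __name__ == "__main__":
    print(json.dumps(find_duplicate_detectors(SAMPLE_SEARCH_RESPONSE), indent=2))
```

Feeding a real search response into `find_duplicate_detectors` after a creation attempt that timed out shows whether a second copy was created and how far apart the two copies are.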
