
[Security Solution] Detection rules with actions cannot be created #155146

Closed
MadameSheema opened this issue Apr 18, 2023 · 3 comments · Fixed by #154680
Labels: bug, impact:critical, Team:Detection Alerts, Team:Detections and Resp, Team:ResponseOps, Team: SecuritySolution

Comments

@MadameSheema (Member)

Describe the bug:

  • Detection rules with actions cannot be created

Kibana/Elasticsearch Stack version:

Initial Setup:

  • To have at least one connector created

Steps to reproduce:

  1. Navigate to the Rules page
  2. Click on Create new rule
  3. Fill the mandatory fields of the Define rule step
  4. Fill the mandatory fields of the About rule step
  5. Click the Continue button of the Schedule rule step
  6. Select a frequency different from Perform no actions
  7. Select the connector type you have already created
  8. Click on Send alert notification with the selected time frame only
  9. Click again on Send alert notification with the selected time frame only
  10. Fill the mandatory fields of the action
  11. Click on Create & enable rule

Current behavior:
(Screenshot taken 2023-04-18 at 14:18:15, showing the error toast)

  • An error is displayed
  • The rule is not created

Expected behavior:

  • No error should be displayed
  • The rule should be correctly created

Additional information:

  • If the same flow is done without using Send alert notification with the selected time frame only, the rule is created properly.
Failed to validate actions due to the following error: Action's alertsFilter must have either "query" or "timeframe" : 60d62e68-7f0d-4953-abbe-c3f561cb0e3a (400)
{
  "name": "Error",
  "body": {
    "message": "Failed to validate actions due to the following error: Action's alertsFilter  must have either \"query\" or \"timeframe\" : 60d62e68-7f0d-4953-abbe-c3f561cb0e3a",
    "status_code": 400
  },
  "message": "Bad Request",
  "stack": "Error: Bad Request\n    at Fetch.fetchResponse (http://localhost:5620/9007199254740991/bundles/core/core.entry.js:14212:13)\n    at async interceptResponse (http://localhost:5620/9007199254740991/bundles/core/core.entry.js:14511:10)\n    at async http://localhost:5620/9007199254740991/bundles/core/core.entry.js:14114:39"
}
@MadameSheema added the labels bug, triage_needed, impact:critical, Team:ResponseOps, Team:Detections and Resp, Team: SecuritySolution and Team:Detection Alerts on Apr 18, 2023
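As an added illustration of the failure behind the error message above (example code, not Kibana's own): the validator below copies the wording of the 400 response, and the two toggle helpers are hypothetical models of the "Send alert notification with the selected time frame only" switch. The example assumes that switching the option off leaves an empty alertsFilter object on the action; the issue reports the symptom but does not confirm that cause. All types, names and sample values are constructed for this example.

```typescript
// Added example, not Kibana's code. Shapes are simplified and assumed for illustration.
interface Timeframe { days: number[]; hours: { start: string; end: string }; timezone: string }
interface AlertsFilter { query?: { kql: string }; timeframe?: Timeframe }
interface RuleAction { id: string; alertsFilter?: AlertsFilter }

// Constructed sample values.
const SAMPLE_TIMEFRAME: Timeframe = { days: [1, 2, 3, 4, 5], hours: { start: '09:00', end: '17:00' }, timezone: 'UTC' };
const SAMPLE_ACTION: RuleAction = { id: 'a1' };

// Mirrors the server-side check whose message the issue reports (wording copied from the 400 body).
function validateActions(actions: RuleAction[]): string | null {
  for (const action of actions) {
    const f = action.alertsFilter;
    if (f !== undefined && f.query === undefined && f.timeframe === undefined) {
      return `Action's alertsFilter must have either "query" or "timeframe" : ${action.id}`;
    }
  }
  return null;
}

// Hypothetical model of the timeframe switch (assumed cause, not confirmed by the issue).
// Buggy variant: switching off deletes `timeframe` but keeps an empty alertsFilter object,
// which is exactly the state the validator above rejects.
function toggleTimeframeBuggy(action: RuleAction, enabled: boolean): RuleAction {
  const alertsFilter: AlertsFilter = { ...(action.alertsFilter ?? {}) };
  if (enabled) {
    alertsFilter.timeframe = SAMPLE_TIMEFRAME;
  } else {
    delete alertsFilter.timeframe;
  }
  return { ...action, alertsFilter };
}

// Fixed variant: drop alertsFilter altogether once neither query nor timeframe remains,
// so the create-rule request never carries an empty filter.
function toggleTimeframeFixed(action: RuleAction, enabled: boolean): RuleAction {
  const next = toggleTimeframeBuggy(action, enabled);
  const f = next.alertsFilter;
  if (f !== undefined && f.query === undefined && f.timeframe === undefined) {
    const cleaned = { ...next };
    delete cleaned.alertsFilter;
    return cleaned;
  }
  return next;
}

// Reproduces steps 8 and 9 of the issue: toggle on, toggle off, then validate as the API would.
function reproduce(toggle: (a: RuleAction, enabled: boolean) => RuleAction): string | null {
  const on = toggle(SAMPLE_ACTION, true);
  const off = toggle(on, false);
  return validateActions([off]);
}
```

Running `reproduce(toggleTimeframeBuggy)` returns the validation error; `reproduce(toggleTimeframeFixed)` returns null, the same outcome the issue observes when the option is never touched.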
@elasticmachine (Contributor)

Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)
