Issue with Scheduled job for detectors

Plugins Security Analytics
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch version 2.7.0

Describe the issue:

I tried to implement a Detector in the security analytics module.
After choosing the windows security rules I wanted to test, for simplicity I used the whoami rules, it asked me to map the fiels, but there was a field a I could not map (server-user-hash) because we do not have it. Mapped the others and click on next, defined my trigger and channel and when I clicked on “create” the creation failed (see screenshot attached) but it nonetheless created the scheduled job linked to the detector that was not created and it is spamming my slack channel despite not the fact that there is nothing in the logs to trigger it ( and as is said the detector was not created)
I can’t find a way to disable or delete the scheduled job:

Scheduling jobId : gPwYdogBdZE5aO3DTZsm, name: whoami

Configuration:

image
image1748×545 30.2 KB

image
image1727×766 62.3 KB

Relevant Logs or Screenshots:

image
image835×192 9.36 KB

Thank you in advance for your hlep

2

Turns out I just could not see the detector with the user that created it (despite having admin rights) but I could find using the security admin with the request :

https://localhost:9200/.opendistro-alerting-config/_search

The only issue left is the field that I cannot map and that is responsible for the failed creation of the detector.

3

Apparently when I select some sigma rules, the detector configuration thinks that CommandLine refers to “server-user-hash” any idea why ?

4

Hey @florent

Probably from here.

image
image1043×353 21 KB

I found this, not sure if it will help with this issue.

https://github.com/opensearch-project/security-analytics/blob/main/src/main/resources/OSMapping/windows/fieldmappings.yml

5

I also found it, but still I don’t understand why they are mapped together, that’s weird, there is an issue regarding this on the github, I also tried to do pull request to fix it.

6

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.