Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Describe the issue:
When creating a custom Security Analytics rule with a specific rule ID, OpenSearch returns an error stating that the rule is actively used by one or more detectors, even though:
- The rule does not exist in OpenSearch
- The rule is not visible in the Security Analytics UI
- The rule is not referenced in any detector (verified via Detector APIs)
- Deleting the rule using the Rule Delete API returns 404 – Rule not found
This results in a contradictory state, where OpenSearch blocks rule creation due to detector usage, while simultaneously reporting that the rule does not exist.
This makes it impossible to create or manage the rule using the same rule ID.
Configuration:
Relevant Logs or Screenshots:
Rule creation request:
PUT /_plugins/_security_analytics/rules/044ba588-dff4-4918-9808-3f95e8160606?category=xdr_windows
{
"title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE",
"id": "044ba588-dff4-4918-9808-3f95e8160606",
"description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share",
"status": "TEST",
"author": "Nasreddine Bencherchali (Nextron Systems)",
"date": "2022-09-27 00:00:00.0",
"modified": "2023-09-12 00:00:00.0",
"references": [
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/"
],
"tags": ["attack.credential-access"],
"logsource": {
"product": "xdr_windows",
"service": "",
"category": "process_creation"
},
"detection": {
"selection_img": [
{ "Image|endswith": "\\cmd.exe" },
{ "OriginalFileName": "Cmd.Exe" }
],
"selection_cli": {
"CommandLine|contains|all": ["copy ", " \\\\\\\\"],
"CommandLine|contains": [".dmp", ".dump", ".hdmp"]
},
"condition": "all of selection_*"
},
"level": "HIGH",
"falsepositives": ["Unknown"]
}
Rule creation response:
HTTP/1.1 400 Bad Request
{
"error": {
"root_cause": [
{
"type": "status_exception",
"reason": "Rule with id 044ba588-dff4-4918-9808-3f95e8160606 is actively used by detectors. Update can be forced by setting forced flag to true"
}
],
"type": "security_analytics_exception",
"reason": "Rule with id 044ba588-dff4-4918-9808-3f95e8160606 is actively used by detectors. Update can be forced by setting forced flag to true"
},
"status": 400
}
Rule delete request:
DELETE /_plugins/_security_analytics/rules/044ba588-dff4-4918-9808-3f95e8160606
Rule delete response:
HTTP/1.1 404 Not Found
{
"error": {
"root_cause": [
{
"type": "status_exception",
"reason": "Rule with 044ba588-dff4-4918-9808-3f95e8160606 is not found"
}
],
"type": "status_exception",
"reason": "Rule with 044ba588-dff4-4918-9808-3f95e8160606 is not found"
},
"status": 404
}
Additional observation:
When the rule creation API is invoked with forced=true, the rule gets created successfully. However, after creation, attempting to delete the same rule using the Rule Delete API results in a new error stating that:
Rule with id … is actively used by detectors. Delete can be forced by setting forced flag to true
This occurs even though:
- The rule was just created
- The rule is still not visible in the Security Analytics UI
- No detectors reference the rule ID (verified via Detector APIs)
This behavior further indicates an inconsistent or stale rule–detector association state, where OpenSearch treats the rule as actively used by detectors despite no observable linkage.
Can someone help me understand why this is happening and if I’m overlooking anything? Your insights would be very helpful.
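One way to make the "verified via Detector APIs" step reproducible, as an added example that is not part of the original issue and not code from the OpenSearch project: walk every detector returned by a detectors search and report both the declared rule links (the `custom_rules` / `pre_packaged_rules` lists under each `detector_input`) and any other place the rule ID string appears in the detector document, such as a trigger's rule list. The response shape, the field names and the sample detectors are assumptions constructed for this example; the `forced=true` query parameter is the one the error messages refer to.

```python
"""Find detector documents that reference a Security Analytics rule ID.

Added example, not the OpenSearch project's code. Assumptions:
- RESPONSE is the body of POST /_plugins/_security_analytics/detectors/_search
- a detector links rules at inputs[].detector_input.custom_rules[].id and
  inputs[].detector_input.pre_packaged_rules[].id, and triggers[].ids lists
  the rule IDs a trigger fires on
The detectors below are constructed sample data, not real cluster output.
"""
from typing import Any, Iterator, Optional

RULE_ID = "044ba588-dff4-4918-9808-3f95e8160606"

# Constructed sample: det-1 declares the rule, det-2 never mentions it,
# det-3 has a stale trigger reference without a declared rule link.
SAMPLE_RESPONSE = {
    "hits": {
        "hits": [
            {"_id": "det-1", "_source": {
                "name": "windows-xdr",
                "inputs": [{"detector_input": {
                    "indices": ["xdr-windows-*"],
                    "custom_rules": [{"id": RULE_ID}],
                    "pre_packaged_rules": []}}],
                "triggers": [{"ids": [RULE_ID]}]}},
            {"_id": "det-2", "_source": {
                "name": "linux-auth",
                "inputs": [{"detector_input": {
                    "indices": ["auth-*"],
                    "custom_rules": [{"id": "11111111-2222-3333-4444-555555555555"}],
                    "pre_packaged_rules": []}}],
                "triggers": []}},
            {"_id": "det-3", "_source": {
                "name": "stale-trigger",
                "inputs": [{"detector_input": {
                    "indices": ["xdr-windows-*"],
                    "custom_rules": [],
                    "pre_packaged_rules": []}}],
                "triggers": [{"ids": [RULE_ID]}]}},
        ]
    }
}


def walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (json_path, scalar) for every leaf value in a nested document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def detectors_linking_rule(response: dict, rule_id: str) -> list[dict]:
    """Return one record per detector whose document mentions rule_id.

    'declared' holds the rule-list paths that link the rule the normal way;
    'stray' holds every other path where the ID string occurs, which is the
    kind of leftover the create/delete guard may be reacting to.
    """
    results = []
    for hit in response.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        declared = []
        for i, inp in enumerate(src.get("inputs", [])):
            detector_input = inp.get("detector_input", {})
            for kind in ("custom_rules", "pre_packaged_rules"):
                if any(r.get("id") == rule_id for r in detector_input.get(kind, [])):
                    declared.append(f"inputs[{i}].detector_input.{kind}")
        stray = [
            path for path, value in walk(src)
            if value == rule_id and not any(path.startswith(d) for d in declared)
        ]
        if declared or stray:
            results.append({"detector_id": hit.get("_id"), "name": src.get("name"),
                            "declared": declared, "stray": stray})
    return results


def forced_request(method: str, rule_id: str, category: Optional[str] = None) -> str:
    """Build the request line for a rule create/delete with forced=true set."""
    params = ["forced=true"]
    if category:
        params.insert(0, f"category={category}")
    return f"{method} /_plugins/_security_analytics/rules/{rule_id}?{'&'.join(params)}"


if __name__ == "__main__":
    for record in detectors_linking_rule(SAMPLE_RESPONSE, RULE_ID):
        print(record)
    print(forced_request("DELETE", RULE_ID))
```

Feed the function the real detectors search response (page through `from`/`size` if the cluster has many detectors) and compare its output against the empty result the UI and detector APIs suggest; a non-empty `stray` list for a detector that does not declare the rule is the first place to look for the stale association.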