[BUG] Failing to Add Threat Intelligence when environment is upgraded. #1253

Closed
givilleneuve opened this issue Aug 15, 2024 · 4 comments
Labels
bug Something isn't working

Comments

What is the bug?
We have upgraded two of our environments (one from 2.15 and another one from 2.11) to 2.16. When trying to create a local Threat Intelligence source (using the documentation sample and also a custom STIX2 file), it fails.

The error message:
[exception] Error occurred while ingesting IOCs to [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697] with an error failure in bulk execution: [0]: index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697], id [dfdc4b83-6b2c-4bc6-b06c-e4b30158f542], message [[.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697] IndexNotFoundException[no such index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697]]] [1]: index [.opensearch-sap-iocs-ux1uv5ebhudpy2h-aqmh-1723747035697], id [d3706759-5567-4551-ac28-59823d4b8140]

However, the index ends up being created (empty, but it gets created).

This goes on as a very long list, one entry for each IOC in the STIX JSON.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Ensure the environment is an upgraded environment (the error doesn't happen in a fresh install).
  2. Go to 'Security Analytics / Threat Intelligence'
  3. Click on 'Add Threat Intel Source'
  4. Select Local File Upload
  5. Upload the file
  6. Select all checkboxes and add a name
  7. Click on Add Threat Intel Source

What is the expected behavior?
It should complete the creation of the TI source and show it in the list. The IOCs should be ingested into the index .opensearch-sap-iocs-randomindex.

What is your host/environment?

  • OS: [Windows 11]
  • Version [2.16 - Upgraded]

Do you have any screenshots?

Do you have any additional context?
In the OSD logs I can also see this error (besides the one above): Alerting - MonitorService - searchMonitor: StatusCodeError: [alerting_exception] Configured indices are not found: [.opendistro-alerting-config]

@givilleneuve givilleneuve added bug Something isn't working untriaged labels Aug 15, 2024
givilleneuve (Author) commented

Adding more info.
My cluster has auto index creation denied; after enabling it I was able to create it.

@dblock dblock removed the untriaged label Sep 2, 2024
dblock commented Sep 2, 2024

[Weekly Catch All Triage - 1]

eirsep commented Sep 17, 2024

index creation denied, a

Hi @givilleneuve
Is the issue fully resolved?

@eirsep eirsep closed this as completed Sep 17, 2024
@eirsep eirsep reopened this Sep 17, 2024
@eirsep eirsep removed the untriaged label Sep 17, 2024
eirsep commented Sep 17, 2024

You can message me at https://opensearch.slack.com/team/U052WCKACH3 on OpenSearch Slack, where I can better understand your setup over a call.
Closing the issue since you have resolved your problem by unblocking index creation for the .opensearch-sap* pattern.
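The resolution above hinges on the cluster's action.auto_create_index value. As an added illustration (not code from this issue or from the Security Analytics plugin), the helper below models the documented first-match semantics of that setting, with "+" allowing, "-" denying, true/false as global switches and a name matching no pattern being denied, and shows that a blanket "false" denies the IOC index while an allow-list for the .opensearch-sap* pattern permits it without opening auto-creation up for everything else. The index name is constructed to resemble the one quoted in the report.

```python
import json
import re

# Constructed name in the shape of the index quoted in the error message.
IOC_INDEX = ".opensearch-sap-iocs-example-1723747035697"


def _simple_match(pattern, name):
    """Wildcard match where only '*' is special, as in index-pattern matching."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def auto_create_allowed(setting, index_name):
    """Would the cluster auto-create `index_name` under this
    action.auto_create_index value? Modelled on the documented behaviour:
    true/false are global switches; otherwise patterns are checked in order,
    the first match wins, '+' or no prefix allows, '-' denies, and an index
    that matches no pattern is denied."""
    value = str(setting).strip()
    if value.lower() == "true":
        return True
    if value.lower() == "false":
        return False
    for raw in value.split(","):
        pattern = raw.strip()
        if not pattern:
            continue
        include = True
        if pattern.startswith("+"):
            pattern = pattern[1:]
        elif pattern.startswith("-"):
            include, pattern = False, pattern[1:]
        if _simple_match(pattern, index_name):
            return include
    return False


def settings_body(patterns):
    """Persistent cluster-settings body for PUT _cluster/settings that
    allow-lists the Security Analytics pattern and denies the rest."""
    return json.dumps({"persistent": {"action.auto_create_index": patterns}})


if __name__ == "__main__":
    fixed = "+.opensearch-sap*,-*"
    print(auto_create_allowed("false", IOC_INDEX))      # False: the failing setup
    print(auto_create_allowed(fixed, IOC_INDEX))        # True: IOC ingestion can proceed
    print(auto_create_allowed(fixed, "my-app-logs"))    # False: other indices stay blocked
    print(settings_body(fixed))
```

The body returned by settings_body is what you would send with PUT _cluster/settings; after applying it, re-running the Threat Intel source creation should no longer raise IndexNotFoundException for the .opensearch-sap-iocs-* index.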

@eirsep eirsep closed this as completed Sep 17, 2024