[Security Solution] [Detections] Sporadic 400's when using value lists with CIDR notation #205635

Open
dhurley14 opened this issue Jan 6, 2025 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. sdh-linked Team:Detections and Resp Security Detection Response Team triage_needed

Comments

@dhurley14 (Contributor)

Describe the bug:
There are some reported cases where sorting an IP value list that uses CIDR notation can lead to sporadic 400 errors coming back in the form of a search_phase_execution_exception. I have not been able to reproduce this reliably on my local machine nor identify the root cause. Opening this bug report to track other instances of this and associated work.

Kibana/Elasticsearch Stack version:
Originally reported on 8.15.1

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Security Solution - Detections and Response

Steps to reproduce:

  1. Navigate to value list modal on detection rules management page.
  2. Upload value list of ip ranges such as 198.51.100.0/22
  3. Attempt to sort the list; sorting may sporadically fail, with errors logged in the network tab of the browser dev tools.

Current behavior:
Sorting fails sporadically - unclear if values are not visible or remain visible on the UI.

Expected behavior:
Consistently successful sorting of IP ranges with CIDR notation in the given value list.

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

Request URL:
https://my-cloud-instance.cloud.es.io/api/lists/items/_find?page=1&per_page=25&sort_field=value&sort_order=asc&list_id=ip.txt&filter=
Request Method:
GET
Status Code:
400 Bad Request

Response: {"message":"search_phase_execution_exception: ","status_code":400}

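Since the failure has not been reproduced reliably, the most direct way to collect more instances is to replay the exact sort request shown above in a loop and tally the outcomes. The harness below is an added example and is not code from this issue or from Kibana; the endpoint and query parameters are the ones in the Request URL above, while the hostname, API key, list id and the `http_get` helper are placeholders and assumptions.

```python
"""Reproducer harness for the sporadic 400 from /api/lists/items/_find.

Constructed example; not part of the issue or of Kibana. The endpoint and
query parameters match the Request URL in the issue. The hostname, API key
and list id below are placeholders (assumptions) to be replaced before a
live run.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Tuple

# Placeholders (assumptions): point these at a real Kibana instance to run live.
KIBANA_URL = "https://my-cloud-instance.cloud.es.io"
API_KEY = "REPLACE_ME"
LIST_ID = "ip.txt"


def build_find_url(base_url: str, list_id: str, page: int = 1, per_page: int = 25,
                   sort_field: str = "value", sort_order: str = "asc",
                   filter_: str = "") -> str:
    """Build the same request the value-list modal issues when sorting by value."""
    params = {
        "page": page,
        "per_page": per_page,
        "sort_field": sort_field,
        "sort_order": sort_order,
        "list_id": list_id,
        "filter": filter_,
    }
    return f"{base_url.rstrip('/')}/api/lists/items/_find?{urllib.parse.urlencode(params)}"


def http_get(url: str) -> Tuple[int, str]:
    """Live fetch (assumed API-key auth); returns (status, body), never raises on 4xx/5xx."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"ApiKey {API_KEY}", "kbn-xsrf": "true"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify(status: int, body: str) -> str:
    """Bucket a response: ok, the search_phase_execution_exception 400 from the issue, or other."""
    if status == 200:
        return "ok"
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body  # non-JSON or non-object body: inspect it as-is
    if status == 400 and "search_phase_execution_exception" in message:
        return "search_phase_400"
    return f"other_{status}"


def probe(fetch: Callable[[str], Tuple[int, str]], url: str, attempts: int = 50) -> Counter:
    """Repeat one sort request and count outcomes; a sporadic failure shows up as a mix."""
    outcomes: Counter = Counter()
    for _ in range(attempts):
        status, body = fetch(url)
        outcomes[classify(status, body)] += 1
    return outcomes


if __name__ == "__main__":
    # Live usage: prints e.g. Counter({'ok': 47, 'search_phase_400': 3})
    print(probe(http_get, build_find_url(KIBANA_URL, LIST_ID), attempts=50))
```

`fetch` is injected so the tally logic can be exercised against a fake responder without a Kibana instance; swapping in `http_get` runs it for real. If the mix of `ok` and `search_phase_400` depends on `page`, `per_page` or `sort_order`, varying those arguments to `build_find_url` narrows the trigger before digging into the Elasticsearch side.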
@dhurley14 dhurley14 added bug Fixes for quality problems that affect the customer experience sdh-linked Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed labels Jan 6, 2025
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@dhurley14 dhurley14 added Team:Detections and Resp Security Detection Response Team and removed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jan 6, 2025
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero yctercero added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Jan 13, 2025