[Security Solution] Not able to create an EQL rule due to validation error #125059

MadameSheema · 2022-02-09T11:32:24Z

Describe the bug:

Not able to create an EQL rule due to validation error

Kibana/Elasticsearch Stack version:

7.17 latest branch (45be560)
7.17.1 latest snapshot

Steps to reproduce:

Navigate to the rules page
Click on create new rule
Select Event Correlation type
Enter a valid EQL query

Current behavior:

A validation error is returned
You cannot proceed with the rule creation
The rule cannot be created

Expected behavior:

No validation error is displayed
The rule can be correctly created

Additional information:

The displayed error:

{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]"}],"type":"illegal_argument_exception","reason":"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]"},"status":400}

{
  "name": "Error",
  "message": "{\"error\":{\"root_cause\":[{\"type\":\"illegal_argument_exception\",\"reason\":\"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]\"}],\"type\":\"illegal_argument_exception\",\"reason\":\"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]\"},\"status\":400}",
  "stack": "Error: {\"error\":{\"root_cause\":[{\"type\":\"illegal_argument_exception\",\"reason\":\"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]\"}],\"type\":\"illegal_argument_exception\",\"reason\":\"request [/apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*/_eql/search] contains unrecognized parameter: [enable_fields_emulation]\"},\"status\":400}\n    at u (https://upgrades.kb.us-central1.gcp.qa.cld.elstc.co:9243/46574/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.12.js:3:16800)\n    at async f (https://upgrades.kb.us-central1.gcp.qa.cld.elstc.co:9243/46574/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.12.js:3:17361)"
}

After the upgrade of a 7.17 EQL rule to 7.17.1 version, the rule still works and generate alerts
After the upgrade of a 7.17 EQL rule to 7.17.1 version, the same error validation error is displayed when trying to edit the rule. So the rule cannot be edited.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2022-02-09T11:32:26Z

Pinging @elastic/security-solution (Team: SecuritySolution)

@timestamp

**Fixes:** #125059 ## Summary Fixes a bug in the EQL search strategy presumably introduced in #123267. ## Screenshots **Before** (request to EQL search strategy is failing, and the rule creation form can't perform validation) ![](https://puu.sh/II2fT/0ffde0f0d6.png) **After** (request to EQL search strategy is returning results, and the rule creation form can properly validate the query) ![](https://puu.sh/II2gJ/060ff92e77.png) ![](https://puu.sh/II2ex/d7fbb31517.png) ![](https://puu.sh/II2f2/09cc4483a3.png) ## Notes on testing Create a test index and write a few documents to it: ``` PUT /test-eql { "mappings": { "properties": { "@timestamp": { "type": "date" }, "process": { "type": "object", "properties": { "name": { "type": "keyword" } } } } } } POST /test-eql/_doc { "@timestamp": "2022-02-05T10:00:08Z", "process": { "name": "mdworker" } } ```

MadameSheema · 2022-02-14T09:46:26Z

This is working fine now on 7.17 latest branch (0ba6347). Thanks @banderror!!

banderror self-assigned this Feb 9, 2022

banderror mentioned this issue Feb 9, 2022

Fix EQL search strategy: omit enable_fields_emulation #125076

Merged

MadameSheema removed the triage_needed label Feb 9, 2022

MadameSheema mentioned this issue Feb 10, 2022

[Security Solution] Adding new dependencies #125187

Merged

banderror added fixed v7.17.1 labels Feb 10, 2022

MadameSheema closed this as completed Feb 14, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] Not able to create an EQL rule due to validation error #125059

[Security Solution] Not able to create an EQL rule due to validation error #125059

MadameSheema commented Feb 9, 2022

elasticmachine commented Feb 9, 2022

MadameSheema commented Feb 14, 2022

[Security Solution] Not able to create an EQL rule due to validation error #125059

[Security Solution] Not able to create an EQL rule due to validation error #125059

Comments

MadameSheema commented Feb 9, 2022

elasticmachine commented Feb 9, 2022

MadameSheema commented Feb 14, 2022