[BUG] [security_analytics_exception] Workflow with xxx not found, cannot stop or delete the Detector Rule #618
Comments
@StefanSa Can you add some details about how you are trying to delete the detector? Is it using the UX or the API? Thanks!
Hi @amsiglan,
But the alarm configuration still exists (Firewalls).
@StefanSa, from the UI, did you first try to disable or delete the detector? Also did the error message,
@lezzago
@StefanSa Thanks for letting me know. Also did you enable the
@lezzago
@StefanSa are you able to replicate this behavior or was this a one time issue? Also is the detector still showing up on the UI? Or is the problem that it shows it was deleted, but you keep seeing findings being created?
Also if you do not mind, can you share any error logs from the cluster to here that is around when you faced the error? Ideally they should be related to Alerting or Security-Analytics.
Hi @lezzago, yes, the detector is still showing up on the UI.
@lezzago
Hi @StefanSa - I'm looking into this. If your setup is still intact, could you check if the Alerting monitor associated with the detector still exists? I was able to get a similar error by deleting the underlying monitor created by the detector. Here was my process:
With the above steps, I get an exception in the UX saying The backend has these exceptions which look the same as the ones you posted above:
I am going to work on a PR to treat 404 on getting the workflow the same as if it had been deleted successfully. Then the stop/delete detector logic can continue instead of throwing this exception. Based on the exceptions you posted, I think this solution will work for your case as well, regardless of if the underlying cause is the same (monitor being deleted). It would be good to confirm that the monitor is deleted in your setup as well. If it is not, then there may be another layer to this bug that I have not identified yet.
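The approach proposed in the comment above, sketched as an added example (not code from the security-analytics plugin or from the PR): a detector delete that treats a 404 on its workflow as "already deleted" and continues, while any other failure, such as a 403, still aborts and leaves the detector in place. All class and function names are hypothetical, and the alerting backend is an in-memory stand-in constructed for the example.

```python
class ApiError(Exception):
    """Hypothetical error type carrying an HTTP-style status code."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


class FakeAlerting:
    """In-memory stand-in for the alerting backend (constructed for this example)."""
    def __init__(self, workflows, forbidden=()):
        self.workflows = set(workflows)
        self.forbidden = set(forbidden)

    def delete_workflow(self, workflow_id):
        if workflow_id in self.forbidden:
            raise ApiError(403, f"no permission to delete workflow {workflow_id}")
        if workflow_id not in self.workflows:
            raise ApiError(404, f"Workflow with {workflow_id} is not found")
        self.workflows.remove(workflow_id)


def delete_detector(detectors, alerting, detector_id):
    """Delete a detector and its workflows.

    A workflow that is already missing (404) counts as deleted, so an
    out-of-band removal of the underlying monitor or workflow cannot leave
    the detector undeletable. Every other error is re-raised before the
    detector record is touched, so authorization or server failures are
    not silently swallowed.
    """
    detector = detectors[detector_id]  # KeyError if the detector is unknown
    notes = []
    for workflow_id in detector["workflow_ids"]:
        try:
            alerting.delete_workflow(workflow_id)
            notes.append(f"deleted workflow {workflow_id}")
        except ApiError as err:
            if err.status != 404:
                raise  # 403 / 5xx: abort, detector stays in place
            notes.append(f"workflow {workflow_id} already gone")
    del detectors[detector_id]
    return notes
```

Returning the notes lets the caller log which dependent resources were already missing, which is worth recording because it points to a deletion that happened outside the detector's own lifecycle.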
…ate as AckAlertRequest (opensearch-project#618) (opensearch-project#619) Signed-off-by: Surya Sashank Nistala <[email protected]> Signed-off-by: Surya Sashank Nistala <[email protected]> (cherry picked from commit 2005185fcbbd36e41dc8344ab5a8c717c3043a1a) Co-authored-by: Surya Sashank Nistala <[email protected]>
Resolved by above PRs
What is the bug?
Have successfully created a "custom log types" with a detector rule. The detector rule went online and had quite a few findings.
I now wanted to stop or delete the detector rule; both do not work.
I get this error message:
[security_analytics_exception] Workflow with wuCa0YoByCThRGzPDLxU is not found
What is the expected behavior?
Create, stop and delete detector rules without problems.
What is your host/environment?
Do you have any additional context?
For your note, the rule was created without alarm triggers.