What is the bug?
The "total" count returned by the ListIOCs API currently maxes at 10,000. This count should be the total number of IOCs that match the query.
The "numFindings" count for each IOC also currently maxes at 10,000. The query used to collect this count should ideally be refactored to an aggregation. Only the count of findings for each IOC needs to be returned.
The "total" count returned by the ListIOCs API currently maxes at 10,000. This count should be the total number of IOCs that match the query.
Started troubleshooting this locally by ingesting 10k IOCs in addition to the 609 IOCs that are ingested by the prepackaged AlienVault source.
GET localhost:9200/_cat/indices/.opensearch-sap-iocs-*?expand_wildcards=all&v
...
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .opensearch-sap-iocs-alienvault_reputation_ip_database-1729036845680 NLD2d9EmSN2XJFQVQyd6KA 1 1 609 0 253.7kb 253.7kb
yellow open .opensearch-sap-iocs-uocgkpibvxtjl5g-zmls-1729036868686 GHLTDu7jSEGTYi7Z9CLMRg 1 1 10000 0 2.4mb 2.4mb
As called out above, the ListIOCs API incorrectly returns a maximum total of 10k.
GET localhost:9200/_plugins/_security_analytics/threat_intel/iocs?size=0
...
{
"total": 10000,
"iocs": []
}
However, even a general search query against the .opensearch-sap-iocs-* index pattern returns a total hit count of 10k.
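An added example (not code from the security-analytics project or from the commenter above) showing the two query shapes that address the caps described in this issue: a search body with `track_total_hits` enabled so `hits.total` reports the real count instead of the OpenSearch default cap of 10,000, a reader that checks `hits.total.relation` to tell a capped lower bound ("gte") from an exact count ("eq"), and a single terms aggregation that returns only a per-IOC finding count in place of one capped count query per IOC. The index pattern `.opensearch-sap-iocs-*` comes from the comment; the findings index name, the `ioc_id` field name and the sample responses are constructed placeholders, not values from the page.

```python
"""Query shapes for an uncapped IOC total and per-IOC finding counts.

Added example, not project code. Assumptions (not from the issue):
  - findings live in an index whose documents carry the matched IOC id in a
    keyword field; FINDINGS_INDEX and IOC_ID_FIELD below are placeholders.
  - hits.total has the {"value": N, "relation": "eq"|"gte"} shape that
    OpenSearch returns for search requests.
"""
from typing import Dict, List, Optional, Tuple

IOC_INDEX_PATTERN = ".opensearch-sap-iocs-*"  # from the issue comment
FINDINGS_INDEX = "ioc-findings-placeholder"    # hypothetical index name
IOC_ID_FIELD = "ioc_id"                        # hypothetical keyword field
DEFAULT_TOTAL_CAP = 10_000                     # OpenSearch default for track_total_hits


def build_ioc_search(query: dict, size: int = 0) -> dict:
    """Search body for the IOC index pattern that asks the engine for the exact
    total. Without track_total_hits the total stops counting at 10,000."""
    return {"query": query, "size": size, "track_total_hits": True}


def total_hits(response: dict) -> Tuple[int, bool]:
    """Return (total, exact). exact is False when the engine only reports a
    lower bound (relation "gte"), which is what a capped count looks like."""
    total = response["hits"]["total"]
    if isinstance(total, int):  # legacy flat format used by very old clients
        return total, True
    return int(total["value"]), total.get("relation", "eq") == "eq"


def build_findings_count_agg(ioc_ids: List[str], max_buckets: Optional[int] = None) -> dict:
    """One request that returns only the number of findings per IOC.

    Aggregation bucket doc_counts are not subject to track_total_hits, so they
    are not capped at 10,000 the way a per-IOC search total is. size=0 drops
    the hits themselves since only the counts are needed."""
    return {
        "size": 0,
        "query": {"terms": {IOC_ID_FIELD: ioc_ids}},
        "aggs": {
            "per_ioc": {
                "terms": {
                    "field": IOC_ID_FIELD,
                    # bucket count must cover every requested IOC or some are dropped
                    "size": max_buckets or max(len(ioc_ids), 1),
                }
            }
        },
    }


def findings_per_ioc(response: dict, ioc_ids: List[str]) -> Dict[str, int]:
    """Map every requested IOC id to its finding count; IOCs with no bucket
    (no findings) are reported as 0 rather than omitted."""
    counts = {ioc_id: 0 for ioc_id in ioc_ids}
    for bucket in response["aggregations"]["per_ioc"]["buckets"]:
        counts[bucket["key"]] = int(bucket["doc_count"])
    return counts


# Constructed sample responses (not captured from a real cluster). The exact
# total mirrors the 10,000 + 609 IOCs ingested in the comment above.
CAPPED_RESPONSE = {"hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []}}
EXACT_RESPONSE = {"hits": {"total": {"value": 10609, "relation": "eq"}, "hits": []}}
AGG_RESPONSE = {
    "hits": {"total": {"value": 12345, "relation": "eq"}, "hits": []},
    "aggregations": {"per_ioc": {"buckets": [
        {"key": "ioc-a", "doc_count": 12000},
        {"key": "ioc-b", "doc_count": 345},
    ]}},
}

if __name__ == "__main__":
    print(build_ioc_search({"match_all": {}}))
    print("capped:", total_hits(CAPPED_RESPONSE))
    print("exact:", total_hits(EXACT_RESPONSE))
    print(findings_per_ioc(AGG_RESPONSE, ["ioc-a", "ioc-b", "ioc-c"]))
```

A terms aggregation across several shards can be approximate when the number of distinct keys exceeds the requested bucket size, so the `size` is set to at least the number of IOCs being asked about; the `ioc_id` field also has to be mapped as `keyword` for the aggregation to run.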