Simple Detection Error Codes
Troubleshoot Simple Detections errors
Overview
Error codes from the Simple Detections model are stable, meaning they do not change over time and are formatted consistently.
Error codes have 10 characters, and each character group represents something different. To demonstrate this, take the error code SD00100001
. It is broken down as follows:
First and second characters: Always
SD
Third, fourth, and fifth characters: Represent the category:
001
- generalSixth through tenth characters: Unique error code:
00001
- no rule specified
001 errors: general
SD00100001
This error code is returned when a rule is not specified in the provided Simple Detections YAML. For example, if a Simple Detections YAML file has a top level key of Detection
but there's no content under it.
SD00100002
This error code is returned when a file could not be read at the specified path.
SD00100003
This error code is returned when an unexpected type is encountered. This usually happens when you try to use a Condition
like IsLessThanOrEquals
with a non-numeric value.
SD00100004
This error code is returned when a Condition
expected an integer value but got something else.
SD00100005
This error code is returned when a Condition
expected a float value but got something else.
SD00100006
This error code is returned when a Condition
expected a boolean value but got something else.
SD00100007
This error code is returned when a Condition
expected a string value but got something else.
002 errors: unmarshaler
SD00200001
This error code is returned when a YAML file could not be unmarshaled. This most often occurs when the YAML file is malformed.
SD00200002
This error code is returned when a YAML node could not be unmarshaled. This most often occurs when the Condition
is invalid or the match expression is malformed.
SD00200003
This error code is returned when the key specifier is invalid. This occurs when:
A multi-key match expression has a malformed entry under the
Values
key:
A
GroupBy
statement has a malformed entry under theGroupBy
key:
An
AlertContext
has a malformed entry in theValue
that specifies which key's context to capture:
SD00200004
This error code is returned when the YAML match expression for an existence Condition
is malformed. Usually, this occurs when a Value
or Values
key is specified in the YAML:
SD00200005
This error code is returned when, after we finish unmarshaling the YAML, the resulting struct is invalid. Simple Detections runs a number of validations at this stage, including:
Validation that the specified key specifier format is correct
Validation that absolute Conditions (
AlwaysTrue
,AlwaysFalse
) are only used with absolute match expressionsValidation that a specified
KeyPath
is using valid syntaxValidation that a specified
Key
is using valid syntax
003 errors: core
SD00300001
This error is returned when a Simple Detection Rule Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300002
This error is returned when a Simple Detection Filter Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300003
This error is returned when Simple Detections was able to unmarshal the provided YAML but was unable to create a valid Simple Detections data model. This error should rarely occur, but if it does, it is likely due to a bug in the Simple Detections data models.
SD00300004
This error is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the constructed match expression. Validations that are run on constructed match expressions include, by type:
Existence conditions:
only a key specifier and
Condition
are provided
Absolute conditions:
only a
Condition
is provided
Scalar conditions:
a key specifier,
Condition,
andValue
are provided
List conditions:
a key specifier,
Condition
, andValues
are provided
Condition
andValues
are provided
List comprehension conditions:
a key specifier,
Condition
, andExpressions
are providedExpressions
contains:One or more nested list comprehensions, i.e., a list comprehension calling another list comprehension
One or more simpler (i.e., not list comprehension) match expressions
SD00300005
This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the GroupBy
statement. Validations that are run on the GroupBy
statement include:
At least one key specifier is provided
SD00300006
This error code is returned when a Simple Detection GroupBy
Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300007
This error code is returned when a Match Expression was expected to be a list comprehension but is not a list comprehension. This is most commonly returned when:
A dynamic severity is specified
List comprehensions are not allowed in
DynamicSeverities
A list comprehension is attempted to be used in an Inline Filter
List comprehensions are not allowed in
InlineFilters
SD00300008
This error code is returned when a Simple Detection Alert Context Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300009
This error code is returned when Simple Detections was able to create a valid Simple Detections data model but was unable to validate the AlertContext
statement. Validations that are run on the AlertContext
statement include:
A minimum of one (1) key/value pair is provided if
AlertContext
is specified
SD00300010
This error code is returned when Simple Detections was unable to validate the provided AlertTitle
. Validations that are run on the AlertTitle
include:
The
AlertTitle
is not empty
SD00300011
This error code is returned when a Simple Detection AlertTitle
Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300012
This error code is returned when a Simple Detection Dynamic Severities Data Model could not be created. Most commonly, this will be a catch all for less specific errors. Check the "Inner Error" for additional details.
SD00300013
This error code is returned when a Dynamic Severity is specified but has no conditions:
SD00300014
This error code is returned when Simple Detections was able to create the Dynamic Severities Data Model, but was unable to validate it. Validations that are run on the Dynamic Severities include:
If
DynamicSeverities
is specified, at least one Dynamic Severity is specifiedNo list comprehensions are used in the
Conditions
No combinators are used in the
Conditions
(e.g.Any
,All
,OnlyOne
,None
)No Absolute Conditions are used in the
Conditions
No multi-key match expressions are used in the
Conditions
004 errors: transpiler
SD00400001
This error code is returned when a match expression could not be converted to Python. See the "Inner Error" for additional details.
SD00400002
This error code is returned when a match expression could not be converted to a Python comment. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400003
This error code is returned when Simple Detections was able to convert all of the match expressions under the Detection
key into Python, but was unable to construct the full Python rule. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400004
This error code is returned when a Match Expression is not yet supported for transpilation to Python. This is unlikely to occur and is probably a bug in Simple Detections.
SD00400013
This error code is returned when a Correlation rule could not be converted properly. Only relevant to Correlations Detections.
005 errors: filters
SD00500001
This error code is returned when a match expression could not be converted to an Inline Filter. See the "Inner Error" for additional details. Most commonly, this occurs when the provided Match Expression uses an unsupported Match Expression form or Condition
for Inline Filters.
Inline Filters only support the following conditions:
Equals
DoesNotEqual
IsGreaterThan
IsGreaterThanOrEquals
IsLessThan
IsLessThanOrEquals
Contains
DoesNotContain
StartsWith
EndsWith
IsIPAddressInCIDR
IsIPAddressNotInCIDR
CIDRContainsIPAddresses
CIDRDoesNotContainIPAddresses
IsIn
IsNotIn
IsIPAddressPublic
IsIPAddressPrivate
IsNullOrEmpty
IsNotNullOrEmpty
Inline Filters only support the following Match Expression forms:
SD00500002
This error code is returned when a Inline Filter could not be converted to a match expression. This is unlikely to occur and is probably a bug in Simple Detections.
Last updated