
Malformed table row, a cell is undefined error while generating PDF report for Rule ID 11

Open sakib789 opened this issue 11 months ago • 2 comments

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.7.2 | PDF Report | - | - | - |

Hello Team,

I've identified an issue while working on this community. It appears that whenever the number of events surpasses the average alerts by a significant margin, an alert with Rule ID 11 at level 4 is triggered. Strangely, this alert lacks any description, and it doesn't seem to be generated by any specific rule.


Upon investigation, it seems that the Check_Hour() function, responsible for this alert, can be found here. This function is called by w_process_event_thread (source) and triggers an alert whenever the number of events exceeds the average by a considerable margin.

However, due to the missing alert description, attempts to generate a PDF report including the alert (Rule ID: 11) result in an error: 'Malformed table row; a cell is undefined.'

Please refer to the attached screenshots for visual details.

A potential workaround is to deselect or filter out Rule ID 11 before generating the report.


I look forward to further investigation on this issue, aiming to ensure smoother generation of PDF reports.

sakib789 Feb 28 '24 18:02

Another user also reported this: https://github.com/wazuh/community/issues/24072

sakib789 Apr 22 '24 04:04

Research

The Summary table included in the module reports aggregates data using some fields, such as rule.description. If the response includes results without this field, the current algorithm that transforms the API response to a table row does not add the values for the missing columns.

For example, the summary table on Modules > Security events > Dashboard (or Threat Hunting > Dashboard on 4.9.0) has the following columns:

  • Rule ID: aggregation by rule.id
  • Description: aggregation by rule.description
  • Level: aggregation by rule.level
  • Count: doc_count of rule.level aggregation

If the query matches results without the rule.description field, then for the aggregation of rule.id, the algorithm that transforms the API response to the table row generates a row with the rule.id and the count. The values for the rule.description and rule.level are missing.

I solved it in: https://github.com/wazuh/wazuh-dashboard-plugins/pull/6558/commits/3c742c09a7d19b3aa906a333ac6ade56b6e0d497

Desvelao May 06 '24 14:05
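
The failure described in the research comment, as an added example that is not part of the thread and not the plugin's own code: a nested aggregation flattened into table rows yields a short row when a sub-aggregation has no buckets, and padding the row keeps the count in its column. The response shape, the `sub` key, the function names and rule 100001 are assumptions made for illustration.

```javascript
// Constructed sample: nested terms aggregation rule.id > rule.description > rule.level.
// The `sub` key and rule 100001 are made up; Rule ID 11 comes from the issue.
const COLUMNS = ['Rule ID', 'Description', 'Level', 'Count'];
const sampleAgg = {
  buckets: [
    { key: '100001', doc_count: 12, sub: { buckets: [
      { key: 'Constructed sample rule', doc_count: 12, sub: { buckets: [
        { key: 3, doc_count: 12 },
      ] } },
    ] } },
    // Alerts without rule.description produce no buckets in the sub-aggregation.
    { key: '11', doc_count: 4, sub: { buckets: [] } },
  ],
};

// Naive flattening: one row per leaf bucket, cells = keys on the path + doc_count.
function flattenNaive(agg, prefix = []) {
  const rows = [];
  for (const bucket of agg.buckets) {
    const cells = [...prefix, bucket.key];
    if (bucket.sub && bucket.sub.buckets.length > 0) {
      rows.push(...flattenNaive(bucket.sub, cells));
    } else {
      rows.push([...cells, bucket.doc_count]);
    }
  }
  return rows;
}

// Padded flattening: keep the count in the last column and fill the gap.
function flattenPadded(agg, columnCount, placeholder = '-') {
  return flattenNaive(agg).map((row) => {
    if (row.length >= columnCount) return row;
    const keys = row.slice(0, -1);
    const count = row[row.length - 1];
    const gap = Array(columnCount - row.length).fill(placeholder);
    return [...keys, ...gap, count];
  });
}

// Pre-render check: rows whose cell count does not match the header.
function findShortRows(rows, columnCount) {
  return rows.filter((row) => row.length !== columnCount);
}

console.log(findShortRows(flattenNaive(sampleAgg), COLUMNS.length));
console.log(flattenPadded(sampleAgg, COLUMNS.length));
```
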