[Security Solution] Prebuilt rules' Related Integrations: Microsoft Office 365 are shown as not installed (0/1) in Rules UI #150968
Comments
nicpenning
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
MadameSheema
added
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
spong
added
v8.7.0
Feature:Related Integrations
banderror
added
impact:medium
…ed or enabled when they actually are (#152055) ## Summary Resolves: #142081 #149970 #150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]>
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]> (cherry picked from commit b833b10)
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]> (cherry picked from commit b833b10)
|
Fixed by #152055 |
|
Hi @banderror We were trying to regress this issue and on enabling the so can you please share the what field value to put in in order to enable the related integration and regress this issue.
Rules.-.Kibana.Mozilla.Firefox.2023-03-06.11-09-23.mp4 |
|
Hi @banderror Just for update on adding test under the mandate field, we are able to add the integration to the policy and after that we are getting Related integration as installed ✔️ .
|
|
@karanbirsingh-qasource Great. You can put anything in this field, it doesn't matter for the code that shows related integrations and their installation status. |
|
Awesome!! Can we close the ticket @karanbirsingh-qasource @banderror? |
|
@karanbirsingh-qasource Please reopen if needed |
|
thanks @banderror for the confirmation 👍 |
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]>
|
FYI, the 0/1 integrations installed is still a problem when navigating to the rules.
Inside of the rules and hovering it shows it is installed but not at a glance. |
|
@karanbirsingh-qasource Pinging for visibility. |
|
FYI - Running version 8.9.0 and latest version of the integration 1.17.1 |
|
Thanks @nicpenning, and sorry for that. Would you mind updating the description with the fresh info, such as the versions you mentioned and anything else you think could be helpful? For instance, it could be useful to know how many integration policies you have created for Microsoft 365, how many agent policies include these integration policies, how many agents are assigned to these policies, etc. Any screenshots or screen recordings, etc. |
nicpenning
changed the title
|
Current state: Upon upgrading, it also states that there are 0 agents with a policy that has this integration. This has been an issue also for quite some time (we have never seen this work on some integrations).
After upgrade, proof we have this integration in a policy This shows the M365 Integration installed. But another issue with this is that the assets do not show under the assets tab either. This is an increasing issue across our integrations. |
|
Issue with UI where an integration is installed and I believe to be enabled because it is assigned to an agent and successfully ingesting data, however it is still only showing up as "installed" and the integration ticker is still only showing "0/1". I have attached a screen grab as well.
|
|
Hi @nicpenning My procedure was:
Note: I am doing this on Mac, not Windows. I don't think this plays a role here, however I am not 100% sure. @nicpenning Please check if you can reproduce the error. This bug was reported in Feb 2023.
FYI @banderror |
|
I will take a look. I think the main issue was that the integrations previously were version specific. So if you were running 1.12.0 for example, the integration was looking for 1.3.0 specifically as mentioned in my initial post. |
|
@nicpenning Thank you. Looking forward to seeing your observations on this one. |
|
@banderror When working on ticket 152408 I noticed that the ticket originated from a PR 152055 which declares to be fixing this issue. I thought that this might be the reason why I am not able to reproduce it today, buy I discovered that in this PR 178295 we stopped using this endpoint |
Describe the bug:
Quite a few O365 rules are showing not installed and the link will navigate the user to: https://kibana/app/integrations/detail/o365-1.3.0/overview
Kibana/Elasticsearch Stack version:
8.6.1
Server OS version:
Windows Server 2016
Browser and Browser OS versions:
Latest Chrome or Edge
Elastic Endpoint version:
N/A
Original install method (e.g. download page, yum, from source, etc.):
Download Page -> Extract -> Execute
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Detection Rules
Steps to reproduce:
Current behavior:
Rules are showing the integrations are missing
Expected behavior:
Rules should show the integrations are installed.
Screenshots (if relevant):
The text was updated successfully, but these errors were encountered: