
[Security Solution] Users unable to upgrade prebuilt rules after switching to save query #209343

Open
Tracked by #201502
maximpn opened this issue Feb 3, 2025 · 4 comments
Labels: 8.18 candidate; bug (Fixes for quality problems that affect the customer experience); Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area); impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product); Team:Detection Rule Management (Security Detection Rule Management Team); Team:Detections and Resp (Security Detection Response Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); v8.18.0

Comments


maximpn commented Feb 3, 2025

Epic: #174168

Summary

Users are unable to upgrade custom query prebuilt rules after customizing a rule's query by saving it, i.e. converting the rule to the saved_query type.

Neither the UI nor the API supports upgrading custom query rules that have been converted to saved query rules.

Steps to reproduce

  1. Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled.
  2. Allow internal APIs by adding server.restrictInternalApis: false to kibana.dev.yaml.
  3. Clear Elasticsearch data.
  4. Run Elasticsearch and Kibana locally (do not open Kibana in a web browser).
  5. Install an outdated version of the security_detection_engine Fleet package:

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

  6. Install prebuilt rules:

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

  7. Open some custom query rule for editing, for example AdminSDHolder Backdoor, and convert it to the saved_query rule type by saving its KQL query and checking the Load saved query "<saved query name>" dynamically on each rule execution checkbox.

  8. Try to upgrade the rule via the UI.

Expected result: The rule upgrades without issues. It has the saved_query or query type depending on what the user selected in the rule upgrade flyout while editing the KQL query.

Actual result:

  • The Rule Upgrade flyout doesn't allow saving the resolved conflict for the KQL query. An error appears in the console.
  • The API fails with an error when the KQL query doesn't have conflicts and the UI allows upgrading the rule.


API errors

```json
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "[request body]: rules.0.fields.kql_query.resolved_value.type: Invalid literal value, expected \"inline_query\", rules.0.fields.kql_query.resolved_value.query: Required, rules.0.fields.kql_query.resolved_value.language: Required, rules.0.fields.kql_query.resolved_value.filters: Required"
}
```
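To show why the upgrade request above is rejected, here is an added example (not Kibana's code) that models the request-body check as a schema accepting only the inline variant, beside a widened check that accepts a saved query as well. The inline_query shape and the error texts follow the issue; the saved_query shape (type plus saved_query_id) and the sample payloads are assumptions.

```typescript
// Added example, not Kibana's code: a minimal model of the request-body check
// behind the 400 above. The "inline_query" shape and the error texts follow the
// issue; the "saved_query" shape (type + saved_query_id) is an assumption.
type InlineKqlQuery = { type: "inline_query"; query: string; language: string; filters: unknown[] };
type SavedKqlQuery = { type: "saved_query"; saved_query_id: string };
type KqlQuery = InlineKqlQuery | SavedKqlQuery;

const PATH = "rules.0.fields.kql_query.resolved_value";

// Behaviour reported in the issue: only the inline variant is accepted, so a
// saved-query resolved value fails the literal check and then every inline field.
function validateInlineOnly(v: Record<string, unknown>): string[] {
  const errors: string[] = [];
  if (v.type !== "inline_query") {
    errors.push(`${PATH}.type: Invalid literal value, expected "inline_query"`);
  }
  for (const field of ["query", "language", "filters"]) {
    if (v[field] === undefined) errors.push(`${PATH}.${field}: Required`);
  }
  return errors;
}

// Widened check: a discriminated union over both rule types, so a rule converted
// to saved_query can carry a saved query id as its resolved value.
function validateKqlQuery(v: Record<string, unknown>): string[] {
  if (v.type === "saved_query") {
    return typeof v.saved_query_id === "string" ? [] : [`${PATH}.saved_query_id: Required`];
  }
  return validateInlineOnly(v);
}

// Constructed sample payloads (not captured from Kibana).
const inlineValue: KqlQuery = { type: "inline_query", query: "process.name : foo", language: "kuery", filters: [] };
const savedValue: KqlQuery = { type: "saved_query", saved_query_id: "example-saved-query-id" };
```

Running validateInlineOnly on savedValue yields the four errors from the issue's response, while validateKqlQuery accepts both payloads.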
@maximpn maximpn added 8.18 candidate 9.0 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:critical This issue should be addressed immediately due to a critical level of impact on the product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team triage_needed labels Feb 3, 2025
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. v8.18.0 and removed triage_needed impact:critical This issue should be addressed immediately due to a critical level of impact on the product. 9.0 candidate labels Feb 4, 2025
@banderror banderror assigned maximpn and unassigned banderror Feb 4, 2025
@banderror

@maximpn Thanks for catching this bug. I don't think it's a critical one since the affected feature hasn't been released yet. But I think it's a high impact one that we should try to fix before the first release of Milestone 3. Fixing it would be the 2nd priority right after finalizing the upgrade test coverage.
