
[Security Solution] Normalizes filters field before rule diff comparison #206344

Status: Open. Wants to merge 2 commits into base: main

Conversation

@dplumlee (Contributor) commented Jan 10, 2025

Summary

Addresses #202966

The issue that causes the overarching problem mentioned in the ticket is that we add an extra alias: null property to the filter via the kibana filter utils instead of keeping the alias field unset. This is functionally the same rule, but since the prebuilt rule objects are technically different (alias is set to undefined instead of null), we mark these rules as customized, which causes the query fields to show as modified fields on update.

To address this, since changing the kibana util filter would be very invasive and touch a lot of code, we instead normalize the field on our side before version comparison. This fixes the reported bug and improves the resiliency of rule upgrades in the future.

Testing (copied from ticket)

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs via adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package:
    curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
  • Install prebuilt rules:
    curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
  • Open a threat_match rule for editing. For example Threat Intel Hash Indicator Match with rule_id aab184d3-72b3-4639-b242-6597c99d8bca.

With this fix, users should NOT see any extra fields in the rule upgrade flyout, nor should the rule be marked as "Modified" if opened and saved with no other modifications

Checklist

Check that the PR satisfies the following conditions.

Reviewers should verify that this PR satisfies this list as well.
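To make the normalization described in the PR summary concrete, here is an added illustration. It is my own example code, not the PR's diff and not Kibana's filter utilities: the Filter shape is a simplified assumption modelled on Kibana's meta/query filter objects, and normalizeFilter, filtersEqual and diffFilters are hypothetical names. It shows the two failure modes a reviewer cares about: a filter that only differs by alias: null versus an unset alias must compare as unchanged, while a filter whose value the user actually edited must still be reported as customized (and as a conflict when the package also changes it), so the normalization cannot be used to paper over real differences.

```typescript
// Added example (not Kibana's code). Simplified filter shape assumed for
// illustration; real Kibana filters carry more fields under `meta`.
interface FilterMeta {
  alias?: string | null;
  negate?: boolean;
  disabled?: boolean;
  key?: string;
  type?: string;
  params?: unknown;
}

interface Filter {
  meta: FilterMeta;
  query?: Record<string, unknown>;
}

// Drop `alias` when it carries no information (undefined or null) so both
// spellings of "no alias" produce the same object. Nothing else is touched,
// so a genuinely different filter stays different after normalization.
function normalizeFilter(filter: Filter): Filter {
  const { alias, ...restMeta } = filter.meta;
  const meta: FilterMeta = { ...restMeta };
  if (alias !== undefined && alias !== null) {
    meta.alias = alias;
  }
  return { ...filter, meta };
}

function normalizeFilters(filters: Filter[]): Filter[] {
  return filters.map(normalizeFilter);
}

// Key-order-insensitive canonical form. Plain JSON.stringify would report
// {a:1,b:2} and {b:2,a:1} as different, which is another spurious "customized".
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return (
      "{" +
      Object.keys(obj)
        .sort()
        .map((k) => JSON.stringify(k) + ":" + canonical(obj[k]))
        .join(",") +
      "}"
    );
  }
  return JSON.stringify(value);
}

// Compare two `filters` arrays after normalization.
function filtersEqual(a: Filter[], b: Filter[]): boolean {
  return canonical(normalizeFilters(a)) === canonical(normalizeFilters(b));
}

// Three-way outcome in the spirit of the upgrade/_review flow:
// base = installed prebuilt version, current = what is in the cluster,
// target = the new package version.
type DiffOutcome = "NO_CHANGE" | "TARGET_UPDATE" | "CUSTOMIZED_NO_UPDATE" | "CONFLICT";

function diffFilters(base: Filter[], current: Filter[], target: Filter[]): DiffOutcome {
  const customized = !filtersEqual(base, current);
  const updated = !filtersEqual(base, target);
  if (!customized && !updated) return "NO_CHANGE";
  if (!customized) return "TARGET_UPDATE";
  if (!updated) return "CUSTOMIZED_NO_UPDATE";
  // Both sides changed: only a conflict if they changed to different values.
  return filtersEqual(current, target) ? "TARGET_UPDATE" : "CONFLICT";
}

// Constructed sample data: the filter as shipped in the package asset (alias
// unset) and the same filter after a round trip through filter utilities
// that emit `alias: null`.
const packageFilter: Filter = {
  meta: { negate: false, disabled: false, key: "event.category", type: "phrase", params: { query: "process" } },
  query: { match_phrase: { "event.category": "process" } },
};
const roundTrippedFilter: Filter = {
  ...packageFilter,
  meta: { ...packageFilter.meta, alias: null },
};
// A real customization: the user changed the matched value.
const customizedFilter: Filter = {
  meta: { ...packageFilter.meta, params: { query: "network" } },
  query: { match_phrase: { "event.category": "network" } },
};
// A package update that also changes the value, to a third value.
const updatedPackageFilter: Filter = {
  meta: { ...packageFilter.meta, params: { query: "file" } },
  query: { match_phrase: { "event.category": "file" } },
};
```

Without normalizeFilter, filtersEqual([packageFilter], [roundTrippedFilter]) would be false and the rule would be flagged as customized exactly as the ticket describes; with it, the round-tripped filter is unchanged while customizedFilter is still detected, and a package update on top of a customization still surfaces as CONFLICT.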

@dplumlee added labels on Jan 10, 2025: bug (Fixes for quality problems that affect the customer experience), release_note:skip (Skip the PR/issue when compiling release notes), v9.0.0, Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Detection Rule Management (Security Detection Rule Management Team), Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area), backport:version (Backport to applied version labels), v8.18.0
@dplumlee dplumlee self-assigned this Jan 10, 2025
@dplumlee dplumlee requested review from a team as code owners January 10, 2025 20:30
@dplumlee dplumlee requested a review from nkhristinin January 10, 2025 20:30
@elasticmachine (Contributor): Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor): Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor): Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@dplumlee dplumlee requested a review from maximpn January 10, 2025 20:30
@elasticmachine (Contributor) commented Jan 10, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #1 / Rules Management - Prebuilt Rules - Prebuilt Rules Management @ess @serverless @skipInServerlessMKI review prebuilt rules updates from package with mock rule assets kql_query fields when rule field has an update and a custom value that are different - scenario ABC when all versions are inline query type should show a non-solvable conflict in the upgrade/_review API response
  • [job] [logs] FTR Configs #115 / Rules Management - Prebuilt Rules - Prebuilt Rules Management @ess @serverless @skipInServerlessMKI review prebuilt rules updates from package with mock rule assets kql_query fields when rule field has an update and a custom value that are different - scenario ABC when all versions are inline query type should show a non-solvable conflict in the upgrade/_review API response

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before   after    diff
securitySolution  22.2MB   22.2MB   +62.0B

cc @dplumlee

@dplumlee dplumlee requested a review from a team as a code owner January 10, 2025 23:00
2 participants