investigationFields rule params breaking change #165987

Closed
ymao1 opened this issue Sep 7, 2023 · 3 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@ymao1
Contributor

ymao1 commented Sep 7, 2023

It looks like security detection rules added a new investigationFields param in #163235 as a string array and then changed the type in #164133 to an object. In this new serverless world, this is a breaking change and is a ZDT upgrade issue.

We can see this show up as errors in serverless logs:

Executing Rule default:siem.eqlRule:7a961510-469d-11ee-a0b3-d7701b434d1d has resulted in Error: params invalid: Invalid value "[]" supplied to "investigationFields" - Error: params invalid: Invalid value "[]" supplied to "investigationFields"    at validateRule (/usr/share/kibana/node_modules/@kbn/alerting-plugin/server/task_runner/rule_loader.js:56:11)    at TaskRunner.prepareToRun (/usr/share/kibana/node_modules/@kbn/alerting-plugin/server/task_runner/task_runner.js:484:42)

We believe these are detection rules created prior to the change in params schema that can no longer run because of the destructive schema change.

For ZDT, we only support additive changes to rule type params, so the appropriate mitigation would be to change investigationParams to support both a string array field and an object.

To recreate locally:

  • Set xpack.task_manager.requeue_invalid_tasks.enabled: true in your kibana config
  • Run Kibana at commit hash a772ab7fa8facdb92ad35408ae17f489bc5ca595 and create a detection rule
  • Upgrade Kibana to main and see that the rule you created is now failing.
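An added illustration of the additive mitigation described above (example code written for this page, not Kibana's own schema code): a strict validator that only accepts the new object shape beside an additive one that accepts both the legacy string array and the object, normalizing the legacy form. The object shape { field_names: string[] } and all function names are assumptions.

```typescript
// Assumed new shape of investigationFields after the change (not taken from this issue).
type InvestigationFieldsObject = { field_names: string[] };

// Mirrors the wording of the error seen in the serverless logs above.
function paramsInvalid(value: unknown, path: string): Error {
  return new Error(`params invalid: Invalid value ${JSON.stringify(value)} supplied to "${path}"`);
}

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((x) => typeof x === 'string');
}

function isFieldsObject(v: unknown): v is InvestigationFieldsObject {
  return typeof v === 'object' && v !== null && !Array.isArray(v)
    && isStringArray((v as Record<string, unknown>).field_names);
}

// Destructive schema: only the new object shape passes. A rule saved before the
// change (investigationFields: []) fails validation and can no longer run.
function validateStrict(v: unknown): InvestigationFieldsObject | undefined {
  if (v === undefined) return undefined;
  if (isFieldsObject(v)) return v;
  throw paramsInvalid(v, 'investigationFields');
}

// Additive schema: both shapes pass, and the legacy array is normalized so the
// rule executor only ever sees the object form.
function validateAdditive(v: unknown): InvestigationFieldsObject | undefined {
  if (v === undefined) return undefined;
  if (isFieldsObject(v)) return v;
  if (isStringArray(v)) return { field_names: v };
  throw paramsInvalid(v, 'investigationFields');
}

// Runs both validators over constructed params as saved before and after the
// schema change (plus one malformed value) and reports which each accepts.
function compareSchemas(): { strict: boolean[]; additive: boolean[] } {
  const samples: unknown[] = [
    [],                                   // legacy rule, empty array
    ['host.name', 'user.name'],           // legacy rule with fields
    { field_names: ['host.name'] },       // rule saved after the change
    'host.name',                          // malformed, rejected by both
  ];
  const accepts = (fn: (v: unknown) => unknown) =>
    samples.map((s) => { try { fn(s); return true; } catch { return false; } });
  return { strict: accepts(validateStrict), additive: accepts(validateAdditive) };
}
```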
@botelastic botelastic bot added the needs-team Issues missing a team label label Sep 7, 2023
@ymao1 ymao1 added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area and removed needs-team Issues missing a team label labels Sep 7, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ymao1 ymao1 added the bug Fixes for quality problems that affect the customer experience label Sep 7, 2023
@yctercero yctercero self-assigned this Sep 7, 2023
@yctercero
Contributor

Closing out as this was resolved during 8.11.
