
[Security Solution] Security rule snoozes do not work from/show up on Alerts and Insights screen #169131

Closed
Zacqary opened this issue Oct 17, 2023 · 1 comment · Fixed by #169180
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

Zacqary (Contributor) commented Oct 17, 2023

From an SDH request:

  1. Snoozing a security rule from the Security app works as expected:
     (screenshot)
  2. BUG: Snoozing the security rule from the rules table in Alert and insights > Rule, using the shortcut on top of the table, does NOT work. Despite a popup saying the rule has been updated, the rule is not snoozed and no icon appears in the "notify" column.
     (screenshot)
  3. Snoozing the security rule after opening it completely from the Alert and insights > Rule table works as expected:
     (screenshot)
  4. BUG: in all cases, the Notify column in the rules table in Alert and insights never shows a snoozed icon despite the rule being snoozed:
     (screenshot)
@Zacqary Zacqary added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Oct 17, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

@Zacqary Zacqary added Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team labels Oct 17, 2023
Zacqary pushed a commit that referenced this issue Oct 18, 2023
Fixes: #169131

## Summary

Bulk snoozing of SIEM (Security Rules) was previously silently skipped
in the Rules Client when bulk editing rules to snooze scheduling a rule.

Since then, the snoozing functionality was introduced in the Security
Solution, but the check that silently skipped this update was never
removed in the Rules Client side.

The issue was only noticeable when bulk editing Rules to add snoozing in
the **Alerts and Insights > Rules** page, since Security Solution
doesn't allow bulk snoozing (as of yet) and all other areas of the UI do
not use bulk but single snoozing.

Removing the check to skip SIEM rules sufficed to fix the issue.

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
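The silent skip the commit message describes, modelled as an added TypeScript example that is not Kibana's code: a stale guard that passes over SIEM rules during a bulk snooze edit, beside a version that applies the edit to every matched rule and reports any deliberate exclusion instead of dropping it. The rule shape, the `siem` consumer string and all function names here are assumptions made for the illustration.

```typescript
// Added illustration, not Kibana's code: a minimal model of the bulk-edit snooze
// path. Rule shape and the 'siem' consumer value are simplified assumptions.
interface SnoozeEntry { duration: number; rRule: { dtstart: string; tzid: string } } // duration in ms
interface Rule { id: string; consumer: string; snoozeSchedule: SnoozeEntry[] }
interface BulkEditResult { updated: Rule[]; skipped: string[] } // skipped: ids left alone on purpose
const SIEM_CONSUMER = 'siem'; // assumed marker for a Security Solution rule

function withSnooze(rule: Rule, entry: SnoozeEntry): Rule {
  return { ...rule, snoozeSchedule: [...rule.snoozeSchedule, entry] };
}

// Before: the stale guard drops SIEM rules from the update without recording it,
// so the UI shows a success toast while the rule stays unsnoozed (this issue).
function bulkSnoozeWithStaleGuard(rules: Rule[], entry: SnoozeEntry): BulkEditResult {
  const updated: Rule[] = [];
  for (const rule of rules) {
    if (rule.consumer === SIEM_CONSUMER) continue; // silent skip
    updated.push(withSnooze(rule, entry));
  }
  return { updated, skipped: [] };
}

// After: every matched rule receives the entry. If an operation must still
// exclude a rule, the exclusion is explicit and reported in `skipped`.
function bulkSnooze(
  rules: Rule[], entry: SnoozeEntry, exclude: (r: Rule) => boolean = () => false
): BulkEditResult {
  const updated: Rule[] = [];
  const skipped: string[] = [];
  for (const rule of rules) {
    if (exclude(rule)) { skipped.push(rule.id); continue; }
    updated.push(withSnooze(rule, entry));
  }
  return { updated, skipped };
}

// What a "Notify" column would evaluate: is the rule snoozed at `now`?
function isSnoozed(rule: Rule, now: Date): boolean {
  const t = now.getTime();
  return rule.snoozeSchedule.some((s) => {
    const start = Date.parse(s.rRule.dtstart);
    return start <= t && t < start + s.duration;
  });
}

// Constructed sample input: one Security rule and one ordinary alerting rule.
const sampleRules: Rule[] = [
  { id: 'sec-1', consumer: SIEM_CONSUMER, snoozeSchedule: [] },
  { id: 'obs-1', consumer: 'logs', snoozeSchedule: [] },
];
const oneHour: SnoozeEntry = {
  duration: 60 * 60 * 1000,
  rRule: { dtstart: '2023-10-17T12:00:00.000Z', tzid: 'UTC' },
};
```

A bulk API that returns an empty `skipped` list while quietly omitting rules is exactly the failure mode the issue reports; surfacing exclusions in the result is what lets the caller avoid a misleading success message.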
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 18, 2023
(cherry picked from commit 2f80ca2)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 18, 2023
(cherry picked from commit 2f80ca2)
kibanamachine referenced this issue Oct 18, 2023
…169266)

# Backport

This will backport the following commits from `main` to `8.11`:
- [[ResponseOps] Allow bulk snoozing of Security Rules
(#169180)](#169180)


Co-authored-by: Juan Pablo Djeredjian <[email protected]>
kibanamachine referenced this issue Oct 18, 2023
…169264)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[ResponseOps] Allow bulk snoozing of Security Rules
(#169180)](#169180)


Co-authored-by: Juan Pablo Djeredjian <[email protected]>
Zacqary pushed a commit to Zacqary/kibana that referenced this issue Oct 18, 2023
(cherry picked from commit 2f80ca2)

# Conflicts:
#	x-pack/plugins/alerting/server/application/rule/methods/bulk_edit/bulk_edit_rules.ts
#	x-pack/plugins/alerting/server/rules_client/tests/bulk_edit.test.ts
#	x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/bulk_edit.ts