
[Security Solution] Unable to upgrade Threat Match prebuilt rules #203365

Closed
Tracked by #201502
maximpn opened this issue Dec 9, 2024 · 4 comments · Fixed by #203366
Assignees: maximpn

Labels:
  • 8.18 candidate
  • bug: Fixes for quality problems that affect the customer experience
  • Feature:Prebuilt Detection Rules: Security Solution Prebuilt Detection Rules area
  • impact:high: Addressing this issue will have a high level of impact on the quality/strength of our product.
  • Team:Detection Rule Management: Security Detection Rule Management Team
  • Team:Detections and Resp: Security Detection Response Team
  • Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@maximpn
Contributor

maximpn commented Dec 9, 2024

Summary

It's not possible to upgrade Threat Match rules without customizations in any possible way.

Steps to reproduce:

  • Prepare the environment
  • Open the Rule Upgrade flyout for a Threat Match rule (for example, Threat Intel URL Indicator Match)
  • Press Install rule button

Expected behavior: Rule upgrades successfully.

Actual behavior: Rule fails to upgrade.


Set up the environment

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs by adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package:

```bash
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

  • Install prebuilt rules:

```bash
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```
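The setup and reproduction steps above, scripted against the same local Kibana instead of hand-typed curl, as an added example that is not code from the issue or from Kibana. The upgrade `_review`/`_perform` endpoints, their request fields (`mode`, `rule_id`, `revision`, `version`) and the review response shape are assumed from the 8.x internal prebuilt-rules API, and `SAMPLE_REVIEW` is a constructed sample.

```python
"""Drive the reproduction from the issue through Kibana's internal prebuilt-rules
API instead of hand-typed curl, and isolate the Threat Match rules in the upgrade."""
import base64
import json
import urllib.request

KIBANA = "http://localhost:5601/kbn"  # base path used by the issue's curl calls
AUTH = "Basic " + base64.b64encode(b"elastic:changeme").decode()

def kbn_post(path, body, api_version):
    """POST JSON to Kibana with the same headers as the issue's curl commands."""
    req = urllib.request.Request(
        KIBANA + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "123",
                 "elastic-api-version": api_version, "Authorization": AUTH})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def threat_match_upgrades(review):
    """Rules in an upgrade/_review response whose target is a threat_match rule
    (response shape rules[].rule_id/revision/target_rule is assumed)."""
    return [r for r in review.get("rules", [])
            if r["target_rule"].get("type") == "threat_match"]

def build_upgrade_request(rules):
    """upgrade/_perform body in SPECIFIC_RULES mode (field names assumed), so only
    the selected rules are touched and any failure is attributable to them."""
    return {"mode": "SPECIFIC_RULES",
            "rules": [{"rule_id": r["rule_id"], "revision": r["revision"],
                       "version": r["target_rule"]["version"]} for r in rules]}

def reproduce(outdated_pkg="8.14.1"):
    """The issue's setup steps, then an upgrade limited to Threat Match rules."""
    kbn_post(f"/api/fleet/epm/packages/security_detection_engine/{outdated_pkg}",
             {"force": True}, "2023-10-31")
    kbn_post("/internal/detection_engine/prebuilt_rules/installation/_perform",
             {"mode": "ALL_RULES"}, "1")
    review = kbn_post("/internal/detection_engine/prebuilt_rules/upgrade/_review", {}, "1")
    return kbn_post("/internal/detection_engine/prebuilt_rules/upgrade/_perform",
                    build_upgrade_request(threat_match_upgrades(review)), "1")

# Constructed sample of an upgrade/_review response (not real Kibana output).
SAMPLE_REVIEW = {"rules": [
    {"rule_id": "tm-1", "revision": 0, "target_rule": {"type": "threat_match", "version": 108}},
    {"rule_id": "q-1", "revision": 2, "target_rule": {"type": "query", "version": 5}}]}

if __name__ == "__main__":
    print(json.dumps(reproduce(), indent=2))
```

The `_perform` response carries a per-rule `errors` list, which is where a Threat Match conversion failure shows up while the bug is present.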
@maximpn maximpn added 8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team labels Dec 9, 2024
@maximpn maximpn self-assigned this Dec 9, 2024
@elasticmachine
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

maximpn added a commit that referenced this issue Dec 10, 2024
)

**Resolves:** #203365

## Summary

This PR fixes a bug preventing Threat Match rules from being upgraded.

## Details

It's expected that users can upgrade Elastic prebuilt rules without any customizations in any possible way (in flyout, rules upgrade table, bulk actions). This operation was blocked due to wrong Threat Match field conversions to Diffable rule. This PR fixes rule type specific field conversions and merged `threat_query` field with `threat_query`.

## Screen recording (with the fix)

https://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 10, 2024
…tic#203366)
(cherry picked from commit b9addc2)
@maximpn
Contributor Author

maximpn commented Dec 10, 2024

The bug was fixed in #203366 and backported to 8.x branch targeting 8.18 in #203519.

@maximpn maximpn closed this as completed Dec 10, 2024
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
…tic#203366)