
[Security Solution] Rule execution marked as failed when the rule is modified while it is being executed #82320

Closed
MadameSheema opened this issue Nov 2, 2020 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine fixed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0

Comments

@MadameSheema
Member

Describe the bug:
Rule execution fails when the rule is modified while it is being executed. This is more likely to happen with rules that take time to be processed.

Kibana/Elasticsearch Stack version:

  • 7.10.0 - BC4

Initial status:

  • To have an indicator match rule created with a big look-back time (i.e. 30000 hours) and a small execution time (i.e. 10 seconds)

Steps to reproduce:

  1. Edit the existing rule, adding a new Indicator Index Pattern
  2. Save the changes
  3. Wait for the rule to be executed

Current behavior:

[Screenshot, 2020-11-02: the rule's execution status shows an error message after the edit]

Expected behavior:

  • No error message is displayed

Additional information:

  • The rule seems to recover well and to execute properly but the error message is still visible for the user
  • Although the execution of the rule is successful, when you deactivate the rule, it is marked as failed.
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Nov 2, 2020
@peluja1012 peluja1012 added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Nov 2, 2020
@peluja1012
Contributor

We think this might be resolved by this Alerting PR #80149

@spong spong added the v7.11.0 label Nov 6, 2020
@spong
Member

spong commented Nov 6, 2020

Since #80149 isn't targeted for 7.10.1 and a fix won't be available to users until 7.11, we'll want to either add a note to our documentation outlining this behavior (and the workaround of disabling the rule / checking the rule isn't running before editing) and/or reference it in the known issues for this release (although technically this is pre-existing, so inline in the docs might be best).

cc @jmikell821 @Donnater
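The workaround spong mentions (make sure a rule is not mid-execution before editing it) can be turned into a small pre-edit gate. The code below is an added example and is not Kibana code or code from anyone in this thread. It assumes a per-rule status document shaped like the 7.x detection-engine status object, with a `current_status.status` field carrying one of the status strings listed in the code; both that shape and the sample documents are constructed for the example, and `fetch_status` stands in for whatever real API call you would use to read the status.

```python
import time
from typing import Any, Callable, Dict, List

# Status strings a 7.x rule status document can carry (assumed values, not
# taken from the issue thread).
RUNNING = "going to run"
KNOWN_STATUSES = {RUNNING, "succeeded", "failed", "partial failure"}

# Constructed status documents, shaped like the per-rule status objects the
# detection engine exposes in 7.x (the shape is an assumption of this example).
SAMPLE_RUNNING = {"current_status": {"status": "going to run",
                                     "status_date": "2020-11-02T15:43:00Z"}}
SAMPLE_SUCCEEDED = {"current_status": {"status": "succeeded",
                                       "status_date": "2020-11-02T15:43:10Z"}}
SAMPLE_FAILED = {"current_status": {"status": "failed",
                                    "status_date": "2020-11-02T15:43:10Z",
                                    "last_failure_message": "constructed sample"}}


def current_status(status_doc: Dict[str, Any]) -> str:
    """Return the last-known execution status, rejecting malformed documents."""
    try:
        status = status_doc["current_status"]["status"]
    except (KeyError, TypeError) as exc:
        raise ValueError("status document has no current_status.status") from exc
    if status not in KNOWN_STATUSES:
        raise ValueError(f"unexpected rule status: {status!r}")
    return status


def is_idle(status_doc: Dict[str, Any]) -> bool:
    """True when no execution is in flight according to the status document."""
    return current_status(status_doc) != RUNNING


def wait_until_idle(fetch_status: Callable[[], Dict[str, Any]],
                    attempts: int = 10, interval: float = 5.0,
                    sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll fetch_status() until the rule is idle; False once attempts run out.

    fetch_status is injected so a caller can back it with a real HTTP call to
    Kibana, while the test below backs it with a canned sequence of documents.
    """
    for attempt in range(attempts):
        if is_idle(fetch_status()):
            return True
        if attempt < attempts - 1:
            sleep(interval)
    return False


def plan_edit(enabled: bool, idle: bool) -> List[str]:
    """Ordered steps that apply an edit without racing a running execution."""
    if not enabled or idle:
        return ["edit"]
    # Enabled and possibly running: disable first so no execution starts,
    # wait out any in-flight run, then edit and re-enable.
    return ["disable", "wait_until_idle", "edit", "enable"]


def canned_sequence(docs: List[Dict[str, Any]]) -> Callable[[], Dict[str, Any]]:
    """Build a fetch function that replays docs in order, then repeats the last."""
    state = {"i": 0}

    def fetch() -> Dict[str, Any]:
        doc = docs[min(state["i"], len(docs) - 1)]
        state["i"] += 1
        return doc

    return fetch


if __name__ == "__main__":
    # Simulate a long-running rule that finishes on the third poll.
    fetch = canned_sequence([SAMPLE_RUNNING, SAMPLE_RUNNING, SAMPLE_SUCCEEDED])
    idle = wait_until_idle(fetch, attempts=5, interval=0, sleep=lambda _: None)
    print("idle:", idle, "plan:", plan_edit(enabled=True, idle=idle))
```

`wait_until_idle` stops sleeping after the final attempt and reports `False` rather than looping forever, so a rule with a very long look-back (the trigger in this report) cannot hang the tooling; the caller decides whether to disable the rule and retry.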
