-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solutions][Detection Engine] Fixes pre-packaged rules which contain exception lists to not overwrite user defined lists #80592
[Security Solutions][Detection Engine] Fixes pre-packaged rules which contain exception lists to not overwrite user defined lists #80592
Conversation
Pinging @elastic/siem (Team:SIEM) |
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGreatTM! Thanks so much for all the added tests. I pulled down and tested loading prebuilt rules, adding an exception to one, incrementing it's version, updating it, and confirming that my exception was still there. 💯
Comments are super super nit.
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
@@ -7,15 +7,67 @@ | |||
import { AddPrepackagedRulesSchemaDecoded } from '../../../../common/detection_engine/schemas/request/add_prepackaged_rules_schema'; | |||
import { RuleAlertType } from './types'; | |||
|
|||
/** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is awesome, thanks for the added context.
expect(update.exceptions_list).toEqual(ruleFromFileSystem1.exceptions_list); | ||
}); | ||
|
||
test('should not remove an additional exception_list if an additional one was added by the end user on an immutable rule during an upgrade', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious, is there a scenario where the rules have mismatching endpoint lists? I don't know exactly what the scenario would be, but curious as to how we might deal with that since right now we can only have one global endpoint list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You cannot have a pre-packaged rule which overwrites an existing list or deletes a list only add a new list to the array. Talked to @spong and I think we need to have a way to associate/de-associate lists as well as delete them from a separate UI/UX such as a table very very soon.
if (installedRule != null && installedRule.params.exceptionsList != null) { | ||
const installedExceptionList = installedRule.params.exceptionsList; | ||
const fileSystemExceptions = ruleFromFileSystem.exceptions_list.filter((potentialDuplicate) => | ||
installedExceptionList.every((item) => item.list_id !== potentialDuplicate.list_id) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this answers my question from earlier. So in the case of endpoint exception lists, it would flag it as duplicate because we control the endpoint exception list id
and nothing should change for the user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I use list_id as what it should skip if it already exists on the list so we don't accidentally add duplicates. If we end up messing this part up and adding duplicates we are totally 🍞 (toast) as we don't have UI/UX to de-associate lists really as well as delete lists.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
… contain exception lists to not overwrite user defined lists (elastic#80592) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: elastic#80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
… contain exception lists to not overwrite user defined lists (#80592) (#80734) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
… contain exception lists to not overwrite user defined lists (#80592) (#80733) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* master: (115 commits) [ML] Transforms/DF Analytics: Fix data grid column sorting. (elastic#80618) added brace import to vis editor (elastic#80652) Fix error rate sorting in services list (elastic#80764) Emit info log when using custom registry URL (elastic#80768) [Reporting] Config Schema Validation for rules[N].protocol strings (elastic#80766) Add Storybook a11y addon (elastic#80069) Fix anomaly alert selection text (elastic#80746) [Security Solution] [Maps] Kibana index pattern, comma bug fix (elastic#80208) [kbn/optimizer] tweak split chunks options (elastic#80444) update template to use the new team label (elastic#80748) [Security Solution] Fix the Field dropdown in Timeline data providers resets when scrolled (elastic#80718) Adjusts observability alerting perms to require "all" (elastic#79896) [Security Solutions][Detection Engine] Fixes pre-packaged rules which contain exception lists to not overwrite user defined lists (elastic#80592) [data.ui] Fix flaky test & lazy loading rendering artifacts. (elastic#80612) Licensed feature usage for connectors (elastic#77679) [Security Solution] Cypress template creation (elastic#80180) [APM] Hide service if only data is from ML (elastic#80145) Fix role mappings test for ESS (elastic#80604) [Maps] Add support for envelope (elastic#80614) [Security Solution] Update button text according to status (elastic#80389) ...
Summary
Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417
get_rules_to_update.ts
countDownES
, andcountDownTest
which simplify the retry logic within the integration testsChecklist
Delete any items that are not applicable to this PR.