
[Security Solution][Detections] Updating a FileSystem rule fails to update rule version #138876

Closed
jpdjere opened this issue Aug 16, 2022 · 2 comments · Fixed by #139287
Labels
8.5 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.5.0

Comments

@jpdjere
Contributor

jpdjere commented Aug 16, 2022

Related to: #139095

Summary

When a pre-built File System (In-memory) rule is updated (in x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules), the UI correctly displays the callout for the user to update the rule.

However, when the button is clicked, the API call fails to update the version of the rules (other fields are correctly updated), and therefore our business logic understands that the rule still needs updating, and the callout is still displayed.

API request:

PUT /api/detection_engine/rules/prepackaged

Steps to reproduce:

  1. Install pre-packaged rules.
  2. In x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules, modify a rule: update name, risk_score and any other fields, and bump up the version.
  3. Navigate to the Rules page. The update callout should be visible on top.
  4. Click on the Update 1 Elastic prebuilt rule button.
  5. The rule should have all fields (except for version) updated. The callout should still be visible.

Expected behavior:

Once the update callout is displayed, and the user clicks on the Update 1 Elastic prebuilt rule button, the Rule should update all fields, including the bumped-up version.

The callout should then not be displayed anymore, as the rule needs no further update.

The saved object should have all fields (including version) correctly updated. Check with:

GET .kibana/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "type": "alert"
          }
        },
        {
          "term": {
            "alert.consumer": "siem"
          }
        },
        {
          "term": {
            "alert.params.ruleId": "{your-rule-id}"
          }
        }
      ]
    }
  }
}

Screenshots (if relevant):

Original unmodified rule and update callout (screenshot omitted).

Rule after updating, with updated name and risk score (but the same version number). Notice the callout is still visible (screenshot omitted).
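The failure mode described in this report can be modelled in a few lines. The following is an added illustration, not Kibana's own code: it assumes a simplified rule shape (the `ruleId`, `name`, `risk_score` and `version` fields named in the report; the real saved-object layout is not reproduced), a "needs update" decision driven purely by comparing the installed rule's version with the prebuilt definition's version, and two hypothetical updaters, one that copies every field except `version` (the behaviour the report observes) and one that also writes `version`. The sample rules are constructed for the example.

```typescript
// Added illustration (not Kibana's code): why an updater that drops `version`
// leaves the "update prebuilt rules" callout permanently visible.

// Assumed simplified shape of a prebuilt rule definition.
interface PrebuiltRuleDef {
  rule_id: string;
  name: string;
  risk_score: number;
  version: number;
}

// Assumed simplified shape of the installed (saved-object) copy of a rule.
interface InstalledRule {
  ruleId: string;
  name: string;
  risk_score: number;
  version: number;
}

// A rule needs updating when a prebuilt definition with the same rule_id
// carries a higher version than the installed copy.
export function rulesToUpdate(installed: InstalledRule[], prebuilt: PrebuiltRuleDef[]): string[] {
  const byId = new Map<string, InstalledRule>(installed.map((r): [string, InstalledRule] => [r.ruleId, r]));
  return prebuilt
    .filter((def) => {
      const cur = byId.get(def.rule_id);
      return cur !== undefined && def.version > cur.version;
    })
    .map((def) => def.rule_id);
}

// Hypothetical updater reproducing the reported bug: copies the editable
// fields but never writes `version`, so the installed copy stays at the old one.
export function updateRuleDroppingVersion(cur: InstalledRule, def: PrebuiltRuleDef): InstalledRule {
  return { ...cur, name: def.name, risk_score: def.risk_score };
}

// Corrected updater: the bumped version is part of what an upgrade must persist.
export function updateRule(cur: InstalledRule, def: PrebuiltRuleDef): InstalledRule {
  return { ...cur, name: def.name, risk_score: def.risk_score, version: def.version };
}

// Apply the given updater to every installed rule that is flagged for update.
export function applyUpdates(
  installed: InstalledRule[],
  prebuilt: PrebuiltRuleDef[],
  updater: (cur: InstalledRule, def: PrebuiltRuleDef) => InstalledRule,
): InstalledRule[] {
  const defs = new Map<string, PrebuiltRuleDef>(prebuilt.map((d): [string, PrebuiltRuleDef] => [d.rule_id, d]));
  const pending = new Set(rulesToUpdate(installed, prebuilt));
  return installed.map((cur) => (pending.has(cur.ruleId) ? updater(cur, defs.get(cur.ruleId)!) : cur));
}

// Constructed sample data: one installed rule at version 1, and a prebuilt
// definition for it with a new name, new risk score and version bumped to 2.
export const installedSample: InstalledRule[] = [
  { ruleId: 'example-rule-1', name: 'Example rule', risk_score: 21, version: 1 },
];
export const prebuiltSample: PrebuiltRuleDef[] = [
  { rule_id: 'example-rule-1', name: 'Example rule (renamed)', risk_score: 47, version: 2 },
];

// Run both updaters and re-evaluate the "needs update" decision after each.
export function demo(): { before: string[]; afterBuggy: string[]; afterFixed: string[] } {
  const before = rulesToUpdate(installedSample, prebuiltSample);
  const stuck = applyUpdates(installedSample, prebuiltSample, updateRuleDroppingVersion);
  const fixed = applyUpdates(installedSample, prebuiltSample, updateRule);
  return {
    before,                                             // ['example-rule-1']
    afterBuggy: rulesToUpdate(stuck, prebuiltSample),   // still ['example-rule-1']: callout stays
    afterFixed: rulesToUpdate(fixed, prebuiltSample),   // []: callout clears
  };
}
```

The point of the model is that every other field being correctly written does not matter to the callout: the decision only looks at `version`, so an update path that forgets that one field produces exactly the symptom in the report, a rule that is "updated" yet flagged again on the next page load. The `.kibana` query in the issue body is the right check for this, since it reads the persisted `version` rather than what the UI displays.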

@jpdjere jpdjere added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Aug 16, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror added Team:Detections and Resp Security Detection Response Team Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area 8.5 candidate and removed triage_needed labels Aug 16, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)
