Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Detection Engine] make building alert ancestors type safe for ES|QL rule #205419

Open
vitaliidm opened this issue Jan 2, 2025 · 5 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature: ES|QL Rule impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. sdh-linked Team:Detection Engine Security Solution Detection Engine Area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@vitaliidm
Copy link
Contributor

vitaliidm commented Jan 2, 2025

Describe the bug:
Reproduced in 8.16+

https://github.com/elastic/kibana/blob/8.16/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts#L154

There is a casting for ALERT_ANCESTORS property("kibana.alert.ancestors") into array in buildAncestors function. This is not a safe operation.
If this value appears to be not array, rule execution would fail.

  const existingAncestors: AncestorLatest[] =
    (getField(doc, ALERT_ANCESTORS) as AncestorLatest[] | undefined) ?? [];
  return [...existingAncestors, newAncestor];

We need to avoid casting here and check whether existing ancestors is an array before creating new array.
Otherwise it might lead to rule failure: existingAncestors is not iterable

@vitaliidm vitaliidm added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed labels Jan 2, 2025
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@vitaliidm vitaliidm added sdh-linked Team:Detection Engine Security Solution Detection Engine Area labels Jan 2, 2025
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@vitaliidm vitaliidm added v8.16.1 and removed v8.16.1 labels Jan 2, 2025
@vitaliidm vitaliidm changed the title [Security Solution][Detection Engine] make building alert ancestors type safe [Security Solution][Detection Engine] make building alert ancestors type safe for ES|QL rule Jan 3, 2025
@vitaliidm
Copy link
Contributor Author

turned out, issue is a way how ES|QL rule build alert.

It converts results of ESQL query into object, fetches fields of source documents and merges them.
Alerts ancestors property in this case is returned as flattened object instead of array of objects. So it can't be processed correctly.
Solution is to enable fetching document source in https://github.com/elastic/kibana/blob/8.16/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/fetch_source_documents.ts#L57
Merges esql results into to it and follow the same procedure as for the rest of rule when building alert

@yctercero
Copy link
Contributor

@vitaliidm do we know if we'd hit this same issue with logsDB? Will enabling this resolve it for this instance as well?

cc @marshallmain

@yctercero yctercero added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Feature: ES|QL Rule and removed triage_needed labels Jan 3, 2025
@vitaliidm
Copy link
Contributor Author

alerts index does not use synthetic source, so it should not be an issue for ancestors in this case

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Feature: ES|QL Rule impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. sdh-linked Team:Detection Engine Security Solution Detection Engine Area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Development

No branches or pull requests

3 participants