
[Security Solution] Support rule type changes in the rule upgrade workflow #161247


@banderror (Contributor) commented Jul 5, 2023

Fixes: #161094

Summary

  • Adds support for rule type changes in the /internal/detection_engine/prebuilt_rules/upgrade/_review endpoint.
  • Previously, if any rule had a different type in its current_version compared to its target_version, the request would fail with 500.
  • This PR:
    • updates this behaviour to accept rule type changes
    • creates a new calculateAllFieldsDiff method that is responsible for calculating diffs among all fields of all rule types. Used exclusively when there has been a rule type change between the current version and the target version (which can normally happen through upgrades of the security_detection_engine package) OR when the base version has a different type than the current version (which should not happen under normal conditions and user behaviour).
    • updates the diffable fields types for each specific rule type (e.g. DiffableCustomQueryFields, DiffableEqlFields, DiffableThreatMatchFields, etc.), replacing the data_query field name with either eql_query (for EQL type rules) or kql_query (for all others).

How to test

  1. With a clean Kibana state, use the xpack.securitySolution.prebuiltRulesPackageVersion config to force Kibana to install a package that contains the rules with their original type:
     ```
     xpack.securitySolution.prebuiltRulesPackageVersion: '8.3.1'
     ```
  2. Install the four "offending" rules, listed below.
  3. Remove the config, restart Kibana and navigate to the Rules Page so that the latest package is installed.
  4. Navigate to the Rule Updates table. The four installed rules should have updates available. Update them.
  5. All the listed rule types should be updated, as well as their corresponding fields.

For maintainers
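The following is an added example, not code from the Kibana repository, that shows the idea behind this PR in working TypeScript: a three-way diff (base version, user's current version, target version) over prebuilt rule fields that keeps working when the rule type differs between versions, instead of failing the review request. The `calculateAllFieldsDiff` name and the `kql_query`/`eql_query` field names follow the PR summary; the remaining field names, the five outcome labels, and the sample rules are assumptions constructed for this illustration.

```typescript
// Added example, not Kibana's own code. Three-way diff of prebuilt rule fields
// that tolerates a rule type change. Field names other than kql_query/eql_query,
// the Outcome labels and the sample rules below are assumptions.

type RuleType = 'query' | 'eql' | 'threat_match' | 'new_terms';

interface DiffableRule {
  type: RuleType;
  name: string;
  version: number;
  kql_query?: { query: string; language: 'kuery' | 'lucene' }; // every non-EQL type
  eql_query?: { query: string; language: 'eql' };               // EQL rules only
  threat_index?: string[];                                      // threat_match only (assumed)
  new_terms_fields?: string[];                                  // new_terms only (assumed)
}

type DiffableField = keyof DiffableRule;

// Fields diffed when base, current and target all share one rule type.
const COMMON_FIELDS: DiffableField[] = ['type', 'name', 'version'];
const TYPE_SPECIFIC_FIELDS: Record<RuleType, DiffableField[]> = {
  query: ['kql_query'],
  eql: ['eql_query'],
  threat_match: ['kql_query', 'threat_index'],
  new_terms: ['kql_query', 'new_terms_fields'],
};

type Outcome =
  | 'no_change'       // base == current == target
  | 'target_updated'  // user never touched the field; the new package changed it
  | 'current_updated' // user customised the field; the new package left it alone
  | 'same_as_target'  // user customised the field to exactly the target value
  | 'conflict';       // all three differ: needs a human decision

interface FieldDiff { base: unknown; current: unknown; target: unknown; outcome: Outcome }

// Structural equality; undefined vs undefined covers a field absent from both versions.
const same = (a: unknown, b: unknown): boolean => JSON.stringify(a) === JSON.stringify(b);

function diffField(base: unknown, current: unknown, target: unknown): FieldDiff {
  let outcome: Outcome;
  if (same(base, current) && same(current, target)) outcome = 'no_change';
  else if (same(base, current)) outcome = 'target_updated';
  else if (same(current, target)) outcome = 'same_as_target';
  else if (same(base, target)) outcome = 'current_updated';
  else outcome = 'conflict';
  return { base, current, target, outcome };
}

function diffFields(fields: DiffableField[], base: DiffableRule, current: DiffableRule, target: DiffableRule): Record<string, FieldDiff> {
  const result: Record<string, FieldDiff> = {};
  for (const f of fields) result[f] = diffField(base[f], current[f], target[f]);
  return result;
}

// Union of the fields of every rule type. Used only when the type differs between
// any two of the three versions, so a field that exists only in the old type
// (kql_query) and one that exists only in the new type (eql_query) both show up.
function calculateAllFieldsDiff(base: DiffableRule, current: DiffableRule, target: DiffableRule): Record<string, FieldDiff> {
  const all: DiffableField[] = COMMON_FIELDS.slice();
  for (const type of Object.keys(TYPE_SPECIFIC_FIELDS) as RuleType[]) {
    for (const f of TYPE_SPECIFIC_FIELDS[type]) if (all.indexOf(f) === -1) all.push(f);
  }
  return diffFields(all, base, current, target);
}

// Entry point: never throws on a type mismatch; falls back to the all-fields diff.
export function calculateRuleFieldsDiff(base: DiffableRule, current: DiffableRule, target: DiffableRule): Record<string, FieldDiff> {
  const typeChanged = base.type !== current.type || current.type !== target.type;
  if (typeChanged) return calculateAllFieldsDiff(base, current, target);
  return diffFields([...COMMON_FIELDS, ...TYPE_SPECIFIC_FIELDS[current.type]], base, current, target);
}

// Names of the fields a reviewer has to look at, sorted for stable output.
export function changedFields(diff: Record<string, FieldDiff>): string[] {
  return Object.keys(diff)
    .filter((f) => { const fd = diff[f]; return fd !== undefined && fd.outcome !== 'no_change'; })
    .sort();
}

// Constructed sample: a rule shipped as a KQL 'query' rule in an older package
// and re-shipped as an 'eql' rule in the newer one (modelled on the PR's scenario).
export const BASE_RULE: DiffableRule = {
  type: 'query', name: 'Enumeration of Kernel Modules', version: 103,
  kql_query: { query: 'process.name:(kmod or lsmod)', language: 'kuery' },
};
export const CURRENT_RULE: DiffableRule = BASE_RULE; // user never customised it
export const TARGET_RULE: DiffableRule = {
  type: 'eql', name: 'Enumeration of Kernel Modules', version: 104,
  eql_query: { query: 'process where process.name in ("kmod", "lsmod")', language: 'eql' },
};
// A customised copy: the user edited the query before the type change arrived.
export const CUSTOMISED_RULE: DiffableRule = {
  ...BASE_RULE,
  kql_query: { query: 'process.name:(kmod or lsmod or modprobe)', language: 'kuery' },
};
```

Calling `calculateRuleFieldsDiff(BASE_RULE, CURRENT_RULE, TARGET_RULE)` reports `type`, `version`, `kql_query` (removed) and `eql_query` (added) as `target_updated`, which is the data the review endpoint needs to present a type change; diffing `CUSTOMISED_RULE` against the same target instead flags `kql_query` as a `conflict`, since the user's edit cannot be carried into a field the new rule type no longer has.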

@banderror added labels bug, release_note:skip, impact:critical, Team:Detections and Resp, Team: SecuritySolution, Team:Detection Rule Management, Feature:Prebuilt Detection Rules, v8.9.0, v8.10.0 on Jul 5, 2023
@jpdjere (Contributor) commented Jul 5, 2023

Tested for all rules that changed rule types with 8.9.1, and all were successfully updated:

| Rule ID | Name | Version | Query Language | Type Change | |
| --- | --- | --- | --- | --- | --- |
| 2d8043ed-5bda-4caf-801c-c1feb7410504 | Enumeration of Kernel Modules | 104 | eql | eql | PR Diff |
| a00681e3-9ed6-447c-ab2c-be648821c622 | First Time Seen AWS Secret Value Accessed in Secrets Manager | 206 | kuery | new_terms | PR Diff |
| cd66a5af-e34b-4bb0-8931-57d0a043f2ef | Kernel Module Removal | 104 | eql | eql | PR Diff |
| d76b02ef-fc95-4001-9297-01cb7412232f | Interactive Terminal Spawned via Python | 105 | eql | eql | PR Diff |

@jpdjere jpdjere marked this pull request as ready for review July 5, 2023 16:56
@jpdjere jpdjere requested a review from a team as a code owner July 5, 2023 16:56
@jpdjere jpdjere self-requested a review July 5, 2023 16:56
@elasticmachine (Contributor) commented

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

@kibana-ci (Collaborator) commented

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Unknown metric groups

ESLint disabled line counts

| id | before | after | diff |
| --- | --- | --- | --- |
| enterpriseSearch | 14 | 16 | +2 |
| securitySolution | 410 | 414 | +4 |
| total | | | +6 |

Total ESLint disabled count

| id | before | after | diff |
| --- | --- | --- | --- |
| enterpriseSearch | 15 | 17 | +2 |
| securitySolution | 489 | 493 | +4 |
| total | | | +6 |

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jpdjere @banderror

@banderror (Contributor, Author) commented Jul 5, 2023

@jpdjere I tested the changes locally. The bug seems to be partially fixed. I found another one, which is probably unrelated to this one, but would still be critical for releasing 8.9.0. I'm going to open a new GH issue for it, and merge this PR.

UPD: #161305

@banderror banderror merged commit 9e52f70 into elastic:main Jul 5, 2023
@banderror banderror deleted the support-rule-type-changes-in-rule-upgrade-workflow branch July 5, 2023 20:43
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jul 5, 2023
…kflow (elastic#161247)

Co-authored-by: jpdjere <[email protected]>
(cherry picked from commit 9e52f70)
@kibanamachine (Contributor) commented

💚 All backports created successfully

| Status | Branch | Result |
| --- | --- | --- |
| | 8.9 | |

Note: Successful backport PRs will be merged automatically after passing CI.

Questions? Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Jul 5, 2023
…de workflow (#161247) (#161304)

# Backport

This will backport the following commits from `main` to `8.9`:
- [[Security Solution] Support rule type changes in the rule upgrade
workflow (#161247)](#161247)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Georgii Gorbachev <[email protected]>
Successfully merging this pull request may close these issues.

[Security Solution] Rule Updates table has broken and users can't upgrade prebuilt rules