Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Known issue][Security Solution][Detection Engine] Exception item comment validation on newline chars #233

Closed
wants to merge 12 commits into from
61 changes: 61 additions & 0 deletions serverless/serverless-changelog.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,67 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e
[[serverless-changelog-12032024]]
== December 3, 2024

[discrete]
[[known-issues-12032024]]
=== Known issues

// tag::known-issue[201820]
[discrete]
.In {sec-serverless}, the **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`)
[%collapsible]
====
*Details* +
On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`) ({kibana-issue}[#201820]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved

*Workaround* +

For custom rules:

. From the **Rules** page, <<import-export-rules-ui,export>> the rule or rules with the affected exception lists.
. Modify the `.ndjson` file so `comments` no longer contain newline characters.
. Return to the **Rules** page and <<import-export-rules-ui,re-import>> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option.

For prebuilt rules:
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved

NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <<security-shared-exception-lists,**Shared Exception Lists**>> page.

. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:
.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`.
.. Specify the `id` when fetching the rule's details using the {api-kibana-serverless}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`:
+
[source,console]
----
curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e
----
+
.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.
+
[source,console]
----
{
"id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
"exceptions_list": [
{
"id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
"list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
"namespace_type": "single"
}
]
}
----
+
. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call:
+
[source,console]
----
curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
----
+
. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`).
. Re-import the modified exception list using **Import exception lists** option on the <<security-shared-exception-lists,**Shared Exception Lists**>> page. The import will initially fail because the exception list already exists and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
====
// end::known-issue[201820]

[discrete]
[[features-enhancements-12032024]]
=== Features and enhancements
Expand Down