[Security Solution] Prebuilt rules' Related Integrations: Azure and GCP are shown as not installed #142081
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Feature:Related Integrations
Security Solution Detection Rules Related Integrations feature
fixed
impact:medium
Addressing this issue will have a medium level of impact on the quality/strength of our product.
QA:Validated
Issue has been validated by QA
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.7.0
Comments
banderror
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@banderror - TRaDE may be able to help with this based on some changes we did for this release regarding the following PR below:
In short, we are only suggesting the least "major" compatible now instead of least compatible in general based on Kibana version. When we build the Before with these, it could have been a case where we did the least compatible, instead of least major compatible and that manifest reference did not have I need to spend some more time looking at this on our side to determine if there is a way to be more accurate with this. |
|
@terrancedejesus Thank you, it would be great if we could specify a I'm still wondering, is there a legitimate situation when a concrete |
banderror
added
the
Feature:Related Integrations
1 task
spong
added a commit
that referenced
this issue
Mar 1, 2023
…ed or enabled when they actually are (#152055) ## Summary Resolves: #142081 #149970 #150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Mar 1, 2023
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]> (cherry picked from commit b833b10)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Mar 1, 2023
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]> (cherry picked from commit b833b10)
kibanamachine
referenced
this issue
Mar 1, 2023
…nstalled or enabled when they actually are (#152055) (#152411) # Backport This will backport the following commits from `main` to `8.6`: - [[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)](#152055) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-03-01T01:47:28Z","message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Fleet","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rules","v8.7.0","v8.8.0","v8.6.3","Feature:Related Integrations"],"number":152055,"url":"https://github.com/elastic/kibana/pull/152055","mergeCommit":{"message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8"}},"sourceBranch":"main","suggestedTargetBranches":["8.7","8.6"],"targetPullRequestStates":[{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/152055","number":152055,"mergeCommit":{"message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
kibanamachine
referenced
this issue
Mar 1, 2023
…nstalled or enabled when they actually are (#152055) (#152412) # Backport This will backport the following commits from `main` to `8.7`: - [[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)](#152055) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-03-01T01:47:28Z","message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Fleet","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rules","v8.7.0","v8.8.0","v8.6.3","Feature:Related Integrations"],"number":152055,"url":"https://github.com/elastic/kibana/pull/152055","mergeCommit":{"message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8"}},"sourceBranch":"main","suggestedTargetBranches":["8.7","8.6"],"targetPullRequestStates":[{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/152055","number":152055,"mergeCommit":{"message":"[Security Solution] Fixes Related Integrations showing as not installed or enabled when they actually are (#152055)\n\n## Summary\r\n\r\nResolves: https://github.com/elastic/kibana/issues/142081\r\nhttps://github.com/elastic/kibana/issues/149970\r\nhttps://github.com/elastic/kibana/issues/150968\r\n\r\nBy adding an initial query for installed integrations and augments the\r\nexisting `InstalledIntegrationArray` constructed using\r\n`PackagePolicy`'s. Also removes `version` from the `packageKey` when\r\ncalculating installed integrations as there can be mis-matches between\r\ndifferent policy versions and the integration itself, and I believe the\r\nintended behavior here is to not have multiple `relatedIntegrations`\r\nreturned for different versions. We may want to expand the response here\r\nto include all the different policy versions that exist (and perhaps #\r\nof agents assigned the policy).\r\n\r\nLastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base\r\n`package` details in addition to the policy_template details, as this is\r\nwhat ensure base packages show as `Installed: enabled` if they have an\r\nintegration policy assigned (vs just showing as `Installed` like when\r\nthere isn't an integration policy).\r\n\r\nNote: This PR also adds the `getPackages()` method to the\r\n`PackageClient` as it didn't currently exist, and was only available via\r\nthe fleet API via the `/api/fleet/epm/packages` route.\r\n\r\n\r\n### Before:\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n### After\r\n<p align=\"center\">\r\n<img width=\"500\"\r\nsrc=\"https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: Georgii Gorbachev <[email protected]>","sha":"b833b108215c858177535fd3feee406cc628bca8"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
|
@terrancedejesus So we ended up adding support for parent packages (like Now the logic is as follows. If a given top-level package is specified as a related integration, for example: // instead of this:
related_integrations: [{
package: 'azure',
version: '^1.1.0',
integration: 'activitylogs'
}]
// we have this in a rule:
related_integrations: [{
package: 'azure',
version: '^1.1.0'
}]Then we should be able to correctly identify the status of this related integration:
That said, I'm not sure if from the UX perspective, it makes any sense to specify top-level packages (like Azure) instead of their concrete integrations because I guess it's the concrete integrations that determine what source events will be indexed into ES. cc @approksiu |
|
@MadameSheema Could you please make sure this bug + #150968 + #149970 are verified against the next BC? These three should be fixed by #152055. |
|
@karanbirsingh-qasource @sukhwindersingh-qasource can you please help to validate this ticket on the current BC? Thanks! |
|
We have validated this issue on 8.7.0 BC4 build and observed that issue is not occurring, It is Fixed. ✔️ Please find the below Testing Details: Build info Screen-Shot
Hence, We are marking it as QA Validated!! Thanks!! |
bmorelli25
pushed a commit
to bmorelli25/kibana
that referenced
this issue
Mar 10, 2023
![https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n###](https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png\"\r\n/>\r\n</p>\r\n\r\n\r\n\r\n###){kind=link}
![https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by](https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png\"\r\n/>\r\n</p>\r\n\r\n\r\n---------\r\n\r\nCo-authored-by){kind=link}
…ed or enabled when they actually are (elastic#152055) ## Summary Resolves: elastic#142081 elastic#149970 elastic#150968 By adding an initial query for installed integrations and augments the existing `InstalledIntegrationArray` constructed using `PackagePolicy`'s. Also removes `version` from the `packageKey` when calculating installed integrations as there can be mis-matches between different policy versions and the integration itself, and I believe the intended behavior here is to not have multiple `relatedIntegrations` returned for different versions. We may want to expand the response here to include all the different policy versions that exist (and perhaps # of agents assigned the policy). Lastly, updates `getIntegrationsInfoFromPolicy()` to also pull the base `package` details in addition to the policy_template details, as this is what ensure base packages show as `Installed: enabled` if they have an integration policy assigned (vs just showing as `Installed` like when there isn't an integration policy). Note: This PR also adds the `getPackages()` method to the `PackageClient` as it didn't currently exist, and was only available via the fleet API via the `/api/fleet/epm/packages` route. ### Before: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221066781-be7aa1c6-1728-4200-98b2-d40946e48bbe.png" /> </p> ### After <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/221323469-e24081f9-0741-41fd-8227-9e319c98b0d3.png" /> </p> --------- Co-authored-by: Georgii Gorbachev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Epic: https://github.com/elastic/security-team/issues/2108 (internal)
Summary
If a prebuilt rule in one of its related integrations references the whole composite package (e.g.
azure) without specifying a concrete integration (e.g.activitylogs)and this integration (
activitylogs) is installed in Fleet, on the Rules page this related integration will be shown as not installed:We need to determine the path forward: either support it in Kibana or fix the prebuilt rules.
Details
Background
Fleet integrations like AWS and Azure are known to be distributed via composite packages that contain multiple integrations inside. For example:
azurepackage containsactivitylogs,platformlogs,adlogsand other integrationsawspackage contains integrations likecloudfront,cloudtrail,cloudwatch,dynamodb, etcgcpcontainscompute,gke, etcNOTE: Some of the cloud integrations are shipped via their own packages, for example
Custom Google Pub/Sub Logsintegration is shipped via a separategcp_pubsubpackage, not thegcpone.When the user installs integrations like
Azure activity logsthrough the UI, Fleet actually installs its parent package (azure) with all the integrations that it contains:activitylogs,platformlogs,adlogs, etc. But we're able to distinguish enabled integrations from the disabled ones:This doesn't work
What doesn't work in the app is: if a rule references the whole composite package (e.g.
azure) without specifying a concrete integration (e.g.activitylogs), we show such related integration as not installed. Example:This works
There's an exception from this: if a rule references the whole package that only contains a single integration of the same name (e.g.
system), then it works and we show it as installed:Schema of a related integration
When we built the related integrations feature, we added support for single-integration packages like
windowsandsystem, but not composite integrations likeawsandazure:The text was updated successfully, but these errors were encountered: