Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Related Integrations title doesn't always match title shown in Fleet Integrations UI #152408

Open
spong opened this issue Mar 1, 2023 · 4 comments
Open

[Security Solution] Related Integrations title doesn't always match title shown in Fleet Integrations UI #152408

spong opened this issue Mar 1, 2023 · 4 comments
Assignees
@jkelas
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Related Integrations Security Solution Detection Rules Related Integrations feature impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@spong
Copy link
Member

spong commented Mar 1, 2023
edited
Loading

As discussed in #152055 (comment), now that we're querying for all the packages, we should be able to resolve the appropriate Package/Integration Title within the Related Integrations UI in Security.

Currently we're trying to reconstruct it from the policy_template, and this doesn't always match what is displayed in the Fleet Integration UI. For example, the o365-1.3.0 package displays as Office 365 Logs in Fleet:

However we resolve it as O365 in our UI's:

Note: This fix could be more involved if assuming a large number of uninstalled integrations. Probably not reasonable to return titles for all integrations(?), so may need to pass the rule's integrations to our API and only return those? Alternatively, perhaps we just need to add them to the prebuilt rules?
@spong spong added bug Fixes for quality problems that affect the customer experience triage_needed Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Related Integrations Security Solution Detection Rules Related Integrations feature labels Mar 1, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@spong spong mentioned this issue Mar 1, 2023
Merged
1 task
@spong spong mentioned this issue Mar 20, 2023
Open
@banderror banderror added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area and removed triage_needed labels Mar 23, 2023
@banderror
Copy link
Contributor

banderror commented Mar 23, 2023
edited
Loading

Here's a note about that from the epic:

If a related integration is not installed, we might show an incorrect title. We get integration titles from Fleet via our installed integrations endpoint. If an integration is not installed, we don't return its data => don't get the correct title.

Now that we fetch all existing Fleet integrations (bot installed and not installed) in this endpoint, we could:

  1. Either return all of them in the response
  2. Or, as @spong suggested in the description, pass package names in the request parameters to this endpoint, so that it will return info about all their integrations.

I'd vote for the 2nd option.

Also, for the Rule Management page, we could do it a bit differently. When fetching integration data on the Management page, we could omit passing any package names in the request parameters. Then, the endpoint would find the names of all related packages of all rules in the current Kibana space (we can do this now efficiently because we have support for aggregations in the RulesClient). Using these package names, fetch data for all those packages and their integrations.

I think this would also fix #134625

@banderror banderror added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Mar 23, 2023
@maximpn maximpn mentioned this issue Apr 9, 2024
Merged
maximpn added a commit that referenced this issue May 2, 2024
@maximpn
[Security Solution] Allow users to edit related_integrations field fo…
e27066d 
…r custom rules (#178295)

**Resolves: #173595

## Summary

This PR adds an ability to add and edit custom rule's related integrations. Functionality is necessary to start working on [Prebuilt Rule Customization Epic Milestone 3](#174168).

## Details

Rule's related integrations represent optional dependencies on [Elastic integrations](https://docs.elastic.co/en/integrations) to ingest data. Currently prebuilt rule's related integrations are shown on rule details page. This information contains integration's name, installation status and a version mismatch warning when related integration's version dependency doesn't match with an installed integration's version. A subset of [Semver](https://semver.org/) is used to specify version dependency. Elastic prebuilt rules use only caret syntax like `^1.2.3`.

To make it possible to add and edit related integrations for custom rules the following has been done

- New internal endpoint `/internal/detection_engine/fleet/integrations/all` has been added. It returns the full list of available integrations containing title, latest available version and installed version if available. This is necessary to display an options list where users can pick a desired integration. Since some Elastic Prebuilt rules depend not only on integrations from `security` category this endpoint returns all available integrations (not only related to Security Solution).
- Rule create form has been adjusted by adding `Related Integrations` form controls
- Rule edit form has been adjusted by adding `Related Integrations` form controls
- Related integrations installation status has been adjusted to conform with the design
- Functional Jest tests have been added
- Functional tests have been added to make sure it's possible to (bulk) `create`/`patch`/`update`/`export`/`import` with related integrations
- A limited number of Cypress tests have been added

### Integration installation status

Integration installation status has been adjusted. There are following statuses shown

- `Enabled` for installed and enabled integrations. Enabled integrations are detected by checking Elastic Agent policies for presence of such an integration. It's not guaranteed the policy is picked by agents and data is being ingested.
- `Disabled` for installed and disabled integrations. An agent policy containing such an integration isn't found.
- `Not installed` for  not installed integrations.
- Nothing is shown for unknown integrations. If there is no such integration found in `/internal/detection_engine/fleet/integrations/all` result it's considered as unknown.

### Version dependency

[Semver](https://semver.org/) allows a wide range of version range declaration. Such flexibility will complicate constructing of an integration link on rule details page. Since Elastic Prebuilt rules use only caret version dependency like `^1.2.3` related integration's version dependency is limited to a subset of semver semantic. The following is supported

- A plain version dependency e.g. `1.2.3`
- Tilde version dependency  e.g. `~1.2.3`
- Caret version dependency e.g. `^1.2.3`

### Misc

- #152408 has been fixed by this PR.
- `/internal/detection_engine/fleet/integrations/installed` endpoint hasn't been removed. We need to make sure it's not needed anymore.
- E2e testing of the current functionality is complicated by dependency on EPR and difficulties to mock it. EPR periodically may respond with an error resulting in flaky Cypress tests.

### Flaky test runner results

- 🟢  [Create rule](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless)
- 🟢  [Rule Management related integrations](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless)

### Screenshots

![Screenshot 2024-04-16 at 10 01 25](https://github.com/elastic/kibana/assets/3775283/f41574cb-c806-4e49-97bf-9b27bf4c0f39)

![Screenshot 2024-04-16 at 10 02 03](https://github.com/elastic/kibana/assets/3775283/cf15580e-169f-4823-a579-257509c806a4)

![Screenshot 2024-04-16 at 10 02 16](https://github.com/elastic/kibana/assets/3775283/03a21eea-1014-484f-b1d2-3db81c46b8ef)

![Screenshot 2024-04-16 at 10 04 19](https://github.com/elastic/kibana/assets/3775283/06385ef4-458f-4562-bb8f-d98db9bb1fe3)

![Screenshot 2024-04-16 at 10 02 33](https://github.com/elastic/kibana/assets/3775283/edec85bf-d020-4afb-a999-4eb21255c3b6)

![Screenshot 2024-04-16 at 10 04 40](https://github.com/elastic/kibana/assets/3775283/a21c55a8-9947-44b0-ba1f-6624cd410d3e)

![Screenshot 2024-04-16 at 10 05 03](https://github.com/elastic/kibana/assets/3775283/05928a15-961b-4f67-9968-d2a32ceb86dc)
@jkelas jkelas mentioned this issue Dec 30, 2024
Open
@jkelas
Copy link
Contributor

jkelas commented Dec 31, 2024
edited
Loading

@banderror
After analysis of the code I have a few findings:

  • The endpoint in question is not used any more. We no longer use /fleet/integrations/installed endpoint. As of today we use /fleet/integrations/all, which was introduced in PR 178295 in May 2024.
  • I cannot see the issue from the description of this ticket. Both the Fleet UI and our UI show the same name (title) which is Microsoft Office 365, the behavior seems correct. See the point below, however.
  • There is a different issue, which might require a separate ticket. Although we display properly Microsoft Office 365 in our UI and this is consistent with what is displayed in Fleet (Integrations page), when I click the integration name (trying to install it), it takes me to a page that says Microsoft 365, has different version (2.0.0 instead of 2.8.0) and says Version 2.0.0 is out of date. The latest version of this integration is available to be installed.
    Please see the video: https://github.com/user-attachments/assets/9dd3d151-148c-4a1c-8fbe-d391a8870dc8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkelas jkelas

Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Related Integrations Security Solution Detection Rules Related Integrations feature impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@spong @banderror @elasticmachine @jkelas