[Security Solution] Prebuilt rule's exceptions are lost when the rule is upgraded to a new version in which the rule's type is different #169480
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
List of rules that have had query changes. Query Type rules:
Checking the code it's not so hard to find
Looking below in the code it's clear that only enabled state and actions get restored upon rule upgrade. Missing to restore
I did some testing and discovered that we may need to restore other fields as well. This ticket contains a list of fields and might help to analyze what should be preserved. As a minimum
@banderror @approksiu do you have in mind the other fields (besides
@maximpn do we have any fields related to actions and their settings? Those should stay.
@approksiu enabled state, actions and alerts don't disappear after upgrade.
@maximpn I don't see other fields we should preserve.
Had a chat on that today with Maxim and also read the comment carefully. @maximpn I have nothing to add. For transparency, fields to preserve we talked about:
Fields we can drop:
Thank you for the comment @banderror 👍 I've checked the rules client and currently there is no such option to specify saved object references. The docs say the following about this field:
I played around and noticed only exception SO references are saved in the field `references`:

```json
"references": [
  {
    "name": "param:exceptionsList_0",
    "id": "0a3c4d42-97c7-4ed8-a52c-5459a8035d7a",
    "type": "exception-list"
  },
  {
    "name": "param:exceptionsList_1",
    "id": "d2620ba8-e09b-4f4c-a545-ea5b0afddf6a",
    "type": "exception-list"
  }
]
```

In this case it's not necessary to restore this field because we pass the exceptions list via the API and the field will be filled in by the SO client under the hood.
@maximpn Can you elaborate on that please, not sure I got when this happens and what API you mean.
@banderror Sure. I omitted some details for simplicity but let me explain.
By passing
I also double-checked via the create rule API. Exceptions are in place after all manipulations as expected. You can check out extractReferences() on the Security Solution side used in createSecurityRuleTypeWrapper() and createRule() on the Alerting framework side for more details.
…ew version in which the rule's type is different (#176421)

**Fixes:** #169480

## Summary

This PR fixes losing the following rule data upon prebuilt rule upgrade to a new version in which the rule's type is different:

- Saved Object id
- exceptions list (default and shared)
- Timeline id
- Timeline title

## Details

The problem occurs when a user upgrades a prebuilt rule to a newer version which has a different rule type.

Checking the code, it's not so hard to find the [`upgradeRule()`](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/rule_objects/upgrade_prebuilt_rules.ts#L49) function which performs the prebuilt rule upgrade. It has the following comment:

> If we're trying to change the type of a prepackaged rule, we need to delete the old one and replace it with the new rule, keeping the enabled setting, actions, throttle, id, and exception lists from the old rule.

Looking below in the code, it's clear that only the enabled state and actions get restored upon rule upgrade. Failing to restore `exceptions lists` leads to exceptions disappearing upon rule upgrade.

On top of this, `execution results` and `execution events` also get lost because the saved object `id` is not restored. The execution log isn't gone anywhere but can't be bound to the new id. Direct links to the rule details page won't work either after the upgrade.

This PR fixes the problem by restoring rule-bound data after the upgrade.

FTR tests were restructured to accommodate extra tests to cover this bug fix.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
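An added example for this thread (not Kibana's own code): a simplified model of the type-changing upgrade the PR describes, with the lossy version that copies only the enabled state and actions beside one that also carries over the saved object id, exception lists and timeline fields. It also shows the point made earlier in the thread about `references`: they are derived from the exceptions list when the rule is created, so restoring the list is what restores them. All interfaces, `createRule`, `extractExceptionReferences`, `lostFields` and every sample value except the two exception list ids quoted above are stand-ins written for this illustration.

```typescript
// Added example for this thread, not Kibana's own code: a simplified model of the
// type-changing prebuilt rule upgrade (delete the old rule, create a new one) and of
// what the new rule must carry over. All types and helper names are stand-ins.

interface ExceptionListRef { id: string; list_id: string; type: string; namespace_type: string }
interface SavedObjectReference { name: string; id: string; type: string }

interface RuleParams {
  ruleId: string; // stable rule_id shared by every version of the prebuilt rule
  type: "query" | "eql" | "threshold";
  version: number;
  exceptionsList: ExceptionListRef[];
  timelineId?: string;
  timelineTitle?: string;
}

interface StoredRule {
  id: string; // saved object id; execution log and rule detail links are bound to it
  enabled: boolean;
  actions: { id: string; group: string }[];
  params: RuleParams;
  references: SavedObjectReference[];
}

// Stand-in for the extractReferences step mentioned in the thread: exception list ids
// are lifted out of params into references named param:exceptionsList_N, so the
// references follow whatever exceptions list is passed to create.
function extractExceptionReferences(list: ExceptionListRef[]): SavedObjectReference[] {
  return list.map((entry, i) => ({ name: `param:exceptionsList_${i}`, id: entry.id, type: "exception-list" }));
}

let generatedIds = 0;

// Stand-in for the create-rule API: allocates a fresh saved object id unless one is
// passed, and fills in references from the exceptions list.
function createRule(input: Omit<StoredRule, "id" | "references"> & { id?: string }): StoredRule {
  const id = input.id ?? `generated-${++generatedIds}`;
  return { ...input, id, references: extractExceptionReferences(input.params.exceptionsList) };
}

// Before the fix: only the enabled state and actions are copied onto the new rule.
function upgradeRuleLossy(current: StoredRule, target: RuleParams): StoredRule {
  return createRule({ enabled: current.enabled, actions: current.actions, params: target });
}

// After the fix: saved object id, exception lists, timeline id and title are restored too.
function upgradeRulePreserving(current: StoredRule, target: RuleParams): StoredRule {
  return createRule({
    id: current.id,
    enabled: current.enabled,
    actions: current.actions,
    params: {
      ...target,
      exceptionsList: current.params.exceptionsList,
      timelineId: current.params.timelineId,
      timelineTitle: current.params.timelineTitle,
    },
  });
}

// The check a functional test makes: which rule-bound fields did the upgrade drop?
function lostFields(before: StoredRule, after: StoredRule): string[] {
  const same = (a: unknown, b: unknown) => JSON.stringify(a) === JSON.stringify(b);
  const lost: string[] = [];
  if (before.id !== after.id) lost.push("id");
  if (before.enabled !== after.enabled) lost.push("enabled");
  if (!same(before.actions, after.actions)) lost.push("actions");
  if (!same(before.params.exceptionsList, after.params.exceptionsList)) lost.push("exceptionsList");
  if (before.params.timelineId !== after.params.timelineId) lost.push("timelineId");
  if (before.params.timelineTitle !== after.params.timelineTitle) lost.push("timelineTitle");
  return lost;
}

// Constructed sample: a query rule with a default and a shared exception list. The two
// list ids are the ones quoted in the thread; every other value is made up.
const sampleRule: StoredRule = createRule({
  id: "constructed-saved-object-id",
  enabled: true,
  actions: [{ id: "constructed-connector-id", group: "default" }],
  params: {
    ruleId: "constructed-rule-id",
    type: "query",
    version: 4,
    exceptionsList: [
      { id: "0a3c4d42-97c7-4ed8-a52c-5459a8035d7a", list_id: "constructed-default", type: "rule_default", namespace_type: "single" },
      { id: "d2620ba8-e09b-4f4c-a545-ea5b0afddf6a", list_id: "constructed-shared", type: "detection", namespace_type: "agnostic" },
    ],
    timelineId: "constructed-timeline-id",
    timelineTitle: "Constructed timeline",
  },
});

// Constructed target: version 5 of the same rule_id, now shipped as an EQL rule.
const targetParams: RuleParams = { ruleId: "constructed-rule-id", type: "eql", version: 5, exceptionsList: [] };

console.log("lossy upgrade drops:", lostFields(sampleRule, upgradeRuleLossy(sampleRule, targetParams)));
console.log("fixed upgrade drops:", lostFields(sampleRule, upgradeRulePreserving(sampleRule, targetParams)));
```

Running it prints the four fields the lossy path drops (id, exceptionsList, timelineId, timelineTitle) and an empty list for the preserving path; the new version's own `type` and `version` still win, which is the behaviour the upgrade is supposed to have. The `lostFields` comparison is the kind of assertion the restructured FTR tests can make before and after an upgrade.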
…ew version in which the rule's type is different (elastic#176421)

(cherry picked from commit ffdcc34)

# Conflicts:
# x-pack/plugins/security_solution/docs/testing/test_plans/detection_response/prebuilt_rules/installation_and_upgrade.md
# x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/install_and_upgrade_prebuilt_rules.ts
# x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/install_prebuilt_rules.ts
# x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/install_prebuilt_rules_with_historical_versions.ts
# x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/upgrade_prebuilt_rules.ts
# x-pack/test/security_solution_api_integration/test_suites/detections_response/default_license/prebuilt_rules/management/upgrade_prebuilt_rules_with_historical_versions.ts
# x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/export_rules.ts
… to a new version in which the rule's type is different (#176421) (#176811)

# Backport

This will backport the following commits from `main` to `8.12`:

- [[Security Solution] Fix losing data upon prebuilt rule upgrade to a new version in which the rule's type is different (#176421)](#176421)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
@vgomez-el Could you please validate the fix? It has been backported to 8.12 and will be released in 8.12.2.
I have deployed an 8.10.4 version and activated the (video attachment: REC-20240301182245.mp4) and after upgrading the version to 8.12.2 rules are updated and they keep their exceptions. So we can consider the bug fixed and validated for 8.12.2: (video attachment: REC-20240301184426.mp4) Thanks @maximpn and @banderror and the rest of the people who contributed to fix this bug!
Summary
The bug occurs when:
As a result, any exceptions added to rule X by the user will be lost after the upgrade.
Expected behavior:
Todo
Real example
This just happened to one of our users who upgraded the following prebuilt rule: https://www.elastic.co/guide/en/security/8.10/prebuilt-rule-8-10-4-enumeration-of-privileged-local-groups-membership.html
Indeed, the rule type of this rule was changed recently, as you can see from the commits: https://github.com/elastic/detection-rules/commits/9f41c9f35cd568c397c1f81bafc997e92bbf2df0/rules/windows/discovery_privileged_localgroup_membership.toml
Before upgrade:
After upgrade: