
[Security Solution] Prebuilt rules being duplicated on upgrade #174847

Open
Tracked by #179907
zkink opened this issue Jan 15, 2024 · 15 comments
Labels
bug - Fixes for quality problems that affect the customer experience
Feature:Prebuilt Detection Rules - Security Solution Prebuilt Detection Rules area
impact:high - Addressing this issue will have a high level of impact on the quality/strength of our product.
Team:Detection Rule Management - Security Detection Rule Management Team
Team:Detections and Resp - Security Detection Response Team
Team: SecuritySolution - Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

zkink commented Jan 15, 2024

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #179907
Kibana version: 8.11.3
Elasticsearch version: 8.11.3
Server OS version: Cloud
Browser version: Edge
Browser OS version: 120.0.2210.133
Original install method (e.g. download page, yum, from source, etc.): Cloud

Summary

Describe the bug:
When updating rules, instances appear to be duplicating some rules as part of the update. Within our cluster, we can see the same rule exist multiple times. Both rules appear to be prebuilt rules that have been created by the author "Elastic". These are a few example rules where this can be seen to have occurred.

Steps to reproduce:
Go to Detection Rules (SIEM)
Click on Rule Updates
Click on Update All
Once updates have been performed, sometimes (this appears to be an intermittent issue), rules can be found in Custom rather than Prebuilt.

Expected behavior:
What would be expected is for rules to update rather than creating a new record/ID.

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:
This appears to be a long-term issue that has been intermittent. It appears only sometimes when rules are updated, and looking in a different instance, a different rule could be duplicated. When looking, it appears to be randomly occurring rather than occurring for the same rule each time.

Reference: elastic/detection-rules#3383

Rule with the same Rule ID existing in an instance with 2 different alert IDs:

```json
"hits": [
  {
    "_index": ".kibana_alerting_cases_8.8.0_001",
    "_id": "alert:1b6df8c0-2599-11ee-8571-99b83d216ac8",
    "_score": 26.424747,
    "_source": {
      "alert": {
        "params": {
          "ruleId": "cac91072-d165-11ec-a764-f661ea17fbce"
        }
      }
    }
  },
  {
    "_index": ".kibana_alerting_cases_8.8.0_001",
    "_id": "alert:d76ede10-402c-11ee-bc86-b1f97eb72d5d",
    "_score": 26.424747,
    "_source": {
      "alert": {
        "params": {
          "ruleId": "cac91072-d165-11ec-a764-f661ea17fbce"
        }
      }
    }
  }
]
```

@zkink zkink added the bug Fixes for quality problems that affect the customer experience label Jan 15, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Jan 15, 2024
zkink (Author) commented Jan 15, 2024

@jpdjere

Requested ticket be moved to this repo

@jpdjere jpdjere added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area and removed needs-team Issues missing a team label labels Jan 15, 2024
elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine (Contributor) commented

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

jpdjere (Contributor) commented Jan 15, 2024

Reference from elastic/detection-rules#3383

Duplicated rules:
Enumeration of Kernel Modules
Rule ID 1: aeffacb0-199f-11ee-be89-1b8cf30adee4
Rule ID 2: 2d8aaff0-4027-11ee-bc86-b1f97eb72d5d

Abnormal Process ID or Lock File Created
Rule ID 1: 1b6df8c0-2599-11ee-8571-99b83d216ac8
Rule ID 2: d76ede10-402c-11ee-bc86-b1f97eb72d5d

jpdjere (Contributor) commented Jan 15, 2024

@zkink

Thanks for reopening the ticket in this repo, and for the provided data on the duplicated rules. One more ask: could you tell me which version of the Prebuilt Rules package you are/were on, right before and after the rule updates appeared? As your deployment is on cloud, the Prebuilt Rules package is independent from the Kibana version, as it is distributed out-of-band via Fleet. You can navigate to the Integrations page and search for Prebuilt Security Detection Rules. Click on it to see the current installed version.

zkink (Author) commented Jan 15, 2024

We are currently on 8.10.9. This has not been updated for a few of the more recent versions due to finding issues like this in the past few updates that we have performed.

As far as versions, I am unsure where some of these occurred from as we have seen it intermittently for different rules in different environments over the last year.

jpdjere (Contributor) commented Jan 16, 2024

Hi @zkink

I'm investigating a possible bug of rules being duplicated while updating in cases in which the updates change a rule's type (for example, from EQL to New Terms). Would you mind running one more request for me in an instance where you have duplicated rules and paste the result here?

```
GET .kibana_alerting_cases/_search
{
  "_source": [
    "alert.params.ruleId",
    "alert.params.type",
    "alert.params.version",
    "alert.name"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "type": "alert"
          }
        },
        {
          "match_phrase": {
            "alert.name": "Abnormal Process ID or Lock File Created" // <--- name of the duplicated rule here
          }
        }
      ]
    }
  }
}
```
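The response to a search like the one above can be checked offline for the duplication described in this issue: more than one alert saved object carrying the same prebuilt `ruleId`, and whether those copies differ in rule type. The script below is an added example, not part of the issue or of Kibana; the response shape mirrors the `.kibana_alerting_cases` hits shown earlier in the thread, while the `type` and `version` values and the third, non-duplicated document are constructed for illustration.

```python
"""Group Kibana alerting saved objects by prebuilt rule_id to spot duplicates."""
from collections import defaultdict

# Constructed sample shaped like a .kibana_alerting_cases _search response.
# The two cac91072... hits reuse the saved-object ids quoted in the issue;
# their type/version values and the third document are made up for contrast.
SAMPLE_RESPONSE = {
    "hits": {
        "hits": [
            {"_id": "alert:1b6df8c0-2599-11ee-8571-99b83d216ac8",
             "_source": {"alert": {"name": "Abnormal Process ID or Lock File Created",
                                   "params": {"ruleId": "cac91072-d165-11ec-a764-f661ea17fbce",
                                              "type": "eql", "version": 105}}}},
            {"_id": "alert:d76ede10-402c-11ee-bc86-b1f97eb72d5d",
             "_source": {"alert": {"name": "Abnormal Process ID or Lock File Created",
                                   "params": {"ruleId": "cac91072-d165-11ec-a764-f661ea17fbce",
                                              "type": "new_terms", "version": 106}}}},
            {"_id": "alert:00000000-0000-0000-0000-000000000001",  # constructed, unique rule
             "_source": {"alert": {"name": "Example Unique Rule",
                                   "params": {"ruleId": "11111111-1111-1111-1111-111111111111",
                                              "type": "query", "version": 1}}}},
        ]
    }
}


def find_duplicate_rules(response):
    """Return {ruleId: [(saved_object_id, name, type, version), ...]} for every
    prebuilt rule_id backed by more than one alert saved object."""
    by_rule_id = defaultdict(list)
    for hit in response.get("hits", {}).get("hits", []):
        alert = hit.get("_source", {}).get("alert", {})
        params = alert.get("params", {})
        rule_id = params.get("ruleId")
        if not rule_id:  # not a detection rule saved object; skip it
            continue
        by_rule_id[rule_id].append(
            (hit["_id"], alert.get("name"), params.get("type"), params.get("version")))
    return {rid: objs for rid, objs in by_rule_id.items() if len(objs) > 1}


def changed_type(duplicates):
    """rule_ids whose copies disagree on rule type (e.g. EQL vs New Terms),
    the pattern the maintainer is investigating in this thread."""
    return sorted(rid for rid, objs in duplicates.items() if len({o[2] for o in objs}) > 1)


if __name__ == "__main__":
    dups = find_duplicate_rules(SAMPLE_RESPONSE)
    for rid, objs in dups.items():
        print(rid)
        for sid, name, rtype, version in objs:
            print(f"  {sid}  {name!r}  type={rtype} version={version}")
    print("type changed across copies:", changed_type(dups))
```

Feeding it a real response (with `"size"` raised so all rules are returned) lists every rule_id that has been duplicated, independent of rule name.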

jpdjere (Contributor) commented Jan 16, 2024

Also @zkink , just wanted to note that what you are describing was a known issue that was fixed in 8.9. See the first bullet in the Release Notes.

I'm moving forward with the investigation of these duplications-while-upgrading that you reported with the assumption that they happened in a version that was 8.9 or higher, but please double check and let me know if it wasn't. We might be seeing a bug that was fixed already.

zkink (Author) commented Jan 16, 2024

Do you have a date for when 8.9 would have been released? I can go through and confirm rules we are seeing this with after that time window.

jpdjere (Contributor) commented Jan 16, 2024

zkink (Author) commented Jan 16, 2024

From what I can tell, we are seeing this activity with rule updates we performed on Aug 21st. This is when it states the new rule was created.

jpdjere (Contributor) commented Jan 16, 2024

@zkink Is there a way you could check and be sure whether you had already updated Kibana to 8.9 by the time that you upgraded the rule and the duplication issue happened? It's a pretty close date, from the release on July 25th to August 21st, maybe the update to 8.9 had not yet taken place on your side.

If we can make sure that you were in a version previous to 8.9 on August 21st, we know that what you are reporting is a fixed bug; and you could have certainty that the issue won't be happening again.

zkink (Author) commented Jan 16, 2024

It appears that our updates for 8.9 occurred around the date of 8/3/2023.

tdurden82 commented

This behavior was observed when upgrading from 8.10.2 to 8.12.2. Deleting the older index made alerting functional again. Rules were duplicated in lists, but we were unable to view, edit, create, or delete rules.

{"statusCode":400,"error":"Bad Request","message":"alias [.kibana_alerting_cases_8.12.2] has more than one index associated with it [.kibana_alerting_cases_8.10.2_001, .kibana_alerting_cases_8.12.2_001], can't execute a single index op: illegal_argument_exception

@banderror banderror changed the title Rules being duplicated when updated [Security Solution] Prebuilt rules being duplicated on upgrade Apr 13, 2024
@banderror banderror added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team 8.14 candidate 8.15 candidate labels Apr 13, 2024
elasticmachine (Contributor) commented

Pinging @elastic/security-detections-response (Team:Detections and Resp)
