[Security Solution] Integration status isn't shown for some rules #187199
Assignees
Labels
8.15 candidate
bug
Fixes for quality problems that affect the customer experience
fixed
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Comments
maximpn
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
maximpn
added a commit
that referenced
this issue
Jul 15, 2024
…tion per package (#187200) **Resolves:** #187199 ## Summary This PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name. ## Details This fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name. For packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted. There are different packages with integrations - a package with multiple integrations - a package without integrations - a package with only one integration which name matches with the package name - a package with only one integration which name doesn't match with the package name The latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty. ### Screenshots before Installation rule preview popover: <img width="1715" alt="image" src="https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033"> Rule details page: <img width="1722" alt="image" src="https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248"> ### Screenshots after Installation rule preview popover: <img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35"> Rule details page: <img width="1723" alt="image" src="https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae"> Rule details page (Elastic APM integration is installed and enabled): <img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc">
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Jul 15, 2024
…tion per package (elastic#187200) **Resolves:** elastic#187199 ## Summary This PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name. ## Details This fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name. For packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted. There are different packages with integrations - a package with multiple integrations - a package without integrations - a package with only one integration which name matches with the package name - a package with only one integration which name doesn't match with the package name The latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty. ### Screenshots before Installation rule preview popover: <img width="1715" alt="image" src="https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033"> Rule details page: <img width="1722" alt="image" src="https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248"> ### Screenshots after Installation rule preview popover: <img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35"> Rule details page: <img width="1723" alt="image" src="https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae"> Rule details page (Elastic APM integration is installed and enabled): <img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc"> (cherry picked from commit 875d6e9)
kibanamachine
referenced
this issue
Jul 16, 2024
…integration per package (#187200) (#188336) # Backport This will backport the following commits from `main` to `8.15`: - [[Security Solution] Fix showing integration status for single integration per package (#187200)](#187200) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-07-15T17:13:14Z","message":"[Security Solution] Fix showing integration status for single integration per package (#187200)\n\n**Resolves:** https://github.com/elastic/kibana/issues/187199\r\n\r\n## Summary\r\n\r\nThis PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name.\r\n\r\nFor packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted.\r\n\r\nThere are different packages with integrations\r\n\r\n- a package with multiple integrations\r\n- a package without integrations\r\n- a package with only one integration which name matches with the package name\r\n- a package with only one integration which name doesn't match with the package name\r\n\r\nThe latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1715\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule details page:\r\n<img width=\"1722\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n### Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule details page:\r\n<img width=\"1723\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule details page (Elastic APM integration is installed and enabled):\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","v8.15.0","v8.16.0"],"title":"[Security Solution] Fix showing integration status for single integration per package","number":187200,"url":"https://github.com/elastic/kibana/pull/187200","mergeCommit":{"message":"[Security Solution] Fix showing integration status for single integration per package (#187200)\n\n**Resolves:** https://github.com/elastic/kibana/issues/187199\r\n\r\n## Summary\r\n\r\nThis PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name.\r\n\r\nFor packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted.\r\n\r\nThere are different packages with integrations\r\n\r\n- a package with multiple integrations\r\n- a package without integrations\r\n- a package with only one integration which name matches with the package name\r\n- a package with only one integration which name doesn't match with the package name\r\n\r\nThe latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1715\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule details page:\r\n<img width=\"1722\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n### Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule details page:\r\n<img width=\"1723\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule details page (Elastic APM integration is installed and enabled):\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253"}},"sourceBranch":"main","suggestedTargetBranches":["8.15"],"targetPullRequestStates":[{"branch":"8.15","label":"v8.15.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187200","number":187200,"mergeCommit":{"message":"[Security Solution] Fix showing integration status for single integration per package (#187200)\n\n**Resolves:** https://github.com/elastic/kibana/issues/187199\r\n\r\n## Summary\r\n\r\nThis PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name.\r\n\r\nFor packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted.\r\n\r\nThere are different packages with integrations\r\n\r\n- a package with multiple integrations\r\n- a package without integrations\r\n- a package with only one integration which name matches with the package name\r\n- a package with only one integration which name doesn't match with the package name\r\n\r\nThe latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1715\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule details page:\r\n<img width=\"1722\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n### Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule details page:\r\n<img width=\"1723\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule details page (Elastic APM integration is installed and enabled):\r\n<img width=\"1718\" alt=\"image\" src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253"}}]}] BACKPORT--> Co-authored-by: Maxim Palenov <[email protected]>
|
Hi @pborgonovi, the bug was fixed in #187200 and backported to |
|
Hi @maximpn . I've validated the fix on both latest 8.15 BC and 8.16 snapshot. Below are the evidences: BEFORE: Installation Rule Preview: 
Rule Details: 
AFTER: Fix backported to 8.15: Installation Rule Preview: 
Rule Details: 
8.16 Snapshot: Installation Rule Preview: 
Rule Details: 
I'm closing this issue as fixed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Relates to: #173595
Summary
Integration status isn't shown for some prebuilt rules, e.g.
Web Application Suspicious Activity: Unauthorized Method. The rule hasAPMrelated integration but it's status isn't shown in the installation rule preview popover neither on the rule details page. KIbana8.14doesn't have this issue which may say #178295 is the cause of this bug.Screenshots
Installation rule preview popover:
Rule details page:
The text was updated successfully, but these errors were encountered: