[Security Solution] Error when importing a duplicated Endpoint Security rule with default exceptions #198461
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Rule Exceptions
Security Solution Detection Rule Exceptions area
Feature:Rule Import/Export
Security Solution Detection Rule Import & Export workflow
sdh-linked
Team:Detection Engine
Security Solution Detection Engine Area
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Comments
banderror
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
|
I've reproduced this scenario by updating/not updating rule name to validate observation in step 2:
Updating rule name:
Not updating rule name:
Same error is observed in all the scenarios: existing list_id exception error is thrown, rule is imported and reference is removed: {
"exceptions_success": false,
"exceptions_success_count": 0,
"exceptions_errors": [
{
"list_id": "a3b80051-f69e-4988-88df-6a5d1575affc",
"error": {
"status_code": 409,
"message": "Found that list_id: \"a3b80051-f69e-4988-88df-6a5d1575affc\" already exists. Import of list_id: \"a3b80051-f69e-4988-88df-6a5d1575affc\" skipped."
}
},
{
"list_id": "a3b80051-f69e-4988-88df-6a5d1575affc",
"item_id": "f78f75eb-ed1e-4d6f-96ac-0990fd71bba8",
"error": {
"status_code": 409,
"message": "Found that item_id: \"f78f75eb-ed1e-4d6f-96ac-0990fd71bba8\" already exists. Import of item_id: \"f78f75eb-ed1e-4d6f-96ac-0990fd71bba8\" skipped."
}
}
],
"rules_count": 1,
"success": false,
"success_count": 1,
"errors": [
{
"rule_id": "c72725e0-0d35-4059-ba2b-2fa240c9d3a3",
"error": {
"status_code": 400,
"message": "Rule with rule_id: \"c72725e0-0d35-4059-ba2b-2fa240c9d3a3\" references a non existent exception list of list_id: \"a3b80051-f69e-4988-88df-6a5d1575affc\". Reference has been removed."
}
}
],
"action_connectors_errors": [],
"action_connectors_warnings": [],
"action_connectors_success": true,
"action_connectors_success_count": 0
}
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Nov 13, 2024
…le types of exception lists (elastic#198868) ## Summary Fixes elastic#198461 When a rule import file has both single-namespace and namespace-agnostic exception lists, there was a bug in the logic that fetched the existing exception lists after importing them. A missing set of parentheses caused a KQL query that should have read `(A OR B) AND (C OR D)` to be `(A OR B) AND C OR D`, meaning that the logic was satisfied by `D` alone instead of requiring `A` or `B` to be true along with `D`. In this case `A` and `B` are filters on `exception-list` and `exception-list-agnostic` SO attributes so that we (should) only be looking at the list container objects, i.e. `exception-list.attributes.list_type: list`. `C` and `D` are filters by `list_id`, e.g. `exception-list.attributes.list_id: (test_list_id)`. Without the extra parentheses around `C OR D`, the query finds both `list` and `item` documents for the list IDs specified in `D`. When the `findExceptionList` logic encounters a list item unexpectedly, it still tries to convert the SO into our internal representation of an exception list with `transformSavedObjectToExceptionList`. Most fields are shared between lists and items, which makes it confusing to debug. However, the `type` of items can only be `simple`, whereas lists have a variety of types. During the conversion, the `type` field of the resulting object is defaulted to `detection` if the `type` field of the SO doesn't match the allowed list type values. Since the related SDH involved importing a `rule_default` exception list instead, the list types didn't match up when the import route compared the exception list on the rule to import vs the "existing list" (which was actually a list item coerced into a list container schema with `type: detection`) and import fails. (cherry picked from commit 0cc2e56)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Nov 13, 2024
…le types of exception lists (elastic#198868) ## Summary Fixes elastic#198461 When a rule import file has both single-namespace and namespace-agnostic exception lists, there was a bug in the logic that fetched the existing exception lists after importing them. A missing set of parentheses caused a KQL query that should have read `(A OR B) AND (C OR D)` to be `(A OR B) AND C OR D`, meaning that the logic was satisfied by `D` alone instead of requiring `A` or `B` to be true along with `D`. In this case `A` and `B` are filters on `exception-list` and `exception-list-agnostic` SO attributes so that we (should) only be looking at the list container objects, i.e. `exception-list.attributes.list_type: list`. `C` and `D` are filters by `list_id`, e.g. `exception-list.attributes.list_id: (test_list_id)`. Without the extra parentheses around `C OR D`, the query finds both `list` and `item` documents for the list IDs specified in `D`. When the `findExceptionList` logic encounters a list item unexpectedly, it still tries to convert the SO into our internal representation of an exception list with `transformSavedObjectToExceptionList`. Most fields are shared between lists and items, which makes it confusing to debug. However, the `type` of items can only be `simple`, whereas lists have a variety of types. During the conversion, the `type` field of the resulting object is defaulted to `detection` if the `type` field of the SO doesn't match the allowed list type values. Since the related SDH involved importing a `rule_default` exception list instead, the list types didn't match up when the import route compared the exception list on the rule to import vs the "existing list" (which was actually a list item coerced into a list container schema with `type: detection`) and import fails. (cherry picked from commit 0cc2e56)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Nov 13, 2024
…le types of exception lists (elastic#198868) ## Summary Fixes elastic#198461 When a rule import file has both single-namespace and namespace-agnostic exception lists, there was a bug in the logic that fetched the existing exception lists after importing them. A missing set of parentheses caused a KQL query that should have read `(A OR B) AND (C OR D)` to be `(A OR B) AND C OR D`, meaning that the logic was satisfied by `D` alone instead of requiring `A` or `B` to be true along with `D`. In this case `A` and `B` are filters on `exception-list` and `exception-list-agnostic` SO attributes so that we (should) only be looking at the list container objects, i.e. `exception-list.attributes.list_type: list`. `C` and `D` are filters by `list_id`, e.g. `exception-list.attributes.list_id: (test_list_id)`. Without the extra parentheses around `C OR D`, the query finds both `list` and `item` documents for the list IDs specified in `D`. When the `findExceptionList` logic encounters a list item unexpectedly, it still tries to convert the SO into our internal representation of an exception list with `transformSavedObjectToExceptionList`. Most fields are shared between lists and items, which makes it confusing to debug. However, the `type` of items can only be `simple`, whereas lists have a variety of types. During the conversion, the `type` field of the resulting object is defaulted to `detection` if the `type` field of the SO doesn't match the allowed list type values. Since the related SDH involved importing a `rule_default` exception list instead, the list types didn't match up when the import route compared the exception list on the rule to import vs the "existing list" (which was actually a list item coerced into a list container schema with `type: detection`) and import fails. (cherry picked from commit 0cc2e56)
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Nov 18, 2024
…le types of exception lists (elastic#198868) ## Summary Fixes elastic#198461 When a rule import file has both single-namespace and namespace-agnostic exception lists, there was a bug in the logic that fetched the existing exception lists after importing them. A missing set of parentheses caused a KQL query that should have read `(A OR B) AND (C OR D)` to be `(A OR B) AND C OR D`, meaning that the logic was satisfied by `D` alone instead of requiring `A` or `B` to be true along with `D`. In this case `A` and `B` are filters on `exception-list` and `exception-list-agnostic` SO attributes so that we (should) only be looking at the list container objects, i.e. `exception-list.attributes.list_type: list`. `C` and `D` are filters by `list_id`, e.g. `exception-list.attributes.list_id: (test_list_id)`. Without the extra parentheses around `C OR D`, the query finds both `list` and `item` documents for the list IDs specified in `D`. When the `findExceptionList` logic encounters a list item unexpectedly, it still tries to convert the SO into our internal representation of an exception list with `transformSavedObjectToExceptionList`. Most fields are shared between lists and items, which makes it confusing to debug. However, the `type` of items can only be `simple`, whereas lists have a variety of types. During the conversion, the `type` field of the resulting object is defaulted to `detection` if the `type` field of the SO doesn't match the allowed list type values. Since the related SDH involved importing a `rule_default` exception list instead, the list types didn't match up when the import route compared the exception list on the rule to import vs the "existing list" (which was actually a list item coerced into a list container schema with `type: detection`) and import fails.
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Nov 18, 2024
…le types of exception lists (elastic#198868) ## Summary Fixes elastic#198461 When a rule import file has both single-namespace and namespace-agnostic exception lists, there was a bug in the logic that fetched the existing exception lists after importing them. A missing set of parentheses caused a KQL query that should have read `(A OR B) AND (C OR D)` to be `(A OR B) AND C OR D`, meaning that the logic was satisfied by `D` alone instead of requiring `A` or `B` to be true along with `D`. In this case `A` and `B` are filters on `exception-list` and `exception-list-agnostic` SO attributes so that we (should) only be looking at the list container objects, i.e. `exception-list.attributes.list_type: list`. `C` and `D` are filters by `list_id`, e.g. `exception-list.attributes.list_id: (test_list_id)`. Without the extra parentheses around `C OR D`, the query finds both `list` and `item` documents for the list IDs specified in `D`. When the `findExceptionList` logic encounters a list item unexpectedly, it still tries to convert the SO into our internal representation of an exception list with `transformSavedObjectToExceptionList`. Most fields are shared between lists and items, which makes it confusing to debug. However, the `type` of items can only be `simple`, whereas lists have a variety of types. During the conversion, the `type` field of the resulting object is defaulted to `detection` if the `type` field of the SO doesn't match the allowed list type values. Since the related SDH involved importing a `rule_default` exception list instead, the list types didn't match up when the import route compared the exception list on the rule to import vs the "existing list" (which was actually a list item coerced into a list container schema with `type: detection`) and import fails.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related to: #143864
Summary
If you try to import a duplicated Endpoint Security rule (so, it means it's a custom one) that has an exception item added to its default exception list (not the endpoint list), then overall the import fails, and:
Steps to reproduce:
Endpoint Securityrule.Endpoint Securityrule. Rename the duplicate fromEndpoint Security [Duplicate]toEndpoint Security(not sure if the renaming matters).Endpoint Security.Endpoint Securityrule.Details
Use this minimal ndjson to reproduce the bug:
When you try to import it, it will call the following import API endpoint which will respond with the following error:
{ "exceptions_success": false, "exceptions_success_count": 0, "exceptions_errors": [ { "list_id": "3fa90098-d556-4c38-863f-644c99766126", "error": { "status_code": 409, "message": "Found that list_id: \"3fa90098-d556-4c38-863f-644c99766126\" already exists. Import of list_id: \"3fa90098-d556-4c38-863f-644c99766126\" skipped." } }, { "list_id": "3fa90098-d556-4c38-863f-644c99766126", "item_id": "ee0b2657-e4bf-4d02-9528-d92e5eb8aa26", "error": { "status_code": 409, "message": "Found that item_id: \"ee0b2657-e4bf-4d02-9528-d92e5eb8aa26\" already exists. Import of item_id: \"ee0b2657-e4bf-4d02-9528-d92e5eb8aa26\" skipped." } } ], "rules_count": 1, "success": false, "success_count": 1, "errors": [ { "rule_id": "e456b162-a64f-4b62-a344-ca3cd589cf6d", "error": { "status_code": 400, "message": "Rule with rule_id: \"e456b162-a64f-4b62-a344-ca3cd589cf6d\" references a non existent exception list of list_id: \"endpoint_list\". Reference has been removed." } }, { "rule_id": "e456b162-a64f-4b62-a344-ca3cd589cf6d", "error": { "status_code": 400, "message": "Rule with rule_id: \"e456b162-a64f-4b62-a344-ca3cd589cf6d\" references a non existent exception list of list_id: \"3fa90098-d556-4c38-863f-644c99766126\". Reference has been removed." } } ], "action_connectors_errors": [], "action_connectors_warnings": [], "action_connectors_success": true, "action_connectors_success_count": 0 }The text was updated successfully, but these errors were encountered: