
[Security Solution] Importing Prebuilt Rules Results in Rule ID Conflict Error #200828

Closed
pborgonovi opened this issue Nov 19, 2024 · 4 comments
Labels: bug (Fixes for quality problems that affect the customer experience), impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product), Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), triage_needed

Comments

pborgonovi commented Nov 19, 2024

Describe the bug:

When attempting to import an exported prebuilt rule (after customization), the system throws an error:
rule_id: "<rule_id>" already exists.

Kibana/Elasticsearch Stack version:

8.x

Current branch: 8.x  
Latest commit: 26bfdaef960 - [8.x] feat: update OTEL Node.js metrics dashboard (#199353) (#200810)  
Remote tracking: origin/8.x  
Status relative to remote: up to date (no pending commits)  

Steps to reproduce:

  1. Export a prebuilt rule.
  2. Customize the exported rule (e.g., modify its fields or parameters).
  3. Import the customized rule back into Kibana.

Current behavior:

The import process throws an error: rule_id: "<rule_id>" already exists.

Expected behavior:

The import logic should:

  • Recognize that the rule_id matches an existing prebuilt rule.
  • Compare the imported rule’s version with the existing rule’s version.
  • Dynamically calculate the rule_source and immutable fields as follows:
    -- If the rule_id and version match, allow the import and update the rule accordingly.
    -- If the rule_id matches but the version does not, treat the rule as prebuilt with an older version and mark it as:
{
  "immutable": true,
  "ruleSource": {
    "type": "external",
    "isCustomized": false
  }
}

    -- If the rule has diverged (customized fields differ from the base version), mark it as:
{
  "immutable": true,
  "ruleSource": {
    "type": "external",
    "isCustomized": true
  }
}
    -- If the rule_id does not match any known rule, treat it as a custom rule:
{
  "immutable": false,
  "ruleSource": {
    "type": "internal"
  }
}

Screenshots (if relevant):

Screen.Recording.2024-11-19.at.2.41.01.PM.mov
pborgonovi added the bug, impact:high, Team: SecuritySolution, Team:Detection Rule Management, Team:Detections and Resp and triage_needed labels Nov 19, 2024
@elasticmachine
Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror
@pborgonovi You should check the Overwrite existing detection rules with conflicting "rule_id" checkbox in order for it to work as expected.

banderror closed this as not planned Nov 23, 2024