Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PUT /api/detection_engine/rules/prepackaged API endpoint error #133983

Closed
Tracked by #174167
colin-stubbs opened this issue Jun 9, 2022 · 5 comments
Closed
Tracked by #174167

PUT /api/detection_engine/rules/prepackaged API endpoint error #133983

colin-stubbs opened this issue Jun 9, 2022 · 5 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@colin-stubbs
Copy link

colin-stubbs commented Jun 9, 2022
edited
Loading

Kibana version: 8.2.0

Elasticsearch version: 8.2.0

Server OS version: Not applicable, using Elastic Cloud.

Browser version: Not applicable

Browser OS version: Not applicable

Original install method (e.g. download page, yum, from source, etc.): Elastic Cloud

Describe the bug:

Using API endpoint PUT /api/detection_engine/rules/prepackaged returns an error and fails to deploy the "Endpoint Security" rule.

This appears to be related to the rule requiring the creation of the endpoint list as part of the rule, if it does not already exist.

    "exceptions_list": [
      {
        "id": "endpoint_list",
        "list_id": "endpoint_list",
        "namespace_type": "agnostic",
        "type": "endpoint"
      }
    ],

The error returned from that PUT request is simply a HTTP 400 with the following content returned,

{
    "message": "Error creating rule: could not create API key - Unsupported scheme \"ApiKey\" for granting API Key",
    "status_code": 400
}

When deploying prepackaged rules via the Kibana webUI this error DOES NOT happen, indicating something to do with the active user session allows creation/interaction with the endpoint_list object that is not permitted otherwise via direct API request.

NOTE: We're using Postman to interact with the API and automate deployment and update of detection rules. Postman is using ApiKey based authentication to interact with the API, so my conclusion is that this particular API endpoint accepts ApiKey based auth... but something else that it does internally does not like ApiKey as an acceptable authentication token.

After the "Endpoint Security" rule has been deployed via Kiban webUI the API can be called again without error, e.g. it'll start to return a normal HTTP 200 with content like,

{
    "rules_installed": 0,
    "rules_updated": 0,
    "timelines_installed": 0,
    "timelines_updated": 0
}

Steps to reproduce:

  1. Fresh Elastic 8.2.0 deployment
  2. Attempt to deploy prepackaged security rules via API request only
  3. Experience error

Expected behavior:

We should simply be able to use PUT /api/detection_engine/rules/prepackaged to install or update all prepackaged rules.

Screenshots (if relevant): Not applicable.

Errors in browser console (if relevant): Not applicable.

Provide logs and/or server output (if relevant): No obvious logged errors.

Any additional context:
@colin-stubbs colin-stubbs added the bug Fixes for quality problems that affect the customer experience label Jun 9, 2022
@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 9, 2022
@colin-stubbs
Copy link
Author

colin-stubbs commented Jun 10, 2022
edited
Loading

This includes any interaction with the "Endpoint Security" rule actually, e.g. even if simply using PATCH /api/detection_engine/rules in order to add actions to the rule AFTER it has already been deployed by a human in Kibana webUI, the API will respond with exactly the same error about not liking ApiKey based auth for this rule and only this rule. Of the 691 Elastic prebuilt rules it's only this one rule that does this... 690 of them never have an issue.

@kertal kertal added triage_needed Team:Detection Rule Management Security Detection Rule Management Team labels Jun 13, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 13, 2022
@peluja1012 peluja1012 added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Aug 3, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@peluja1012 peluja1012 added the Team:Detections and Resp Security Detection Response Team label Aug 4, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror self-assigned this Aug 10, 2022
@banderror banderror added impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area 8.5 candidate and removed triage_needed needs:triage labels Aug 12, 2022
@banderror banderror removed their assignment Aug 12, 2022
@banderror
Copy link
Contributor

@colin-stubbs Thank you for opening this issue, appreciate the details! I have a few further questions to answer which might help us to localize the potential bug.

When deploying prepackaged rules via the Kibana webUI this error DOES NOT happen, indicating something to do with the active user session allows creation/interaction with the endpoint_list object that is not permitted otherwise via direct API request.

Are you sure that the requests you send to the API directly (from your scripts or Postman) are authorized on behalf of exactly the same user that can successfully install prebuilt rules from the UI?

In case of any doubt what user privileges are required to use Security rules, please refer to this page in the docs.

It might be helpful if you could share the privileges of the UI user and the API user so we could inspect and compare them.

NOTE: We're using Postman to interact with the API and automate deployment and update of detection rules. Postman is using ApiKey based authentication to interact with the API, so my conclusion is that this particular API endpoint accepts ApiKey based auth... but something else that it does internally does not like ApiKey as an acceptable authentication token.

Could you share your Postman request here so we could check the HTTP headers you use when calling this endpoint?

It looks like the endpoint might only support bearer and basic auth schemes (although the docs tell us to use the ApiKey scheme). This is where this error is thrown in the code:

kibana/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts

Lines 343 to 368 in d30f367

private getGrantParams(
createParams: CreateAPIKeyParams,
authorizationHeader: HTTPAuthorizationHeader
): GrantAPIKeyParams {
if (authorizationHeader.scheme.toLowerCase() === 'bearer') {
return {
api_key: createParams,
grant_type: 'access_token',
access_token: authorizationHeader.credentials,
};
}
if (authorizationHeader.scheme.toLowerCase() === 'basic') {
const basicCredentials = BasicHTTPAuthorizationHeaderCredentials.parseFromCredentials(
authorizationHeader.credentials
);
return {
api_key: createParams,
grant_type: 'password',
username: basicCredentials.username,
password: basicCredentials.password,
};
}
throw new Error(`Unsupported scheme "${authorizationHeader.scheme}" for granting API Key`);
}

After the "Endpoint Security" rule has been deployed via Kiban webUI the API can be called again without error

This includes any interaction with the "Endpoint Security" rule actually, e.g. even if simply using PATCH /api/detection_engine/rules in order to add actions to the rule AFTER it has already been deployed by a human in Kibana webUI, the API will respond with exactly the same error about not liking ApiKey based auth for this rule and only this rule. Of the 691 Elastic prebuilt rules it's only this one rule that does this... 690 of them never have an issue.

This is really weird. Let's talk more in order to understand why this happens.

Thank you!

@banderror banderror added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed 8.7 candidate impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Feb 22, 2023
@banderror
Copy link
Contributor

@colin-stubbs Please reopen if this is still an issue for you and you can provide additional info for troubleshooting.

@banderror banderror closed this as not planned Won't fix, can't repro, duplicate, stale Sep 13, 2023
@banderror banderror mentioned this issue Jan 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kertal @peluja1012 @colin-stubbs @banderror @elasticmachine