
[Security Solution] Users can't upgrade rules without customizations when rule type changed #202967

Closed
Tracked by #201502
maximpn opened this issue Dec 4, 2024 · 4 comments
Labels
  • 8.18 candidate
  • bug: Fixes for quality problems that affect the customer experience
  • Feature:Prebuilt Detection Rules: Security Solution Prebuilt Detection Rules area
  • Team:Detection Rule Management: Security Detection Rule Management Team
  • Team:Detections and Resp: Security Detection Response Team
  • Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
  • triage_needed

Comments

@maximpn (Contributor) commented Dec 4, 2024

Summary

Users can't upgrade Elastic rules that have no customizations but do have a rule type change from anywhere other than the rule update preview flyout.

Steps to reproduce:

  1. Set up the environment as described below
  2. Open the Okta User Sessions Started from Different Geolocations rule in the rule update preview flyout
  3. Notice the Rule type change warning message
  4. Try to upgrade the rule by clicking the Update rule button in the table row or by bulk upgrading

Expected behavior: The rule gets upgraded

Actual behavior: Rule is upgradable only from the rule update preview flyout

Screenshots (if relevant): two screenshots are attached to the original issue (not reproduced here).

Set up the environment

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs by adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package:

        curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1

  • Install prebuilt rules:

        curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
@maximpn added the labels 8.18 candidate, bug, Feature:Prebuilt Detection Rules, impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product), Team: SecuritySolution, Team:Detection Rule Management, Team:Detections and Resp and triage_needed on Dec 4, 2024

@elasticmachine (Contributor)

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror (Contributor)

@maximpn I think this is expected, intentional behavior at this stage. It's not a high-impact bug.

When discussing with @approksiu and @xcrzx what would be the simplest and easiest to implement MVP solution, we came up with #180395. We should revisit and improve this UI as part of Milestone 4, here's a new ticket for that:

I'm gonna close this one. Feel free to reopen if anyone disagrees.

@banderror banderror closed this as not planned Won't fix, can't repro, duplicate, stale Dec 5, 2024