
[Security Solution] Allow updating the rule version for prebuilt rules #139287

Merged (1 commit), Aug 25, 2022

Conversation


@xcrzx xcrzx commented Aug 23, 2022

Resolves: #139095
Resolves: #138876

Summary

Fixed logic that prevented rule version update for prebuilt rules and caused the rule upgrade banner to persist on the page.

(Screen recording attachment: Screen.Recording.2022-08-23.at.13.53.10.mov)

Version update logic before:

// `??` binds tighter than `?:`, so this parses as
// (nextParams.version ?? existingParams.immutable) ? existingParams.version : ...
// A supplied version makes the condition truthy, so the existing version is kept.
version: nextParams.version ?? existingParams.immutable
    ? existingParams.version
    : shouldUpdateVersion(nextParams)
    ? existingParams.version + 1
    : existingParams.version,

After:

// An explicit version wins; otherwise bump only when other fields changed.
version: nextParams.version
    ? nextParams.version
    : shouldUpdateVersion(nextParams)
    ? existingParams.version + 1
    : existingParams.version,

Now, if a new version is passed with the rule params, it gets applied unconditionally. As a result, rule converters are no longer aware of the rule immutability concept. Therefore, prebuilt rule immutability should be enforced on the business logic layer where needed.

How to test

  1. Install pre-packaged rules.
  2. In x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules, modify a rule: update name, risk_score and any other fields, and bump up the version.
  3. Navigate to the Rules page. The update callout should be visible on top.
  4. Click on the Update 1 Elastic prebuilt rule button.
  5. The rule should have all fields updated. The callout should disappear.
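Added example, not code from this PR or from Kibana: it re-implements the two version expressions from the Summary above on constructed rule params to show why the "before" form never applied a version shipped with a prebuilt rule update, and adds a hypothetical business-layer guard of the kind the Summary says now has to own immutability. The param shapes, `shouldUpdateVersion`, the guard, the caller notion and the sample rule values are all assumptions; the sample mirrors step 2 of the test steps (new name, new risk_score, bumped version).

```typescript
// Added example, not Kibana code. Constructed types stand in for the real
// rule params; `shouldUpdateVersion` is an assumption (the PR names it but
// does not show it).

interface ExistingParams {
  version: number;
  immutable: boolean; // true for Elastic prebuilt rules
  name: string;
  riskScore: number;
}

interface PatchParams {
  version?: number;
  name?: string;
  risk_score?: number;
}

// Assumed stand-in: a patch warrants a bump when it changes anything but `version`.
function shouldUpdateVersion(nextParams: PatchParams): boolean {
  return Object.keys(nextParams).some((key) => key !== 'version');
}

// "Before" expression from the PR. `??` binds tighter than `?:`, so it parses as
//   (nextParams.version ?? existingParams.immutable) ? existingParams.version : ...
// A supplied version makes the condition truthy, so the existing version is kept
// and a prebuilt rule never reaches the version shipped in the update.
function versionBefore(nextParams: PatchParams, existingParams: ExistingParams): number {
  return nextParams.version ?? existingParams.immutable
    ? existingParams.version
    : shouldUpdateVersion(nextParams)
    ? existingParams.version + 1
    : existingParams.version;
}

// "After" expression from the PR: an explicit version wins; otherwise bump only
// when other fields changed.
function versionAfter(nextParams: PatchParams, existingParams: ExistingParams): number {
  return nextParams.version
    ? nextParams.version
    : shouldUpdateVersion(nextParams)
    ? existingParams.version + 1
    : existingParams.version;
}

// Hypothetical business-layer guard, not part of the PR. Once the converter
// applies any supplied version unconditionally, the layer that knows who is
// calling has to refuse user-supplied versions on immutable (prebuilt) rules;
// only the internal prebuilt-rule installer may set them.
type Caller = 'user' | 'prebuilt-installer';

function assertVersionPatchAllowed(
  nextParams: PatchParams,
  existingParams: ExistingParams,
  caller: Caller
): void {
  if (nextParams.version !== undefined && existingParams.immutable && caller === 'user') {
    throw new Error('version of a prebuilt rule may only be changed by the rule installer');
  }
}

// Constructed sample mirroring the test steps: an installed prebuilt rule at
// version 3, and an updated rule package shipping version 4 with a new name
// and risk score.
const installedRule: ExistingParams = { version: 3, immutable: true, name: 'Old name', riskScore: 21 };
const packageUpdate: PatchParams = { version: 4, name: 'New name', risk_score: 73 };

console.log('before:', versionBefore(packageUpdate, installedRule)); // 3: the update is never applied
console.log('after: ', versionAfter(packageUpdate, installedRule)); // 4: the callout goes away
```

With the "before" expression the installed rule stays at version 3 no matter how often the package is applied, which is exactly the persisting upgrade banner the PR describes; the "after" expression lands on 4. The guard shows where a check like "only the installer may set a prebuilt rule's version" would live now that the converter itself no longer consults `immutable`.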

@xcrzx xcrzx added release_note:fix Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detection Alerts Security Detection Alerts Area Team v8.5.0 v8.4.1 labels Aug 23, 2022
@xcrzx xcrzx self-assigned this Aug 23, 2022
@xcrzx xcrzx requested review from a team as code owners August 23, 2022 11:39
@xcrzx xcrzx requested a review from vitaliidm August 23, 2022 11:39
@elasticmachine: Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine: Pinging @elastic/security-solution (Team: SecuritySolution)

@xcrzx xcrzx force-pushed the fix-rule-version-bump branch from 69b45d2 to 0d75ffd Compare August 23, 2022 12:19
@xcrzx xcrzx requested a review from a team as a code owner August 23, 2022 12:19
@xcrzx xcrzx force-pushed the fix-rule-version-bump branch from 0d75ffd to fa07fc2 Compare August 23, 2022 12:21
@xcrzx xcrzx removed the request for review from a team August 23, 2022 12:22
@banderror banderror self-requested a review August 23, 2022 14:56
@xcrzx xcrzx force-pushed the fix-rule-version-bump branch from fa07fc2 to d3e11f0 Compare August 23, 2022 15:30
@xcrzx xcrzx requested a review from marshallmain August 23, 2022 15:31
@banderror banderror added bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area labels Aug 23, 2022
@xcrzx xcrzx force-pushed the fix-rule-version-bump branch from d3e11f0 to d379927 Compare August 25, 2022 10:53
@banderror banderror left a comment

Checked out, reviewed the changes, and tested locally. LGTM 👍

Tested the fix twice in two different ways:

  • by upgrading from 8.4 to 8.5 while having some prebuilt rules installed in 8.4
  • by bumping the version in a filesystem rule

Left a few minor comments/nits.

@xcrzx do you think it's possible to write an integration test that would cover the logic of updating versions of prebuilt rules when addPrepackedRulesRoute is called?

Comment on lines 437 to 442
// increment the version of mutable rules by 1.
version:
params.version ?? existingParams.immutable
? existingParams.version
: shouldUpdateVersion(params)
? existingParams.version + 1
: existingParams.version,
exceptionsList: params.exceptions_list ?? existingParams.exceptionsList,
version: nextParams.version
? nextParams.version
: shouldUpdateVersion(nextParams, existingParams)
? existingParams.version + 1
: existingParams.version,
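Review bot: the new condition `nextParams.version ? nextParams.version : …` on the last five lines tests truthiness rather than presence, so a supplied version of 0 would fall through to the `shouldUpdateVersion` branch and silently become `existingParams.version + 1`; if rule versions are always positive integers this is harmless, but `nextParams.version !== undefined` (or `nextParams.version ?? (shouldUpdateVersion(...) ? existingParams.version + 1 : existingParams.version)`) states the intent "an explicit version always wins" exactly. The same lines call `shouldUpdateVersion(nextParams, existingParams)` with two arguments, while the PR description shows `shouldUpdateVersion(nextParams)`; the description should be updated to match the final signature.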
Contributor:

It looks like currently, our users are able to modify the rule version of prebuilt rules via CRUD endpoints. I think we need to create some follow-up tickets for disallowing that. Version updates should be done internally and controlled by the app on the server side.

Also, I believe this logic of incrementing the version should move to the routes like the add_prepackaged_rules_route.ts one. Here in the convertPatchAPIToInternalSchema it would become version: nextParams.version ?? existingParams.version. We can leave it as is in this PR.

Contributor Author:

Ideally, we should disallow users to modify prebuilt rules via API. But given that we're working actively on the prebuilt rule customization epic and the immutability flag will be removed, probably it's not worth spending time to add extra validation to the routes 🤷‍♂️

Contributor Author:

And as for the version increment logic, I hope we'll remove it once this task is finished.

@xcrzx xcrzx force-pushed the fix-rule-version-bump branch from d379927 to f4bd7b7 Compare August 25, 2022 15:14
@xcrzx
Copy link
Contributor Author

xcrzx commented Aug 25, 2022

@xcrzx do you think it's possible to write an integration test that would cover the logic of updating versions of prebuilt rules when addPrepackedRulesRoute is called?

++ We definitely need to cover that part with tests. Do you mind if we do it separately?

UPD: added issue #139533

@xcrzx xcrzx added the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Aug 25, 2022
@banderror banderror left a comment

Looks perfect! Thank you for addressing the comments.

@xcrzx xcrzx enabled auto-merge (squash) August 25, 2022 16:17
@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #14 / endpoint When on the Endpoint Policy Details Page and the save button is clicked should have cleared the advanced section when the user deletes the value

Metrics [docs]

✅ unchanged

History

  • 💚 Build #67331 succeeded d3799273f22072c0ede00bd0e9b44e441f3aafe9
  • 💚 Build #66798 succeeded d3e11f0df6b2a96718e48c38c2d2fc7a60a23c43
  • 💔 Build #66731 failed fa07fc2a9e48a9b8f4356465f4a3856a3809949e
  • 💔 Build #66713 failed 69b45d284bfde6f27c46ef93889e81a1daee7710

@xcrzx xcrzx merged commit 7429f78 into elastic:main Aug 25, 2022
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 25, 2022
@kibanamachine

💚 All backports created successfully

Backport branch: 8.4

Note: Successful backport PRs will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Aug 25, 2022
(cherry picked from commit 7429f78)

Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
Co-authored-by: Pedro Jaramillo <pedro.jaramillo@elastic.co>
@xcrzx xcrzx deleted the fix-rule-version-bump branch August 26, 2022 08:45
Mpdreamz pushed a commit to Mpdreamz/kibana that referenced this pull request Sep 6, 2022