
Actions do not import from .ndjson imports through API or Web Interface [Security Solution] #116363

Closed
s-m-martin opened this issue Oct 26, 2021 · 2 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

@s-m-martin

Describe the bug
I discovered this when trying to create rules that would automatically alert to Slack on import - not sure this is the right place to report, so if it isn't please let me know.

You can add the following to a rule .toml to enable Slack reporting:


```toml
[[rule.actions]]
action_type_id = ".slack"
group = "default"
id = "<Insert correct Slack ID here>"
[rule.actions.params]
message = "Rule {{context.rule.name}} generated {{state.signals_count}} alerts {{context.results_link}}"
```

Generating the rule for export via `python -m detection_rules export-rules --directory rules --outfile test_rules.ndjson` results in a valid .ndjson with valid entries that show the rule actions.

But when you import the rules into either the UI using the Import button or via the API:

```shell
curl -X POST "<KibanaURL>/api/detection_engine/rules/_import" \
  -u <username>:<password> -H 'kbn-xsrf: true' \
  -H 'Content-Type: multipart/form-data' \
  --form "file=@<link to file>"
```

Then the rule actions are missing...

Even stranger, if you use the create rule API and you load the same rules one by one from the .ndjson where the actions aren't being imported, the rule actions are present and work as expected.

Kibana/Elasticsearch Stack version:
v 7.15.0

Original install method (e.g. download page, yum, from source, etc.):
Not installed - purchased through Elastic Cloud

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Detection rules

To Reproduce

  1. Add rule actions to the end of a .toml rule as shown above in the description
  2. Generate the rules .ndjson and then import it via the UI or via API import
  3. Check the rule actions
  4. See that your actions are not present

Expected behavior
When I import a rules .ndjson with rule actions, I expect the rule actions to be present on the imported rule. This is the same behavior I see when I import rules that have rule actions using the create rule API.
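
As an added diagnostic (not part of this issue, and not code from the detection-rules project or Kibana): a small Python script that parses an exported rules .ndjson, records which rules carry actions, and diffs that against the rule objects returned by the detection engine's `_find` API after the import, so a dropped action like the one reported above shows up as a concrete `rule_id` instead of having to be spotted by eye in the UI. The sample export and the sample `_find` response below are constructed; the response shape (a `data` list of rule objects with `rule_id` and `actions`) is assumed from the 7.x detection engine API, and any export line without a `rule_id` (such as a trailing summary line) is assumed to be non-rule metadata and skipped.

```python
import json
from typing import Dict, List

# Constructed sample export: two rules, the second carrying the Slack action from the
# issue above, followed by a summary line of the kind an export .ndjson may end with (assumed).
SAMPLE_EXPORT_NDJSON = "\n".join([
    json.dumps({"rule_id": "rule-a", "name": "Rule A", "actions": []}),
    json.dumps({
        "rule_id": "rule-b",
        "name": "Rule B",
        "actions": [{
            "action_type_id": ".slack",
            "group": "default",
            "id": "<Insert correct Slack ID here>",
            "params": {"message": "Rule {{context.rule.name}} generated "
                                  "{{state.signals_count}} alerts {{context.results_link}}"},
        }],
    }),
    json.dumps({"exported_count": 2, "missing_rules": [], "missing_rules_count": 0}),
])

# Constructed sample of GET /api/detection_engine/rules/_find after the import on 7.15:
# both rules exist, but the action on rule-b has been dropped (the symptom reported above).
SAMPLE_FIND_RESPONSE = {
    "page": 1, "perPage": 20, "total": 2,
    "data": [
        {"rule_id": "rule-a", "name": "Rule A", "actions": []},
        {"rule_id": "rule-b", "name": "Rule B", "actions": []},
    ],
}


def parse_export(ndjson_text: str) -> Dict[str, dict]:
    """Map rule_id -> rule object for every rule line in an export .ndjson.

    Blank lines are ignored and any object without a rule_id (assumed to be a
    summary/metadata line) is skipped, so the file can be fed in as-is.
    """
    rules: Dict[str, dict] = {}
    for lineno, raw in enumerate(ndjson_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from None
        if not isinstance(obj, dict) or "rule_id" not in obj:
            continue
        rules[obj["rule_id"]] = obj
    return rules


def index_find_response(find_response: dict) -> Dict[str, dict]:
    """Map rule_id -> rule object from a _find response body (assumed 'data' list)."""
    return {r["rule_id"]: r for r in find_response.get("data", []) if "rule_id" in r}


def action_keys(rule: dict) -> List[str]:
    """Identify each action by connector type and connector id, e.g. '.slack:<id>'."""
    return sorted(f"{a.get('action_type_id')}:{a.get('id')}" for a in rule.get("actions") or [])


def dropped_actions(exported: Dict[str, dict], imported: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return rule_id -> actions present in the export but absent after import.

    A rule that is entirely missing after import is reported with all of its
    expected actions, since none of them made it through.
    """
    report: Dict[str, List[str]] = {}
    for rule_id, rule in exported.items():
        expected = action_keys(rule)
        if not expected:
            continue
        present = set(action_keys(imported[rule_id])) if rule_id in imported else set()
        missing = [k for k in expected if k not in present]
        if missing:
            report[rule_id] = missing
    return report


def check_import(ndjson_text: str, find_response: dict) -> Dict[str, List[str]]:
    """Parse both sides and diff them; an empty dict means every action survived."""
    return dropped_actions(parse_export(ndjson_text), index_find_response(find_response))


if __name__ == "__main__":
    for rule_id, missing in check_import(SAMPLE_EXPORT_NDJSON, SAMPLE_FIND_RESPONSE).items():
        print(f"{rule_id}: actions lost on import -> {', '.join(missing)}")
```

Against a real stack, fetch the post-import state with `GET <KibanaURL>/api/detection_engine/rules/_find` (same `-u` and `kbn-xsrf: true` headers as the import call; raise `per_page` so the response is not paginated), save the body to a file, and pass the export .ndjson text and the parsed JSON body to `check_import`. Running it before and after an upgrade turns the "actions silently missing" problem into a check that can sit in the same CI job that runs `export-rules`.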

@s-m-martin s-m-martin added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed labels Oct 26, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@rylnd
Contributor

rylnd commented Oct 27, 2021

@AspenScythe thank you for the detailed info! Import of rule actions is not supported in 7.15. However, this functionality has been added in 7.16.0 via #115243.

@rylnd rylnd closed this as completed Oct 27, 2021