-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detections] Rule type changes on update are no longer supported #123859
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
On the Alerts area side we've discussed the implications of allowing rule type changes vs requiring a new rule in order to change the type. The 2 options can be summarized as:
Initially I was leaning towards not supporting rule type changes, as it seemed simpler to require a new rule. There's a possibility that some Detection Engine features (e.g. value list exceptions) now and in the future may be supported by some rule types but not others, so allowing arbitrary rule type changes could complicate those features. In addition, rule state like However, since users could upgrade from any previous version of prepackaged detection rules to the current version, prepackaged rule type changes that shipped in the past may still need to be applied by future versions of Kibana. In addition, the automated process of "create a new rule with the new type then delete the old one" doesn't seem too risky overall. In the individual rule type executors we can check to see if features not supported by the rule type are being used and display warnings if unsupported features are found on the rule configuration - EQL rules already have a check like this for value list exceptions. So to summarize, my recommendation would be support rule type changes by updating any rules routes that could change the type of a rule ( |
Can you reference these - we could probably push some constraints to the rules repo. Also, would this be something specific that should also be exposed via API |
The example that could happen right now would be user defined value list exceptions that are supported for KQL rules but not for EQL. When the rule gets converted, the value list exceptions would no longer be evaluated for the rule and on execution users would get a warning that the rule has unsupported exceptions. Since the exceptions are user defined I don't know if we'd be able to implement a check on the rule definition itself. Value list exceptions are the only case that I can think of right now that would transfer between rules but have different levels of support on different rule types - but it's possible that other cases could pop up in the future. Actions, for example, are user defined - right now the same actions are supported across all rule types so it's not an issue, but if a new action is introduced in the future that only supports some rule types that could be an issue if we expect the actions to be moved seamlessly. Similarly in that case, though, at rule execution time we could check to see if unsupported actions are attached to the rule and warn users.
I think it should be transparent to users as much as possible, so the API would make it appear as though the rule has been updated in place. It's just behind the scenes that the rule was deleted and replaced with a rule that has the same IDs but a different type. |
awesome, thanks for the update. Doesn't look there would be anything to tighten up within the rules repo wrt that scenario 👍 |
Uncovered in testing
8.0.0
rule updates (#123786 (comment)), rule type changes on-update are no longer supported since changing from a single alerting rule type (siem.signals
) to separate dedicated types for each security rule, e.g.siem.queryRule
andsiem.eqlRule
.As @marshallmain detailed:
Proposed change to add back support would likely be "delete the old rule then make a new one with the same rule_id" rather than modifying the existing rule.
Note: Will need to ensure migration of actions/exceptions. See this issue for history around how unsupported exceptions are handled when types are migrated.
Impact
If a type change is performed, the UX is as follows:
Looks like because of the
language
/type
change this rule is failing to update, and must be deleted before it can be updated/re-installed. The tricky thing here is that the error doesn't tell you it's theInteractive Terminal Spawned via Python
rule that is failing the update, so it's not clear to the user how they can fix it and theupdate 1 rule
callout will persist and can't be dismissed.The text was updated successfully, but these errors were encountered: