
[Security Solution] Rule execution fails after importing a rule with Security Solution data view in a different space #137841

Closed
MadameSheema opened this issue Aug 2, 2022 · 8 comments
Labels: 8.5 candidate, bug, Feature:Data Views, Feature:Detection Rules, invalid, Team:Detection Engine, Team:Detections and Resp, Team: SecuritySolution

Comments

@MadameSheema (Member)

Describe the bug:

  • Rule execution fails after importing a rule with Security Solution data view in a different space.

Kibana/Elasticsearch Stack version:

  • 8.4.0 BC1

Initial setup:

  • To have a detection rule created with the Security Solution data view on the default space exported.
  • To have more than one space.

Steps to reproduce:

  1. Import the exported rule in a different space
  2. Wait for the rule to be executed

Current behavior:

  • The execution of the rule fails, even if you import the Security Solution default data view into the space where the rule was imported. After re-enabling the rule, it still fails.

(Screenshot attached: 2022-08-02 15:01:23)

Expected behavior:

  • The rule execution does not fail
MadameSheema added the labels bug, triage_needed, Team:Detections and Resp, Team: SecuritySolution and Team:Security Solution Platform on Aug 2, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@dhurley14 (Contributor)

I'll look into this, but I believe this could be due to the saved object ids being different between the two spaces? Or something with the saved object references for the exported rule.

@yctercero (Contributor)

This is similar to the experience we deal with currently with rule action connectors. On export, we only export the id, so if the saved object does not exist where this is being re-imported, it will fail.

Would love some input here on what the experience should be. Ideally, a user would be able to completely export all their SOs with their rules and reimport into a new environment with no problem. In a more tiered approach I could see first updating the import/export UI to inform users of the behavior around data views and connectors. I'm not sure how portable the Kibana core import/export API is and if we can in any way begin to leverage it and move away from our own API as it is growing in complexity.

Given that we do still allow the rule to be imported and a pretty clear error message is displayed, I think we can think of some updates for 8.5+.

cc @peluja1012 @rylnd @jethr0null

@jethr0null

Can we chat about this to explore options during the advanced correlation sync perhaps?

@yctercero (Contributor)

@jethr0null added it to next week's advanced correlation sync agenda.

@rylnd (Contributor)

rylnd commented Aug 17, 2022

Note: users can share data views between spaces via the SOM. If the data view is shared between the exported space and the imported space, the newly-imported rule will behave as expected. NB that this won't work with cross-instance import/export.
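A pre-import check that follows from the two mechanisms described in this thread (the export carries only the data view id; a data view resolves in another space only when it has been shared there). This is an added example, not code from the issue or from Kibana: the ndjson rule lines and the data view listing are constructed samples, and the `GET /s/<space>/api/data_views` response shape with a `namespaces` field is an assumption.

```python
import json

# Constructed sample of an exported rules file as Kibana writes it: one rule
# per ndjson line (trimmed to the fields this check needs) followed by the
# export-details summary line the export endpoint appends.
EXPORTED_RULES_NDJSON = "\n".join([
    json.dumps({"rule_id": "rule-a", "name": "Rule on the Security data view",
                "type": "query", "data_view_id": "security-solution-default"}),
    json.dumps({"rule_id": "rule-b", "name": "Rule on an index pattern",
                "type": "query", "index": ["logs-*"]}),
    json.dumps({"rule_id": "rule-c", "name": "Rule on a shared data view",
                "type": "query", "data_view_id": "shared-logs"}),
    json.dumps({"exported_count": 3, "missing_rules": [], "missing_rules_count": 0}),
])

# Constructed sample of the data views in the *source* space, in the shape
# assumed for GET /s/<space>/api/data_views; "namespaces" lists the spaces a
# data view has been shared into via saved objects management ("*" = all).
SOURCE_DATA_VIEWS = {"data_view": [
    {"id": "security-solution-default", "title": "logs-*,filebeat-*",
     "namespaces": ["default"]},
    {"id": "shared-logs", "title": "logs-*", "namespaces": ["default", "team-b"]},
]}


def data_view_refs(ndjson_text):
    """Yield (rule_id, data_view_id) for each exported rule that targets a data view."""
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        # The summary line has no rule_id; index-pattern rules have no data_view_id.
        if "rule_id" in obj and obj.get("data_view_id"):
            yield obj["rule_id"], obj["data_view_id"]


def missing_data_views(ndjson_text, data_views_response, target_space):
    """Return (rule_id, data_view_id) pairs that will not resolve in target_space."""
    # A reference resolves only if the data view exists and is shared into the
    # target space (or into every space); anything else imports fine but fails
    # once the rule executes, which is the behaviour reported in this issue.
    visible = {dv["id"]: set(dv.get("namespaces", []))
               for dv in data_views_response["data_view"]}
    missing = []
    for rule_id, dv_id in data_view_refs(ndjson_text):
        spaces = visible.get(dv_id, set())
        if target_space not in spaces and "*" not in spaces:
            missing.append((rule_id, dv_id))
    return missing
```

Run `missing_data_views(EXPORTED_RULES_NDJSON, SOURCE_DATA_VIEWS, "team-b")` before importing into `team-b`: any pair it returns names a data view to share into that space first.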

peluja1012 added the Feature:Data Views label on Oct 5, 2022
yctercero added the Team:Detection Engine label and removed the Team:Security Solution Platform label on May 14, 2023
yctercero added the Feature:Detection Rules label on Jun 5, 2024
@pborgonovi (Contributor)

If the data view is previously shared with the other space, then importing the rule will work as expected:

(Screenshot and screen recording attached: 2024-07-24 10:36 AM and 10:37 AM)

Closing this bug as invalid.
