[Security Solution] Related Integration shows as not installed even when it is
#149644
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Feature:Related Integrations
Security Solution Detection Rules Related Integrations feature
fixed
impact:medium
Addressing this issue will have a medium level of impact on the quality/strength of our product.
QA:Validated
Issue has been validated by QA
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.7.0
Comments
spong
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Feb 17, 2023
…t installed` even when they are (elastic#149646) ## Summary Resolves elastic#149644 by adding a fallback for package policies without a policy_template. (cherry picked from commit ba5634e)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Feb 17, 2023
…t installed` even when they are (elastic#149646) ## Summary Resolves elastic#149644 by adding a fallback for package policies without a policy_template. (cherry picked from commit ba5634e)
kibanamachine
added a commit
that referenced
this issue
Feb 17, 2023
…as `not installed` even when they are (#149646) (#151535) # Backport This will backport the following commits from `main` to `8.6`: - [[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)](#149646) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-02-16T23:53:26Z","message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Endpoint Response","Feature:Detection Rules","Team: SecuritySolution","Team:Detection Rules","backport:prev-minor","v8.6.0","v8.7.0","v8.8.0"],"number":149646,"url":"https://github.com/elastic/kibana/pull/149646","mergeCommit":{"message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc"}},"sourceBranch":"main","suggestedTargetBranches":["8.6","8.7"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/149646","number":149646,"mergeCommit":{"message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc"}}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
kibanamachine
added a commit
that referenced
this issue
Feb 17, 2023
…as `not installed` even when they are (#149646) (#151536) # Backport This will backport the following commits from `main` to `8.7`: - [[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)](#149646) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-02-16T23:53:26Z","message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Endpoint Response","Feature:Detection Rules","Team: SecuritySolution","Team:Detection Rules","backport:prev-minor","v8.6.0","v8.7.0","v8.8.0"],"number":149646,"url":"https://github.com/elastic/kibana/pull/149646","mergeCommit":{"message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc"}},"sourceBranch":"main","suggestedTargetBranches":["8.6","8.7"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/149646","number":149646,"mergeCommit":{"message":"[Security Solution] Fixes certain Related Integrations showing as `not installed` even when they are (#149646)\n\n## Summary\r\n\r\nResolves #149644 by adding a\r\nfallback for package policies without a policy_template.","sha":"ba5634eda6b18ae3d809ba50d21878526c97a8dc"}}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
banderror
added
impact:medium
|
@MadameSheema Can folks please verify that #149646 fixes this bug? The fix should be available in 8.7 BC. @spong I also noticed that the fix has been backported to 8.6 and targets 8.6.3, but I couldn't find the 8.6.3 version in the release schedule. Is the label wrong or the spreadsheet? :) |
|
@karanbirsingh-qasource @sukhwindersingh-qasource may you please help to validate this issue? |
No, you're correct that there's no scheduled
Just a heads up that there are still these issues (#150968 & #149644) with related integrations, so not everything is resolved here just yet. I'm working these issues for the next BC, but let me know if you come across anything extra in testing and I can try to address along with those fixes. |
|
FYI: I have a user who encountered this issue on version |
|
We have validated this issue on 8.7.0 BC4 build and observed that issue is not occurring, It is Fixed. ✔️ Please find the below Testing Details: Build info Screen-Recording Rules.-.Kibana.Mozilla.Firefox.2023-02-23.16-29-32.mp4Hence, We are marking it as QA Validated!! Thanks!! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
First reported in
8.6.1, but also reproduced in8.5.0, theElastic DefendorEndpointintegration will show asNot installedwhen it is in fact installed.Debugging this, we can work our way back from the client since it appears the
detection_engine/fleet/integrations/installedAPI is returning back that it's actually installed.Here we determine if the integration is
installedby seeing if the related integration from the Rule is within the list of installed packages returned by fleet. The package name check ends up being truthy, however the integration name check fails since the rule doesn't provide an related integration name (since there isn't one forElastic Defend), yet the our data model is including integration details with an''integration_name.kibana/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts
Lines 81 to 84 in 21de750
Now heading to the server, we set the
integration_namefrom thepolicy.input[].policy_template, however this is undefined for theElastic Defendintegration, and so ends up as emptystring''.kibana/x-pack/plugins/security_solution/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/installed_integration_set.ts
Line 129 in 21de750
As a result, when determining if we need to augment the package with integration details, we now have a mismatch between
packageInfo.package_name&integrationInfo.integration_name, which results in us adding integration details, but with an invalidintegration_name.kibana/x-pack/plugins/security_solution/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/installed_integration_set.ts
Line 88 in 21de750
which is why the client is determining that the integration is not installed.
So looks like the root cause here is that there's no
policy_templatebeing returned on the packagePolicies'inputobject for theElastic Defendintegration:We can see this directly with the
/kbn/api/fleet/package_policiesfleet API as well:Elastic Defend integration on the left, Fleet Server integration on the right:
I haven't found any specific fleet/package-registry changes yet that would explain why the
Elastic DefendpackagePolicies don't include apolicy_template(maybe it happened as part of the refactor from Elastic Security -> Elastic Defend?), so if not a change introduced in the interim, perhaps we missed this in our initial testing @banderror?Either way, looks like we can either use the root
input.typeor the nestedconfig.integration_config.typeoff of the packagePolicy if thepolicy_templateisn't present. Will need to test with lone packages and packages+integrations to see the behavior here.The text was updated successfully, but these errors were encountered: