Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Integration status isn't shown for some rules #187199

Closed
maximpn opened this issue Jun 29, 2024 · 5 comments
Closed

[Security Solution] Integration status isn't shown for some rules #187199

maximpn opened this issue Jun 29, 2024 · 5 comments
Assignees
Labels
8.15 candidate bug Fixes for quality problems that affect the customer experience fixed Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@maximpn
Copy link
Contributor

maximpn commented Jun 29, 2024

Relates to: #173595

Summary

Integration status isn't shown for some prebuilt rules, e.g. Web Application Suspicious Activity: Unauthorized Method. The rule has APM related integration but it's status isn't shown in the installation rule preview popover neither on the rule details page. KIbana 8.14 doesn't have this issue which may say #178295 is the cause of this bug.

Screenshots

Installation rule preview popover:
image

Rule details page:
image

@maximpn maximpn added bug Fixes for quality problems that affect the customer experience Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team 8.15 candidate labels Jun 29, 2024
@maximpn maximpn self-assigned this Jun 29, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

maximpn added a commit that referenced this issue Jul 15, 2024
…tion per package (#187200)

**Resolves:** #187199

## Summary

This PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name.

## Details

This fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name.

For packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted.

There are different packages with integrations

- a package with multiple integrations
- a package without integrations
- a package with only one integration which name matches with the package name
- a package with only one integration which name doesn't match with the package name

The latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty.

### Screenshots before

Installation rule preview popover:
<img width="1715" alt="image" src="https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033">

Rule details page:
<img width="1722" alt="image" src="https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248">

### Screenshots after

Installation rule preview popover:
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35">

Rule details page:
<img width="1723" alt="image" src="https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae">

Rule details page (Elastic APM integration is installed and enabled):
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc">
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Jul 15, 2024
…tion per package (elastic#187200)

**Resolves:** elastic#187199

## Summary

This PR fixes displaying related integration status for rules referring packages with a single integration. A good example is `Web Application Suspicious Activity: Unauthorized Method` rule which refers `APM` integration. Package and integration names don't match but the prebuilt rule only refers a package name omitting the integration name.

## Details

This fix changes response from `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration which name doesn't match the package name.

For packages with a single integration and matching package and integration names there is only one integration returned with integration name and title omitted.

There are different packages with integrations

- a package with multiple integrations
- a package without integrations
- a package with only one integration which name matches with the package name
- a package with only one integration which name doesn't match with the package name

The latter case is `apm` package which has `apmServer` integration. For example `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only `apm` package name which integration name is empty.

### Screenshots before

Installation rule preview popover:
<img width="1715" alt="image" src="https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033">

Rule details page:
<img width="1722" alt="image" src="https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248">

### Screenshots after

Installation rule preview popover:
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35">

Rule details page:
<img width="1723" alt="image" src="https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae">

Rule details page (Elastic APM integration is installed and enabled):
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc">

(cherry picked from commit 875d6e9)
kibanamachine referenced this issue Jul 16, 2024
…integration per package (#187200) (#188336)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Security Solution] Fix showing integration status for single
integration per package
(#187200)](#187200)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-07-15T17:13:14Z","message":"[Security
Solution] Fix showing integration status for single integration per
package (#187200)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/187199\r\n\r\n##
Summary\r\n\r\nThis PR fixes displaying related integration status for
rules referring packages with a single integration. A good example is
`Web Application Suspicious Activity: Unauthorized Method` rule which
refers `APM` integration. Package and integration names don't match but
the prebuilt rule only refers a package name omitting the integration
name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET
/internal/detection_engine/fleet/integrations/all` internal API endpoint
by adding an additional integration for packages having a single
integration which name doesn't match the package name.\r\n\r\nFor
packages with a single integration and matching package and integration
names there is only one integration returned with integration name and
title omitted.\r\n\r\nThere are different packages with
integrations\r\n\r\n- a package with multiple integrations\r\n- a
package without integrations\r\n- a package with only one integration
which name matches with the package name\r\n- a package with only one
integration which name doesn't match with the package name\r\n\r\nThe
latter case is `apm` package which has `apmServer` integration. For
example `Web Application Suspicious Activity: Unauthorized Method`
prebuilt rule specifies only `apm` package name which integration name
is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview
popover:\r\n<img width=\"1715\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule
details page:\r\n<img width=\"1722\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n###
Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule
details page:\r\n<img width=\"1723\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule
details page (Elastic APM integration is installed and enabled):\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","v8.15.0","v8.16.0"],"title":"[Security Solution] Fix
showing integration status for single integration per
package","number":187200,"url":"https://github.com/elastic/kibana/pull/187200","mergeCommit":{"message":"[Security
Solution] Fix showing integration status for single integration per
package (#187200)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/187199\r\n\r\n##
Summary\r\n\r\nThis PR fixes displaying related integration status for
rules referring packages with a single integration. A good example is
`Web Application Suspicious Activity: Unauthorized Method` rule which
refers `APM` integration. Package and integration names don't match but
the prebuilt rule only refers a package name omitting the integration
name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET
/internal/detection_engine/fleet/integrations/all` internal API endpoint
by adding an additional integration for packages having a single
integration which name doesn't match the package name.\r\n\r\nFor
packages with a single integration and matching package and integration
names there is only one integration returned with integration name and
title omitted.\r\n\r\nThere are different packages with
integrations\r\n\r\n- a package with multiple integrations\r\n- a
package without integrations\r\n- a package with only one integration
which name matches with the package name\r\n- a package with only one
integration which name doesn't match with the package name\r\n\r\nThe
latter case is `apm` package which has `apmServer` integration. For
example `Web Application Suspicious Activity: Unauthorized Method`
prebuilt rule specifies only `apm` package name which integration name
is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview
popover:\r\n<img width=\"1715\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule
details page:\r\n<img width=\"1722\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n###
Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule
details page:\r\n<img width=\"1723\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule
details page (Elastic APM integration is installed and enabled):\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253"}},"sourceBranch":"main","suggestedTargetBranches":["8.15"],"targetPullRequestStates":[{"branch":"8.15","label":"v8.15.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187200","number":187200,"mergeCommit":{"message":"[Security
Solution] Fix showing integration status for single integration per
package (#187200)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/187199\r\n\r\n##
Summary\r\n\r\nThis PR fixes displaying related integration status for
rules referring packages with a single integration. A good example is
`Web Application Suspicious Activity: Unauthorized Method` rule which
refers `APM` integration. Package and integration names don't match but
the prebuilt rule only refers a package name omitting the integration
name.\r\n\r\n## Details\r\n\r\nThis fix changes response from `GET
/internal/detection_engine/fleet/integrations/all` internal API endpoint
by adding an additional integration for packages having a single
integration which name doesn't match the package name.\r\n\r\nFor
packages with a single integration and matching package and integration
names there is only one integration returned with integration name and
title omitted.\r\n\r\nThere are different packages with
integrations\r\n\r\n- a package with multiple integrations\r\n- a
package without integrations\r\n- a package with only one integration
which name matches with the package name\r\n- a package with only one
integration which name doesn't match with the package name\r\n\r\nThe
latter case is `apm` package which has `apmServer` integration. For
example `Web Application Suspicious Activity: Unauthorized Method`
prebuilt rule specifies only `apm` package name which integration name
is empty.\r\n\r\n### Screenshots before\r\n\r\nInstallation rule preview
popover:\r\n<img width=\"1715\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033\">\r\n\r\nRule
details page:\r\n<img width=\"1722\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248\">\r\n\r\n###
Screenshots after\r\n\r\nInstallation rule preview popover:\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35\">\r\n\r\nRule
details page:\r\n<img width=\"1723\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae\">\r\n\r\nRule
details page (Elastic APM integration is installed and enabled):\r\n<img
width=\"1718\" alt=\"image\"
src=\"https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc\">","sha":"875d6e99f0304b3febb675faafadd60a1f9e2253"}}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <[email protected]>
@maximpn maximpn added the fixed label Jul 16, 2024
@maximpn
Copy link
Contributor Author

maximpn commented Jul 16, 2024

Hi @pborgonovi, the bug was fixed in #187200 and backported to 8.15 in #188336. Could you validate the bugfix?

@pborgonovi
Copy link
Contributor

Hi @maximpn . I've validated the fix on both latest 8.15 BC and 8.16 snapshot. Below are the evidences:

BEFORE:

Installation Rule Preview:

Screenshot 2024-07-23 at 9 59 46 AM

Rule Details:

Screenshot 2024-07-23 at 9 57 41 AM

AFTER:

Fix backported to 8.15:

Installation Rule Preview:

Screenshot 2024-07-23 at 10 08 26 AM

Rule Details:

Screenshot 2024-07-23 at 10 08 59 AM Screenshot 2024-07-23 at 10 09 11 AM

8.16 Snapshot:

Installation Rule Preview:

image

Rule Details:

image image

I'm closing this issue as fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.15 candidate bug Fixes for quality problems that affect the customer experience fixed Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Development

No branches or pull requests

3 participants