[Security Solution] Integration status isn't shown for some rules #187199
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
…tion per package (#187200)

**Resolves:** #187199

## Summary

This PR fixes displaying the related integration status for rules referring to packages with a single integration. A good example is the `Web Application Suspicious Activity: Unauthorized Method` rule, which refers to the `APM` integration. The package and integration names don't match, but the prebuilt rule only refers to a package name, omitting the integration name.

## Details

This fix changes the response of the `GET /internal/detection_engine/fleet/integrations/all` internal API endpoint by adding an additional integration for packages having a single integration whose name doesn't match the package name.

For packages with a single integration and matching package and integration names, only one integration is returned, with the integration name and title omitted.

There are different kinds of packages with integrations:

- a package with multiple integrations
- a package without integrations
- a package with only one integration whose name matches the package name
- a package with only one integration whose name doesn't match the package name

The latter case is the `apm` package, which has the `apmServer` integration. For example, the `Web Application Suspicious Activity: Unauthorized Method` prebuilt rule specifies only the `apm` package name, and its integration name is empty.

### Screenshots before

Installation rule preview popover:
<img width="1715" alt="image" src="https://github.com/elastic/kibana/assets/3775283/80f3d01f-5276-425b-835a-c78b69eab033">

Rule details page:
<img width="1722" alt="image" src="https://github.com/elastic/kibana/assets/3775283/85c833f9-b841-4016-8db9-43d4c68f1248">

### Screenshots after

Installation rule preview popover:
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/a0ca1b4b-ebab-4de5-a169-1f6e55c74f35">

Rule details page:
<img width="1723" alt="image" src="https://github.com/elastic/kibana/assets/3775283/f647e536-2bc6-4ab8-8f4e-b4e923afb9ae">

Rule details page (Elastic APM integration is installed and enabled):
<img width="1718" alt="image" src="https://github.com/elastic/kibana/assets/3775283/33d12f7d-d9b9-43c3-9162-9bf7c6e015fc">
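As an added example (not Kibana's own code), the list-building rule from the Details section above, with the pre-fix shape beside the fixed one, and a resolver that shows why a rule referring only to the `apm` package found no entry before the fix. The field names, the `related_integrations` reference shape and the sample packages are assumptions made for this illustration.

```typescript
// Added example, not Kibana's code: reconstructs the list-building rule described
// above. Field names and the sample packages are assumptions for this illustration.
interface PackageInfo {
  name: string; title: string; installed: boolean;
  integrations: { name: string; title: string }[];
}
interface RelatedIntegration {
  package_name: string; package_title: string; is_installed: boolean;
  integration_name?: string; integration_title?: string;
}
// Assumed shape of a prebuilt rule's related_integrations entry (integration is optional).
interface RuleIntegrationRef { package: string; integration?: string }

// Builds the list returned by `GET /internal/detection_engine/fleet/integrations/all`.
// With `fixed === false` a single integration whose name differs from the package
// name is listed under the integration name only (the pre-fix behaviour).
function buildIntegrationsList(packages: PackageInfo[], fixed = true): RelatedIntegration[] {
  const out: RelatedIntegration[] = [];
  for (const pkg of packages) {
    const base: RelatedIntegration = { package_name: pkg.name, package_title: pkg.title, is_installed: pkg.installed };
    const named = (i: { name: string; title: string }): RelatedIntegration =>
      ({ ...base, integration_name: i.name, integration_title: i.title });
    if (pkg.integrations.length === 0) {
      out.push(base); // package without integrations
    } else if (pkg.integrations.length === 1 && pkg.integrations[0].name === pkg.name) {
      out.push(base); // single integration named like the package: one entry, name and title omitted
    } else if (pkg.integrations.length === 1) {
      if (fixed) out.push(base); // e.g. apm/apmServer: also emit the package-level entry
      out.push(named(pkg.integrations[0]));
    } else {
      pkg.integrations.forEach((i) => out.push(named(i))); // multiple integrations: one entry each
    }
  }
  return out;
}

// Resolves a rule's related integration reference to a list entry; a reference
// without an integration name only matches an entry whose name is omitted.
function resolveRuleIntegration(list: RelatedIntegration[], ref: RuleIntegrationRef): RelatedIntegration | undefined {
  return list.find((i) => i.package_name === ref.package && (i.integration_name ?? '') === (ref.integration ?? ''));
}

// Constructed sample catalogue covering the four package shapes listed above.
const SAMPLE_PACKAGES: PackageInfo[] = [
  { name: 'aws', title: 'AWS', installed: true, integrations: [{ name: 'cloudtrail', title: 'AWS CloudTrail' }, { name: 's3', title: 'AWS S3' }] },
  { name: 'system', title: 'System', installed: true, integrations: [{ name: 'system', title: 'System' }] },
  { name: 'apm', title: 'Elastic APM', installed: true, integrations: [{ name: 'apmServer', title: 'Elastic APM' }] },
  { name: 'ti_custom', title: 'Custom Threat Intel', installed: false, integrations: [] },
];
```

With `fixed = false`, `resolveRuleIntegration(list, { package: 'apm' })` returns `undefined`, which is exactly the missing status the issue reports; with the fix the package-level `apm` entry is found and its `is_installed` flag can be shown.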
…integration per package (#187200) (#188336)

# Backport

This will backport the following commits from `main` to `8.15`:

- [[Security Solution] Fix showing integration status for single integration per package (#187200)](#187200)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Maxim Palenov <[email protected]>
Hi @pborgonovi, the bug was fixed in #187200 and backported to

Hi @maximpn. I've validated the fix on both the latest 8.15 BC and the 8.16 snapshot. Below is the evidence:

BEFORE:
Installation Rule Preview:
Rule Details:

AFTER:
Fix backported to 8.15:
Installation Rule Preview:
Rule Details:

8.16 Snapshot:
Installation Rule Preview:
Rule Details:

I'm closing this issue as fixed.
Relates to: #173595
Summary

Integration status isn't shown for some prebuilt rules, e.g. `Web Application Suspicious Activity: Unauthorized Method`. The rule has the `APM` related integration, but its status isn't shown either in the installation rule preview popover or on the rule details page. Kibana 8.14 doesn't have this issue, which may indicate that #178295 is the cause of this bug.

Screenshots
Installation rule preview popover:
Rule details page: