[Security Solution] Implement rule upgrade concurrency control #200134

xcrzx · 2024-11-14T09:54:49Z

Summary

The UpgradePrebuiltRulesTableContext currently doesn’t consider rule revisions and target versions. It's possible for users to start resolving rule upgrades in the UI while a new package version is installed in the background. In such cases, all user-resolved values should be invalidated to prevent potential issues. Without this, users may unknowingly apply updates to an outdated version, resulting in unpredictable outcomes and difficult-to-debug situations.

User-resolved values should be invalidated in the following situations:

A rule with a higher revision has been fetched. In this case, another user concurrently edited the rule
A target rule with a higher version has been fetched. In this case, a newer rule package version was installed asynchronously

The text was updated successfully, but these errors were encountered:

elasticmachine · 2024-11-14T09:54:51Z

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine · 2024-11-14T09:54:52Z

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine · 2024-11-14T09:54:52Z

Pinging @elastic/security-detections-response (Team:Detections and Resp)

…e workflow (#203604) **Resolves:** #200134 ## Summary This PR implements concurrency control to make sure user has the recent rule updates data in Rule Upgrade flyout. Any modifications saved in Rule Upgrade flyout are reset upon new `revision` or `version` detected. ## Details Concurrency control is important to provide better UX. Multiple users work in Kibana in parallel and new prebuilt rules package version can be released in any time. Attempts to upgrade a rule with outdated `revision` and/or `version` results in failed request. Users may experience multiple rule upgrade failure in that case causing a lot of confusion. More experienced users may guess to reload the page to continue. Typical reasons leading to `revision` and/or `version` change are the following - Current rule has been edited will bump rule's `revision`. For example the rule currently shown in Rule Upgrade flyout has been edited by someone else. - Prebuilt rules package got released will give provide rule assets with higher `version`. Rules having upgrades in the currently installed package and in a new one are affected. This PR mitigates the described issues by implementing concurrency control. It sets up `_review` API endpoint refetch interval to 5 minutes to fetch fresh data. In case a higher `revision` or `version` is detected for some rule this rule's resolved conflicts and customizations performed in Rule Upgrade flyout get cleared. ## Screenshots - `revision` change (refresh interval was reduced to 30 seconds to make the video shorter) https://github.com/user-attachments/assets/98d2a22f-9338-482a-a7b2-1e170b9642ce - `version` change (refresh interval was reduced to 1 minute to make the video shorter) https://github.com/user-attachments/assets/2b7c23f0-5a50-471e-aa7f-8d9b2aecc957 ## How to test locally There are two cases for testing - `revision` change - `version` change ### Test `revision` change Revision change means the rule has been edited. Use the following steps to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for some rule - Make changes to rule field(s) and save them (do not upgrade the rule) - Open the other web browser tab with Kibana - Navigate to the same rule's editing page - Change any field and save the changes - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got reverted ### Test `version` change Version change means a new package version was released. Do the following to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.15.2` in `kibana.dev.yaml` - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for a rule having updates in packages `v8.15.2` and `.8.17.1-beta.1` for example `Suspicious Web Browser Sensitive File Access` - Make changes to rule field(s) and save them (do not upgrade the rule) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.17.1-beta.1` in `kibana.dev.yaml` - Open the other web browser tab with Kibana - Navigate to Security Solution plugin to install the OR install the package `8.17.1-beta.1` via API request ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.17.1-beta.1 ``` - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got the recent target rule values Alternatively you can spin up EPR locally and publish package updates with rule's version bumped.

…e workflow (elastic#203604) **Resolves:** elastic#200134 ## Summary This PR implements concurrency control to make sure user has the recent rule updates data in Rule Upgrade flyout. Any modifications saved in Rule Upgrade flyout are reset upon new `revision` or `version` detected. ## Details Concurrency control is important to provide better UX. Multiple users work in Kibana in parallel and new prebuilt rules package version can be released in any time. Attempts to upgrade a rule with outdated `revision` and/or `version` results in failed request. Users may experience multiple rule upgrade failure in that case causing a lot of confusion. More experienced users may guess to reload the page to continue. Typical reasons leading to `revision` and/or `version` change are the following - Current rule has been edited will bump rule's `revision`. For example the rule currently shown in Rule Upgrade flyout has been edited by someone else. - Prebuilt rules package got released will give provide rule assets with higher `version`. Rules having upgrades in the currently installed package and in a new one are affected. This PR mitigates the described issues by implementing concurrency control. It sets up `_review` API endpoint refetch interval to 5 minutes to fetch fresh data. In case a higher `revision` or `version` is detected for some rule this rule's resolved conflicts and customizations performed in Rule Upgrade flyout get cleared. ## Screenshots - `revision` change (refresh interval was reduced to 30 seconds to make the video shorter) https://github.com/user-attachments/assets/98d2a22f-9338-482a-a7b2-1e170b9642ce - `version` change (refresh interval was reduced to 1 minute to make the video shorter) https://github.com/user-attachments/assets/2b7c23f0-5a50-471e-aa7f-8d9b2aecc957 ## How to test locally There are two cases for testing - `revision` change - `version` change ### Test `revision` change Revision change means the rule has been edited. Use the following steps to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for some rule - Make changes to rule field(s) and save them (do not upgrade the rule) - Open the other web browser tab with Kibana - Navigate to the same rule's editing page - Change any field and save the changes - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got reverted ### Test `version` change Version change means a new package version was released. Do the following to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.15.2` in `kibana.dev.yaml` - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for a rule having updates in packages `v8.15.2` and `.8.17.1-beta.1` for example `Suspicious Web Browser Sensitive File Access` - Make changes to rule field(s) and save them (do not upgrade the rule) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.17.1-beta.1` in `kibana.dev.yaml` - Open the other web browser tab with Kibana - Navigate to Security Solution plugin to install the OR install the package `8.17.1-beta.1` via API request ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.17.1-beta.1 ``` - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got the recent target rule values Alternatively you can spin up EPR locally and publish package updates with rule's version bumped. (cherry picked from commit 1929279)

…e workflow (elastic#203604) **Resolves:** elastic#200134 ## Summary This PR implements concurrency control to make sure user has the recent rule updates data in Rule Upgrade flyout. Any modifications saved in Rule Upgrade flyout are reset upon new `revision` or `version` detected. ## Details Concurrency control is important to provide better UX. Multiple users work in Kibana in parallel and new prebuilt rules package version can be released in any time. Attempts to upgrade a rule with outdated `revision` and/or `version` results in failed request. Users may experience multiple rule upgrade failure in that case causing a lot of confusion. More experienced users may guess to reload the page to continue. Typical reasons leading to `revision` and/or `version` change are the following - Current rule has been edited will bump rule's `revision`. For example the rule currently shown in Rule Upgrade flyout has been edited by someone else. - Prebuilt rules package got released will give provide rule assets with higher `version`. Rules having upgrades in the currently installed package and in a new one are affected. This PR mitigates the described issues by implementing concurrency control. It sets up `_review` API endpoint refetch interval to 5 minutes to fetch fresh data. In case a higher `revision` or `version` is detected for some rule this rule's resolved conflicts and customizations performed in Rule Upgrade flyout get cleared. ## Screenshots - `revision` change (refresh interval was reduced to 30 seconds to make the video shorter) https://github.com/user-attachments/assets/98d2a22f-9338-482a-a7b2-1e170b9642ce - `version` change (refresh interval was reduced to 1 minute to make the video shorter) https://github.com/user-attachments/assets/2b7c23f0-5a50-471e-aa7f-8d9b2aecc957 ## How to test locally There are two cases for testing - `revision` change - `version` change ### Test `revision` change Revision change means the rule has been edited. Use the following steps to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for some rule - Make changes to rule field(s) and save them (do not upgrade the rule) - Open the other web browser tab with Kibana - Navigate to the same rule's editing page - Change any field and save the changes - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got reverted ### Test `version` change Version change means a new package version was released. Do the following to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.15.2` in `kibana.dev.yaml` - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for a rule having updates in packages `v8.15.2` and `.8.17.1-beta.1` for example `Suspicious Web Browser Sensitive File Access` - Make changes to rule field(s) and save them (do not upgrade the rule) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.17.1-beta.1` in `kibana.dev.yaml` - Open the other web browser tab with Kibana - Navigate to Security Solution plugin to install the OR install the package `8.17.1-beta.1` via API request ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.17.1-beta.1 ``` - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got the recent target rule values Alternatively you can spin up EPR locally and publish package updates with rule's version bumped.

maximpn · 2025-01-08T14:30:46Z

The functionality is implemented in #203604 and backported to 8.x in #205877.

…e workflow (elastic#203604) **Resolves:** elastic#200134 ## Summary This PR implements concurrency control to make sure user has the recent rule updates data in Rule Upgrade flyout. Any modifications saved in Rule Upgrade flyout are reset upon new `revision` or `version` detected. ## Details Concurrency control is important to provide better UX. Multiple users work in Kibana in parallel and new prebuilt rules package version can be released in any time. Attempts to upgrade a rule with outdated `revision` and/or `version` results in failed request. Users may experience multiple rule upgrade failure in that case causing a lot of confusion. More experienced users may guess to reload the page to continue. Typical reasons leading to `revision` and/or `version` change are the following - Current rule has been edited will bump rule's `revision`. For example the rule currently shown in Rule Upgrade flyout has been edited by someone else. - Prebuilt rules package got released will give provide rule assets with higher `version`. Rules having upgrades in the currently installed package and in a new one are affected. This PR mitigates the described issues by implementing concurrency control. It sets up `_review` API endpoint refetch interval to 5 minutes to fetch fresh data. In case a higher `revision` or `version` is detected for some rule this rule's resolved conflicts and customizations performed in Rule Upgrade flyout get cleared. ## Screenshots - `revision` change (refresh interval was reduced to 30 seconds to make the video shorter) https://github.com/user-attachments/assets/98d2a22f-9338-482a-a7b2-1e170b9642ce - `version` change (refresh interval was reduced to 1 minute to make the video shorter) https://github.com/user-attachments/assets/2b7c23f0-5a50-471e-aa7f-8d9b2aecc957 ## How to test locally There are two cases for testing - `revision` change - `version` change ### Test `revision` change Revision change means the rule has been edited. Use the following steps to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for some rule - Make changes to rule field(s) and save them (do not upgrade the rule) - Open the other web browser tab with Kibana - Navigate to the same rule's editing page - Change any field and save the changes - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got reverted ### Test `version` change Version change means a new package version was released. Do the following to test it - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.15.2` in `kibana.dev.yaml` - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Open Rule upgrade flyout for a rule having updates in packages `v8.15.2` and `.8.17.1-beta.1` for example `Suspicious Web Browser Sensitive File Access` - Make changes to rule field(s) and save them (do not upgrade the rule) - Set `xpack.securitySolution.prebuiltRulesPackageVersion: 8.17.1-beta.1` in `kibana.dev.yaml` - Open the other web browser tab with Kibana - Navigate to Security Solution plugin to install the OR install the package `8.17.1-beta.1` via API request ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.17.1-beta.1 ``` - Return back to the first tab and wait for data to be refetched (data refresh interval is 5 minutes, wait for `_review` request in the Dev Tool's Network tab) - Make sure the changes you made for field(s) got the recent target rule values Alternatively you can spin up EPR locally and publish package updates with rule's version bumped.

This was referenced Nov 14, 2024

[Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 3 #174168

Open

[Security Solution] Integrate Prebuilt Rules Customization UI with the _perform upgrade API #199761

Merged

banderror assigned maximpn Nov 15, 2024

banderror added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Nov 15, 2024

banderror mentioned this issue Nov 23, 2024

[Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 3 bugs #201502

Open

banderror added the v8.18.0 label Nov 23, 2024

banderror mentioned this issue Nov 27, 2024

[Security Solution] Tests for prebuilt rule upgrade workflow #202078

Open

8 tasks

maximpn mentioned this issue Dec 10, 2024

[Security Solution] Implement concurrency control for Prebuilt Upgrade workflow #203604

Merged

maximpn closed this as completed Jan 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] Implement rule upgrade concurrency control #200134

[Security Solution] Implement rule upgrade concurrency control #200134

xcrzx commented Nov 14, 2024 •

edited

Loading

elasticmachine commented Nov 14, 2024

elasticmachine commented Nov 14, 2024

elasticmachine commented Nov 14, 2024

maximpn commented Jan 8, 2025

[Security Solution] Implement rule upgrade concurrency control #200134

[Security Solution] Implement rule upgrade concurrency control #200134

Comments

xcrzx commented Nov 14, 2024 • edited Loading

Summary

elasticmachine commented Nov 14, 2024

elasticmachine commented Nov 14, 2024

elasticmachine commented Nov 14, 2024

maximpn commented Jan 8, 2025

xcrzx commented Nov 14, 2024 •

edited

Loading