
[Security Solution] Prebuilt rules marked as customized after applying updates #201631

Closed
Tracked by #201502
xcrzx opened this issue Nov 25, 2024 · 6 comments · Fixed by #202824
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.17.1 v8.18.0 v9.0.0

Comments

xcrzx commented Nov 25, 2024

Summary

Non-customized rules are incorrectly marked as customized after applying an update.

Steps to Reproduce

  1. Enable the rule customization feature flag
  2. Install rules from an older package version.
  3. Upgrade the rules package to the latest version.
  4. Find any upgradable rule without conflicts.
  5. Update the rule to the latest version accepting all incoming changes.

Expected Result

The rule is upgraded and remains marked as non-customized.

Actual Result

The rule is upgraded but is incorrectly marked as customized.

Initial analysis shows a difference in the lookback field between the saved updated rule and the target version. The value changes from -60s to 240s.

[Image attachment not reproduced]

@xcrzx xcrzx added 8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team v8.17.0 v8.18.0 v9.0.0 labels Nov 25, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@banderror

@xcrzx Is it with the feature flag ON or OFF?

@xcrzx

xcrzx commented Nov 26, 2024

> @xcrzx Is it with the feature flag ON or OFF?

This is with the feature flag enabled. Updated the ticket description.

@xcrzx

xcrzx commented Dec 3, 2024

The bug caused the `from` field of the rule to be less than the `interval`, which resulted in a negative lookback value and subsequently crashed Kibana. Here’s the Git diff with a possible fix:

index 7caa0469eeb..ba23bff67be 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 import { get, has } from 'lodash';
+import moment from 'moment';
 import type {
   RuleSchedule,
   DataSourceIndexPatterns,
@@ -15,6 +16,7 @@ import type {
 } from '../../../../../../common/api/detection_engine';
 import { type AllFieldsDiff } from '../../../../../../common/api/detection_engine';
 import type { PrebuiltRuleAsset } from '../../model/rule_assets/prebuilt_rule_asset';
+import { parseInterval } from '../../../rule_types/utils/utils';
 
 /**
  * Retrieves and transforms the value for a specific field from a DiffableRule group.
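Review bot: the `+import { parseInterval } from '../../../rule_types/utils/utils';` line makes the prebuilt-rules upgrade API depend on a helper from `rule_types`; confirm that this dependency direction fits the module layering this file already follows, and that `parseInterval` returns a nullish value (not a zero duration or a throw) for unparsable input, since the `?? moment.duration(0)` fallback in the `transformDiffableFieldValues` hunk relies on that contract.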
@@ -201,7 +203,11 @@ export const transformDiffableFieldValues = (
   diffableFieldValue: RuleSchedule | InlineKqlQuery | unknown
 ): TransformValuesReturnType => {
   if (fieldName === 'from' && isRuleSchedule(diffableFieldValue)) {
-    return { type: 'TRANSFORMED_FIELD', value: `now-${diffableFieldValue.lookback}` };
+    const interval = parseInterval(diffableFieldValue.interval) ?? moment.duration(0);
+    const parsedFrom = parseInterval(diffableFieldValue.lookback) ?? moment.duration(0);
+
+    const from = parsedFrom.asSeconds() + interval.asSeconds();
+    return { type: 'TRANSFORMED_FIELD', value: `now-${from}s` };
   } else if (fieldName === 'to') {
     return { type: 'TRANSFORMED_FIELD', value: `now` };
   } else if (fieldName === 'saved_id' && isInlineQuery(diffableFieldValue)) {
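Review bot: the two `?? moment.duration(0)` fallbacks on the `parseInterval(diffableFieldValue.interval)` and `parseInterval(diffableFieldValue.lookback)` lines silently turn an unparsable `interval` or `lookback` into zero, so a malformed schedule would be saved with `from` equal to `now-0s` or `now-<interval>s` instead of being rejected, and that rule would then be reported as customized for a reason nobody can see; prefer failing the transform (or at least logging) when either parse is nullish. Also consider `Math.round(parsedFrom.asSeconds() + interval.asSeconds())` before interpolating, since `asSeconds()` can yield a fractional value and the template string would then emit a `from` that is not a valid date-math string.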

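The following is an added example and not Kibana's code: it models the two directions of the `from` / `lookback` mapping described in the comment above (stored rule to diffable `RuleSchedule`, and back), applies both the pre-fix transform (`now-${lookback}`) and the post-fix transform (`now-${lookback + interval}s`), and then runs the "is this rule customized?" comparison a reviewer would want to see. `parseSeconds`, `lookbackFromStored`, `wouldBeMarkedCustomized` and `simulateUpgrade` are hypothetical names that stand in for Kibana's `parseInterval`, moment-based duration handling and customization check; the sample values are constructed, modelled on the `-60s` / `240s` pair mentioned in the issue.

```typescript
// Added example, not Kibana's own code: derives a prebuilt rule's `from`
// field from the diffable RuleSchedule { interval, lookback } the way the
// pre-fix and post-fix transforms do, and shows why the pre-fix result makes
// an untouched rule look customized after an upgrade.
// Assumption: parseSeconds() stands in for Kibana's parseInterval / moment
// duration handling and only accepts whole s/m/h/d units.

export interface RuleSchedule {
  interval: string; // how often the rule runs, e.g. "5m"
  lookback: string; // extra time searched beyond the interval, e.g. "-60s"
}

const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };

// "5m" -> 300, "-60s" -> -60, anything else -> null.
export function parseSeconds(value: string): number | null {
  const m = /^(-?\d+)([smhd])$/.exec(value.trim());
  if (m === null) return null;
  return Number(m[1]) * UNIT_SECONDS[m[2]];
}

// Seconds covered by a date-math `from` such as "now-240s" or "now--60s".
function fromToSeconds(from: string): number | null {
  const m = /^now-(.+)$/.exec(from.trim());
  return m === null ? null : parseSeconds(m[1]);
}

// Pre-fix transform: `now-${lookback}`; the interval is dropped entirely.
export function buggyFrom(s: RuleSchedule): string | null {
  return `now-${s.lookback}`;
}

// Post-fix transform: from = now - (lookback + interval), as in the diff above,
// but refusing to transform (null) instead of assuming 0 for unparsable input.
export function fixedFrom(s: RuleSchedule): string | null {
  const interval = parseSeconds(s.interval);
  const lookback = parseSeconds(s.lookback);
  if (interval === null || lookback === null) return null;
  return `now-${lookback + interval}s`;
}

// Inverse mapping used when a stored rule is turned into its diffable form:
// lookback = seconds covered by `from` minus the interval.
export function lookbackFromStored(from: string, interval: string): string | null {
  const covered = fromToSeconds(from);
  const iv = parseSeconds(interval);
  if (covered === null || iv === null) return null;
  return `${covered - iv}s`;
}

// The rule is flagged customized when the saved field differs from the target
// version. Compare as seconds so "now-4m" and "now-240s" count as equal.
export function wouldBeMarkedCustomized(savedFrom: string, targetFrom: string): boolean {
  const a = fromToSeconds(savedFrom);
  const b = fromToSeconds(targetFrom);
  return a === null || b === null || a !== b;
}

// End-to-end: target version -> diffable schedule -> transformed `from` ->
// customized check, with either transform plugged in.
export function simulateUpgrade(
  targetFrom: string,
  interval: string,
  transform: (s: RuleSchedule) => string | null
): { from: string | null; markedCustomized: boolean } {
  const lookback = lookbackFromStored(targetFrom, interval);
  if (lookback === null) return { from: null, markedCustomized: true };
  const from = transform({ interval, lookback });
  return {
    from,
    markedCustomized: from === null || wouldBeMarkedCustomized(from, targetFrom),
  };
}

// Constructed case: interval 5m, target from now-240s => diffable lookback -60s.
console.log(simulateUpgrade('now-240s', '5m', buggyFrom)); // { from: 'now--60s', markedCustomized: true }
console.log(simulateUpgrade('now-240s', '5m', fixedFrom)); // { from: 'now-240s', markedCustomized: false }
```

The interesting branch is the negative lookback: a rule whose `from` window is shorter than its `interval` has a negative diffable `lookback`, and the pre-fix transform writes that negative value straight into `from`, which is both the crash the comment describes and the reason the saved rule no longer matches its target version.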
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 10, 2024
…upgrade/_perform` route (elastic#202824)

**Fixes: elastic#202575
**Fixes: elastic#201631
**Partially addresses: elastic#202715

## Summary

All bugs have the same source

> [!NOTE]
> This bug/related fix is only visible with the
`prebuiltRulesCustomizationEnabled` feature flag turned on.

Fixes an issue where unedited prebuilt rules were being marked as
"Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint
where the `from` field was incorrectly calculated via the `lookback`
field. Solves multiple bugs where prebuilt rules were marked as
"Modified" incorrectly when they were upgraded

See reproduce steps in related tickets
([example](elastic#202575 (comment)))

### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 93112b9)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 10, 2024
…upgrade/_perform` route (elastic#202824)
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
…upgrade/_perform` route (elastic#202824)