Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SIEM] Removing a Rule's Action breaks Rule execution #64870

Closed
tsg opened this issue Apr 30, 2020 · 7 comments · Fixed by #67364 or #68184
Closed

[SIEM] Removing a Rule's Action breaks Rule execution #64870

tsg opened this issue Apr 30, 2020 · 7 comments · Fixed by #67364 or #68184
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@tsg
Copy link
Contributor

tsg commented Apr 30, 2020

[reported originally by @rylnd)

Kibana version: 7.7.0

After an action is removed from a rule, the rule fails to execute. To resolve this, disable and then re-enable the rule.

This is present on master and 7.7.

Steps to Reproduce

  1. Create and activate a Rule with an Action
    • any action type and frequency work, but easiest to test with on each rule execution
    • similar to above, running the rule every 30s eases testing
  2. (optional): wait for the rule to execute, generate signals, and fire the action
    • this is the pre-bug sanity check
  3. Edit the Rule and "deactivate" its Action by changing its Actions Frequency to perform no actions
  4. Observe errant behaviors:
    • Rule no longer generates signals
    • Rule no longer reports success/failure (Last response will remain as it was prior to step 3)
    • if running locally, kibana logs should show an error:
      server    log   [12:20:57.406] [error][encryptedSavedObjects][plugins] Failed to decrypt "apiKey" attribute: Unsupported state or unable to authenticate data
      server    log   [12:20:57.406] [error][alerting][alerting][plugins][plugins] Executing Alert "684c28a5-a49d-490b-9c9b-26dc865e641c" has resulted in Error: Unable to decrypt attribute "apiKey"
      

NB That querying the corresponding task, we find that it still exists in the "idle" state:

GET .kibana_task_manager*/_search
{"query":{"match":{"task.taskType":"alerting:siem.signals"}}}
@tsg tsg added bug Fixes for quality problems that affect the customer experience Team:SIEM labels Apr 30, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@tsg tsg changed the title Removing a Rule's Action breaks Rule execution [SIEM] Removing a Rule's Action breaks Rule execution Apr 30, 2020
@rylnd
Copy link
Contributor

rylnd commented May 8, 2020

This is a consequence of #53868, which is currently blocked and under discussion.

@rylnd
Copy link
Contributor

rylnd commented May 13, 2020

Dev update: we have a temporary solution in the following diff:

diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
index f15154a096..29dd52cc57 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
@@ -138,6 +138,7 @@ export const updateRulesRoute = (router: IRouter, ml: SetupPlugins['ml']) => {
             ruleActions,
             ruleStatuses.saved_objects[0]
           );
+          await alertsClient.updateApiKey({ id: rule.id });
           if (errors != null) {
             return siemResponse.error({ statusCode: 500, body: errors });
           } else {

It's not ideal as the call to updateApiKey itself logs an error when removing the rule's action, but it does allow the rule to continue executing sans actions. If acceptable we'll have to add a similar fix to all patch/update rule routes that can delete actions.

However, we're still digging into the underlying cause here, so we'll be roping in Alerting for some assistance before this ships.

@mikecote
Copy link
Contributor

Failed to decrypt "apiKey" attribute: Unsupported state or unable to authenticate data usually means data has change since it was last encrypted. This can happen when doing a partial update or when the Elasticsearch document merges json on update. You can tell the latter by comparing alert params on update vs what is stored in the document in ES after update.

I don't think #53868 will solve the issue because that is to handle invalidating API keys where this issue is trying to decrypt the API key from a saved object.

@mikecote
Copy link
Contributor

If it's confirmed that the alert params get merged with old values on update, this file x-pack/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts would need to set default null values to all the optional properties.

@rylnd
Copy link
Contributor

rylnd commented May 27, 2020

7.7: #67426

@MadameSheema
Copy link
Member

Fixed in 7.7.1 :)

rylnd added a commit to rylnd/kibana that referenced this issue Jun 3, 2020
This fixes elastic#64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
rylnd added a commit that referenced this issue Jun 4, 2020
This fixes #64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
rylnd added a commit to rylnd/kibana that referenced this issue Jun 4, 2020
…#68184)

This fixes elastic#64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
# Conflicts:
#	x-pack/plugins/security_solution/public/alerts/components/rules/step_rule_actions/index.tsx
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_rules_notifications.ts
rylnd added a commit that referenced this issue Jun 5, 2020
…#68300)

This fixes #64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
# Conflicts:
#	x-pack/plugins/security_solution/public/alerts/components/rules/step_rule_actions/index.tsx
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_rules_notifications.ts
rylnd added a commit that referenced this issue Jun 5, 2020
…#68299)

This fixes #64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
rylnd added a commit that referenced this issue Jun 9, 2020
…#68681)

This fixes #64870 _for real_.

The issue ended up being caused by a
conditional form field that mapped to a nested field on the rule's
params: when a rule is created with an action, it has a
meta.kibana_siem_app_url field. When the rule's actions were removed via
the UI, that field was _also_ removed, which broke AAD and thus rule
execution.

This fixes the issue by making that field unconditional, and also
removes the previous workaround.
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM
Projects
None yet
7 participants