-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIEM] Removing a Rule's Action breaks Rule execution #64870
Comments
Pinging @elastic/siem (Team:SIEM) |
This is a consequence of #53868, which is currently blocked and under discussion. |
Dev update: we have a temporary solution in the following diff: diff --git a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
index f15154a096..29dd52cc57 100644
--- a/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
+++ b/x-pack/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
@@ -138,6 +138,7 @@ export const updateRulesRoute = (router: IRouter, ml: SetupPlugins['ml']) => {
ruleActions,
ruleStatuses.saved_objects[0]
);
+ await alertsClient.updateApiKey({ id: rule.id });
if (errors != null) {
return siemResponse.error({ statusCode: 500, body: errors });
} else { It's not ideal as the call to However, we're still digging into the underlying cause here, so we'll be roping in Alerting for some assistance before this ships. |
I don't think #53868 will solve the issue because that is to handle invalidating API keys where this issue is trying to decrypt the API key from a saved object. |
If it's confirmed that the alert params get merged with old values on update, this file |
7.7: #67426 |
Fixed in 7.7.1 :) |
This fixes elastic#64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround.
This fixes #64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround.
…#68184) This fixes elastic#64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround. # Conflicts: # x-pack/plugins/security_solution/public/alerts/components/rules/step_rule_actions/index.tsx # x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_rules_notifications.ts
…#68300) This fixes #64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround. # Conflicts: # x-pack/plugins/security_solution/public/alerts/components/rules/step_rule_actions/index.tsx # x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_rules_notifications.ts
…#68299) This fixes #64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround.
…#68681) This fixes #64870 _for real_. The issue ended up being caused by a conditional form field that mapped to a nested field on the rule's params: when a rule is created with an action, it has a meta.kibana_siem_app_url field. When the rule's actions were removed via the UI, that field was _also_ removed, which broke AAD and thus rule execution. This fixes the issue by making that field unconditional, and also removes the previous workaround.
[reported originally by @rylnd)
Kibana version: 7.7.0
After an action is removed from a rule, the rule fails to execute. To resolve this, disable and then re-enable the rule.
This is present on master and 7.7.
Steps to Reproduce
on each rule execution
perform no actions
Last response
will remain as it was prior to step 3)NB That querying the corresponding task, we find that it still exists in the "idle" state:
The text was updated successfully, but these errors were encountered: