[SIEM][Detection Engine] critical blocker, fixes ordering issue that causes rules to not run the first time

FrankHassanabad · web-flow · commit 2bab2cc84a81 · 2020-01-28T16:37:25.000-07:00
## Summary Fixes ordering issue that @mikecote found for us with rules where we need to first update the rule before trying to enable it so there aren't issues with API keys. These types of errors should no longer be seen: ``` {"type":"log","@timestamp":"2020-01-11T09:06:25-07:00","tags":["error","plugins","siem"],"pid":61190,"message":"Error from signal rule name: \"Windows Execution via Connection Manager\", id: \"0624c880-8e64-4c7c-90b4-226b77311ac4\", rule_id: \"f2728299-167a-489c-913c-2e0955ac3c40\" message: [security_exception] missing authentication credentials for REST request [/auditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"} ``` Testing: ```ts ./hard_reset.sh ``` Then load the pre-packaged rules and enable them all at once. Ensure you don't see any errors such as the ones above. ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
@@ -5,6 +5,7 @@
  */
 
 import { defaults, pickBy, isEmpty } from 'lodash/fp';
+import { PartialAlert } from '../../../../../alerting/server/types';
 import { readRules } from './read_rules';
 import { UpdateRuleParams, IRuleSavedAttributesSavedObjectAttributes } from './types';
 import { addTags } from './add_tags';
@@ -108,7 +109,7 @@ export const updateRules = async ({
   type,
   references,
   version,
-}: UpdateRuleParams) => {
+}: UpdateRuleParams): Promise<PartialAlert | null> => {
   const rule = await readRules({ alertsClient, ruleId, id });
   if (rule == null) {
     return null;
@@ -169,6 +170,18 @@ export const updateRules = async ({
     }
   );
 
+  const update = await alertsClient.update({
+    id: rule.id,
+    data: {
+      tags: addTags(tags ?? rule.tags, rule.params.ruleId, immutable ?? rule.params.immutable),
+      name: calculateName({ updatedName: name, originalName: rule.name }),
+      schedule: {
+        interval: calculateInterval(interval, rule.schedule.interval),
+      },
+      actions: rule.actions,
+      params: nextParams,
+    },
+  });
   if (rule.enabled && enabled === false) {
     await alertsClient.disable({ id: rule.id });
   } else if (!rule.enabled && enabled === true) {
@@ -194,16 +207,10 @@ export const updateRules = async ({
   } else {
     // enabled is null or undefined and we do not touch the rule
   }
-  return alertsClient.update({
-    id: rule.id,
-    data: {
-      tags: addTags(tags ?? rule.tags, rule.params.ruleId, immutable ?? rule.params.immutable),
-      name: calculateName({ updatedName: name, originalName: rule.name }),
-      schedule: {
-        interval: calculateInterval(interval, rule.schedule.interval),
-      },
-      actions: rule.actions,
-      params: nextParams,
-    },
-  });
+
+  if (enabled != null) {
+    return { ...update, enabled };
+  } else {
+    return update;
+  }
 };
