
[Security Solution] Prebuilt rule is duplicated during upgrade when its new version has a different rule type #161305

Closed
Tracked by #174167
banderror opened this issue Jul 5, 2023 · 5 comments · Fixed by #161331
Assignees
Labels
8.9 candidate blocker bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules fixed impact:critical This issue should be addressed immediately due to a critical level of impact on the product. QA:Validated Issue has been validated by QA Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.9.0

Comments

@banderror
Contributor

banderror commented Jul 5, 2023

🚨🚨🚨 This is a blocker for the 8.9.0 release 🚨🚨🚨

Related to: #161247 (comment)

Summary

When you have an installed prebuilt rule that can be upgraded, if Elastic has changed its type and in the new version it has a different rule type, then during the upgrade it will be duplicated -- instead of having 1 upgraded instance you will get 2 upgraded instances of the same rule.

Steps to reproduce

  1. I started a fresh Kibana instance with xpack.securitySolution.prebuiltRulesPackageVersion: '8.3.1' and with empty ES data.
  2. Made sure that 8.3.1 package version is installed in Integrations.
  3. Installed all prebuilt rules.
  4. Restarted Kibana without the xpack.securitySolution.prebuiltRulesPackageVersion setting.
  5. Checked that 8.9.1 package version is installed in Integrations.
  6. Saw 600+ prebuilt rules to upgrade and 100+ new prebuilt rules to install.
  7. Upgraded the 4 rules from [Security Solution] Support rule type changes in the rule upgrade workflow #161247 (comment) one by one (you might need to find them by their old names that you can see in the linked diffs). All those rules have a different rule type in 8.9.1 compared to 8.3.1.
  8. Upgraded the rest of the rules all at once.
  9. Installed all the new rules (UPD: the duplication seems to happen at this step).

Actual behavior: The 4 rules I was upgrading one by one became duplicated. Each of the 2 duplicates has the same signature rule_id, but different object ids. The other rules were upgraded correctly without creating duplicates.

Expected behavior: Rules should not be duplicated during an upgrade, regardless of the way you upgrade them: one by one, a few of them in bulk, all of them in bulk.

Screenshots

[Seven screenshots attached, taken 2023-07-05 between 22:02 and 22:13; images not reproduced here.]

Data

I was able to verify that only the 4 rules I was upgrading one by one have been duplicated:

```
## Number of rules in security-rule assets: 810
GET .kibana_security_solution/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term": { "type": "security-rule" } }
      ]
    }
  },
  "aggs": {
    "rules_by_signature_id": {
      "cardinality": {
        "field": "security-rule.rule_id"
      }
    }
  }
}
{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1775,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "rules_by_signature_id": {
      "value": 810
    }
  }
}
```
```
## Number of installed prebuilt rules: 817
## 4 of them are duplicates, 3 more were probably deprecated and removed from one of the newer packages
GET .kibana_alerting_cases/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term": { "type": "alert" } },
        { "term": { "alert.consumer": "siem" } }
      ]
    }
  },
  "aggs": {
    "rules_by_signature_id": {
      "terms": {
        "field": "alert.params.ruleId"
      }
    }
  }
}
#! this request accesses system indices: [.kibana_alerting_cases_8.10.0_001], but in a future major version, direct access to system indices will be prevented by default
{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 817,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "rules_by_signature_id": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 803,
      "buckets": [
        {
          "key": "2d8043ed-5bda-4caf-801c-c1feb7410504",
          "doc_count": 2
        },
        {
          "key": "a00681e3-9ed6-447c-ab2c-be648821c622",
          "doc_count": 2
        },
        {
          "key": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef",
          "doc_count": 2
        },
        {
          "key": "d76b02ef-fc95-4001-9297-01cb7412232f",
          "doc_count": 2
        },
        {
          "key": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
          "doc_count": 1
        },
        {
          "key": "00140285-b827-4aee-aa09-8113f58a08f3",
          "doc_count": 1
        },
        {
          "key": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd",
          "doc_count": 1
        },
        {
          "key": "00678712-b2df-11ed-afe9-f661ea17fbcc",
          "doc_count": 1
        },
        {
          "key": "0136b315-b566-482f-866c-1d8e2477ba16",
          "doc_count": 1
        },
        {
          "key": "015cca13-8832-49ac-a01b-a396114809f6",
          "doc_count": 1
        }
      ]
    }
  }
}
```
@banderror banderror added bug Fixes for quality problems that affect the customer experience impact:critical This issue should be addressed immediately due to a critical level of impact on the product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules v8.9.0 labels Jul 5, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror changed the title [Security Solution] Prebuilt rules are duplicated when upgraded one by one [Security Solution] Prebuilt rule is duplicated during upgrade when its new version has a different rule type Jul 7, 2023
banderror pushed a commit that referenced this issue Jul 7, 2023
…t rules (#161331)

Fixes: #161305

## Summary

- Passes a new `immutable` param to the `upgradeRule` method that is
used when upgrading rules.
- Looks like we had a longstanding bug here in which rule updates of
rule types that changed the type of the rule were overwriting the
`immutable` prop to `false`. (Actually, those rules were deleted and
recreated with `immutable: false`)
- This was causing the `fetchAllInstalledRules` method of our
`ruleObjectsClient` NOT to retrieve these rules when they were already
installed.
- Since our installation `_review` and `_perform` endpoints depend on
this client, these rules that had had their types updated were being
incorrectly listed as available for installation.

## Testing

Repeat testing steps laid out in:
#161305

Rules shouldn't be duplicated.


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
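A toy model of the failure chain the PR description above lays out, joined with the duplicate check from the issue's Data section, added here as an illustration. This is not Kibana's code: `RuleStore`, `installNewRules`, `simulateUpgrade`, `countByRuleId` and the `rule-a`/`rule-b`/`rule-c` data are assumptions constructed for the example, and `fetchAllInstalledRules` and `upgradeRule` borrow only their names from the description, not their real signatures.

```typescript
// Added example, not Kibana's code: a toy model of the prebuilt-rule upgrade path
// described in issue #161305 and in the PR #161331 description. Every name below
// (RuleStore, fetchAllInstalledRules, upgradeRule, installNewRules, simulateUpgrade)
// is an assumption made for illustration and does not mirror Kibana's real APIs.

type RuleType = "query" | "eql" | "new_terms";

interface Rule {
  id: string;         // saved-object id: unique per object
  rule_id: string;    // signature id: shared by every version of one prebuilt rule
  type: RuleType;
  version: number;
  immutable: boolean; // true marks an Elastic-managed (prebuilt) rule
}

interface RuleAsset {
  rule_id: string;
  type: RuleType;
  version: number;
}

type RuleStore = Rule[];

let nextObjectId = 0;
function newObjectId(): string {
  nextObjectId += 1;
  return "obj-" + nextObjectId;
}

// The prebuilt-rules client only sees rules flagged immutable; anything recreated
// with immutable:false becomes invisible to it, which is the root cause named in the PR.
function fetchAllInstalledRules(store: RuleStore): Rule[] {
  return store.filter((r) => r.immutable);
}

// Upgrade one installed rule to the asset from the newer package. A rule type change
// cannot be patched in place, so the old object is deleted and a new one created;
// `immutable` is carried over only if the caller passes it (the buggy path did not,
// so it defaulted to false).
function upgradeRule(store: RuleStore, current: Rule, target: RuleAsset, immutable = false): RuleStore {
  if (current.type === target.type) {
    return store.map((r) => (r.id === current.id ? { ...r, version: target.version } : r));
  }
  const recreated: Rule = {
    id: newObjectId(),
    rule_id: target.rule_id,
    type: target.type,
    version: target.version,
    immutable,
  };
  return store.filter((r) => r.id !== current.id).concat([recreated]);
}

// Install every asset whose rule_id the prebuilt client cannot find among installed rules.
function installNewRules(store: RuleStore, assets: RuleAsset[]): RuleStore {
  const installed: Record<string, true> = {};
  for (const r of fetchAllInstalledRules(store)) installed[r.rule_id] = true;
  const additions: Rule[] = assets
    .filter((a) => !installed[a.rule_id])
    .map((a) => ({ id: newObjectId(), rule_id: a.rule_id, type: a.type, version: a.version, immutable: true }));
  return store.concat(additions);
}

// Local equivalent of the issue's terms aggregation on alert.params.ruleId.
function countByRuleId(store: RuleStore): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of store) counts[r.rule_id] = (counts[r.rule_id] || 0) + 1;
  return counts;
}

// rule_ids present on more than one saved object (the four doc_count:2 buckets in the issue).
function duplicatedRuleIds(store: RuleStore): string[] {
  const counts = countByRuleId(store);
  return Object.keys(counts).filter((id) => counts[id] > 1).sort();
}

// Replays steps 7-9 of the report on constructed data: two installed prebuilt rules, of
// which rule-a changes type in the new package, plus one genuinely new rule.
function simulateUpgrade(passImmutable: boolean): { store: RuleStore; duplicates: string[] } {
  nextObjectId = 0;
  let store: RuleStore = [
    { id: newObjectId(), rule_id: "rule-a", type: "query", version: 1, immutable: true },
    { id: newObjectId(), rule_id: "rule-b", type: "query", version: 1, immutable: true },
  ];
  const newPackage: RuleAsset[] = [
    { rule_id: "rule-a", type: "new_terms", version: 2 }, // rule type changed
    { rule_id: "rule-b", type: "query", version: 2 },
    { rule_id: "rule-c", type: "eql", version: 1 },       // new in this package
  ];
  for (const asset of newPackage) {
    const current = store.filter((r) => r.rule_id === asset.rule_id)[0];
    if (!current) continue;
    store = passImmutable
      ? upgradeRule(store, current, asset, current.immutable) // fixed: immutable passed through
      : upgradeRule(store, current, asset);                   // buggy: defaults to false
  }
  store = installNewRules(store, newPackage); // step 9, where the duplication appeared
  return { store, duplicates: duplicatedRuleIds(store) };
}
```

`simulateUpgrade(false)` leaves two objects sharing `rule_id` `rule-a` with different object ids, the same shape as the four `doc_count: 2` buckets in the issue, while `simulateUpgrade(true)` leaves none. On a live cluster the issue's terms aggregation can be narrowed to duplicates only by adding `"min_doc_count": 2` to the `terms` body.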
@banderror banderror added the fixed label Jul 7, 2023
@banderror banderror reopened this Jul 7, 2023
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Jul 7, 2023
…t rules (elastic#161331)

Fixes: elastic#161305

(Same commit message as #161331 above.)

(cherry picked from commit 61fa0f5)
kibanamachine added a commit that referenced this issue Jul 7, 2023
…rebuilt rules (#161331) (#161455)

# Backport

This will backport the following commits from `main` to `8.9`:
- [[Security Solution] Set immutable param to true when updating
prebuilt rules (#161331)](#161331)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Juan Pablo Djeredjian <[email protected]>
@vgomez-el

Bug fixed and validated for 8.9 BC4.

Upgraded prebuilt rules from version 8.3.3 to 8.9.2

REC-20230718192721.mp4

@vgomez-el vgomez-el added the QA:Validated Issue has been validated by QA label Jul 18, 2023
@MadameSheema
Member

@vgomez-el can we close this ticket or is there any testing missing? Thanks! :)

@vgomez-el

sorry @MadameSheema, I forgot to close it. Everything was ok.
