[Security Solution] Disable legacy rules on upgrade to 8.x#121442
[Security Solution] Disable legacy rules on upgrade to 8.x#121442madirey merged 13 commits intoelastic:mainfrom
Conversation
This reverts commit 021ec0f.
madirey
changed the title
madirey
added
needs_docs
Team: SecuritySolution
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
|
expected head sha didn’t match current head ref. |
| attributes: { | ||
| ...doc.attributes, | ||
| alertTypeId: ruleTypeMappings[ruleType], | ||
| enabled: false, |
There was a problem hiding this comment.
@elastic/kibana-alerting-services is this sufficient for disabling a rule during migration. Or because the task still exists, the rule runs regardless?
There was a problem hiding this comment.
As of 8.1, we have this logic in place to skip running rules when they are disabled: #119239
That hasn't been backported to 8.0 though, so maybe it needs to be to support this PR
There was a problem hiding this comment.
Even if we backported the above-mentioned PR, I'm wondering if 2 tasks will run when the rule does get enabled. Since we're just setting enabled to false here but the scheduled task still exists, a new task document will get created when the rule gets enabled and then both tasks will run
There was a problem hiding this comment.
As part of this PR, we also delete the code that registered the old rule type so the old task still exists but it doesn't get picked up by task manager to actually execute since it can't find the executor logic.
There was a problem hiding this comment.
Gotcha! Verified that this all works as expected. It will just leave an API key that is never invalidated. Is that a big deal @mikecote ?
There was a problem hiding this comment.
From a platform perspective, it is ok, it will not cause any harm leaving API keys behind. If folks in the security solution are ok with this caveat, we should be ok.
|
@elasticmachine merge upstream |
|
merge conflict between base and head |
ymao1
left a comment
ymao1
left a comment
There was a problem hiding this comment.
Can we update the unit tests for x-pack/plugins/alerting/server/saved_objects/migrations.ts to test for this migration? We also have alerting migration functional tests but it sounds like there might already be security solutions functional tests to cover this?
|
@ymao1 Added tests! |
ymao1
left a comment
ymao1
left a comment
There was a problem hiding this comment.
LGTM! Thanks for adding the tests.
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
madirey
added
the
auto-backport
💔 All backports failed
How to fixRe-run the backport manually: Questions ?Please refer to the Backport tool documentation |
…21442) * Disable legacy rule and notify user to upgrade * Ensure rules are disabled on upgrade * Fix dupe detection on upgrade * Revert "Fix dupe detection on upgrade" This reverts commit 021ec0f. * Add legacy notification * Add tests for 8.0 security_solution rule migration Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 1ddb647) # Conflicts: # x-pack/plugins/alerting/server/saved_objects/migrations.ts # x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts # x-pack/plugins/security_solution/server/plugin.ts
|
UPDATE: Please disregard, this is working as expected! |
|
That would not be what I expect (and also not what I observed when I tried running it locally). Both the alerting rule & the scheduled task with the legacy task type should exist after the migration. The first time task manager claims the task, it should mark it as A new scheduled task with the new task task type should not be created until the rule is enabled by the user. |
…1442) (#122695) * [Security Solution] Disable legacy rules on upgrade to 8.x (#121442) * Disable legacy rule and notify user to upgrade * Ensure rules are disabled on upgrade * Fix dupe detection on upgrade * Revert "Fix dupe detection on upgrade" This reverts commit 021ec0f. * Add legacy notification * Add tests for 8.0 security_solution rule migration Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 1ddb647) # Conflicts: # x-pack/plugins/alerting/server/saved_objects/migrations.ts # x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts # x-pack/plugins/security_solution/server/plugin.ts * RawRule should be RawAlert in 8.0
|
@ymao1 Thanks, I'm not sure what I was seeing, but I'm not seeing it now. I think this is working as expected. 👍 |
7 participants
Summary
This PR modifies the alerting migration for Detection Engine rules to disable each rule on upgrade to 8.x. This ensures that legacy rules will no longer fire, in the case that the customer failed to disable the rules manually before upgrading. The rules will need to be re-enabled once the upgrade is complete, which is in line with current customer guidance.
@jmikell821 Can we verify that our documentation reflects the steps above? They should no longer need to disable their rules before upgrading, but they will need to go back in and re-enable all their rules post-upgrade (from pre-8.0 to 8.x). cc: @marshallmain
@MadameSheema Should we add upgrade tests to cover this? cc: @rylnd
There is a related issue where dupes can occur after upgrading ... I'll create a separate issue for that.
For maintainers