[Security Solution][Detection Engine] fixes siem-signal update when it was reindexed from v7 to v8#206119
Pinging @elastic/security-detections-response (Team:Detections and Resp)

Pinging @elastic/security-detection-engine (Team:Detection Engine)
💚 Build Succeeded
cc @vitaliidm
dhurley14 left a comment
I'm approving with a few things that I wanted to point out:
- When I got to the "click reindex" step in Upgrade Assistant, the reindexing process started with the flyout showing up but stayed at 0% for a bit and then it logged me out, so I had to log back in again. Not a big problem, but it could be scary to users. Not sure if this was seen before.
- The alerts table is not populated after the reindex process, but the counts are visible.
- Screenshot showing that the reindex API worked:
thanks for review @dhurley14

Never seen it before (I reindexed probably more than a dozen indices while working on this and similar issues).

I looked into it. This affects not the reindexed index, but any alert created in 7.17.

```JSON
{
  "match_phrase": {
    "kibana.alert.workflow_status": "open"
  }
},
```

But alerts created in 7.17 do not have it.

```JSON
{
  "_index": ".siem-signals-another-3-000001-r000077",
  "_id": "389a2db0a7ab1b4a99f58a345bf781a0630fcbe2243af7f0253687c4b5dda8cc",
  "_score": 1,
  "_source": {
    "@timestamp": "2025-01-24T10:10:29.875Z",
    "destination.port": 1,
    "source.ip": "127.0.0.1",
    "event": {
      "kind": "signal"
    },
    "destination.ip": "127.0.0.2",
    "signal": {
      "reason": "event with:1, created low alert custom query rule.",
      "parent": {
        "depth": 0,
        "index": "close_alerts",
        "id": "IAPJl5QBKnW_HB3YObWr",
        "type": "event"
      },
      "depth": 1,
      "_meta": {
        "version": 77
      },
      "rule": {
        "throttle": null,
        "severity_mapping": [],
        "references": [],
        "created_at": "2025-01-24T10:10:24.801Z",
        "description": "eee",
        "language": "kuery",
        "output_index": ".siem-signals-another-3",
        "type": "query",
        "enabled": true,
        "exceptions_list": [],
        "updated_at": "2025-01-24T10:10:26.833Z",
        "from": "now-36000018000s",
        "id": "6d13e240-da3b-11ef-83df-57c27462827f",
        "severity": "low",
        "max_signals": 100,
        "risk_score": 21,
        "risk_score_mapping": [],
        "author": [],
        "query": "*",
        "index": [
          "close_alerts"
        ],
        "filters": [],
        "created_by": "942543759",
        "version": 1,
        "tags": [],
        "rule_id": "98c35aa2-ee85-4f63-9066-6670a163c278",
        "license": "",
        "immutable": false,
        "meta": {
          "from": "10000000h",
          "kibana_siem_app_url": "https://to-9-0.kb.eastus2.staging.azure.foundit.no/app/security"
        },
        "name": "custom query rule",
        "updated_by": "942543759",
        "interval": "5h",
        "false_positives": [],
        "threat": [],
        "to": "now",
        "actions": []
      },
      "original_time": "2024-09-27T09:26:30.425Z",
      "ancestors": [
        {
          "depth": 0,
          "index": "close_alerts",
          "id": "IAPJl5QBKnW_HB3YObWr",
          "type": "event"
        }
      ],
      "parents": [
        {
          "depth": 0,
          "index": "close_alerts",
          "id": "IAPJl5QBKnW_HB3YObWr",
          "type": "event"
        }
      ],
      "status": "open"
    }
  }
}
```
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/12948662880
[Security Solution][Detection Engine] fixes siem-signal update when it was reindexed from v7 to v8 (elastic#206119)

## Summary

- addresses elastic/security-team#11440

### Testing

1. Create cloud env of 7.17 version (East US 2 (Virginia) on Azure, where 8.18 snapshot available)
2. Create rule
3. Generate alerts
4. Create cloud env of 8.18 from existing 7.x snapshot (Restore snapshot data option)
5. Connect local Kibana of 8.18 from mirror branch of this one (elastic#206120)
6. Add to Kibana dev config following options to enable Upgrade Assistant (UA) showing outdated indices
   ```yml
   xpack.upgrade_assistant.featureSet:
     mlSnapshots: true
     migrateDataStreams: true
     migrateSystemIndices: true
     reindexCorrectiveActions: true
   ```
7. When Kibana started DO NOT visit Detection rule or any Security page
8. Open Kibana Upgrade Assistant
9. Go to step 3 - Review deprecated settings and resolve issues
11. Click Elasticsearch section
12. Find outdated .siem-signals-* index
13. Reindex it
14. Visit detection page to ensure index API updated mappings

Visit to that page should initiate `POST /api/detection_engine/index`, which updates mappings.

Subsequent index status check should return:

```JSON
GET kbn:/api/detection_engine/index

// should return

{
  "name": ".alerts-security.alerts-default",
  "index_mapping_outdated": false
}
```

(cherry picked from commit 5c67037)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
I looked further into it. It was working fine in 8.16. I checked this, and alerts displayed there. Something broke in 8.18. I noticed a change in filters between 8.18 and 8.16. In 8.18 these filters are present:

```JSON
{
  "terms": {
    "kibana.alert.rule.consumer": [
      "siem"
    ]
  }
},
{
  "terms": {
    "kibana.alert.rule.rule_type_id": [
      "siem.eqlRule",
      "siem.esqlRule",
      "siem.indicatorRule",
      "siem.mlRule",
      "siem.queryRule",
      "siem.savedQueryRule",
      "siem.thresholdRule",
      "siem.newTermsRule"
    ]
  }
}
```

I believe they prevent alerts from being displayed in the table.
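The filter comparison above, as an added example that is not part of this PR or of Kibana's code: a minimal evaluator for the two query-DSL clause types quoted in the thread (`match_phrase` and `terms`), run over two constructed documents, a trimmed 7.17 signal in the legacy `signal.*` shape and the same alert as it would look in the 8.x `kibana.alert.*` shape (field values assumed for illustration). It shows that the legacy document fails all three alerts-table filters because the filtered fields are simply absent, which is why such alerts count toward the index yet never appear in the table. The evaluator treats `match_phrase` on these keyword fields as exact equality and does not model Elasticsearch analysis; that is an assumption of the example.

```typescript
// Added example, not Kibana's own code: evaluate the alerts-table filters
// quoted in this PR thread against constructed documents to show why a
// 7.17-era signal is invisible to the 8.18 table.

type Doc = Record<string, unknown>;

type Clause =
  | { match_phrase: Record<string, string> }
  | { terms: Record<string, string[]> };

// Resolve a dotted field path against a document that may hold the value
// either as a literal dotted key ("destination.port") or as nested objects
// ("signal" -> "status"); both shapes appear in the alert pasted above.
function getField(doc: Doc, path: string): unknown {
  if (Object.prototype.hasOwnProperty.call(doc, path)) return doc[path];
  let cur: unknown = doc;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    const obj = cur as Doc;
    if (!Object.prototype.hasOwnProperty.call(obj, part)) return undefined;
    cur = obj[part];
  }
  return cur;
}

function clauseField(clause: Clause): string {
  return Object.keys('match_phrase' in clause ? clause.match_phrase : clause.terms)[0];
}

// Assumption: match_phrase on a keyword field behaves as exact equality here.
function matchesClause(doc: Doc, clause: Clause): boolean {
  const field = clauseField(clause);
  const actual = getField(doc, field);
  if ('match_phrase' in clause) {
    return actual === clause.match_phrase[field];
  }
  const wanted = clause.terms[field];
  const present: unknown[] = Array.isArray(actual) ? actual : [actual];
  return present.some((v) => typeof v === 'string' && wanted.includes(v));
}

// Filter context of a bool query: every clause must match.
function passesFilters(doc: Doc, filters: Clause[]): boolean {
  return filters.every((clause) => matchesClause(doc, clause));
}

// Diagnostic: which filtered fields are entirely absent from the document.
function missingFilterFields(doc: Doc, filters: Clause[]): string[] {
  return filters.map(clauseField).filter((field) => getField(doc, field) === undefined);
}

// The three filters quoted in this thread (workflow_status from the earlier
// comment, consumer and rule_type_id from the 8.18 comparison).
const alertsTableFilters: Clause[] = [
  { match_phrase: { 'kibana.alert.workflow_status': 'open' } },
  { terms: { 'kibana.alert.rule.consumer': ['siem'] } },
  {
    terms: {
      'kibana.alert.rule.rule_type_id': [
        'siem.eqlRule', 'siem.esqlRule', 'siem.indicatorRule', 'siem.mlRule',
        'siem.queryRule', 'siem.savedQueryRule', 'siem.thresholdRule', 'siem.newTermsRule',
      ],
    },
  },
];

// Constructed sample: a trimmed 7.17 signal in the legacy `signal.*` shape.
const legacySignal: Doc = {
  '@timestamp': '2025-01-24T10:10:29.875Z',
  event: { kind: 'signal' },
  signal: { status: 'open', rule: { type: 'query', name: 'custom query rule' } },
};

// Constructed sample: the same alert written in the 8.x `kibana.alert.*`
// shape (values assumed for illustration).
const migratedAlert: Doc = {
  '@timestamp': '2025-01-24T10:10:29.875Z',
  'kibana.alert.workflow_status': 'open',
  'kibana.alert.rule.consumer': 'siem',
  'kibana.alert.rule.rule_type_id': 'siem.queryRule',
};

console.log('migrated alert visible:', passesFilters(migratedAlert, alertsTableFilters));
console.log('legacy signal visible:', passesFilters(legacySignal, alertsTableFilters));
console.log('legacy signal lacks:', missingFilterFields(legacySignal, alertsTableFilters));
```

`missingFilterFields` is the useful check for a defender: run it (or the equivalent `exists` queries) against a reindexed `.siem-signals-*` index before trusting the table, since the `_count` of documents will look healthy while every legacy alert is dropped by the filter context.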
[Security Solution][Detection Engine] fixes siem-signal update when it was reindexed from v7 to v8 (#206119) (#208174)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] fixes siem-signal update when it was reindexed from v7 to v8 (#206119)](#206119)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
issue regarding absent alerts: #208204