
[8.17] [Security Solution] Fix prebuilt rules force upgrade on Endpoint policy creation (#217959) #218209

Merged: xcrzx merged 1 commit into elastic:8.17 from xcrzx:backport/8.17/pr-217959 on Apr 15, 2025

Conversation

@xcrzx (Contributor) commented Apr 15, 2025

Backport

This will backport the following commits from main to 8.17:

Questions?

Please refer to the Backport tool documentation

…cy creation (#217959)

**Resolves: https://github.com/elastic/security-team/issues/7216**

## Summary

This PR updates the Endpoint policy callback to:

- **Install only the Elastic Defend rule if it's missing**, without
upgrading it to the latest version. Previously, the rule was both
installed and updated whenever an Endpoint policy was created, which
conflicted with rule customization. Automatic upgrades could erase
existing user customizations.

- **Avoid triggering the installation or upgrade of any other prebuilt
rules** as part of this flow. The Endpoint package policy creation
callback
([source](https://github.com/elastic/kibana/blob/f7d8bc3c25663ebd5e473087790e3a53c4901548/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.ts#L181-L187))
previously installed and upgraded **all** prebuilt detection rules to
their target versions whenever an Endpoint policy was created.

This logic relied on the legacy rule upgrade method, which has a known
issue that causes all configured rule actions and exceptions to be lost.
By removing the upgrade logic, this PR eliminates that incorrect
behavior.

(cherry picked from commit 9f5425f)

# Conflicts:
#	x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts
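The description contrasts two behaviours of the Endpoint policy creation callback: the old flow installed and upgraded every prebuilt rule through the legacy upgrade path, which dropped configured actions and exceptions, while the fixed flow installs the Elastic Defend rule only when it is missing and touches nothing else. The following TypeScript is an added illustration of that difference; it is not Kibana's code and not the change in this PR. The rule store, the rule ids (`ELASTIC_DEFEND_RULE_ID` and the other placeholder id), the `actions` and `exceptionListIds` fields and the function names are all constructed for the example.

```typescript
// Added example, not Kibana code: a simplified model of the two behaviours
// described in the PR. Rule ids, fields and function names are constructed.

interface PrebuiltRuleAsset {
  ruleId: string;  // stable id of the prebuilt rule
  version: number; // version shipped in the prebuilt rules package
}

interface InstalledRule extends PrebuiltRuleAsset {
  // User-owned customizations that an install-only flow must not disturb.
  actions: string[];
  exceptionListIds: string[];
}

type RuleStore = { [ruleId: string]: InstalledRule };

// Placeholder id standing in for the Elastic Defend prebuilt rule (constructed).
const ELASTIC_DEFEND_RULE_ID = "elastic-defend-rule-id-placeholder";
const OTHER_RULE_ID = "other-prebuilt-rule-placeholder";

function cloneStore(store: RuleStore): RuleStore {
  const copy: RuleStore = {};
  for (const id of Object.keys(store)) {
    const r = store[id];
    copy[id] = { ...r, actions: r.actions.slice(), exceptionListIds: r.exceptionListIds.slice() };
  }
  return copy;
}

// Behaviour before the fix (modelled): install every missing prebuilt rule and
// upgrade every outdated one by replacing it with the package asset. The
// replacement carries no user-owned fields, so actions and exceptions are lost.
function legacyInstallAndUpgradeAll(store: RuleStore, assets: PrebuiltRuleAsset[]): RuleStore {
  const next = cloneStore(store);
  for (const asset of assets) {
    const current = next[asset.ruleId];
    if (!current || current.version < asset.version) {
      next[asset.ruleId] = { ...asset, actions: [], exceptionListIds: [] };
    }
  }
  return next;
}

// Behaviour after the fix (modelled): install only the Elastic Defend rule, and
// only if it is absent. An already installed rule, even an outdated one, and all
// other prebuilt rules are left exactly as they are.
function ensureElasticDefendRuleInstalled(store: RuleStore, assets: PrebuiltRuleAsset[]): RuleStore {
  const next = cloneStore(store);
  if (next[ELASTIC_DEFEND_RULE_ID]) return next;
  for (const asset of assets) {
    if (asset.ruleId === ELASTIC_DEFEND_RULE_ID) {
      next[asset.ruleId] = { ...asset, actions: [], exceptionListIds: [] };
    }
  }
  return next;
}

// Constructed scenario: an outdated, customized Elastic Defend rule is installed;
// a second prebuilt rule exists in the package but is not installed.
function buildScenario(): { store: RuleStore; assets: PrebuiltRuleAsset[] } {
  const store: RuleStore = {};
  store[ELASTIC_DEFEND_RULE_ID] = {
    ruleId: ELASTIC_DEFEND_RULE_ID,
    version: 1,
    actions: ["slack-notify"],
    exceptionListIds: ["endpoint-exceptions"],
  };
  const assets: PrebuiltRuleAsset[] = [
    { ruleId: ELASTIC_DEFEND_RULE_ID, version: 2 },
    { ruleId: OTHER_RULE_ID, version: 5 },
  ];
  return { store, assets };
}

// Runs both flows over the same scenario and reports what each leaves behind.
function compare() {
  const { store, assets } = buildScenario();
  const legacy = legacyInstallAndUpgradeAll(store, assets);
  const fixed = ensureElasticDefendRuleInstalled(store, assets);
  const fixedFromEmpty = ensureElasticDefendRuleInstalled({}, assets);
  return {
    legacyDefend: legacy[ELASTIC_DEFEND_RULE_ID],
    legacyInstalledOther: OTHER_RULE_ID in legacy,
    fixedDefend: fixed[ELASTIC_DEFEND_RULE_ID],
    fixedInstalledOther: OTHER_RULE_ID in fixed,
    fixedInstallsWhenMissing: ELASTIC_DEFEND_RULE_ID in fixedFromEmpty,
    fixedInstalledVersion: fixedFromEmpty[ELASTIC_DEFEND_RULE_ID].version,
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Running the block shows the legacy flow bumping the Elastic Defend rule to version 2 with empty `actions` and `exceptionListIds` and pulling in the unrelated rule, whereas the fixed flow leaves the customized rule untouched at version 1, installs nothing else, and still installs the Elastic Defend rule when the store starts empty.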
@xcrzx xcrzx requested a review from kibanamachine as a code owner April 15, 2025 08:51
@xcrzx xcrzx added the backport This PR is a backport of another PR label Apr 15, 2025
@xcrzx xcrzx enabled auto-merge (squash) April 15, 2025 08:52
@banderror (Contributor) left a comment

The backport is identical to the main PR ✅

@elasticmachine (Contributor) commented

💚 Build Succeeded

Metrics [docs]

✅ unchanged

@xcrzx xcrzx deleted the backport/8.17/pr-217959 branch April 15, 2025 11:39