Skip to content

[SIEM][Detection Engine] critical blocker, fixes ordering issue that causes rules to not run the first time #56230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 28, 2020
Merged

[SIEM][Detection Engine] critical blocker, fixes ordering issue that causes rules to not run the first time #56230

merged 2 commits into from
Jan 28, 2020

Conversation

@FrankHassanabad
Copy link
Contributor

@FrankHassanabad FrankHassanabad commented Jan 28, 2020
edited
Loading

Summary

Fixes ordering issue that @mikecote found for us with rules where we need to first update the rule before trying to enable it so there aren't issues with API keys.

These types of errors should no longer be seen:

{"type":"log","@timestamp":"2020-01-11T09:06:25-07:00","tags":["error","plugins","siem"],"pid":61190,"message":"Error from signal rule name: \"Windows Execution via Connection Manager\", id: \"0624c880-8e64-4c7c-90b4-226b77311ac4\", rule_id: \"f2728299-167a-489c-913c-2e0955ac3c40\" message: [security_exception] missing authentication credentials for REST request [/auditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Testing:

./hard_reset.sh

Then load the pre-packaged rules and enable them all at once. Ensure you don't see any errors such as the ones above.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately

@FrankHassanabad FrankHassanabad self-assigned this Jan 28, 2020
@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 28, 2020

Pinging @elastic/siem (Team:SIEM)

@FrankHassanabad FrankHassanabad added the release_note:skip Skip the PR/issue when compiling release notes label Jan 28, 2020
@kibanamachine
Copy link
Contributor

kibanamachine commented Jan 28, 2020

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@FrankHassanabad FrankHassanabad merged commit 2bab2cc into elastic:master Jan 28, 2020
@FrankHassanabad FrankHassanabad deleted the swap-ordering branch January 28, 2020 23:37
This was referenced Jan 28, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhurley14 dhurley14 dhurley14 approved these changes

Assignees

@FrankHassanabad FrankHassanabad

Labels

release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.6.0 v7.7.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@FrankHassanabad @elasticmachine @kibanamachine @dhurley14