Recently we got an SDH relating to detection rule schema validation (SDH issue: https://github.com/elastic/sdh-security-team/issues/192). Upgrading to 7.13 caused the detections page to no longer show the detection rules because the _find API was returning a 500 because of validation errors. These errors likely resulted from a failed migration which leaves the rule with superfluous fields and also missing certain required fields.
One solution we tried was to export the rules hoping that we could fix them locally in an editor and then reimport them. Unfortunately, this also does not work because we perform validation on the export code path.
This issue is to discuss removing validation (or maybe having a way to disable it) when performing an export of detection rules. We'd certainly still want to do validation on import. This way if the rules somehow get in an invalid state, we can bulk export, fix them, and reimport. This avoids having to do multiple Elasticsearch queries/updates to get the rules back into a valid state (https://github.com/elastic/sdh-security-team/issues/192#issuecomment-892843081).
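To make the proposal concrete, here is an added illustration (not Kibana's code, and the field lists are a constructed stand-in for the real rule schema) of an export path that can skip validation so a broken rule can leave the system, while the import path keeps validation mandatory:

```typescript
// Added illustration of the proposal, not Kibana's code. The field lists below are a
// constructed stand-in for the detection rule schema, not the real one.
type Rule = Record<string, unknown>;

const REQUIRED_FIELDS = ['rule_id', 'name', 'type', 'severity', 'risk_score'];
const KNOWN_FIELDS = new Set<string>([...REQUIRED_FIELDS, 'description', 'enabled', 'query']);

// Strict schema check. Today this runs on _find, export and import; an empty result means valid.
function validateRule(rule: Rule): string[] {
  const errors: string[] = [];
  for (const f of REQUIRED_FIELDS) if (!(f in rule)) errors.push(`missing required field: ${f}`);
  for (const f of Object.keys(rule)) if (!KNOWN_FIELDS.has(f)) errors.push(`superfluous field: ${f}`);
  return errors;
}

// Export as NDJSON. With validate=true (current behaviour) one bad rule fails the whole export;
// with validate=false (the proposal) every stored document is written out as-is for offline repair.
function exportRulesNdjson(rules: Rule[], validate: boolean): string {
  if (validate) {
    for (const r of rules) {
      const errs = validateRule(r);
      if (errs.length > 0) throw new Error(`export failed for ${r.rule_id}: ${errs.join('; ')}`);
    }
  }
  return rules.map((r) => JSON.stringify(r)).join('\n');
}

// Import keeps validation mandatory: valid lines are accepted, invalid ones are reported per line.
function importRulesNdjson(ndjson: string): { accepted: Rule[]; rejected: { line: number; errors: string[] }[] } {
  const accepted: Rule[] = [];
  const rejected: { line: number; errors: string[] }[] = [];
  ndjson.split('\n').forEach((text, i) => {
    if (text.trim() === '') return;
    const rule = JSON.parse(text) as Rule;
    const errors = validateRule(rule);
    if (errors.length > 0) rejected.push({ line: i + 1, errors });
    else accepted.push(rule);
  });
  return { accepted, rejected };
}

// Constructed sample of a rule left behind by a failed migration: two required fields are
// missing and a leftover field the schema does not know about is still present.
const brokenRule: Rule = { rule_id: 'r-1', name: 'Suspicious login', type: 'query', query: 'event.action:login', legacy_throttle: null };

// The offline repair step the issue describes: drop the unknown field and fill in what is missing
// (the defaults here are constructed for the sample, not schema defaults).
function repairRule(rule: Rule): Rule {
  const fixed: Rule = { severity: 'low', risk_score: 21 };
  for (const [k, v] of Object.entries(rule)) if (KNOWN_FIELDS.has(k)) fixed[k] = v;
  return fixed;
}
```

With validation on, `exportRulesNdjson([brokenRule], true)` throws exactly as the export endpoint does today; with it off, the broken document is emitted, `repairRule` fixes it, and the repaired line passes `importRulesNdjson`.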