Pinging @elastic/security-solution (Team: SecuritySolution)
{
"took" : 2,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 4,
"relation" : "eq"
},
"max_score" : 0.41443375,
"hits" : [
{
"_index" : ".kibana_7.15.3_001",
"_type" : "_doc",
"_id" : "alert:d1588970-a949-11ec-81a1-1d8de8a0946c",
"_score" : 0.41443375,
"_source" : {
"alert" : {
"name" : "Test w/ legacy action 2",
"tags" : [
"__internal_rule_id:aad7ca41-345e-4252-b6ae-ccfb09db2cc9",
"__internal_immutable:false"
],
"alertTypeId" : "siem.signals",
"consumer" : "siem",
"params" : {
"author" : [ ],
"description" : "a",
"falsePositives" : [ ],
"from" : "now-360s",
"license" : "",
"outputIndex" : ".siem-signals-default",
"meta" : {
"from" : "1m",
"kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
},
"maxSignals" : 100,
"riskScore" : 21,
"riskScoreMapping" : [ ],
"severity" : "low",
"severityMapping" : [ ],
"threat" : [ ],
"to" : "now",
"references" : [ ],
"version" : 2,
"exceptionsList" : [ ],
"ruleId" : "aad7ca41-345e-4252-b6ae-ccfb09db2cc9",
"immutable" : false,
"query" : "*:*",
"language" : "kuery",
"filters" : [ ],
"index" : [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"type" : "query"
},
"schedule" : {
"interval" : "5m"
},
"enabled" : true,
"actions" : [ ],
"throttle" : null,
"notifyWhen" : "onActiveAlert",
"apiKeyOwner" : "1311967740",
"apiKey" : "85VAXNHt2yGRVpFxDIlJVeqtRmNyFhEyRkXcVLCjFcYThavsOkNQdz1nQPArrgFP4qINhbmvrEHBbb2cMR6qOtIYcMq0XtODal+f9vACOHlAxHAZ4YF+FXCf7Ar+hxn6E6iVsRvHIzpo7LjLv+8I9ucczd52bCPtFOgRLAKQ0ecURKgps100JRyHIfVhcDQCRxEHGYIVo8nucg==",
"createdBy" : "1311967740",
"updatedBy" : "1311967740",
"createdAt" : "2022-03-21T19:05:05.168Z",
"updatedAt" : "2022-03-21T19:05:36.829Z",
"muteAll" : false,
"mutedInstanceIds" : [ ],
"executionStatus" : {
"status" : "ok",
"lastExecutionDate" : "2022-03-21T19:05:40.549Z",
"error" : null
},
"meta" : {
"versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
},
"scheduledTaskId" : "e4a9e910-a949-11ec-81a1-1d8de8a0946c"
},
"type" : "alert",
"references" : [ ],
"migrationVersion" : {
"alert" : "7.15.0"
},
"coreMigrationVersion" : "7.15.3",
"updated_at" : "2022-03-21T19:05:43.648Z"
}
},
{
"_index" : ".kibana_7.15.3_001",
"_type" : "_doc",
"_id" : "alert:ebf9b4c0-a949-11ec-81a1-1d8de8a0946c",
"_score" : 0.41443375,
"_source" : {
"alert" : {
"name" : "Test w/ legacy action 3",
"tags" : [
"__internal_rule_id:c0521582-6b86-498d-89c2-a01001284340",
"__internal_immutable:false"
],
"alertTypeId" : "siem.signals",
"consumer" : "siem",
"params" : {
"author" : [ ],
"description" : "a",
"falsePositives" : [ ],
"from" : "now-360s",
"license" : "",
"outputIndex" : ".siem-signals-default",
"meta" : {
"from" : "1m",
"kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
},
"maxSignals" : 100,
"riskScore" : 21,
"riskScoreMapping" : [ ],
"severity" : "low",
"severityMapping" : [ ],
"threat" : [ ],
"to" : "now",
"references" : [ ],
"version" : 2,
"exceptionsList" : [ ],
"ruleId" : "c0521582-6b86-498d-89c2-a01001284340",
"immutable" : false,
"query" : "*:*",
"language" : "kuery",
"filters" : [ ],
"index" : [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"type" : "query"
},
"schedule" : {
"interval" : "5m"
},
"enabled" : true,
"actions" : [ ],
"throttle" : null,
"notifyWhen" : "onActiveAlert",
"apiKeyOwner" : "1311967740",
"apiKey" : "PwhVOu4/yy231AQTxKt8WA+KMwPWAJu78KA3n63RnvpUm1OrjAa+62/39pGYrGvV/4N8cCaE6MuW3jMv1UrNgBelAgbxuRgWi+UNrA9nbYdfZN7BT6aDFOLfLnO8xSliOUPlqjZNB4onDRoDAorvWUmhnEbz+al9pYLdhxhMXEN8b9SLSyyDV888b4LaCu93wNlIlzlBfJkysQ==",
"createdBy" : "1311967740",
"updatedBy" : "1311967740",
"createdAt" : "2022-03-21T19:05:49.846Z",
"updatedAt" : "2022-03-21T19:06:24.772Z",
"muteAll" : false,
"mutedInstanceIds" : [ ],
"executionStatus" : {
"status" : "ok",
"lastExecutionDate" : "2022-03-21T19:06:28.564Z",
"error" : null
},
"meta" : {
"versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
},
"scheduledTaskId" : "0162a9c0-a94a-11ec-81a1-1d8de8a0946c"
},
"type" : "alert",
"references" : [ ],
"migrationVersion" : {
"alert" : "7.15.0"
},
"coreMigrationVersion" : "7.15.3",
"updated_at" : "2022-03-21T19:06:31.508Z"
}
},
{
"_index" : ".kibana_7.15.3_001",
"_type" : "_doc",
"_id" : "alert:ebf9b4c1-a949-11ec-81a1-1d8de8a0946c",
"_score" : 0.41443375,
"_source" : {
"alert" : {
"name" : "Test w/ legacy action 4",
"tags" : [
"__internal_rule_id:628f1b7f-dc04-45ad-914f-63de9c0c8cad",
"__internal_immutable:false"
],
"alertTypeId" : "siem.signals",
"consumer" : "siem",
"params" : {
"author" : [ ],
"description" : "a",
"ruleId" : "628f1b7f-dc04-45ad-914f-63de9c0c8cad",
"falsePositives" : [ ],
"from" : "now-360s",
"immutable" : false,
"license" : "",
"outputIndex" : ".siem-signals-default",
"meta" : {
"from" : "1m",
"kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
},
"maxSignals" : 100,
"riskScore" : 21,
"riskScoreMapping" : [ ],
"severity" : "low",
"severityMapping" : [ ],
"threat" : [ ],
"to" : "now",
"references" : [ ],
"version" : 3,
"exceptionsList" : [ ],
"type" : "query",
"language" : "kuery",
"index" : [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"query" : "*:*",
"filters" : [ ]
},
"schedule" : {
"interval" : "5m"
},
"enabled" : false,
"actions" : [ ],
"throttle" : null,
"notifyWhen" : "onActiveAlert",
"apiKeyOwner" : null,
"apiKey" : null,
"createdBy" : "1311967740",
"updatedBy" : "1311967740",
"createdAt" : "2022-03-21T19:05:49.849Z",
"updatedAt" : "2022-03-21T19:06:42.899Z",
"muteAll" : false,
"mutedInstanceIds" : [ ],
"executionStatus" : {
"status" : "pending",
"lastExecutionDate" : "2022-03-21T19:05:49.849Z",
"error" : null
},
"meta" : {
"versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
}
},
"type" : "alert",
"references" : [ ],
"migrationVersion" : {
"alert" : "7.15.0"
},
"coreMigrationVersion" : "7.15.3",
"updated_at" : "2022-03-21T19:06:42.899Z"
}
},
{
"_index" : ".kibana_7.15.3_001",
"_type" : "_doc",
"_id" : "alert:c718f0d0-a949-11ec-81a1-1d8de8a0946c",
"_score" : 0.41443375,
"_source" : {
"alert" : {
"name" : "Test w/ legacy action",
"tags" : [
"__internal_rule_id:41701350-e09e-4baa-a71f-7d6f1be22a96",
"__internal_immutable:false"
],
"alertTypeId" : "siem.signals",
"consumer" : "siem",
"params" : {
"author" : [ ],
"description" : "a",
"ruleId" : "41701350-e09e-4baa-a71f-7d6f1be22a96",
"falsePositives" : [ ],
"from" : "now-360s",
"immutable" : false,
"license" : "",
"outputIndex" : ".siem-signals-default",
"meta" : {
"from" : "1m",
"kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
},
"maxSignals" : 100,
"riskScore" : 21,
"riskScoreMapping" : [ ],
"severity" : "low",
"severityMapping" : [ ],
"threat" : [ ],
"to" : "now",
"references" : [ ],
"version" : 1,
"exceptionsList" : [ ],
"type" : "query",
"language" : "kuery",
"index" : [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"query" : "*:*",
"filters" : [ ]
},
"schedule" : {
"interval" : "5m"
},
"enabled" : true,
"actions" : [ ],
"throttle" : null,
"notifyWhen" : "onActiveAlert",
"apiKeyOwner" : "1311967740",
"apiKey" : "iQ9OUTir2k5ForgmwQU5ri/5dbM2FgkgxuMZt1E6kI3DaeNdqw4yGidjOFW7ovXct/SXq0pS1tiDhLoXk0L25L8dyo7HFTiEjl+/gatfKq9mdpKKl6hYCMK5dPcU2UvvCbGEcAMUaj0JRJGvmPUIqhvUpb9Y0yM/F7J6G/I5FKkGQL4PV1HtF4v5YDUWhB1ITFhWfTsdqVAs4g==",
"createdBy" : "1311967740",
"updatedBy" : "1311967740",
"createdAt" : "2022-03-21T19:04:48.775Z",
"updatedAt" : "2022-03-21T19:04:48.775Z",
"muteAll" : false,
"mutedInstanceIds" : [ ],
"executionStatus" : {
"status" : "ok",
"lastExecutionDate" : "2022-03-21T19:09:52.558Z",
"error" : null
},
"meta" : {
"versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
},
"scheduledTaskId" : "c7ecbb90-a949-11ec-81a1-1d8de8a0946c"
},
"type" : "alert",
"references" : [ ],
"migrationVersion" : {
"alert" : "7.15.0"
},
"coreMigrationVersion" : "7.15.3",
"updated_at" : "2022-03-21T19:09:54.680Z"
}
}
]
}
}
Bulk actions
dropdown on the rules page
This PR addresses the to do from the first round of testing. It updates the 8.1 bulk routes to include the action migration logic.
When testing https://github.com/elastic/kibana/pull/128518 I noticed that there seems to be some cleanup logic missing in the legacyMigrate function, because in some cases it leaves siem-detection-engine-rule-actions sidecar saved objects behind in the index.
More details in https://github.com/elastic/kibana/pull/128518#issuecomment-1082230439
Fix is in this PR - https://github.com/elastic/kibana/pull/130511
@MadameSheema ready for 8.3 QA check - instructions on testing can be found in PR description. Thanks so much!
Hi Team,
We have validated the above issue on 8.3.0 BC3 and it is not fixed. 🔴
Build Details
VERSION: 8.3.0 BC3
BUILD: 53272
COMMIT: 7a0df2bca36ced2a898420cbb193a9dba0782a7a
Screenshots:
Thanks !
@karanverma-qasource - can you give a bit more details as to what steps you took and what the screenshots are showing? Like what actions are those rules supposed to have?
Hi @yctercero,
I have followed the steps mentioned in this PR. After upgrading to 8.3.0 and running the query below:
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.queryRule"
}
}
}
We should get a throttle corresponding to the selected interval and notifyWhen: onThrottleInterval, but here we are getting throttle as null and notifyWhen as onActiveAlert for every rule. The action intervals I used were "None, Rule Run, Hourly, Daily, Weekly".
Please let us know if we are missing something.
Thanks!
@yctercero @karanverma-qasource any update on this?
@MadameSheema No update received till now.
Sorry, lost this a bit after PTO. I'll take a look today.
@karanverma-qasource sorry, but can you give more details as to how you re-enabled the rules in 8.3. Was it via bulk actions? Just editing the rule? Or one by one? I'm still not able to reproduce this. If you could share the following information similar to below, that would help. These are the results I got.
After migrating, they appear to have the expected fields.
Actions | Post migrated rule |
---|---|
Rule run | - siem-detection-engine-rule-actions DELETED - actions continue to live on rule params - throttle is null - notifyWhen is onActiveAlert |
Hourly | - siem-detection-engine-rule-actions DELETED - siem.notifications DELETED - actions moved to live on rule params - throttle is 1h - notifyWhen is onThrottleInterval |
Daily | - siem-detection-engine-rule-actions DELETED - siem.notifications DELETED - actions moved to live on rule params - throttle is 1d - notifyWhen is onThrottleInterval |
Weekly | - siem-detection-engine-rule-actions DELETED - siem.notifications DELETED - actions moved to live on rule params - throttle is 7d - notifyWhen is onThrottleInterval |
## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
## Gets the siem sidecar actions
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
## Get rules
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.signals"
}
}
}
## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
## Gets the siem sidecar actions
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
## Get rules
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.queryRule"
}
}
}
Hi @yctercero,
Yes, I bulk-enabled the rules after upgrading to 8.3.1, and I am getting `"throttle": null, "notifyWhen": "onActiveAlert"` for every rule.
Build Details:
VERSION: 8.3.1
BUILD: 53549
COMMIT: a4f8dc60edb19553f16c166ea79c83c16572897a
8.3.1
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.queryRule"
}
}
}
Please let us know if we are missing something.
Thanks !
@karanverma-qasource are these all prepackaged rules you're testing?
Hi @yctercero ,
We are testing with custom rules, since the steps above say "Create 4 rules, each with an action at a different interval". Please let us know if we should instead test with prepackaged or Elastic prebuilt rules.
Thanks !
Hey @karanverma-qasource - I'm still not able to recreate even when I tested with bulk enabling. Could you video your entire testing process or set up a zoom meeting to go over it together? I'm still not sure how you're getting the rules in that state. So far, re-enabling rules after migration one by one or using bulk actions - both are migrating as expected.
## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
## Gets the siem sidecar actions
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
## Get rules
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.queryRule"
}
}
}
## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
## Gets the siem sidecar actions
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
## Get rules
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.queryRule"
}
}
}
Hi @yctercero,
Thank you so much for your kind help. We have validated the above issue on 8.3.2 and it is fixed.
Build Details:
VERSION: 8.3.2
BUILD: 53596
COMMIT: 12341eba941264b1d015dc6394ec3f006b13b1af
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
GET .kibana/_search
{
"size": 10000
}
Summary
Detection rule actions are migrated when a rule is touched or enabled. Because detections requires users to disable their rules prior to the 8.0 migration, we theorized that upon enabling rules post-migration, the rule's actions would be migrated. That means we should see 0 enabled rules with legacy actions. However, thanks to Frank's work with telemetry, we saw that this is not the case. The culprit is still unclear.
Telemetry actions dashboard
Steps to reproduce
Gets the siem sidecar actions
GET .kibana/_search { "query": { "term": { "type": { "value": "siem-detection-engine-rule-actions" } } } }
Gets the rules pre 8.0
For legacy actions with an interval other than "on every rule run", the `actions` array is empty, `throttle : null`, and `notifyWhen : onActiveAlert`.
GET .kibana/_search { "query": { "term": { "alert.alertTypeId": "siem.signals" } } }
Gets the query rules post 8.0
For NON-legacy actions that have successfully migrated, the `actions` array is filled out on the rule, the `throttle` corresponds to the selected interval, and `notifyWhen: onThrottleInterval`.
GET .kibana/_search { "query": { "term": { "alert.alertTypeId": "siem.queryRule" } } }