elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Detection rule fails to install but does not show reason and the toast in the UI shows up as success #190753

Open leandrojmp opened 2 months ago

leandrojmp commented 2 months ago

Describe the bug:

Some detection rules use Machine Learning, which is a licensed feature. When trying to install those rules in a cluster with the basic license, the install fails, but the reason is not given to the user, and the toast at the bottom of the screen is the success one, with the green bar, when it should be the error one, with the red bar.

Kibana/Elasticsearch Stack version: 8.15.0

Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Detection Rules

Steps to reproduce:

  1. Spin-up a cluster with basic license.
  2. Add the pre-built rules
  3. Try to install a rule that uses ML

Current behavior:

The detection rule fails to install without giving the reason, and the toast at the bottom of the screen is the success one, with the green bar.

According to the Elastic UI, this error is using the color success and the iconType check.

Expected behavior:

The detection rule fails to install, the reason is shown to the user, and the toast at the bottom of the screen should be the error one, with the red bar.

According to the Elastic UI, it should use the color danger and the iconType error.

Screenshots (if relevant):


Response in the developer console:

{
    "summary": {
        "total": 1,
        "succeeded": 0,
        "skipped": 0,
        "failed": 1
    },
    "results": {
        "created": [],
        "skipped": []
    },
    "errors": [
        {
            "message": "Your license does not support machine learning. Please upgrade your license.",
            "status_code": 403,
            "rules": [
                {
                    "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131",
                    "name": "Unusual Remote File Size"
                }
            ]
        }
    ]
}

elasticmachine commented 2 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 months ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine commented 2 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

leandrojmp commented 1 week ago

A similar question was asked on Discuss about this: https://discuss.elastic.co/t/detection-rules-update-failure/369051

I think that the rule install/update process should check if any rule cannot be installed based on the cluster license; currently it does not check.
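As an added example (not Kibana code, and not from anyone in the thread), here is the toast logic the report asks for together with the pre-install licence check suggested in the last comment, written in TypeScript since that is Kibana's language. The `InstallResponse` shape is taken from the response body pasted in the issue, and `success`/`check` and `danger`/`error` are the EUI values the report cites; the `Licence` object, the interface names, and the `warning`/`alert` treatment of a partly failed batch are my assumptions. `machine_learning` is the rule type value used by the Detections API.

```typescript
// Added example, not code from Kibana or from the issue reporter. It shows
// (1) turning a prebuilt-rule install response into the right toast, with the
// error reason surfaced, and (2) a pre-install licence check that sets ML rules
// aside before calling the API. Interface names, the `Licence` shape and the
// 'warning'/'alert' toast for a mixed outcome are assumptions.

interface FailedRule { rule_id: string; name: string }
interface InstallError { message: string; status_code: number; rules: FailedRule[] }
interface InstallResponse {
  summary: { total: number; succeeded: number; skipped: number; failed: number };
  results: { created: unknown[]; skipped: unknown[] };
  errors: InstallError[];
}

// Toast props named after the EUI props the issue cites (color, iconType).
interface Toast {
  color: 'success' | 'warning' | 'danger';
  iconType: 'check' | 'alert' | 'error';
  title: string;
  text: string[]; // one line per failed rule, so the user sees the reason
}

function toastForInstallResponse(res: InstallResponse): Toast {
  const { total, succeeded, failed } = res.summary;
  const text: string[] = [];
  for (const err of res.errors) {
    for (const rule of err.rules) {
      text.push(`${rule.name} (${rule.rule_id}): ${err.message} [HTTP ${err.status_code}]`);
    }
  }
  // Decide on summary.failed: the response in the issue had failed: 1 and a
  // populated errors array, yet the UI showed a success toast.
  if (failed === 0) {
    return { color: 'success', iconType: 'check', title: `${succeeded} of ${total} rules installed`, text };
  }
  if (succeeded === 0) {
    return { color: 'danger', iconType: 'error', title: `Failed to install ${failed} of ${total} rules`, text };
  }
  // Mixed outcome (assumption): warn rather than claim success or total failure.
  return { color: 'warning', iconType: 'alert', title: `${succeeded} of ${total} rules installed, ${failed} failed`, text };
}

// Pre-install screen suggested in the last comment: split the requested rules
// by whether the licence allows them, so the blocked ones can be reported
// before any API call. `Licence` is a stand-in for the caller's licence info.
interface RuleSummary { rule_id: string; name: string; type: string }
interface Licence { mlEnabled: boolean }

function partitionByLicence(rules: RuleSummary[], licence: Licence) {
  const installable: RuleSummary[] = [];
  const blocked: FailedRule[] = [];
  for (const r of rules) {
    if (r.type === 'machine_learning' && !licence.mlEnabled) {
      blocked.push({ rule_id: r.rule_id, name: r.name });
    } else {
      installable.push(r);
    }
  }
  return { installable, blocked };
}

// The response body posted in the issue, embedded here as sample input.
const sampleResponse: InstallResponse = {
  summary: { total: 1, succeeded: 0, skipped: 0, failed: 1 },
  results: { created: [], skipped: [] },
  errors: [{
    message: 'Your license does not support machine learning. Please upgrade your license.',
    status_code: 403,
    rules: [{ rule_id: '0678bc9c-b71a-433b-87e6-2f664b6b3131', name: 'Unusual Remote File Size' }],
  }],
};

// Constructed rule list for the pre-install check: one ML rule, one query rule
// (the second rule_id is a placeholder, not a real prebuilt rule).
const sampleRules: RuleSummary[] = [
  { rule_id: '0678bc9c-b71a-433b-87e6-2f664b6b3131', name: 'Unusual Remote File Size', type: 'machine_learning' },
  { rule_id: 'example-query-rule-id', name: 'Example query rule', type: 'query' },
];

console.log(JSON.stringify(toastForInstallResponse(sampleResponse), null, 2));
console.log(JSON.stringify(partitionByLicence(sampleRules, { mlEnabled: false }), null, 2));
```

Run with `ts-node` (or compile with `tsc` and run with `node`); for the pasted response it yields a `danger`/`error` toast whose text carries the licence message for the affected rule, and the partition puts the ML rule in `blocked` when `mlEnabled` is false.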