elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Rule integrations are displayed disabled while being enabled #200167

Open maximpn opened 3 days ago

maximpn commented 3 days ago

Summary

In some cases rule integrations are shown as disabled while the Fleet UI says the integrations are enabled, where the enabled integrations have agent policies installed.

Details

Preliminary research revealed that the functionality for integration status calculation fetches only the first page of policies (20 items per page by default). Occasionally an agent policy might be on the second or a later page, in which case the integration will be considered disabled. The code chunk fetching agent policies for status calculation can be found here:

const [packages, packagePolicies] = await Promise.all([
  fleet.packages.getPackages(),
  fleet.packagePolicy.list(fleet.savedObjects.createInternalScopedSoClient(), {}), // it should use perPage: 10000
]);

To fix the problem we need to fetch all agent policies.

Steps to reproduce

ER: All installed integrations are shown as enabled

AR: Some of the installed integrations are shown as disabled
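The pagination gap described in the issue above, as an added example that is not part of the original post and is not Kibana's or Fleet's code. `listPackagePolicies` is a hypothetical in-memory stand-in for a paginated list call with a default page size of 20, and the policy data and package names are constructed.

```javascript
// Constructed sample data: 45 package policies. The only "okta" policy is
// item 37, so it lands on page 2 when perPage is 20.
const ALL_POLICIES = Array.from({ length: 45 }, (_, i) => ({
  id: `policy-${i + 1}`,
  packageName: i === 36 ? 'okta' : i % 2 === 0 ? 'endpoint' : 'system',
}));

// Hypothetical stand-in for a paginated list API (assumption, not Fleet's client).
// Returns one page plus the total count, defaulting to 20 items per page.
async function listPackagePolicies({ page = 1, perPage = 20 } = {}) {
  const start = (page - 1) * perPage;
  const items = ALL_POLICIES.slice(start, start + perPage);
  return { items, total: ALL_POLICIES.length, page, perPage };
}

// Behaviour described in the issue: only the default first page is read.
async function enabledPackagesFirstPageOnly() {
  const { items } = await listPackagePolicies({});
  return new Set(items.map((p) => p.packageName));
}

// Walk every page until `total` items have been collected.
async function enabledPackagesAllPages(perPage = 20) {
  const names = new Set();
  let seen = 0;
  for (let page = 1; ; page++) {
    const { items, total } = await listPackagePolicies({ page, perPage });
    items.forEach((p) => names.add(p.packageName));
    seen += items.length;
    // Stop on an empty page too, so a shrinking result set cannot loop forever.
    if (items.length === 0 || seen >= total) break;
  }
  return names;
}

// Integration status derived from whichever policy set was fetched.
async function integrationStatus(requiredPackages, fetchEnabled) {
  const enabled = await fetchEnabled();
  return Object.fromEntries(requiredPackages.map((n) => [n, enabled.has(n)]));
}
```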

elasticmachine commented 3 days ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 3 days ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine commented 3 days ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)