Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] KQL/Lucene Query bar filters generate diff when saved without changes in Prebuilt Rule Customization workflow #202966

Open
Tracked by #201502
maximpn opened this issue Dec 4, 2024 · 3 comments · May be fixed by #206344
Open
Tracked by #201502

[Security Solution] KQL/Lucene Query bar filters generate diff when saved without changes in Prebuilt Rule Customization workflow #202966

maximpn opened this issue Dec 4, 2024 · 3 comments · May be fixed by #206344
Assignees
@dplumlee
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0

Comments

@maximpn
Copy link
Contributor

maximpn commented Dec 4, 2024
edited
Loading

Summary

Query bar for editing KQL/Lucene query allows to manage query filters. Some prebuilt rules have such filters. Saving query bar with filters leads to extra fields like alias: null appearing in the diff. Saving rule edit form without any changes leads to the same result.

Steps to reproduce:

  1. Setup the environment as described below
  2. Open Threat Intel Hash Indicator Match rule in rule update preview flyout
  3. Edit the KQL query and save

Expected behavior: There is NO diff in query filters

Actual behavior: There is diff in query filters

Screenshots:

Image

The video below demonstrates how changes to threat query appear even without actual changes while editing a rule in the rule form

Screen.Recording.2024-12-17.at.20.20.15.mov

Setup the environment

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs via adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
  • Install prebuilt rules
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
  • Open a threat_match rule for editing. For example Threat Intel Hash Indicator Match with rule_id aab184d3-72b3-4639-b242-6597c99d8bca.
@maximpn maximpn added 8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team triage_needed labels Dec 4, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@banderror banderror mentioned this issue Dec 5, 2024
Open
@maximpn maximpn mentioned this issue Dec 9, 2024
Merged
@dplumlee dplumlee linked a pull request Jan 10, 2025 that will close this issue
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dplumlee dplumlee

Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution] Normalizes filters field before rule diff comparison dplumlee/kibana
4 participants
@maximpn @banderror @elasticmachine @dplumlee