
[Security Solution] KQL/Lucene Query bar filters generate diff when saved without changes in Prebuilt Rule Customization workflow #202966

@maximpn

Description

Summary

The query bar for editing a KQL/Lucene query allows managing query filters. Some prebuilt rules have such filters. Saving the query bar with filters leads to extra fields like alias: null appearing in the diff. Saving the rule edit form without any changes leads to the same result.
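As an added illustration (this is not code from the Kibana repository), the TypeScript below models why a filter that merely round-trips through the query bar can show up as changed: the editor writes a default such as alias: null into the filter's meta object, and a byte-for-byte comparison against the stored rule then reports a diff. The filter shapes are constructed to mirror the behaviour described above, and dropping null-valued keys before comparing is one way a diff routine can avoid the false positive while still catching a real edit; it is shown here as an assumption, not as how Kibana resolves the issue.

```typescript
// Added example, not Kibana code. Models a stored rule filter, the same filter after a
// round trip through the query bar, and a genuinely edited filter, then compares them
// with and without normalization.

type JsonValue = null | boolean | number | string | JsonValue[] | { [key: string]: JsonValue };

// Constructed: a phrase filter in the shape a rule's stored KQL filter might have (assumption).
const storedFilter: JsonValue = {
  meta: { negate: false, disabled: false, type: 'phrase', key: 'event.category', params: { query: 'file' } },
  query: { match_phrase: { 'event.category': 'file' } },
};

// Constructed: the same filter after saving the query bar without edits; the editor
// has added `alias: null`, as described in the issue.
const roundTrippedFilter: JsonValue = {
  meta: { negate: false, disabled: false, type: 'phrase', key: 'event.category', params: { query: 'file' }, alias: null },
  query: { match_phrase: { 'event.category': 'file' } },
};

// Constructed: a real edit (the matched value changed), which a diff must still report.
const editedFilter: JsonValue = {
  meta: { negate: false, disabled: false, type: 'phrase', key: 'event.category', params: { query: 'process' }, alias: null },
  query: { match_phrase: { 'event.category': 'process' } },
};

// Serialize with sorted object keys so that key order alone never produces a difference.
function stableStringify(value: JsonValue): string {
  if (value === null || typeof value !== 'object') {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return '[' + value.map(stableStringify).join(',') + ']';
  }
  const keys = Object.keys(value).sort();
  return '{' + keys.map((k) => JSON.stringify(k) + ':' + stableStringify(value[k])).join(',') + '}';
}

// Remove keys whose value is null (or undefined) at every depth. For a filter these keys
// carry no information; they are editor defaults, so they should not count as a change.
function normalizeFilter(value: JsonValue): JsonValue {
  if (value === null || typeof value !== 'object') {
    return value;
  }
  if (Array.isArray(value)) {
    return value.map(normalizeFilter);
  }
  const out: { [key: string]: JsonValue } = {};
  for (const [k, v] of Object.entries(value)) {
    if (v === null || v === undefined) {
      continue;
    }
    out[k] = normalizeFilter(v);
  }
  return out;
}

// Naive comparison: reports the round-tripped filter as changed because of `alias: null`.
function naiveFiltersDiffer(a: JsonValue, b: JsonValue): boolean {
  return stableStringify(a) !== stableStringify(b);
}

// Normalized comparison: ignores null-valued defaults but still detects a real edit.
function filtersDiffer(a: JsonValue, b: JsonValue): boolean {
  return stableStringify(normalizeFilter(a)) !== stableStringify(normalizeFilter(b));
}

console.log('naive, unchanged filter:', naiveFiltersDiffer(storedFilter, roundTrippedFilter));   // true (spurious diff)
console.log('normalized, unchanged filter:', filtersDiffer(storedFilter, roundTrippedFilter));   // false
console.log('normalized, edited filter:', filtersDiffer(storedFilter, editedFilter));            // true
```

The point of normalizing before comparing, rather than after, is that the stored form and the edited form are brought to the same canonical shape first, so the diff only reflects what the user actually changed.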

Steps to reproduce:

  1. Set up the environment as described below
  2. Open Threat Intel Hash Indicator Match rule in rule update preview flyout
  3. Edit the KQL query and save

Expected behavior: There is NO diff in the query filters

Actual behavior: There is a diff in the query filters

Screenshots: (screenshot attached to the original issue)

The video below demonstrates how changes to the threat query appear even without actual changes while editing a rule in the rule form.

Screen.Recording.2024-12-17.at.20.20.15.mov

Set up the environment

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled
  • Allow internal APIs by adding server.restrictInternalApis: false to kibana.dev.yaml
  • Clear Elasticsearch data
  • Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
  • Install an outdated version of the security_detection_engine Fleet package:

    curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1

  • Install prebuilt rules:

    curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform

  • Open a threat_match rule for editing, for example Threat Intel Hash Indicator Match with rule_id aab184d3-72b3-4639-b242-6597c99d8bca.

Labels

  • 8.18 candidate
  • Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product.)
  • v8.18.0
