[Security Solutions][Detection Engine] Fixes pre-packaged rules which contain exception lists to not overwrite user defined lists #80592
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
FrankHassanabad
added
release_note:skip
|
Pinging @elastic/siem (Team:SIEM) |
yctercero
reviewed
Oct 15, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
yctercero
reviewed
Oct 15, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
yctercero
reviewed
Oct 15, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
yctercero
approved these changes
Oct 15, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rules/get_rules_to_update.test.ts
Outdated
Show resolved
Hide resolved
| @@ -7,15 +7,67 @@ | |||
| import { AddPrepackagedRulesSchemaDecoded } from '../../../../common/detection_engine/schemas/request/add_prepackaged_rules_schema'; | |||
| import { RuleAlertType } from './types'; | |||
|
|
|||
| /** | |||
There was a problem hiding this comment.
This is awesome, thanks for the added context.
| expect(update.exceptions_list).toEqual(ruleFromFileSystem1.exceptions_list); | ||
| }); | ||
|
|
||
| test('should not remove an additional exception_list if an additional one was added by the end user on an immutable rule during an upgrade', () => { |
There was a problem hiding this comment.
Curious, is there a scenario where the rules have mismatching endpoint lists? I don't know exactly what the scenario would be, but curious as to how we might deal with that since right now we can only have one global endpoint list.
There was a problem hiding this comment.
You cannot have a pre-packaged rule which overwrites an existing list or deletes a list only add a new list to the array. Talked to @spong and I think we need to have a way to associate/de-associate lists as well as delete them from a separate UI/UX such as a table very very soon.
| if (installedRule != null && installedRule.params.exceptionsList != null) { | ||
| const installedExceptionList = installedRule.params.exceptionsList; | ||
| const fileSystemExceptions = ruleFromFileSystem.exceptions_list.filter((potentialDuplicate) => | ||
| installedExceptionList.every((item) => item.list_id !== potentialDuplicate.list_id) |
There was a problem hiding this comment.
I think this answers my question from earlier. So in the case of endpoint exception lists, it would flag it as duplicate because we control the endpoint exception list id and nothing should change for the user.
There was a problem hiding this comment.
Yeah, I use list_id as what it should skip if it already exists on the list so we don't accidentally add duplicates. If we end up messing this part up and adding duplicates we are totally 🍞 (toast) as we don't have UI/UX to de-associate lists really as well as delete lists.
FrankHassanabad
changed the title
spong
added
the
bug
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
FrankHassanabad
added a commit
to FrankHassanabad/kibana
that referenced
this pull request
Oct 15, 2020
… contain exception lists to not overwrite user defined lists (elastic#80592) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: elastic#80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad
added a commit
that referenced
this pull request
Oct 15, 2020
… contain exception lists to not overwrite user defined lists (#80592) (#80734) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad
added a commit
that referenced
this pull request
Oct 15, 2020
… contain exception lists to not overwrite user defined lists (#80592) (#80733) ## Summary Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417 * Fixes the merge logic so that any exception lists from pre-packaged rules will be additive if they do not already exist on the rule. User based exception lists will not be lost. * Added new backend integration tests for exception lists that did not exist before including ones that test the functionality of exception lists * Refactored some of the code in the `get_rules_to_update.ts` * Refactored some of the integration tests to use helper utils of `countDownES`, and `countDownTest` which simplify the retry logic within the integration tests * Added unit tests to exercise the bug and then the fix. * Added integration tests that fail this logic and then fixed the logic ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 16, 2020
* master: (115 commits) [ML] Transforms/DF Analytics: Fix data grid column sorting. (elastic#80618) added brace import to vis editor (elastic#80652) Fix error rate sorting in services list (elastic#80764) Emit info log when using custom registry URL (elastic#80768) [Reporting] Config Schema Validation for rules[N].protocol strings (elastic#80766) Add Storybook a11y addon (elastic#80069) Fix anomaly alert selection text (elastic#80746) [Security Solution] [Maps] Kibana index pattern, comma bug fix (elastic#80208) [kbn/optimizer] tweak split chunks options (elastic#80444) update template to use the new team label (elastic#80748) [Security Solution] Fix the Field dropdown in Timeline data providers resets when scrolled (elastic#80718) Adjusts observability alerting perms to require "all" (elastic#79896) [Security Solutions][Detection Engine] Fixes pre-packaged rules which contain exception lists to not overwrite user defined lists (elastic#80592) [data.ui] Fix flaky test & lazy loading rendering artifacts. (elastic#80612) Licensed feature usage for connectors (elastic#77679) [Security Solution] Cypress template creation (elastic#80180) [APM] Hide service if only data is from ML (elastic#80145) Fix role mappings test for ESS (elastic#80604) [Maps] Add support for envelope (elastic#80614) [Security Solution] Update button text according to status (elastic#80389) ...
MindyRS
added
the
Team: SecuritySolution
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a bug where when you update your pre-packaged rules you could end up removing any existing exception lists the user might have already added. See: #80417
get_rules_to_update.tscountDownES, andcountDownTestwhich simplify the retry logic within the integration testsChecklist
Delete any items that are not applicable to this PR.