-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Fixes incorrect from
field transform logic in upgrade/_perform
route
#202824
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
...ib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the fix, @dplumlee! I tested the changes locally with various upgrade scenarios, including cases with and without conflicts, with or without changes to the rule schedule, and situations where a customization was introduced or rolled back during the upgrade workflow. In all cases, the field was upgraded correctly. So this fix resolves the issue with marking rules as customized.
To address the issue of Kibana crashing (#202715), I’d suggest adding proper error handling in the rule upgrade flyout, but that can be done in a separate PR.
I’ve left a couple of comments regarding code deduplication and moving tests to the integration level. But I don’t consider these critical so I’ll leave it to your discretion.
...tection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.test.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
Outdated
Show resolved
Hide resolved
* @param lookback moment.Moment representing the rule's additional lookback | ||
* @returns moment.Moment representing the rule's 'from' property | ||
*/ | ||
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => { | |
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string): number => { |
x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
Outdated
Show resolved
Hide resolved
* @param lookback moment.Moment representing the rule's additional lookback | ||
* @returns moment.Moment representing the rule's 'from' property | ||
*/ | ||
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would propose to call this function something like - calculateRange
or so on.
It does not return from
property that can be used in rule straightaway, just time range in seconds. now
is added as prefix in another function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Switched the function to return the now-prefixed string
x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/utils.test.ts
Show resolved
Hide resolved
@elasticmachine merge upstream |
@dplumlee Is there anything left to do here before merge? I see a few unresolved comments. |
016f717
to
1c6e505
Compare
@elasticmachine merge upstream |
@elasticmachine merge upstream |
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]
History
cc @dplumlee |
@elasticmachine merge upstream |
Starting backport for target branches: 8.17, 8.x |
…upgrade/_perform` route (elastic#202824) **Fixes: elastic#202575 **Fixes: elastic#201631 **Partially addresses: elastic#202715 ## Summary All bugs have the same source > [!NOTE] > This bug/related fix is only visible with the `prebuiltRulesCustomizationEnabled` feature flag turned on. Fixes an issue where unedited prebuilt rules were being marked as "Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint where the `from` field was incorrectly calculated via the `lookback` field. Solves multiple bugs where prebuilt rules were marked as "Modified" incorrectly when they were upgraded See reproduce steps in related tickets ([example](elastic#202575 (comment))) ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 93112b9)
…upgrade/_perform` route (elastic#202824) **Fixes: elastic#202575 **Fixes: elastic#201631 **Partially addresses: elastic#202715 ## Summary All bugs have the same source > [!NOTE] > This bug/related fix is only visible with the `prebuiltRulesCustomizationEnabled` feature flag turned on. Fixes an issue where unedited prebuilt rules were being marked as "Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint where the `from` field was incorrectly calculated via the `lookback` field. Solves multiple bugs where prebuilt rules were marked as "Modified" incorrectly when they were upgraded See reproduce steps in related tickets ([example](elastic#202575 (comment))) ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 93112b9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…nsform logic in `upgrade/_perform` route (#202824) (#203506) # Backport This will backport the following commits from `main` to `8.17`: - [[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)](#202824) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-10T01:06:12Z","message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v8.17.1"],"title":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route","number":202824,"url":"https://github.com/elastic/kibana/pull/202824","mergeCommit":{"message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202824","number":202824,"mergeCommit":{"message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
…sform logic in `upgrade/_perform` route (#202824) (#203507) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)](#202824) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-10T01:06:12Z","message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v8.17.1"],"title":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route","number":202824,"url":"https://github.com/elastic/kibana/pull/202824","mergeCommit":{"message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202824","number":202824,"mergeCommit":{"message":"[Security Solution] Fixes incorrect `from` field transform logic in `upgrade/_perform` route (#202824)\n\n**Fixes: https://github.com/elastic/kibana/issues/202575**\r\n**Fixes: https://github.com/elastic/kibana/issues/201631**\r\n**Partially addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n## Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This bug/related fix is only visible with the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned on.\r\n\r\nFixes an issue where unedited prebuilt rules were being marked as\r\n\"Modified\" when upgraded due to a bug in the `upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly calculated via the `lookback`\r\nfield. Solves multiple bugs where prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were upgraded\r\n\r\nSee reproduce steps in related tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\nReviewers should verify this PR satisfies this list as well.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
…upgrade/_perform` route (elastic#202824) **Fixes: elastic#202575 **Fixes: elastic#201631 **Partially addresses: elastic#202715 ## Summary All bugs have the same source > [!NOTE] > This bug/related fix is only visible with the `prebuiltRulesCustomizationEnabled` feature flag turned on. Fixes an issue where unedited prebuilt rules were being marked as "Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint where the `from` field was incorrectly calculated via the `lookback` field. Solves multiple bugs where prebuilt rules were marked as "Modified" incorrectly when they were upgraded See reproduce steps in related tickets ([example](elastic#202575 (comment))) ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Fixes: #202575
Fixes: #201631
Partially addresses: #202715
Summary
All bugs have the same source
Note
This bug/related fix is only visible with the
prebuiltRulesCustomizationEnabled
feature flag turned on.Fixes an issue where unedited prebuilt rules were being marked as "Modified" when upgraded due to a bug in the
upgrade/_perform
endpoint where thefrom
field was incorrectly calculated via thelookback
field. Solves multiple bugs where prebuilt rules were marked as "Modified" incorrectly when they were upgradedSee reproduce steps in related tickets (example)
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.