Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Fixes incorrect from field transform logic in upgrade/_perform route #202824

Merged
merged 8 commits into from
Dec 10, 2024

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Dec 3, 2024

Fixes: #202575
Fixes: #201631
Partially addresses: #202715

Summary

All bugs have the same source

Note

This bug/related fix is only visible with the prebuiltRulesCustomizationEnabled feature flag turned on.

Fixes an issue where unedited prebuilt rules were being marked as "Modified" when upgraded due to a bug in the upgrade/_perform endpoint where the from field was incorrectly calculated via the lookback field. Solves multiple bugs where prebuilt rules were marked as "Modified" incorrectly when they were upgraded

See reproduce steps in related tickets (example)

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area backport:version Backport to applied version labels v8.17.0 v8.18.0 labels Dec 3, 2024
@dplumlee dplumlee self-assigned this Dec 3, 2024
@dplumlee dplumlee requested a review from a team as a code owner December 3, 2024 21:42
@dplumlee dplumlee requested a review from xcrzx December 3, 2024 21:42
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Copy link
Contributor

@xcrzx xcrzx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix, @dplumlee! I tested the changes locally with various upgrade scenarios, including cases with and without conflicts, with or without changes to the rule schedule, and situations where a customization was introduced or rolled back during the upgrade workflow. In all cases, the field was upgraded correctly. So this fix resolves the issue with marking rules as customized.

To address the issue of Kibana crashing (#202715), I’d suggest adding proper error handling in the rule upgrade flyout, but that can be done in a separate PR.

I’ve left a couple of comments regarding code deduplication and moving tests to the integration level. But I don’t consider these critical so I’ll leave it to your discretion.

* @param lookback moment.Moment representing the rule's additional lookback
* @returns moment.Moment representing the rule's 'from' property
*/
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string): number => {

* @param lookback moment.Moment representing the rule's additional lookback
* @returns moment.Moment representing the rule's 'from' property
*/
export const calculateFromValueWithRuleScheduleFields = (interval: string, lookback: string) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would propose to call this function something like - calculateRange or so on.

It does not return from property that can be used in rule straightaway, just time range in seconds. now is added as prefix in another function.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switched the function to return the now-prefixed string

@banderror
Copy link
Contributor

@elasticmachine merge upstream

@banderror banderror added v8.17.1 and removed v8.17.0 labels Dec 6, 2024
@banderror
Copy link
Contributor

@dplumlee Is there anything left to do here before merge? I see a few unresolved comments.

@dplumlee dplumlee force-pushed the upgrade-perform-interval-bug branch from 016f717 to 1c6e505 Compare December 9, 2024 17:02
@dplumlee dplumlee enabled auto-merge (squash) December 9, 2024 17:02
@dplumlee
Copy link
Contributor Author

dplumlee commented Dec 9, 2024

@elasticmachine merge upstream

@dplumlee
Copy link
Contributor Author

dplumlee commented Dec 9, 2024

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

elasticmachine commented Dec 9, 2024

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #59 / Observability AI Assistant API tests public_complete/public_complete.spec.ts /api/observability_ai_assistant/chat/complete after executing an action closes the stream without persisting the conversation
  • [job] [logs] FTR Configs #59 / Observability AI Assistant API tests public_complete/public_complete.spec.ts /api/observability_ai_assistant/chat/complete with openai format ouputs one chunk, and one [DONE] event
  • [job] [logs] FTR Configs #69 / serverless search UI connectors connector table confirm searchBar to exist
  • [job] [logs] FTR Configs #69 / serverless search UI connectors connector table confirm searchBar to exist

Metrics [docs]

✅ unchanged

History

cc @dplumlee

@dplumlee
Copy link
Contributor Author

dplumlee commented Dec 9, 2024

@elasticmachine merge upstream

@dplumlee dplumlee merged commit 93112b9 into elastic:main Dec 10, 2024
8 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.17, 8.x

https://github.com/elastic/kibana/actions/runs/12247333721

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 10, 2024
…upgrade/_perform` route (elastic#202824)

**Fixes: elastic#202575
**Fixes: elastic#201631
**Partially addresses: elastic#202715

## Summary

All bugs have the same source

> [!NOTE]
> This bug/related fix is only visible with the
`prebuiltRulesCustomizationEnabled` feature flag turned on.

Fixes an issue where unedited prebuilt rules were being marked as
"Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint
where the `from` field was incorrectly calculated via the `lookback`
field. Solves multiple bugs where prebuilt rules were marked as
"Modified" incorrectly when they were upgraded

See reproduce steps in related tickets
([example](elastic#202575 (comment)))

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 93112b9)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 10, 2024
…upgrade/_perform` route (elastic#202824)

**Fixes: elastic#202575
**Fixes: elastic#201631
**Partially addresses: elastic#202715

## Summary

All bugs have the same source

> [!NOTE]
> This bug/related fix is only visible with the
`prebuiltRulesCustomizationEnabled` feature flag turned on.

Fixes an issue where unedited prebuilt rules were being marked as
"Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint
where the `from` field was incorrectly calculated via the `lookback`
field. Solves multiple bugs where prebuilt rules were marked as
"Modified" incorrectly when they were upgraded

See reproduce steps in related tickets
([example](elastic#202575 (comment)))

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 93112b9)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.17
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 10, 2024
…nsform logic in `upgrade/_perform` route (#202824) (#203506)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Security Solution] Fixes incorrect `from` field transform
logic in `upgrade/_perform` route
(#202824)](#202824)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-10T01:06:12Z","message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0","v8.17.1"],"title":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform`
route","number":202824,"url":"https://github.com/elastic/kibana/pull/202824","mergeCommit":{"message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202824","number":202824,"mergeCommit":{"message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
kibanamachine added a commit that referenced this pull request Dec 10, 2024
…sform logic in &#x60;upgrade/_perform&#x60; route (#202824) (#203507)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fixes incorrect &#x60;from&#x60; field transform
logic in &#x60;upgrade/_perform&#x60; route
(#202824)](#202824)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Davis
Plumlee","email":"56367316+dplumlee@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-10T01:06:12Z","message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0","v8.17.1"],"title":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform`
route","number":202824,"url":"https://github.com/elastic/kibana/pull/202824","mergeCommit":{"message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x","8.17"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202824","number":202824,"mergeCommit":{"message":"[Security
Solution] Fixes incorrect `from` field transform logic in
`upgrade/_perform` route (#202824)\n\n**Fixes:
https://github.com/elastic/kibana/issues/202575**\r\n**Fixes:
https://github.com/elastic/kibana/issues/201631**\r\n**Partially
addresses: https://github.com/elastic/kibana/issues/202715**\r\n\r\n##
Summary\r\n\r\nAll bugs have the same source\r\n\r\n> [!NOTE] \r\n> This
bug/related fix is only visible with
the\r\n`prebuiltRulesCustomizationEnabled` feature flag turned
on.\r\n\r\nFixes an issue where unedited prebuilt rules were being
marked as\r\n\"Modified\" when upgraded due to a bug in the
`upgrade/_perform` endpoint\r\nwhere the `from` field was incorrectly
calculated via the `lookback`\r\nfield. Solves multiple bugs where
prebuilt rules were marked as\r\n\"Modified\" incorrectly when they were
upgraded\r\n\r\nSee reproduce steps in related
tickets\r\n([example](https://github.com/elastic/kibana/issues/202575#issue-2713226478))\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"93112b9d968ab8ed0d19de2250c14cece07dba5e"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
@dplumlee dplumlee deleted the upgrade-perform-interval-bug branch December 10, 2024 16:04
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…upgrade/_perform` route (elastic#202824)

**Fixes: elastic#202575
**Fixes: elastic#201631
**Partially addresses: elastic#202715

## Summary

All bugs have the same source

> [!NOTE]  
> This bug/related fix is only visible with the
`prebuiltRulesCustomizationEnabled` feature flag turned on.

Fixes an issue where unedited prebuilt rules were being marked as
"Modified" when upgraded due to a bug in the `upgrade/_perform` endpoint
where the `from` field was incorrectly calculated via the `lookback`
field. Solves multiple bugs where prebuilt rules were marked as
"Modified" incorrectly when they were upgraded

See reproduce steps in related tickets
([example](elastic#202575 (comment)))

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:version Backport to applied version labels bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.17.0 v8.17.1 v8.18.0 v9.0.0
Projects
None yet
6 participants