Skip to content

Commit

Permalink
[8.x] [Security Solution] Fix inability to unset optional field values (
Browse files Browse the repository at this point in the history
elastic#204231) (elastic#205041)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix inability to unset optional field values
(elastic#204231)](elastic#204231)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2024-12-20T12:26:50Z","message":"[Security
Solution] Fix inability to unset optional field values
(elastic#204231)\n\n**Resolves:
https://github.com/elastic/kibana/issues/203634**\r\n\r\n##
Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field
values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges
here cover 3 groups of fields optional, string fields allowing\r\nempty
strings and array fields allowing empty arrays. It was verified\r\nthat
fields in that groups allow to unset the value.\r\n\r\nThe following
issues were fixed\r\n- inability to set an empty string or `setup` and
`note` fields\r\nIt required adding `stripEmptyFields: false` for rule
upgrade fields\r\nedit form.\r\n- inability to unset
`timestamp_override` field\r\n Timestamp override form deserializer was
fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression
was excluded from special special fields list always\r\nupgrading to the
current value. It's expected Alert Suppression won't be\r\nincluded in
Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to
get this setting and have it included in rule upgrade flyout\r\nis
editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe
following fields were verified and fixed where necessary\r\n\r\n###
Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅
`rule_name_override`\r\n- ⚠️ `timestamp_override` (field's form
deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅
`building_block`\r\n- ⚠️ `alert_suppression` (the field was excluded
from special special\r\nfields list always upgrading to the current
value)\r\n- ✅ `threat_indicator_path` (empty value resets to
default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty
strings\r\n\r\n- ⚠️ `note` (required adding `stripEmptyFields: false` to
the form)\r\n- ⚠️ `setup` (required adding `stripEmptyFields: false` to
the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅
`tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n-
✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅
`severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n##
Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09
15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n##
How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled`
feature flag is enabled\r\n- Allow internal APIs via adding
`server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear
Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not
open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the
`security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST
--user elastic:changeme -H 'Content-Type: application/json' -H
'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d
'{\"force\":true}'
http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n-
Install prebuilt rules\r\n```bash\r\ncurl -X POST --user
elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'
-H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'
http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n-
Customize one or more rules (change fields to see them in rule
upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset
field values\r\n- Upgrade
rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","impact:high","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0"],"title":"[Security Solution] Fix
inability to unset optional field
values","number":204231,"url":"https://github.com/elastic/kibana/pull/204231","mergeCommit":{"message":"[Security
Solution] Fix inability to unset optional field values
(elastic#204231)\n\n**Resolves:
https://github.com/elastic/kibana/issues/203634**\r\n\r\n##
Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field
values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges
here cover 3 groups of fields optional, string fields allowing\r\nempty
strings and array fields allowing empty arrays. It was verified\r\nthat
fields in that groups allow to unset the value.\r\n\r\nThe following
issues were fixed\r\n- inability to set an empty string or `setup` and
`note` fields\r\nIt required adding `stripEmptyFields: false` for rule
upgrade fields\r\nedit form.\r\n- inability to unset
`timestamp_override` field\r\n Timestamp override form deserializer was
fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression
was excluded from special special fields list always\r\nupgrading to the
current value. It's expected Alert Suppression won't be\r\nincluded in
Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to
get this setting and have it included in rule upgrade flyout\r\nis
editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe
following fields were verified and fixed where necessary\r\n\r\n###
Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅
`rule_name_override`\r\n- ⚠️ `timestamp_override` (field's form
deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅
`building_block`\r\n- ⚠️ `alert_suppression` (the field was excluded
from special special\r\nfields list always upgrading to the current
value)\r\n- ✅ `threat_indicator_path` (empty value resets to
default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty
strings\r\n\r\n- ⚠️ `note` (required adding `stripEmptyFields: false` to
the form)\r\n- ⚠️ `setup` (required adding `stripEmptyFields: false` to
the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅
`tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n-
✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅
`severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n##
Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09
15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n##
How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled`
feature flag is enabled\r\n- Allow internal APIs via adding
`server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear
Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not
open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the
`security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST
--user elastic:changeme -H 'Content-Type: application/json' -H
'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d
'{\"force\":true}'
http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n-
Install prebuilt rules\r\n```bash\r\ncurl -X POST --user
elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'
-H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'
http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n-
Customize one or more rules (change fields to see them in rule
upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset
field values\r\n- Upgrade
rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/204231","number":204231,"mergeCommit":{"message":"[Security
Solution] Fix inability to unset optional field values
(elastic#204231)\n\n**Resolves:
https://github.com/elastic/kibana/issues/203634**\r\n\r\n##
Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field
values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges
here cover 3 groups of fields optional, string fields allowing\r\nempty
strings and array fields allowing empty arrays. It was verified\r\nthat
fields in that groups allow to unset the value.\r\n\r\nThe following
issues were fixed\r\n- inability to set an empty string or `setup` and
`note` fields\r\nIt required adding `stripEmptyFields: false` for rule
upgrade fields\r\nedit form.\r\n- inability to unset
`timestamp_override` field\r\n Timestamp override form deserializer was
fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression
was excluded from special special fields list always\r\nupgrading to the
current value. It's expected Alert Suppression won't be\r\nincluded in
Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to
get this setting and have it included in rule upgrade flyout\r\nis
editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe
following fields were verified and fixed where necessary\r\n\r\n###
Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅
`rule_name_override`\r\n- ⚠️ `timestamp_override` (field's form
deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅
`building_block`\r\n- ⚠️ `alert_suppression` (the field was excluded
from special special\r\nfields list always upgrading to the current
value)\r\n- ✅ `threat_indicator_path` (empty value resets to
default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty
strings\r\n\r\n- ⚠️ `note` (required adding `stripEmptyFields: false` to
the form)\r\n- ⚠️ `setup` (required adding `stripEmptyFields: false` to
the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅
`tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n-
✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅
`severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n##
Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09
15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n##
How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled`
feature flag is enabled\r\n- Allow internal APIs via adding
`server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear
Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not
open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the
`security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST
--user elastic:changeme -H 'Content-Type: application/json' -H
'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d
'{\"force\":true}'
http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n-
Install prebuilt rules\r\n```bash\r\ncurl -X POST --user
elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'
-H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'
http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n-
Customize one or more rules (change fields to see them in rule
upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset
field values\r\n- Upgrade
rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine
<elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
  • Loading branch information
kibanamachine and maximpn authored Dec 20, 2024
1 parent fc6c64b commit 7d91aff
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,6 @@ export const PickVersionValuesEnum = PickVersionValues.enum;
export const FIELDS_TO_UPGRADE_TO_CURRENT_VERSION = [
'enabled',
'exceptions_list',
'alert_suppression',
'actions',
'throttle',
'response_actions',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ export function RuleFieldEditFormWrapper({
onSubmit: handleSubmit,
options: {
warningValidationCodes: VALIDATION_WARNING_CODES,
stripEmptyFields: false,
},
});

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,10 +72,11 @@ function TimestampFallbackDisabled() {
return null;
}

export function timestampOverrideDeserializer(defaultValue: FormData) {
export function timestampOverrideDeserializer(_: unknown, finalDiffableRule: DiffableRule) {
return {
timestampOverride: defaultValue.timestamp_override.field_name,
timestampOverrideFallbackDisabled: defaultValue.timestamp_override.fallback_disabled ?? false,
timestampOverride: finalDiffableRule.timestamp_override?.field_name,
timestampOverrideFallbackDisabled:
finalDiffableRule.timestamp_override?.fallback_disabled ?? false,
};
}

Expand Down

0 comments on commit 7d91aff

Please sign in to comment.