
[Security Solution] Prebuilt rule customization is lost on upgrade when Base version is missing #201500

Open
Tracked by #201502
banderror opened this issue Nov 23, 2024 · 4 comments
Labels
8.18 candidate bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0

Comments

banderror commented Nov 23, 2024

Epic: #174168
Should be fixed by: #187645
Related to: #200285

Summary

Note

The affected functionality is hidden behind the prebuiltRulesCustomizationEnabled feature flag.

Currently, when you customize a prebuilt rule which has an "update" (can be upgraded to a new version), and the customized field in the Target version is unchanged compared to the Base one, on upgrade the diff algorithm picks the Target version as the Final one, which effectively resets the user customization.

Steps to reproduce (example for the tags field):

  • In the Base version of a prebuilt rule let's say you had some tags, e.g. ['foo', 'bar'].
  • You customized this rule and removed all tags from it.
  • In the Current version you now have an empty array of tags: [].
  • In the Target version from Elastic these tags were not changed and stay the same: ['foo', 'bar'].

Expected result:

The diff algorithm should keep the user customization and pick the Current version as the Final one: [].

Actual result:

The diff algorithm picks the Target version as the Final one: ['foo', 'bar']. Which is incorrect by itself (the user loses their customization, although it's possible to restore it manually in the Upgrade flyout) and also generates a confusing diff that is shown by default between the Current and the Final versions.

Screenshots

Example video (attachment): Screen.Recording.2024-11-14.at.3.57.45.PM.mov

Reason

Currently, this bug exists because the Base version doesn't exist in most cases. Without the Base version, the diff algorithm:

  • identifies the upgrade case as -AB with a SOLVABLE conflict
  • cannot know for sure if it should keep the user customization (A) or the Target version (B) as the Final one
  • and so it picks the Target version


The reason for the missing Base version is: our Fleet package with prebuilt rules currently doesn't ship all historical versions of prebuilt rules. We're working with the TRADE team on fixing this (#187645, elastic/detection-rules#4150 (comment)) and this is a release blocker.
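The following is an added illustration, not Kibana's own diff code, of the Base / Current / Target / Final logic the issue describes for an array-valued field such as tags. It models the outcome labels the issue uses (ABA, -AB, SOLVABLE conflict) and reproduces the tags scenario both with and without a Base version. The function names (diffArrayField, tagsScenario, mergeArrays) and the set-style merge used for the ABC case are assumptions made for this example; the sample values are constructed from the reproduction steps above.

```typescript
// Added example: simplified three-way diff for an array field of a prebuilt rule.
// Not Kibana's implementation; names and the ABC merge strategy are assumptions.

type ConflictState = "NO_CONFLICT" | "SOLVABLE_CONFLICT";

interface FieldDiffOutcome {
  outcome: string;        // AAA, AAB, ABA, ABB, ABC, -AA, -AB (positions: Base, Current, Target)
  finalVersion: string[]; // the value the upgrade would write
  conflict: ConflictState;
}

// Order-insensitive equality for a scalar array field.
function sameSet(a: string[], b: string[]): boolean {
  const sa = [...a].sort();
  const sb = [...b].sort();
  return sa.length === sb.length && sa.every((v, i) => v === sb[i]);
}

// ABC case: start from Base, apply removals and additions made on either side.
// Assumption: one reasonable merge for scalar arrays, not necessarily Kibana's.
function mergeArrays(base: string[], current: string[], target: string[]): string[] {
  const inBase = new Set(base);
  const removed = new Set([
    ...base.filter((v) => !current.includes(v)),
    ...base.filter((v) => !target.includes(v)),
  ]);
  const added = [...current, ...target].filter((v) => !inBase.has(v));
  return Array.from(new Set([...base.filter((v) => !removed.has(v)), ...added]));
}

function diffArrayField(
  base: string[] | undefined,
  current: string[],
  target: string[]
): FieldDiffOutcome {
  if (base === undefined) {
    // No Base version: the algorithm cannot tell whether the difference between
    // Current and Target is a user customization or an Elastic change.
    if (sameSet(current, target)) {
      return { outcome: "-AA", finalVersion: current, conflict: "NO_CONFLICT" };
    }
    // The branch this issue is about: Target wins and the customization is dropped.
    return { outcome: "-AB", finalVersion: target, conflict: "SOLVABLE_CONFLICT" };
  }
  const baseEqCurrent = sameSet(base, current);
  const baseEqTarget = sameSet(base, target);
  if (baseEqCurrent && baseEqTarget) {
    return { outcome: "AAA", finalVersion: current, conflict: "NO_CONFLICT" };
  }
  if (baseEqCurrent) {
    // Only Elastic changed the field: take the Target version.
    return { outcome: "AAB", finalVersion: target, conflict: "NO_CONFLICT" };
  }
  if (baseEqTarget) {
    // Only the user changed the field: keep the customization.
    return { outcome: "ABA", finalVersion: current, conflict: "NO_CONFLICT" };
  }
  if (sameSet(current, target)) {
    return { outcome: "ABB", finalVersion: current, conflict: "NO_CONFLICT" };
  }
  return { outcome: "ABC", finalVersion: mergeArrays(base, current, target), conflict: "SOLVABLE_CONFLICT" };
}

// The tags scenario from the reproduction steps (constructed sample data).
function tagsScenario(baseAvailable: boolean): FieldDiffOutcome {
  const base = ["foo", "bar"];   // tags shipped in the Base version
  const current: string[] = [];  // the user removed every tag
  const target = ["foo", "bar"]; // Target version from Elastic leaves tags unchanged
  return diffArrayField(baseAvailable ? base : undefined, current, target);
}

console.log("with Base:   ", tagsScenario(true));
console.log("without Base:", tagsScenario(false));
```

With the Base version present the field is classified ABA and the Final value is the user's empty array; without it the same inputs fall into -AB and the Final value is the Target's tags, which is the reset described above.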

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror (Author)

@xcrzx Idea discussed via zoom: we should disallow updating version for prebuilt rules in both rule update endpoints (PUT, PATCH).
