-
Notifications
You must be signed in to change notification settings - Fork 518
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug] Package v8.16.2
contains new rule versions without updates
#4276
Comments
These are min_stack version updates 🙂 Part of the PR With the changing requirements of the integration versions, we identify the kibana version to minstack for rules. Where no query contents are changed in this case. Will be presenting this into todays Simplified Protections Management Theme Working Group meeting |
Notable Debugging and Root Cause Identification
|
Spot Check on My Test Stack
Also out of the 26 rules reported by @banderror , I was able to reproduce only 6 of them :), the rest of them seem to render the right set of information for me |
I see the same behavior as @banderror. @shashank-elastic I will share the instance where you can check. I see both issues - missing integration, and no changes in any rule fields. The rendering depends on the rule version you currently have, since you skipped some updates - there are more changes accumulated that you can view in diff. |
@banderror @approksiu There are two issues.
|
@Mikaayenson thanks! Are there plans to fix ES|QL rules build time field issues? |
@Mikaayenson Yes thats true I was able to drill dow to the source of the First Version of the File that was added in release https://github.com/elastic/ia-trade-team/issues/388 The very first version of the rule, https://github.com/elastic/integrations/pull/10239/files#diff-0208dd40dfe6b85cb7f8bdba6bcd7305d84f9303bbf86514c8a0f9624157a8de does not have the related integrations_field. To confirm the same here is another ESQL rule sample |
Have created a PR to fix even.dataset -#4278 |
@approksiu From your test stack I was able to reproduce the issue on the UI. But from the asset perspective all the necessary required fields for related_integrations are rightly populated in non ES|QL supported rules. Looking at the custom package that we created to test smart limits the only major difference we see is the json format But all of the required information is rightly populated. If we move to the latest version 8.16.2-beta.2 the file format is rectified https://github.com/elastic/integrations/pull/11900/files#diff-c0d42a1b673f8da2e46f126338934d5466bd7c9eb1f740f02870e4d3b2c5f238 But its unclear weather this is causing the issue, and since am not upgrading from a smart limit package, I may not be seeing this issue as in your stack or @banderror stack From @approksiu Test Stack From @shashank-elastic Test Stack Also please not am moving from version 1--> 103 and the other stack is moving from 2 --> 103. One possible way to look at this is we are trying to diff from v8.16.2-beta.1 which was a custom package only to test smart limits, released ad-hoc. So a conclusive debugging would be
Having said that, v8.16.2-beta.1 was temporary only a beta package to test smart limits and we have override that with the latest GA package so customers seeing this would be highly unlikely! |
@approksiu We do not have plans to fix ES|QL build time fields. Going back to Mar 2023 we were recommended by the ESQL team to build a python parser in-house. We do not have the capacity to do this, and any ad-hoc approach will result in bugs/tech debt. We still do need this parser if we want to ship the build time fields (related integrations, required fields, etc) in a scalable and reliable way. One alternative would be to parse ESQL rules in kibana since it's already available and extract the build time fields. In a previous POC I explored in detail the LOE to develop and maintain a parser and it quickly became evident that we didn't have to the capacity to develop/maintain this. We need help / resources for this gap. One stop gap for the related integrations field would be:
Important For any chances to our detection engineering workflows, we ( @elastic/threat-research-and-detection-engineering ) will need to discuss internally to minimize impact. Also, minor note, these two ideas will still not address the required fields issue. |
Thanks for looking into it @Mikaayenson @shashank-elastic @approksiu! A few comments on the above:
I think it would be more correct to say that we diff rule versions between each other, not packages. Let's break this example down. If a new However, the fact that these versions If we abstract away from prerelease and release package, I think there would be a few rules of thumb:
This also sounds a bit suspicious. Are you saying that we added some fake rule versions to the
The concern here is not about having or not having I think the latter should be fixed on the detection-rules repo side. As far as I understand, when we bump an integration's version, we update the corresponding prebuilt rules that indirectly depend on this integration via rule query, and increment their versions. So, if we can't parse ES|QL queries yet, we shouldn't be incrementing ES|QL rules versions as part of this process.
Great, thanks! I'm going to re-test the upgrade workflow with the new |
@banderror we never introduced any fake rule versions, we followed the beta release package process like we do for our rule set and add historical versions of the rule, like mentioned in #4150 (comment). |
@shashank-elastic Thank you, got it. I also just updated my comment above because I noticed a few mistakes from my side. Corrected. |
Related to: elastic/kibana#201825 (review)
Summary
In Kibana, I upgraded the package with prebuilt rules from
v8.16.2-beta.1
tov8.16.2
and got 64 detection rules that can be upgraded via the Security Solution UI. Out of those 64 rules, there were 26 rules that had only theversion
field bumped from something like 2 or 3 to something like 100+, and there were no other changes to rule fields in these newer versions of rules.Here's an example of how such rules are displayed in the rule upgrade UI:
To Reproduce
On way to reproduce this when testing it with the local Kibana: elastic/kibana#201825 (review)
Expected Behavior
In the package with prebuilt rules, we shouldn't release a new rule version if it doesn't have any changes to any other rule parameters, compared to the previous version of the rule.
Problematic rules
Here's the full list of rules with updated
version
and no updates to any other fields:The text was updated successfully, but these errors were encountered: