[Security Solution] .siem-signals index continuously rolls over if version in template is higher than built in version #84981

Closed
marshallmain opened this issue Dec 4, 2020 · 0 comments · Fixed by #84982
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Alerts Security Solution Detection Alerts Feature impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@marshallmain

Kibana version:
7.10

Describe the bug:
If the .siem-signals template is manually upgraded to a version higher than the built-in version and also sets mappings._meta.version to a version other than the built-in version (SIGNALS_TEMPLATE_VERSION), then we will roll over the .siem-signals index every time an admin visits the detections page. This is due to the !== check here, whereas the template uses < to check if it needs to be upgraded here.
In this situation the template does not get upgraded, but it continuously tries to upgrade the index, using the same template repeatedly.

Steps to reproduce:

  1. Manually update the .siem-signals template so that version and mappings._meta.version are both greater than the built-in SIGNALS_TEMPLATE_VERSION
  2. Manually trigger a rollover of the .siem-signals index so it picks up the template changes
  3. Observe that the .siem-signals index rolls over again each time you load the detections page

Expected behavior:
Rollover should only occur automatically on loading the detections page if the index version is less than the built-in version.

@marshallmain marshallmain added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Dec 4, 2020
@peluja1012 peluja1012 added Team:Detections and Resp Security Detection Response Team Feature:Detection Alerts Security Solution Detection Alerts Feature labels Dec 4, 2020
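
The mismatch this issue describes, modeled as an added TypeScript example (not Kibana's code and not from the issue author). Every name except SIGNALS_TEMPLATE_VERSION is hypothetical, and the value given to that constant is constructed.

```typescript
// Added illustration of the issue; a simplified model, not Kibana source.
const SIGNALS_TEMPLATE_VERSION = 14; // constructed value standing in for the built-in version

interface Template { version: number; metaVersion: number } // metaVersion = mappings._meta.version
interface Cluster { template: Template; writeIndexVersion: number }

type OutdatedCheck = (indexVersion: number, builtIn: number) => boolean;

// The comparison the issue identifies as the cause of repeated rollovers.
const strictInequality: OutdatedCheck = (v, builtIn) => v !== builtIn;
// The comparison matching the "Expected behavior" section.
const lessThan: OutdatedCheck = (v, builtIn) => v < builtIn;

// A rollover creates a new write index that inherits mappings._meta.version
// from whatever template is currently installed.
function rollover(c: Cluster): void {
  c.writeIndexVersion = c.template.metaVersion;
}

// Models one admin visit to the detections page; returns true if a rollover happened.
function visitDetectionsPage(c: Cluster, indexOutdated: OutdatedCheck): boolean {
  // The template is only replaced when it is older than the built-in one.
  if (c.template.version < SIGNALS_TEMPLATE_VERSION) {
    c.template = { version: SIGNALS_TEMPLATE_VERSION, metaVersion: SIGNALS_TEMPLATE_VERSION };
  }
  if (indexOutdated(c.writeIndexVersion, SIGNALS_TEMPLATE_VERSION)) {
    rollover(c);
    return true;
  }
  return false;
}

// Starts from the state after steps 1 and 2 of the reproduction (template and
// write index both at templateVersion) and counts rollovers over repeated visits.
function countRollovers(templateVersion: number, visits: number, check: OutdatedCheck): number {
  const c: Cluster = {
    template: { version: templateVersion, metaVersion: templateVersion },
    writeIndexVersion: templateVersion,
  };
  let rollovers = 0;
  for (let i = 0; i < visits; i++) {
    if (visitDetectionsPage(c, check)) rollovers++;
  }
  return rollovers;
}
```

With a template one version ahead of the built-in one, `strictInequality` rolls over on every visit because the new index inherits the same higher version, while `lessThan` never rolls over and still performs exactly one rollover when the template is genuinely older.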