
[SIEM][Detection Engine] critical blocker, fixes ordering issue that causes rules to not run the first time #56230

Merged
merged 2 commits into from
Jan 28, 2020

Conversation

FrankHassanabad

@FrankHassanabad FrankHassanabad commented Jan 28, 2020

Summary

Fixes ordering issue that @mikecote found for us with rules where we need to first update the rule before trying to enable it so there aren't issues with API keys.

These types of errors should no longer be seen:

{"type":"log","@timestamp":"2020-01-11T09:06:25-07:00","tags":["error","plugins","siem"],"pid":61190,"message":"Error from signal rule name: \"Windows Execution via Connection Manager\", id: \"0624c880-8e64-4c7c-90b4-226b77311ac4\", rule_id: \"f2728299-167a-489c-913c-2e0955ac3c40\" message: [security_exception] missing authentication credentials for REST request [/auditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Testing:

./hard_reset.sh

Then load the pre-packaged rules and enable them all at once. Ensure you don't see any errors such as the ones above.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately
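The testing step above asks you to confirm that no such errors appear once every pre-packaged rule has been enabled. As an added example that is not part of the PR, the following Python check scans Kibana's JSON log output for SIEM signal-rule errors caused by a missing-authentication `security_exception` and reports the affected rule name, id and rule_id; the sample log is constructed around the line quoted above, and the other lines in it are made up.

```python
import json
import re
from typing import Iterator

# Constructed sample in the JSON log shape Kibana writes. The first error line is the
# one quoted in the PR; the other three lines are made up to exercise the filter.
SAMPLE_LOG = r'''
log   [09:06:24.000] [info][listening] Server running at http://localhost:5601
{"type":"log","@timestamp":"2020-01-11T09:06:25-07:00","tags":["error","plugins","siem"],"pid":61190,"message":"Error from signal rule name: \"Windows Execution via Connection Manager\", id: \"0624c880-8e64-4c7c-90b4-226b77311ac4\", rule_id: \"f2728299-167a-489c-913c-2e0955ac3c40\" message: [security_exception] missing authentication credentials for REST request [/auditbeat-*%2Cendgame-*%2Cfilebeat-*%2Cpacketbeat-*%2Cwinlogbeat-*/_search?allow_no_indices=true&size=100&ignore_unavailable=true], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
{"type":"log","@timestamp":"2020-01-11T09:06:26-07:00","tags":["error","plugins","siem"],"pid":61190,"message":"Error from signal rule name: \"Constructed Rule\", id: \"00000000-0000-0000-0000-000000000001\", rule_id: \"constructed-rule-id\" message: [index_not_found_exception] no such index [constructed-*]"}
{"type":"log","@timestamp":"2020-01-11T09:06:27-07:00","tags":["info","plugins","siem"],"pid":61190,"message":"constructed: signal rule run completed"}
'''

# Substring that identifies the API-key failure mode described in the PR.
AUTH_FAILURE = "missing authentication credentials"

# Shape of the message the SIEM signal-rule executor logs on failure (see the quoted line).
RULE_ERROR = re.compile(
    r'Error from signal rule name: "(?P<name>.*?)", id: "(?P<id>[^"]+)", '
    r'rule_id: "(?P<rule_id>[^"]+)" message: (?P<detail>.*)',
    re.S,
)


def parse_kibana_log(text: str) -> Iterator[dict]:
    """Yield the JSON log entries in `text`, skipping plain-text and malformed lines."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # e.g. startup banners are not JSON
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def find_rule_auth_failures(text: str) -> list[dict]:
    """Return one record per SIEM signal-rule error caused by missing credentials."""
    failures = []
    for entry in parse_kibana_log(text):
        tags = entry.get("tags", [])
        if "error" not in tags or "siem" not in tags:
            continue
        match = RULE_ERROR.search(entry.get("message", ""))
        if not match or AUTH_FAILURE not in match.group("detail"):
            continue  # some other rule error, not the API-key ordering bug
        failures.append({"timestamp": entry.get("@timestamp"), "name": match.group("name"),
                         "id": match.group("id"), "rule_id": match.group("rule_id")})
    return failures


def verify_no_auth_failures(text: str) -> bool:
    """The pass/fail check for the manual test step: True when no rule ran without credentials."""
    return not find_rule_auth_failures(text)
```

Pipe the Kibana log through `find_rule_auth_failures` after enabling the rules; any returned record names a rule that executed before its API key was in place.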

@elasticmachine

Pinging @elastic/siem (Team:SIEM)

@FrankHassanabad FrankHassanabad added the release_note:skip Skip the PR/issue when compiling release notes label Jan 28, 2020
@kibanamachine

💚 Build Succeeded


Labels
release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.6.0 v7.7.0 v8.0.0