Frank Hassanabad 3e7423a0e9
[Security Solutions][Detection Engine] Migrates exception lists to saved object references (Part 2) (#108291)
## Summary

This is part 2 to addressing the issue seen here: #101975 (Part 1 #107064)

This adds the alerting migration scripts and unit tests for exception list containers on Kibana startup for `7.15.0`

We only migrate if we find these conditions and cases:
  - `exceptionLists` is an `array` and not `null`, `undefined`, or malformed data.
  - The exceptionList item is an `object` and its `id` is a `string` and not `null`, `undefined`, or malformed data.
  - The existing references do not already contain that exceptionItem reference.

We migrate on the common use case:
  - The saved object references do not exist but we have exceptionList items with the ids to create the saved object references, 👍 so we migrate.
  - The alert contains no exception list items, in which case we have nothing to migrate.

We handle these additional (mis-use) cases and steps as well. These should _NOT_ be common things that happen, but we safeguard for them here:
  - If the migration is run twice we are idempotent and do _NOT_ add duplicate list items or remove items.
  - If the migration was partially successful but re-run a second time, we only add what is missing. Again, no duplicates or removed items should occur.
  - If the `exceptionLists` contains an invalid data shape or not enough information to migrate, we filter it out and ignore it.
  - If the saved object references already exist and contain a different or foreign value, we will retain the foreign reference(s) and still migrate.

## Manual testing
There are unit tests but for any manual testing or verification you can do the following:

Create a few alerts through the `security_solution` application with exception lists
<img width="1775" alt="Screen Shot 2021-08-11 at 5 42 31 PM" src="https://user-images.githubusercontent.com/1151048/129117377-61b17fcf-ad01-4405-bbfe-42d97a6f7654.png">

Use the dev tools to de-migrate as well as to test end to end like so:

```json
# First get an "_id" with an exceptions list like below.  Mine I found was: "alert:38482620-ef1b-11eb-ad71-7de7959be71c":
GET .kibana/_search
{
  "query": {
    "terms": {
      "alert.alertTypeId": [
        "siem.signals"
      ]
    }
  },
  "size": 10000
}
```

With Kibana running downgrade and remove the references as a test:

```json
# Set saved object array references as empty arrays and set our migration version to be 7.14.0 
POST .kibana/_update/alert:38482620-ef1b-11eb-ad71-7de7959be71c
{
  "script" : {
    "source": """
    ctx._source.migrationVersion.alert = "7.14.0";
    ctx._source.references = []
    """,
    "lang": "painless"
  }
}

# Double check the references is empty and the version is 7.14.0
GET .kibana/_doc/alert:38482620-ef1b-11eb-ad71-7de7959be71c
```

Reload the alert in the `security_solution` and notice you get these errors until you restart Kibana to cause a migration moving forward

```sh
server    log   [17:35:16.914] [error][plugins][securitySolution] The saved object references were not found for our exception list when we were expecting to find it. Kibana migrations might not have run correctly or someone might have removed the saved object references manually. Returning the last known good exception list id which might not work. exceptionItem with its id being returned is: {"list_id":"endpoint_list","namespace_type":"agnostic","id":"endpoint_list","type":"endpoint"}
server    log   [17:35:16.914] [error][plugins][securitySolution] Cannot get a saved object reference using an index which is larger than the saved object references. Index is:1 which is larger than the savedObjectReferences:[]
server    log   [17:35:16.915] [error][plugins][securitySolution] The saved object references were not found for our exception list when we were expecting to find it. Kibana migrations might not have run correctly or someone might have removed the saved object references manually. Returning the last known good exception list id which might not work. exceptionItem with its id being returned is: {"list_id":"cd152d0d-3590-4a45-a478-eed04da7936b","namespace_type":"single","id":"50e3bd70-ef1b-11eb-ad71-7de7959be71c","type":"detection"}
server    log   [17:35:16.940] [error][plugins][securitySolution] The saved object references were not found for our exception list when we were expecting to find it. Kibana migrations might not have run correctly or someone might have removed the saved object references manually. Returning the last known good exception list id which might not work. exceptionItem with its id being returned is: {"list_id":"endpoint_list","namespace_type":"agnostic","id":"endpoint_list","type":"endpoint"}
server    log   [17:35:16.940] [error][plugins][securitySolution] Cannot get a saved object reference using an index which is larger than the saved object references. Index is:1 which is larger than the savedObjectReferences:[]
server    log   [17:35:16.940] [error][plugins][securitySolution] The saved object references were not found for our exception list when we were expecting to find it. Kibana migrations might not have run correctly or someone might have removed the saved object references manually. Returning the last known good exception list id which might not work. exceptionItem with its id being returned is: {"list_id":"cd152d0d-3590-4a45-a478-eed04da7936b","namespace_type":"single","id":"50e3bd70-ef1b-11eb-ad71-7de7959be71c","type":"detection"}
```

Restart Kibana and you should no longer have errors in the Kibana console.

If you do this query in dev tools

```json
# Check that the `migrationVersion` is `7.15.0` and that we have a `references` array filled out with the correct structure
GET .kibana/_doc/alert:38482620-ef1b-11eb-ad71-7de7959be71c
```

You should notice that you now have a `references` array filled out:
```json
"references" : [
  {
    "name" : "param:exceptionsList_0",
    "id" : "endpoint_list",
    "type" : "exception-list-agnostic"
  },
  {
    "name" : "param:exceptionsList_1",
    "id" : "50e3bd70-ef1b-11eb-ad71-7de7959be71c",
    "type" : "exception-list"
  }
],
"migrationVersion" : {
  "alert" : "7.15.0"
}
```

For testing [idempotence](https://en.wikipedia.org/wiki/Idempotence):

Run just this to downgrade and restart Kibana and you should notice on a GET that we do not have anything extra in the references array:

```json
# Set our migration version to be 7.14.0 only
POST .kibana/_update/alert:38482620-ef1b-11eb-ad71-7de7959be71c
{
  "script" : {
    "source": """
    ctx._source.migrationVersion.alert = "7.14.0";
    """,
    "lang": "painless"
  }
}

# Double check the `references` is still there, and we do not get errors or changes to `references` after we restart Kibana
GET .kibana/_doc/alert:38482620-ef1b-11eb-ad71-7de7959be71c
```

For testing foreign keys:

```json
# Set saved object array references to foreign keys and set our migration version to be 7.14.0 
POST .kibana/_update/alert:38482620-ef1b-11eb-ad71-7de7959be71c
{
  "script" : {
    "source": """
    ctx._source.migrationVersion.alert = "7.14.0";
    ctx._source.references = [["name" : "foreign", "id" : "123", "type" : "some-type"]];
    """,
    "lang": "painless"
  }
}
```

Restart, ensure there are no errors in the Kibana console, and do a GET call to ensure we have the foreign value mixed with the valid values:

```json
GET .kibana/_doc/alert:38482620-ef1b-11eb-ad71-7de7959be71c
```

Should return this data:

```json
"type" : "alert",
"references" : [
  {
    "name" : "foreign",
    "id" : "123",
    "type" : "some-type"
  },
  {
    "name" : "param:exceptionsList_0",
    "id" : "endpoint_list",
    "type" : "exception-list-agnostic"
  },
  {
    "name" : "param:exceptionsList_1",
    "id" : "50e3bd70-ef1b-11eb-ad71-7de7959be71c",
    "type" : "exception-list"
  }
]
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2021-08-17 13:59:25 -06:00
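As an added example (not Kibana's own migration code from this commit), the following TypeScript models the migration rules listed in the summary above against the saved-object shapes shown in the manual-testing output. The function and interface names, the `param:exceptionsList_<index>` naming, and the mapping from `namespace_type` to the reference `type` are assumptions made for illustration.

```typescript
// Added example, not Kibana's implementation: a pure function that applies the
// migration rules from the commit summary (array check, malformed-item filter,
// idempotent re-runs, foreign references retained).
interface SavedObjectReference { name: string; id: string; type: string }

// Only the fields the migration needs; other keys (list_id, type) are ignored.
interface ExceptionListItem { id: string; namespace_type?: string; [k: string]: unknown }

// Constructed sample input, mirroring the two items seen in the error logs.
const sampleExceptionsList: unknown[] = [
  { list_id: 'endpoint_list', namespace_type: 'agnostic', id: 'endpoint_list', type: 'endpoint' },
  { list_id: 'cd152d0d-3590-4a45-a478-eed04da7936b', namespace_type: 'single',
    id: '50e3bd70-ef1b-11eb-ad71-7de7959be71c', type: 'detection' },
];

// Rule: the item must be an object and its id must be a string.
function isMigratableItem(item: unknown): item is ExceptionListItem {
  return typeof item === 'object' && item !== null &&
    typeof (item as { id?: unknown }).id === 'string';
}

// Assumption: agnostic lists map to 'exception-list-agnostic', everything else to 'exception-list'.
function referenceTypeFor(item: ExceptionListItem): string {
  return item.namespace_type === 'agnostic' ? 'exception-list-agnostic' : 'exception-list';
}

// Returns the migrated references array; never mutates its inputs.
function migrateExceptionListReferences(
  exceptionsList: unknown,
  existing: SavedObjectReference[]
): SavedObjectReference[] {
  // Rule: exceptionsList missing, null, or not an array -> nothing to migrate.
  if (!Array.isArray(exceptionsList)) return [...existing];
  const added: SavedObjectReference[] = [];
  exceptionsList.forEach((item, index) => {
    // Rule: malformed items are filtered out and ignored.
    if (!isMigratableItem(item)) return;
    const type = referenceTypeFor(item);
    // Rule: idempotence / partial re-run -> only add what is not already referenced.
    if (existing.some((r) => r.id === item.id && r.type === type)) return;
    added.push({ name: `param:exceptionsList_${index}`, id: item.id, type });
  });
  // Rule: foreign references are retained; migrated ones are appended after them.
  return [...existing, ...added];
}
```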

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

| Situation | Example Kibana version | Example ES version | Outcome |
|---|---|---|---|
| Versions are the same. | 5.1.2 | 5.1.2 | 💚 OK |
| ES patch number is newer. | 5.1.2 | 5.1.5 | ⚠️ Logged warning |
| ES minor number is newer. | 5.1.2 | 5.5.0 | ⚠️ Logged warning |
| ES major number is newer. | 5.1.2 | 6.0.0 | 🚫 Fatal error |
| ES patch number is older. | 5.1.2 | 5.1.0 | ⚠️ Logged warning |
| ES minor number is older. | 5.1.2 | 5.0.0 | 🚫 Fatal error |
| ES major number is older. | 5.1.2 | 4.0.0 | 🚫 Fatal error |

Questions? Problems? Suggestions?

  • If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
  • Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.