Detection Rules Integration Dependencies

Hi,
We experience some issues with detection rules detecting their dependencies on installed integrations correctly:

a) Installed Integrations are displayed as "Disabled" complaining there would be no agent policies using it. We have to edit any already configured policy, change anything in the allegedly disabled integration configuration to be able to save the changed settings -> then the rules correctly recognize the integration as "Installed" again.

b) the "Windows" Integration always shows this "version mismatch" (Screenshot):
image

It seems that these are only "cosmetic" issues because the rules work just fine with the collected data and produce alerts based on the indices of the wrongly "Disabled" or otherwise incorrectly recognized integrations. Nevertheless it's annoying to have no reliable indicator if all prerequisites of a rule are satisfied or not...

Hello,

Which version of the stack are you using?

Sorry for not mentioning it from the start: 8.15.2, on-prem, Debian-based

There was an issue about it, but it was marked as solved a long time ago.

It is this one: [Security Solution] Prebuilt rules' Related Integrations: version mismatch · Issue #139440 · elastic/kibana · GitHub

I would comment there and say that it still happens on 8.15.2


Thanks for your suggestion @leandrojmp, but the topic was closed as completed in 2022 and I don't want to participate in or reopen this using my personal GitHub account.

I'll stick with my workaround:

If anyone else encounters similar phenomena - installed and enabled integrations appear as "Disabled" or with version mismatches that should have been solved long ago:
in any agent-policy containing the integration ->
edit it,
change something,
save the changed settings (and change it all back) ->
your detection rules should update their view of dependent integrations now
(at least this works on 8.15.x Kibana versions, prebuilt-rules integration version 8.15.8, Debian-based installation, on premises, not containerized).
