Detection Rules Update Failure

Hi,

With version 8.15.3 we see 18 prebuilt security detection rules failing to update (Screenshot):

List of rules not being able to update:

Anomalous Windows Process Creation
Suspicious Windows Process Cluster Spawned by a User
Unusual Windows Username
Unusual Windows Service
Suspicious Powershell Script
Unusual Windows User Privilege Elevation Activity
Unusual Windows Remote User
Unusual Process Spawned by a User
Unusual Windows Path Activity
Unusual Process Spawned by a Host
Unusual Process For a Windows Host
Anomalous Process For a Windows Population
Unusual Windows Process Calling the Metadata Service
Unusual Windows Network Activity
Suspicious Windows Process Cluster Spawned by a Host
Unusual Windows User Calling the Metadata Service
Unusual Process Spawned by a Parent Process
Suspicious Windows Process Cluster Spawned by a Parent Process

What these rules have in common:
a) they are ML rules (without expecting all of them)
b) they have a dependency on the integration "Windows"
c) they all want to update the Windows integration's version dependency (Screenshot):

Can someone please point us to a solution or workaround for this?
Elastic/Kibana version 8.15.3, on-prem, Debian, not containerized

Hi @syk . Thanks for bringing this up!

I'll investigate the issue, but meanwhile, would you be able to post the full response from the rule upgrade API call?

If you open the Network tab in your browser's Dev Tools when you try to update one or more rules, you'll see the request is made to the URL POST /kbn/internal/detection_engine/prebuilt_rules/upgrade/_perform.

You can just copy and paste the response here.

Also: did you just update your Kibana version? If you just did, can you let us know from which version to which you did?

Thanks!
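The same response can be pulled and inspected from a script rather than the browser's Network tab, which matters here because the UI toast does not reliably show a failure. The following is an added example written for this thread; it is not code from the thread, from Elastic, or from Kibana. It assumes the endpoint path, the `kbn-xsrf` and `elastic-api-version: 1` headers, and the `{"mode": "ALL_RULES"}` body of Kibana's internal prebuilt-rule upgrade API, treats the `/kbn` prefix quoted above as a configurable base path, and assumes the response carries a `summary` block and an `errors` list whose entries hold a `message` and the affected `rules`. `SAMPLE_RESPONSE` is a constructed document in that shape, not output captured from a real cluster.

```python
"""Added example: call Kibana's prebuilt-rule upgrade endpoint and report which
rules failed and why, instead of trusting the UI toast.

Assumptions (not verified against the thread): endpoint path, required headers,
request body, and the summary/errors shape of the response. The "/kbn" prefix
quoted in the thread is treated as a Kibana base path and passed in as a parameter.
"""
import json
import urllib.request
from collections import defaultdict

ML_LICENSE_TEXT = "Your license does not support machine learning"

# Constructed sample response, shaped like the assumed API answer; the message
# text mirrors the license error quoted later in the thread.
SAMPLE_RESPONSE = {
    "summary": {"total": 3, "succeeded": 1, "skipped": 0, "failed": 2},
    "results": {
        "updated": [{"rule_id": "rule-a", "name": "Some Non-ML Rule"}],
        "skipped": [],
    },
    "errors": [
        {
            "message": ML_LICENSE_TEXT + ". Please upgrade your license.",
            "status_code": 403,
            "rules": [
                {"rule_id": "rule-b", "name": "Unusual Windows Username"},
                {"rule_id": "rule-c", "name": "Suspicious Powershell Script"},
            ],
        }
    ],
}


def perform_upgrade(kibana_url, api_key, base_path="", timeout=60):
    """POST upgrade/_perform for all rules and return the parsed JSON body.

    kbn-xsrf is required by Kibana on write requests; elastic-api-version
    selects the internal API version (assumed to be 1 here).
    """
    url = (f"{kibana_url.rstrip('/')}{base_path}"
           "/internal/detection_engine/prebuilt_rules/upgrade/_perform")
    req = urllib.request.Request(
        url,
        data=json.dumps({"mode": "ALL_RULES"}).encode(),
        method="POST",
        headers={
            "Authorization": f"ApiKey {api_key}",
            "Content-Type": "application/json",
            "kbn-xsrf": "true",
            "elastic-api-version": "1",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def failures_by_message(response):
    """Group the names of rules that failed to upgrade under each error message."""
    grouped = defaultdict(list)
    for err in response.get("errors", []):
        msg = err.get("message", "<no message>")
        for rule in err.get("rules", []):
            grouped[msg].append(rule.get("name") or rule.get("rule_id", "?"))
    return dict(grouped)


def ml_license_failures(response):
    """Names of rules that failed only because the license does not cover ML."""
    return [name
            for msg, names in failures_by_message(response).items()
            if ML_LICENSE_TEXT in msg
            for name in names]


def summarize(response):
    """Return (ok, report_lines); ok is False when any rule failed to upgrade."""
    s = response.get("summary", {})
    failed = s.get("failed", 0)
    lines = [f"total={s.get('total', 0)} succeeded={s.get('succeeded', 0)} "
             f"skipped={s.get('skipped', 0)} failed={failed}"]
    for msg, names in failures_by_message(response).items():
        lines.append(f"{len(names)} rule(s) failed: {msg}")
        lines.extend(f"  - {n}" for n in names)
    return failed == 0, lines


if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for perform_upgrade(url, api_key, base_path="/kbn")
    # to run against a real instance; the script exits 1 if anything failed.
    ok, report = summarize(SAMPLE_RESPONSE)
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)
```

Run against a real instance by replacing `SAMPLE_RESPONSE` with the result of `perform_upgrade(...)`; a non-zero exit code then gives a scriptable signal that the green toast does not.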

Quick question, do you have a paid License enabled in your cluster, platinum or enterprise?

@Juan_Pablo_Djeredjia : the mentioned 18 rules are not updated because:

 "message": "Your license does not support machine learning. Please upgrade your license."

@leandrojmp: I guess this answers your question as well: all clusters we experience this behaviour have a basic license applied...

But why do only these 18 rules behave like that? They aren't even enabled...

We upgraded from 8.15.2 to 8.15.3.

Yeah, if you are using the basic license, this is your issue: the ML rules require a paid license, but this is not checked while installing or updating the rules.

Also, the toast informing that the update failed is wrong: it shows the success toast (green line and check mark) and not the failure toast (red line and an x mark).

I had a similar issue and opened a github issue in August: [Security Solution] Detection rule fails to install but does not show reason and the toast in the UI shows up as success · Issue #190753 · elastic/kibana · GitHub

You can just ignore this error, it is a bug in Kibana.

Thanks for the quick answer Leandro!

Could you please explain the topics below for clarification:

  • There are currently 77 prebuilt rules tagged for "Machine Learning" - correct?

  • 18 of those will never be updated and added to other upcoming rule-updates, so the number of "Rule Updates" displayed will increase and we have to keep track of the numbers?

  • Out of the 77 ML-rules 5 can be enabled even with only a basic license applied (see screenshot below) - is this intentional?

  • This is the wrong place to report Kibana-Bugs?

Hi @syk, thanks for the clear description of your situation. Let's please move our discussion to GitHub - this will help the right team at Elastic to track and fix the bug. Could you please open a new issue on GitHub and drop a link to it in this thread? We'll continue from there. Thanks!

Link to the GitHub topic as requested:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.