bex
March 1, 2023, 9:52am
1
I would like to clarify, what is the difference between "EndPoint Security" and "Elastic Defend" integrations?
1 Like
Hey @bex ,
its the same it was renamed in:8.5 | Elastic Security Solution [8.6] | Elastic
Renames the Elastic Endpoint and Cloud Security integration to the Elastic Defend integration (#139517 ).
Regards
Sebastian
1 Like
bex
March 2, 2023, 4:56am
3
Hello Sebastian. Thanks for reply.
Hello @bex ,
I would check the following things:
Was the integration also rolled out via an Elastic Agent Policy . If not then role this out.
If this integration was rolled out then I would check if the agent can communicate with the elasticsearch.
As you can see in your error message from image 1, this role would currently run into the void because there is currently no data from Elastic defend in elasticsearch.
Regards,
Sebastian
bex
March 3, 2023, 5:51am
5
Hello @Sebastian_Huettersen
Yes, the integration was rolled out via an Elastic Agent policy.
Yes, agent can communicate with the elasticsearch. Elasticsearch receives logs from elastic agents and I can see them. In the "fleet" section, everything is fine with the status of agents.
The only thing that I have disabled, the "collect agent metrics"
Hello @bex
I have looked at your screenshots again. There I noticed that one of the rule has worked.
opened 11:10PM - 26 Jan 23 UTC
bug
impact:medium
Team:Detections and Resp
fixed
Team: SecuritySolution
Team:Detection Rules
Feature:Prebuilt Detection Rules
v8.7.0
Feature:Related Integrations
First reported in `8.6.1`, but also reproduced in `8.5.0`, the `Elastic Defend` … or `Endpoint` integration will show as `Not installed` when it is in fact installed.
<p align="center">
<img width="500" src="https://user-images.githubusercontent.com/2946766/214969842-6fc90608-387f-49ec-8c69-d5f1d87dfc2e.png" />
</p>
Debugging this, we can work our way back from the client since it appears the `detection_engine/fleet/integrations/installed` API is returning back that it's actually installed.
Here we determine if the integration is `installed` by seeing if the related integration from the Rule is within the list of installed packages returned by fleet. The package name check ends up being truthy, however the integration name check fails since the rule doesn't provide an related integration name (since there isn't one for `Elastic Defend`), yet the our data model is including integration details with an `''` integration_name.
https://github.com/elastic/kibana/blob/21de750b3cff4d4ad27d07c77135327e644b3bee/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts#L81-L84
Now heading to the server, we set the `integration_name` from the `policy.input[].policy_template`, however this is undefined for the `Elastic Defend` integration, and so ends up as emptystring `''`.
https://github.com/elastic/kibana/blob/21de750b3cff4d4ad27d07c77135327e644b3bee/x-pack/plugins/security_solution/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/installed_integration_set.ts#L129
As a result, when determining if we need to augment the package with integration details, we now have a mismatch between `packageInfo.package_name` & `integrationInfo.integration_name`, which results in us adding integration details, but with an invalid `integration_name`.
https://github.com/elastic/kibana/blob/21de750b3cff4d4ad27d07c77135327e644b3bee/x-pack/plugins/security_solution/server/lib/detection_engine/fleet_integrations/api/get_installed_integrations/installed_integration_set.ts#L88
which is why the client is determining that the integration is not installed.
So looks like the root cause here is that there's no `policy_template` being returned on the packagePolicies' `input` object for the `Elastic Defend` integration:
<p align="center">
<img width="500" src="https://user-images.githubusercontent.com/2946766/214964074-3e7affe5-56c8-485a-b549-a628fdbb197e.png" />
</p>
We can see this directly with the `/kbn/api/fleet/package_policies` fleet API as well:
##### Elastic Defend integration on the left, Fleet Server integration on the right:
<img width="400" alt="image" src="https://user-images.githubusercontent.com/2946766/214969593-4012264b-1df2-45ab-9022-841efb511eb9.png"> <img width="400" alt="image" src="https://user-images.githubusercontent.com/2946766/214969642-d7912abd-c574-473d-8acb-e34d7e3f6181.png">
---
I haven't found any specific fleet/package-registry changes yet that would explain why the `Elastic Defend` packagePolicies don't include a `policy_template` (maybe it happened as part of the refactor from Elastic Security -> Elastic Defend?), so if not a change introduced in the interim, perhaps we missed this in our initial testing @banderror?
Either way, looks like we can either use the root `input.type` or the nested `config.integration_config.type` off of the packagePolicy if the `policy_template` isn't present. Will need to test with lone packages and packages+integrations to see the behavior here.
I guess that the one rule does not work because there have been no alerts from the Elastic defend so far.
bex
March 3, 2023, 6:44am
7
as I understand, what shows as "not installed" is a bug, right? But from [Security Solution]Endpoint security rule has wrong Related integrations information. · Issue #151103 · elastic/kibana · GitHub , we see that the bug was fixed for version 8.7.
system
March 31, 2023, 6:47am
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
