Not able to edit rules

Hi,
after updating from 8.2.3 to 8.4 it's no longer possible to edit the existing rules.
Every time "Object type "siem.queryRule" is not registered." is shown.
Hope somebody has an idea how to fix.

Another error occurs:

{
"name": "Error",
"body": {
"message": "illegal_argument_exception: rollover target [.siem-signals-default] does not point to a write index",
"status_code": 400
},
"message": "Bad Request",
"stack": "o@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:396:16044\nt@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:396:15274\n__kbnSharedDeps_npm__</e.exports/<@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:396:12404\nn@https://fed:5601/55434/bundles/core/core.entry.js:1:269671\ne/<@https://fed:5601/55434/bundles/core/core.entry.js:1:276516\nf@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:515:1458\nd/o._invoke</<@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:515:1212\nO/</<@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:515:1821\nn@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364:292131\ns@https://fed:5601/55434/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:364:292343\n"
}

best regards
Uwe

@UweW - Hi there,

Can you run GET _cat/aliases/.siem-signals-*?v and GET _cat/shards/.siem-signals-*?v and share the results with us?

Thank you.

Hi Romain,

GET _cat/aliases/.siem-signals-*?v
alias                 index                        filter routing.index routing.search is_write_index
.siem-signals-default .siem-signals-default-000010 -      -             -              false
.siem-signals-default .siem-signals-default-000011 -      -             -              false

GET _cat/shards/.siem-signals-*?v
index                        shard prirep state   docs store   ip        node
.siem-signals-default-000010 0     p      STARTED 2    48.5kb  10.88.0.1 elasticsearch
.siem-signals-default-000011 0     p      STARTED 963  958.5kb 10.88.0.1 elasticsearch

best regards
Uwe

Hi @UweW - could you run this and check if this solves the problem?

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": ".siem-signals-default-000011",
        "alias": ".siem-signals-default",
        "is_write_index": true
      }
    }
  ]
}
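The cat output above shows the failure mode behind the rollover error: both backing indices carry the alias, but neither is flagged as the write index. As an added example (not code from the thread or from Elastic), this Python snippet takes the JSON shape returned by GET _alias/.siem-signals-* and checks that the alias has exactly one write index; when it has none, it builds the same POST _aliases body as the fix above, assuming the newest rollover generation is the one that should receive new alerts. The sample response is constructed from the thread's cat output.

```python
"""Check an Elasticsearch alias for a single write index and build the
_aliases action that restores one.  Input is the JSON returned by
GET _alias/<pattern>: {index_name: {"aliases": {alias: {"is_write_index": bool}}}}."""
import json
import re

# Constructed sample mirroring the thread: two backing indices, neither a write index.
SAMPLE_ALIAS_RESPONSE = {
    ".siem-signals-default-000010": {
        "aliases": {".siem-signals-default": {"is_write_index": False}}
    },
    ".siem-signals-default-000011": {
        "aliases": {".siem-signals-default": {"is_write_index": False}}
    },
}

def backing_indices(alias_response, alias):
    """Map each index behind `alias` to its is_write_index flag (missing flag -> False)."""
    return {
        index: bool(meta.get("aliases", {}).get(alias, {}).get("is_write_index", False))
        for index, meta in alias_response.items()
        if alias in meta.get("aliases", {})
    }

def write_indices(alias_response, alias):
    """Indices currently marked as the write index; rollover needs exactly one."""
    return sorted(i for i, w in backing_indices(alias_response, alias).items() if w)

def rollover_generation(index):
    """Numeric suffix of a rollover-managed index (e.g. ...-000011 -> 11), or -1."""
    m = re.search(r"-(\d{6})$", index)
    return int(m.group(1)) if m else -1

def fix_action(alias_response, alias):
    """Return the POST _aliases body that makes the newest generation the write
    index, or None if the alias is absent or already has exactly one write index.
    Assumption: the highest generation is the one that should receive new documents."""
    indices = backing_indices(alias_response, alias)
    if not indices or len(write_indices(alias_response, alias)) == 1:
        return None
    target = max(indices, key=rollover_generation)
    return {"actions": [{"add": {"index": target, "alias": alias, "is_write_index": True}}]}

if __name__ == "__main__":
    # Prints the corrective request body for the constructed sample.
    print(json.dumps(fix_action(SAMPLE_ALIAS_RESPONSE, ".siem-signals-default"), indent=2))
```

Run it against a live cluster by feeding it the output of GET _alias/.siem-signals-* before applying anything; a None result means the alias is already healthy.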

Hey there!

The .siem-signals index was the index name used pre-8.0 for writing security solution alerts. In 8.0 it's expected that it is now aliased to the new security solution alerts index, so

GET _cat/aliases/.siem-signals-*?v

should result in something like:

alias                               index                                           filter routing.index routing.search is_write_index
.siem-signals-default .internal.alerts-security.alerts-default-000001 -      -             -              false

This should have all occurred in the initial upgrade to 8.x.

@UweW

If you run GET /.siem-signals*, can you share what the top portion of that return looks like? We would expect to see something like:

{
  ".internal.alerts-security.alerts-default-000001": {
    "aliases": {
      ".alerts-security.alerts-default": {
        "is_write_index": false
      },
      ".siem-signals-default": {
        "is_write_index": false
      }
    },
    "mappings": {
      "dynamic": "false",
      "_meta": {
        "namespace": "default",
        "kibana": {
          "version": "8.4.2"
        }
      },
[...]

In 8.x we should no longer be writing to .siem-signals*.

Best,
Yara

Hi Romain,
that fixed the issue that I was not able to edit the rules in the security section. :+1:
There is still the issue with "Object type "siem.queryRule" is not registered." when I open rules in the stack management section.

best regards
Uwe

Hi Yara,
this is how it looks:

{
  ".siem-signals-default-000010": {
    "aliases": {
      ".alerts-security.alerts-default": {
        "is_write_index": false
      },
      ".siem-signals-default": {
        "is_write_index": false
      }
    },
    "mappings": {
      "dynamic": "false",
      "_meta": {
        "version": 45,
        "aliases_version": 3
      },
      "runtime": {
        "host.os.name.caseless": {
          "type": "keyword",
          "script": {
            "source": "if(doc['host.os.name'].size()!=0) emit(doc['host.os.name'].value.toLowerCase());",
            "lang": "painless"
          }
        }
      },

best regards
Uwe

Hi Yara,
I cannot find any index beginning with .internal*
So it looks like it hasn't occurred in the initial upgrade.
One more time, updating was not successful :frowning:
Any idea how to fix?
Best regards
Uwe

PS: the update path was 8.3.3 -> 8.4.0 -> 8.4.1

@UweW the .internal index is created once the first alert is written. That may be why you don't see it yet. If rules are running but no alerts have been generated, it won't yet exist.

As for the issues with viewing rules in stack management - I am asking around to see if it's a known issue. Luckily, most all actions you would need to take can be done through the security solution rules management interface.

I'll follow back around as soon as I hopefully find out more on the stack management side :slight_smile:

Here is the issue that was tracked for this error you're encountering: Security Rule details page doesn't load up in Stack Management · Issue #138639 · elastic/kibana · GitHub

It looks like it may not have made it in 8.4.1, but is in for 8.4.2.

Hi Yara,
yes, this is the issue I have.
8.4.2 was released today. Even if I can't find a hint in the release notes I can confirm that it fixes this bug on two Lab installations.
Many thanks for your support.

Uwe
