SIEM Alert Actions not updating

I've gone through a few iterations of alert actions, checking both the API and the UI the SIEM app shows my current version of the actions, but when an alert is sent it uses a previous version of the actions. I've restarted the deployment and Kibana on its own.

Hi @Mercwri, welcome to the community!

I'd love to help, let's start with some refining questions:

  1. Which version of kibana are you running?
  2. Which actions are you using?
  3. How are you creating these actions?
  4. When you refer to "version," are you referring to the alert variable {{context.rule.version}} or to something else?
  5. When an alert is sent, is it always the same (original) version, or is it e.g. one version behind the expected version?

If you could share some of those API/UI checks that you referenced, I'm sure that would also help!

I look forward to your response,

--
Ryland

  1. 7.7.0
  2. Webhook and Email
  3. UI and making requests to /api/detection_engine/rules
  4. I'm referring to changes to the actions fields.
  5. It is at least one if not more than that behind.

For checking it, in the UI if I go to SIEM/Detection Rules/Rule/Manage Rule/Actions the most recent change will show.

For the API I wrote a simple bit of python to poll the API for all my current rules and then check the actions field and update if the actions are different.

import requests
import yaml
from requests.auth import HTTPBasicAuth

with open("config.yaml", "r") as yml:
    config = yaml.safe_load(yml)  # safe_load: a config file should never be able to construct arbitrary objects

base_url = config["base_url"]
headers = {"kbn-xsrf": "true"}  # Kibana rejects write requests without this header
auth = HTTPBasicAuth(config["user"], config["password"])

rules = requests.get(base_url + "/api/detection_engine/rules/_find?page=1&per_page=200",
                     auth=auth, headers=headers).json()["data"]

actions = ...  # My Actions Redacted (the desired actions list, compared structurally below)

for rule in rules:
    print("[=]Checking rule " + rule["id"])
    check = requests.get(base_url + "/api/detection_engine/rules?id=" + rule["id"],
                         auth=auth, headers=headers)
    if check.json()["actions"] == actions:
        print("[+]Rule Up to Date")
    else:
        print("[-]Rule Out of Spec")
        payload = {"id": rule["id"], "actions": actions, "throttle": "rule"}
        # json= sends a JSON body; data= would form-encode the dict and mangle the actions list
        apply = requests.patch(base_url + "/api/detection_engine/rules",
                               auth=auth, headers=headers, json=payload)
        check_2 = requests.get(base_url + "/api/detection_engine/rules?id=" + rule["id"],
                               auth=auth, headers=headers)
        if check_2.json()["actions"] == actions:
            print("[+]Rule Updated")
        else:
            print("[-]Rule Failed to Update")
            print(apply.content)

I can apply the changes by updating my action, running the script, then confirming by checking the UI on a random rule to see if it did correctly update.

For example if I modify my action to change the JSON sent on the webhook, the old JSON will be sent on the webhook, same as the body when I update the body on the email.

@Mercwri, thank you for the comprehensive response, it was incredibly helpful!

The bad news: it looks like you've uncovered a bug with our PATCH endpoint.
The good news: we have some workarounds, and we'll be fixing this as soon as possible.

I've created this issue to track the bug and its resolution; please follow along there for updates.

In the meantime, let's get you up and running again. I mention the workarounds in that issue, but for your specific use case I would recommend modifying your script to use the PUT endpoint instead of PATCH. This will require two changes on your end:

  1. removing fields from the GET response that aren't allowed in the PUT response
  2. sending this new whitelisted payload to the PUT endpoint instead of PATCH

Please give that a shot and let me know if you encounter any issues; I'm happy to help troubleshoot further.

Thanks again for your post. The SIEM app and our community are both better for it!
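One way to implement the two changes above (strip the read-only fields from the GET document, then send the result to PUT), as an added example that is neither Ryland's nor Kibana's own code. The READ_ONLY_FIELDS list is an assumption about what the 7.7 GET response carries that PUT rejects, and the sample rule document is constructed.

```python
from requests.auth import HTTPBasicAuth

# Assumed: fields returned by GET /api/detection_engine/rules that the PUT
# (full update) endpoint does not accept. Extend it if PUT rejects another.
READ_ONLY_FIELDS = {
    "created_at", "created_by", "updated_at", "updated_by", "immutable",
    "status", "status_date", "last_success_at", "last_success_message",
    "last_failure_at", "last_failure_message",
    "rule_id",  # PUT identifies the rule by one of id/rule_id; keep id only
}

# Constructed sample of a GET rule document (not from a real Kibana).
SAMPLE_RULE = {
    "id": "11111111-2222-3333-4444-555555555555", "rule_id": "example-rule",
    "name": "Example rule", "description": "constructed", "type": "query",
    "query": 'process.name : "example"', "language": "kuery",
    "index": ["logs-*"], "risk_score": 21, "severity": "low",
    "enabled": True, "interval": "5m", "from": "now-6m", "to": "now",
    "created_at": "2020-05-01T00:00:00.000Z", "created_by": "elastic",
    "updated_at": "2020-05-02T00:00:00.000Z", "updated_by": "elastic",
    "immutable": False, "status": "succeeded",
    "actions": [], "throttle": "no_actions",
}

def build_put_payload(rule, actions, throttle="rule"):
    """Turn a GET rule document into a PUT body carrying the desired actions.
    PUT replaces the whole rule, so every editable field is kept as-is."""
    payload = {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}
    payload["actions"] = actions
    payload["throttle"] = throttle
    return payload

def actions_match(rule, actions):
    # Structural comparison; a json.dumps() string compare breaks on key order.
    return rule.get("actions") == actions

def sync_rule_actions(base_url, user, password, rule, actions):
    """Hypothetical helper: PUT the corrected body if the rule's actions differ.
    Returns the rule as stored after the call."""
    import requests  # imported here so the pure helpers above need no network library
    if actions_match(rule, actions):
        return rule
    resp = requests.put(base_url + "/api/detection_engine/rules",
                        auth=HTTPBasicAuth(user, password),
                        headers={"kbn-xsrf": "true"},
                        json=build_put_payload(rule, actions))  # json=, not data=
    resp.raise_for_status()
    return resp.json()
```

Verify with a second GET after the PUT, as the original script already does, rather than trusting the PUT response alone.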

@Mercwri just a quick update: the fix has been merged, and should be available in the upcoming 7.8.0 release.

Thanks, the work-around has been working for me so far.
