[Security Solution] Migrates siem-detection-engine-rule-actions ruleAlertId and actions to saved object references array

[FrankHassanabad]

Summary

Fixes #113278

• Migrates the legacy siem-detection-engine-rule-actions ruleAlertId and actions to saved object references arrays
• Adds an e2e test for siem-detection-engine-rule-actions
• Updates the types to work with the migrations and the new and old data structures.
• Decouples and removes reliance on alerting within the types since we do not want development of alerting to get in the way of legacy things and have migration changes by accident.
• Updates the REST interface and code to produce post migration data structures. Removes some types and code where w can since those parts are no longer needed/used.
• Adds actionRef to the mapping

Before migration you should see data structures like this if you query:

GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}

{
  "siem-detection-engine-rule-actions": {
    "ruleAlertId": "fb1046a0-0452-11ec-9b15-d13d79d162f3", <-- ruleAlertId which we want in the references array and removed
    "actions": [
      {
        "action_type_id": ".slack",
        "id": "f6e64c00-0452-11ec-9b15-d13d79d162f3", <-- id which we want in the references array and removed
        "params": {
          "message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
        },
        "group": "default"
      }
    ],
    "ruleThrottle": "7d",
    "alertThrottle": "7d"
  },
  "type": "siem-detection-engine-rule-actions",
  "references": [], <-- Array is empty which instead needs the id's of alerts and actions
  "migrationVersion": {
    "siem-detection-engine-rule-actions": "7.11.2"
  },
  "coreMigrationVersion": "7.14.0",
  "updated_at": "2021-09-15T22:18:48.369Z"
}

After migration you should see data structures like this:

{
  "siem-detection-engine-rule-actions": {
    "actions": [
      {
        "action_type_id": ".slack",
        "actionRef" : "action_0", <-- We use the name and "actionRef" to be consistent with kibana alerting
        "params": {
          "message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
        },
        "group": "default"
      }
    ],
    "ruleThrottle": "7d",
    "alertThrottle": "7d"
  },
  "type": "siem-detection-engine-rule-actions",
  "references" : [
    {
      "name" : "alert_0", <-- Name is "alert_0"
      "id" : "fb1046a0-0452-11ec-9b15-d13d79d162f3", <-- Alert id is now here
      "type" : "alert" <-- Type should be "alert"
    },
    {
      "name" : "action_0", <-- Name is "action_0" and should be the same as kibana alerting names theirs for consistencty
      "id" : "f6e64c00-0452-11ec-9b15-d13d79d162f3", <-- Id of the action is now here.
      "type" : "action" <-- Type should be "action"
    }
  ],  
  "migrationVersion": {
    "siem-detection-engine-rule-actions": "7.16.0"
  },
  "coreMigrationVersion": "8.0.0",
  "updated_at": "2021-09-15T22:18:48.369Z"
}

Manual testing

There are e2e tests but for any manual testing or verification you can do the following:

If you have a 7.14.0 system and can migrate it forward that is the most straight forward way to ensure this does migrate correctly and forward. You should see that the legacy notification system still operates as expected.

If you are a developer off of master and want to test different scenarios then this section is for below as it is more involved and harder to do but goes into more depth:

• Create a rule and activate it normally within security_solution
• Do not add actions to the rule at this point as we are exercising the older legacy system. However, you want at least one action configured such as a slack notification.
• Within dev tools do a query for all your actions and grab one of the _id of them without their prefix:

# See all your actions
GET .kibana/_search
{
  "query": {
    "term": {
      "type": "action"
    }
  }
}

Mine was "_id" : "action:879e8ff0-1be1-11ec-a722-83da1c22a481", so I will be copying the ID of 879e8ff0-1be1-11ec-a722-83da1c22a481

Go to the file detection_engine/scripts/legacy_notifications/one_action.json and add this id to the file. Something like this:

{
  "name": "Legacy notification with one action",
  "interval": "1m",  <--- You can use whatever you want. Real values are "1h", "1d", "1w". I use "1m" for testing purposes.
  "actions": [
    {
      "id": "879e8ff0-1be1-11ec-a722-83da1c22a481", <--- My action id
      "group": "default",
      "params": {
        "message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
      },
      "actionTypeId": ".slack" <--- I am a slack action id type.
    }
  ]
}

Query for an alert you want to add manually add back a legacy notification to it. Such as:

# See all your siem.signals alert types and choose one
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.signals"
    }
  }
}

Grab the _id without the alert prefix. For mine this was 933ca720-1be1-11ec-a722-83da1c22a481

Within the directory of detection_engine/scripts execute the script:

./post_legacy_notification.sh 933ca720-1be1-11ec-a722-83da1c22a481
{
  "ok": "acknowledged"
}

which is going to do a few things. See the file detection_engine/routes/rules/legacy_create_legacy_notification.ts for the definition of the route and what it does in full, but we should notice that we have now:

Created a legacy side car action object of type siem-detection-engine-rule-actions you can see in dev tools:

# See the actions "side car" which are part of the legacy notification system.
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}

Take note that this actually creates the rule migrated since this PR updated the code to produce new side cars. So we have to use some scripting to change the actions to utilize the old format. However, before continuing you should verify that this does fire correctly and that the new format is working as expected. After that replace the structure with the older structure like so below and downgrade the migration version so that we can restart Kibana and ensure that this does migrate correctly forward:

# Get your id of your rules side car above and then use this script to downgrade the data structure
POST .kibana/_update/siem-detection-engine-rule-actions:210f4c90-2233-11ec-98c6-ed2574588902
{
  "script" : {
    "source": """
    ctx._source.migrationVersion['siem-detection-engine-rule-actions'] = "7.15.0";
    ctx._source['siem-detection-engine-rule-actions'].actions[0].id = ctx._source.references[1].id;
    ctx._source['siem-detection-engine-rule-actions'].actions[0].remove('actionRef');
    ctx._source['siem-detection-engine-rule-actions'].ruleAlertId = ctx._source.references[0].id;
    ctx._source.references.remove(0);
    ctx._source.references.remove(0);
    """,
    "lang": "painless"
  }
}

Restart Kibana and now it should be migrated correctly and the system should fire the notifications as expected. You shouldn't see any errors in your console.

In the scripts folder execute the find_rules.sh and expect to see actions like so in the rule with the id still in the REST interface and we shouldn't see actionRef within the actions:

"actions": [{
  "id": "42534430-2092-11ec-99a6-05d79563c01a",
  "group": "default",
  "params": {
    "message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
  },
  "action_type_id": ".slack"
}],

Take the rule id and query that as well using ./get_rule_by_id.sh and verify that the action also looks the same and is present within the rule.

You can also verify all of this within the UI's as well for rules to ensure the action is still present and as we expect it to be and work.

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[yctercero]

👍🏽 Just doing a quick first code pass. Wanted to manually test after #113205 goes in.

[yctercero]

Nit: This may just be me but I'm starting to get confused between references to "alerts" and "rules". This is the reference to the rule, right?

[FrankHassanabad]

That is correct. It is a reference to the rule.

[yctercero]

Should we add a check to log if more than one is found? Doesn't seem to have been an issue ever up till now, but maybe with the migrations and changes, could be worth checking these edge cases we weren't too worried about before. 🤷🏽‍♀️

[FrankHassanabad]

Yeah, I can. You are correct that we can't guarantee that there aren't more than 1. I figured if there was more than 1 I would just pull 1. If there's 2 or more, I think we have to just pull the first 1. Best I can do would be to check if there is more than 1 and then write out an error message in case we begin encountering it we will see it fairly quickly in the log files.

[yctercero]

This is the one we've decided not to delete yet in case of any migration issues right?

[FrankHassanabad]

Correct:

Actually I (think?) I have to keep it because older data will need to be migrated and we cannot remove the mapping as far as I know. I don't know if the mappings are changed before the migration but I assume it would have to be since I already am adding the actionRef above. So if the mappings change before the migration (which I'm pretty sure it does and would need to), and I remove this here I don't know what the effect is going to be. I might still be able to access it without it but I figured it was best to leave it alone for now?

Overall I felt like I should just leave it alone for now.

[yctercero]

These are where you hit the issues that come from typing migrations, right? You'd talked me through this change here on zoom (thank you!) and I'm wondering if it's worth creating an issue that we can socialize with core (I'm happy to take that on). Nothing to solve asap, but def important to try and get some consensus on how to go about this.

[FrankHassanabad]

I think we should talk more in person. I don't think it's an easy job to make types per schema version. It's not that bad at this moment fwiw.

[yctercero]

Thanks for the added tests and addressing all my nits 😬

LGTM!

[FrankHassanabad]

@elasticmachine merge upstream

[FrankHassanabad]

@elasticmachine merge upstream

[FrankHassanabad]

@elasticmachine merge upstream

[FrankHassanabad]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 2c157e3
• Storybooks Preview
• Documentation Changes

Metrics [docs]

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id	before	after	diff
siem-detection-engine-rule-actions	8	9	+1

History

• 💔 Build #158450 failed f25c902
• 💔 Build #158250 failed 5f0733d
• 💔 Build #158219 failed ccb501c
• 💔 Build #158150 failed d675e9e
• 💔 Build #158116 failed 4c6155c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @FrankHassanabad

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.