[Security solution][Detection Engine] Fixes "Cannot read property 'kibana_siem_app_url' of null error from actions #75844
Conversation
FrankHassanabad
changed the title
|
Pinging @elastic/siem (Team:SIEM) |
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
| @@ -79,6 +79,84 @@ describe('rules_notification_alert_type', () => { | |||
| ); | |||
| }); | |||
|
|
|||
| it('should resolve results_link when meta is undefined to use "/app/security"', async () => { | |||
There was a problem hiding this comment.
I always go back and forth with the wording - I find myself getting confused sometimes (might just be me). In tests when we say x is undefined should we be explicitly be checking that for example, meta: undefined or are we testing that the property itself is not there.
There was a problem hiding this comment.
I guess it's one in the same. 🤯
There was a problem hiding this comment.
It's technically not the same but we treat it a lot of the times as the same.
For example:
const a = { b: 1 }
Object.getOwnPropertyDescriptor(a, 'b')
{value: 1, writable: true, enumerable: true, configurable: true}
a.b = undefined;
Object.getOwnPropertyDescriptor(a, 'b')
{value: undefined, writable: true, enumerable: true, configurable: true}
delete a.b;
Object.getOwnPropertyDescriptor(a, 'b')
undefinedTechnically you can see that the key is no longer there compared to if I just set it to undefined.
You can do this too:
a.b = undefined;
Object.keys(a)
["b"]And really the key is still there. But for testing and stuff we might not be as strict when we could be. I sometimes try to use delete to be more exact or do a type of omit.
I am lazy and sometimes just use the wording of undefined to mean the same thing as for the most part it's treated the same unless/until someone is doing Object.keys() or enumerating against it. We do the same thing a lot of times within TypeScript using something as an undefined to indicate a value does not exist regardless of if the value was deleted or turned into undefined. So, some small subtle differences.
|
Thanks for adding all these great tests! The code itself looks great. I had a question about expected behavior. Here's what I did, let me know if it's all expected.
May be easier to zoom tomorrow, I may be missing something. If this is all known/expected, then LGTM. Was no longer seeing the error mentioned in the ticket. |
|
The auth error you're seeing is probably because while the rule is running if you update it, then the existing running rule has access to an API key that is now invalidated. At least that's we have seen before. You can wait another 5 minutes (for example) and the second run should work out ok. I think the alerting team knows about this. However, if you were to test a second time and see the same issue consistently (even between rule runs) then we would have a bigger problem. |
There was a problem hiding this comment.
Thanks for the detailed replies. It seems then that it is a known issue that I encountered.
I tested:
- creating a rule w/ an action via api with
meta: {}and it worked great 👍 - creating a rule w/ action via UI 👍
- updating rule created via UI to have
meta: {}and resulted in known issue of needing to enable/disable rule to get working again (unrelated to the issue addressed here)
LGTM!
|
@elasticmachine merge upstream |
## Summary Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like: ```ts An error occurred during rule execution: message: "Cannot read property 'kibana_siem_app_url' of null" name: "Unusual Windows Remote User" id: "1cc27e7e-d7c7-4f6a-b918-8c272fc6b1a3" rule id: "1781d055-5c66-4adf-9e93-fc0fa69550c9" signals index: ".siem-signals-default" ``` This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code. If you have an action id handy you can manually test this by editing the json file of: ```ts test_cases/queries/action_without_meta.json ``` to have your action id and then posting it like so: ```ts ./post_rule.sh ./rules/test_cases/queries/action_without_meta.json ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like: ```ts An error occurred during rule execution: message: "Cannot read property 'kibana_siem_app_url' of null" name: "Unusual Windows Remote User" id: "1cc27e7e-d7c7-4f6a-b918-8c272fc6b1a3" rule id: "1781d055-5c66-4adf-9e93-fc0fa69550c9" signals index: ".siem-signals-default" ``` This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code. If you have an action id handy you can manually test this by editing the json file of: ```ts test_cases/queries/action_without_meta.json ``` to have your action id and then posting it like so: ```ts ./post_rule.sh ./rules/test_cases/queries/action_without_meta.json ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like: ```ts An error occurred during rule execution: message: "Cannot read property 'kibana_siem_app_url' of null" name: "Unusual Windows Remote User" id: "1cc27e7e-d7c7-4f6a-b918-8c272fc6b1a3" rule id: "1781d055-5c66-4adf-9e93-fc0fa69550c9" signals index: ".siem-signals-default" ``` This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code. If you have an action id handy you can manually test this by editing the json file of: ```ts test_cases/queries/action_without_meta.json ``` to have your action id and then posting it like so: ```ts ./post_rule.sh ./rules/test_cases/queries/action_without_meta.json ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like: ```ts An error occurred during rule execution: message: "Cannot read property 'kibana_siem_app_url' of null" name: "Unusual Windows Remote User" id: "1cc27e7e-d7c7-4f6a-b918-8c272fc6b1a3" rule id: "1781d055-5c66-4adf-9e93-fc0fa69550c9" signals index: ".siem-signals-default" ``` This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code. If you have an action id handy you can manually test this by editing the json file of: ```ts test_cases/queries/action_without_meta.json ``` to have your action id and then posting it like so: ```ts ./post_rule.sh ./rules/test_cases/queries/action_without_meta.json ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Found in 7.9.0, if you post a rule with an action that has a missing "meta" then you are going to get errors in your UI that look something like:
This fixes the accidental referencing of the null/undefined property and adds both integration and unit tests in that area of code.
If you have an action id handy you can manually test this by editing the json file of:
to have your action id and then posting it like so:
Checklist
Delete any items that are not applicable to this PR.