[Security Solution] [Bug] Rules and alerts are available in second space if user re-create the space with same name again. #216158

Open
muskangulati-qasource opened this issue Mar 27, 2025 · 8 comments
Labels
bug (Fixes for quality problems that affect the customer experience)
impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
triage_needed
v8.18.0

Comments

@muskangulati-qasource

Describe the bug
Rules and alerts are available in the second space if the user re-creates the space with the same name again.

Kibana/Elasticsearch Stack version

VERSION: 8.18.0
BUILD: 82852
COMMIT: dae17b1f42873e0b3a53fbe6bf3482fc891800db

Pre Conditions

  1. Kibana v8.18.0 must be available.
  2. Second Space must be available. ( here - Mus1 )

Steps

  1. Login with user in Second Space. ( here - Mus1 )
  2. Navigate to Security -> Rules
  3. Create a custom rule
  4. Alerts must be triggered
  5. Navigate to Security -> Alerts
  6. Validate, alerts must exist
  7. Switch to Default Space.
  8. Now from Manage Space, delete the Second Space in which Rule was created and alerts were generated earlier. ( here - Mus1 )
  9. Now click on Create Space button.
  10. Enter the same Space name as the earlier deleted space. ( here - Mus1 )
  11. Switch to newly created Space. ( here - Mus1 )
  12. Navigate to Security -> Rules and Security -> Alerts
  13. Observe that rules and alerts are available

Expected Result
The data previously deleted should not be available for the newly re-created space, as it can expose private data.

Screen Recording

Alerts.mp4
@muskangulati-qasource added the bug, impact:high, Team: SecuritySolution, Team:Threat Hunting, triage_needed and v8.18.0 labels Mar 27, 2025

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@arvindersingh-qasource

Reviewed and Assigned to @vgomez-el

@vgomez-el
Contributor

Hi @muskangulati-qasource!
I have been able to properly reproduce the bug, but in my case Detection rules were deleted but alerts were not.

REC-20250327152007.mp4

I will check with @PhilippeOberti and the Threat Hunting Investigations team whether the bug belongs to them or to the team that owns spaces.

@vgomez-el added the Team:Threat Hunting:Investigations label Mar 27, 2025

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@vgomez-el added the Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!) label and removed the Team:Threat Hunting, Team: SecuritySolution and Team:Threat Hunting:Investigations labels Mar 27, 2025

@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@vgomez-el removed their assignment Mar 27, 2025

@azasypkin added the Team: SecuritySolution label and removed the Team:Security label Mar 27, 2025

@dhurley14
Contributor

I reproduced this using stack rules + alerts:

spaces_bug.mov

@jaredburgettelastic
Contributor

Similar bug on Entity Analytics side here. A similar solution should be able to be used for both Alerts/Rules and EA. We may need a way to hook into the "Delete Space" code to remove additional resources.
