From 7ef02d693710088358d00573a52b5890a519b2ea Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:12:34 -0500 Subject: [PATCH 01/12] First draft --- serverless/serverless-changelog.asciidoc | 61 ++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 5c237a6a0a..5b70d935ef 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -9,6 +9,67 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e [[serverless-changelog-12032024]] == December 3, 2024 +[discrete] +[[known-issues-12032024]] +=== Known issues + +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. + +*Workaround* + + +For custom rules: + +. From the {security-app}, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +. Fetch the affected exception list ID or IDs that are associated with the rule. +.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. +.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: ++ +[source,console] +---- +curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +---- ++ +.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). 
You will need these values to retrieve the exception list using the Exception list API. ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). +. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). ++ +The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +==== +// end::known-issue[201820] + [discrete] [[features-enhancements-12032024]] === Features and enhancements From 9ee6bccf565e9ce38286fca3556b62f11cb44e8b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:30:49 -0500 Subject: [PATCH 02/12] Minor tweaks --- serverless/serverless-changelog.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 5b70d935ef..0d6b4711b4 100644 
--- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc @@ -15,7 +15,7 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e // tag::known-issue[201820] [discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) +. In {sec-serverless}, the **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] ==== *Details* + 
@@ -25,14 +25,14 @@ On December 5, 2024, it was discovered that the **Exceptions** tab will not load For custom rules: -. From the {security-app}, <> the rule or rules with the affected exception lists. +. From your {sec-serverless} project, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to your project and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: . Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. +.. Find the affected rule's ID (`id`). From your {sec-serverless} project, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + [source,console] 
@@ -64,7 +64,7 @@ curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 202 ---- + . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. From your {sec-serverless} project, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. ==== From 25b1940f0aea21632efb32df69c7d7329e8fcc07 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 22:26:07 -0500 Subject: [PATCH 03/12] Formatting fix --- serverless/serverless-changelog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 0d6b4711b4..b2adf39b6e 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc @@ -15,7 +15,7 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e // tag::known-issue[201820] [discrete] -. In {sec-serverless}, the **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) +.In {sec-serverless}, the **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] ==== *Details* + 
From b75d5863b21b196f166cbfa45a558abed2c229ce Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:36:26 -0500 Subject: [PATCH 04/12] Update serverless/serverless-changelog.asciidoc --- serverless/serverless-changelog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index b2adf39b6e..c246e82d0e 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc @@ -37,7 +37,7 @@ For prebuilt rules: + [source,console] ---- -curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. From ab469f29d1229a737615301c045d938880aa2068 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 12:36:32 -0500 Subject: [PATCH 05/12] Update serverless/serverless-changelog.asciidoc Co-authored-by: Ryland Herrick --- serverless/serverless-changelog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index c246e82d0e..3023ad6b7d 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -60,7 +60,7 @@ curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-ver + [source,console] ---- -curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). From 2d70b08e6684e42d72607f4386eff8a3790b5e10 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 13:25:57 -0500 Subject: [PATCH 06/12] Update serverless/serverless-changelog.asciidoc --- serverless/serverless-changelog.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 3023ad6b7d..54fb9a8f73 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -31,6 +31,8 @@ For custom rules: For prebuilt rules: +NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. + . Fetch the affected exception list ID or IDs that are associated with the rule. .. Find the affected rule's ID (`id`). From your {sec-serverless} project, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: From b3a7dc821d117c20dfce8ea20bbcf18a36957514 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 14:11:04 -0500 Subject: [PATCH 07/12] Updates summary and removes stack info --- serverless/serverless-changelog.asciidoc | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 54fb9a8f73..b1406c466a 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -19,30 +19,30 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). *Workaround* + For custom rules: -. From your {sec-serverless} project, <> the rule or rules with the affected exception lists. +. From the **Rules** page, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to your project and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. -. Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From your {sec-serverless} project, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. -.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). 
From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: + [source,console] ---- curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + -.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + [source,console] ---- 
@@ -58,17 +58,17 @@ curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-ver } ---- + -. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: + [source,console] ---- curl -XPOST -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + -. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. From your {sec-serverless} project, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. 
Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From 3777165f5ac642c7c38338d1e431a24371b16fb8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 16:40:28 -0500 Subject: [PATCH 08/12] Ryland's input --- serverless/serverless-changelog.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index b1406c466a..36eb183ab3 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc @@ -31,7 +31,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. 
@@ -39,7 +39,7 @@ NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, + [source,console] ---- -curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. 
@@ -62,11 +62,11 @@ curl -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-ver + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Re-import the modified exception list using **Import exception lists** option on the <> page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== From c693d01626f07b1f00f2acd6ed1761eb223818c6 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 17:07:50 -0500 Subject: [PATCH 09/12] fix it! --- serverless/serverless-changelog.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 36eb183ab3..c170053bec 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -31,7 +31,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. @@ -66,7 +66,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. +. Re-import the modified exception list using **Import exception lists** option on the <> page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== From 7bdffd5c5ed1b5dc5d61d4ead29c55ab9329de43 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Dec 2024 16:53:09 -0500 Subject: [PATCH 10/12] dev input --- serverless/serverless-changelog.asciidoc | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index c170053bec..8fdb310f2d 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -19,7 +19,7 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`) ({kibana-issue}[#201820]). *Workaround* + @@ -35,7 +35,7 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. -.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: +.. Specify the `id` when fetching the rule's details using the {api-kibana-serverless}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: + [source,console] ---- 
@@ -66,9 +66,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. -+ -Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From bce400ce2f5b66130a4ca137f16393d2d7a97af5 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:58:41 -0500 Subject: [PATCH 11/12] Update serverless/serverless-changelog.asciidoc --- serverless/serverless-changelog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index 8fdb310f2d..d868061859 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc 
@@ -19,7 +19,7 @@ For serverless changes in Cloud Console, refer to https://www.elastic.co/guide/e [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`) ({kibana-issue}[#201820]). +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`) ({kibana-issue}201820[#201820]). *Workaround* + From 91d4cd9ffd57521d9432de0a8e18dc280396573e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 22:23:21 -0500 Subject: [PATCH 12/12] Update serverless/serverless-changelog.asciidoc --- serverless/serverless-changelog.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/serverless/serverless-changelog.asciidoc b/serverless/serverless-changelog.asciidoc index d868061859..37e3085a65 100644 --- a/serverless/serverless-changelog.asciidoc +++ b/serverless/serverless-changelog.asciidoc @@ -66,7 +66,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820]
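Review bot: the JSON response sample added in PATCH 01/12 (the block that begins with `"id": "167a5f6f-2148-4792-8226-b5e7a58ef46e"` and holds `exceptions_list`) is tagged `[source,console]`, the same tag used for the curl requests around it. It is a response body, not something to run, so tagging it `[source,json]` would highlight it correctly and keep readers from treating it as a command.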
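Review bot: `$API_KEY` sits inside single quotes in the curl lines added by PATCH 04/12 (hunk `@@ -37,7 +37,7 @@`) and PATCH 05/12 (hunk `@@ -60,7 +60,7 @@`), so the shell never expands it and the request sends the literal string `$API_KEY`. PATCH 08/12 replaces it with `API_KEY_HERE`, which avoids the literal but has readers paste the key straight into the command, where an interactive shell typically records it in history. Suggest keeping the variable and switching only that header to double quotes: `-H "Authorization: ApiKey ${API_KEY}"`.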
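Review bot: the URL in the first curl example (PATCH 08/12, hunk `@@ -39,7 +39,7 @@`) is unquoted, while the export example in the following hunk quotes its URL. The `?` in `rules?id=` is a glob character, and zsh with default options stops with "no matches found" when it appears unquoted. Suggest quoting it the same way as the export call: `'KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e'`.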
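Review bot: the custom-rules step "Modify the `.ndjson` file so `comments` no longer contain newline characters" (added in PATCH 01/12, carried as unchanged context through PATCH 07/12, hunk `@@ -19,30 +19,30 @@`) names the field less precisely than the prebuilt-rules step, which says `comments[].comment`. Suggest using `comments[].comment` in both places. Because NDJSON separates records with a real line break, it is also worth stating that only the escaped `\n` inside each comment string should be removed or replaced and that every record must stay on its own line; a blanket find-and-replace on newlines would merge records into invalid lines.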
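Review bot: the final re-import step in PATCH 12/12 (hunk `@@ -66,7 +66,7 @@`) still reads "using **Import exception lists** option", which is missing its article; suggest "using the **Import exception lists** option". The same step now packs the action, the expected failure and the overwrite instruction into one list item after PATCH 10/12 removed the `+` continuation; restoring the continuation paragraph for the "import will initially fail" explanation would keep the numbered step itself short.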