[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4#2467
Merged: terrancedejesus merged 2 commits into main (Jan 13, 2023)
Conversation
brokensound77 (Contributor) approved these changes on Jan 13, 2023 and left a comment:
The analysis makes sense to me.
eric-forte-elastic (Contributor) approved these changes on Jan 13, 2023 and left a comment:
Good discussion this morning. Based on that and what is written above, analysis makes good sense to me 👍
Issues: #2464, elastic/integrations#3430
Summary
While updating and locking rule versions for the v8.3.4 and v8.4.2 release, we noticed that Google Workspace rule versions were double bumped. Analysis revealed this to be a result of build-time fields, specifically related_integrations. At the Detection Rules 8.3 branch, the build-time version value for related_integrations is 1.2.0, whereas for the 8.4 branch the value is 2.0.0, and thus the versions double bumped. We have had a discussion with @spong about potentially adjusting this build-time value to be determined via Fleet instead, as we would supply the package and integration. While this is a long-term solution, a stop-gap solution is necessary to ensure we do not continue to double bump these versions, but continue our release process.
Bumping the min-stack rule to 8.4 would fork the Google Workspace rules, and thus stacks prior to 8.4 would receive the 1.2.0 package whereas 8.4+ would receive the 2.0.0 package. In regards to versioning, this would allow the rule to be in a diverged state, and thus the SHA256 sum remains the same for the 8.3 forked version and for 8.4+ separately.
Additionally, the Google Workspace integration received an update which may confirm the changes were necessary to change the Kibana stack version to 8.4.0.
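As an added illustration (not detection-rules code; a simplified model of the versioning problem the summary describes): the locked hash covers the built rule including the build-time related_integrations version, so the same committed rule hashes differently on the 8.3 and 8.4 branches and is bumped a second time, while forking by min_stack_version hashes each stack line against its own branch only and keeps the version stable. The rule contents, package versions and bump logic below are constructed assumptions.

```python
import hashlib
import json

# Constructed package versions per Detection Rules branch, as stated in the PR summary:
# the 8.3 branch builds related_integrations with 1.2.0, the 8.4 branch with 2.0.0.
PACKAGE_VERSION_BY_BRANCH = {"8.3": "1.2.0", "8.4": "2.0.0"}

# Constructed stand-in for a Google Workspace rule's committed contents
# (hypothetical rule_id and query, not a real rule).
RULE_SOURCE = {
    "rule_id": "00000000-0000-0000-0000-000000000000",
    "name": "Example Google Workspace rule",
    "query": "event.dataset:google_workspace.admin and event.action:example",
}


def build_rule(source, branch):
    """Add the build-time related_integrations field the way each branch would."""
    built = dict(source)
    built["related_integrations"] = [
        {"package": "google_workspace", "version": PACKAGE_VERSION_BY_BRANCH[branch]}
    ]
    return built


def rule_sha256(built):
    """Hash canonical JSON of the built rule (simplified version-lock model)."""
    canon = json.dumps(built, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def version_after_releases(hashes, start_version=1):
    """Bump the version once per release whose built hash differs from the locked one."""
    version, locked = start_version, hashes[0]
    for h in hashes[1:]:
        if h != locked:
            version += 1
            locked = h
    return version


def unforked_versions():
    """One rule built on 8.3 then on 8.4: the hash changes, so the version bumps again."""
    h83 = rule_sha256(build_rule(RULE_SOURCE, "8.3"))
    h84 = rule_sha256(build_rule(RULE_SOURCE, "8.4"))
    return version_after_releases([h83, h84]), h83, h84


def forked_versions():
    """Forked by min_stack_version: each stack line is rebuilt on its own branch only."""
    return {b: version_after_releases([rule_sha256(build_rule(RULE_SOURCE, b))] * 2)
            for b in PACKAGE_VERSION_BY_BRANCH}
```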