[New Rules] External Promotion Alerts#4903
Merged
Mikaayenson merged 13 commits intomainfrom Jul 31, 2025
Merged
Conversation
Contributor
Enhancement - GuidelinesThese guidelines serve as a reminder set of considerations when addressing adding a new schema feature to the code. Documentation and Context
Code Standards and Practices
Testing
Additional Schema Related Checks
|
|
⛔️ Test failed Results
|
Mikaayenson
commented
Jul 11, 2025
Mikaayenson
commented
Jul 11, 2025
approksiu
reviewed
Jul 14, 2025
approksiu
left a comment
approksiu
left a comment
There was a problem hiding this comment.
LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.
Samirbous
approved these changes
Jul 18, 2025
|
⛔️ Test failed Results
|
Contributor
Author
@peluja1012 will this cause confusion upstream? |
Hey @Mikaayenson, which rules have the "External alerts" tag currently? We wouldn't want AI4DSOC users to have promotion rule automatically installed that are not relevant for the AI4DSOC use case. Looking at the code, it looks like we are checking for both the presence of the tag AND for a related_integration reference before we automatically install the rule. So if a customer has the Crowdstrike integration installed in AI4DSOC, for example, and there is more than one rule with the tag "Promotion: External alerts" that references the Crowdstrike integration via the |
Contributor
Author
Based on our discussion, if we accidentally add the tag to another rule that meets similar criteria it will cause issues with the AI4DSOC, so we will not add the tag to other rules. cc. @approksiu |
|
⛔️ Test failed Results
|
Mikaayenson
commented
Jul 25, 2025
Mikaayenson
commented
Jul 25, 2025
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Aegrah
approved these changes
Jul 25, 2025
| interval = "1m" | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| max_signals = 1000 |
Contributor
There was a problem hiding this comment.
Any specific reason we set this to 1000?
| field = "event.severity" | ||
| operator = "equals" | ||
| severity = "low" | ||
| value = "1" |
Contributor
There was a problem hiding this comment.
Are these mappings of 1, 2 and 3 a sentinal_one thing?
Contributor
Author
There was a problem hiding this comment.
Contributor
Author
There was a problem hiding this comment.
Looking again. This might be a mistake on the sample rules sent. Updating in the next PR.
traut
approved these changes
Jul 25, 2025
eric-forte-elastic
approved these changes
Jul 25, 2025
Contributor
eric-forte-elastic
left a comment
eric-forte-elastic
left a comment
There was a problem hiding this comment.
Once placeholder dates are updated this looks good to merge (ref). Data checks look good too 👍
Contributor
Author
|
Just waiting to test the remaining rules and then we can merge. |
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Contributor
Author
Final Testing
|
spong
added a commit
to elastic/kibana
that referenced
this pull request
Jul 31, 2025
## Summary A follow-up from #229726 after successful testing of the `9.1.3-beta.1` package. This removes the setting entirely in preparation for release. In the interim, the last release version of the package will be installed (`9.1.2`), until `9.1.3` (elastic/detection-rules#4903) is released next week. So testing on QA in the interim will require manually overriding `xpack.securitySolution.prebuiltRulesPackageVersion: '9.1.3-beta.1'`, or manually installing the package via the fleet API ([pre-release from registry](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages-pkgname-pkgversion), or [zip upload](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages)). cc @pborgonovi @tomsonpl @Mikaayenson @xcrzx
5 tasks
delanni
pushed a commit
to delanni/kibana
that referenced
this pull request
Aug 5, 2025
…30118) ## Summary A follow-up from elastic#229726 after successful testing of the `9.1.3-beta.1` package. This removes the setting entirely in preparation for release. In the interim, the last release version of the package will be installed (`9.1.2`), until `9.1.3` (elastic/detection-rules#4903) is released next week. So testing on QA in the interim will require manually overriding `xpack.securitySolution.prebuiltRulesPackageVersion: '9.1.3-beta.1'`, or manually installing the package via the fleet API ([pre-release from registry](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages-pkgname-pkgversion), or [zip upload](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages)). cc @pborgonovi @tomsonpl @Mikaayenson @xcrzx
NicholasPeretti
pushed a commit
to NicholasPeretti/kibana
that referenced
this pull request
Aug 18, 2025
…30118) ## Summary A follow-up from elastic#229726 after successful testing of the `9.1.3-beta.1` package. This removes the setting entirely in preparation for release. In the interim, the last release version of the package will be installed (`9.1.2`), until `9.1.3` (elastic/detection-rules#4903) is released next week. So testing on QA in the interim will require manually overriding `xpack.securitySolution.prebuiltRulesPackageVersion: '9.1.3-beta.1'`, or manually installing the package via the fleet API ([pre-release from registry](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages-pkgname-pkgversion), or [zip upload](https://www.elastic.co/docs/api/doc/kibana/operation/operation-post-fleet-epm-packages)). cc @pborgonovi @tomsonpl @Mikaayenson @xcrzx
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
data_stream.dataset#4929Summary - What I changed
data_stream.datasetper integration team guidanceHow To Test
Stack Testing
Testing Data
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hours