[Security Solution] Calculate and save ruleSource.isCustomized in API endpoint handlers
#180145
Assignees
Labels
8.16 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules
Feature:Rule Management
Security Solution Detection Rule Management
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
Comments
jpdjere
added
triage_needed
Team:Detections and Resp
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
banderror
changed the title
is_customizedis_customized (DRAFT)
banderror
added
Feature:Prebuilt Detection Rules
jpdjere
changed the title
is_customized (DRAFT)ruleSource.isCustomized field for rule update API (DRAFT)
jpdjere
changed the title
ruleSource.isCustomized field for rule update API (DRAFT)ruleSource.isCustomized field for rule update and bulk rule update API (DRAFT)
jpdjere
changed the title
ruleSource.isCustomized field for rule update and bulk rule update API (DRAFT)ruleSource.isCustomized field for rule update and bulk rule update APIs (DRAFT)
jpdjere
changed the title
ruleSource.isCustomized field for rule update and bulk rule update APIs (DRAFT)ruleSource.isCustomized in API endpoint handlers (DRAFT)
jpdjere
changed the title
ruleSource.isCustomized in API endpoint handlers (DRAFT)ruleSource.isCustomized in API endpoint handlers (DRAFT)
jpdjere
changed the title
ruleSource.isCustomized in API endpoint handlers (DRAFT)ruleSource.isCustomized in API endpoint handlers
xcrzx
added a commit
that referenced
this issue
Aug 29, 2024
…190041) **Resolves: #187706 ## Summary Added the `isCustomized` field recalculation after a bulk edit operation on rules as part of the [rules customization epic](elastic/security-team#1974). **Background** The `isCustomized` field is a rule parameter indicating if a prebuilt Elastic rule has been modified by a user. This field is extensively used in the prebuilt rule upgrade workflow. It's essential to ensure any rule modification operation recalculates this field to keep its value in sync with the rule content. Most of the rule CRUD operations were already covered in a previous PR: [Calculate and save ruleSource.isCustomized in API endpoint handlers](#180145). This PR addresses the remaining bulk rule modification operations performed using the `rulesClient.bulkEdit` method. **`rulesClient.bulkEdit` changes** The `isCustomized` calculation is based on the entire rule object (i.e., rule params and attributes) and should be performed after all bulk operations have been applied to the rule - after `operations` and `paramsModifier`. To support this, I changed the `paramsModifier` to accept entire rule object: ```diff export type ParamsModifier<Params extends RuleParams> = ( - params: Params + rule: Rule<Params> ) => Promise<ParamsModifierResult<Params>>; ``` **Security Solution Bulk Endpoint changes** The `/api/detection_engine/rules/_bulk_action` endpoint now handles bulk edit actions a bit differently. Previously, most of the bulk action was delegated to the rules client. Now, we need to do some preparatory work: 1. Fetch the affected rules in memory first, regardless of whether we received a query or rule IDs as input (previously delegated to Alerting). 2. Identify all prebuilt rules among the fetched rules. 3. Fetch base versions of the prebuilt rules. 4. Provide base versions to `ruleModifier` for the `isCustomized` calculation. These changes add a few extra roundtrips to Elasticsearch and make the bulk edit endpoint less efficient than before. However, this seems justified given the added functionality of the customization epic. In the future, we might consider optimizing to reduce the number of database requests. Ideally, for Security Solution use cases, we would need a more generic method than `bulkEdit`, such as `bulkUpdate`, allowing us to implement any required rule update logic fully on the solution side.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
Implement calculation of
ruleSource.isCustomizedin all necessary endpoints that write theruleSourcefield to prebuilt rules, and where fields can be customized, diverging from the base version from the Rule Asset.The calculation and saving of the field should be done in the following endpoints:
PUT /rulesPATCH /rulesPUT /rules/_bulk_updatePATCH /rules/_bulk_updatePOST /rules/_importPOST /prebuilt_rules/upgrade/_perform(Internal)Extracted to other tickets:
POST /rules/_bulk_action: with action Edit rules actionruleSource.isCustomizedin bulk edit API #187706Background
Context from RFC:
isCustomizedfield - see table with scenarios for calculation ofisCustomizedisCustomizedduring bulk editing rulesisCustomizedwhen importing rules - see table with import scenarios and their respectiveisCustomizedcalculationskibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md
Lines 559 to 584 in 269649a
kibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md
Lines 817 to 821 in b6e0f87
The text was updated successfully, but these errors were encountered: