[Security Solution] Handle specific fields in /upgrade/_review upgrade workflow
#180393
Comments
jpdjere
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
jpdjere
added
Feature:Prebuilt Detection Rules
jpdjere
changed the title
|
I finished evaluating how to handle all the fields in a rule and marked them in the table above. Just wanted to call your attention to
|
jpdjere
changed the title
/upgrade/_review upgrade workflow
Update: the field was not removed from the Prebuilt Rules schema since it is extensively used in the code as part of it. We still won't calculate the diff for this field and the |
|
@jpdjere Thanks for the update. I'm still not convinced that we should handle this field in a special way. Why can't we simply enable it in the ThreeWayDiff UI? Especially because it stays in the prebuilt rule asset schema. We can do a quick zoom on that. |
|
@banderror We definitely can enable it in the ThreeWayDiff UI; it just doesn't seem necessary since no Prebuilt Detection Rules have an But given having it as part of the UI does not mean any additional complexity, let's change this decision and include it as part of the UI and the |
|
@jpdjere in the future we might have the suppression fields set for prebuilt rules (depends on additional suppression fields like suppression_enabled). |
|
@approksiu @jpdjere ++, and we just got a PR that is related to that: elastic/detection-rules#3986 Let's enable diff calculation for this field and show it in the UI. @jpdjere What do we need to do for that, exactly? |
|
Created a ticket for adding both AlertSuppression and InvestigationFields to the upgrade workflow: #190597 It lists what needs to be done to include the fields in the workflow.
|
Just something to think about; now that we've opened our DAC feature to beta, it allows customers to use our logic to import/export rules using our schemas to their stack. In other words, even if we never create prebuilt rules that use the new alert suppression fields, other customers will still be able to. In fact, a recent customer / partner just reached out about adding support to our repo. They've also tested our implementation to confirm it worked for them and their custom rules. |
@Mikaayenson Good point, this will be supported - users will be able to customize prebuilt rules via the import endpoint and the DAC tool. |
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
Based on the discussions that took place in #147239, we need to treat different rule fields in different ways in the context of the upgrade workflow.
For each field we must decide:
security-ruleasset schema?: In cases where we have certainty that they won't ever be included in prebuilt rule assets, the field should be removed from the schema. E.g.actions,response_actions./upgrade/_review?: does the field need to be removed of thediffsobject that is generated for each rule in the endpoint?diffsobjectdiffobject (won't be calculated if removed fromsecurity-ruleschema)diffobjectField list
/upgrade/_review?idrule_sourceimmutableversionrevisionenabledexecution_summaryalert_suppression*actionsthrottleresponse_actionsmetaoutput_indexnamespacealias_purposealias_target_idoutcomecreated_atcreated_byupdated_atupdated_byauthorlicenseconcurrent_searches(IM Rules)items_per_search(IM Rules)rule_idnametagsdescriptionseverityseverity_mappingrisk_scorerisk_score_mappingreferencesfalse_positivesthreatnotesetuprelated_integrationsrequired_fieldsmax_signalsbuilding_block_typefrom(rule_schedule)interval(rule_schedule)exceptions_list*rule_name_overridetimestamp_overridetimestamp_override_fallback_disabledtimeline_id(timeline_template)timeline_title(timeline_template)index(data_source)data_view_id(data_source)querylanguagefilterssaved_idmachine_learning_job_id(ML Rules)anomaly_threshold(ML Rules)threat_filters(IM Rules)threat_query(IM Rules)threat_mapping(IM Rules)threat_language(IM Rules)threat_index(IM Rules)threat_indicator_path(IM Rules)new_terms_fields(New Terms Rules)history_window_start(New Terms Rules)Notes on fields
Endpoint Securityrule includes an exception list value, so this update/customization case needs to be handled. (That's the only prebuilt rule with an exception list as of now)true. But it's not part of the diffing logic anyways.Details
security-ruleasset schema:x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.tsdiffin/upgrade/_reviewdiffsobject:x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts. We can add/remove them here and define which algorithm is used to calculate the diff.Work left over from this ticket
/upgrade/_performendpoint. All of this needs to be done after the refactoring of the endpoint handler is done. As of now, it always installs the full target version, so the changes needed are not possible now. Moving the work to a separate ticket.version,authorandlicensefields visible but read-only in the Three Way Diff component. Addings this TO-DO as a requisite in the Three-Way-Diff component ticket.The text was updated successfully, but these errors were encountered: