[AI4SOC] Added AI4SOC promotion rules bootstrapping#217517
Merged
xcrzx merged 1 commit intoelastic:mainfrom Apr 23, 2025
Merged
[AI4SOC] Added AI4SOC promotion rules bootstrapping#217517xcrzx merged 1 commit intoelastic:mainfrom
xcrzx merged 1 commit intoelastic:mainfrom
Conversation
xcrzx
force-pushed
the
promotion-rules
branch
11 times, most recently
from
d6e97c8 to
30ec80f
Compare
xcrzx
force-pushed
the
promotion-rules
branch
6 times, most recently
from
6d43d9c to
c43f901
Compare
xcrzx
added
release_note:skip
joeypoon
approved these changes
Apr 23, 2025
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
cc @xcrzx |
PhilippeOberti
approved these changes
Apr 23, 2025
Contributor
PhilippeOberti
left a comment
PhilippeOberti
left a comment
There was a problem hiding this comment.
Approving to not block the PR being merged, but I left one last comment here
delanni
added a commit
that referenced
this pull request
Apr 24, 2025
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
**Resolves: elastic/security-team#12069 ## Summary Added logic to bootstrap (install, upgrade, and enable) prebuilt promotion rules required for AI4SOC to function. Summary of changes: - Bootstrapping logic now depends on the `externalDetections` (enabled for AI4SOC) and `detections` (enabled for all tiers except AI4SOC) product keys. - For `detections`, we install the prebuilt rules package and the endpoint package as usual, with no additional steps. - For `externalDetections`, we install the rules package and skip the endpoint package installation, but also install on behalf of the user all promotion rules for enabled integrations. - The rule bootstrapping algorithm works as follows: We check if any of the following integrations are installed: Splunk, Microsoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For enabled integrations, we identify prebuilt rules associated with them (using the `related_integrations` field) that also have the `Promotion` tag. This defines the set of promotion rules to install. - For each rule in that set, we check if it needs to be installed or upgraded. If the rule is missing, it's installed and enabled by default. If it was previously installed and disabled, it remains disabled. Rules are enabled by default only during initial installation. - Any prebuilt rules that are installed but not considered promotion rules for enabled integrations are deleted from Kibana. - To create promotion rules, users must have at least the Alerting framework CRUD capability. If this capability is missing, an error is thrown. These errors are exposed in the UI to indicate that rule installation didn’t complete successfully. <img width="788" alt="image" src="https://github.com/user-attachments/assets/5d2a274b-3142-423d-8015-009253eba9d5" /> - The bootstrap endpoint API contract has been extended to support the above scenarios. The response now includes the number of rules modified during the bootstrap process and any encountered errors: ```json { "packages": [ { "name": "security_detection_engine", "version": "9.0.1", "status": "already_installed" } ], "rules": { "total": 5, "installed": 5, "updated": 0, "deleted": 0, "skipped": 0, "errors": [] } } ``` - Frontend cache invalidation logic has also been updated to refetch any cached rules if the bootstrap endpoint reports modifications. ### How to test Currently, there are no promotion rules in the prebuilt rules package, so there's no straightforward way to test rule bootstrapping without uploading a fake rules package: 1. Start Kibana in serverless mode with the following product configuration: ```yaml xpack.securitySolutionServerless.productTypes: [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }] ``` 2. Create a rules package archive that contains promotion rules or use this archive for testing https://drive.google.com/file/d/1mbx1gjNbcvknbbbopOOXmaIBVvZpVQHC/view?usp=sharing 3. Upload the rules archive to Kibana using the Fleet API: ``` curl -u elastic_serverless:changeme 'http://localhost:5601/api/fleet/epm/packages' \ -H 'content-type: application/zip' \ -H 'x-elastic-internal-origin: Kibana' \ -H 'kbn-xsrf: foo' \ --data-binary @security_detection_engine-9.10.3.zip ``` 3. Enable any of the available integrations, e.g. Crowdstrike 3. Verify that the rules related to the integration were installed (that should happen automatically on navigation on any of Security pages) and enabled. Note that there's no UI for rules yet so it is only possible to read the rules using API
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
## Summary A variable changed between elastic#217517 and elastic#218122 - this PR adjusts the import
xcrzx
added
v8.19.0
backport:version
Contributor
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/15463396557 |
Contributor
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/15463396638 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
1 similar comment
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added
the
backport missing
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
3 similar comments
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
Contributor
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
Contributor
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
xcrzx
pushed a commit
that referenced
this pull request
Jun 16, 2025
…223896) # Backport This will backport the following commits from `main` to `8.19`: - [[AI4SOC] Added AI4SOC promotion rules bootstrapping (#217517)](#217517) <!--- Backport version: 10.0.0 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Dmitrii Shevchenko","email":"dmitrii.shevchenko@elastic.co"},"sourceCommit":{"committedDate":"2025-04-23T13:52:20Z","message":"[AI4SOC] Added AI4SOC promotion rules bootstrapping (#217517)\n\n**Resolves: https://github.com/elastic/security-team/issues/12069**\n\n## Summary\n\nAdded logic to bootstrap (install, upgrade, and enable) prebuilt\npromotion rules required for AI4SOC to function.\n\nSummary of changes:\n\n- Bootstrapping logic now depends on the `externalDetections` (enabled\nfor AI4SOC) and `detections` (enabled for all tiers except AI4SOC)\nproduct keys.\n- For `detections`, we install the prebuilt rules package and the\nendpoint package as usual, with no additional steps.\n- For `externalDetections`, we install the rules package and skip the\nendpoint package installation, but also install on behalf of the user\nall promotion rules for enabled integrations.\n- The rule bootstrapping algorithm works as follows: \nWe check if any of the following integrations are installed: Splunk,\nMicrosoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For\nenabled integrations, we identify prebuilt rules associated with them\n(using the `related_integrations` field) that also have the `Promotion`\ntag. This defines the set of promotion rules to install.\n- For each rule in that set, we check if it needs to be installed or\nupgraded. If the rule is missing, it's installed and enabled by default.\nIf it was previously installed and disabled, it remains disabled. Rules\nare enabled by default only during initial installation.\n- Any prebuilt rules that are installed but not considered promotion\nrules for enabled integrations are deleted from Kibana.\n- To create promotion rules, users must have at least the Alerting\nframework CRUD capability. If this capability is missing, an error is\nthrown. These errors are exposed in the UI to indicate that rule\ninstallation didn’t complete successfully.\n<img width=\"788\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/5d2a274b-3142-423d-8015-009253eba9d5\"\n/>\n- The bootstrap endpoint API contract has been extended to support the\nabove scenarios. The response now includes the number of rules modified\nduring the bootstrap process and any encountered errors:\n ```json\n {\n \"packages\": [\n {\n \"name\": \"security_detection_engine\",\n \"version\": \"9.0.1\",\n \"status\": \"already_installed\"\n }\n ],\n \"rules\": {\n \"total\": 5,\n \"installed\": 5,\n \"updated\": 0,\n \"deleted\": 0,\n \"skipped\": 0,\n \"errors\": []\n }\n }\n ```\n- Frontend cache invalidation logic has also been updated to refetch any\ncached rules if the bootstrap endpoint reports modifications.\n\n### How to test\n\nCurrently, there are no promotion rules in the prebuilt rules package,\nso there's no straightforward way to test rule bootstrapping without\nuploading a fake rules package:\n\n1. Start Kibana in serverless mode with the following product\nconfiguration:\n ```yaml\n xpack.securitySolutionServerless.productTypes:\n [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }]\n ```\n2. Create a rules package archive that contains promotion rules or use\nthis archive for testing\nhttps://drive.google.com/file/d/1mbx1gjNbcvknbbbopOOXmaIBVvZpVQHC/view?usp=sharing\n3. Upload the rules archive to Kibana using the Fleet API:\n ```\ncurl -u elastic_serverless:changeme\n'http://localhost:5601/api/fleet/epm/packages' \\\n -H 'content-type: application/zip' \\\n -H 'x-elastic-internal-origin: Kibana' \\\n -H 'kbn-xsrf: foo' \\\n --data-binary @security_detection_engine-9.10.3.zip\n ```\n3. Enable any of the available integrations, e.g. Crowdstrike\n3. Verify that the rules related to the integration were installed (that\nshould happen automatically on navigation on any of Security pages) and\nenabled. Note that there's no UI for rules yet so it is only possible to\nread the rules using API","sha":"98fa0f8ef4accc7fa501fb5d7f66dab5c9668769","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport missing","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v9.1.0","v8.19.0"],"title":"[AI4SOC] Added AI4SOC promotion rules bootstrapping","number":217517,"url":"https://github.com/elastic/kibana/pull/217517","mergeCommit":{"message":"[AI4SOC] Added AI4SOC promotion rules bootstrapping (#217517)\n\n**Resolves: https://github.com/elastic/security-team/issues/12069**\n\n## Summary\n\nAdded logic to bootstrap (install, upgrade, and enable) prebuilt\npromotion rules required for AI4SOC to function.\n\nSummary of changes:\n\n- Bootstrapping logic now depends on the `externalDetections` (enabled\nfor AI4SOC) and `detections` (enabled for all tiers except AI4SOC)\nproduct keys.\n- For `detections`, we install the prebuilt rules package and the\nendpoint package as usual, with no additional steps.\n- For `externalDetections`, we install the rules package and skip the\nendpoint package installation, but also install on behalf of the user\nall promotion rules for enabled integrations.\n- The rule bootstrapping algorithm works as follows: \nWe check if any of the following integrations are installed: Splunk,\nMicrosoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For\nenabled integrations, we identify prebuilt rules associated with them\n(using the `related_integrations` field) that also have the `Promotion`\ntag. This defines the set of promotion rules to install.\n- For each rule in that set, we check if it needs to be installed or\nupgraded. If the rule is missing, it's installed and enabled by default.\nIf it was previously installed and disabled, it remains disabled. Rules\nare enabled by default only during initial installation.\n- Any prebuilt rules that are installed but not considered promotion\nrules for enabled integrations are deleted from Kibana.\n- To create promotion rules, users must have at least the Alerting\nframework CRUD capability. If this capability is missing, an error is\nthrown. These errors are exposed in the UI to indicate that rule\ninstallation didn’t complete successfully.\n<img width=\"788\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/5d2a274b-3142-423d-8015-009253eba9d5\"\n/>\n- The bootstrap endpoint API contract has been extended to support the\nabove scenarios. The response now includes the number of rules modified\nduring the bootstrap process and any encountered errors:\n ```json\n {\n \"packages\": [\n {\n \"name\": \"security_detection_engine\",\n \"version\": \"9.0.1\",\n \"status\": \"already_installed\"\n }\n ],\n \"rules\": {\n \"total\": 5,\n \"installed\": 5,\n \"updated\": 0,\n \"deleted\": 0,\n \"skipped\": 0,\n \"errors\": []\n }\n }\n ```\n- Frontend cache invalidation logic has also been updated to refetch any\ncached rules if the bootstrap endpoint reports modifications.\n\n### How to test\n\nCurrently, there are no promotion rules in the prebuilt rules package,\nso there's no straightforward way to test rule bootstrapping without\nuploading a fake rules package:\n\n1. Start Kibana in serverless mode with the following product\nconfiguration:\n ```yaml\n xpack.securitySolutionServerless.productTypes:\n [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }]\n ```\n2. Create a rules package archive that contains promotion rules or use\nthis archive for testing\nhttps://drive.google.com/file/d/1mbx1gjNbcvknbbbopOOXmaIBVvZpVQHC/view?usp=sharing\n3. Upload the rules archive to Kibana using the Fleet API:\n ```\ncurl -u elastic_serverless:changeme\n'http://localhost:5601/api/fleet/epm/packages' \\\n -H 'content-type: application/zip' \\\n -H 'x-elastic-internal-origin: Kibana' \\\n -H 'kbn-xsrf: foo' \\\n --data-binary @security_detection_engine-9.10.3.zip\n ```\n3. Enable any of the available integrations, e.g. Crowdstrike\n3. Verify that the rules related to the integration were installed (that\nshould happen automatically on navigation on any of Security pages) and\nenabled. Note that there's no UI for rules yet so it is only possible to\nread the rules using API","sha":"98fa0f8ef4accc7fa501fb5d7f66dab5c9668769"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/217517","number":217517,"mergeCommit":{"message":"[AI4SOC] Added AI4SOC promotion rules bootstrapping (#217517)\n\n**Resolves: https://github.com/elastic/security-team/issues/12069**\n\n## Summary\n\nAdded logic to bootstrap (install, upgrade, and enable) prebuilt\npromotion rules required for AI4SOC to function.\n\nSummary of changes:\n\n- Bootstrapping logic now depends on the `externalDetections` (enabled\nfor AI4SOC) and `detections` (enabled for all tiers except AI4SOC)\nproduct keys.\n- For `detections`, we install the prebuilt rules package and the\nendpoint package as usual, with no additional steps.\n- For `externalDetections`, we install the rules package and skip the\nendpoint package installation, but also install on behalf of the user\nall promotion rules for enabled integrations.\n- The rule bootstrapping algorithm works as follows: \nWe check if any of the following integrations are installed: Splunk,\nMicrosoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For\nenabled integrations, we identify prebuilt rules associated with them\n(using the `related_integrations` field) that also have the `Promotion`\ntag. This defines the set of promotion rules to install.\n- For each rule in that set, we check if it needs to be installed or\nupgraded. If the rule is missing, it's installed and enabled by default.\nIf it was previously installed and disabled, it remains disabled. Rules\nare enabled by default only during initial installation.\n- Any prebuilt rules that are installed but not considered promotion\nrules for enabled integrations are deleted from Kibana.\n- To create promotion rules, users must have at least the Alerting\nframework CRUD capability. If this capability is missing, an error is\nthrown. These errors are exposed in the UI to indicate that rule\ninstallation didn’t complete successfully.\n<img width=\"788\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/5d2a274b-3142-423d-8015-009253eba9d5\"\n/>\n- The bootstrap endpoint API contract has been extended to support the\nabove scenarios. The response now includes the number of rules modified\nduring the bootstrap process and any encountered errors:\n ```json\n {\n \"packages\": [\n {\n \"name\": \"security_detection_engine\",\n \"version\": \"9.0.1\",\n \"status\": \"already_installed\"\n }\n ],\n \"rules\": {\n \"total\": 5,\n \"installed\": 5,\n \"updated\": 0,\n \"deleted\": 0,\n \"skipped\": 0,\n \"errors\": []\n }\n }\n ```\n- Frontend cache invalidation logic has also been updated to refetch any\ncached rules if the bootstrap endpoint reports modifications.\n\n### How to test\n\nCurrently, there are no promotion rules in the prebuilt rules package,\nso there's no straightforward way to test rule bootstrapping without\nuploading a fake rules package:\n\n1. Start Kibana in serverless mode with the following product\nconfiguration:\n ```yaml\n xpack.securitySolutionServerless.productTypes:\n [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }]\n ```\n2. Create a rules package archive that contains promotion rules or use\nthis archive for testing\nhttps://drive.google.com/file/d/1mbx1gjNbcvknbbbopOOXmaIBVvZpVQHC/view?usp=sharing\n3. Upload the rules archive to Kibana using the Fleet API:\n ```\ncurl -u elastic_serverless:changeme\n'http://localhost:5601/api/fleet/epm/packages' \\\n -H 'content-type: application/zip' \\\n -H 'x-elastic-internal-origin: Kibana' \\\n -H 'kbn-xsrf: foo' \\\n --data-binary @security_detection_engine-9.10.3.zip\n ```\n3. Enable any of the available integrations, e.g. Crowdstrike\n3. Verify that the rules related to the integration were installed (that\nshould happen automatically on navigation on any of Security pages) and\nenabled. Note that there's no UI for rules yet so it is only possible to\nread the rules using API","sha":"98fa0f8ef4accc7fa501fb5d7f66dab5c9668769"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
kibanamachine
removed
the
backport missing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves: https://github.com/elastic/security-team/issues/12069
Summary
Added logic to bootstrap (install, upgrade, and enable) prebuilt promotion rules required for AI4SOC to function.
Summary of changes:
externalDetections(enabled for AI4SOC) anddetections(enabled for all tiers except AI4SOC) product keys.detections, we install the prebuilt rules package and the endpoint package as usual, with no additional steps.externalDetections, we install the rules package and skip the endpoint package installation, but also install on behalf of the user all promotion rules for enabled integrations.We check if any of the following integrations are installed: Splunk, Microsoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For enabled integrations, we identify prebuilt rules associated with them (using the
related_integrationsfield) that also have thePromotiontag. This defines the set of promotion rules to install.{ "packages": [ { "name": "security_detection_engine", "version": "9.0.1", "status": "already_installed" } ], "rules": { "total": 5, "installed": 5, "updated": 0, "deleted": 0, "skipped": 0, "errors": [] } }How to test
Currently, there are no promotion rules in the prebuilt rules package, so there's no straightforward way to test rule bootstrapping without uploading a fake rules package: