
[8.19] [AI4SOC] Added AI4SOC promotion rules bootstrapping (#217517)#223896

Merged
xcrzx merged 2 commits into elastic:8.19 from xcrzx:backport/8.19/pr-217517
Jun 16, 2025

Conversation

@xcrzx
Contributor

@xcrzx xcrzx commented Jun 13, 2025

Backport

This will backport the following commits from main to 8.19:

Questions?

Please refer to the Backport tool documentation

@xcrzx xcrzx requested a review from kibanamachine as a code owner June 13, 2025 11:36
@xcrzx xcrzx added the backport This PR is a backport of another PR label Jun 13, 2025
@xcrzx xcrzx enabled auto-merge (squash) June 13, 2025 11:36
@elasticmachine
Contributor

elasticmachine commented Jun 13, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #18 / Category can submit without setting a category
  • [job] [logs] Jest Tests #11 / deleteEsIndicesRoute delete indices
  • [job] [logs] Jest Tests #11 / deleteEsIndicesRoute delete indices - should validate input
  • [job] [logs] Jest Tests #11 / deleteStoredScriptRoute delete indices
  • [job] [logs] Jest Tests #11 / deleteStoredScriptRoute delete indices - should validate input
  • [job] [logs] Jest Tests #11 / readPrebuiltDevToolContentRoute should read content from "enable_host_risk_score" template
  • [job] [logs] Jest Tests #11 / readPrebuiltDevToolContentRoute should read content from "enable_user_risk_score" template

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 7471 7470 -1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
securitySolution 121 122 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 9.4MB 9.4MB +426.0B

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
securitySolution 31 32 +1

Unknown metric groups

API count

id before after diff
securitySolution 189 190 +1

ESLint disabled line counts

id before after diff
securitySolution 561 563 +2

Total ESLint disabled count

id before after diff
securitySolution 647 649 +2

History

**Resolves: https://github.com/elastic/security-team/issues/12069**

## Summary

Added logic to bootstrap (install, upgrade, and enable) prebuilt
promotion rules required for AI4SOC to function.

Summary of changes:

- Bootstrapping logic now depends on the `externalDetections` (enabled
for AI4SOC) and `detections` (enabled for all tiers except AI4SOC)
product keys.
- For `detections`, we install the prebuilt rules package and the
endpoint package as usual, with no additional steps.
- For `externalDetections`, we install the rules package and skip the
endpoint package installation, but also install on behalf of the user
all promotion rules for enabled integrations.
- The rule bootstrapping algorithm works as follows:
We check if any of the following integrations are installed: Splunk,
Microsoft Sentinel, Google SecOps, SentinelOne, or CrowdStrike. For
enabled integrations, we identify prebuilt rules associated with them
(using the `related_integrations` field) that also have the `Promotion`
tag. This defines the set of promotion rules to install.
- For each rule in that set, we check if it needs to be installed or
upgraded. If the rule is missing, it's installed and enabled by default.
If it was previously installed and disabled, it remains disabled. Rules
are enabled by default only during initial installation.
- Any prebuilt rules that are installed but not considered promotion
rules for enabled integrations are deleted from Kibana.
- To create promotion rules, users must have at least the Alerting
framework CRUD capability. If this capability is missing, an error is
thrown. These errors are exposed in the UI to indicate that rule
installation didn’t complete successfully.
<img width="788" alt="image"
src="https://github.com/user-attachments/assets/5d2a274b-3142-423d-8015-009253eba9d5"
/>
- The bootstrap endpoint API contract has been extended to support the
above scenarios. The response now includes the number of rules modified
during the bootstrap process and any encountered errors:
   ```json
   {
       "packages": [
           {
               "name": "security_detection_engine",
               "version": "9.0.1",
               "status": "already_installed"
           }
       ],
       "rules": {
           "total": 5,
           "installed": 5,
           "updated": 0,
           "deleted": 0,
           "skipped": 0,
           "errors": []
       }
   }
   ```
- Frontend cache invalidation logic has also been updated to refetch any
cached rules if the bootstrap endpoint reports modifications.

### How to test

Currently, there are no promotion rules in the prebuilt rules package,
so there's no straightforward way to test rule bootstrapping without
uploading a fake rules package:

1. Start Kibana in serverless mode with the following product
configuration:
   ```yaml
   xpack.securitySolutionServerless.productTypes:
     [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }]
   ```
2. Create a rules package archive that contains promotion rules or use
this archive for testing
https://drive.google.com/file/d/1mbx1gjNbcvknbbbopOOXmaIBVvZpVQHC/view?usp=sharing
3. Upload the rules archive to Kibana using the Fleet API:
   ```bash
   curl -u elastic_serverless:changeme \
     'http://localhost:5601/api/fleet/epm/packages' \
     -H 'content-type: application/zip' \
     -H 'x-elastic-internal-origin: Kibana' \
     -H 'kbn-xsrf: foo' \
     --data-binary @security_detection_engine-9.10.3.zip
   ```
4. Enable any of the available integrations, e.g. CrowdStrike.
5. Verify that the rules related to the integration were installed (that
should happen automatically on navigation to any of the Security pages) and
enabled. Note that there's no UI for rules yet, so it is only possible to
read the rules using the API.

(cherry picked from commit 98fa0f8)

# Conflicts:
#	x-pack/solutions/security/plugins/security_solution/common/constants.ts
#	x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/bootstrap_prebuilt_rules/bootstrap_prebuilt_rules_handler.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/install_prebuilt_rules_and_timelines/install_prebuilt_rules_package.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/request_context.ts
#	x-pack/solutions/security/plugins/security_solution/server/types.ts
#	x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/is_customized_calculation.ts
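The following is an added example, not code from the Kibana repository or from this PR. It models, as a pure in-memory planner, the bootstrapping decisions described in the PR summary: select prebuilt rules that carry the `Promotion` tag and are related (via `related_integrations`) to an installed promotion integration, install missing ones enabled by default, upgrade outdated ones without touching their enabled state, skip current ones, count installed prebuilt rules outside that set as deletions, and record an error instead of installing when the Alerting CRUD capability is missing. The Fleet package names (`splunk`, `microsoft_sentinel`, `google_secops`, `sentinel_one`, `crowdstrike`), the rule-asset shape, and the sample data are assumptions made for this example; the summary object mirrors the `rules` block of the response shown in the PR.

```typescript
// Added example, not Kibana code. Package names, types and sample data are assumed.
type RelatedIntegration = { package: string };

interface PrebuiltRuleAsset {
  rule_id: string;
  version: number;
  tags: string[];
  related_integrations: RelatedIntegration[];
}

// A prebuilt rule already installed in Kibana (only prebuilt rules are modelled here).
interface InstalledRule {
  rule_id: string;
  version: number;
  enabled: boolean;
}

// Mirrors the `rules` block of the bootstrap endpoint response in the PR.
interface BootstrapRulesSummary {
  total: number;
  installed: number;
  updated: number;
  deleted: number;
  skipped: number;
  errors: string[];
}

// Assumed Fleet package names for the five integrations named in the PR.
const PROMOTION_INTEGRATIONS = new Set([
  'splunk', 'microsoft_sentinel', 'google_secops', 'sentinel_one', 'crowdstrike',
]);
const PROMOTION_TAG = 'Promotion';

/** Promotion rule set: tagged `Promotion` and related to an installed promotion integration. */
export function selectPromotionRules(
  assets: PrebuiltRuleAsset[],
  installedIntegrations: Set<string>,
): PrebuiltRuleAsset[] {
  return assets.filter(
    (a) =>
      a.tags.includes(PROMOTION_TAG) &&
      a.related_integrations.some(
        (ri) => PROMOTION_INTEGRATIONS.has(ri.package) && installedIntegrations.has(ri.package),
      ),
  );
}

/** Plans the bootstrap: returns the resulting installed rule set and a response-style summary. */
export function bootstrapPromotionRules(
  assets: PrebuiltRuleAsset[],
  installedIntegrations: Set<string>,
  installedRules: InstalledRule[],
  canCrudAlertingRules: boolean,
): { rules: InstalledRule[]; summary: BootstrapRulesSummary } {
  const promotion = selectPromotionRules(assets, installedIntegrations);
  const wanted = new Set(promotion.map((a) => a.rule_id));
  const current = new Map<string, InstalledRule>(
    installedRules.map((r): [string, InstalledRule] => [r.rule_id, r]),
  );
  const summary: BootstrapRulesSummary = {
    total: promotion.length, installed: 0, updated: 0, deleted: 0, skipped: 0, errors: [],
  };
  const next: InstalledRule[] = [];

  for (const asset of promotion) {
    const existing = current.get(asset.rule_id);
    if (!existing) {
      // Creating a rule needs the Alerting CRUD capability; the PR surfaces this as an error.
      if (!canCrudAlertingRules) {
        summary.errors.push(`Cannot install rule ${asset.rule_id}: missing Alerting CRUD capability`);
        continue;
      }
      // Enabled by default only on initial installation.
      next.push({ rule_id: asset.rule_id, version: asset.version, enabled: true });
      summary.installed++;
    } else if (existing.version < asset.version) {
      // Upgrade keeps the user's enabled/disabled choice.
      next.push({ ...existing, version: asset.version });
      summary.updated++;
    } else {
      next.push(existing);
      summary.skipped++;
    }
  }
  // Installed prebuilt rules that are not promotion rules for enabled integrations are deleted.
  for (const r of installedRules) {
    if (!wanted.has(r.rule_id)) summary.deleted++;
  }
  return { rules: next, summary };
}

/** Constructed sample: CrowdStrike installed, one rule new, one outdated and disabled, one stale. */
export function sampleBootstrap(canCrudAlertingRules: boolean) {
  const assets: PrebuiltRuleAsset[] = [
    { rule_id: 'promo-crowdstrike-1', version: 1, tags: ['Promotion'], related_integrations: [{ package: 'crowdstrike' }] },
    { rule_id: 'promo-crowdstrike-2', version: 2, tags: ['Promotion'], related_integrations: [{ package: 'crowdstrike' }] },
    { rule_id: 'promo-splunk-1', version: 1, tags: ['Promotion'], related_integrations: [{ package: 'splunk' }] },
    { rule_id: 'generic-1', version: 1, tags: [], related_integrations: [{ package: 'crowdstrike' }] },
  ];
  const installed: InstalledRule[] = [
    { rule_id: 'promo-crowdstrike-2', version: 1, enabled: false },
    { rule_id: 'promo-splunk-1', version: 1, enabled: true },
  ];
  return bootstrapPromotionRules(assets, new Set(['crowdstrike']), installed, canCrudAlertingRules);
}
```

With the capability present, the sample installs `promo-crowdstrike-1` enabled, upgrades `promo-crowdstrike-2` while leaving it disabled, and counts `promo-splunk-1` as deleted because Splunk is not installed; without the capability the install is replaced by an error entry while the upgrade still proceeds, which is the behaviour the PR's UI error surfaces.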
@xcrzx xcrzx force-pushed the backport/8.19/pr-217517 branch from c83ec8e to 6242bb9 Compare June 16, 2025 10:10
@xcrzx xcrzx merged commit 5a80573 into elastic:8.19 Jun 16, 2025
8 checks passed
@xcrzx xcrzx deleted the backport/8.19/pr-217517 branch June 16, 2025 14:04

Labels: backport This PR is a backport of another PR