[Security Solution] Adds customized_fields and has_base_version fields to rule_source object schema#234793
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
jkelas left a comment:
Hi @dplumlee
I reviewed your changes and the code looks very good. Well done.
I only left two minor comments.
I did the manual testing and all works fine with the modified functionality. I also observed the changes made in the kibana_alerting_cases index for modified rules and everything worked as expected.
Resolved review threads (outdated):
- ...ecurity_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml
- ...nse/rules_management/prebuilt_rules/common/import_export/import_with_missing_base_version.ts
Flaky Test Runner Stats: 🎉 All tests passed! (kibana-flaky-test-suite-runner #9317)
- ✅ x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/configs/ess.config.ts: 100/100 tests passed.
natasha-moore-elastic left a comment:
Left some optional wording suggestions, otherwise LGTM!
Resolved review threads (outdated), three on:
- ...ecurity_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml
banderror left a comment:
@dplumlee This fixed implementation looks correct to me, thanks for the fixes and the additional test coverage 👍
I left just a couple nits for your consideration.
I'm trying to test this locally, just a happy path. I can confirm that a customized rule gets a rule_source with all the fields correctly initialized. I can also see that telemetry is being sent. But I'm not seeing it in the analytics-staging cluster. How much time does it take to process and index the incoming telemetry events? Is there any sampling that requires sending a lot of it so that at least some gets indexed?
Approving the PR in advance because the thoroughly reviewed implementation looks correct and the test coverage seems robust enough. Thanks for the hard work @dplumlee!
Resolved review threads (outdated):
- x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/helpers.test.ts (three threads)
- x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/helpers.ts
@banderror It wasn't immediately indexed for me when I was testing this, but it was always fairly quick (~5-10 min) once I updated the task schedule and restarted ES locally. Perhaps I was lucky in my timing?
I was sending about 100 alerts per rule, mostly from the resolver generator script, but I don't believe the amount of data should matter; there's nothing in the tasks that limits this behavior.

@dplumlee It still hasn't indexed anything from my machine. I hope I did something wrong, but we should double-check before merging. Let's test it live at our tech sync today.

@elasticmachine merge upstream

@dplumlee I tested that after your fix of the pipeline the events reach staging correctly. I was able to see events generated by my customized rule, e.g.
Starting backport for target branches: 9.1, 9.2 https://github.com/elastic/kibana/actions/runs/18232333038
💚 Build Succeeded

cc @dplumlee
…ields to `rule_source` object schema (elastic#234793)

**Resolves: elastic/security-team#12507 (internal)**

## Summary

Adds two new fields to the existing `rule_source` object in our rule schema as described in elastic#230856. Also updates and adds test coverage for the new field logic.

The new fields are:

- `customized_fields`: an array of objects containing rule field names that have been modified from the base version of the prebuilt rule.
  - Defaults to an empty array if the prebuilt rule is not customized or if the base version did not exist during diff calculation.
- `has_base_version`: a boolean field that specifies whether the base version of a prebuilt rule was able to be fetched and used during the customization calculation.

This PR also adds related telemetry fields as described in elastic#230856. This includes a `customizations` object field which contains a slimmed down version of `customized_fields` and has a `num_functional_fields` number field that is created in the telemetry task pipeline by comparing the customized fields array to a constant list of field names that we are defining as "functional". This source of truth list can be found in the `x-pack/solutions/security/plugins/security_solution/common/detection_engine/constants.ts` file.

### Examples

```jsonc
{
  "rule_source": {
    "type": "external",
    "is_customized": true,
    /* New fields */
    "customized_fields": [
      { "field_name": "tags" },
      { "field_name": "query" }
    ],
    "has_base_version": true
  }
}
```

```json
"customizations": {
  "customized_fields": ["tags", "query"],
  "num_functional_fields": 2
}
```

## How to test telemetry

Link to internal staging with example data: ([internal staging](https://analytics-staging.sde.elastic.dev/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:'2025-09-26T15:59:24.512Z',to:'2025-09-26T16:08:58.435Z'))&_a=(columns:!(),dataSource:(dataViewId:'4ca97040-d095-11ec-95a5-011050c1180f',type:dataView),filters:!(),interval:auto,query:(language:kuery,query:'customizations.num_functional_fields%20%3E%200'),sort:!(!('@timestamp',desc)),viewMode:documents)))

1. Set the prebuilt rule task type to something shorter than `1hr` in this file: `x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/tasks/prebuilt_rule_alerts.ts`
2. Add the following to `kibana.dev.yml`:

```yaml
telemetry.enabled: true
telemetry.optIn: true

# (Optional, for checking to see if it's working)
logging:
  root:
    appenders: [default]
    level: warn
  loggers:
    - name: plugins.securitySolution
      level: debug
    - name: plugins.ruleRegistry
    - name: plugins.taskManager
```

3. Start up both Elasticsearch and Kibana (has to be done _after_ updating the task interval, as task objects are stored in ES)
4. Install prebuilt rules
5. Modify prebuilt rules with different field customizations and enable those rules
6. Generate alerts that match these rules (resolver script generator, dev tools, query modification, etc.)
7. View the alerts getting sent to the internal staging telemetry cluster (https://analytics-staging.sde.elastic.dev) in the `detections_alert_telemetry_elastic*` index
8. Use the new `customizations` field to filter out/in customized rule alerts

## Checklist

Check the PR satisfies the following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [x] [Rule customization tests](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/9317)

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>

(cherry picked from commit aeb873a)
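A worked model of the logic the description sketches, added here as an example and not Kibana's own code: it derives `customized_fields` and `has_base_version` by diffing a rule against its base version, then reduces the result to the `customizations` telemetry object. The `FUNCTIONAL_FIELDS` set and the diffed field list are assumed stand-ins for the constants in `constants.ts`, which the PR does not reproduce.

```typescript
// Added example, not Kibana's code: models how the new rule_source fields and
// the customizations telemetry object can be derived from a rule diff.

interface CustomizedField {
  field_name: string;
}

interface ExternalRuleSource {
  type: 'external';
  is_customized: boolean;
  customized_fields: CustomizedField[];
  has_base_version: boolean;
}

interface Customizations {
  customized_fields: string[];
  num_functional_fields: number;
}

// Assumption: a stand-in for the "functional" field list kept in
// common/detection_engine/constants.ts. tags and query are included so that the
// PR description's example (tags + query -> num_functional_fields 2) holds.
const FUNCTIONAL_FIELDS: ReadonlySet<string> = new Set([
  'tags',
  'query',
  'index',
  'filters',
  'threshold',
  'new_terms_fields',
]);

// Assumption: the subset of rule fields this example diffs.
const DIFFABLE_FIELDS = ['name', 'description', 'tags', 'query', 'index', 'severity', 'risk_score'] as const;
type DiffableField = (typeof DIFFABLE_FIELDS)[number];
type RuleFields = Partial<Record<DiffableField, unknown>>;

// Order-insensitive equality for array-valued fields (tags, index), structural otherwise,
// so that merely reordering tags does not register as a customization.
function fieldsEqual(a: unknown, b: unknown): boolean {
  if (Array.isArray(a) && Array.isArray(b)) {
    if (a.length !== b.length) return false;
    const left = a.map(String).sort();
    const right = b.map(String).sort();
    return left.every((v, i) => v === right[i]);
  }
  return JSON.stringify(a) === JSON.stringify(b);
}

// Builds the rule_source object. When the base version could not be fetched the
// diff cannot run, so customized_fields defaults to [] and has_base_version
// records that fact (assumed: is_customized is left false in that case).
function calculateRuleSource(current: RuleFields, base: RuleFields | undefined): ExternalRuleSource {
  if (base === undefined) {
    return { type: 'external', is_customized: false, customized_fields: [], has_base_version: false };
  }
  const customized_fields = DIFFABLE_FIELDS
    .filter((field) => !fieldsEqual(current[field], base[field]))
    .map((field) => ({ field_name: field }));
  return {
    type: 'external',
    is_customized: customized_fields.length > 0,
    customized_fields,
    has_base_version: true,
  };
}

// Slims rule_source into the telemetry shape: bare field names plus a count of
// how many of them are functional, so a description tweak can be told apart
// from a change to what the rule actually matches.
function toTelemetryCustomizations(source: ExternalRuleSource): Customizations {
  const names = source.customized_fields.map((f) => f.field_name);
  return {
    customized_fields: names,
    num_functional_fields: names.filter((name) => FUNCTIONAL_FIELDS.has(name)).length,
  };
}
```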
💚 All backports created successfully

Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
…ion` fields to `rule_source` object schema (#234793) (#237537)

# Backport

This will backport the following commits from `main` to `9.2`:

- [[Security Solution] Adds `customized_fields` and `has_base_version` fields to `rule_source` object schema (#234793)](#234793)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
…ion` fields to `rule_source` object schema (#234793) (#237536)

# Backport

This will backport the following commits from `main` to `9.1`:

- [[Security Solution] Adds `customized_fields` and `has_base_version` fields to `rule_source` object schema (#234793)](#234793)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
\n\nReviewers should verify this PR satisfies this list as well.\n\n- [x]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] [Rule customization\ntests](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/9317)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>\nCo-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>","sha":"aeb873a93ad8f8f29b4a616abe17c030621a3823"}},"sourceBranch":"main","suggestedTargetBranches":["9.2","9.1"],"targetPullRequestStates":[{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.3.0","branchLabelMappingKey":"^v9.3.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/234793","number":234793,"mergeCommit":{"message":"[Security Solution] Adds `customized_fields` and `has_base_version` fields to `rule_source` object schema (#234793)\n\n**Resolves: https://github.com/elastic/security-team/issues/12507**\n(internal)\n\n## Summary\n\nAdds two new fields to the existing `rule_source` object in our rule\nschema as described in https://github.com/elastic/kibana/pull/230856.\nAlso updates and adds test coverage for the new field logic.\n\nThe new fields are:\n\n- `customized_fields`: an array of objects containing rule field names\nthat have been modified from the base version of the prebuilt rule.\n- Defaults to empty array if prebuilt rule is not customized or if base\nversion did not exist during diff calculation.\n- `has_base_version`: a boolean field that 
specifies if the base version\nof a prebuilt rule was able to be fetched and used during the\ncustomization calculation.\n\nThis PR also adds related telemetry fields as described in\nhttps://github.com//pull/230856. This includes a\n`customizations` object field which contains a slimmed down version of\n`customized_fields` and has a `num_functional_fields` number field that\nis created in the telemetry task pipeline by comparing the customized\nfields array to a constant list of field names that we are defining as\n\"functional\". This source of truth list can be found in the\n`x-pack/solutions/security/plugins/security_solution/common/detection_engine/constants.ts`\nfile\n\n### Examples\n\n```json\n{\n \"rule_source\": {\n \"type\": \"external\",\n \"is_customized\": true,\n /* New fields */\n \"customized_fields\": [\n {\n \"field_name\": \"tags\",\n },\n {\n \"field_name\": \"query\",\n }\n ],\n \"has_base_version\": true\n }\n}\n```\n\n```json\n\"customizations\": {\n \"customized_fields\": [\"tags\", \"query\"],\n \"num_functional_fields\": 2,\n}\n```\n\n## How to test telemetry\n\nLink to internal staging with example data: ([internal\nstaging](https://analytics-staging.sde.elastic.dev/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:'2025-09-26T15:59:24.512Z',to:'2025-09-26T16:08:58.435Z'))&_a=(columns:!(),dataSource:(dataViewId:'4ca97040-d095-11ec-95a5-011050c1180f',type:dataView),filters:!(),interval:auto,query:(language:kuery,query:'customizations.num_functional_fields%20%3E%200'),sort:!(!('@timestamp',desc)),viewMode:documents)))\n\n1. Set the prebuilt rule task type to something shorter than `1hr` in\nthis file:\n`x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/tasks/prebuilt_rule_alerts.ts`\n2. 
Add the following to `kibana.dev.yml`:\n```\ntelemetry.enabled: true\ntelemetry.optIn: true\n\n// (Optional for checking to see if its working)\nlogging:\n root:\n appenders: [default]\n level: warn\n loggers:\n - name: plugins.securitySolution\n level: debug\n - name: plugins.ruleRegistry\n - name: plugins.taskManager\n```\n3. Start up both Elasticsearch and kibana (Has to be done _after_\nupdating task interval as task objects are stored in ES)\n4. Install prebuilt rules\n5. Modify prebuilt rules with different field customizations and enable\nthose rules\n6. Generate alerts that match these rules (resolver script generator,\ndev tools, query modification, etc.)\n7. View the alerts getting sent to the internal staging telemetry\ncluster (https://analytics-staging.sde.elastic.dev) in the\n`detections_alert_telemetry_elastic*` index\n8. Use the new `customizations` field to filter out/in customized rule\nalerts\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] [Rule customization\ntests](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/9317)\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>\nCo-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>","sha":"aeb873a93ad8f8f29b4a616abe17c030621a3823"}},{"branch":"9.1","label":"v9.1.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee 
<56367316+dplumlee@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Resolves: https://github.com/elastic/security-team/issues/12507 (internal)
Summary
Adds two new fields to the existing
rule_sourceobject in our rule schema as described in #230856. Also updates and adds test coverage for the new field logic.The new fields are:
customized_fields: an array of objects containing rule field names that have been modified from the base version of the prebuilt rule.has_base_version: a boolean field that specifies if the base version of a prebuilt rule was able to be fetched and used during the customization calculation.This PR also adds related telemetry fields as described in #230856. This includes a
customizationsobject field which contains a slimmed down version ofcustomized_fieldsand has anum_functional_fieldsnumber field that is created in the telemetry task pipeline by comparing the customized fields array to a constant list of field names that we are defining as "functional". This source of truth list can be found in thex-pack/solutions/security/plugins/security_solution/common/detection_engine/constants.tsfileExamples
{ "rule_source": { "type": "external", "is_customized": true, /* New fields */ "customized_fields": [ { "field_name": "tags", }, { "field_name": "query", } ], "has_base_version": true } }How to test telemetry
Link to internal staging with example data: (internal staging)
1hrin this file:x-pack/solutions/security/plugins/security_solution/server/lib/telemetry/tasks/prebuilt_rule_alerts.tskibana.dev.yml:detections_alert_telemetry_elastic*indexcustomizationsfield to filter out/in customized rule alertsChecklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
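The two behaviours the PR describes (the diff that fills `customized_fields` and `has_base_version`, and the telemetry pipeline that derives `customizations.num_functional_fields` from the constant "functional" field list) as an added, self-contained example. This is not Kibana's code: the `FUNCTIONAL_FIELD_NAMES` set is a placeholder standing in for the list in `constants.ts`, the `NON_DIFFABLE_FIELDS` exclusion, the key-order-insensitive comparison and the derivation of `is_customized` from the diff result are assumptions, and the sample rules are constructed.

```typescript
// Added example, not code from the Kibana PR. Models (1) computing
// `customized_fields` / `has_base_version` by diffing a prebuilt rule against
// its base version and (2) deriving the `customizations` telemetry object.

interface CustomizedField {
  field_name: string;
}

interface RuleSource {
  type: 'external' | 'internal';
  is_customized: boolean;
  customized_fields: CustomizedField[];
  has_base_version: boolean;
}

interface CustomizationsTelemetry {
  customized_fields: string[];
  num_functional_fields: number;
}

// A rule is treated as a flat record of field name -> value for diffing.
type RuleFields = Record<string, unknown>;

// ASSUMPTION: placeholder for the constant list in
// security_solution/common/detection_engine/constants.ts. It contains `tags`
// and `query` so that the PR's own example (two functional fields) holds.
const FUNCTIONAL_FIELD_NAMES: ReadonlySet<string> = new Set([
  'query', 'index', 'language', 'threshold', 'tags', 'severity',
]);

// ASSUMPTION: the bookkeeping object itself is never diffed as a rule field.
const NON_DIFFABLE_FIELDS: ReadonlySet<string> = new Set(['rule_source']);

// Deterministic deep comparison: JSON with sorted object keys, so that a
// mere change of key order does not register as a customization.
function stableStringify(value: unknown): string {
  if (Array.isArray(value)) {
    return `[${value.map(stableStringify).join(',')}]`;
  }
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`)
      .join(',');
    return `{${body}}`;
  }
  return JSON.stringify(value);
}

// (1) Diff the rule's current fields against its base version. When the base
// version could not be fetched, the PR says `customized_fields` defaults to an
// empty array and `has_base_version` records that, so a consumer can tell
// "not customized" apart from "could not be determined".
function computeCustomization(
  base: RuleFields | undefined,
  current: RuleFields
): Pick<RuleSource, 'customized_fields' | 'has_base_version'> {
  if (base === undefined) {
    return { customized_fields: [], has_base_version: false };
  }
  const names = Array.from(new Set(Object.keys(base).concat(Object.keys(current)))).sort();
  const customized: CustomizedField[] = [];
  for (const name of names) {
    if (NON_DIFFABLE_FIELDS.has(name)) continue;
    if (stableStringify(base[name]) !== stableStringify(current[name])) {
      customized.push({ field_name: name });
    }
  }
  return { customized_fields: customized, has_base_version: true };
}

// (2) Telemetry: slim the objects down to bare names and count how many of
// them are on the "functional" list.
function buildCustomizationsTelemetry(ruleSource: RuleSource): CustomizationsTelemetry {
  const names = Array.from(new Set(ruleSource.customized_fields.map((f) => f.field_name)));
  return {
    customized_fields: names,
    num_functional_fields: names.filter((n) => FUNCTIONAL_FIELD_NAMES.has(n)).length,
  };
}

// Constructed sample: a prebuilt rule whose `query` and `tags` were edited.
const BASE_RULE: RuleFields = {
  name: 'Example prebuilt rule',
  query: 'process.name : "example.exe"',
  tags: ['Domain: Endpoint'],
  description: 'Constructed sample, not a real prebuilt rule.',
};
const CUSTOMIZED_RULE: RuleFields = {
  ...BASE_RULE,
  query: 'process.name : "example.exe" and host.os.type : "windows"',
  tags: ['Domain: Endpoint', 'Custom: my-org'],
};

// ASSUMPTION: `is_customized` is derived here as "any field differs".
function exampleRuleSource(): RuleSource {
  const diff = computeCustomization(BASE_RULE, CUSTOMIZED_RULE);
  return { type: 'external', is_customized: diff.customized_fields.length > 0, ...diff };
}

function exampleTelemetry(): CustomizationsTelemetry {
  return buildCustomizationsTelemetry(exampleRuleSource());
}

console.log(JSON.stringify(exampleRuleSource(), null, 2));
console.log(JSON.stringify(exampleTelemetry()));
```

Running it prints a `rule_source` with `customized_fields` for `query` and `tags` and `has_base_version: true`, and a `customizations` object with `num_functional_fields: 2`; passing `undefined` as the base yields the empty-array / `has_base_version: false` combination the PR describes for a missing base version.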