[Security Solution] Detection rule deprecation feature

[dplumlee]

Epic: https://github.com/elastic/security-team/issues/6344 (internal)
Resolves: https://github.com/elastic/security-team/issues/15791 (internal)
Resolves: https://github.com/elastic/security-team/issues/15793 (internal)
Resolves: #118942

Summary

Note

This feature is currently hidden behind the prebuiltRulesDeprecationUIEnabled feature flag

Adds UI for identifying and managing deprecated prebuilt detection rules which will be present in 9.4+ versions of the detection rules package.

• New internal API endpoint POST /internal/detection_engine/prebuilt_rules/deprecation/_review that cross-references deprecated rule assets with installed rules
• num_prebuilt_rules_deprecated added to the prebuilt rules status response
• Rules management page: dismissable warning callout with rule count, "View deprecated rules" modal, and "Delete all" action
• Rule details page: warning callout with deprecation reason (when available), "Delete rule", and "Duplicate and delete" actions
• useTimedDismissal utility hook for dismissal that persists a custom amount of time (for when we don't want to pester users too much but just a little)

Screenshots

Deprecated rules callout on detection rules table page

Deprecated rules modal

Deprecated rules callout on rule details page

Testing this PR

Quick setup

A seed script is included that creates fake prebuilt rules and their deprecated successors so the full deprecation UI can be exercised without a real 9.4+ rules package.

Script file: seed_deprecated_rules.sh

Start Kibana with the feature flag enabled in kibana.dev.yml:

xpack.securitySolution.enableExperimental: ['prebuiltRulesDeprecationUIEnabled']

Seed test data:

bash seed_deprecated_rules.sh

This will:

• Create non-deprecated version 1 rule asset SOs with a full rule schema
• Install them as prebuilt rules via the internal installation API
• Create deprecated version 2 rule asset SOs

Navigate to Security > Rules > Detection Rules (SIEM):

• The deprecated rules callout banner should appear on the rules list page
• Clicking into any of the seeded rules should show the deprecation callout on the rule detail page
• The "View all deprecated rules" modal and "Delete all" flows are fully functional

Clean up when done:

bash seed_deprecated_rules.sh --clean

The script is configurable via env vars:

KIBANA_URL (default: http://localhost:5601/kbn)
KIBANA_AUTH (default: elastic:changeme)

Full integration setup (for testing with a real rules package)

Requires the detection-rules repo with a built package targeting 9.4+.

Add to kibana.dev.yml:

xpack.fleet.developer:
  bundledPackageLocation: /path/to/detection-rules/dist/bundled
xpack.securitySolution.prebuiltRulesPackageVersion: 9.4.0-beta.1

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[nikitaindik]

Not suggesting to do it now, but in the future we might consider passing rule_ids into the endpoint, since we have them anyways. That way we can avoid branching and duplication here, because both branches would be the same, like:

1. Fetch deprecated rules (either all or only for passed rule_ids)
2. Fetch installed rules for these
3. Merge

[dplumlee]

Yeah I don't disagree about the duplication of logic there. The main reason we're passing in id's instead of rule_id's though is to try and protect against the case where 2 rules have the same rule_id's. We've already seen that pop up in an SDH and it's an edge case our existing prebuilt rule workflow routes don't entirely handle because of sole reliance on the rule_id field. It was discussed a bit in the API design doc deciding between the two fields, I initially had it similar to what you describe.

[nikitaindik]

Do you think we should request only the latest version of a deprecated asset here? Is it possible that TRADE folks release two versions with "deprecated: true" because they want to add / adjust deprecated_reason, for example. Seems possible.

If we return multiple results for the same rule_id here, then in UI we won't know which one is the latest.

The endpoint would return

{
    "rules": [
        {
            "id": "33cd765b-53ea-4715-92ff-3905988ad87f",
            "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d",
            "name": "Potential curl CVE-2023-38545 Exploitation"
        },
        {
            "id": "33cd765b-53ea-4715-92ff-3905988ad87f",
            "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d",
            "name": "Potential curl CVE-2023-38545 Exploitation",
            "deprecated_reason": "Yo! I'm old." // UI will ignore this message
        }
    ]
}

[dplumlee]

Right now, the package building script will only include one object per deprecated rule so we should be protected against this edge case, even when deprecated reasons are added. We will begin using the version field when we integrate into the upgrade table.

[nikitaindik]

Do you think we'll need to get notified if we hit 200 prebuilt rules in the package? How realistic is this? The number can only grow, right? If it's realistic, we can update our OOM package tests later to fail if this limit is hit, so we can either bump the limit or investigate what's wrong with the package.

[dplumlee]

Unless something happens like a malformed package, we shouldn't hit this number anytime soon. Right now we have 111 deprecated rule objects in total and that's accumulated over 5+ years. So at least a few years at the current pace, at which point this will be updated and in a more permanent location

[nikitaindik]

As I understand, if we call invalidateDeprecationReview() in executeBulkAction anyways, we can skip calling it here and in useDeprecatedRulesTableCallout.

[nikitaindik]

True to its name, this logic is duplicated a few times in different components. I'll create a ticket to later extract it into something like executeDuplicateRuleBulkAction.

[nikitaindik]

Thanks for the PR, @dplumlee! I reviewed the code and tested it locally. Overall LGTM, but I left some comments for you to consider. Please take a look.

I tested by installing all rules from package v8.7.1, then installing the package version 9.4.0-beta.1. To check if the deprecation message is displayed, I updated one of the prebuilt rule assets in ES – no assets in the beta package seem to have a deprecation message.

---

Also, here's a few non-critical UI things I noticed (click items below to expand).

Modal over modal – can we hide the first one before showing the second?

Tooltips in the modal seem redundant

Rules table callout padding / buttons style is a bit different from the other callout

[nikitaindik]

nit: I'd move the reason above the description, so it logically flows like:

• This rule is deprecated
• Here's why
• Here's what you can do about it
• Here are the buttons to do it

[pborgonovi]

@dplumlee

Exploratory Test Report

---

Exploratory tests were executed and the following areas/flows were covered:

Deprecation Callout & Modal

• Deprecation callout displayed correctly on Rule Management page when deprecated rules are installed
• Modal lists all deprecated rules with correct information
• Deprecated rules counter in callout consistent with actual quantity
• Rules with deprecation_reason display the reason in the details callout
• Rules without deprecation_reason correctly omit the "Deprecation reason" label

Timed Dismissal

• Callout dismiss persists after page refresh
• Timestamp saved correctly in localStorage
• Callout reappears automatically after 7-day expiration (simulated via localStorage)

Bulk Actions

• Bulk enable/disable on deprecated rules works correctly
• Bulk duplicate on deprecated rules works correctly
• Bulk export on deprecated rules works correctly

Editing

• Deprecated rule editable normally, all options available

Export/Import

• Export of deprecated rules generates valid file
• Import maintains deprecation status
• Callout remains visible after reimport

Cross-Feature Integration

• Rule accessed via other features (Alerts/Cases...) maintains deprecation callout consistency

Multi-Space

• Deprecated rules imported in custom Kibana space maintain consistent behavior with default space

Coexistence

• Custom rules and additional prebuilt rules coexist without interference with deprecated rules
• Deprecation UI does not affect other rule management functionalities

---

No unexpected behavior or errors were observed during exploratory testing.

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: b5949c7
• Cloud Deployment
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-259673-b5949c777160
• Security Deployment

Failed CI Steps

• FTR Configs #116
• FTR Configs #131

Test Failures

• [job] [logs] FTR Configs #116 / discover/group6 discover unsaved changes notification indicator should not show the notification indicator initially nor after changes to a draft saved search
• [job] [logs] FTR Configs #131 / Entity Analytics - Risk Score Maintainer @ess @serverless @serverlessQA Risk Score Maintainer Resolution Scoring with test log data produces a resolution score that aggregates alerts from both target and alias

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	9311	9322	+11

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.6MB	11.6MB	+9.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	129.2KB	129.2KB	+37.0B

Unknown metric groups

References to deprecated APIs

id	before	after	diff
securitySolution	538	539	+1

Unreferenced deprecated APIs

id	before	after	diff
securitySolution	538	539	+1

History

• 💛 Build #421013 was flaky 8a7ccf6
• 💚 Build #419231 succeeded a2f40ec
• 💔 Build #419068 failed 97b2fb3
• 💛 Build #418172 was flaky 1dc1238

cc @dplumlee