[Security][Fleet] Install the security_detection_engine package automatically

[rw-access]

Summary

Related to https://github.com/elastic/security-team/issues/17
Continuation of #96698

Automatically install the security_detection_engine package alongside the Endpoint package. This will make security rule updates automatically available to users.

Screenshot from a fresh snapshot build:

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[spong]

What happens if this dependency is removed in the future -- is the package just gracefully uninstalled and SO's removed on upgrade?

[rw-access]

yeah you got it.
fleet manages all the SOs, so they will be removed during an upgrade/uninstall gracefully. the detection engine will then just use the rules compiled in

[jen-huang]

maybe I misunderstood the question but if security_detection_engine is removed from this list of required packages in the future, Fleet will not automatically uninstall the package if it's already installed

[spong]

Ahhh, so we can have lingering SO's from this package then? This would result in the rules installing from these SO's still, or would the fact the package is no-longer present short circuit that logic?

How can they be manually removed -- will it still show up in fleet until it's un-installed, or is there another way to perform this cleanup?

[jen-huang]

Code LGTM

[ruflin]

Does this indirectly mean, the detection rules are also installed the first time the user visits the Fleet page or /setup is called? I'm ok to add this for now but I'm also concerned that /setup takes longer and longer: #96026

[jen-huang]

I had the same thought @ruflin, this will add overhead to /setup, we need to make /setup ops more performant outside of this PR.

[rw-access]

so for this package in particular the only "install" is just the creation of the detection rules SOs. hopefully the overhead of that is smaller and not too obtrusive?

yeah I wish there was a way to make these dependencies conditional. requiring the user to navigate to a particular solution could be useful for both endpoint and this package

[rw-access]

For some reason, pulling in the 0.18.0 endpoint package via the dockerImage update caused some failures for the endpoint list functional tests, which previously worked with 0.17.1.

At first, I thought it was just the destination_index changes, but changing that data caused some security_solution_endpoint_api_int failures.

Instead of fighting an unrelated change in this PR, I think it's most appropriate to change the KQL query acaa76a to something that allows the PR to pass tests. I switched to an agent.id filter, which is testing locally.

This will unblock the PR, and we can investigate a potential 7.12 bug where there appears to be an inconsistency with this particular combination of:

• 0.18.0 endpoint package
• 7.12+ endpoint metadata api logic
• x-pack/test/functional/es_archives/endpoint/metadata/destination_index/data.json test data
• testing logic

We can look into this in a follow on PR, since it's completely unrelated to the scope of the PR, and only surfaced when dockerImage was updated.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: d425a8a
• Storybooks Preview

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	346.1KB	346.2KB	+52.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.