-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Calculate and save ruleSource.isCustomized
in API endpoint handlers
#180145
Closed
6 tasks
Tracked by
#174168
Labels
8.16 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Feature:Rule Management
Security Solution Detection Rule Management area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
Comments
jpdjere
added
triage_needed
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Feature:Rule Management
Security Solution Detection Rule Management area
Team:Detection Rule Management
Security Detection Rule Management Team
labels
Apr 5, 2024
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
banderror
changed the title
[Security Solution] Implement migration on write for rule update API and calculation of
[Security Solution] Implement migration on write for rule update API and calculation of Apr 17, 2024
is_customized
is_customized
(DRAFT)
banderror
added
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
8.15 candidate
and removed
triage_needed
labels
May 12, 2024
jpdjere
changed the title
[Security Solution] Implement migration on write for rule update API and calculation of
[Security Solution] Calculate May 23, 2024
is_customized
(DRAFT)ruleSource.isCustomized
field for rule update API (DRAFT)
jpdjere
changed the title
[Security Solution] Calculate
[Security Solution] Calculate May 23, 2024
ruleSource.isCustomized
field for rule update API (DRAFT)ruleSource.isCustomized
field for rule update and bulk rule update API (DRAFT)
jpdjere
changed the title
[Security Solution] Calculate
[Security Solution] Calculate May 23, 2024
ruleSource.isCustomized
field for rule update and bulk rule update API (DRAFT)ruleSource.isCustomized
field for rule update and bulk rule update APIs (DRAFT)
jpdjere
changed the title
[Security Solution] Calculate
[Security Solution] Calculate May 23, 2024
ruleSource.isCustomized
field for rule update and bulk rule update APIs (DRAFT)ruleSource.isCustomized
in API endpoint handlers (DRAFT)
jpdjere
changed the title
[Security Solution] Calculate
[Security Solution] Calculate and save May 23, 2024
ruleSource.isCustomized
in API endpoint handlers (DRAFT)ruleSource.isCustomized
in API endpoint handlers (DRAFT)
jpdjere
changed the title
[Security Solution] Calculate and save
[Security Solution] Calculate and save May 24, 2024
ruleSource.isCustomized
in API endpoint handlers (DRAFT)ruleSource.isCustomized
in API endpoint handlers
xcrzx
added a commit
that referenced
this issue
Aug 29, 2024
…190041) **Resolves: #187706 ## Summary Added the `isCustomized` field recalculation after a bulk edit operation on rules as part of the [rules customization epic](elastic/security-team#1974). **Background** The `isCustomized` field is a rule parameter indicating if a prebuilt Elastic rule has been modified by a user. This field is extensively used in the prebuilt rule upgrade workflow. It's essential to ensure any rule modification operation recalculates this field to keep its value in sync with the rule content. Most of the rule CRUD operations were already covered in a previous PR: [Calculate and save ruleSource.isCustomized in API endpoint handlers](#180145). This PR addresses the remaining bulk rule modification operations performed using the `rulesClient.bulkEdit` method. **`rulesClient.bulkEdit` changes** The `isCustomized` calculation is based on the entire rule object (i.e., rule params and attributes) and should be performed after all bulk operations have been applied to the rule - after `operations` and `paramsModifier`. To support this, I changed the `paramsModifier` to accept entire rule object: ```diff export type ParamsModifier<Params extends RuleParams> = ( - params: Params + rule: Rule<Params> ) => Promise<ParamsModifierResult<Params>>; ``` **Security Solution Bulk Endpoint changes** The `/api/detection_engine/rules/_bulk_action` endpoint now handles bulk edit actions a bit differently. Previously, most of the bulk action was delegated to the rules client. Now, we need to do some preparatory work: 1. Fetch the affected rules in memory first, regardless of whether we received a query or rule IDs as input (previously delegated to Alerting). 2. Identify all prebuilt rules among the fetched rules. 3. Fetch base versions of the prebuilt rules. 4. Provide base versions to `ruleModifier` for the `isCustomized` calculation. These changes add a few extra roundtrips to Elasticsearch and make the bulk edit endpoint less efficient than before. However, this seems justified given the added functionality of the customization epic. In the future, we might consider optimizing to reduce the number of database requests. Ideally, for Security Solution use cases, we would need a more generic method than `bulkEdit`, such as `bulkUpdate`, allowing us to implement any required rule update logic fully on the solution side.
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
8.16 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Feature:Rule Management
Security Solution Detection Rule Management area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
Implement calculation of
ruleSource.isCustomized
in all necessary endpoints that write theruleSource
field to prebuilt rules, and where fields can be customized, diverging from the base version from the Rule Asset.The calculation and saving of the field should be done in the following endpoints:
PUT /rules
PATCH /rules
PUT /rules/_bulk_update
PATCH /rules/_bulk_update
POST /rules/_import
POST /prebuilt_rules/upgrade/_perform
(Internal)Extracted to other tickets:
POST /rules/_bulk_action
: with action Edit rules actionruleSource.isCustomized
in bulk edit API #187706Background
Context from RFC:
isCustomized
field - see table with scenarios for calculation ofisCustomized
isCustomized
during bulk editing rulesisCustomized
when importing rules - see table with import scenarios and their respectiveisCustomized
calculationskibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md
Lines 559 to 584 in 269649a
kibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md
Lines 817 to 821 in b6e0f87
The text was updated successfully, but these errors were encountered: