[Security Solution] Support filtering by "Modified rules" and "Unmodified rules" #180169
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Transitioning this back to "Todo" as I need to switch to another ticket. Here's some info for future reference. I came up with this KQL query to filter by "prebuilt non-customized":

@approksiu please edit or add any information that I may have missed.
Hey @dplumlee, we made some changes to the design to decrease scope and ensure we are aligned with what data we have to show. Any questions, please reach out.
Hi @approksiu and @ARWNightingale, we discussed this yesterday with @dplumlee and some questions came up:
This is technically possible, but we were having doubts about adding a whole new column to show if the rule is customized. It makes sense for Prebuilt Rules, since they are either modified or not, but what about Custom rules? The column doesn't make sense at all for Custom rules (would it ever show a value?) and seems a waste of space in the table. We were thinking instead that we could have a Badge either before or after the rule's name that shows it as Customised/Modified. WDYT?
This is currently not possible without some planning: the rule currently does not save the information of which fields were modified, only whether the whole rule was modified or not (with a change to at least 1 field). It is possible to calculate this on the fly every time that we need it, but it requires some planning since it would affect the Rules Details page performance. We should answer some questions first, like:
@jpdjere thanks for the questions!
I was thinking we could sort the column to see the modified rules on top, with badge it will not be possible.
Yes, it is included in Milestone 4, but needs a ticket.
@approksiu what about @jpdjere's comment about the modified column and custom rules? Is the thought there to just show nothing, the same as non-customized prebuilt rules? I think our initial confusion was around having a binary value in the table that's already pretty full and doesn't apply to one of the 3 existing rule types (custom/prebuilt/customized prebuilt). And even if we don't do the badge approach, for sorting that column, what's the benefit of sorting instead of filtering like we do for prebuilt vs custom right now?
…omization (#197340)

## Summary

Addresses #180169

> [!NOTE]
> Feature is behind the `prebuiltRulesCustomizationEnabled` feature flag.

Adds a filter for prebuilt rules in the Update rules table for "Modified" and "Unmodified" rules. Also adds a badge column in the Rules table to display whether a prebuilt rule has been customized or not. Also switches the "Customized Elastic rule" badge on the rule details page to align with the updated language of "_Modified_ Elastic rule"

### Screenshots

#### Modified badge in Rules table

![Screenshot 2024-11-05 at 3 05 56 PM](https://github.com/user-attachments/assets/1f3313bb-7171-42b5-99b0-b9fb296fefd3)

#### Modification filter dropdown on Rule update page

<img width="1479" alt="Screenshot 2024-10-24 at 11 46 26 AM" src="https://github.com/user-attachments/assets/82715abe-6ff6-4ba6-97b3-6fab9f42069e">

#### New "customized rule" badge language on Rule details page

![Screenshot 2024-11-05 at 3 14 58 PM](https://github.com/user-attachments/assets/4e22ba3a-e13f-4cf1-88c0-6b5b0b2c258a)

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)
- [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Completed by #197340
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Design Discussion context: #178211
Summary
Update table
Rules table
Designs
Update table
Rule table