-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Handle specific fields in /upgrade/_review
upgrade workflow
#180393
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
I finished evaluating how to handle all the fields in a rule and marked them in the table above. Just wanted to call your attention to
|
/upgrade/_review
upgrade workflow
Update: the field was not removed from the Prebuilt Rules schema since it is extensively used in the code as part of it. We still won't calculate the diff for this field and the |
@jpdjere Thanks for the update. I'm still not convinced that we should handle this field in a special way. Why can't we simply enable it in the ThreeWayDiff UI? Especially because it stays in the prebuilt rule asset schema. We can do a quick zoom on that. |
@banderror We definitely can enable it in the ThreeWayDiff UI; it just doesn't seem necessary since no Prebuilt Detection Rules have an But given having it as part of the UI does not mean any additional complexity, let's change this decision and include it as part of the UI and the |
@jpdjere in the future we might have the suppression fields set for prebuilt rules (depends on additional suppression fields like suppression_enabled). |
@approksiu @jpdjere ++, and we just got a PR that is related to that: elastic/detection-rules#3986 Let's enable diff calculation for this field and show it in the UI. @jpdjere What do we need to do for that, exactly? |
Created a ticket for adding both AlertSuppression and InvestigationFields to the upgrade workflow: #190597 It lists what needs to be done to include the fields in the workflow.
|
Just something to think about; now that we've opened our DAC feature to beta, it allows customers to use our logic to import/export rules using our schemas to their stack. In other words, even if we never create prebuilt rules that use the new alert suppression fields, other customers will still be able to. In fact, a recent customer / partner just reached out about adding support to our repo. They've also tested our implementation to confirm it worked for them and their custom rules. |
@Mikaayenson Good point, this will be supported - users will be able to customize prebuilt rules via the import endpoint and the DAC tool. |
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
Based on the discussions that took place in #147239, we need to treat different rule fields in different ways in the context of the upgrade workflow.
For each field we must decide:
security-rule
asset schema?: In cases where we have certainty that they won't ever be included in prebuilt rule assets, the field should be removed from the schema. E.g.actions
,response_actions
./upgrade/_review
?: does the field need to be removed of thediffs
object that is generated for each rule in the endpoint?diffs
objectdiff
object (won't be calculated if removed fromsecurity-rule
schema)diff
objectField list
/upgrade/_review
?id
rule_source
immutable
version
revision
enabled
execution_summary
alert_suppression
*actions
throttle
response_actions
meta
output_index
namespace
alias_purpose
alias_target_id
outcome
created_at
created_by
updated_at
updated_by
author
license
concurrent_searches
(IM Rules)items_per_search
(IM Rules)rule_id
name
tags
description
severity
severity_mapping
risk_score
risk_score_mapping
references
false_positives
threat
note
setup
related_integrations
required_fields
max_signals
building_block_type
from
(rule_schedule)interval
(rule_schedule)exceptions_list
*rule_name_override
timestamp_override
timestamp_override_fallback_disabled
timeline_id
(timeline_template)timeline_title
(timeline_template)index
(data_source)data_view_id
(data_source)query
language
filters
saved_id
machine_learning_job_id
(ML Rules)anomaly_threshold
(ML Rules)threat_filters
(IM Rules)threat_query
(IM Rules)threat_mapping
(IM Rules)threat_language
(IM Rules)threat_index
(IM Rules)threat_indicator_path
(IM Rules)new_terms_fields
(New Terms Rules)history_window_start
(New Terms Rules)Notes on fields
Endpoint Security
rule includes an exception list value, so this update/customization case needs to be handled. (That's the only prebuilt rule with an exception list as of now)true
. But it's not part of the diffing logic anyways.Details
security-rule
asset schema:x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.ts
diff
in/upgrade/_review
diffs
object:x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts
. We can add/remove them here and define which algorithm is used to calculate the diff.Work left over from this ticket
/upgrade/_perform
endpoint. All of this needs to be done after the refactoring of the endpoint handler is done. As of now, it always installs the full target version, so the changes needed are not possible now. Moving the work to a separate ticket.version
,author
andlicense
fields visible but read-only in the Three Way Diff component. Addings this TO-DO as a requisite in the Three-Way-Diff component ticket.The text was updated successfully, but these errors were encountered: