-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Allow importing of prebuilt rules via the API #190198
Merged
+2,730
−650
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This will be necessary for importing prebuilt rules without having to modify their contents.
This behavior was already there, we're just pinning it down.
Instead of nested uses of objectContaining with toEqual, we can instead use toMatchObject, which accomplishes the same.
Since we only reference it in legacy validation.
Like immutable, it's dropped, but we still support it being sent (so that users can send their prebuilt rules).
This has the same effect: any value is allowed, but the field is ultimately ignored in the handling routes.
Our rule types may technically have this.
As a user I always appreciate an actual example (for type, formatting, etc.)
This will be added to the detection-rules repo as they modify rules moving forward.
In order to prevent users from importing prebuilt rules before the feature is fully enabled, we need to add additional validation logic to account for our looser schema validation (which allows any value for `immutable`).
That actually asserts that our specified rule_source was ignored.
The logic here can/should be optimized, but this is mostly just leveraging existing helpers to do this work.
rylnd
added
release_note:skip
Skip the PR/issue when compiling release notes
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:Detection Rule Management
Security Detection Rule Management Team
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
8.16 candidate
labels
Aug 8, 2024
/ci |
rylnd
commented
Aug 9, 2024
x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts
Outdated
Show resolved
Hide resolved
It would be a breaking change to make this param optional. Since we've discussed keeping it around but deprecating it, we don't really need to change this type, and need to instead ensure that we create this field if left unspecified.
This change to the RuleToImport schema affects all rules being imported, as they're validated by this schema. This ensures we always generate a value for the field, which is needed for backwards compatibility. Associated unit tests were similarly updated.
/ci |
…ule_management/logic/detection_rules_client/converters/normalize_rule_params.ts Co-authored-by: Georgii Gorbachev <banderror@gmail.com>
This also makes it more obvious that the `RuleSpecifier` type should be placed with the utility functions that expect them as arguments.
Setup's single argument doesn't need to be a named key in an object.
Since a "utility" file is prone to collect random things, and these functions are all specific to the importer itself, we're now inlining them into the same file as the class, until such time as they need to be reused.
Conflicts: x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/type_specific_camel_to_snake.ts
Since `calculateIsCustomized` will fail if the provided rule is not a valid RuleResponse, we were experiencing failures (uncovered by integration tests) due to a improper conversion of incoming rules. I _believe_ that I've fixed this by: 1. Defining an explicit converter utility for this case: RuleToImport -> RuleResponse 2. Calling `applyRuleDefaults` within this utility `applyRuleDefaults` is what, in the normal import code path, adds these missing/default fields. My assumption is that this will cover any other issues with conversion to a `RuleResponse`, which will ideally be validated by the Rules Management team. The same issue still exists for the previously-used converter utility, but I'm going to tackle that in a separate commit.
We don't want to specify `language` here since it's not a required field, and their presence could actually mask bugs with defaulting logic throughout our test suite. I believe there were just a few tests that were (unnecessarily) dependent on those fields; everything else luckily just works.
If a prebuilt asset is lacking a 'language' field, this conversion function would previously throw an error due to us not providing a default for it. This was fixed by calling `applyRuleDefaults` within this function, which made some other logic in this function redundant (and so it was removed).
/ci |
Conflicts: x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/trial_license_complete_tier/index.ts
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
cc @rylnd |
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11374033325 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 16, 2024
…astic#190198) ## Summary This PR introduces the backend functionality necessary to import prebuilt rules via our existing import API. The [RFC](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md) goes into detail, and the import-specific issue is described [here](elastic#180168), but at a high level we're adding two things in this PR: 1. The logic to calculate the new `rule_source` field on import, which contains the information about the rule's relationship to existing prebuilt rules. 2. A new code path for importing rules, which respects the calculated `rule_source` field. In order to maintain backwards compatibility with the existing import logic, and because the existing import implementation is hard to modify/extend, I opted to add a top-level switch on the feature flag in the import route itself, which calls either the existing import function (now named `importRulesLegacy`), or the new function, `importRules`, which ultimately calls the new `DetectionRulesClient` method, `importRules`. Neither knows about the feature flag, and thanks to great suggestions from @xcrzx there are nice, clean boundaries between the import functions and the client methods. I went down the path of trying to write the new import code by reusing the outer `importRules` function, but after discussion with the team we decided it was simplest to simply bifurcate the code at that point, so that we have: 1. The legacy import code, which: * only supports custom rules (`immutable: false`) * accepts `version` as an optional parameter * calculates a legacy `rule_source` value based on the `immutable` field 2. The new import code, which * Installs the prebuilt rules assets as necessary * Accepts both kinds of rules (`immutable: true/false`) * Requires `version` as a parameter for _prebuilt_ rules * Allows `version` to be optional for custom rules * calculates a proper `rule_source` (and `immutable`) ### Deprecation of `immutable` The RFC (and thus I) had initially thought that we'd be deprecating the `immutable` field as part of this PR/Epic. However, after [discussion](elastic#190198 (comment)) we have opted to continue supporting `immutable` until such time as we can drop it, compatibility-wise. ## Steps to Review 1. Enable the Feature Flag: `prebuiltRulesCustomizationEnabled` 2. Install the prebuilt rules package via fleet 3. Create and export a custom rule to serve as a template (or download one: curl -L -H 'Authorization: 8eef0fe5d7dfc52b' -o 'rules_export (1).ndjson' https://upload.elastic.co/d/4693e7fe4356ce7bcf7b7d6b72881a9fd189730c61bf5ef47c9930458d746979 ) 4. Install some prebuilt rules, and obtain a prebuilt rule's `rule_id`, e.g. `ac8805f6-1e08-406c-962e-3937057fa86f` 5. Edit the `rules_export.ndjson` to contain only the first line, and modify the `rule_id` with the prebuilt rule's 6. Import `rules_export.ndjson` and then retrieve the rule via the Dev Console: GET kbn:api/detection_engine/rules?rule_id=ac8805f6-1e08-406c-962e-3937057fa86f 7. Observe that the rule has the expected `rule_source` and `immutable` values 8. Test other permutations of import by modifying `rules_export.ndjson` and re-importing; see ([the test plan](elastic#191116) as well as a [reference table of scenarios](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md#importing-rules)) ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Georgii Gorbachev <banderror@gmail.com> (cherry picked from commit c0b1301)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 16, 2024
…PI (#190198) (#196613) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Allow importing of prebuilt rules via the API (#190198)](#190198) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ryland Herrick","email":"ryalnd@gmail.com"},"sourceCommit":{"committedDate":"2024-10-16T21:19:05Z","message":"[Security Solution] Allow importing of prebuilt rules via the API (#190198)\n\n## Summary\r\n\r\nThis PR introduces the backend functionality necessary to import\r\nprebuilt rules via our existing import API. The\r\n[RFC](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md)\r\ngoes into detail, and the import-specific issue is described\r\n[here](#180168), but at a high\r\nlevel we're adding two things in this PR:\r\n\r\n1. The logic to calculate the new `rule_source` field on import, which\r\ncontains the information about the rule's relationship to existing\r\nprebuilt rules.\r\n2. A new code path for importing rules, which respects the calculated\r\n`rule_source` field.\r\n\r\nIn order to maintain backwards compatibility with the existing import\r\nlogic, and because the existing import implementation is hard to\r\nmodify/extend, I opted to add a top-level switch on the feature flag in\r\nthe import route itself, which calls either the existing import function\r\n(now named `importRulesLegacy`), or the new function, `importRules`,\r\nwhich ultimately calls the new `DetectionRulesClient` method,\r\n`importRules`. Neither knows about the feature flag, and thanks to great\r\nsuggestions from @xcrzx there are nice, clean boundaries between the\r\nimport functions and the client methods.\r\n\r\nI went down the path of trying to write the new import code by reusing\r\nthe outer `importRules` function, but after discussion with the team we\r\ndecided it was simplest to simply bifurcate the code at that point, so\r\nthat we have:\r\n\r\n1. The legacy import code, which:\r\n * only supports custom rules (`immutable: false`)\r\n * accepts `version` as an optional parameter\r\n* calculates a legacy `rule_source` value based on the `immutable` field\r\n2. The new import code, which\r\n * Installs the prebuilt rules assets as necessary\r\n * Accepts both kinds of rules (`immutable: true/false`)\r\n * Requires `version` as a parameter for _prebuilt_ rules\r\n * Allows `version` to be optional for custom rules\r\n * calculates a proper `rule_source` (and `immutable`)\r\n\r\n\r\n### Deprecation of `immutable`\r\nThe RFC (and thus I) had initially thought that we'd be deprecating the\r\n`immutable` field as part of this PR/Epic. However, after\r\n[discussion](https://github.com/elastic/kibana/pull/190198#discussion_r1736021749)\r\nwe have opted to continue supporting `immutable` until such time as we\r\ncan drop it, compatibility-wise.\r\n\r\n\r\n## Steps to Review\r\n1. Enable the Feature Flag: `prebuiltRulesCustomizationEnabled`\r\n2. Install the prebuilt rules package via fleet\r\n3. Create and export a custom rule to serve as a template (or download\r\none:\r\n\r\ncurl -L -H 'Authorization: 8eef0fe5d7dfc52b' -o 'rules_export\r\n(1).ndjson'\r\nhttps://upload.elastic.co/d/4693e7fe4356ce7bcf7b7d6b72881a9fd189730c61bf5ef47c9930458d746979\r\n )\r\n \r\n4. Install some prebuilt rules, and obtain a prebuilt rule's `rule_id`,\r\ne.g. `ac8805f6-1e08-406c-962e-3937057fa86f`\r\n5. Edit the `rules_export.ndjson` to contain only the first line, and\r\nmodify the `rule_id` with the prebuilt rule's\r\n6. Import `rules_export.ndjson` and then retrieve the rule via the Dev\r\nConsole:\r\n\r\nGET\r\nkbn:api/detection_engine/rules?rule_id=ac8805f6-1e08-406c-962e-3937057fa86f\r\n\r\n7. Observe that the rule has the expected `rule_source` and `immutable`\r\nvalues\r\n8. Test other permutations of import by modifying `rules_export.ndjson`\r\nand re-importing; see ([the test\r\nplan](#191116) as well as a\r\n[reference table of\r\nscenarios](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md#importing-rules))\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Georgii Gorbachev <banderror@gmail.com>","sha":"c0b1301a21b74e8b643fc0e898b1d982fd85d98e","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","v8.16.0","backport:version"],"title":"[Security Solution] Allow importing of prebuilt rules via the API","number":190198,"url":"https://github.com/elastic/kibana/pull/190198","mergeCommit":{"message":"[Security Solution] Allow importing of prebuilt rules via the API (#190198)\n\n## Summary\r\n\r\nThis PR introduces the backend functionality necessary to import\r\nprebuilt rules via our existing import API. The\r\n[RFC](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md)\r\ngoes into detail, and the import-specific issue is described\r\n[here](#180168), but at a high\r\nlevel we're adding two things in this PR:\r\n\r\n1. The logic to calculate the new `rule_source` field on import, which\r\ncontains the information about the rule's relationship to existing\r\nprebuilt rules.\r\n2. A new code path for importing rules, which respects the calculated\r\n`rule_source` field.\r\n\r\nIn order to maintain backwards compatibility with the existing import\r\nlogic, and because the existing import implementation is hard to\r\nmodify/extend, I opted to add a top-level switch on the feature flag in\r\nthe import route itself, which calls either the existing import function\r\n(now named `importRulesLegacy`), or the new function, `importRules`,\r\nwhich ultimately calls the new `DetectionRulesClient` method,\r\n`importRules`. Neither knows about the feature flag, and thanks to great\r\nsuggestions from @xcrzx there are nice, clean boundaries between the\r\nimport functions and the client methods.\r\n\r\nI went down the path of trying to write the new import code by reusing\r\nthe outer `importRules` function, but after discussion with the team we\r\ndecided it was simplest to simply bifurcate the code at that point, so\r\nthat we have:\r\n\r\n1. The legacy import code, which:\r\n * only supports custom rules (`immutable: false`)\r\n * accepts `version` as an optional parameter\r\n* calculates a legacy `rule_source` value based on the `immutable` field\r\n2. The new import code, which\r\n * Installs the prebuilt rules assets as necessary\r\n * Accepts both kinds of rules (`immutable: true/false`)\r\n * Requires `version` as a parameter for _prebuilt_ rules\r\n * Allows `version` to be optional for custom rules\r\n * calculates a proper `rule_source` (and `immutable`)\r\n\r\n\r\n### Deprecation of `immutable`\r\nThe RFC (and thus I) had initially thought that we'd be deprecating the\r\n`immutable` field as part of this PR/Epic. However, after\r\n[discussion](https://github.com/elastic/kibana/pull/190198#discussion_r1736021749)\r\nwe have opted to continue supporting `immutable` until such time as we\r\ncan drop it, compatibility-wise.\r\n\r\n\r\n## Steps to Review\r\n1. Enable the Feature Flag: `prebuiltRulesCustomizationEnabled`\r\n2. Install the prebuilt rules package via fleet\r\n3. Create and export a custom rule to serve as a template (or download\r\none:\r\n\r\ncurl -L -H 'Authorization: 8eef0fe5d7dfc52b' -o 'rules_export\r\n(1).ndjson'\r\nhttps://upload.elastic.co/d/4693e7fe4356ce7bcf7b7d6b72881a9fd189730c61bf5ef47c9930458d746979\r\n )\r\n \r\n4. Install some prebuilt rules, and obtain a prebuilt rule's `rule_id`,\r\ne.g. `ac8805f6-1e08-406c-962e-3937057fa86f`\r\n5. Edit the `rules_export.ndjson` to contain only the first line, and\r\nmodify the `rule_id` with the prebuilt rule's\r\n6. Import `rules_export.ndjson` and then retrieve the rule via the Dev\r\nConsole:\r\n\r\nGET\r\nkbn:api/detection_engine/rules?rule_id=ac8805f6-1e08-406c-962e-3937057fa86f\r\n\r\n7. Observe that the rule has the expected `rule_source` and `immutable`\r\nvalues\r\n8. Test other permutations of import by modifying `rules_export.ndjson`\r\nand re-importing; see ([the test\r\nplan](#191116) as well as a\r\n[reference table of\r\nscenarios](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md#importing-rules))\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Georgii Gorbachev <banderror@gmail.com>","sha":"c0b1301a21b74e8b643fc0e898b1d982fd85d98e"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/190198","number":190198,"mergeCommit":{"message":"[Security Solution] Allow importing of prebuilt rules via the API (#190198)\n\n## Summary\r\n\r\nThis PR introduces the backend functionality necessary to import\r\nprebuilt rules via our existing import API. The\r\n[RFC](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md)\r\ngoes into detail, and the import-specific issue is described\r\n[here](#180168), but at a high\r\nlevel we're adding two things in this PR:\r\n\r\n1. The logic to calculate the new `rule_source` field on import, which\r\ncontains the information about the rule's relationship to existing\r\nprebuilt rules.\r\n2. A new code path for importing rules, which respects the calculated\r\n`rule_source` field.\r\n\r\nIn order to maintain backwards compatibility with the existing import\r\nlogic, and because the existing import implementation is hard to\r\nmodify/extend, I opted to add a top-level switch on the feature flag in\r\nthe import route itself, which calls either the existing import function\r\n(now named `importRulesLegacy`), or the new function, `importRules`,\r\nwhich ultimately calls the new `DetectionRulesClient` method,\r\n`importRules`. Neither knows about the feature flag, and thanks to great\r\nsuggestions from @xcrzx there are nice, clean boundaries between the\r\nimport functions and the client methods.\r\n\r\nI went down the path of trying to write the new import code by reusing\r\nthe outer `importRules` function, but after discussion with the team we\r\ndecided it was simplest to simply bifurcate the code at that point, so\r\nthat we have:\r\n\r\n1. The legacy import code, which:\r\n * only supports custom rules (`immutable: false`)\r\n * accepts `version` as an optional parameter\r\n* calculates a legacy `rule_source` value based on the `immutable` field\r\n2. The new import code, which\r\n * Installs the prebuilt rules assets as necessary\r\n * Accepts both kinds of rules (`immutable: true/false`)\r\n * Requires `version` as a parameter for _prebuilt_ rules\r\n * Allows `version` to be optional for custom rules\r\n * calculates a proper `rule_source` (and `immutable`)\r\n\r\n\r\n### Deprecation of `immutable`\r\nThe RFC (and thus I) had initially thought that we'd be deprecating the\r\n`immutable` field as part of this PR/Epic. However, after\r\n[discussion](https://github.com/elastic/kibana/pull/190198#discussion_r1736021749)\r\nwe have opted to continue supporting `immutable` until such time as we\r\ncan drop it, compatibility-wise.\r\n\r\n\r\n## Steps to Review\r\n1. Enable the Feature Flag: `prebuiltRulesCustomizationEnabled`\r\n2. Install the prebuilt rules package via fleet\r\n3. Create and export a custom rule to serve as a template (or download\r\none:\r\n\r\ncurl -L -H 'Authorization: 8eef0fe5d7dfc52b' -o 'rules_export\r\n(1).ndjson'\r\nhttps://upload.elastic.co/d/4693e7fe4356ce7bcf7b7d6b72881a9fd189730c61bf5ef47c9930458d746979\r\n )\r\n \r\n4. Install some prebuilt rules, and obtain a prebuilt rule's `rule_id`,\r\ne.g. `ac8805f6-1e08-406c-962e-3937057fa86f`\r\n5. Edit the `rules_export.ndjson` to contain only the first line, and\r\nmodify the `rule_id` with the prebuilt rule's\r\n6. Import `rules_export.ndjson` and then retrieve the rule via the Dev\r\nConsole:\r\n\r\nGET\r\nkbn:api/detection_engine/rules?rule_id=ac8805f6-1e08-406c-962e-3937057fa86f\r\n\r\n7. Observe that the rule has the expected `rule_source` and `immutable`\r\nvalues\r\n8. Test other permutations of import by modifying `rules_export.ndjson`\r\nand re-importing; see ([the test\r\nplan](#191116) as well as a\r\n[reference table of\r\nscenarios](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md#importing-rules))\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [ ]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [ ] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Georgii Gorbachev <banderror@gmail.com>","sha":"c0b1301a21b74e8b643fc0e898b1d982fd85d98e"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
rylnd
added a commit
that referenced
this pull request
Nov 11, 2024
…191116) ## Summary This PR introduces test plans for both [Prebuilt Rule Import](#180168) (corresponding [PR](#190198)) and [Prebuilt Rule Export](#180167) (corresponding [PR](#194498)). Import is considerably more complicated as it is calculating new values (for `rule_source`, `immutable`), while the export work is mainly removing existing restrictions (which allowed only custom rules to be exported). --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2024
…lastic#191116) ## Summary This PR introduces test plans for both [Prebuilt Rule Import](elastic#180168) (corresponding [PR](elastic#190198)) and [Prebuilt Rule Export](elastic#180167) (corresponding [PR](elastic#194498)). Import is considerably more complicated as it is calculating new values (for `rule_source`, `immutable`), while the export work is mainly removing existing restrictions (which allowed only custom rules to be exported). --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit e429849)
kibanamachine
added a commit
that referenced
this pull request
Nov 11, 2024
…ort (#191116) (#199716) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Test plans for prebuilt rule import and export (#191116)](#191116) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ryland Herrick","email":"ryalnd@gmail.com"},"sourceCommit":{"committedDate":"2024-11-11T21:01:46Z","message":"[Security Solution] Test plans for prebuilt rule import and export (#191116)\n\n## Summary\r\n\r\nThis PR introduces test plans for both [Prebuilt Rule\r\nImport](#180168) (corresponding\r\n[PR](#190198)) and [Prebuilt Rule\r\nExport](#180167) (corresponding\r\n[PR](#194498)). Import is\r\nconsiderably more complicated as it is calculating new values (for\r\n`rule_source`, `immutable`), while the export work is mainly removing\r\nexisting restrictions (which allowed only custom rules to be exported).\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"e4298492b5e48338396618d51168ea3e8427c103","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","test-plan","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.17.0"],"title":"[Security Solution] Test plans for prebuilt rule import and export","number":191116,"url":"https://github.com/elastic/kibana/pull/191116","mergeCommit":{"message":"[Security Solution] Test plans for prebuilt rule import and export (#191116)\n\n## Summary\r\n\r\nThis PR introduces test plans for both [Prebuilt Rule\r\nImport](#180168) (corresponding\r\n[PR](#190198)) and [Prebuilt Rule\r\nExport](#180167) (corresponding\r\n[PR](#194498)). Import is\r\nconsiderably more complicated as it is calculating new values (for\r\n`rule_source`, `immutable`), while the export work is mainly removing\r\nexisting restrictions (which allowed only custom rules to be exported).\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"e4298492b5e48338396618d51168ea3e8427c103"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191116","number":191116,"mergeCommit":{"message":"[Security Solution] Test plans for prebuilt rule import and export (#191116)\n\n## Summary\r\n\r\nThis PR introduces test plans for both [Prebuilt Rule\r\nImport](#180168) (corresponding\r\n[PR](#190198)) and [Prebuilt Rule\r\nExport](#180167) (corresponding\r\n[PR](#194498)). Import is\r\nconsiderably more complicated as it is calculating new values (for\r\n`rule_source`, `immutable`), while the export work is mainly removing\r\nexisting restrictions (which allowed only custom rules to be exported).\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"e4298492b5e48338396618d51168ea3e8427c103"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
tkajtoch
pushed a commit
to tkajtoch/kibana
that referenced
this pull request
Nov 12, 2024
…lastic#191116) ## Summary This PR introduces test plans for both [Prebuilt Rule Import](elastic#180168) (corresponding [PR](elastic#190198)) and [Prebuilt Rule Export](elastic#180167) (corresponding [PR](elastic#194498)). Import is considerably more complicated as it is calculating new values (for `rule_source`, `immutable`), while the export work is mainly removing existing restrictions (which allowed only custom rules to be exported). --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
…lastic#191116) ## Summary This PR introduces test plans for both [Prebuilt Rule Import](elastic#180168) (corresponding [PR](elastic#190198)) and [Prebuilt Rule Export](elastic#180167) (corresponding [PR](elastic#194498)). Import is considerably more complicated as it is calculating new values (for `rule_source`, `immutable`), while the export work is mainly removing existing restrictions (which allowed only custom rules to be exported). --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
backport:version
Backport to applied version labels
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
release_note:skip
Skip the PR/issue when compiling release notes
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
v9.0.0
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces the backend functionality necessary to import prebuilt rules via our existing import API. The RFC goes into detail, and the import-specific issue is described here, but at a high level we're adding two things in this PR:
rule_source
field on import, which contains the information about the rule's relationship to existing prebuilt rules.rule_source
field.In order to maintain backwards compatibility with the existing import logic, and because the existing import implementation is hard to modify/extend, I opted to add a top-level switch on the feature flag in the import route itself, which calls either the existing import function (now named
importRulesLegacy
), or the new function,importRules
, which ultimately calls the newDetectionRulesClient
method,importRules
. Neither knows about the feature flag, and thanks to great suggestions from @xcrzx there are nice, clean boundaries between the import functions and the client methods.I went down the path of trying to write the new import code by reusing the outer
importRules
function, but after discussion with the team we decided it was simplest to simply bifurcate the code at that point, so that we have:immutable: false
)version
as an optional parameterrule_source
value based on theimmutable
fieldimmutable: true/false
)version
as a parameter for prebuilt rulesversion
to be optional for custom rulesrule_source
(andimmutable
)Deprecation of
immutable
The RFC (and thus I) had initially thought that we'd be deprecating the
immutable
field as part of this PR/Epic. However, after discussion we have opted to continue supportingimmutable
until such time as we can drop it, compatibility-wise.Steps to Review
Enable the Feature Flag:
prebuiltRulesCustomizationEnabled
Install the prebuilt rules package via fleet
Create and export a custom rule to serve as a template (or download one:
)
Install some prebuilt rules, and obtain a prebuilt rule's
rule_id
, e.g.ac8805f6-1e08-406c-962e-3937057fa86f
Edit the
rules_export.ndjson
to contain only the first line, and modify therule_id
with the prebuilt rule'sImport
rules_export.ndjson
and then retrieve the rule via the Dev Console:Observe that the rule has the expected
rule_source
andimmutable
valuesTest other permutations of import by modifying
rules_export.ndjson
and re-importing; see (the test plan as well as a reference table of scenarios)Checklist
Delete any items that are not applicable to this PR.