Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prebuilt Rule Customization — JSON diff #4371

Closed
2 tasks done
Tracked by #3147 ...
joepeeples opened this issue Dec 4, 2023 · 2 comments
Closed
2 tasks done
Tracked by #3147 ...

Prebuilt Rule Customization — JSON diff #4371

joepeeples opened this issue Dec 4, 2023 · 2 comments
Assignees
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security Effort: Medium Issues that take moderate but not substantial time to complete Feature: Prebuilt rules Feature: Rules new-feature Issues that should be labeled as new features in Release Notes Priority: Medium Issues that have relevance, but aren't urgent Team: Detections/Response Detections and Response v8.12.0

Comments

@joepeeples
Copy link
Contributor

joepeeples commented Dec 4, 2023

Description

As part of Prebuilt Rule Customization, users will be able to view a diff of the JSON for updated prebuilt rules, giving them visibility into how each rule is changing when Elastic sends out updated rules.

Scherm­afbeelding 2023-12-05 om 02 48 37

Docs PRs


Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.12 — probably available around BC3

Serverless release

Approx week of Dec 18, 2023
Week of Jan 2, 2024 (prob Jan 3 for Production-NonCanary)

Feature differences

No differences between ESS and Serverless

API docs impact

No impact

Prerequisites, privileges, feature flags

No restrictions on subscription tiers or role privileges to use this feature

Feature flag name: jsonPrebuiltRulesDiffingEnabled (false by default)

The feature will be merged with a feature flag to hide it until ready for release. Engineering will un-hide the feature and continue supporting the flag for a short time, but users aren't expected to engage with the flag and so it doesn't need to be documented.

@joepeeples joepeeples added Team: Detections/Response Detections and Response Feature: Rules Feature: Prebuilt rules Priority: Medium Issues that have relevance, but aren't urgent Effort: Medium Issues that take moderate but not substantial time to complete new-feature Issues that should be labeled as new features in Release Notes Docset: Serverless Issues for Serverless Security Docset: ESS Issues that apply to docs in the Stack release labels Dec 4, 2023
@joepeeples joepeeples self-assigned this Dec 4, 2023
nikitaindik added a commit to elastic/kibana that referenced this issue Dec 8, 2023
…72535)

## Summary

**Resolves: #169160
**Resolves: #166164
**Docs issue: elastic/security-docs#4371

This PR adds a new "Updates" tab to the prebuilt rules upgrade flyout.
This tab shows a diff between the installed and updated rule JSON
representations.

<img width="1313" alt="Scherm­afbeelding 2023-12-05 om 02 48 37"
src="https://github.com/elastic/kibana/assets/15949146/ec0f95c6-22c6-4ce6-a6cc-0ceee974c6f7">



### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] Functional changes are communicated to the Docs team. A ticket or
PR is opened in https://github.com/elastic/security-docs. The following
information is included: any feature flags used, affected environments
(Serverless, ESS, or both). ([Docs
issue](elastic/security-docs#4371))
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials ([Docs
issue](elastic/security-docs#4371))
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios (will be added
in a follow-up PR)
- [ ] Functional changes are covered with a test plan and automated
tests (will be added in a follow-up PR)
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive
layout. (Doesn't look great on phone screen, because viewing diff
requires a lot of horizontal space. Tablets are fine though.)
- [x] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
- [x] Functional changes are hidden behind a feature flag. If not
hidden, the PR explains why these changes are being implemented in a
long-living feature branch.
- [x] Comprehensive manual testing is done by two engineers: the PR
author and one of the PR reviewers. Changes are tested in both ESS and
Serverless.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 8, 2023
…astic#172535)

## Summary

**Resolves: elastic#169160
**Resolves: elastic#166164
**Docs issue: elastic/security-docs#4371

This PR adds a new "Updates" tab to the prebuilt rules upgrade flyout.
This tab shows a diff between the installed and updated rule JSON
representations.

<img width="1313" alt="Scherm­afbeelding 2023-12-05 om 02 48 37"
src="https://github.com/elastic/kibana/assets/15949146/ec0f95c6-22c6-4ce6-a6cc-0ceee974c6f7">

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] Functional changes are communicated to the Docs team. A ticket or
PR is opened in https://github.com/elastic/security-docs. The following
information is included: any feature flags used, affected environments
(Serverless, ESS, or both). ([Docs
issue](elastic/security-docs#4371))
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials ([Docs
issue](elastic/security-docs#4371))
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios (will be added
in a follow-up PR)
- [ ] Functional changes are covered with a test plan and automated
tests (will be added in a follow-up PR)
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive
layout. (Doesn't look great on phone screen, because viewing diff
requires a lot of horizontal space. Tablets are fine though.)
- [x] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
- [x] Functional changes are hidden behind a feature flag. If not
hidden, the PR explains why these changes are being implemented in a
long-living feature branch.
- [x] Comprehensive manual testing is done by two engineers: the PR
author and one of the PR reviewers. Changes are tested in both ESS and
Serverless.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
(cherry picked from commit e5a6b97)
kibanamachine referenced this issue in elastic/kibana Dec 8, 2023
…low (#172535) (#172957)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Security Solution] JSON diff view for prebuilt rule upgrade flow
(#172535)](#172535)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Nikita
Indik","email":"nikita.indik@elastic.co"},"sourceCommit":{"committedDate":"2023-12-08T15:16:42Z","message":"[Security
Solution] JSON diff view for prebuilt rule upgrade flow (#172535)\n\n##
Summary\r\n\r\n**Resolves:
https://github.com/elastic/kibana/issues/169160**\r\n**Resolves:
https://github.com/elastic/kibana/issues/166164**\r\n**Docs issue:
https://github.com/elastic/security-docs/issues/4371**\r\n\r\nThis PR
adds a new \"Updates\" tab to the prebuilt rules upgrade flyout.\r\nThis
tab shows a diff between the installed and updated rule
JSON\r\nrepresentations.\r\n\r\n<img width=\"1313\"
alt=\"Scherm­afbeelding 2023-12-05 om 02 48
37\"\r\nsrc=\"https://github.com/elastic/kibana/assets/15949146/ec0f95c6-22c6-4ce6-a6cc-0ceee974c6f7\">\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] Functional changes are communicated to the Docs team. A ticket
or\r\nPR is opened in https://github.com/elastic/security-docs. The
following\r\ninformation is included: any feature flags used, affected
environments\r\n(Serverless, ESS, or both).
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios (will be added\r\nin
a follow-up PR)\r\n- [ ] Functional changes are covered with a test plan
and automated\r\ntests (will be added in a follow-up PR)\r\n- [x] Any UI
touched in this PR is usable by keyboard only (learn more\r\nabout
[keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n-
[x] Any UI touched in this PR does not create any new axe
failures\r\n(run axe in
browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n-
[x] This renders correctly on smaller devices using a
responsive\r\nlayout. (Doesn't look great on phone screen, because
viewing diff\r\nrequires a lot of horizontal space. Tablets are fine
though.)\r\n- [x] This was checked for
[cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n-
[x] Functional changes are hidden behind a feature flag. If
not\r\nhidden, the PR explains why these changes are being implemented
in a\r\nlong-living feature branch.\r\n- [x] Comprehensive manual
testing is done by two engineers: the PR\r\nauthor and one of the PR
reviewers. Changes are tested in both ESS
and\r\nServerless.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Georgii Gorbachev
<georgii.gorbachev@elastic.co>","sha":"e5a6b978b8eca4ac275b72e88415e2238315a241","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Detections
and Resp","Team:
SecuritySolution","release_note:feature","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","v8.12.0","v8.13.0"],"number":172535,"url":"https://github.com/elastic/kibana/pull/172535","mergeCommit":{"message":"[Security
Solution] JSON diff view for prebuilt rule upgrade flow (#172535)\n\n##
Summary\r\n\r\n**Resolves:
https://github.com/elastic/kibana/issues/169160**\r\n**Resolves:
https://github.com/elastic/kibana/issues/166164**\r\n**Docs issue:
https://github.com/elastic/security-docs/issues/4371**\r\n\r\nThis PR
adds a new \"Updates\" tab to the prebuilt rules upgrade flyout.\r\nThis
tab shows a diff between the installed and updated rule
JSON\r\nrepresentations.\r\n\r\n<img width=\"1313\"
alt=\"Scherm­afbeelding 2023-12-05 om 02 48
37\"\r\nsrc=\"https://github.com/elastic/kibana/assets/15949146/ec0f95c6-22c6-4ce6-a6cc-0ceee974c6f7\">\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] Functional changes are communicated to the Docs team. A ticket
or\r\nPR is opened in https://github.com/elastic/security-docs. The
following\r\ninformation is included: any feature flags used, affected
environments\r\n(Serverless, ESS, or both).
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios (will be added\r\nin
a follow-up PR)\r\n- [ ] Functional changes are covered with a test plan
and automated\r\ntests (will be added in a follow-up PR)\r\n- [x] Any UI
touched in this PR is usable by keyboard only (learn more\r\nabout
[keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n-
[x] Any UI touched in this PR does not create any new axe
failures\r\n(run axe in
browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n-
[x] This renders correctly on smaller devices using a
responsive\r\nlayout. (Doesn't look great on phone screen, because
viewing diff\r\nrequires a lot of horizontal space. Tablets are fine
though.)\r\n- [x] This was checked for
[cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n-
[x] Functional changes are hidden behind a feature flag. If
not\r\nhidden, the PR explains why these changes are being implemented
in a\r\nlong-living feature branch.\r\n- [x] Comprehensive manual
testing is done by two engineers: the PR\r\nauthor and one of the PR
reviewers. Changes are tested in both ESS
and\r\nServerless.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Georgii Gorbachev
<georgii.gorbachev@elastic.co>","sha":"e5a6b978b8eca4ac275b72e88415e2238315a241"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/172535","number":172535,"mergeCommit":{"message":"[Security
Solution] JSON diff view for prebuilt rule upgrade flow (#172535)\n\n##
Summary\r\n\r\n**Resolves:
https://github.com/elastic/kibana/issues/169160**\r\n**Resolves:
https://github.com/elastic/kibana/issues/166164**\r\n**Docs issue:
https://github.com/elastic/security-docs/issues/4371**\r\n\r\nThis PR
adds a new \"Updates\" tab to the prebuilt rules upgrade flyout.\r\nThis
tab shows a diff between the installed and updated rule
JSON\r\nrepresentations.\r\n\r\n<img width=\"1313\"
alt=\"Scherm­afbeelding 2023-12-05 om 02 48
37\"\r\nsrc=\"https://github.com/elastic/kibana/assets/15949146/ec0f95c6-22c6-4ce6-a6cc-0ceee974c6f7\">\r\n\r\n\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] Any text added follows [EUI's
writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\r\nsentence case text and includes
[i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n-
[x] Functional changes are communicated to the Docs team. A ticket
or\r\nPR is opened in https://github.com/elastic/security-docs. The
following\r\ninformation is included: any feature flags used, affected
environments\r\n(Serverless, ESS, or both).
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials
([Docs\r\nissue](https://github.com/elastic/security-docs/issues/4371))\r\n-
[ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios (will be added\r\nin
a follow-up PR)\r\n- [ ] Functional changes are covered with a test plan
and automated\r\ntests (will be added in a follow-up PR)\r\n- [x] Any UI
touched in this PR is usable by keyboard only (learn more\r\nabout
[keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n-
[x] Any UI touched in this PR does not create any new axe
failures\r\n(run axe in
browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n-
[x] This renders correctly on smaller devices using a
responsive\r\nlayout. (Doesn't look great on phone screen, because
viewing diff\r\nrequires a lot of horizontal space. Tablets are fine
though.)\r\n- [x] This was checked for
[cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n-
[x] Functional changes are hidden behind a feature flag. If
not\r\nhidden, the PR explains why these changes are being implemented
in a\r\nlong-living feature branch.\r\n- [x] Comprehensive manual
testing is done by two engineers: the PR\r\nauthor and one of the PR
reviewers. Changes are tested in both ESS
and\r\nServerless.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by:
Georgii Gorbachev
<georgii.gorbachev@elastic.co>","sha":"e5a6b978b8eca4ac275b72e88415e2238315a241"}}]}]
BACKPORT-->

Co-authored-by: Nikita Indik <nikita.indik@elastic.co>
@joepeeples
Copy link
Contributor Author

joepeeples commented Dec 12, 2023

Diff is currently being restyled via elastic/kibana#173187, might be available later today or tomorrow (pull down a daily SNAPSHOT?). Wait on screenshots.

@joepeeples
Copy link
Contributor Author

PRs are approved, docs are ready to publish. Serverless release targeted for week of Jan 2, 2024 (prob Jan 3 for Production-NonCanary).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security Effort: Medium Issues that take moderate but not substantial time to complete Feature: Prebuilt rules Feature: Rules new-feature Issues that should be labeled as new features in Release Notes Priority: Medium Issues that have relevance, but aren't urgent Team: Detections/Response Detections and Response v8.12.0
Projects
None yet
Development

No branches or pull requests

1 participant