Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FR] Add support for investigation_fields in Detection Rules #3224

Closed
terrancedejesus opened this issue Oct 24, 2023 · 4 comments · Fixed by #3550
Closed

[FR] Add support for investigation_fields in Detection Rules #3224

terrancedejesus opened this issue Oct 24, 2023 · 4 comments · Fixed by #3550
Assignees
@Mikaayenson
Labels
backlog enhancement New feature or request python Internal python for the repository schema

Comments

@terrancedejesus
Copy link
Contributor

terrancedejesus commented Oct 24, 2023
edited by Mikaayenson
Loading

Is your feature request related to a problem? Please describe.
Not related to a problem. The Detection Rules custom rule schemas need to be updated to support investigation_fields. The original feature was introduced here and the recent type change here.

Describe the solution you'd like
We do not support investigation_fields in our custom rule schemas.

Describe alternatives you've considered
Support investigation_fields by determining which rule schema it should be defined in. We should also set a minimum compatibility to 8.11 to avoid a bug discussed here.

Additional context
A rule will need to be created in the UI to determine what options are allowed and how we should structure the support in the rule schemas for this field.
@terrancedejesus terrancedejesus added the enhancement New feature or request label Oct 24, 2023
@terrancedejesus terrancedejesus self-assigned this Oct 24, 2023
@terrancedejesus terrancedejesus added python Internal python for the repository schema labels Oct 24, 2023
@SHolzhauer SHolzhauer mentioned this issue Nov 30, 2023
Open
@botelastic
Copy link

botelastic bot commented Dec 23, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Dec 23, 2023
@botelastic
Copy link

botelastic bot commented Dec 30, 2023

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Dec 30, 2023
@botelastic botelastic bot removed the stale 60 days of inactivity label Jan 3, 2024
@botelastic
Copy link

botelastic bot commented Mar 3, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Mar 3, 2024
@botelastic
Copy link

botelastic bot commented Mar 10, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Mar 10, 2024
@Mikaayenson Mikaayenson reopened this Mar 11, 2024
@botelastic botelastic bot removed the stale 60 days of inactivity label Mar 11, 2024
@Mikaayenson Mikaayenson mentioned this issue Mar 29, 2024
Merged
@Mikaayenson Mikaayenson linked a pull request Mar 29, 2024 that will close this issue
[FR] Add support for investigation_fields #3550
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Mikaayenson Mikaayenson

Labels
backlog enhancement New feature or request python Internal python for the repository schema
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[FR] Add support for investigation_fields elastic/detection-rules
2 participants
@Mikaayenson @terrancedejesus