[Security Solution] Make changes in the internal rule schema #180124
Labels
8.15 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.15.0
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Depends on: #180122, #180121
Needed for: all migration tickets listed in #174168
Summary
As part of the preparatory changes for the work in Milestone 3, we want to adapt the internal rule schema to the changes proposed in the RFC. In particular, we should:
ruleSource
field to theBaseRuleParams
schema, as an optional field.immutable
field in theBaseRuleParams
schema to be optional.The
ruleSource
field type should be based on therule_source
schema defined for the API schema, which uses camelCase. We should use a transformation function implemented as part of #180121 to avoid creating two versions of the schema (one camelCase and one snake_case).Before migration on write takes place, the value for
ruleSource
will be undefined for all rules, whileimmutable
will continue to have the same value. Once migration on write start to progressively happen,ruleSource
will be populated, whileimmutable
will be deleted from ES data.Background
kibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md
Lines 313 to 336 in de25d7c
The text was updated successfully, but these errors were encountered: