Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Calculate and save ruleSource.isCustomized in bulk edit API #187706

Closed
Tracked by #174168
banderror opened this issue Jul 5, 2024 · 3 comments · Fixed by #190041
Closed
Tracked by #174168

[Security Solution] Calculate and save ruleSource.isCustomized in bulk edit API #187706

banderror opened this issue Jul 5, 2024 · 3 comments · Fixed by #190041
Assignees
@xcrzx
Labels
8.16 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0

Comments

@banderror
Copy link
Contributor

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Follow-up to: #180145

Summary

Implement calculation of ruleSource.isCustomized in all necessary endpoints that write the ruleSource field to prebuilt rules, and where fields can be customized, diverging from the base version from the Rule Asset.

The calculation and saving of the field should be done in the following endpoints:

  • Bulk Actions - POST /rules/_bulk_action: with action Edit rules action

Background

Context from the Rule Customization RFC:

kibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md

Lines 559 to 584 in 269649a

#### Updating and upgrading rules
Updating rules can currently be performed via five endpoints:
- **Update Rule** - `PUT /rules`
- **Patch Rule** - `PATCH /rules`
- **Bulk Update Rules** - `PUT /rules/_bulk_update`
- **Bulk Patch Rules** - `PATCH /rules/_bulk_update`
- **Bulk Actions** - `POST /rules/_bulk_action`: with **bulk edit** action
Upgrading prebuilt rules to their newer version is done by two endpoints:
- **(LEGACY) Install Prebuilt Rules And Timelines** - `PUT /rules/prepackaged`
- **Perform Rule Upgrade** - `POST /prebuilt_rules/upgrade/_perform` (Internal)
The legacy endpoint does not allow for customization of fields during the upgrade, but the new rule upgrade customization endpoint does.
Additionally:
- **Bulk Actions** - `POST /rules/_bulk_action`: with **duplicate** action
will perform migration but does not allow for customization during the duplication process.
So we can analyze the expected outputs of the migration of all these 8 endpoints together.
The resulting values for `immutable` and `rule_source` when calling these endpoints, and the migration being performed in the background, should be as follows:

kibana/x-pack/plugins/security_solution/docs/rfcs/detection_response/prebuilt_rules_customization.md

Lines 817 to 821 in b6e0f87

Secondly, in order to migrate the `is_customized` value for rule edits, we can follow two approaches:
1. Calculate it in the `paramsModifier` callback that is passed to the `rulesClient.bulkEdit` method. This will need to modify the parameters of the callback to take as parameter the whole rule and the operations on the attributes, in order to have access to the values of the rule's field before and after of the edit.
2. Calculate it as part of the `validateMutatedRuleTypeParams` method in `x-pack/plugins/alerting/server/lib/validate_mutated_rule_type_params.ts` where we have access to the original params and the modified params.

@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area 8.16 candidate v8.16.0 labels Jul 5, 2024
This was referenced Jul 5, 2024
Closed
Open
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror assigned xcrzx and unassigned jpdjere Jul 29, 2024
@xcrzx xcrzx mentioned this issue Aug 7, 2024
Merged
@xcrzx xcrzx closed this as completed in 5cf9522 Aug 29, 2024
@banderror banderror mentioned this issue Nov 27, 2024
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xcrzx xcrzx

Labels
8.16 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution] Recalculate isCustomized when bulk editing rules xcrzx/kibana
4 participants
@xcrzx @jpdjere @banderror @elasticmachine