
[Security Solution][Detections] Investigate removing usage of internal tags #92334

Open
spong opened this issue Feb 23, 2021 · 2 comments
Labels
- Feature:Detection Rules (Security Solution rules and Detection Engine)
- refactoring
- Team:Detection Rule Management (Security Detection Rule Management Team)
- Team:Detections and Resp (Security Detection Response Team)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
- technical debt (Improvement of the software architecture and operational architecture)
- Theme: simp_prot_mgmt (Security Solution Simplified Protection Management Theme)

Comments

@spong
Member

spong commented Feb 23, 2021

With #92036, the Alerting team enabled the ability to filter on string parameters within our custom alert params. As a result, we should be able to use this to remove our internal_tags workaround for filtering on the immutable custom field. While immutable is a boolean, this fix leverages the flattened mapping under the hood, and so we should be able to use the string representation "true" or "false" to filter rules accordingly. e.g. alert.attributes.params.immutable:"true"

Testing real quick, I modified:

```ts
const showCustomRuleFilter = filterOptions.showCustomRules
  ? [`alert.attributes.tags: "__internal_immutable:false"`]
  : [];
const showElasticRuleFilter = filterOptions.showElasticRules
  ? [`alert.attributes.tags: "__internal_immutable:true"`]
  : [];
```

to be:

```ts
const showCustomRuleFilter = filterOptions.showCustomRules
  ? [`alert.attributes.params.immutable: "false"`]
  : [];
const showElasticRuleFilter = filterOptions.showElasticRules
  ? [`alert.attributes.params.immutable: "true"`]
  : [];
```

And this appears to work! 🎉

For more details on the internal_tags implementation, please see the original PR here: #52838

@spong spong added refactoring technical debt Improvement of the software architecture and operational architecture Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 23, 2021
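The comment above replaces a tag-based workaround with a direct query on a boolean stored under a `flattened` mapping, where the value has to be matched as the string "true" or "false". The following is an added example (not Kibana's own code and not posted by the issue author) that puts both filter builders side by side and runs them through a toy evaluator over constructed rule objects; `FilterOptions`, `RuleSavedObject`, `SAMPLE_RULES`, the regex-based clause matcher and its OR semantics are all assumptions made for the example, not the alerting saved-object schema or KQL engine.

```typescript
// Added example (not Kibana's own code). It models the filter change in the issue:
// the legacy `__internal_immutable:<bool>` tag workaround versus filtering on
// `alert.attributes.params.immutable` directly. Because `params` is indexed with a
// `flattened` mapping, every leaf is searchable as a keyword string, so the boolean
// `immutable` is matched against the string "true" / "false".

interface FilterOptions {
  showCustomRules: boolean;
  showElasticRules: boolean;
}

// Minimal stand-in for a rule saved object; shape and field names are
// assumptions for the example, not the real alerting saved-object schema.
interface RuleSavedObject {
  id: string;
  attributes: {
    tags: string[];
    params: { immutable: boolean; [key: string]: unknown };
  };
}

// Legacy filter: relies on the internal tag written alongside each rule.
function buildLegacyTagFilters(opts: FilterOptions): string[] {
  return [
    ...(opts.showCustomRules ? ['alert.attributes.tags: "__internal_immutable:false"'] : []),
    ...(opts.showElasticRules ? ['alert.attributes.tags: "__internal_immutable:true"'] : []),
  ];
}

// Replacement filter from the issue: query the flattened param as a string.
function buildParamsFilters(opts: FilterOptions): string[] {
  return [
    ...(opts.showCustomRules ? ['alert.attributes.params.immutable: "false"'] : []),
    ...(opts.showElasticRules ? ['alert.attributes.params.immutable: "true"'] : []),
  ];
}

// Toy evaluator for the single KQL shape used above: `alert.attributes.<path>: "<value>"`.
// It emulates the flattened mapping by comparing every leaf as a string, which is
// exactly why the boolean `immutable` is quoted in the query.
const CLAUSE = /^alert\.attributes\.([A-Za-z0-9_.]+):\s*"([^"]*)"$/;

function matchesClause(rule: RuleSavedObject, clause: string): boolean {
  const m = CLAUSE.exec(clause);
  if (!m) throw new Error(`unsupported clause: ${clause}`);
  const [, path, wanted] = m;
  let node: unknown = rule.attributes;
  for (const key of path.split('.')) {
    if (node === null || typeof node !== 'object') return false;
    node = (node as Record<string, unknown>)[key];
  }
  const leaves: unknown[] = Array.isArray(node) ? node : [node];
  return leaves.some((v) => v !== undefined && v !== null && String(v) === wanted);
}

// A rule is kept if it matches any clause; an empty clause list keeps everything
// (the example's own OR semantics, chosen to mirror "show custom / show Elastic").
function filterRules(rules: RuleSavedObject[], clauses: string[]): string[] {
  return rules
    .filter((r) => clauses.length === 0 || clauses.some((c) => matchesClause(r, c)))
    .map((r) => r.id);
}

// Constructed sample rules: tags kept in sync with `immutable`, as the workaround did.
const SAMPLE_RULES: RuleSavedObject[] = [
  { id: 'custom-1', attributes: { tags: ['__internal_immutable:false', 'linux'], params: { immutable: false } } },
  { id: 'elastic-1', attributes: { tags: ['__internal_immutable:true'], params: { immutable: true } } },
  { id: 'custom-2', attributes: { tags: ['__internal_immutable:false'], params: { immutable: false } } },
];

// Both filter styles select the same rules on this sample set.
function filtersAgree(opts: FilterOptions): boolean {
  const legacy = filterRules(SAMPLE_RULES, buildLegacyTagFilters(opts));
  const direct = filterRules(SAMPLE_RULES, buildParamsFilters(opts));
  return JSON.stringify(legacy) === JSON.stringify(direct);
}
```

The evaluator deliberately stringifies leaves rather than comparing typed values: that is the behaviour the flattened mapping gives you, and it is the reason `immutable: "true"` works while the rule still stores a real boolean. Once the params filter is in place, the `__internal_immutable:*` tag is no longer consulted anywhere, which is what lets the workaround be removed.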
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@peluja1012 peluja1012 added the Team:Detection Rule Management Security Detection Rule Management Team label Sep 14, 2021
@peluja1012 peluja1012 added the Theme: simp_prot_mgmt Security Solution Simplified Protection Management Theme label Oct 22, 2021