[Security Solution] Add AlertSuppression and Investigation Fields to Rule Upgrade workflow
#195499
+2
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jpdjere
added
release_note:enhancement
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
…on-tp-upgrade-workflow
💚 Build Succeeded
Metrics [docs]Async chunks
History
cc @jpdjere |
jpdjere
deleted the
add-investigation-fields-and-alert-suppression-tp-upgrade-workflow
branch
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11293508837 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 11, 2024
… to Rule Upgrade workflow (elastic#195499) Resolves: elastic#190597 ## Summary Adds `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow: - Fields had already been added to DiffableRule schema and diffing algorithms in elastic#190128 - Current PR adds them to the UI field list so they get displayed in the diff ## Screenshots #### Investigation Fields  #### Alert Suppression  ## Testing Little bit tricky: no prebuilt rules have these fields, so no matter which packages you install you wont' see this upgrade. You'll need to tinker with the security-rule assets, for example: ```ts POST .kibana_security_solution/_update_by_query { "script": { "source": """ ctx._source['security-rule']['alert_suppression'] = [ 'group_by': ['agent.hostname'], 'missing_fields_strategy': 'suppress' ]; """, "lang": "painless" }, "query": { "bool": { "must": [ { "term": { "type": { "value": "security-rule" } } }, { "term": { "security-rule.rule_id": { "value": "0564fb9d-90b9-4234-a411-82a546dc1343" } } }, { "term": { "security-rule.version": { "value": "111" } } } ] } } } ``` ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) (cherry picked from commit ed144bd)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 11, 2024
…Investigation Fields` to Rule Upgrade workflow (#195499) (#195924) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow (#195499)](#195499) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Juan Pablo Djeredjian","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-11T13:44:50Z","message":"[Security Solution] Add `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow (#195499)\n\nResolves: https://github.com/elastic/kibana/issues/190597\r\n\r\n## Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to DiffableRule schema and diffing\r\nalgorithms in https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them to the UI field list so they get displayed in the\r\ndiff\r\n\r\n## Screenshots\r\n\r\n#### Investigation Fields\r\n\r\n\r\n\r\n\r\n#### Alert Suppression\r\n\r\n\r\n\r\n\r\n\r\n## Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields, so no matter\r\nwhich packages you install you wont' see this upgrade. You'll need to\r\ntinker with the security-rule assets, for example:\r\n```ts\r\nPOST .kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n \"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression'] = [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy': 'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n \"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n \"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\": \"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:prev-minor","v8.16.0"],"title":"[Security Solution] Add `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow","number":195499,"url":"https://github.com/elastic/kibana/pull/195499","mergeCommit":{"message":"[Security Solution] Add `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow (#195499)\n\nResolves: https://github.com/elastic/kibana/issues/190597\r\n\r\n## Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to DiffableRule schema and diffing\r\nalgorithms in https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them to the UI field list so they get displayed in the\r\ndiff\r\n\r\n## Screenshots\r\n\r\n#### Investigation Fields\r\n\r\n\r\n\r\n\r\n#### Alert Suppression\r\n\r\n\r\n\r\n\r\n\r\n## Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields, so no matter\r\nwhich packages you install you wont' see this upgrade. You'll need to\r\ntinker with the security-rule assets, for example:\r\n```ts\r\nPOST .kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n \"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression'] = [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy': 'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n \"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n \"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\": \"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/195499","number":195499,"mergeCommit":{"message":"[Security Solution] Add `AlertSuppression` and `Investigation Fields` to Rule Upgrade workflow (#195499)\n\nResolves: https://github.com/elastic/kibana/issues/190597\r\n\r\n## Summary\r\n\r\nAdds `AlertSuppression` and `Investigation Fields` to Rule Upgrade\r\nworkflow:\r\n- Fields had already been added to DiffableRule schema and diffing\r\nalgorithms in https://github.com/elastic/kibana/pull/190128\r\n- Current PR adds them to the UI field list so they get displayed in the\r\ndiff\r\n\r\n## Screenshots\r\n\r\n#### Investigation Fields\r\n\r\n\r\n\r\n\r\n#### Alert Suppression\r\n\r\n\r\n\r\n\r\n\r\n## Testing\r\n\r\nLittle bit tricky: no prebuilt rules have these fields, so no matter\r\nwhich packages you install you wont' see this upgrade. You'll need to\r\ntinker with the security-rule assets, for example:\r\n```ts\r\nPOST .kibana_security_solution/_update_by_query\r\n{\r\n \"script\": {\r\n \"source\": \"\"\"\r\n ctx._source['security-rule']['alert_suppression'] = [\r\n 'group_by': ['agent.hostname'],\r\n 'missing_fields_strategy': 'suppress'\r\n ];\r\n \"\"\",\r\n \"lang\": \"painless\"\r\n },\r\n \"query\": {\r\n \"bool\": {\r\n \"must\": [\r\n {\r\n \"term\": {\r\n \"type\": {\r\n \"value\": \"security-rule\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.rule_id\": {\r\n \"value\": \"0564fb9d-90b9-4234-a411-82a546dc1343\"\r\n }\r\n }\r\n },\r\n {\r\n \"term\": {\r\n \"security-rule.version\": {\r\n \"value\": \"111\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n}\r\n```\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"ed144bdba48585754de6b89f80b5dbba37f19edf"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Juan Pablo Djeredjian <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves: #190597
Summary
Adds
AlertSuppressionandInvestigation Fieldsto Rule Upgrade workflow:Screenshots
Investigation Fields
Alert Suppression
Testing
Little bit tricky: no prebuilt rules have these fields, so no matter which packages you install you wont' see this upgrade. You'll need to tinker with the security-rule assets, for example:
For maintainers