[SIEM][Detection Engine] Allow to edit actions for prepackaged rules #61312
Conversation
patrykkopycinski
requested review from
XavierM and
FrankHassanabad
and removed request for
XavierM
patrykkopycinski
added
release_note:skip
|
Pinging @elastic/siem (Team:SIEM) |
|
Thank you, @patrykkopycinski, for finding a quick solution. I think I like this for 7.7 at least, but we should discuss the following two points:
CC @FrankHassanabad @spong @MikePaquette @XavierM @marrasherrier for the discussion. |
|
@tsg @patrykkopycinski @FrankHassanabad @spong @XavierM Amazing, this has the potential to save users hours of time whenever we update our prebuilt rules.
We also need to consider the common case of prebuilt rules being "updated" (e.g., each time we release updated rules). The expected experience is that the alerting settings (and in the future, allowlist settings) would be preserved independently, even though the rule contents (immutable parts) may change during updates.
I'd say yes. @marrasherrier and I spoke about this yesterday with @lindseypoli, and while we may come up with a better experience in the future, this seems quite acceptable. In fact, we thought ahead to when we add support for rule exceptions, and this approach would be easily extensible to that. (i.e., if the user edits a pre-built rule, the only active tabs would be "Alerts" and "Exceptions.") |
@tsg @MikePaquette we don't allow to export, so to import prepackaged rules. With my changes, we will not override |
That should work with the current PR, if I understand it correctly. I'm just worried if this (technical) design is perhaps too brittle for the future. But we can always improve it as needed. |
|
Maybe, we should create rules_actions saved object, therefore we do not save action with the rules saved objects so it is independent of the rules and we can keep the immutable logic in rules for pre-packaged rules. |
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
..._plugins/kibana/public/management/sections/objects/components/objects_table/objects_table.js
Outdated
Show resolved
Hide resolved
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
…packedrules-actions-edit
|
@elasticmachine merge upstream |
Conflicts: x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
Conflicts: x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/create/helpers.ts x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
We missed adding throttle in one spot, here.
There was a problem hiding this comment.
Ran things locally, two notes:
- Adding actions doesn't affect a prepackaged rule's version, so 👍 there
- When adding an action to a prepackaged rule, the rule was automatically enabled. This was unexpected to me so I'm thinking it might be a bug?
I just fixed the one test failure, so hopefully this'll be green in a little bit here. I'm babysitting some other stuff so I'll keep an eye on this one as well.
| export const isRuleActionsSavedObjectType = ( | ||
| obj: unknown | ||
| ): obj is SavedObject<IRuleActionsAttributesSavedObjectAttributes> => { | ||
| return get('attributes', obj) != null; |
There was a problem hiding this comment.
Wouldn't every saved object have an attributes property? Ditto for the check of saved_objects below. If these are not guaranteed to find only the type in question, then these are functionally equivalent to just saying as [Type], and have all the same downsides.
…trykkopycinski/kibana into feat/siem-prepackedrules-actions-edit
…packedrules-actions-edit # Conflicts: # x-pack/legacy/plugins/siem/server/plugin.ts
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Checklist
Delete any items that are not applicable to this PR.
For maintainers