[Security Solution] Handle rule deprecations within Prebuilt Rule upgrade workflow

[spong]

A current limitation of the Prebuilt Rule upgrade workflow (whether loading from filesystem or the Fleet Prebuilt Security Detection Rule integration) is that we don't support the deprecation or removal of prebuilt rules. As a result, when a rule is deprecated, has its' id changed, or is flat out removed from future distributions, previous versions of the installed rule will stick around whether or not they were enabled by the user, and with no indication of why or what rule may have superseded it. This issue is for discussing a deprecation workflow, and what functionality may need to be added in support of it (deprecatedVersion/deprecatedMessage fields, delete-on-update functionality for the pre-packaged rules route, etc).

Note: This information can usually be found either in the Prebuilt Rule Reference documentation, or directly within the detection-rules repo, but is not accessible from within the Security Solution application at the moment.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[spong]

Note: the behavior outlined in this issue was present when reviewing #119527. Current thought is the old rule (version 2) was being loaded from a pre-7.16 fleet package (v0.14.2) which didn't include the ruleId update from #118657.

[banderror]

Hey @Mikaayenson, is there a reason why you removed the labels?

[Mikaayenson]

Hey @Mikaayenson, is there a reason why you removed the labels?

Glitch in the matrix. (I think when I pruned other issues I made a mistake and removed these) although I don't recall seeing this. I've added them back.

[banderror]

Ok cool, thanks for getting them back 🙂

[spong]

Was just discussing this with @terrancedejesus as they've been seeing some deprecated rules being reported in telemetry multiple version past their deprecation (since they'll just keep rolling forward with each version upgrade). So it would be nice to get some part of this worked so users can know within the app that they shouldn't be using these rules anymore (whether that's a deprecated tag, or something more prominent in the UI like a warning callout on Rule Details). May be tougher to add retroactively since we're not shipping these rules anymore, but we'll potentially have more options once the rule immutability work ships, or as @xcrzx brought up, doing a delta between the current package and currently installed.

cc @jethr0null @peluja1012

[terrancedejesus]

Thanks for sharing @spong. To put some perspective on this from Telemetry, the Unusual Process Execution - Temp detection rule was deprecated prior to the release of 8.4.

However, in the last 60 days, we have ~192 clusters reporting security alerts for this rule with ~4m security alerts in total across these client stacks. 75% of these ~4m security alerts are from stacks where this rule would not exist if removed because it was deprecated.

[ARWNightingale]

Hi All, I think this initial design could belong here.

https://www.figma.com/file/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=2218%3A468370&t=1BLDw8a7h50XzbAt-1