
[Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 3 #174168

Open
banderror opened this issue Jan 3, 2024 · 7 comments
Assignees
Labels
8.17 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Meta Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.14.0 v8.15.0 v8.16.0

Comments

banderror (Contributor) commented Jan 3, 2024

Epic: https://github.com/elastic/security-team/issues/1974 (internal)
Milestones: <<>>

Status: In development.

Summary

Milestone 3: Add support for customizing prebuilt rules. Extend the rule upgrade workflow with full support for 3-way diffs and conflict resolution.

This meta ticket is created to simplify tracking of various tickets related to the epic, and to make this public information so our users can track the progress.

User-facing outcomes:

  • Users can click the “edit” button for prebuilt rules and customize any field in the same editing interface as for custom rules
  • Users can filter rules on the rule management page by custom/customized/Elastic
  • Users can see whether a rule was customized on the rule details page
  • If a prebuilt rule is customized and an update comes in:
    • User can see the current version and update and compare per field
    • They are able to edit the final field versions before finalising the update
    • If the rule type changes - they can only accept the incoming changes
  • Prebuilt rules can be exported and imported

Useful info:

Design

Technical design

  1. 8.14 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    jpdjere
  2. 8.14 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp discuss
    approksiu banderror
    jpdjere
  3. Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp discuss release_note:skip skip-ci
    banderror

UI/UX design

  1. 8.14 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp design
  2. 2 of 5
    8.18 candidate Feature:Prebuilt Detection Rules Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp

Preparatory changes

Preparatory changes are changes we can work on before we start hiding functionality behind a feature flag. This reduces the overall complexity introduced by feature toggling.

Missing UI for editing certain rule fields

  1. 8.14 candidate Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.14.0
    dplumlee
  2. 8.15 candidate Feature:Rule Creation Feature:Rule Details Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    ARWNightingale dplumlee
  3. 8.15 candidate Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    ARWNightingale maximpn
  4. 8.15 candidate Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    ARWNightingale nikitaindik

Missing UI for editing certain rule fields (docs)

  1. 3 of 3
    Docset: ESS Docset: Serverless Feature: Rules Team: Detections/Response v8.14.0
    joepeeples
  2. 3 of 3
    Docset: ESS Docset: Serverless Feature: Rules Team: Detections/Response v8.15.0
    joepeeples
  3. 3 of 3
    Docset: ESS Docset: Serverless Feature: Rules Team: Detections/Response v8.15.0
    joepeeples
  4. 3 of 3
    Docset: ESS Docset: Serverless Feature: Rules Team: Detections/Response v8.15.0
    joepeeples

Schema-related changes

  1. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.15.0
    xcrzx
  2. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.15.0
    xcrzx
  3. Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp backport:skip bug impact:critical release_note:skip v8.15.0
    xcrzx
  4. 8.15 candidate Feature:Prebuilt Detection Rules Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.15.0
    xcrzx
  5. 8.15 candidate Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring v8.15.0
    jpdjere
  6. 8.16 candidate Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring v8.15.0 v8.16.0
    nikitaindik xcrzx
  7. 8.16 candidate Feature:Prebuilt Detection Rules Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    jpdjere

Rule customization, API changes

  1. 8.16 candidate Feature:Prebuilt Detection Rules Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    xcrzx
  2. 8.16 candidate Feature:Prebuilt Detection Rules Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    xcrzx
  3. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    dplumlee
  4. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    dplumlee

Rule upgrade, API changes

  1. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.15.0
    dplumlee
  2. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    jpdjere
  3. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    jpdjere
  4. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring
    jpdjere
  5. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    jpdjere
  6. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    jpdjere
  7. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    jpdjere
  8. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    jpdjere
  9. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    jpdjere
  10. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring
    jpdjere

Rule upgrade, diff algorithms

  1. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    dplumlee
  2. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    dplumlee
  3. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    dplumlee
  4. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    dplumlee
  5. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    dplumlee
  6. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    dplumlee
  7. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement
    dplumlee
  8. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    dplumlee

Fleet package with prebuilt rules

  1. 3 of 3
    8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp Team:Fleet v8.16.0
    xcrzx
  2. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp Team:Fleet technical debt
    xcrzx
  3. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp Team:Fleet technical debt
    xcrzx
  4. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp Team:Fleet
    xcrzx
  5. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.16.0
    xcrzx
  6. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp Team:Fleet performance v8.17.0
    xcrzx
  7. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.17.0
    approksiu xcrzx
  8. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp technical debt

Changes hidden behind the feature flag

These are changes that will need to be hidden behind the prebuiltRulesCustomizationEnabled feature flag.

Rule customization, UI changes

  1. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp v8.15.0
    nikitaindik
  2. 8.15 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.15.0
    nikitaindik
  3. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement
    dplumlee
  4. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    dplumlee
  5. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    dplumlee

Rule upgrade, UI changes

  1. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement v8.16.0
    maximpn nikitaindik
  2. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    maximpn nikitaindik
  3. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp needs design
    ARWNightingale jpdjere
    xcrzx
  4. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    xcrzx

Rule export and import, API and UI changes

  1. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement
    rylnd
  2. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement
    rylnd
  3. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    dplumlee
  4. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    dplumlee
  5. 8.17 candidate Feature:Prebuilt Detection Rules Feature:Rule Import/Export Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    rylnd
  6. 8.17 candidate Feature:Prebuilt Detection Rules Feature:Rule Import/Export Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    rylnd

RBAC

Telemetry

  1. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp needs product telemetry
    xcrzx

Before release

Bugs: rule editing and customization

  1. 8.16 candidate Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug fixed impact:medium v8.16.0
    e40pud
  2. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high v8.16.1 v8.17.0 v9.0.0
    dplumlee
  3. 8.17 candidate Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium v8.16.1 v8.17.0 v9.0.0
    dplumlee
  4. 8.18 candidate Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium
  5. 8.18 candidate Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp needs design needs product
    ARWNightingale approksiu
  6. 2 of 5
    8.18 candidate Feature:Prebuilt Detection Rules Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp

Bugs: rule details and upgrade flyout

  1. 8.17 candidate Feature:Rule Details Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium
    nikitaindik
  2. 8.17 candidate Feature:Rule Details Feature:Threshold Rule Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug enhancement sdh-linked
    nikitaindik
  3. 8.17 candidate Feature:Rule Details Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low
    nikitaindik

Bugs: rule installation and upgrade

  1. 8.14 candidate Feature:Detection Alerts/Rules RBAC Feature:Prebuilt Detection Rules QA:Validated Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug fixed impact:medium v8.12.2 v8.13.0 v8.14.0
    jpdjere
  2. 8.14 candidate Feature:Prebuilt Detection Rules QA:Validated Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high
  3. Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low performance
    nikitaindik
  4. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium v8.16.0
    jpdjere
  5. 8.16 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug fixed impact:high v8.16.0
    maximpn
  6. 8.17 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:critical performance v8.16.1 v8.17.0 v9.0.0
    dplumlee xcrzx
  7. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high
    maximpn
  8. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high

Bugs: rule import and export

  1. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug triage_needed

Bugs: misc

  1. 8.16 candidate Feature:Prebuilt Detection Rules Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug fixed impact:medium v8.15.1 v8.16.0
    banderror

Testing

  1. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    ARWNightingale approksiu
  2. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    MadameSheema pborgonovi
  3. 8.18 candidate Feature:Prebuilt Detection Rules Feature:Rule Details Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp technical debt test-coverage
    nikitaindik

Documentation

  1. v8.18.0
    joepeeples
  2. v8.18.0
    joepeeples

Final changes before releasing the feature

  1. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp

After release

Last changes after releasing the feature

  1. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
    pborgonovi
  2. 8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp
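The upgrade flow described in the Summary and the user-facing outcomes above (compare current version and update per field, let the user edit the final value, and fall back to "accept incoming only" when the rule type changes) is a per-field three-way merge. The block below is an added example written for this page; it is not Kibana's own code, and every identifier in it (RuleSnapshot, FieldOutcome, mergeRuleUpgrade, finalizeUpgrade, the sample rules) is hypothetical and does not correspond to names in the Kibana code base. The three inputs are the installed prebuilt version the user started from (base), the rule as the user has it now (current) and the incoming version from the rules package (target).

```typescript
// Added example, not Kibana's own code: a per-field three-way merge of the
// kind the ticket describes for upgrading a customized prebuilt rule.
// All names below are hypothetical.

type RuleSnapshot = { type: string; [field: string]: unknown };

// NONE: nothing to do; TARGET: take the incoming value; CURRENT: keep the
// user's customization; CONFLICT: both sides changed the field differently.
type Resolution = 'NONE' | 'TARGET' | 'CURRENT' | 'CONFLICT';

interface FieldOutcome {
  base: unknown;     // installed prebuilt version the user started from
  current: unknown;  // what the user has now (possibly customized)
  target: unknown;   // incoming version from the rules package
  merged: unknown;   // proposed final value
  resolution: Resolution;
}

interface UpgradeResult {
  typeChanged: boolean;
  hasConflicts: boolean;
  fields: Record<string, FieldOutcome>;
}

// Structural comparison; sufficient for JSON-shaped rule fields (key order matters).
function isEqual(a: unknown, b: unknown): boolean {
  return JSON.stringify(a) === JSON.stringify(b);
}

function diffField(base: unknown, current: unknown, target: unknown): FieldOutcome {
  let resolution: Resolution;
  let merged: unknown;
  if (isEqual(current, target)) {
    resolution = 'NONE'; merged = current;          // already in sync
  } else if (isEqual(base, current)) {
    resolution = 'TARGET'; merged = target;         // user never touched it
  } else if (isEqual(base, target)) {
    resolution = 'CURRENT'; merged = current;       // package never touched it
  } else {
    resolution = 'CONFLICT'; merged = current;      // keep customization until the user decides
  }
  return { base, current, target, merged, resolution };
}

function mergeRuleUpgrade(base: RuleSnapshot, current: RuleSnapshot, target: RuleSnapshot): UpgradeResult {
  const keys = Array.from(new Set([...Object.keys(base), ...Object.keys(current), ...Object.keys(target)]));
  const typeChanged = base.type !== target.type;
  const fields: Record<string, FieldOutcome> = {};
  for (const key of keys) {
    if (typeChanged) {
      // A rule type change cannot be merged field by field: the incoming rule wins wholesale.
      fields[key] = { base: base[key], current: current[key], target: target[key], merged: target[key], resolution: 'TARGET' };
    } else {
      fields[key] = diffField(base[key], current[key], target[key]);
    }
  }
  const hasConflicts = Object.values(fields).some((f) => f.resolution === 'CONFLICT');
  return { typeChanged, hasConflicts, fields };
}

// userChoices carries the final values the user typed for conflicting fields.
function finalizeUpgrade(result: UpgradeResult, userChoices: Record<string, unknown>): RuleSnapshot {
  if (result.typeChanged && Object.keys(userChoices).length > 0) {
    throw new Error('rule type changed: only the incoming version can be accepted');
  }
  const out: Record<string, unknown> = {};
  for (const [key, outcome] of Object.entries(result.fields)) {
    if (outcome.resolution === 'CONFLICT' && !(key in userChoices)) {
      throw new Error(`unresolved conflict in field "${key}"`);
    }
    out[key] = key in userChoices ? userChoices[key] : outcome.merged;
  }
  return out as RuleSnapshot;
}

// Constructed sample data (not real Elastic rules).
const BASE_V1: RuleSnapshot = {
  type: 'query', name: 'Suspicious Process', query: 'process.name : "foo"', severity: 'low', tags: ['Elastic'],
};
const CURRENT: RuleSnapshot = { ...BASE_V1, severity: 'high', tags: ['Elastic', 'SOC-tuned'] };
const TARGET_V2: RuleSnapshot = { ...BASE_V1, query: 'process.name : ("foo" or "bar")', severity: 'medium' };
const TARGET_V2_EQL: RuleSnapshot = { ...TARGET_V2, type: 'eql', query: 'process where process.name == "foo"' };
```

With the sample data, `query` resolves to TARGET (the user never changed it), `tags` to CURRENT (the package never changed it), `severity` to CONFLICT (both sides changed it), and the upgrade cannot be finalized until the user supplies a value for `severity`; against `TARGET_V2_EQL` the type change forces every field to the incoming value and rejects any user override.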
@banderror banderror added Meta Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area labels Jan 3, 2024
elasticmachine (Contributor): Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine (Contributor): Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine (Contributor): Pinging @elastic/security-solution (Team: SecuritySolution)

banderror (Contributor, Author) commented Feb 23, 2024

Draft plan for Milestone 3

UPD: the plan has been moved to the ticket description.

banderror (Contributor, Author) commented Jul 5, 2024

@jpdjere Please review the updated ticket and let's sync on it on Monday.

Here are the changes I made:

  • Addressed all the todos, except pinging Kseniia and Alex about the work to do on their side. Before we ask other people to prioritize certain work, I'd like to sync on our plan with a few people.
  • Opened new tickets:
    • Stream-based programmatic API for installing packages #187646
    • API endpoint for the package with prebuilt rules #187647
    • Smart limits for the package with prebuilt rules #187645
    • Splitting the package with prebuilt rules #187648
    • Alternative mechanism for distributing prebuilt rules #187649
    • Detection rule migration mechanism #187651
    • DetectionRulesClient refactoring. Part 3 #187656
    • Implement query fields diff algorithm #187658
    • Implement data source fields diff algorithm #187659
    • Implement MITRE ATT&CK® field diff algorithm #187660
    • Calculate and save ruleSource.isCustomized in bulk edit API #187706
  • Wrote descriptions for:
    • Implement UI for updating prebuilt rule to a new rule type #180395
    • Replace PATCH logic with PUT when upgrading rules #180195
  • Assigned 8.16 candidate and 8.17 candidate labels to all the tickets in Milestone 3.
  • Moved the tickets that we can postpone until later to Milestone 4.

maximpn added a commit that referenced this issue Sep 27, 2024
…Update Workflow (#193531)

**Epic:** #174168
**Addresses:** #171520

## Summary

This PR introduces a new `Update` tab allowing users to resolve rule upgrade conflicts. It is the result of combining the read-only components implemented in #193261 and the rule upgrade state implemented in #191721.

## Details

The goal of this PR is to provide intermediate integration between the rule upgrade state ([PR](#191721)) and the components displaying the diff and read-only state ([PR](#193261)). It will facilitate further development of the editable rule field components and streamline development of the rule upgrade functionality.

## How to test?

The functionality is hidden under `prebuiltRulesCustomizationEnabled` feature flag. Add the following to your Kibana config

```yaml
xpack.securitySolution.enableExperimental:
  - prebuiltRulesCustomizationEnabled
```

When the above feature flag is enabled, the new `Update` tab is displayed instead of the old one.

## Screenshots

Suggested components design 
![image](https://github.com/user-attachments/assets/b5aaf571-286a-4595-9bd4-fdaf9a423b03)

New `Update` tab
<img width="1718" alt="image" src="https://github.com/user-attachments/assets/28aa6bb3-f805-4109-a808-d67e58c7c5b8">
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Sep 27, 2024
…Update Workflow (elastic#193531)
(cherry picked from commit 878ba13)