[Security Solution] Add InvestigationFields and AlertSuppression fields to the upgrade workflow #190597
Labels
- 8.16 candidate
- Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules)
- Team:Detection Rule Management (Security Detection Rule Management Team)
- Team:Detections and Resp (Security Detection Response Team)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
Comments
jpdjere added the triage_needed, Team:Detections and Resp, Team: SecuritySolution and Team:Detection Rule Management labels on Aug 15, 2024
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
jpdjere added the Feature:Prebuilt Detection Rules and v8.16.0 labels on Aug 15, 2024
jpdjere added a commit that referenced this issue on Sep 12, 2024:

…0128)

## Summary

- Partially addresses #166376 (see step 1 of [plan](#166376 (comment)))
- Partially addresses: #190597
- Creates a Map of the fields that are upgradable during the Upgrade workflow, by type.
- Creating this Map dynamically, based on BaseCreateProps and TypeSpecificFields, ensures that we don't need to:
  - manually add rule types to this Map if they are created
  - manually add or remove any fields if they are added to or removed from a specific rule type
  - manually add or remove any fields if we decide that they should not be part of the upgradable fields.
- This Map will be used as part of the `/upgrade/_perform` endpoint handler logic to build the payload of fields that will be upgraded to their different versions (`BASE`, `CURRENT`, `TARGET`, `MERGED`, `RESOLVED`)
- Creates `RuleFieldsToUpgrade` Zod schema and `FieldUpgradeSpecifier` type, part of the `/upgrade/_perform` payload, which defines which fields can be upgraded and how.

<details>
<summary>See output: <b>UPGRADABLE_RULES_FIELDS_BY_TYPE_MAP</b></summary>

```ts
new Map([
  ["eql", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "query", "language", "index", "data_view_id", "filters", "event_category_override",
    "tiebreaker_field", "timestamp_field", "alert_suppression"
  ]],
  ["query", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "index", "data_view_id", "filters", "saved_id", "alert_suppression", "query", "language"
  ]],
  ["saved_query", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "saved_id", "index", "data_view_id", "filters", "alert_suppression", "query", "language"
  ]],
  ["threshold", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "query", "threshold", "index", "data_view_id", "filters", "saved_id", "alert_suppression",
    "language"
  ]],
  ["threat_match", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "query", "threat_query", "threat_mapping", "threat_index", "index", "data_view_id",
    "filters", "saved_id", "threat_filters", "threat_indicator_path", "threat_language",
    "concurrent_searches", "items_per_search", "alert_suppression", "language"
  ]],
  ["machine_learning", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "anomaly_threshold", "machine_learning_job_id", "alert_suppression"
  ]],
  ["new_terms", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "type", "query", "new_terms_fields", "history_window_start", "index", "data_view_id", "filters",
    "alert_suppression", "language"
  ]],
  ["esql", [
    "name", "description", "risk_score", "severity", "rule_name_override", "timestamp_override",
    "timestamp_override_fallback_disabled", "timeline_id", "timeline_title", "license", "note",
    "building_block_type", "investigation_fields", "version", "tags", "enabled", "risk_score_mapping",
    "severity_mapping", "interval", "from", "to", "exceptions_list", "author", "false_positives",
    "references", "max_signals", "threat", "setup", "related_integrations", "required_fields",
    "alert_suppression", "type", "language", "query"
  ]]
])
```
</details>

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: kibanamachine <[email protected]>
gergoabraham pushed a commit to gergoabraham/kibana that referenced this issue on Sep 13, 2024
markov00 pushed a commit to markov00/kibana that referenced this issue on Sep 18, 2024
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
## Summary

Two fields have been left out of the Prebuilt Rules upgrade workflows and should be added:

- InvestigationFields
- AlertSuppression: is actually two different fields:
  - AlertSuppression for all rule types except Threshold
  - ThresholdAlertSuppression for Threshold rule types

To completely add these fields to the Upgrade Workflow the following sections in the codebase need to be edited:

- /upgrade/_review endpoint
- /upgrade/_perform endpoint
- /upgrade/_perform endpoint request payload types
- UI
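The two pieces described in the commit message above (a per-rule-type map of upgradable fields built from shared and type-specific field lists, and a per-field `FieldUpgradeSpecifier` resolved against `BASE`, `CURRENT`, `TARGET` and `MERGED` versions) together with the point made in the summary (alert suppression being two differently shaped fields), as an added TypeScript example that is not Kibana's code. Kibana derives its real map from the Zod schemas `BaseCreateProps` and `TypeSpecificFields` and validates the `/upgrade/_perform` payload with Zod; here plain key lists and hand-written checks stand in so the example runs with no dependencies. The rule types, field lists, the `FieldUpgradeSpecifier` shape, the alert suppression shapes and the three-way merge rules are assumptions chosen for illustration, not the project's definitions.

```typescript
// Added example, not Kibana code. Rule types, field lists, field shapes and merge
// rules below are assumptions for illustration only.

type RuleType = 'query' | 'threshold' | 'eql';

// Fields every rule type shares (assumed subset of BaseCreateProps).
const BASE_CREATE_PROPS: readonly string[] = [
  'name', 'description', 'risk_score', 'investigation_fields', 'alert_suppression',
];

// Fields that only exist for a given rule type (assumed subset of TypeSpecificFields).
const TYPE_SPECIFIC_FIELDS: Record<RuleType, readonly string[]> = {
  query: ['type', 'query', 'language', 'index'],
  threshold: ['type', 'query', 'language', 'index', 'threshold'],
  eql: ['type', 'query', 'language', 'index', 'event_category_override'],
};

// Built once from the two inputs, so adding a rule type or a field to them
// updates the map without editing it by hand.
function buildUpgradableFieldsMap(): Map<RuleType, Set<string>> {
  const map = new Map<RuleType, Set<string>>();
  for (const ruleType of Object.keys(TYPE_SPECIFIC_FIELDS) as RuleType[]) {
    map.set(ruleType, new Set([...BASE_CREATE_PROPS, ...TYPE_SPECIFIC_FIELDS[ruleType]]));
  }
  return map;
}
export const UPGRADABLE_RULE_FIELDS_BY_TYPE = buildUpgradableFieldsMap();

type PickableVersion = 'BASE' | 'CURRENT' | 'TARGET' | 'MERGED';
// Hypothetical FieldUpgradeSpecifier: pick one computed version, or send an
// explicit RESOLVED value.
export type FieldUpgradeSpecifier<T> = { pick_version: PickableVersion } | { resolved_value: T };

export interface FieldVersions<T> {
  base?: T;   // stock value of the installed prebuilt version (may be unknown)
  current: T; // what is installed now, possibly customized by the user
  target: T;  // value shipped with the new prebuilt rule version
}

const same = (a: unknown, b: unknown): boolean => JSON.stringify(a) === JSON.stringify(b);

// Three-way merge for one field (assumed rules). The property that matters is
// that a user customization is never silently overwritten by the vendor update.
export function mergeField<T>(v: FieldVersions<T>): { merged: T; conflict: boolean } {
  if (same(v.current, v.target)) return { merged: v.current, conflict: false };
  if (v.base === undefined) return { merged: v.current, conflict: true };     // cannot tell who changed it
  if (same(v.base, v.current)) return { merged: v.target, conflict: false };  // never customized: take update
  if (same(v.base, v.target)) return { merged: v.current, conflict: false };  // only the user changed it
  return { merged: v.current, conflict: true };                               // both changed: keep user's, flag it
}

// alert_suppression is two different fields: threshold rules only carry a
// duration, every other type groups by fields (assumed shapes).
export function validateAlertSuppression(ruleType: RuleType, value: unknown): void {
  const v = value as Record<string, unknown> | null;
  if (typeof v !== 'object' || v === null) throw new Error('alert_suppression must be an object');
  if (ruleType === 'threshold') {
    if (!('duration' in v) || 'group_by' in v) {
      throw new Error('threshold rules take ThresholdAlertSuppression { duration }');
    }
  } else if (!Array.isArray(v.group_by) || v.group_by.length === 0) {
    throw new Error('non-threshold rules take AlertSuppression { group_by: [...] }');
  }
}

// Resolves one field of an /upgrade/_perform-style request. Rejects fields the
// rule type cannot upgrade before looking at any value the client sent.
export function resolveField<T>(
  ruleType: RuleType, field: string, versions: FieldVersions<T>, spec: FieldUpgradeSpecifier<T>,
): T {
  if (!UPGRADABLE_RULE_FIELDS_BY_TYPE.get(ruleType)?.has(field)) {
    throw new Error(`"${field}" is not an upgradable field for rule type "${ruleType}"`);
  }
  let value: T;
  if ('resolved_value' in spec) {
    value = spec.resolved_value;
  } else {
    const { merged, conflict } = mergeField(versions);
    switch (spec.pick_version) {
      case 'BASE':
        if (versions.base === undefined) throw new Error(`"${field}" has no BASE version`);
        value = versions.base; break;
      case 'CURRENT': value = versions.current; break;
      case 'TARGET': value = versions.target; break;
      case 'MERGED':
        if (conflict) throw new Error(`"${field}" has a conflict; pick a version or send resolved_value`);
        value = merged; break;
      default: throw new Error('unknown pick_version');
    }
  }
  if (field === 'alert_suppression') validateAlertSuppression(ruleType, value);
  return value;
}
```

The check worth noticing is the first one in `resolveField`: a client cannot smuggle in a value for a field that is not upgradable for that rule type (for example `threshold` on a `query` rule), and a `MERGED` pick is refused when the user's customization and the new prebuilt version disagree, so the caller has to choose a version explicitly or send a `resolved_value`, which is then shape-checked against the rule type.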