Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Detection rule migration mechanism #187651

Open
Tracked by #179907
banderror opened this issue Jul 5, 2024 · 7 comments
Open
Tracked by #179907

[Security Solution] Detection rule migration mechanism #187651

banderror opened this issue Jul 5, 2024 · 7 comments
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Engine Security Solution Detection Engine Area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@banderror
Copy link
Contributor

banderror commented Jul 5, 2024
edited
Loading

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Blocker for: #184113
Related to: #50216

Summary

This is our own ticket to track the development of a mechanism for migrating rules in the Alerting Framework. The ResponseOps team tracks it in #50216.

In Security Solution, we can use this ticket to plan our own work on the mechanism, e.g. we can contribute to its design, propose any solutions, or open an RFC.
@banderror banderror added triage_needed Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:Detection Rule Management Security Detection Rule Management Team Team:Detection Engine Security Solution Detection Engine Area labels Jul 5, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@banderror banderror mentioned this issue Jul 5, 2024
Open
@banderror banderror changed the title [Security Solution] Detection rule migration mechanism [Security Solution] Detection rule migration mechanism (DRAFT) Jul 5, 2024
@banderror banderror mentioned this issue Jul 5, 2024
Open
@banderror banderror changed the title [Security Solution] Detection rule migration mechanism (DRAFT) [Security Solution] Detection rule migration mechanism Jul 5, 2024
@banderror banderror mentioned this issue Jul 5, 2024
Open
@marshallmain
Copy link
Contributor

marshallmain commented Jul 9, 2024
edited
Loading

After discussing with @approksiu we see 3 potential new fields that we might want to add to rules soon (exact parameter names tbd):

  • rule_source.repo: in Detections as Code we envision allowing users to connect external repositories of rules, either from VCS or other spaces or clusters, in addition to the Elastic prebuilt rules. This field would keep track of which external repository a rule is associated with. It's a net new field and we should be able to work around not having migrations by assuming that the repo is "elastic prebuilt rules" if a rule is immutable and the repo field is not populated.
  • suppression.enabled: Some users have asked for prebuilt rules to come with suppression settings preconfigured, with a switch to just turn suppression on or off. An enabled flag for suppression would be a natural way to do this. We should be able to add the new enabled field and assume it is true if the field is not set.
  • rule_lifecycle: A new metadata field for describing if the rule is in development, testing, prod, etc. As metadata this would be optional and not require any extra effort to workaround migrations.

As these 3 are net new fields and we do not see a near term use case where rule migrations are a hard blocker, I think it's appropriate to prioritize Alerting Scale++ over rule migrations. However, rule migrations would be useful for rule_source.repo and suppression.enabled so we can manage and reduce overall complexity by removing assumptions that we must make when the field is not present.

cc @kobelb - in summary, I'm comfortable giving rule migrations lower priority than Alerting Scale++.

@kobelb
Copy link
Contributor

kobelb commented Jul 9, 2024

@marshallmain thank you for tracking down the product needs so quickly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Engine Security Solution Detection Engine Area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kobelb @banderror @elasticmachine @marshallmain