[Security Solution] Handle specific fields in the upgrade workflow's UI

[jpdjere]

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Depends on: #171520
PR that adds versions to flyout header: #206636

Summary

Based on the discussions that took place in #147239, we need to treat different rule fields in different ways in the context of the upgrade workflow.

For each field we must decide if Should the field be manually hidden and never appear as a diff in the Per Field UI?: (only fields part of DiffableAllFields will display)

• ✏️ : should be manually hidden in the UI
• ➖ : irrelevant, field not returned in the /upgrade/_review (now or after changes marked as needed in this ticket)
• ❗ : needs to display in the diff UI, but read-only
• ✅ : needs to display in the diff UI

Field list

Field name	Hidden in UI?
id	➖
rule_source	➖
immutable	➖
version	❗
revision	➖
enabled	➖
execution_summary	➖
alert_suppression*	➖
actions	➖
throttle	➖
response_actions	➖
meta	➖
output_index	➖
namespace	➖
alias_purpose	➖
alias_target_id	➖
outcome	➖
created_at	➖
created_by	➖
updated_at	➖
updated_by	➖
author	✏️
license	✏️
concurrent_searches (IM Rules)	➖
items_per_search (IM Rules)	➖
rule_id	✏️
name	✅
tags	✅
description	✅
severity	✅
severity_mapping	✅
risk_score	✅
risk_score_mapping	✅
references	✅
false_positives	✅
threat	✅
note	✅
setup	✅
related_integrations	✅
required_fields	✅
max_signals	✅
building_block_type	✅
from (rule_schedule)	✅
interval (rule_schedule)	✅
exceptions_list*	✅
rule_name_override	✅
timestamp_override	✅
timestamp_override_fallback_disabled	✅
timeline_id (timeline_template)	✅
timeline_title (timeline_template)	✅
index (data_source)	✅
data_view_id (data_source)	✅
query	✅
language	✅
filters	✅
saved_id	✅
machine_learning_job_id (ML Rules)	✅
anomaly_threshold (ML Rules)	✅
threat_filters (IM Rules)	✅
threat_query (IM Rules)	✅
threat_mapping (IM Rules)	✅
threat_language (IM Rules)	✅
threat_index (IM Rules)	✅
threat_indicator_path (IM Rules)	✅
new_terms_fields (New Terms Rules)	✅
history_window_start (New Terms Rules)	✅

General notes

• All references to "displaying fields diffs in the UI" in the ticket description refer exclusively to the Per Field Diff UI, which will be expanded to display the Three Way Diff upgrade flow. The JSON Diff won't be used anymore for it's current use (an alternative to displaying -more or less- the same data), but the React components we created could be reused to create the Final Preview view that will be used as the final step of the Three-Way Update workflow.

Notes on fields

1. exceptions_list: The Endpoint Security rule includes an exception list value, so this update/customization case needs to be handled. (That's the only prebuilt rule with an exception list as of now)
2. enabled: must be part of Prebuilt Asset schema as some important rules have their default value set to true. But it's not part of the diffing logic anyways, so it will not appear in the UI.
3. The concurrent_searches and items_per_search are part of the diffing logic, but they will have their own specialized diff algorithms that will ensure that the UI never shows them. The /upgrade/_perform endpoint will update to the current version by default, unless specific values for them are passed in the endpoint payload.

Work left over from this ticket

• Handling fields in the /upgrade/_perform endpoint. All of this needs to be done after the refactoring of the endpoint handler is done. As of now, it always installs the full target version, so the changes needed are not possible now. Moving the work to a separate ticket.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[banderror]

@jpdjere Thank you, I updated the label to 8.16 -- think it should be addessed right after #171520

[maximpn]

@approksiu,

This ticket requires handling specific fields. Currently we have the following specific fields always upgrading to current

• author
• license
• version

These fields aren't show in UI. We could display them in the header. Do we still need them for Milestone 3?

[approksiu]

@maximpn

These fields aren't show in UI.

Do you mean Update UI or the rule details?

[maximpn]

@approksiu

It concerns Rule Upgrade Flyout in particular. author, license and version aren't customizable and always get upgraded to Elastic provided value. Rule edit form shows author and license inputs as disabled for prebuilt rules. version is a technical field denoting rule version. We use it to determine whether a rule has an upgrade.

[approksiu]

We have discussed this with @ARWNightingale.

1. We suggest not to show author/licence in the Updates tab of the Rule Update flyout at the moment - these fields will not likely to change (and if they do, they should appear in the diff as read-only), we want user to focus on the task at hand - reviewing the updates. Also this information is available in the JSON and Overview tabs.
2. We have a suggestion on how to show version in the header, @ARWNightingale will add a mock for it soon.
   cc @maximpn

[nikitaindik]

@ARWNightingale Please ping me once there's a mock for version in the header

[ARWNightingale]

@nikitaindik I have updated the design file with the copy and here is a screen shot too.

[nikitaindik]

I've added the version display in this PR.

Here's how it looks:

[nikitaindik]

Closing the issue since all the fields are now handled