[Security Solution] Remove exceptions_list, author and license from Diffable Rule #196213

Closed
Tracked by #174168
jpdjere opened this issue Oct 14, 2024 · 3 comments · Fixed by #196561
Labels
8.16 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0

Comments

jpdjere commented Oct 14, 2024

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168

Also see related Slack discussion: https://elastic.slack.com/archives/C02HA9E8221/p1728997234244849

Currently, the fields exceptions_list, author and license are part of the DiffableRule definition. This means that:

  • the field diffs are currently displayed in the current diffs in the Rule Upgrade UI in the flyout
  • they would be shown in the new Three Way Diff component as fields to update

However, since we decided in #186544 that these fields would need to be always updated to their CURRENT version, or TARGET version (author and license), it makes no sense for them to be displayed in the Three Way Diff component during Rule Upgrade. Also, no Prebuilt Rules contain exceptions_list.

Therefore, exclude them from the DiffableRule definition.

This will:

  • prevent them from appearing in the Three Way Diff component
  • prevent them from being able to be passed as a value in the fields object of the /upgrade/_perform endpoint to set a specific pick_version for it (NOTE: the current logic already forces exceptions_list to upgrade to the CURRENT version, but removing it from DiffableRule will completely remove it from the payload schema, and the endpoint will then throw a validation error if included, rather than silently ignoring it)
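The NOTE above is the security-relevant point: a field that is silently overridden looks honoured to the caller, while a field that is absent from the schema fails validation. The following is an added example, not Kibana's or the PR's code; it contrasts the lenient behaviour with the fail-closed behaviour the change produces. The DiffableRule field names, the BASE/MERGED pick_version values and the forced-version table are assumptions for illustration.

```typescript
// Added example, not Kibana's own code: it models how the `fields` object sent to
// /upgrade/_perform is validated before and after exceptions_list, author and
// license are dropped from DiffableRule. Field names, the BASE/MERGED values and
// the forced-version table are assumptions used only for illustration.

// Illustrative subset of the fields that remain in DiffableRule.
const DIFFABLE_RULE_FIELDS: ReadonlySet<string> = new Set(["name", "description", "tags", "risk_score"]);

// Fields this issue removes; the server always resolves them itself.
const FORCED_FIELDS: ReadonlyMap<string, string> = new Map([
  ["exceptions_list", "CURRENT"], // kept at the installed (CURRENT) version
  ["author", "TARGET"],           // taken from the package (TARGET) version
  ["license", "TARGET"],
]);

const PICK_VERSIONS: ReadonlySet<string> = new Set(["BASE", "CURRENT", "TARGET", "MERGED"]);

interface FieldPick { pick_version: string }
interface ValidationResult { ok: boolean; errors: string[]; fields: Record<string, FieldPick> }

function isFieldPick(v: unknown): v is FieldPick {
  const pv = (v as { pick_version?: unknown } | null)?.pick_version;
  return typeof v === "object" && v !== null && PICK_VERSIONS.has(String(pv));
}

// Before: a forced field is accepted and its pick_version silently replaced, so
// the caller believes its choice was honoured when it was not.
function validateFieldsLenient(input: Record<string, unknown>): ValidationResult {
  const out: ValidationResult = { ok: true, errors: [], fields: {} };
  for (const [key, value] of Object.entries(input)) {
    if (!isFieldPick(value)) { out.ok = false; out.errors.push(`${key}: invalid pick_version`); continue; }
    const forced = FORCED_FIELDS.get(key);
    out.fields[key] = forced ? { pick_version: forced } : value;
  }
  return out;
}

// After: any key outside DiffableRule fails validation up front, so a client
// still sending exceptions_list/author/license gets an explicit error instead
// of a request that looks honoured but is not.
function validateFieldsStrict(input: Record<string, unknown>): ValidationResult {
  const out: ValidationResult = { ok: true, errors: [], fields: {} };
  for (const [key, value] of Object.entries(input)) {
    if (!DIFFABLE_RULE_FIELDS.has(key)) { out.ok = false; out.errors.push(`${key}: not a DiffableRule field`); continue; }
    if (!isFieldPick(value)) { out.ok = false; out.errors.push(`${key}: invalid pick_version`); continue; }
    out.fields[key] = value;
  }
  return out;
}
```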
@jpdjere jpdjere added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team triage_needed labels Oct 14, 2024
@jpdjere jpdjere self-assigned this Oct 14, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@jpdjere jpdjere added 8.16 candidate and removed bug Fixes for quality problems that affect the customer experience labels Oct 14, 2024
@jpdjere jpdjere changed the title [Security Solution] Remove exceptions_list and alert_suppression from Diffable Rule [Security Solution] Remove exceptions_list from Diffable Rule Oct 15, 2024
@jpdjere jpdjere changed the title [Security Solution] Remove exceptions_list from Diffable Rule [Security Solution] Remove exceptions_list, author and license from Diffable Rule Oct 15, 2024
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 18, 2024
…from Diffable Rule (elastic#196561)

Resolves: elastic#196213

## Summary

Excludes the fields `exceptions_list`, `author` and `license` from the
`DiffableRule` definition.

This will:

- prevent them from appearing in the Three Way Diff component
- prevent them from being able to be passed as a value in the `fields`
object of the `/upgrade/_perform` endpoint to set a specific
`pick_version` for it (NOTE: the current logic already forces
`exceptions_list` to upgrade to the CURRENT version, but removing it
from DiffableRule will completely remove it from the payload schema,
and the endpoint will then throw a validation error if included, rather
than silently ignoring it)

## Screenshots

### Before

![image](https://github.com/user-attachments/assets/aacd0b43-bb29-46d0-990d-c669224c1451)

### After

![image](https://github.com/user-attachments/assets/e568ca7f-03fc-42d6-8879-d3f23558ae9d)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

(cherry picked from commit 716fdb2)
@banderror banderror added Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area v8.16.0 and removed triage_needed labels Oct 21, 2024