Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Security Solution] Fix inability to unset optional field values (
elastic#204231) (elastic#205041) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Fix inability to unset optional field values (elastic#204231)](elastic#204231) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2024-12-20T12:26:50Z","message":"[Security Solution] Fix inability to unset optional field values (elastic#204231)\n\n**Resolves: https://github.com/elastic/kibana/issues/203634**\r\n\r\n## Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges here cover 3 groups of fields optional, string fields allowing\r\nempty strings and array fields allowing empty arrays. It was verified\r\nthat fields in that groups allow to unset the value.\r\n\r\nThe following issues were fixed\r\n- inability to set an empty string or `setup` and `note` fields\r\nIt required adding `stripEmptyFields: false` for rule upgrade fields\r\nedit form.\r\n- inability to unset `timestamp_override` field\r\n Timestamp override form deserializer was fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression was excluded from special special fields list always\r\nupgrading to the current value. It's expected Alert Suppression won't be\r\nincluded in Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to get this setting and have it included in rule upgrade flyout\r\nis editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe following fields were verified and fixed where necessary\r\n\r\n### Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅ `rule_name_override`\r\n-⚠️ `timestamp_override` (field's form deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅ `building_block`\r\n-⚠️ `alert_suppression` (the field was excluded from special special\r\nfields list always upgrading to the current value)\r\n- ✅ `threat_indicator_path` (empty value resets to default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty strings\r\n\r\n-⚠️ `note` (required adding `stripEmptyFields: false` to the form)\r\n-⚠️ `setup` (required adding `stripEmptyFields: false` to the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅ `tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n- ✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅ `severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n## Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09 15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n## How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Customize one or more rules (change fields to see them in rule upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset field values\r\n- Upgrade rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","impact:high","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0"],"title":"[Security Solution] Fix inability to unset optional field values","number":204231,"url":"https://github.com/elastic/kibana/pull/204231","mergeCommit":{"message":"[Security Solution] Fix inability to unset optional field values (elastic#204231)\n\n**Resolves: https://github.com/elastic/kibana/issues/203634**\r\n\r\n## Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges here cover 3 groups of fields optional, string fields allowing\r\nempty strings and array fields allowing empty arrays. It was verified\r\nthat fields in that groups allow to unset the value.\r\n\r\nThe following issues were fixed\r\n- inability to set an empty string or `setup` and `note` fields\r\nIt required adding `stripEmptyFields: false` for rule upgrade fields\r\nedit form.\r\n- inability to unset `timestamp_override` field\r\n Timestamp override form deserializer was fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression was excluded from special special fields list always\r\nupgrading to the current value. It's expected Alert Suppression won't be\r\nincluded in Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to get this setting and have it included in rule upgrade flyout\r\nis editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe following fields were verified and fixed where necessary\r\n\r\n### Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅ `rule_name_override`\r\n-⚠️ `timestamp_override` (field's form deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅ `building_block`\r\n-⚠️ `alert_suppression` (the field was excluded from special special\r\nfields list always upgrading to the current value)\r\n- ✅ `threat_indicator_path` (empty value resets to default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty strings\r\n\r\n-⚠️ `note` (required adding `stripEmptyFields: false` to the form)\r\n-⚠️ `setup` (required adding `stripEmptyFields: false` to the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅ `tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n- ✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅ `severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n## Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09 15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n## How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Customize one or more rules (change fields to see them in rule upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset field values\r\n- Upgrade rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/204231","number":204231,"mergeCommit":{"message":"[Security Solution] Fix inability to unset optional field values (elastic#204231)\n\n**Resolves: https://github.com/elastic/kibana/issues/203634**\r\n\r\n## Summary\r\n\r\nThis PR fixes bugs blocking unsetting optional rule field values in rule\r\nupgrade workflow.\r\n\r\n## Details\r\n\r\nChanges here cover 3 groups of fields optional, string fields allowing\r\nempty strings and array fields allowing empty arrays. It was verified\r\nthat fields in that groups allow to unset the value.\r\n\r\nThe following issues were fixed\r\n- inability to set an empty string or `setup` and `note` fields\r\nIt required adding `stripEmptyFields: false` for rule upgrade fields\r\nedit form.\r\n- inability to unset `timestamp_override` field\r\n Timestamp override form deserializer was fixed.\r\n- inability to unset `alert_suppression`\r\nAlert Suppression was excluded from special special fields list always\r\nupgrading to the current value. It's expected Alert Suppression won't be\r\nincluded in Prebuilt Rules delivered in prebuilt rules packages. The\r\nonly way to get this setting and have it included in rule upgrade flyout\r\nis editing a prebuilt rule by a user with a sufficient licence.\r\n\r\nThe following fields were verified and fixed where necessary\r\n\r\n### Optional fields\r\n\r\n- ✅ `investigation_fields`\r\n- ✅ `rule_name_override`\r\n-⚠️ `timestamp_override` (field's form deserializer was fixed)\r\n- ✅ `timeline_template`\r\n- ✅ `building_block`\r\n-⚠️ `alert_suppression` (the field was excluded from special special\r\nfields list always upgrading to the current value)\r\n- ✅ `threat_indicator_path` (empty value resets to default\r\n`threat.indicator`)\r\n\r\n### String fields allowing empty strings\r\n\r\n-⚠️ `note` (required adding `stripEmptyFields: false` to the form)\r\n-⚠️ `setup` (required adding `stripEmptyFields: false` to the form)\r\n\r\n### Array fields allowing empty arrays\r\n\r\n- ✅ `tags`\r\n- ✅ `references`\r\n- ✅ `false_positives`\r\n- ✅ `threat`\r\n- ✅ `related_integrations`\r\n- ✅ `required_fields`\r\n- ✅ `severity_mapping`\r\n- ✅ `risk_score_mapping`\r\n\r\n## Screenshots\r\n\r\n![Screenshot 2024-12-17 at 09 15\r\n14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)\r\n\r\n\r\nhttps://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2\r\n\r\n## How to test?\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to\r\n`kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Customize one or more rules (change fields to see them in rule upgrade\r\nworkflow)\r\n- Open Rule upgrade for the rule(s)\r\n- Unset field values\r\n- Upgrade rule(s)\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"54989a519260397f26694be0db1913a7468b40cb"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
- Loading branch information