[Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 4 (DRAFT)

[banderror]

Epic: https://github.com/elastic/security-team/issues/1974 (internal)
Milestones: << • >>

Status: Draft.

Summary

Milestone 4: Improve prebuilt rule customization, upgrade, and installation UX.

This meta ticket is created to simplify tracking of various tickets related to the epic, and to make this public information so our users can track the progress.

Useful info:

• RFC: Prebuilt Rules Customization - a new technical design document describing in detail how prebuilt rule customization should work and affect other existing features.
• Prebuilt Rules Customization Technical Design - an older document from Milestone 1.

Prebuilt rule customization workflow

Rule management and details UX enhancements

Preview Give feedback

1. [Security Solution] Add a filter for customized prebuilt rules to the Rules table #205161
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Consultation UX: UI/UX Designs enhancement needs product +8
   
2. [Security Solution] Rule Details page: show what fields are customized and what are these customizations exactly #207172
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Designs +5
   
3. Ability to reset customizations and revert back to the base version https://github.com/elastic/security-team/issues/2841

Rule creation and editing independently of source data

Preview Give feedback

1. [Security Solution] Editing rules independently of source data #180407
   2 of 6
   Feature:Prebuilt Detection Rules Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp enhancement +8
2. [Security Solution] Allow editing alert suppression settings independently of source data #207244
   Feature:Prebuilt Detection Rules Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement +7
3. https://github.com/elastic/security-team/issues/10215

Rule creation and editing validation improvements

Preview Give feedback

1. [Security Solution] Editing rules independently of source data: improve validation errors UX #191832
   Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp needs design needs product +7
   
2. Add BE-side validation for ESQL query field
3. Add BE-side validation for EQL query field
4. Add BE-side validation for KQL query field

Prebuilt rule installation workflow

Rule installation UX enhancements

Preview Give feedback

1. [Security Solution] Include namespace of source indices in index patterns of prebuilt rules #183616
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement needs product +6
   

Prebuilt rule upgrade workflow

Rule upgrade UX enhancements

Preview Give feedback

1. [Security Solution] Show callouts when new prebuilt rules or rule updates are available #160270
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +4
2. [Security Solution] Implement filtering of Rule Installation and Rule Upgrade tables by Elastic Rules and Customized Elastic rules (DRAFT) #180396
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp triage_needed +5
3. [Security Solution] Inform users about missing base versions during prebuilt rule upgrade #186880
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Consultation enhancement +6
   
4. Implement a preview of the applied changes in the Rule Upgrade Flyout and show it before calling the upgrade/_perform API endpoint
5. [Security Solution] Indicate conflicting rules in the Rule Upgrade table #190500
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Designs needs product +6
   
6. [Security Solution] Implement UI for updating prebuilt rule to a new rule type (proper solution) #203145
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Designs enhancement needs product +7
   
7. [Security Solution] Closing Rule Upgrade Flyout while editing a field discards form changes #206321
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low +6
8. https://github.com/elastic/security-team/issues/8994
9. [Security Solution] Filter/sort Rule Updates table by enabled rules, show which rules are enabled #207233
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Designs +5
   
10. [Security Solution] Indicate rules with available updates in the Installed rules table and rule details page #207229
    Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp UX: UI/UX Designs +5
    
11. [Security Solution] Declutter the ThreeWayDiff UI #208177
    Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement needs design needs product +7
    

Rule upgrade, diff algorithms

Preview Give feedback

1. [Security Solution] Implement array of objects diff algorithm #180161
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement +5
   
2. [Security Solution] Implement MITRE ATT&CK® field diff algorithm #187660
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement +5
   
3. [Security Solution] Implement query filters diff algorithm #190241
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp enhancement +5
   
4. [Security Solution] Assign proper diff algorithms to all rule fields #148191
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +4
   

"Last Updated" field in the UI

Preview Give feedback

1. [FR] Add source_updated_at to Rule Schema as a Build Time Field detection-rules#2826
   backlog enhancement v8.10 +3
2. [Security Solution] Add source_updated_at field to PrebuiltRuleAsset #176286
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +4
3. [Security Solution] Add source_updated_at field to RuleResponse via ResponseFields #174740
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +4
4. [Security Solution] [Prebuilt Rules Customization] Add "Last Updated" column in the Add Elastic Rules and Rule Updates tables #174767
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management +3

Prebuilt rule import/export workflow

Rule import/export UX enhancements

Preview Give feedback

No tasks being tracked yet.

Bugs

Bugs: rule editing and customization

Preview Give feedback

No tasks being tracked yet.

Bugs: rule installation

Preview Give feedback

No tasks being tracked yet.

Bugs: rule upgrade general issues

Preview Give feedback

No tasks being tracked yet.

Bugs: rule upgrade field-specific issues

Preview Give feedback

No tasks being tracked yet.

Bugs: rule installation and upgrade

Preview Give feedback

1. [Security Solution] Installing prebuilt rules by 2 users at the same time causes rules to be duplicated (DRAFT) #180196
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug triage_needed +6
2. [Security Solution] Prebuilt rules being duplicated on upgrade #174847
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high +6
3. [Security Solution] Rule Update failure on 8.13 from 7.17.18 #177852
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +6
   
4. [Security Solution] Error when upgrading a rule that has an action referencing a deleted connector #198771
   Feature:Prebuilt Detection Rules Feature:Rule Actions Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium needs product sdh-linked +9
5. [Security Solution] Rule is not updated and is followed by 'Rule failed to update' message when user attempts to upgrade a rule linked to a deleted shared exception list #198845
   Feature:Prebuilt Detection Rules Feature:Rule Exceptions Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +7
6. [Security Solution] Placeholder “Semver” Appears in the Related Integrations “Version” Text Field in Rule Upgrade Flyout #200079
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low +6
7. [Security Solution] Changes in Final Column Persist After Dismissal but Are Lost Upon Navigating Tabs #202799
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low +6
8. [Security Solution] Inconsistent naming for prebuilt rules across rule installation and flows #202783
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low ui-copy +7
   
9. [Security Solution] Upgrading a prebuilt rule with exceptions succeeds on the 2nd attempt #203012
   8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +7
   
10. [Security Solution] Auto-merge ignores incoming rule changes for rule query fields #202185
    8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +7
    
11. [Security Solution] Tags filter in updates table does not reflect newly added tags #206655
    Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low needs product +7
12. [Security Solution] Update flyout does not display customized fields for rules with type changes #206649
    Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +6

Bugs: rule import and export

Preview Give feedback

1. [Security Solution] Users can import custom rules with rule_id equal to that of a not-installed prebuilt rule #180198
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium +6
2. [Security Solution] Rule import creates extra rules while importing a large number of rules #176207
   Feature:Rule Import/Export Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high +7
   
3. [Security Solution] Prevent creation of rules with the same rule_id when importing rules concurrently #177283
   Feature:Rule Import/Export Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high +6
4. [Security Solution] Error when exporting a rule that has an action referencing a deleted connector #178221
   Feature:Rule Actions Feature:Rule Import/Export Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:medium needs product +8
5. https://github.com/elastic/security-team/issues/8644

Bugs: misc

Preview Give feedback

1. [Security Solution] Large number of related integrations can impact performance on rule creation/edit form #183607
   Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp bug impact:medium performance +9
   
2. [Security Solution] See what's new in Prebuilt Security Detection Rules link on Add Elastic Rules page works with clicking anywhere on the blank space available on the right side of the page. #194275
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:low +6
3. [Security Solution] Inconsistent Behavior When Saving Additional Look-Back Time #206494
   Feature:Rule Creation Feature:Rule Edit Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp bug impact:low +8

Technical improvements and debt

Schema migration from immutable to rule_source

Preview Give feedback

1. [Security Solution] Detection rule migration mechanism #187651
   Feature:Alerting/RulesFramework Feature:Rule Management Team: SecuritySolution Team:Detection Engine Team:Detection Rule Management Team:Detections and Resp Team:ResponseOps +7
2. [Security Solution] Migrate security rules encrypted saved objects to new schema with ruleSource field (BLOCKED) #184113
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp blocked +5
3. [Security Solution] Update rule searching to search by rule_source (BLOCKED) #180126
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp blocked +5
4. [Security Solution] Mark immutable as optional in the internal rule schema and stop writing it to rules (BLOCKED) #182573
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp blocked +5
5. [Security Solution] Deprecate the immutable field (DRAFT)(BLOCKED) #180269
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp triage_needed +5

Fleet package with prebuilt rules

Preview Give feedback

1. [FR] [Implementation] Smart Limits for Detection Rules detection-rules#4388
   Team: TRADE community enhancement +3
   
2. [Security Solution] Implement reliable tests to catch OOMs during rules package installation #188090
   8.18 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp rca-action technical debt v8.18.0 +8
   
3. [Security Solution] Alternative mechanism for distributing prebuilt rules #187649
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp needs product +5
4. [Security Solution] Splitting the package with prebuilt rules #187648
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp needs product +5
5. Support "content-only" integrations package-spec#351
   Team:Ecosystem discuss +2

Refactoring

Preview Give feedback

1. [Security Solution] Create types or tests to link Rule Schema and Diffable Rule schema #194484
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +4
   
2. [Security Solution] Apply same defaults values in extractDiffableCommonFields as in convertCreateAPIToInternalSchema #180165
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring +5
   
3. [Security Solution] DetectionRulesClient refactoring. Part 3 #187656
   Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp refactoring +5
4. [Security Solution] Implement a Zod transformation from snake_case to camelCase and vice versa #180121
   Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp technical debt +4
5. [Security Solution] Improve rule diff algorithm performance by splitting diff calculation into async chunks #180164
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp performance refactoring +6
   

Tests

Preview Give feedback

1. [Security Solution] Move existing test plans of Rules Management team from Google docs to Kibana repo #180451
   Feature:Rule Management Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp technical debt test-plan +6
   
2. [Security Solution] Write tests for filtering, sorting, pagination in the Rule Installation and Upgrade tables #166215
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp technical debt test-coverage +6

Performance

Preview Give feedback

1. [Security Solution] /upgrade/_perform performance improvements #199101
   Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp performance +5
2. [Security Solution] Create asynchronous rules import API #195633
   Feature:Prebuilt Detection Rules Feature:Rule Import/Export Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp +5
3. Import API: revisit [Security Solution] Move calculation of rule source outside of applyRuleUpdate #199720 and reimplement properly from the software design standpoint
4. Import API: implement bulk rule creation / updates in the RulesClient and use it in the import endpoint
5. [Security Solution] Add pagination to the upgrade/_review endpoint #208361
   9.1 candidate Feature:Prebuilt Detection Rules Team: SecuritySolution Team:Detection Rule Management Team:Detections and Resp bug impact:high performance +8

Misc

Preview Give feedback

No tasks being tracked yet.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)