[Security Solution] Handle specific fields in the upgrade workflow's UI #188065
Labels
8.18 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.18.0
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Depends on: #171520
Summary
Based on the discussions that took place in #147239, we need to treat different rule fields in different ways in the context of the upgrade workflow.
For each field we must decide if Should the field be manually hidden and never appear as a diff in the Per Field UI?: (only fields part of
DiffableAllFields
will display)/upgrade/_review
(now or after changes marked as needed in this ticket)Field list
id
rule_source
immutable
version
revision
enabled
execution_summary
alert_suppression
*actions
throttle
response_actions
meta
output_index
namespace
alias_purpose
alias_target_id
outcome
created_at
created_by
updated_at
updated_by
author
license
concurrent_searches
(IM Rules)items_per_search
(IM Rules)rule_id
name
tags
description
severity
severity_mapping
risk_score
risk_score_mapping
references
false_positives
threat
note
setup
related_integrations
required_fields
max_signals
building_block_type
from
(rule_schedule)interval
(rule_schedule)exceptions_list
*rule_name_override
timestamp_override
timestamp_override_fallback_disabled
timeline_id
(timeline_template)timeline_title
(timeline_template)index
(data_source)data_view_id
(data_source)query
language
filters
saved_id
machine_learning_job_id
(ML Rules)anomaly_threshold
(ML Rules)threat_filters
(IM Rules)threat_query
(IM Rules)threat_mapping
(IM Rules)threat_language
(IM Rules)threat_index
(IM Rules)threat_indicator_path
(IM Rules)new_terms_fields
(New Terms Rules)history_window_start
(New Terms Rules)General notes
Notes on fields
Endpoint Security
rule includes an exception list value, so this update/customization case needs to be handled. (That's the only prebuilt rule with an exception list as of now)true
. But it's not part of the diffing logic anyways, so it will not appear in the UI.concurrent_searches
anditems_per_search
are part of the diffing logic, but they will have their own specialized diff algorithms that will ensure that the UI never shows them. The/upgrade/_perform
endpoint will update to thecurrent
version by default, unless specific values for them are passed in the endpoint payload.Work left over from this ticket
/upgrade/_perform
endpoint. All of this needs to be done after the refactoring of the endpoint handler is done. As of now, it always installs the full target version, so the changes needed are not possible now. Moving the work to a separate ticket.The text was updated successfully, but these errors were encountered: