-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Integrate Prebuilt Rules Customization UI with the _perform
upgrade API
#199761
[Security Solution] Integrate Prebuilt Rules Customization UI with the _perform
upgrade API
#199761
Conversation
18bbcb7
to
2c6f94f
Compare
_perform
API_perform
upgrade API
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested this PR locally with a focus on the feature flag off case. No issues found across all cases—single rule update, bulk update, or all—each sends the correct payload to the backend with the target version selected. I also tested the feature flag on, but only covered the happy paths. I’ll likely put more effort into testing later today or next week. For now, let's merge this PR to unblock work on the rule type change. Left a couple of comments for future improvements and created a ticket for proper OCC handling as discussed yesterday: #200134
return rulesToUpgrade.filter((rule) => rule.diff.num_fields_with_conflicts > 0); | ||
}, | ||
[rulesUpgradeState] | ||
); | ||
|
||
const { mutateAsync: upgradeSpecificRulesRequest } = usePerformUpgradeSpecificRules({ | ||
pickVersion: isPrebuiltRulesCustomizationEnabled ? 'MERGED' : 'TARGET', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note for future refactoring: We construct the perform request payload in two places. The first part is pickVersion
here, and the second part is ruleUpgradeSpecifiers
inside upgradeRules
. This separation makes it difficult to follow and understand the entire payload. We should aim to construct the payload in a single location for better clarity and maintainability.
})); | ||
setLoadingRules((prev) => [...prev, ...rulesToUpgrade.map((r) => r.rule_id)]); | ||
const conflictRuleIdsSet = new Set( | ||
isPrebuiltRulesCustomizationEnabled |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note for future refactoring: We use isPrebuiltRulesCustomizationEnabled
in seleral different places across this context, making it difficult to follow the full logic when the feature flag is on or off. I suggest splitting the upgrade methods into two for improved clarity: updateRulesWithCustomization
when the FF is on, and updateRulesWithoutCustomization
when it's off.
c1275bf
to
6d90ced
Compare
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11838943846 |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
History
cc @maximpn |
…e `_perform` upgrade API (elastic#199761) **Partially addresses:** elastic#171520 ## Summary This PR integrates Prebuilt Rules Customization UI functionality with the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` Prebuilt Rules Customization upgrade API. > [!CAUTION] > This PR doesn't handle rule type changes. Prebuilt rule updates with rule type change consider having a NON SOLVABLE conflict and won't be upgraded neither individually nor in bulk. Addressing that task requires UI and functional changes and will be addressed in a separate PR. ## Details ## How to test - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - [ ] Check update functionality in a flyout - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Press the `Update` button - [ ] Check table row rule update - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - Press the `Update rule` button in the rule's table row - [ ] Check bulk rule update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After press the `Update All` button on the page - [ ] Check selected rules bulk update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After select the modified rule updates - Press the `Update N selected rule(s)` button on the page Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co> (cherry picked from commit 1862b59)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…ith the `_perform` upgrade API (#199761) (#200193) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Integrate Prebuilt Rules Customization UI with the `_perform` upgrade API (#199761)](#199761) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2024-11-14T14:13:20Z","message":"[Security Solution] Integrate Prebuilt Rules Customization UI with the `_perform` upgrade API (#199761)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR integrates Prebuilt Rules Customization UI functionality with\r\nthe `/internal/detection_engine/prebuilt_rules/upgrade/_perform`\r\nPrebuilt Rules Customization upgrade API.\r\n\r\n> [!CAUTION]\r\n> This PR doesn't handle rule type changes. Prebuilt rule updates with\r\nrule type change consider having a NON SOLVABLE conflict and won't be\r\nupgraded neither individually nor in bulk. Addressing that task requires\r\nUI and functional changes and will be addressed in a separate PR.\r\n\r\n## Details\r\n\r\n\r\n## How to test\r\n\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d\r\n'{\"force\":true}'\r\nhttp://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n ```\r\n- Install prebuilt rules\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'\r\nhttp://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n ```\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates`\r\n- [ ] Check update functionality in a flyout\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Press the `Update` button\r\n- [ ] Check table row rule update\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - Press the `Update rule` button in the rule's table row\r\n- [ ] Check bulk rule update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After press the `Update All` button on the page\r\n- [ ] Check selected rules bulk update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After select the modified rule updates\r\n - Press the `Update N selected rule(s)` button on the page\r\n\r\nCo-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>","sha":"1862b5914786a207238c650465c3d6b3f04ab172","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.17.0"],"title":"[Security Solution] Integrate Prebuilt Rules Customization UI with the `_perform` upgrade API","number":199761,"url":"https://github.com/elastic/kibana/pull/199761","mergeCommit":{"message":"[Security Solution] Integrate Prebuilt Rules Customization UI with the `_perform` upgrade API (#199761)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR integrates Prebuilt Rules Customization UI functionality with\r\nthe `/internal/detection_engine/prebuilt_rules/upgrade/_perform`\r\nPrebuilt Rules Customization upgrade API.\r\n\r\n> [!CAUTION]\r\n> This PR doesn't handle rule type changes. Prebuilt rule updates with\r\nrule type change consider having a NON SOLVABLE conflict and won't be\r\nupgraded neither individually nor in bulk. Addressing that task requires\r\nUI and functional changes and will be addressed in a separate PR.\r\n\r\n## Details\r\n\r\n\r\n## How to test\r\n\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d\r\n'{\"force\":true}'\r\nhttp://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n ```\r\n- Install prebuilt rules\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'\r\nhttp://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n ```\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates`\r\n- [ ] Check update functionality in a flyout\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Press the `Update` button\r\n- [ ] Check table row rule update\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - Press the `Update rule` button in the rule's table row\r\n- [ ] Check bulk rule update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After press the `Update All` button on the page\r\n- [ ] Check selected rules bulk update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After select the modified rule updates\r\n - Press the `Update N selected rule(s)` button on the page\r\n\r\nCo-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>","sha":"1862b5914786a207238c650465c3d6b3f04ab172"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199761","number":199761,"mergeCommit":{"message":"[Security Solution] Integrate Prebuilt Rules Customization UI with the `_perform` upgrade API (#199761)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR integrates Prebuilt Rules Customization UI functionality with\r\nthe `/internal/detection_engine/prebuilt_rules/upgrade/_perform`\r\nPrebuilt Rules Customization upgrade API.\r\n\r\n> [!CAUTION]\r\n> This PR doesn't handle rule type changes. Prebuilt rule updates with\r\nrule type change consider having a NON SOLVABLE conflict and won't be\r\nupgraded neither individually nor in bulk. Addressing that task requires\r\nUI and functional changes and will be addressed in a separate PR.\r\n\r\n## Details\r\n\r\n\r\n## How to test\r\n\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web\r\nbrowser)\r\n- Install an outdated version of the `security_detection_engine` Fleet\r\npackage\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d\r\n'{\"force\":true}'\r\nhttp://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n ```\r\n- Install prebuilt rules\r\n ```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json'\r\n-H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}'\r\nhttp://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n ```\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates`\r\n- [ ] Check update functionality in a flyout\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Press the `Update` button\r\n- [ ] Check table row rule update\r\n - Pick a rule\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - Press the `Update rule` button in the rule's table row\r\n- [ ] Check bulk rule update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After press the `Update All` button on the page\r\n- [ ] Check selected rules bulk update\r\n - Pick a few rules and for each of them do the next steps\r\n - Click on rule's name\r\n - Make changes to fields in incoming rule updates updates\r\n - Save field(s) changes\r\n - Close the flyout\r\n - After select the modified rule updates\r\n - Press the `Update N selected rule(s)` button on the page\r\n\r\nCo-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>","sha":"1862b5914786a207238c650465c3d6b3f04ab172"}},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
…e `_perform` upgrade API (elastic#199761) **Partially addresses:** elastic#171520 ## Summary This PR integrates Prebuilt Rules Customization UI functionality with the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` Prebuilt Rules Customization upgrade API. > [!CAUTION] > This PR doesn't handle rule type changes. Prebuilt rule updates with rule type change consider having a NON SOLVABLE conflict and won't be upgraded neither individually nor in bulk. Addressing that task requires UI and functional changes and will be addressed in a separate PR. ## Details ## How to test - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - [ ] Check update functionality in a flyout - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Press the `Update` button - [ ] Check table row rule update - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - Press the `Update rule` button in the rule's table row - [ ] Check bulk rule update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After press the `Update All` button on the page - [ ] Check selected rules bulk update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After select the modified rule updates - Press the `Update N selected rule(s)` button on the page Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
…e `_perform` upgrade API (elastic#199761) **Partially addresses:** elastic#171520 ## Summary This PR integrates Prebuilt Rules Customization UI functionality with the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` Prebuilt Rules Customization upgrade API. > [!CAUTION] > This PR doesn't handle rule type changes. Prebuilt rule updates with rule type change consider having a NON SOLVABLE conflict and won't be upgraded neither individually nor in bulk. Addressing that task requires UI and functional changes and will be addressed in a separate PR. ## Details ## How to test - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - [ ] Check update functionality in a flyout - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Press the `Update` button - [ ] Check table row rule update - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - Press the `Update rule` button in the rule's table row - [ ] Check bulk rule update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After press the `Update All` button on the page - [ ] Check selected rules bulk update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After select the modified rule updates - Press the `Update N selected rule(s)` button on the page Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
…e `_perform` upgrade API (elastic#199761) **Partially addresses:** elastic#171520 ## Summary This PR integrates Prebuilt Rules Customization UI functionality with the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` Prebuilt Rules Customization upgrade API. > [!CAUTION] > This PR doesn't handle rule type changes. Prebuilt rule updates with rule type change consider having a NON SOLVABLE conflict and won't be upgraded neither individually nor in bulk. Addressing that task requires UI and functional changes and will be addressed in a separate PR. ## Details ## How to test - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - [ ] Check update functionality in a flyout - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Press the `Update` button - [ ] Check table row rule update - Pick a rule - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - Press the `Update rule` button in the rule's table row - [ ] Check bulk rule update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After press the `Update All` button on the page - [ ] Check selected rules bulk update - Pick a few rules and for each of them do the next steps - Click on rule's name - Make changes to fields in incoming rule updates updates - Save field(s) changes - Close the flyout - After select the modified rule updates - Press the `Update N selected rule(s)` button on the page Co-authored-by: Dmitrii Shevchenko <dmitrii.shevchenko@elastic.co>
Partially addresses: #171520
Summary
This PR integrates Prebuilt Rules Customization UI functionality with the
/internal/detection_engine/prebuilt_rules/upgrade/_perform
Prebuilt Rules Customization upgrade API.Caution
This PR doesn't handle rule type changes. Prebuilt rule updates with rule type change consider having a NON SOLVABLE conflict and won't be upgraded neither individually nor in bulk. Addressing that task requires UI and functional changes and will be addressed in a separate PR.
Details
How to test
security_detection_engine
Fleet packagecurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
Detection Rules (SIEM)
Page ->Rule Updates
Update
buttonUpdate rule
button in the rule's table rowUpdate All
button on the pageUpdate N selected rule(s)
button on the page