[Security Solution] Add support for Fleet package with historical versions of prebuilt rules #148179
Labels: 8.7 candidate, Feature:Prebuilt Detection Rules, Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution, v8.7.0
Epic: https://github.com/elastic/security-team/issues/1974 (internal)
Summary

Add support for historical rule asset saved objects according to the data model chosen based on #144060. Adjust the code to support both the latest and historical rule assets at the same time, so we could release the `security_detection_engine` package with historical versions at any given time.

Todo

- Figure out what we should do with existing `security-rule` saved objects.
- Adjust the two existing `rules/prepackaged` endpoints so that they could be used with both the latest and historical rule assets.
Saved objects
Figure out what should we do with existing
security-rule
saved objects. Options:security-rule
saved objects type unchanged. There's a chance we could reuse it for storing historical rule assets without any modifications.security-rule
saved objects type according to the needs, so it's capable of storing historical assets.Options 1 and 2 look more suitable for the flat data model. Option 3 looks more suitable for the composite data model.
Existing endpoints
Adjust the two existing `rules/prepackaged` endpoints so that they could be used with both the latest and historical rule assets.

The endpoints should determine which assets are stored based on the data in the assets. We could write some aggregation queries for that.
Keep the contract and the existing behavior of the endpoints unchanged regardless of what kind of data is stored under the hood.
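As an added illustration (not Kibana's code) of how an endpoint could decide from the stored assets themselves whether only the latest or also historical rule versions are installed: the in-memory grouping below computes what a terms/max aggregation over the `security-rule` saved objects would return, and the asset shape (`rule_id` plus `version`) is an assumption, not taken from the issue.

```typescript
// Added example, not part of the Kibana code base. Assumes each stored
// `security-rule` asset exposes a `rule_id` and a numeric `version`.
interface RuleAsset {
  rule_id: string;
  version: number;
  name: string;
}

type AssetKind = 'latest-only' | 'historical';

interface AssetSummary {
  kind: AssetKind;                       // what the endpoint would branch on
  latestByRuleId: Map<string, RuleAsset>; // the newest version of each rule
  historicalCount: number;               // how many older versions are stored
}

// Groups assets by rule_id, picks the highest version per rule, and counts
// the remaining (historical) versions. A package that only ships the latest
// version of each rule yields historicalCount === 0.
function summarizeAssets(assets: RuleAsset[]): AssetSummary {
  const byRuleId = new Map<string, RuleAsset[]>();
  for (const asset of assets) {
    const versions = byRuleId.get(asset.rule_id) ?? [];
    versions.push(asset);
    byRuleId.set(asset.rule_id, versions);
  }
  const latestByRuleId = new Map<string, RuleAsset>();
  let historicalCount = 0;
  for (const [ruleId, versions] of byRuleId) {
    versions.sort((a, b) => b.version - a.version); // newest first
    latestByRuleId.set(ruleId, versions[0]);
    historicalCount += versions.length - 1;
  }
  return {
    kind: historicalCount > 0 ? 'historical' : 'latest-only',
    latestByRuleId,
    historicalCount,
  };
}

// Constructed sample: rule "a" is stored in two versions, rule "b" in one.
const sampleAssets: RuleAsset[] = [
  { rule_id: 'a', version: 1, name: 'Rule A v1' },
  { rule_id: 'a', version: 2, name: 'Rule A v2' },
  { rule_id: 'b', version: 5, name: 'Rule B v5' },
];

const sampleSummary = summarizeAssets(sampleAssets);
```

Because the decision is derived from the data rather than from a flag set at install time, the same endpoint code keeps working whether a latest-only or a historical package is installed, which is what keeping the contract unchanged requires.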