Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Allow users to edit required_fields field for custom rules #173594

Closed
14 tasks done
Tracked by #174168
approksiu opened this issue Dec 19, 2023 · 23 comments · Fixed by #180682
Closed
14 tasks done
Tracked by #174168

[Security Solution] Allow users to edit required_fields field for custom rules #173594

approksiu opened this issue Dec 19, 2023 · 23 comments · Fixed by #180682
Assignees
Labels
8.15 candidate enhancement New value added to drive a business result Feature:Rule Creation Security Solution Detection Rule Creation workflow Feature:Rule Edit Security Solution Detection Rule Editing workflow Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.15.0

Comments

@approksiu
Copy link

approksiu commented Dec 19, 2023

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168

Summary

We need to expose the required_fileds field in the rule edit page and allow editing it.
The required_fields is an optional field.

Background

We want to allow users to easily specify the prerequisites for their custom rules.

User story

  • As a user, I want to be able to specify required fields for my custom rules.

Acceptance criteria

  • Rule edit page shows the required_fields field in the Define Rule section.
  • User can add required fields.
  • On the rule edit page, there is a tooltip explaining what this field does, (and a link to documentation?).
  • When the Elastic prebuilt rule is duplicated - the required_fields value should be kept.

Release progress

  • Initial implementation is done. (PR)
  • Feature is covered with automated tests.
  • Feature is fully implemented and considered by the development team as ready to be released.
  • Exploratory testing is done and the feature is approved by @jpdjere
  • Acceptance testing is done and the feature is approved by @approksiu and @ARWNightingale.
  • API docs PR is merged
  • Serverless documentation is written by @joepeeples. The PR is merged (docs ticket).
  • ESS documentation is written by @joepeeples. The PR is approved and ready to be merged (docs ticket).
  • Feature is released in Serverless.

Planned release date in Serverless: May 20th, 2024.
Planned release date in ESS: v8.15.0.

@botelastic botelastic bot added the needs-team Issues missing a team label label Dec 19, 2023
@approksiu approksiu added the Team:Detection Rule Management Security Detection Rule Management Team label Dec 19, 2023
@botelastic botelastic bot removed the needs-team Issues missing a team label label Dec 19, 2023
@approksiu approksiu changed the title [Security Solution] Allow users to edit required_fields field for rules [Security Solution] [WIP] Allow users to edit required_fields field for rules Jan 2, 2024
@ARWNightingale ARWNightingale self-assigned this Jan 8, 2024
@jpdjere
Copy link
Contributor

jpdjere commented Jan 10, 2024

@approksiu @ARWNightingale

Is it possible to use the fields drop-down component for adding required fields?

Yes, we have to think about the design here. The required_fields field looks something like this:

            "required_fields": [
              {
                "ecs": true,
                "name": "event.type",
                "type": "keyword"
              },
              {
                "ecs": true,
                "name": "host.os.type",
                "type": "keyword"
              },
              {
                "ecs": true,
                "name": "process.args",
                "type": "keyword"
              },
              {
                "ecs": true,
                "name": "process.command_line",
                "type": "wildcard"
              },
              {
                "ecs": true,
                "name": "process.name",
                "type": "keyword"
              },
              {
                "ecs": true,
                "name": "process.parent.executable",
                "type": "keyword"
              },
              {
                "ecs": true,
                "name": "process.pe.original_file_name",
                "type": "keyword"
              }
            ]

so basically a collection of objects with 3 properties:

  • name: just a string, I think this should be a free form text field - allowing only one word. We cannot offer a dropdown here since we don't know all the possible field values.
  • type: I think this can be a dropdown. These are all the current values for type that our security-rules offer right now:
          {
            "key": "keyword",
            "doc_count": 15694
          },
          {
            "key": "unknown",
            "doc_count": 958
          },
          {
            "key": "long",
            "doc_count": 380
          },
          {
            "key": "ip",
            "doc_count": 301
          },
          {
            "key": "wildcard",
            "doc_count": 275
          },
          {
            "key": "boolean",
            "doc_count": 166
          },
          {
            "key": "match_only_text",
            "doc_count": 24
          },
          {
            "key": "text",
            "doc_count": 6
          }
        ]

so it's basically a great majority of keyword but some other. We can retrieve the whole list from https://github.com/elastic/kibana/blob/main/packages/kbn-field-types/src/types.ts , but note that our types are split between ES types and Kibana types so we'll have to merge those.

  • ecs: just a boolean, true vs false. So we can have a dropdown or a checkbox.

So the design could look something similar to Reference URL:
image
with a button to add more required fields, but instead of one long text field, each line has the three fields mentioned above.

@approksiu
Copy link
Author

@jpdjere I was thinking more something similar to alert suppression setup interface.

@approksiu
Copy link
Author

approksiu commented Jan 11, 2024

Check the suppression component. Question: what to do if the field is mapped with different types in different indexes? Does the suppression component "know" if field is ecs-compliant and what type does it have?

@approksiu approksiu changed the title [Security Solution] [WIP] Allow users to edit required_fields field for rules [Security Solution] Allow users to edit required_fields field for rules Jan 12, 2024
@jpdjere
Copy link
Contributor

jpdjere commented Jan 18, 2024

@approksiu @ARWNightingale
I checked how the Alert Suppression component works, and we can reuse that functionality.

Basically, we call the [useRuleIndexPattern](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/form.tsx#L128) hook to retrieve the list of fields, and the list looks like this:

[
    {
        "name": "@timestamp",
        "searchable": true,
        "type": "date",
        "aggregatable": true,
        "esTypes": [
            "date"
        ]
    },
    {
        "name": "_id",
        "searchable": true,
        "type": "string",
        "aggregatable": false,
        "esTypes": [
            "_id"
        ]
    },
    // [... more fields]
    {
        "name": "agent",
        "searchable": true,
        "type": "conflict",
        "aggregatable": false,
        "esTypes": [
            "text",
            "object"
        ],
        "conflictDescriptions": {
            "text": [
                "logs-ti_1"
            ],
            "object": [
                ".ds-auditbeat-8.3.3-2024.01.15-000001",
                ".ds-packetbeat-8.3.3-2024.01.15-000001"
            ]
        }
    },
    {
        "name": "agent.build.original",
        "searchable": true,
        "type": "string",
        "aggregatable": true,
        "esTypes": [
            "keyword"
        ]
    },
     // [... thousands fields more]
]

So we can prepopulate a dropdown field showing the fields name, and when the user selects it, we can prepopulate another dropdown to its right that contains the possible types for the fields, which can get get from each field's esTypes array:

image

The only missing data here is whether the field is ECS compliant or not. I don't think we need to display this to the user, we can calculate it on our side and save it without the user knowing about it. To calculate it, we can use the computeIsEcsCompliant method.

@approksiu
Copy link
Author

@jpdjere awesome! I like that we can define if the field is ecs-compliant and not have the user fill it in. I assume if one type option is available - it will be automatically selected for the user.

@jpdjere
Copy link
Contributor

jpdjere commented Jan 18, 2024

I assume if one type option is available - it will be automatically selected for the user.

Yes, once the user chooses a required field, let's preselect the first available option in the type dropdown by default (but the user can still change it if he wishes, and if there is more than 1 available type)

@banderror banderror changed the title [Security Solution] Allow users to edit required_fields field for rules [Security Solution] Allow users to edit required_fields field for custom rules Mar 4, 2024
@nikitaindik nikitaindik self-assigned this Mar 4, 2024
@banderror banderror added enhancement New value added to drive a business result Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Creation Security Solution Detection Rule Creation workflow 8.14 candidate labels Mar 7, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@nikitaindik
Copy link
Contributor

Hey @approksiu and @ARWNightingale. I have updated the sandbox with latest Required Fields changes. Would you mind taking a look and providing feedback for it?

Sandbox: https://nikitaindik-pr-180682-editable-required-fields.kbndev.co/kbn
Credentials: https://p.elstc.co/paste/U6uTAkz3#WW6hltDBqi++3e3Kzpi5bGiEHhKtAfKEnkRFsK6juZL

@nikitaindik
Copy link
Contributor

nikitaindik commented Apr 22, 2024

@approksiu @ARWNightingale Here's some additional info about the feature and testing it in the sandbox.

The basic flow goes like this: first you specify your index patterns (or a data view), then you can select required fields for these index patterns.

Scherm­afbeelding 2024-04-22 om 10 27 56

I have created two indices in the sandbox deployment: i1 and i2.

  • Index i1 has fields: one with type text and three with type text.
  • Index i2 has fields: one with type keyword and two with type integer.

Since for field one both text and keyword types are available, the dropdown will show both options.
For other fields, only one type is available, so only one option will be shown and the dropdown will be disabled.

Scherm­afbeelding 2024-04-22 om 10 28 32

Warnings

If a field that is not present in the index pattern is selected, you will see a warning message.
This can happen in the following cases:

  • You have specified an index pattern, selected a required field from this index pattern, and then removed this index pattern.
  • The index doesn't yet exist. For example, you have installed a prebuilt rule but the data for it hasn't been ingested yet.
  • The index was removed.
  • The mappings for the index were changed and the field is no longer present.

In any of these cases, you'll see a general warning message above the form section. And then also a more specific warning message next to the field that is causing the issue.

Scherm­afbeelding 2024-04-22 om 10 28 58

The warnings won't prevent the user to submit the form.

ESQL and ML rules

Here's how available dropdown options are determined for different rule types:

For all rule types except ESQL and ML, we take the index patterns specified by the user and fetch thier mappings (fields and their types). Then we use these fields and types to populate the dropdowns.

For ESQL rules we parse index patterns out of the query since there's no explicit index pattern form field. We then fetch the mappings for these index patterns and use them to populate the dropdowns.

For ML rules, we don't show "required fields" at all. ML rules are a special case.

  1. The concept of "required fields" is sort of handled during creation of the ML job itself, where the user specifies the fields that are required for the job to run.
  2. In the ML rule creation/editing interface, we don't display the index patterns a rule operates on. So, even if we allowed specifying required fields, the user would need to check the ML job details to see the index patterns the job uses.
  3. The ML job dropdown includes both existing and not-yet-created jobs. We can't get index patterns for jobs that don't exist yet, so we can't fill the dropdowns with fields and types.

Sample queries

Here are a few sample queries that can be used to test the feature:
ESQL: from i* [metadata _id, _index, _version]
EQL: any where two == "*"
Lucene: one: "value1" AND two > 10 AND three: "pattern*"

@ARWNightingale
Copy link

@nikitaindik this looks good to me.

@approksiu
Copy link
Author

Thanks @nikitaindik ! Looks good!

@banderror
Copy link
Contributor

@vgomez-el Please start exploratory testing when you can

@nikitaindik
Copy link
Contributor

Hey @joepeeples! I've created a ticket for documenting the UI and API changes: elastic/security-docs#5131

@vgomez-el
Copy link

@banderror Just to let you know, I started the exploratory testing at the end of the week, but after asking @nikitaindik about some doubts, he told me that there are some last minute changes he needs to work in and push into the branch. I will delay the feature exploratory testing until those changes are finished and pushed to the branch/environment to avoid duplicating testing efforts.

@nikitaindik
Copy link
Contributor

Hey team! Here's what we have left to do for Required Fields:

  • First I need to merge in the latest changes from the main branch, resolve any conflicts and make sure the tests pass.
  • Then @xcrzx will need to code review the PR. I might need to make some updates based on Dmitrii's feedback.
  • Once the PR gets the approval @vgomez-el will do exploratory testing.
  • Then we'll need @approksiu to acceptance test it.
  • Lastly, @joepeeples will need to prepare the docs.

Current Serverless release target is Monday, May 6th. But given the remaining work, we might need to aim for the following release on May 13th. This means we would need to complete the review, testing and the docs by the end of the next week.

Does moving the release to May 13th work for everyone? If it does, I'll update the dates in this issue and in the docs issue. Please reply below. Thanks!

@vgomez-el
Copy link

@nikitaindik Moving it to the next release works for me. Just let me know when the environment is ready and I will perform the exploratory testing over the feature

@nikitaindik
Copy link
Contributor

Hey team! Since I'm still working on the PR comments, Required Fields won't make it into the 13th May Serverless release. Rescheduling it to May 20th. I have updated the date in this ticket and in the API docs ticket.

@xcrzx @approksiu @joepeeples @banderror

@nikitaindik
Copy link
Contributor

Hey folks! I have fixed all the issues, answered all the comments and have reopened the PR for review. I would appreciate if you can start reviewing it asap, since we want to release it on the 20th. Thanks!

@xcrzx @maximpn

@jpdjere
Copy link
Contributor

jpdjere commented May 16, 2024

@nikitaindik

Finished exploratory testing, looking good! Great work 👍
Also, thanks for the super detailed PR description.

@approksiu
Copy link
Author

@nikitaindik acceptance testing done. Looks good. Thank you!

nikitaindik added a commit that referenced this issue May 17, 2024
…tom rules (#180682)

**Resolves: #173594
**Flaky test runner:**
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5915


## Summary
This PR adds an ability to add and edit custom rule's required fields.
"Required fields" is an optional field that shows the user which
Elasticsearch fields are needed for the rule to run properly. The values
in "required fields" don't affect rule execution in any way. It's purely
documentational, similar to "setup guide" and "investigation guide".
This functionality is added to both rule creation and rule editing
screens. It's available for all rule types except ML.

<img width="650" alt="Scherm­afbeelding 2024-05-07 om 12 28 50"
src="https://github.com/elastic/kibana/assets/15949146/70ed052e-3e59-413e-80de-73146225f75a">


## Details
The basic flow goes like this: first you specify your index patterns (or
a data view), then you can set required fields for these index patterns.
Once a user adds a required field and chooses its name, he can then
choose its type from the dropdown. The first available type for the
field name selected automatically. User can also add their own custom
names and types.

### Warnings
If a field that is not present in the selected index pattern, you will
see a warning message.
This can happen in the following cases:
- You have specified an index pattern, selected a required field from
this index pattern, and then removed this index pattern.
- The index doesn't yet exist. For example, you have installed a
prebuilt rule but the data for it hasn't been ingested yet, so there's
no index yet.
 - The index was removed.
- The mappings for the index were changed and the field is no longer
present.

In any of these cases, you'll see a general warning message above the
form section. And then also a more specific warning message next to the
field that is causing the issue.

### ESQL and ML rules
Here's how available dropdown options are determined for different rule
types:

For all rule types except ESQL and ML, we take the index patterns
specified by the user and fetch their mappings. Then we use these fields
and types to populate the dropdowns.

For ESQL rules we parse index patterns out of the query since there's no
explicit index pattern form field. We then fetch the mappings for these
index patterns and use them to populate the dropdowns.

For ML rules, we don't show "required fields" at all. ML rules are a
special case.
1. The concept of "required fields" is sort of handled during creation
of the ML job itself, where the user specifies the fields that are
required for the job to run.
2. In the ML rule creation/editing interface, we don't display the index
patterns a rule operates on. So, even if we allowed specifying required
fields, the user would need to check the ML job details to see the index
patterns the job uses.
3. The ML job dropdown includes both existing and not-yet-created jobs.
We can't get index patterns for jobs that don't exist yet, so we can't
fill the dropdowns with fields and types.

## Screenshots
<img width="628" alt="screen1_"
src="https://github.com/elastic/kibana/assets/15949146/aade141f-8285-44c6-8c56-611ba1a9f17b">

<img width="601" alt="screen2_"
src="https://github.com/elastic/kibana/assets/15949146/b44fb254-c254-44b8-9600-45b47f29a421">
@nikitaindik
Copy link
Contributor

Hey folks! 🎉 The main Required Fields PR and the API docs PR, have both been merged. Woohoo!

This means the feature is going into the Monday, the 20th Serverless release! 🚀

High-fives to everyone who helped with the review and testing! 🙌💖

@banderror banderror reopened this May 17, 2024
@banderror
Copy link
Contributor

The feature went live in Serverless on Tue, May 21st 🎉
Thanks to everyone involved! I'm closing this ticket. We'll track elastic/security-docs#5131 separately.

banderror added a commit that referenced this issue Aug 26, 2024
…ed integrations and required fields from the original rule (#191065)

**Fixes: #190628
**Related to:** #173595,
#173594

## Summary

As stated in the bug ticket, when duplicating a prebuilt rule, the
"Related Integrations" and "Required Fields" values should be inherited
from the original rule, as it was specified in the Acceptance Criteria
for #173595 and
#173594.

This PR:

- Removes the logic that resets these fields to empty arrays for
duplicated prebuilt rules - we needed this logic in the past because
these fields were not editable in the UI, but we don't need it anymore.
- Updates the corresponding unit tests.

## Screenshots

These screenshots were taken after introducing the fixes.

**Original prebuilt rule:**

<img width="1463" alt="Screenshot_2024-08-23_at_13_25_07"
src="https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119">

**Duplicated prebuilt rule:**

<img width="1469" alt="Screenshot_2024-08-23_at_13_25_43"
src="https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b">

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
banderror added a commit to banderror/kibana that referenced this issue Aug 27, 2024
…ed integrations and required fields from the original rule (elastic#191065)

**Fixes: elastic#190628
**Related to:** elastic#173595,
elastic#173594

## Summary

As stated in the bug ticket, when duplicating a prebuilt rule, the
"Related Integrations" and "Required Fields" values should be inherited
from the original rule, as it was specified in the Acceptance Criteria
for elastic#173595 and
elastic#173594.

This PR:

- Removes the logic that resets these fields to empty arrays for
duplicated prebuilt rules - we needed this logic in the past because
these fields were not editable in the UI, but we don't need it anymore.
- Updates the corresponding unit tests.

## Screenshots

These screenshots were taken after introducing the fixes.

**Original prebuilt rule:**

<img width="1463" alt="Screenshot_2024-08-23_at_13_25_07"
src="https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119">

**Duplicated prebuilt rule:**

<img width="1469" alt="Screenshot_2024-08-23_at_13_25_43"
src="https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b">

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit b144c05)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/actions/duplicate_rule.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/actions/duplicate_rule.ts
banderror added a commit that referenced this issue Aug 27, 2024
…y related integrations and required fields from the original rule (#191065) (#191493)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Security Solution] Fix prebuilt rule duplication logic to copy
related integrations and required fields from the original rule
(#191065)](#191065)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Georgii
Gorbachev","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-08-26T13:42:52Z","message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","impact:medium","Team:Detections
and Resp","Team: SecuritySolution","Feature:Rule
Management","Team:Detection Rule Management","Feature:Prebuilt Detection
Rules","v8.16.0","v8.15.1"],"number":191065,"url":"https://github.com/elastic/kibana/pull/191065","mergeCommit":{"message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5"}},"sourceBranch":"main","suggestedTargetBranches":["8.15"],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","labelRegex":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191065","number":191065,"mergeCommit":{"message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5"}},{"branch":"8.15","label":"v8.15.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.15 candidate enhancement New value added to drive a business result Feature:Rule Creation Security Solution Detection Rule Creation workflow Feature:Rule Edit Security Solution Detection Rule Editing workflow Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.15.0
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants