
[Security Solution] Prebuilt Rules Upgrade & Install Workflow Skeleton #154403

Closed

Conversation

spong
Member

@spong spong commented Apr 4, 2023

Summary

This is a WIP PR capturing the skeletal and architectural changes of the new Prebuilt Rules Upgrade & Install workflow changes in progress for the 8.8 release.

Please see #153751 for the arch design discussion,
these Figma Mocks for base designs,
and the corresponding Whimsical design diagram.

To easily test the Rule Upgrade flow, you can use the below devtools request to 'update' a prebuilt rule to be a higher version than what has shipped, then hit the _review endpoint to view:

Test upgrade flow dev tools request

# Step 2 (run after the PUT below has been applied): list the upgrades the new workflow considers pending
POST kbn:/internal/detection_engine/prebuilt_rules/upgrade/_review

# Step 1: rewrite the installed prebuilt rule with a "version" higher than the one that shipped
PUT kbn:/api/detection_engine/rules
{
  "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
  "name": "SSH Authorized Keys File Modifications",
  "tags": [
    "Elastic",
    "Host",
    "Linux",
    "macOS",
    "Threat Detection",
    "Lateral Movement",
    "Persistence"
  ],
  "interval": "5m",
  "enabled": false,
  "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).",
  "risk_score": 47,
  "severity": "medium",
  "license": "Elastic License v2",
  "output_index": "",
  "timestamp_override": "event.ingested",
  "author": [
    "Elastic"
  ],
  "false_positives": [],
  "from": "now-9m",
  "to": "now",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": [
        {
          "id": "T1098",
          "name": "Account Manipulation",
          "reference": "https://attack.mitre.org/techniques/T1098/",
          "subtechnique": [
            {
              "id": "T1098.004",
              "name": "SSH Authorized Keys",
              "reference": "https://attack.mitre.org/techniques/T1098/004/"
            }
          ]
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0008",
        "name": "Lateral Movement",
        "reference": "https://attack.mitre.org/tactics/TA0008/"
      },
      "technique": [
        {
          "id": "T1563",
          "name": "Remote Service Session Hijacking",
          "reference": "https://attack.mitre.org/techniques/T1563/",
          "subtechnique": [
            {
              "id": "T1563.001",
              "name": "SSH Hijacking",
              "reference": "https://attack.mitre.org/techniques/T1563/001/"
            }
          ]
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "reference": "https://attack.mitre.org/techniques/T1021/",
          "subtechnique": [
            {
              "id": "T1021.004",
              "name": "SSH",
              "reference": "https://attack.mitre.org/techniques/T1021/004/"
            }
          ]
        }
      ]
    }
  ],
  "references": [],
  "version": 100,
  "exceptions_list": [],
  "type": "query",
  "language": "kuery",
  "index": [
    "auditbeat-*",
    "logs-endpoint.events.*"
  ],
  "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n             (/Library/Developer/CommandLineTools/usr/bin/git or\n              /usr/local/Cellar/maven/*/libexec/bin/mvn or\n              /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n              /usr/bin/vim or\n              /usr/local/Cellar/coreutils/*/bin/gcat or\n              /usr/bin/bsdtar or\n              /usr/bin/nautilus or\n              /usr/bin/scp or\n              /usr/bin/touch or\n              /var/lib/docker/* or\n              /usr/bin/google_guest_agent or \n              /opt/jc/bin/jumpcloud-agent)\n",
  "throttle": "no_actions",
  "actions": []
}

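The two-call procedure in the PR description (rewrite an installed prebuilt rule at a higher version, then call the `_review` endpoint) as a stand-alone script. This is an added example, not code from the PR or from Kibana; it assumes a local dev Kibana at `http://localhost:5601` with basic-auth credentials `elastic`/`changeme`, and the rule payload below is a constructed subset of the PR's full request (only the fields needed to make the PUT well-formed). The `kbn-xsrf` header is required by Kibana for all non-GET API calls; the `send` parameter is injectable so the ordering logic can be exercised without a running Kibana.

```python
"""Simulate a pending prebuilt-rule upgrade against a dev Kibana (added example)."""
import base64
import json
import urllib.request

# Constructed subset of the PR's PUT payload; the real call must carry the full rule
# definition because PUT replaces the rule rather than patching it.
BASE_RULE = {
    "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f",
    "name": "SSH Authorized Keys File Modifications",
    "description": "Detects changes to SSH authorized_keys files (constructed test copy).",
    "risk_score": 47,
    "severity": "medium",
    "type": "query",
    "language": "kuery",
    "index": ["auditbeat-*", "logs-endpoint.events.*"],
    "query": 'event.category:file and event.type:(change or creation) and file.name:("authorized_keys" or "authorized_keys2")',
    "enabled": False,
    "interval": "5m",
    "from": "now-9m",
    "version": 1,
}


def bump_rule_version(rule, new_version):
    """Return a copy of `rule` at `new_version`.

    The upgrade workflow only reports a pending upgrade when the installed version
    is above the shipped one, so a version that is not strictly higher is rejected.
    """
    current = rule.get("version", 1)
    if new_version <= current:
        raise ValueError(f"new version {new_version} must exceed current {current}")
    bumped = dict(rule)
    bumped["version"] = new_version
    return bumped


def plan_upgrade_test(kibana_url, rule):
    """Return the ordered HTTP calls. The PUT must precede the _review call."""
    base = kibana_url.rstrip("/")
    return [
        {"method": "PUT", "url": f"{base}/api/detection_engine/rules", "body": rule},
        {
            "method": "POST",
            "url": f"{base}/internal/detection_engine/prebuilt_rules/upgrade/_review",
            "body": None,
        },
    ]


def auth_headers(username, password):
    """Headers for a Kibana API call: basic auth plus the mandatory kbn-xsrf header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "kbn-xsrf": "true",
        "Content-Type": "application/json",
        "Authorization": f"Basic {token}",
    }


def execute(plan, headers, send=None):
    """Run each planned call in order and return the JSON responses.

    `send(method, url, headers, body) -> (status, json)` defaults to urllib; pass a
    fake to test offline. Any 4xx/5xx aborts so a failed PUT never masks the review.
    """
    if send is None:

        def send(method, url, headers, body):
            data = json.dumps(body).encode() if body is not None else None
            req = urllib.request.Request(url, data=data, method=method, headers=headers)
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")

    results = []
    for step in plan:
        status, payload = send(step["method"], step["url"], headers, step["body"])
        if status >= 400:
            raise RuntimeError(f"{step['method']} {step['url']} -> {status}: {payload}")
        results.append(payload)
    return results


if __name__ == "__main__":
    # Assumed dev instance and credentials; adjust for your environment.
    rule = bump_rule_version(BASE_RULE, 100)
    plan = plan_upgrade_test("http://localhost:5601", rule)
    for response in execute(plan, auth_headers("elastic", "changeme")):
        print(json.dumps(response, indent=2)[:2000])
```

The second response is the raw `_review` body; its exact shape is defined by the route in this PR's branch, so the script prints it rather than assuming field names.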
kibanamachine and others added 26 commits April 4, 2023 23:41
…pong/kibana into skeleton-prebuilt-rule-upgrade-install
@kibana-ci
Collaborator

kibana-ci commented May 4, 2023

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #6 / helpers filterJobs returns all jobs when no filter is suplied
  • [job] [logs] Jest Tests #6 / helpers searchFilter returns correct DisplayJobs when filterQuery matches job.description
  • [job] [logs] Jest Tests #6 / helpers searchFilter returns correct DisplayJobs when filterQuery matches job.id
  • [job] [logs] Jest Tests #6 / JobsTableComponent renders correctly against snapshot
  • [job] [logs] Jest Tests #6 / JobsTableFilters renders correctly against snapshot
  • [job] [logs] Jest Tests #7 / LoadPrebuiltRulesAndTemplatesButton renders correct button with correct text - Load Elastic prebuilt rules
  • [job] [logs] Jest Tests #7 / LoadPrebuiltRulesAndTemplatesButton renders correct button with correct text - Load Elastic prebuilt rules and timeline templates
  • [job] [logs] Jest Tests #7 / LoadPrebuiltRulesAndTemplatesButton renders correct button with correct text - Load Elastic prebuilt timeline templates
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider persisted state restores default rules table state
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider persisted state restores persisted rules table state
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules returns an empty array upon error
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules returns an empty array while loading
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules returns rules after snooze settings loaded
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules returns rules even if snooze settings failed to be loaded
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules returns rules while snooze settings are not loaded yet
  • [job] [logs] Jest Tests #12 / RulesTableContextProvider state rules snooze settings returns snooze settings
  • [job] [logs] Jest Tests #6 / UtilityBar it applies border styles when border is true

Metrics [docs]

‼️ ERROR: metrics for c60ac48 were not reported

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @spong

@banderror banderror closed this Jun 19, 2023
@spong spong deleted the skeleton-prebuilt-rule-upgrade-install branch June 20, 2023 14:38