
[DOCS][Detections] - Actions migrations #1172

Status: Closed
yctercero opened this issue Oct 21, 2021 · 3 comments
Labels: documentation (Improvements or additions to documentation), Team: Detections/Response (Detections and Response), Team: Docs, v7.16.0, v8.0.0

Comments

@yctercero (Contributor):

Description

As part of 7.16 we're migrating actions from our own security solution's implementation of actions to alerting's implementation of actions. After some discussion, migrating these actions all at once in the background was not possible, so migration will occur when a rule is touched.

  • When a rule is touched (edited), on save, the rule's actions will be migrated
  • When a rule is disabled/enabled, the rule's actions will be migrated
  • When a rule is imported, the rule's actions will be migrated

If a user would like to migrate ALL their rules' actions at once:

  • If not moving to a new system, they can just export all rules and import them back in
  • If they're looking to move to a clean build, they'll need to also export their connectors through the SOM (Saved Object Management). Then in their clean build, import the connectors first via the SOM, then import the rules
    • Important: Users should be notified that on import, the rules are enabled using that user's permissions. This means that if an admin exports and imports, the rules will run using an API key with admin privileges, resulting in possible elevated privileges and unexpected behavior.

Here are our (security solution) docs on actions:
https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-notifications

Alerting's docs on actions:
https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html#alerting-concepts-actions

Possible docs needing updates

Notes

  • Terminology is a bit tricky since in security solution (at least in the docs) we refer to actions as External alerts and alerting refers to them as actions, so it's more of a product question of whether this matters and if it needs to be changed
  • Visually, the user will not notice any changes in the UI. However, the old and new actions systems work a bit differently
    • @jethr0null couldn't remember if we'd settled on describing the difference to the user or just notifying them that the actions will now function the same as alerting's
@yctercero yctercero added Team: Docs v8.0.0 Team: Detections/Response Detections and Response v7.16.0 documentation Improvements or additions to documentation labels Oct 21, 2021
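A pre-flight check for the clean-build path described above (export connectors through Saved Object Management, import them first, then import the rules). This is an added example, not Elastic's code or anything from the issue: it assumes the export field names shown in the constructed samples (connector saved objects exported with type "action", rule lines carrying rule_id and an actions list whose entries reference a connector by id), and the preconfigured-connector allow-list is an assumption of this script, since connectors defined in kibana.yml are not saved objects and will not appear in a Saved Object Management export. The enabled_on_import list exists because of the caveat in the issue: rules exported as enabled start running after import under the importing user's API key.

```python
"""Pre-flight check before re-importing detection rules into a clean Kibana.

Two export files are assumed (constructed samples below stand in for them):
  connectors.ndjson - Saved Object Management export of type "action"
  rules.ndjson      - Security > Rules export (POST /api/detection_engine/rules/_export)
"""
import json

# Constructed sample of a Saved Object Management export (not real data).
CONNECTORS_NDJSON = """\
{"type":"action","id":"slack-1","attributes":{"actionTypeId":".slack","name":"soc-slack"}}
{"type":"action","id":"email-1","attributes":{"actionTypeId":".email","name":"soc-email"}}
{"exportedCount":2,"missingRefCount":0,"missingReferences":[]}
"""

# Constructed sample of a rules export; "pd-preconf" stands for a connector that is
# defined in kibana.yml (preconfigured) and therefore never appears in a SOM export.
RULES_NDJSON = """\
{"rule_id":"rule-1","name":"Suspicious cron job","enabled":true,"actions":[{"group":"default","id":"slack-1","action_type_id":".slack","params":{"message":"{{context.rule.name}}"}}],"throttle":"1h"}
{"rule_id":"rule-2","name":"New admin user","enabled":false,"actions":[{"group":"default","id":"email-1","action_type_id":".email","params":{}},{"group":"default","id":"pd-preconf","action_type_id":".pagerduty","params":{}}]}
{"rule_id":"rule-3","name":"No actions","enabled":true,"actions":[]}
{"exported_count":3,"missing_rules":[],"missing_rules_count":0}
"""


def parse_ndjson(text):
    """One JSON object per non-empty line; the trailing summary line is kept as a record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def exported_connector_ids(records):
    """Connector saved objects carry type "action"; the summary line has no type."""
    return {r["id"] for r in records if r.get("type") == "action"}


def rule_records(records):
    """Rule lines carry rule_id; the rules export's summary line does not."""
    return [r for r in records if "rule_id" in r]


def missing_connectors(rules, connector_ids, preconfigured_ids=()):
    """rule_id -> sorted connector ids referenced by the rule's actions but absent from
    the connector export and not declared preconfigured on the target (assumed field names)."""
    known = set(connector_ids) | set(preconfigured_ids)
    report = {}
    for rule in rules:
        missing = sorted({a["id"] for a in rule.get("actions", []) if a["id"] not in known})
        if missing:
            report[rule["rule_id"]] = missing
    return report


def rules_enabled_on_import(rules):
    """Rules exported as enabled start running right after import, under the API key of
    the user who performs the import; review this list before importing as an admin."""
    return sorted(r["rule_id"] for r in rules if r.get("enabled"))


def preflight(connectors_text, rules_text, preconfigured_ids=()):
    """Full report: what to import first, what will be imported, and what would dangle."""
    connector_ids = exported_connector_ids(parse_ndjson(connectors_text))
    rules = rule_records(parse_ndjson(rules_text))
    return {
        "connectors_to_import_first": sorted(connector_ids),
        "rules": sorted(r["rule_id"] for r in rules),
        "missing_connectors": missing_connectors(rules, connector_ids, preconfigured_ids),
        "enabled_on_import": rules_enabled_on_import(rules),
    }


if __name__ == "__main__":
    report = preflight(CONNECTORS_NDJSON, RULES_NDJSON, preconfigured_ids=("pd-preconf",))
    print(json.dumps(report, indent=2))
    if report["missing_connectors"]:
        raise SystemExit("import the missing connectors via Saved Object Management before importing rules")
```

Run it against the two export files instead of the constructed strings, with preconfigured_ids set from the target cluster's kibana.yml, and import with an account whose privileges match what the rules should run with rather than a superuser.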
@yctercero (Contributor, Author):

Users will also see a link to these docs in their logs along with warning of what rule action version they're using - elastic/kibana#113055

@joepeeples (Contributor):

Per discussion with @yctercero, @jethr0null, @jmikell821, we will document this in release notes only. Added to 7.16 release notes issue (#1179).

@joepeeples (Contributor):

Closing this issue because we aren't creating any additional documentation beyond 7.16 release notes (#1179).
