Skip to content

Commit

Permalink
[Security Solution] Add AlertSuppression and Investigation Fields
Browse files Browse the repository at this point in the history 
… to Rule Upgrade workflow (elastic#195499)

Resolves: elastic#190597

## Summary

Adds `AlertSuppression` and `Investigation Fields` to Rule Upgrade
workflow:
- Fields had already been added to DiffableRule schema and diffing
algorithms in elastic#190128
- Current PR adds them to the UI field list so they get displayed in the
diff

## Screenshots

#### Investigation Fields


![image](https://github.com/user-attachments/assets/bff90832-cbf7-4804-888f-b62db5d08127)

#### Alert Suppression


![image](https://github.com/user-attachments/assets/a46fc2db-53d1-4aab-92fc-c92ff88a60b0)


## Testing

Little bit tricky: no prebuilt rules have these fields, so no matter
which packages you install you wont' see this upgrade. You'll need to
tinker with the security-rule assets, for example:
```ts
POST .kibana_security_solution/_update_by_query
{
  "script": {
    "source": """
        ctx._source['security-rule']['alert_suppression'] = [
        'group_by': ['agent.hostname'],
        'missing_fields_strategy': 'suppress'
      ];
    """,
    "lang": "painless"
  },
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "type": {
              "value": "security-rule"
            }
          }
        },
        {
          "term": {
            "security-rule.rule_id": {
              "value": "0564fb9d-90b9-4234-a411-82a546dc1343"
            }
          }
        },
        {
          "term": {
            "security-rule.version": {
              "value": "111"
            }
          }
        }
      ]
    }
  }
}
```

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
  • Loading branch information
@jpdjere
jpdjere authored Oct 11, 2024
1 parent e4dec39 commit ed144bd
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions ...ity_solution/public/detection_engine/rule_management/components/rule_details/constants.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ export const ABOUT_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = [
'description',
'author',
'building_block',
'investigation_fields',
'severity',
'severity_mapping',
'risk_score',
Expand Down Expand Up @@ -52,6 +53,7 @@ export const DEFINITION_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = [
'new_terms_fields',
'history_window_start',
'max_signals',
'alert_suppression',
];

export const SCHEDULE_UPGRADE_FIELD_ORDER: Array<keyof DiffableAllFields> = ['rule_schedule'];
Expand Down

0 comments on commit ed144bd

Please sign in to comment.