[Security Solution] Account for missing base rule versions in is_customized calculation #213250
+310
−235
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
xcrzx
force-pushed
the
import-rule-source
branch
from
3d19755 to
f4f7ff1
Compare
xcrzx
added
v9.0.0
Feature:Prebuilt Detection Rules
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
xcrzx
force-pushed
the
import-rule-source
branch
from
f4f7ff1 to
24cdb9a
Compare
maximpn
approved these changes
Mar 6, 2025
Comment on lines
+182
to
+183
| // No base version | ||
| prebuiltRuleAssetClient.fetchAssetsByVersion.mockResolvedValueOnce([]); |
There was a problem hiding this comment.
nit: It feels like this line could potentially be forgotten when adding new tests. Maybe move it to beforeEach()?
| ruleCustomizationStatus, | ||
| }: CalculateRuleSourceProps): Promise<RuleSource> { | ||
| if (rule.immutable) { | ||
| if (nextRule.immutable) { |
There was a problem hiding this comment.
nit: Inverse logic and early exit will make this function a bit simpler
if (!nextRule.immutable) {
return {
type: 'internal',
};
}
...
Comment on lines
32
to
33
| prebuiltRuleAssetsByRuleId, | ||
| isKnownPrebuiltRule, |
There was a problem hiding this comment.
nit: It could be simplified by having only prebuiltRuleAssets: PrebuiltRuleAsset | undefined matching the rule version instead of isKnownPrebuiltRule and prebuiltRuleAssetsByRuleId .
| @@ -26,31 +27,44 @@ import { convertRuleToImportToRuleResponse } from './converters/convert_rule_to_ | |||
| * @returns The calculated rule_source and immutable fields for the rule | |||
| */ | |||
| export const calculateRuleSourceForImport = ({ | |||
| rule, | |||
| importedRule, | |||
There was a problem hiding this comment.
nit: It doesn't look like a has been imported when this function is invoked. A name like ruleToImport or beingImportedRule feels like resonating better.
| }); | ||
| }); | ||
|
|
||
| it('calculates as non modified external type if an asset is found without a matching version and current rule present without changes', () => { |
There was a problem hiding this comment.
There is a missing scenario covering that is_customized: true is preserved when imported rule matches with the current.
| @@ -271,7 +271,7 @@ export default ({ getService }: FtrProviderContext): void => { | |||
| expect(importedRule).toMatchObject({ | |||
| rule_id: rule.rule_id, | |||
| version: 9999, | |||
| rule_source: { type: 'external', is_customized: true }, | |||
| rule_source: { type: 'external', is_customized: false }, | |||
There was a problem hiding this comment.
nit: It doesn't look like something besides version should be in that assertion.
| private ruleCustomizationStatus: PrebuiltRulesCustomizationStatus; | ||
| private latestPackagesInstalled: boolean = false; | ||
| private matchingAssetsByRuleId: Record<string, PrebuiltRuleAsset> = {}; | ||
| private knownRules: RuleSpecifier[] = []; | ||
| private currentRulesById: Record<string, RuleResponse> = {}; |
There was a problem hiding this comment.
Suggested change
| private currentRulesById: Record<string, RuleResponse> = {}; | |
| private currentRulesById: Record<RuleSignatureId, RuleResponse> = {}; |
| @@ -165,11 +176,18 @@ export class RuleSourceImporter implements IRuleSourceImporter { | |||
| }, {}); | |||
| } | |||
|
|
|||
| private async fetchInstalledRulesByIds(ruleIds: string[]): Promise<Record<string, RuleResponse>> { | |||
There was a problem hiding this comment.
nit: Add Map to the name for clarity
Suggested change
| private async fetchInstalledRulesByIds(ruleIds: string[]): Promise<Record<string, RuleResponse>> { | |
| private async fetchInstalledRulesMapByIds(ruleIds: string[]): Promise<Record<RuleSignatureId, RuleResponse>> { |
|
Starting backport for target branches: 8.18, 8.x, 9.0 https://github.com/elastic/kibana/actions/runs/13705510140 |
💚 Build Succeeded
Metrics [docs]
History
cc @xcrzx |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 6, 2025
…omized calculation (elastic#213250) **Partially addresses: elastic#210358 ## Summary ### Editing of prebuilt rules with missing base versions **When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule: - We should mark the rule as customized, only if the new rule settings are different from the current rule settings. - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior. - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior. ### Importing of prebuilt rules with missing base versions **When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule: - If this rule is not installed, it should be created with `is_customized` field set to `false`. - If this rule is already installed, it should be updated. - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule. - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule. (cherry picked from commit 87e7cd9)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 6, 2025
…omized calculation (elastic#213250) **Partially addresses: elastic#210358 ## Summary ### Editing of prebuilt rules with missing base versions **When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule: - We should mark the rule as customized, only if the new rule settings are different from the current rule settings. - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior. - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior. ### Importing of prebuilt rules with missing base versions **When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule: - If this rule is not installed, it should be created with `is_customized` field set to `false`. - If this rule is already installed, it should be updated. - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule. - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule. (cherry picked from commit 87e7cd9)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
banderror
pushed a commit
to banderror/kibana
that referenced
this pull request
Mar 6, 2025
…omized calculation (elastic#213250) **Partially addresses: elastic#210358 ## Summary ### Editing of prebuilt rules with missing base versions **When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule: - We should mark the rule as customized, only if the new rule settings are different from the current rule settings. - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior. - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior. ### Importing of prebuilt rules with missing base versions **When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule: - If this rule is not installed, it should be created with `is_customized` field set to `false`. - If this rule is already installed, it should be updated. - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule. - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule. (cherry picked from commit 87e7cd9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
banderror
pushed a commit
that referenced
this pull request
Mar 6, 2025
…s_customized calculation (#213250) (#213462) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)](#213250) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Dmitrii Shevchenko","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-06T18:22:17Z","message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Account for missing base rule versions in is_customized calculation","number":213250,"url":"https://github.com/elastic/kibana/pull/213250","mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213250","number":213250,"mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Dmitrii Shevchenko <[email protected]>
banderror
pushed a commit
that referenced
this pull request
Mar 6, 2025
…is_customized calculation (#213250) (#213460) # Backport This will backport the following commits from `main` to `8.18`: - [[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)](#213250) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Dmitrii Shevchenko","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-06T18:22:17Z","message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Account for missing base rule versions in is_customized calculation","number":213250,"url":"https://github.com/elastic/kibana/pull/213250","mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213250","number":213250,"mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Dmitrii Shevchenko <[email protected]>
banderror
added a commit
that referenced
this pull request
Mar 6, 2025
…s_customized calculation (#213250) (#213466) # Backport This will backport the following commits from `main` to `9.0`: - [[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)](#213250) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Dmitrii Shevchenko","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-06T18:22:17Z","message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Account for missing base rule versions in is_customized calculation","number":213250,"url":"https://github.com/elastic/kibana/pull/213250","mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},"sourceBranch":"main","suggestedTargetBranches":["9.0"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/213460","number":213460,"state":"OPEN"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213250","number":213250,"mergeCommit":{"message":"[Security Solution] Account for missing base rule versions in is_customized calculation (#213250)\n\n**Partially addresses: https://github.com/elastic/kibana/issues/210358**\n\n## Summary\n\n### Editing of prebuilt rules with missing base versions\n\n**When the base version** of a currently installed prebuilt rule **is missing** among the `security-rule` asset saved objects, and the user edits this rule:\n\n- We should mark the rule as customized, only if the new rule settings are different from the current rule settings.\n - For example, adding a new tag should mark the rule as customized. Then, if the user removes this tag, the rule should remain to be marked as customized. This matches the current behavior.\n - However, if the user saves the rule without making any changes to it, it should keep its `is_customized` field as is. This is different from the current behavior.\n\n### Importing of prebuilt rules with missing base versions\n\n**When the base version** of a prebuilt rule that is being imported **is missing** among the `security-rule` asset saved objects, and the user imports this rule:\n\n- If this rule is not installed, it should be created with `is_customized` field set to `false`.\n- If this rule is already installed, it should be updated.\n - Its `is_customized` field should be set to `true` if the rule from the import payload is not equal to the installed rule.\n - Its `is_customized` field should be be kept unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.","sha":"87e7cd94d1d649596dc0f23bf4cf730704fb4845"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/213462","number":213462,"state":"OPEN"}]}] BACKPORT--> Co-authored-by: Dmitrii Shevchenko <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Partially addresses: #210358
Summary
Editing of prebuilt rules with missing base versions
When the base version of a currently installed prebuilt rule is missing among the
security-ruleasset saved objects, and the user edits this rule:is_customizedfield as is. This is different from the current behavior.Importing of prebuilt rules with missing base versions
When the base version of a prebuilt rule that is being imported is missing among the
security-ruleasset saved objects, and the user imports this rule:is_customizedfield set tofalse.is_customizedfield should be set totrueif the rule from the import payload is not equal to the installed rule.is_customizedfield should be be kept unchanged (falseortrue) if the rule from the import payload is equal to the installed rule.