[Security Solution] Write an RFC for customizing prebuilt rules #171309
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
RFC draft link: https://docs.google.com/document/d/1uUkcCGo7wgI7CjQauZrk7EE7tqN6OhOMRm-1I10eAEg/edit (internal) UPDATE: moved to PR
@jpdjere Just checking what items from the Do software design for:
Document this software design in an RFC. The RFC should answer the following questions:
Misc:
#171856 Resolves: #171309
## Summary
- Creates an RFC for Milestone 3 of the Prebuilt Rules Customization, including:
  - rule schema changes
  - mappings
  - migration strategy and technical implementation
  - exporting and importing rules
  - schema-related changes needed in endpoints
  - calculation of `isCustomized` field on endpoints that update/patch rules
  - additional changes needed to `/upgrade/_review` and `/upgrade/_perform` endpoints
  - concrete diff algorithms
  - UI changes
- Creates `x-pack/plugins/security_solution/docs/rfcs/detection_response` folder and adds it to CODEOWNER file, with owners the Detection Engine and Rule Management teams.
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
We've been designing and implementing the new workflows of installing and upgrading prebuilt rules, keeping in mind that the upgrade rule workflow should support upgrading those prebuilt rules that the user will customize. The gaps as of today are:
We need to come up with an understanding of how this all should work and cover the gaps mentioned above.
Todo
Do software design for:
Document this software design in an RFC. The RFC should answer the following questions:
`security-rule`
? `upgrade/_review` and `upgrade/_perform` endpoints we should make? In terms of both their API contract and internal implementation.
Misc:
Prior art
For context, please refer to the following previously written artifacts:
RFC
The RFC is being worked on in #171856. We will need to find a place for permanently storing it in some docs and having an easy way for accessing it.