[Security Solution] Stream-based installation of the package with prebuilt rules #192350
Labels
8.16 candidate
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules
performance
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Related to: #187646
Summary
The Fleet team won't be able to implement stream-based package installation by mid October, which means we will need to implement it on our side to complete Milestone 3 in time.
Rough plan:
bootstrap endpoint. The key point is that the implementation will be entirely on the Security Solution side.
savedObject.import to savedObject.bulkCreate for better memory efficiency.
Details
An important note here is that we'll be using the EPR API directly to fetch package information and download package content (or read from disk if it's prebundled). To ensure compatibility with Fleet, we'll reuse the package saved object type, so even if the package is installed through the Security Solution endpoint, it will still be visible in the Integrations UI. The detection rules package will remain installable and upgradeable via Fleet's UI, but this will not be the recommended method. In Security Solution, we'll exclusively use the new installation endpoint.