
[Security Solution] Allow users to edit related_integrations field for custom rules #178295

Merged (56 commits) on May 2, 2024

Conversation

@maximpn (Contributor) commented Mar 8, 2024

Resolves: #173595

Summary

This PR adds the ability to add and edit a custom rule's related integrations. This functionality is necessary to start working on Prebuilt Rule Customization Epic Milestone 3.

Details

A rule's related integrations represent optional dependencies on Elastic integrations that ingest data. Currently, a prebuilt rule's related integrations are shown on the rule details page. This information contains the integration's name, installation status and a version mismatch warning when the related integration's version dependency doesn't match the installed integration's version. A subset of Semver is used to specify the version dependency. Elastic prebuilt rules use only caret syntax like ^1.2.3.

To make it possible to add and edit related integrations for custom rules, the following has been done:

  • New internal endpoint /internal/detection_engine/fleet/integrations/all has been added. It returns the full list of available integrations containing title, latest available version and installed version if available. This is necessary to display an options list where users can pick a desired integration. Since some Elastic Prebuilt rules depend not only on integrations from the security category, this endpoint returns all available integrations (not only those related to Security Solution).
  • Rule create form has been adjusted by adding Related Integrations form controls
  • Rule edit form has been adjusted by adding Related Integrations form controls
  • Related integrations installation status has been adjusted to conform with the design
  • Functional Jest tests have been added
  • Functional tests have been added to make sure it's possible to (bulk) create/patch/update/export/import with related integrations
  • A limited number of Cypress tests have been added

Integration installation status

Integration installation status has been adjusted. The following statuses are shown:

  • Enabled for installed and enabled integrations. Enabled integrations are detected by checking Elastic Agent policies for the presence of such an integration. It's not guaranteed that the policy is picked up by agents and that data is being ingested.
  • Disabled for installed and disabled integrations. No agent policy containing such an integration is found.
  • Not installed for not installed integrations.
  • Nothing is shown for unknown integrations. If no such integration is found in the /internal/detection_engine/fleet/integrations/all result, it's considered unknown.

Version dependency

Semver allows a wide range of version range declarations. Such flexibility would complicate constructing an integration link on the rule details page. Since Elastic Prebuilt rules use only caret version dependencies like ^1.2.3, a related integration's version dependency is limited to a subset of semver semantics. The following is supported:

  • A plain version dependency e.g. 1.2.3
  • Tilde version dependency e.g. ~1.2.3
  • Caret version dependency e.g. ^1.2.3

Misc

Flaky test runner results

Screenshots

(Seven screenshots of the related integrations form controls and rule details page, captured 2024-04-16; images not reproduced here.)
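The two passages above (installation status, and the plain / tilde / caret version dependency subset) can be exercised together. The following is an added TypeScript example, not Kibana's own code: it parses a dependency string in the supported subset, checks it against an installed integration version, and derives the status and mismatch flag the rule details page would show. The assumptions are that a plain version such as 1.2.3 means an exact match, that ~ and ^ follow npm semver range semantics, that only full x.y.z versions are accepted, and that the KnownIntegration shape and the status names are the example's own, not the endpoint's response schema.

```typescript
// Added example (not Kibana code). Assumes plain "x.y.z" is an exact match and
// "~" / "^" follow npm semver range semantics; only full x.y.z versions are accepted.

interface Version { major: number; minor: number; patch: number }
type Operator = "exact" | "tilde" | "caret";
interface Dependency { op: Operator; version: Version }

// Prerelease tags, wildcards and ">=" style ranges are outside the supported
// subset, so they are rejected rather than guessed at.
function parseVersion(raw: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(raw.trim());
  if (m === null) throw new Error(`unsupported version "${raw}": expected x.y.z`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function parseDependency(raw: string): Dependency {
  const s = raw.trim();
  if (s.startsWith("^")) return { op: "caret", version: parseVersion(s.slice(1)) };
  if (s.startsWith("~")) return { op: "tilde", version: parseVersion(s.slice(1)) };
  return { op: "exact", version: parseVersion(s) };
}

// Negative / zero / positive, like a comparator; the first non-zero field wins.
function compare(a: Version, b: Version): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound of a tilde or caret range (npm semantics):
//   ~x.y.z -> < x.(y+1).0
//   ^x.y.z -> < (x+1).0.0;  ^0.y.z -> < 0.(y+1).0;  ^0.0.z -> < 0.0.(z+1)
function upperBound(dep: Dependency): Version {
  const { major, minor, patch } = dep.version;
  if (dep.op === "exact") throw new Error("exact dependency has no range");
  if (dep.op === "caret" && major > 0) return { major: major + 1, minor: 0, patch: 0 };
  if (dep.op === "caret" && minor === 0) return { major: 0, minor: 0, patch: patch + 1 }; // ^0.0.z
  return { major, minor: minor + 1, patch: 0 }; // ~x.y.z, or ^0.y.z with y > 0
}

// True when the installed version satisfies the rule's dependency string.
function satisfies(installed: string, dependency: string): boolean {
  const dep = parseDependency(dependency);
  const v = parseVersion(installed);
  if (dep.op === "exact") return compare(v, dep.version) === 0;
  return compare(v, dep.version) >= 0 && compare(v, upperBound(dep)) < 0;
}

// Hypothetical reduced view of one entry from the integrations list endpoint.
// `enabledInPolicy` stands for "an agent policy containing this integration exists",
// which is how the PR defines Enabled (it does not prove data is being ingested).
interface KnownIntegration { installedVersion?: string; enabledInPolicy: boolean }

type Status = "enabled" | "disabled" | "not_installed" | "unknown";
interface RelatedIntegrationView { status: Status; versionMismatch: boolean }

// `known` is undefined when the integration is absent from the endpoint result.
function describeRelatedIntegration(
  dependency: string,
  known: KnownIntegration | undefined,
): RelatedIntegrationView {
  if (known === undefined) return { status: "unknown", versionMismatch: false };
  if (known.installedVersion === undefined) return { status: "not_installed", versionMismatch: false };
  return {
    status: known.enabledInPolicy ? "enabled" : "disabled",
    versionMismatch: !satisfies(known.installedVersion, dependency),
  };
}

// Constructed sample: a rule depending on ^1.2.3 with a 2.0.1 install in a policy.
const sample = describeRelatedIntegration("^1.2.3", { installedVersion: "2.0.1", enabledInPolicy: true });
console.log(sample); // { status: 'enabled', versionMismatch: true }
```

Note that a plain dependency is treated as exact, so 1.2.4 does not satisfy 1.2.3; a UI that wants "at least this version" semantics should emit ^ or ~ rather than a bare version.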

@maximpn added the labels enhancement (New value added to drive a business result), impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), release_note:feature (Makes this part of the condensed release notes), Feature:Rule Management (Security Solution Detection Rule Management area), Team:Detection Rule Management (Security Detection Rule Management Team) and v8.14.0 on Mar 8, 2024
@maximpn self-assigned this Mar 8, 2024
@maximpn force-pushed the edit-related-integrations branch from 42c3e83 to f2c8c8b on March 13, 2024 19:55
@maximpn force-pushed the edit-related-integrations branch 4 times, most recently from bdd588a to e4a9f86 on April 5, 2024 15:01
@maximpn force-pushed the edit-related-integrations branch 3 times, most recently from 41a03b5 to 166e94f on April 8, 2024 11:09
@maximpn changed the title from "[Security Solution][WIP] Allow users to edit related_integrations field for custom rules" to "[Security Solution] Allow users to edit related_integrations field for custom rules" on Apr 9, 2024
@maximpn force-pushed the edit-related-integrations branch 2 times, most recently from 596bc6b to 1763ca1 on April 9, 2024 13:09
@maximpn marked this pull request as ready for review April 9, 2024 14:03
@maximpn requested review from a team as code owners April 9, 2024 14:03
@elasticmachine (Contributor) commented:

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@maximpn requested a review from nikitaindik April 9, 2024 14:03
@maximpn force-pushed the edit-related-integrations branch from 7f08e43 to 82acefe on May 2, 2024 11:08
@kibana-ci (Collaborator) commented May 2, 2024

💚 Build Succeeded

Metrics

Module Count

Fewer modules leads to a faster build time

id                before   after    diff
securitySolution  5466     5477     +11

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before   after    diff
lists             141.1KB  141.2KB  +72.0B
securitySolution  13.7MB   13.7MB   +9.6KB
total                               +9.7KB

Canvas Sharable Runtime

The Canvas "shareable runtime" is a bundle produced to enable running Canvas workpads outside of Kibana. This bundle is included in third-party webpages that embed canvas and therefore should be as slim as possible.

id                before   after    diff
module count      -        5407     +5407
total size        -        9.1MB    +9.1MB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id                before   after    diff
core              407.0KB  407.1KB  +72.0B

History

  • 💚 Build #207415 succeeded 7f08e435829357c98f02c0f959837afe469b5912
  • 💛 Build #207383 was flaky 395aceab6cc29050d2018b005da153a7e19650e8
  • 💔 Build #207309 failed 71cc73280b62fd293c1137bcbc3b9eb58ef6bb7f
  • 💔 Build #207145 failed ca049ffd16757104bc5009e202d26a01b350d6f5
  • 💔 Build #207060 failed d41c45f00edfd6c2878222b551ee66b350c035b2

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @maximpn

Labels
backport:skip (This commit does not require backporting), enhancement (New value added to drive a business result), Feature:Rule Creation (Security Solution Detection Rule Creation workflow), Feature:Rule Edit (Security Solution Detection Rule Editing workflow), release_note:feature (Makes this part of the condensed release notes), Team:Detection Rule Management (Security Detection Rule Management Team), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), v8.15.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security Solution] Allow users to edit related_integrations field for custom rules
10 participants