[Security Solution] Allow users to edit related_integrations field for custom rules #178295
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Resolves: #173595
Summary
This PR adds the ability to add and edit a custom rule's related integrations. This functionality is necessary to start working on Prebuilt Rule Customization Epic Milestone 3.
Details
A rule's related integrations represent optional dependencies on Elastic integrations to ingest data. Currently a prebuilt rule's related integrations are shown on the rule details page. This information contains the integration's name, installation status and a version mismatch warning when the related integration's version dependency doesn't match the installed integration's version. A subset of Semver is used to specify the version dependency. Elastic prebuilt rules use only caret syntax like `^1.2.3`.

To make it possible to add and edit related integrations for custom rules the following has been done

- `/internal/detection_engine/fleet/integrations/all` has been added. It returns the full list of available integrations containing title, latest available version and installed version if available. This is necessary to display an options list where users can pick a desired integration. Since some Elastic Prebuilt rules depend not only on integrations from the `security` category, this endpoint returns all available integrations (not only related to Security Solution).
- Related Integrations form controls
- `create`/`patch`/`update`/`export`/`import` with related integrations
- Integration installation status

Integration installation status

Integration installation status has been adjusted. The following statuses are shown

- `Enabled` for installed and enabled integrations. Enabled integrations are detected by checking Elastic Agent policies for the presence of such an integration. It's not guaranteed the policy is picked up by agents and data is being ingested.
- `Disabled` for installed and disabled integrations. An agent policy containing such an integration isn't found.
- `Not installed` for not installed integrations.

When an integration is missing from the `/internal/detection_engine/fleet/integrations/all` result it's considered as unknown.

Version dependency

Semver allows a wide range of version range declarations. Such flexibility will complicate constructing an integration link on the rule details page. Since Elastic Prebuilt rules use only caret version dependencies like `^1.2.3`, a related integration's version dependency is limited to a subset of semver semantics. The following is supported

- `1.2.3`
- `~1.2.3`
- `^1.2.3`
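The installation statuses and the restricted version dependency described above, as an added TypeScript example that is not part of this PR or of Kibana's code. It derives the status a rule details page would show (`Enabled`, `Disabled`, `Not installed`, unknown) and the version mismatch flag from a constructed catalog standing in for the `/internal/detection_engine/fleet/integrations/all` response. The function names, the catalog field names (`name`, `latestVersion`, `installedVersion`, `inAgentPolicy`) and the sample data are assumptions; the caret and tilde ranges use standard node-semver semantics, which the PR description does not spell out.

```typescript
// Added example, not Kibana's own code: models the two checks the PR describes
// for a rule's related integrations: the installation status shown on the rule
// details page and the version mismatch warning. Caret/tilde semantics follow
// standard node-semver rules (an assumption; the page only lists the three forms).

type Version = [number, number, number];

// Only full "major.minor.patch" versions are accepted; the PR's subset has no wildcards.
function parseVersion(v: string): Version {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a full semver version: "${v}"`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translates "1.2.3", "~1.2.3" or "^1.2.3" into an inclusive lower bound and an
// exclusive upper bound (upper === null means an exact match is required).
function parseDependency(dep: string): { lower: Version; upper: Version | null } {
  const text = dep.trim();
  const op = text.startsWith('^') || text.startsWith('~') ? text[0] : '';
  const lower = parseVersion(op ? text.slice(1) : text);
  const [major, minor, patch] = lower;
  if (op === '') return { lower, upper: null };
  if (op === '~') return { lower, upper: [major, minor + 1, 0] }; // patch-level changes only
  // caret: anything that keeps the left-most non-zero component unchanged
  if (major > 0) return { lower, upper: [major + 1, 0, 0] };
  if (minor > 0) return { lower, upper: [0, minor + 1, 0] };
  return { lower, upper: [0, 0, patch + 1] };
}

function satisfiesDependency(installed: string, dep: string): boolean {
  const { lower, upper } = parseDependency(dep);
  const v = parseVersion(installed);
  if (upper === null) return compareVersions(v, lower) === 0;
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Shape of one entry from the integrations list; field names are assumed, not the endpoint's.
interface AvailableIntegration {
  name: string;
  latestVersion: string;
  installedVersion?: string;
  inAgentPolicy: boolean; // some Elastic Agent policy includes this integration
}

// A rule's related_integrations entry (package and version are the real field names).
interface RelatedIntegration {
  package: string;
  version: string;
}

type IntegrationStatus = 'Enabled' | 'Disabled' | 'Not installed' | 'Unknown';

function relatedIntegrationStatus(
  related: RelatedIntegration,
  available: AvailableIntegration[]
): { status: IntegrationStatus; versionMismatch: boolean } {
  const pkg = available.find((a) => a.name === related.package);
  if (!pkg) return { status: 'Unknown', versionMismatch: false }; // absent from the /all result
  if (!pkg.installedVersion) return { status: 'Not installed', versionMismatch: false };
  const status: IntegrationStatus = pkg.inAgentPolicy ? 'Enabled' : 'Disabled';
  // Enabled only means a policy references it; it says nothing about data actually flowing.
  return { status, versionMismatch: !satisfiesDependency(pkg.installedVersion, related.version) };
}

// Constructed sample catalog standing in for the /all response.
const sampleCatalog: AvailableIntegration[] = [
  { name: 'aws', latestVersion: '2.1.0', installedVersion: '1.5.2', inAgentPolicy: true },
  { name: 'okta', latestVersion: '1.8.0', installedVersion: '1.8.0', inAgentPolicy: false },
  { name: 'gcp', latestVersion: '2.0.0', inAgentPolicy: false },
];
```

With this catalog, `relatedIntegrationStatus({ package: 'aws', version: '^1.2.3' }, sampleCatalog)` yields `Enabled` with no mismatch, while `{ package: 'okta', version: '~1.7.0' }` yields `Disabled` with a mismatch because `1.8.0` falls outside `>=1.7.0 <1.8.0`. Rejecting anything other than the three supported forms at parse time is what keeps the integration link on the details page easy to construct, which is the reason the PR gives for restricting the subset.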
Misc

The `/internal/detection_engine/fleet/integrations/installed` endpoint hasn't been removed. We need to make sure it's not needed anymore.

Flaky test runner results

Screenshots