[Security Solution] Discuss rule fields in the context of the prebuilt rule upgrade workflow

[banderror]

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Forked from: #144060

Summary

We need to figure out what rule fields we’re going to show in the rule upgrade flyout.

• Which fields will be "customizable" (the user will be able to see a diff and resolve conflicts in the flyout)?
• Which fields will be "technical" (we will handle their update under the hood)?

You can see a detailed breakdown of all the existing rule fields below. They are categorized by multiple dimensions which will hopefully help us with reasoning about each field and making decisions.

Please scroll down to find fields to pay attention to and discuss.

Rule fields

Kind:

• Technical: is needed for the app to work
• Domain: is needed for the users' use cases and/or detection rule business logic to work

Change:

• Static: changes at least once (e.g. on rule creation) or at most every time a user updates this field in a rule
• Dynamic: may change often and/or in the background without any user actions

Level:

• Framework: defined at the Alerting Framework level, is known to the Framework, is common to many rule types including Observability and Stack rules
• Solution: defined on the Security Solution side, in most cases stored in the rule params object
• Both: defined at both levels simultaneously (sometimes it's one part at the Framework and another one at the Solution level)

Prebuilt?

• ✅: supported by the prebuilt rule schema and can be specified in https://github.com/elastic/detection-rules
• ✅ (unused): supported by the schema but is not used in https://github.com/elastic/detection-rules
• ✅⁉️: supported by the schema but probably shouldn't be
• ✅⁉️ (unused): supported by the schema but probably shouldn't be + not used in https://github.com/elastic/detection-rules
• ❌: is specific to the app and not supported by the prebuilt rule schema

User editable?

• Editable: currently, users can create and update the field via the UI or the API
• Editable (1): currently, users can specify this field only once during rule creation, they cannot update it after a rule is created
• Editable (no UI): currently, users can create and update the field only via the API
• Readonly: currently, users can only read the field

Customizable?

• ✅: users will be able to edit this field in prebuilt rules and then be able to resolve potential conflicts during the rule upgrade process (the field will be visible in the rule upgrade UI)
• ⚙️ (auto): users will be able to edit this field in prebuilt rules, but conflicts during the rule upgrade process will be resolved automatically under the hood (the field won't be visible in the rule upgrade UI)
• ❌: users won't be able to edit this field in prebuilt rules (the field won't be visible in the rule upgrade UI)

Fields common to all rule types

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
Main technical fields
id	Technical	Static	Framework	❌	Readonly	❌
rule_id	Technical	Static	Solution	✅	Readonly	❌
created_at	Technical	Static	Framework	❌	Readonly	❌
created_by	Technical	Static	Framework	❌	Readonly	❌
updated_at	Technical	Static	Framework	❌	Readonly	❌
updated_by	Technical	Static	Framework	❌	Readonly	❌
immutable	Technical	Static	Solution	❌	Readonly	❌
version	Technical	Static	Solution	✅	Readonly	❌
revision	Technical	Static	Framework	✅	Readonly	❌
enabled	Technical	Static	Framework	✅	Editable	⚙️ (auto)
execution_summary	Technical	Dynamic	Both	❌	Readonly	❌
meta	Technical	Static	Solution	✅⁉️(unused)	Editable (no UI)	⚙️ (auto)
Attributes related to SavedObjectsClient.resolve API
outcome	Technical	Dynamic	Framework	✅⁉️(unused)	Readonly	❌
alias_target_id	Technical	Dynamic	Framework	✅⁉️(unused)	Readonly	❌
alias_purpose	Technical	Dynamic	Framework	✅⁉️(unused)	Readonly	❌
Main domain fields
type	Domain	Static	Both	✅	Editable (1)	❌
name	Domain	Static	Framework	✅	Editable	✅
tags	Domain	Static	Framework	✅	Editable	✅
description	Domain	Static	Solution	✅	Editable	✅
severity	Domain	Static	Solution	✅	Editable	✅
severity_mapping	Domain	Static	Solution	✅	Editable	✅
risk_score	Domain	Static	Solution	✅	Editable	✅
risk_score_mapping	Domain	Static	Solution	✅	Editable	✅
About -> Advanced settings
references - reference URLs	Domain	Static	Solution	✅	Editable	✅
false_positives - false positive examples	Domain	Static	Solution	✅	Editable	✅
threat - MITRE ATT&CK classification	Domain	Static	Solution	✅	Editable	✅
note - investigation guide	Domain	Static	Solution	✅	Editable	✅
setup - setup guide	Domain	Static	Solution	✅	Readonly	❌ ?
related_integrations	Domain	Static	Solution	✅	Readonly	❌ ?
required_fields	Domain	Static	Solution	✅	Readonly	❌ ?
author	Domain	Static	Solution	✅	Editable	❌
license	Domain	Static	Solution	✅	Editable	❌
building_block_type	Domain	Static	Solution	✅	Editable	✅
rule_name_override	Domain	Static	Solution	✅	Editable	✅
timestamp_override	Domain	Static	Solution	✅	Editable	✅
timestamp_override_fallback_disabled	Domain	Static	Solution	✅ (unused)	Editable	✅
Timeline template
timeline_id	Domain	Static	Solution	✅	Editable	✅
timeline_title	Domain	Static	Solution	✅	Editable	✅
Rule schedule
interval	Domain	Static	Framework	✅	Editable	✅
from	Domain	Static	Solution	✅	Editable	✅
to	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
Rule actions
actions	Domain	Static	Framework	✅⁉️ (unused)	Editable	⚙️ (auto) ?
throttle	Domain	Static	Framework	✅⁉️ (unused)	Editable	⚙️ (auto) ?
Rule exceptions
exceptions_list	Domain	Static	Solution	✅	Editable (extra UI)	⚙️ (auto) ?
Alerts indexing
max_signals - cirquit breaker	Domain	Static	Solution	✅	Editable (no UI)	?
output_index - deprecated and unused?	Domain	Static	Solution	✅⁉️ (unused)	Editable (no UI)	?
namespace - unused?	Domain	Static	Solution	✅⁉️ (unused)	Editable (no UI)	?

Fields specific to Custom Query and Saved Query rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
index	Domain	Static	Solution	✅	Editable	✅
data_view_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	Editable	✅
filters	Domain	Static	Solution	✅	Editable	✅
saved_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
response_actions	Domain	Static	Solution	✅⁉️ (unused)	Editable	⚙️ (auto) ?
alert_suppression	Domain	Static	Solution	✅ (unused)	Editable	✅

Fields specific to EQL rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
index	Domain	Static	Solution	✅	Editable	✅
data_view_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	❌	❌
filters	Domain	Static	Solution	✅	Editable	✅
event_category_override	Domain	Static	Solution	✅ (unused)	Editable	✅
timestamp_field	Domain	Static	Solution	✅ (unused)	Editable	✅
tiebreaker_field	Domain	Static	Solution	✅ (unused)	Editable	✅

Fields specific to Indicator Match rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
index	Domain	Static	Solution	✅	Editable	✅
data_view_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	Editable	✅
filters	Domain	Static	Solution	✅	Editable	✅
saved_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
threat_query	Domain	Static	Solution	✅	Editable	✅
threat_mapping	Domain	Static	Solution	✅	Editable	✅
threat_index	Domain	Static	Solution	✅	Editable	✅
threat_filters	Domain	Static	Solution	✅	Editable	✅
threat_indicator_path	Domain	Static	Solution	✅	Editable	✅
threat_language	Domain	Static	Solution	✅	Editable	✅
concurrent_searches	Domain	Static	Solution	✅ (unused)	Editable (no UI)	?
items_per_search	Domain	Static	Solution	✅ (unused)	Editable (no UI)	?
alert_suppression	Domain	Static	Solution	✅ (unused)	Editable	✅

Fields specific to Threshold rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
index	Domain	Static	Solution	✅	Editable	✅
data_view_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	Editable	✅
filters	Domain	Static	Solution	✅	Editable	✅
saved_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
threshold	Domain	Static	Solution	✅	Editable	✅

Fields specific to Machine Learning rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
machine_learning_job_id	Domain	Static	Solution	✅	Editable	✅
anomaly_threshold	Domain	Static	Solution	✅	Editable	✅

Fields specific to New Terms rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
index	Domain	Static	Solution	✅	Editable	✅
data_view_id	Domain	Static	Solution	✅⁉️ (unused)	Editable	✅
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	Editable	✅
filters	Domain	Static	Solution	✅	Editable	✅
new_terms_fields	Domain	Static	Solution	✅	Editable	✅
history_window_start	Domain	Static	Solution	✅	Editable	✅

Fields specific to ES|QL Rules

Field name	Kind	Change	Level	Prebuilt?	User editable?	Customizable?
query	Domain	Static	Solution	✅	Editable	✅
language	Domain	Static	Solution	✅	❌	❌

Rule fields to discuss

Fields common to all rule types:

• type ― Confirm that we're not going to support changing the rule type on upgrade.
• related_integrations, required_fields, setup ― These can be specified in https://github.com/elastic/detection-rules but we don't support editing them in the app. Since we don't have UI for editing them, I'm wondering if it's time to finally build it. When we build the UI we will be able to support these fields in the rule upgrade flyout.
• author, license ― Are we going to allow the user to customize these? Could there be any legal restrictions on that?
• actions, throttle ― We allow the user to specify actions for installed prebuilt rules, but no prebuilt rules actually have actions in https://github.com/elastic/detection-rules. Can we remove support for actions from the prebuilt rule schema and handle the upgrade for these 2 fields under the hood (always take the current user's version)?
• exceptions_list ― We allow the user to specify exceptions for installed prebuilt rules, but only one prebuilt rule actually have exceptions in https://github.com/elastic/detection-rules. It's the "Endpoint Security" rule. How should we handle potential conflicts between Elastic's and user's versions of this field? Can we use some simple heuristic and handle this under the hood instead of building some kind of UI?
• max_signals ― This is a circuit breaker value. A few prebuilt rules have it in https://github.com/elastic/detection-rules. Users can modify it via the API. We don't have a UI for it. How do we resolve conflicts in this field?
• output_index ― This is a name of a concrete target index where the rule is supposed to write alerts. I believe this field is deprecated and unused in the app. No prebuilt rules have it in https://github.com/elastic/detection-rules. Users can still modify it via the API because it's in the schema. I don't think we have a UI for it. What should we do with this field?
• namespace ― This is a namespace (a suffix) of the alerts-as-data index where the rule is supposed to write alerts. AFAIR this is a replacement for output_index but it looks to be unused in the app. No prebuilt rules have it in https://github.com/elastic/detection-rules. Users can still modify it via the API because it's in the schema. I don't think we have a UI for it. What should we do with this field?

Fields specific to Custom Query and Saved Query rules:

• response_actions ― This is fully user-editable and supported by the prebuilt rule schema, but no prebuilt rules have it in https://github.com/elastic/detection-rules. Our suggestion would be to remove it from the schema and handle it under the hood of the upgrade workflow.

Fields specific to EQL rules:

• language ― Specifically for EQL rules, do we allow the user to change this? From the rule schema, it looks like this can accept only one value: "eql".
  • EDIT: No, we don't want users to be able to change language for EQL (and neither for ES|QL) rules. Language should be eql and esql respectively. The field might change if a rule changes its type from an upstream update, but a user should not be able to manually force this.

Fields specific to Indicator Match rules:

• threat_indicator_path ― What is this field used for? Do we have a UI for it? A few prebuilt rules have it in https://github.com/elastic/detection-rules.
  • EDIT: corresponds to Indicator prefix override field, is currently editable in the UI and should be customizable.
• concurrent_searches ― This one is user-editable via API but we have no UI for it. No prebuilt rules have it in https://github.com/elastic/detection-rules. How should we handle it in the upgrade workflow?
• items_per_search ― This one is user-editable via API but we have no UI for it. No prebuilt rules have it in https://github.com/elastic/detection-rules. How should we handle it in the upgrade workflow?

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[banderror]

@jethr0null @peluja1012 Can we please have your input on this?

• Please review the tables in the Rule fields section.
• Please check the Rule fields to discuss and submit your thoughts here in the comments per each field.

Feel free to ping us if you have any questions and would like to chat over zoom.