[Security Solution] DetectionRulesClient refactoring. Part 2 #184364

@xcrzx

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Follow-up to: #180128

Summary

We need to finalize the DetectionRulesClient (formerly known as RulesManagementClient) refactoring and address the remaining comments left after the initial PR: #182802.

PRs

PR 1 (merged)

  • Come up with a better client name (see this comment). Consider DetectionRulesClient

PR 2 (merged)

  • Wrap all public client methods with withSecuritySpan (comment)
  • Move non-public client methods (starting with _) outside of the main client implementation for better code readability.

PR 3 (merged)

  • Rename DetectionRulesClient containing directory from rule_management to detection_rules_client
  • Move DetectionRulesClient methods into the detection_rules_client/methods dir
  • Move the TS interface of DetectionRulesClient into a separate file detection_rules_client_interface.ts
  • Simplify importRule method parameters
  • Add memoization to getDetectionRulesClient

PR 4 (merged)

  • Replace PrebuiltRuleAsset type with RuleCreateProps and RulePatchProps in upgradePrebuiltRule and createPrebuiltRule
  • Do not return the internal RuleAlertType from RulesManagementClient (see this comment). Transition to returning RuleResponse for these methods: createCustomRule and createPrebuiltRule

PR 5 (merged)

  • Do not return the internal RuleAlertType from RulesManagementClient (see this comment). Transition to returning RuleResponse for the remaining methods: updateRule, patchRule, deleteRule, upgradePrebuiltRule and importRule.
  • Make toggleRuleEnabledOnUpdate return enabled and then use it in the return value
  • Check upgradePrebuiltRule enable behaviour - there might be a bug (place in code). Check if we need to explicitly toggle "enabled" on upgrade.

PR 6 (in review)

  • Colocate rule converters (rule_management/normalization/rule_converters) inside the new rules management client. Check how the converters are used outside the client to see if we can encapsulate them inside the client.
  • Refactor the converters. Split them into multiple functions, each should have a single responsibility.
  • Extract duplicated piece of code that converts to RuleResponse and throws an error into a function (comment)
  • Extract "transform and validate" code into a function (comment). Consider doing this together with refactoring converters.

Left to do

Leftovers moved to #187656.
