[Security Solution] Write the rule source field together with the immutable #183895

Merged
xcrzx merged 1 commit into elastic:main from xcrzx:write-rule-source
May 29, 2024

Conversation

Contributor

@xcrzx xcrzx commented May 21, 2024

Resolves: #180141

Summary

As part of our migration strategy to the new schema, we need to start writing the rule_source field together with the immutable field to prepare for data migration. We need to ensure that all our endpoints write the rule_source field before we start migrating detection rules, so we do not end up in a situation where our data is migrated but rule CRUD endpoints continue writing the old format.

With this PR, we start writing rule_source on every rule modification or creation. The immutable field is treated as the main field, and rule_source is always derived from it.
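The dual-write approach described above, as an added example that is not Kibana's own code: `rule_source` is derived from `immutable` on every write, and a consistency check catches the failure mode the PR is guarding against (an endpoint that still writes the old format, or a `rule_source` that disagrees with `immutable`). The shape of `rule_source` used here is an assumption for the example, not taken from the PR.

```typescript
// Added example (not Kibana's own code). The rule_source shape below is an
// assumption made for this example; the PR does not spell it out.
type RuleSource =
  | { type: 'internal' }
  | { type: 'external'; is_customized: boolean };

interface RuleParams {
  immutable: boolean;
  rule_source?: RuleSource;
}

// `immutable` stays the source of truth: rule_source is always derived from it.
function deriveRuleSource(immutable: boolean): RuleSource {
  return immutable
    ? { type: 'external', is_customized: false }
    : { type: 'internal' };
}

// Apply the dual-write rule to any params that are about to be persisted,
// regardless of which endpoint (create, update, import, duplicate) produced them.
function withRuleSource<T extends RuleParams>(params: T): T & { rule_source: RuleSource } {
  return { ...params, rule_source: deriveRuleSource(params.immutable) };
}

// Pre-write consistency check for the migration risk described in the PR:
// a rule written in the old format (no rule_source at all), or a rule_source
// whose type does not match what `immutable` implies. Returns a list of
// problems; an empty list means the write is safe to persist.
function checkDualWrite(params: RuleParams): string[] {
  const problems: string[] = [];
  if (params.rule_source === undefined) {
    problems.push('rule_source missing: endpoint still writes the old format');
    return problems;
  }
  const expected = deriveRuleSource(params.immutable);
  if (params.rule_source.type !== expected.type) {
    problems.push(
      `rule_source.type is ${params.rule_source.type}, expected ${expected.type} ` +
        `for immutable=${params.immutable}`
    );
  }
  return problems;
}
```

Only `type` is compared in the check, because whether an external rule has been customized cannot be derived from `immutable` alone.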

@xcrzx xcrzx self-assigned this May 21, 2024
@xcrzx xcrzx marked this pull request as ready for review May 24, 2024 10:22
@xcrzx xcrzx requested review from a team as code owners May 24, 2024 10:22
@xcrzx xcrzx requested review from maximpn and nkhristinin May 24, 2024 10:22
@xcrzx xcrzx added release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team v8.15.0 labels May 24, 2024
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@xcrzx xcrzx requested review from jpdjere and removed request for maximpn May 24, 2024 13:29
Contributor

@jpdjere jpdjere left a comment

Thanks for these changes!

Tested:

  • creating a new rule
  • duplicating a custom rule
  • duplicating a prebuilt rule
  • installing a prebuilt rule
  • importing a rule
  • upgrading a rule with a type change

All scenarios create a rule with the expected ruleSource.

Contributor

@logeekal logeekal left a comment

Investigations Code Review looks good to me.

@kibana-ci

💛 Build succeeded, but was flaky

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @xcrzx

@xcrzx xcrzx merged commit 81191c9 into elastic:main May 29, 2024
@kibanamachine kibanamachine added the backport:skip This PR does not require backporting label May 29, 2024
@xcrzx xcrzx deleted the write-rule-source branch May 29, 2024 10:38