Rules exceptions subfeatures#243095

Closed
dhurley14 wants to merge 136 commits into elastic:main from dhurley14:rules-exceptions-subfeatures

Conversation

@dhurley14
Contributor

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

rylnd and others added 30 commits October 29, 2025 16:12
This does not include changes to existing roles, nor the role migration
machinery.
These changes were made automatically in an initial commit that added
our new features to roles; those changes have since been reverted
(320c34f), and thus there should not currently be any behavioral
changes in these files, which makes these stylistic changes even more
unnecessary.

Note: I also noticed that a few old references had (accidentally?)
remained in `security_roles.json` after `320c34f485`; this cleans those
up as well.
Instead of requiring siemVX read/all, it now requires securitySolutionRulesV1 read/all
It is unclear whether "dashboards" and "integrations" should be exclusive to `siemV5` or `securitySolutionRulesV1`. So for now we are showing it when the user has either of those.
Now it requires the `securitySolutionRulesV1.all` privilege
No security subfeature is required in all spaces anymore. The test was failing because the `siemV5` feature file never got updated and it was still referencing a feature flag that has been enabled and removed in `main`.
The feature flag in question is `endpointManagementSpaceAwarenessEnabled` which was being used to override the subfeature configuration by setting `requireAllSpaces=false` and `privilegesTooltip=undefined`. Now that the feature flag doesn't exist, it makes sense to remove these properties directly in the subfeature configuration instead of overriding them outside of it.
The logic to show it was relying on the old siemPrivileges, however value lists is now under rules.
Reshuffling privileges and removal of alerting privileges from siemV5. These alerting privileges exist exclusively in securitySolutionRulesV1
This notably includes the fix to the infinite loop on the alerts page
when a role lacks sufficient lists privileges.
The test broke after merging main into the branch
dplumlee and others added 24 commits December 3, 2025 10:16
This will ensure behaviors are correct for all intermediate SIEM
features.
…ions-subfeatures

Files conflicting: x-pack/solutions/security/plugins/security_solution/common/index.ts
…endpoint exceptions tests stop failing. Added a TODO for discussion on how to move forward with the eventual plan to make lists its own feature
 Conflicts:
	x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/rules_tables.tsx
	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/bulk_actions/route.ts
	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/find_rules/route.ts
	x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
…e route, if exceptions list is the only field 'updated' then we can use the special patch function from alerting
…n't interfere with prebuilt rules customization logic
@elasticmachine
Contributor

elasticmachine commented Dec 9, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #53 / Actions APIs - Trial License/Complete Tier @serverless @ess update_actions updating actions @skipInServerlessMKI should be able to create a new webhook action, attach it to an immutable rule and the count of prepackaged rules should not increase. If this fails, suspect the immutable tags are not staying on the rule correctly.
  • [job] [logs] FTR Configs #55 / Actions APIs - Trial License/Complete Tier @serverless @ess update_actions updating actions @skipInServerlessMKI should be able to create a new webhook action, attach it to an immutable rule and the count of prepackaged rules should not increase. If this fails, suspect the immutable tags are not staying on the rule correctly.
  • [job] [logs] Jest Tests #17 / calculateRuleSourceForImport calculates as external with customizations if a matching asset/version is found
  • [job] [logs] Jest Tests #17 / DetectionRulesClient.updateRule calls the rulesClient when updating a system action groupingBy property from agent.name to agent.type
  • [job] [logs] Jest Tests #17 / EntityStoreCrudClient update entities bulk when valid create entities
  • [job] [logs] Jest Tests #17 / EntityStoreCrudClient update entities bulk when valid create entity using force
  • [job] [logs] FTR Configs #62 / Rules Management - Prebuilt Rules Customization (Customization Enabled) @ess @serverless @skipInServerlessMKI Skip customization detection for unaffected prebuilt rule fields when base version is available "is_customized" calculation is not affected by "exceptions_list" field
  • [job] [logs] FTR Configs #119 / Rules Management - Prebuilt Rules Customization (Customization Enabled) @ess @serverless @skipInServerlessMKI Skip customization detection for unaffected prebuilt rule fields when base version is available "is_customized" calculation is not affected by "exceptions_list" field
  • [job] [logs] FTR Configs #119 / Rules Management - Rule Update APIs @ess @serverless @skipInServerlessMKI update_rules update rules should overwrite exception list value on update - non additive
  • [job] [logs] FTR Configs #137 / Rules Management - Rule Update APIs @ess @serverless @skipInServerlessMKI update_rules update rules should overwrite exception list value on update - non additive
  • [job] [logs] FTR Configs #114 / Serverless security API Platform security APIs security/authorization available features composite features
  • [job] [logs] Jest Tests #17 / synchronizing 2-way and 3-way rule diff calculations non-customizable fields "exceptions_list" field

Metrics

Module Count

Fewer modules leads to a faster build time

id                before  after  diff
alerting          342     343    +1
securitySolution  8476    8478   +2
total                            +3

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id                              before  after  diff
@kbn/security-solution-features 30      31     +1
securitySolution                134     135    +1
total                                          +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before  after   diff
securitySolution  11.1MB  11.1MB  -331.0B

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id                              before  after  diff
@kbn/security-solution-features 10      11     +1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id                          before   after    diff
securitySolution            169.6KB  170.2KB  +647.0B
securitySolutionEss         34.4KB   34.5KB   +85.0B
securitySolutionServerless  46.1KB   46.2KB   +81.0B
total                                         +813.0B

Unknown metric groups

API count

id                              before  after  diff
@kbn/security-solution-features 36      37     +1
securitySolution                204     205    +1
total                                          +2

cc @dhurley14 @dplumlee

@rylnd
Contributor

rylnd commented Dec 10, 2025

This PR was based on (the now squashed/merged) #239634 . Closing in favor of the squashed/rebased #245722.

@rylnd rylnd closed this Dec 10, 2025
dhurley14 added a commit that referenced this pull request Jan 31, 2026
## Summary

Squashed commits from: #243095

Epic: elastic/security-team#9533

Adds a new subfeature to the Rules RBAC feature implemented
[here](#239634) for rule
exceptions permissions.


---------

Co-authored-by: Devin Hurley <devin.hurley@elastic.co>
Labels

ci:cloud-deploy Create or update a Cloud deployment

8 participants