[RFC] Stage 0: Introducing new field in rule namespace #2330
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,6 +12,7 @@ Feel free to remove these comments as you go along. | |
| <!-- | ||
| Stage 0: Provide a high level summary of the premise of these changes. Briefly describe the nature, purpose, and impact of the changes. ~2-5 sentences. | ||
| --> | ||
| This RFC proposes addition of 2 new fields (rule.tags and rule.remediation) in rule fieldset to the Elastic Common Schema (ECS). The goal of these fields is to provide more context to the users in the rule fieldset, rule.tags will be used to track the set of tags applied to the rule, customers can use it to indicate metadata about the rule, and rule.remediation will be used to capture the remediation instructions associated with rules, it is generally provided by the benchmark or framework from which the rule is published. | ||
|
|
||
| <!-- | ||
| Stage 1: If the changes include field additions or modifications, please create a folder titled as the RFC number under rfcs/text/. This will be where proposed schema changes as standalone YAML files or extended example mappings and larger source documents will go as the RFC is iterated upon. | ||
|
|
@@ -23,6 +24,13 @@ Stage X: Provide a brief explanation of why the proposal is being marked as aban | |
|
|
||
| ## Fields | ||
|
|
||
| The `rule` fields being proposed are as follows: | ||
|
|
||
| Field | Type | Description /Usage | ||
| -- | -- | -- | ||
|
|
||
| rule.remediation | array | Used to capture remediation instructions that come from the benchmark / framework the rule is from | ||
|
There was a problem hiding this comment. How would this value be used as an There was a problem hiding this comment. There is possibility to have multiple remediation options for same misconfiguration, hence an array makes more sense. For example, we provide remediation manual steps, cli commands for CSPM misconfigurations. There was a problem hiding this comment. @kfirpeled @maxcold thoughts on this? As @smriti0321 mentioned, from a product perspective, if there are multiple remediation options, we'd love to capture them all and present them in our flyout. From a technical perspective we can group all of these into one field we render as markdown, or as an array of values, etc. Can you help decide what the best path is here from a data type perspective? Thx! There was a problem hiding this comment. Right now it's just a markdown text for our native integration, for Wiz it's also just a string. Unless we want to have a more complex structure for each remediation instruction, There was a problem hiding this comment.
I'm not sure I followed, currently, we don't have any examples of multiple remediation instructions. Can you please provide one? and another FYI, it introduces a breaking change. so we need to think it through from a technical perspective as well |
||
|
|
||
| <!-- | ||
| Stage 1: Describe at a high level how this change affects fields. Include new or updated yml field definitions for all of the essential fields in this draft. While not exhaustive, the fields documented here should be comprehensive enough to deeply evaluate the technical considerations of this change. The goal here is to validate the technical details for all essential fields and to provide a basis for adding experimental field definitions to the schema. Use GitHub code blocks with yml syntax formatting, and add them to the corresponding RFC folder. | ||
| --> | ||
|
|
@@ -79,7 +87,10 @@ Stage 3: Document resolutions for all existing concerns. Any new concerns should | |
|
|
||
| The following are the people that consulted on the contents of this RFC. | ||
|
|
||
| * @smriti0321 | author | ||
| * @tinnytintin10 | Product Manager Cloud Security | ||
| * @oren-zohar | Engineering Manager Cloud Security | ||
| * @orouz | Engineer | ||
|
|
||
| <!-- | ||
| Who will be or has been consulted on the contents of this RFC? Identify authorship and sponsorship, and optionally identify the nature of involvement of others. Link to GitHub aliases where possible. This list will likely change or grow stage after stage. | ||
|
|
@@ -98,6 +109,7 @@ e.g.: | |
|
|
||
| <!-- Insert any links appropriate to this RFC in this section. --> | ||
|
|
||
|
|
||
| ### RFC Pull Requests | ||
|
|
||
| <!-- An RFC should link to the PRs for each of it stage advancements. --> | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The table isn't rendering. Removing this line break (31) will fix it.