Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Allow prebuilt rules import and export #212509

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

[Security Solution] Allow prebuilt rules import and export #212509

wants to merge 10 commits into from
+1,026 −59

Conversation

nikitaindik
Copy link
Contributor

@nikitaindik nikitaindik commented Feb 26, 2025
edited
Loading

Resolves: https://github.com/elastic/security-team/issues/11502 (internal)

This PR implements following changes and adds API integration tests for them:

  • Users with any license can export prebuilt rules (with enabled feature flag)
  • Users with Basic/Essentials license can import prebuilt rules only if they are non-customized and the feature flag is enabled
  • Users with Enterprise/Complete license can import prebuilt rules without restrictions

Flaky test runner (had to create 4 separate runs to test all configs):

@nikitaindik nikitaindik added release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow backport:version Backport to applied version labels v8.18.0 v9.1.0 v8.19.0 labels Feb 26, 2025
@nikitaindik nikitaindik self-assigned this Feb 26, 2025
@nikitaindik nikitaindik requested a review from xcrzx March 3, 2025 10:27
@nikitaindik nikitaindik force-pushed the allow-import-export-prebuilt-rules branch from 8df69e5 to d3e1af5 Compare March 3, 2025 13:28
@nikitaindik nikitaindik force-pushed the allow-import-export-prebuilt-rules branch from d3e1af5 to 08b9f1b Compare March 4, 2025 10:44
@nikitaindik nikitaindik marked this pull request as ready for review March 4, 2025 15:51
@nikitaindik nikitaindik requested review from a team as code owners March 4, 2025 15:51
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

jbudz
jbudz approved these changes Mar 4, 2025
View reviewed changes
Copy link
Member

@jbudz jbudz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.ftr_configs.yml LGTM

@banderror
Copy link
Contributor

@nikitaindik Can you please run all the new and changed tests via the flaky test runner?

xcrzx
xcrzx reviewed Mar 5, 2025
View reviewed changes
...ons_response/rules_management/rule_import_export/trial_license_complete_tier/import_rules.ts Outdated
@@ -1626,6 +1626,7 @@ export default ({ getService }: FtrProviderContext): void => {
describe('supporting prebuilt rule customization', () => {
describe('compatibility with prebuilt rule fields', () => {
it('rejects rules with "immutable: true" when the feature flag is disabled', async () => {
// duplicate test
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's remove it then

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Heh, good catch! This was a note to myself that I forgot to handle :)

...security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_all.ts Outdated
Comment on lines 35 to 37
const ruleAlertTypes = prebuiltRulesCustomizationEnabled
? await getRules({ rulesClient, filter: '' })
: await getNonPackagedRules({ rulesClient });
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

...t_suites/detections_response/rules_management/rule_bulk_actions/export/bulk_action_export.ts Outdated
await deleteAllPrebuiltRuleAssets(es, log);
});

it(`exports prebuilt rules if the feature flag is enabled`, async () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it(`exports prebuilt rules if the feature flag is enabled`, async () => {
it(`exports prebuilt rules`, async () => {

...ustomized_prebuilt_rules/feature_disabled/not_allowed_importing_customized_prebuilt_rules.ts Outdated
await deleteAllPrebuiltRuleAssets(es, log);
});

it(`does NOT import customized prebuilt rules when feature flag is disabled`, async () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
it(`does NOT import customized prebuilt rules when feature flag is disabled`, async () => {
it(`does NOT import customized prebuilt rules when rule customization is disabled`, async () => {

xcrzx
xcrzx requested changes Mar 5, 2025
View reviewed changes
Copy link
Contributor

@xcrzx xcrzx left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested the changes locally and found a few issues with Export buttons disabled in UI

1. FF enabled, sufficient license

  • 🟢 Prebuilt rules can be exported
  • 🟢 Customized rules can be imported
  • 🟢 Non-customized rules can be imported

2. FF enabled, insufficient license

  • 🔴 Prebuilt rules cannot be exported, the export option is disabled. It should be enabled
    image
  • 🟡 Customized rules cannot be imported. This is expected, but the error message should be more clear saying that the rule cannot be imported because it is Modified
    image
  • 🟢 Non-customized rules can be imported

3. FF disabled, sufficient license

  • 🔴 Prebuilt rules cannot be exported, the export option is disabled. It should be enabled
    image
  • 🟢 Customized rules cannot be imported
  • 🟢 Non-customized rules cannot be imported
    image

@nikitaindik
Copy link
Contributor Author

Thanks for review and testing, @xcrzx! As discussed I've reverted the exporting behaviour to only allow exporting if the feature flag is disabled.

Also, I've addressed your feedback, so feel free to do another review pass.

@nikitaindik nikitaindik requested a review from xcrzx March 5, 2025 15:55
@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 5, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @nikitaindik

@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#7987

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_disabled/configs/ess_feature_flag_disabled.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_enabled/configs/ess_basic_license.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_disabled/configs/ess_feature_flag_disabled.config.ts: 50/50 tests passed.

see run history

@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#7986

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_enabled/configs/ess_basic_license.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_disabled/configs/ess_feature_flag_disabled.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_enabled/configs/ess_enterprise_license.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_disabled/configs/ess_basic_license.config.ts: 50/50 tests passed.

see run history

@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#7985

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_disabled/configs/serverless_feature_flag_disabled.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_enabled/configs/serverless_essentials_tier.config.ts: 50/50 tests passed.
[❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_disabled/configs/serverless_feature_flag_disabled.config.ts: 49/50 tests passed.
[❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/export/configs/serverless_feature_flag_disabled.config.ts: 0/50 tests passed.

see run history

@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🟠 Some tests failed. - kibana-flaky-test-suite-runner#7984

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_enabled/configs/serverless_essentials_tier.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_disabled/configs/serverless_feature_flag_disabled.config.ts: 50/50 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_enabled/configs/serverless_complete_tier.config.ts: 50/50 tests passed.
[❌] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_disabled/configs/serverless_essentials_tier.config.ts: 28/50 tests passed.

see run history

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbudz jbudz jbudz approved these changes

@xcrzx xcrzx Awaiting requested review from xcrzx

Requested changes must be addressed to merge this pull request.

Assignees

@nikitaindik nikitaindik

Labels
backport:version Backport to applied version labels Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0 v8.19.0 v9.0.0 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@nikitaindik @elasticmachine @banderror @kibanamachine @xcrzx @jbudz