[Security Solution] Test plan for upgrading prebuilt rules with previ…

…ew (Rule Upgrade flyout) v1 (elastic#205645) **Epics:** elastic/security-team#1974 (internal), elastic#174168 **Addresses:** elastic#202078 ## Summary This PR adds a test plan for rule upgrade flyout. --------- Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co> (cherry picked from commit ecd3316)
kibanamachine · Feb 14, 2025 · 947a8d4 · 947a8d4
1 parent 22a7481
commit 947a8d4
Show file tree

Hide file tree

Showing 3 changed files with 756 additions and 50 deletions.
diff --git a/...ans/detection_response/prebuilt_rules/shared_assets/customizable_rule_fields.md b/...ans/detection_response/prebuilt_rules/shared_assets/customizable_rule_fields.md
@@ -2,49 +2,47 @@
 
 These are fields in the detection rule schema that are able to be customized on a prebuilt rule.
 
-| field_name |
-| name |
-| description |
-| interval |
-| from |
-| to |
-| note |
-| severity |
-| tags |
-| severity_mapping |
-| risk_score |
-| risk_score_mapping |
-| references |
-| false_positives |
-| threat |
-| note |
-| setup |
-| related_integrations |
-| required_fields |
-| max_signals |
-| investigation_fields |
-| rule_name_override |
-| timestamp_override |
-| timeline_template |
-| building_block_type |
-| query |
-| language |
-| filters |
-| index |
-| data_view_id |
-| alert_suppression |
-| event_category_override |
-| timestamp_field |
-| tiebreaker_field |
-| threat_index |
-| threat_mapping |
-| threat_indicator_path |
-| threat_query |
-| threat_language |
-| threat_filters |
-| threshold |
-| machine_learning_job_id |
-| anomaly_threshold |
-| new_terms_fields |
-| history_window_start |
-| type |
+| Rule type        | Field name in UI          | Diffable rule field       |
+| ---------------- | ------------------------- | ------------------------- |
+| All rule types   | Rule name                 | `name`                    |
+| All rule types   | Rule description          | `description`             |
+| All rule types   | Tags                      | `tags`                    |
+| All rule types   | Default severity          | `severity`                |
+| All rule types   | Severity Override         | `severity_mapping`        |
+| All rule types   | Default risk score        | `risk_score`              |
+| All rule types   | Risk score override       | `risk_score_mapping`      |
+| All rule types   | Reference URLs            | `references`              |
+| All rule types   | False positive examples   | `false_positives`         |
+| All rule types   | MITRE ATT&CK™ threats     | `threat`                  |
+| All rule types   | Setup guide               | `setup`                   |
+| All rule types   | Investigation guide       | `note`                    |
+| All rule types   | Related integrations      | `related_integrations`    |
+| All rule types   | Required fields           | `required_fields`         |
+| All rule types   | Rule schedule             | `rule_schedule`           |
+| All rule types   | Max alerts per run        | `max_signals`             |
+| All rule types   | Rule name override        | `rule_name_override`      |
+| All rule types   | Timestamp override        | `timestamp_override`      |
+| All rule types   | Timeline template         | `timeline_template`       |
+| All rule types   | Building block `*`        | `building_block`          |
+| All rule types   | Investigation fields      | `investigation_fields`    |
+| All rule types   | Data source `**`          | `data_source`             |
+| All rule types   | Suppress alerts           | `alert_suppression`       |
+| Custom Query     | Custom query              | `kql_query`               |
+| Saved Query      | Custom query              | `kql_query`               |
+| EQL              | EQL query                 | `eql_query`               |
+| ESQL             | ESQL query                | `esql_query`              |
+| Threat Match     | Custom query              | `kql_query`               |
+| Threat Match     | Indicator index patterns  | `threat_index`            |
+| Threat Match     | Indicator index query     | `threat_query`            |
+| Threat Match     | Indicator mapping         | `threat_mapping`          |
+| Threat Match     | Indicator prefix override | `threat_indicator_path`   |
+| Threshold        | Custom query              | `kql_query`               |
+| Threshold        | Threshold config          | `threshold`               |
+| Machine Learning | Machine Learning job      | `machine_learning_job_id` |
+| Machine Learning | Anomaly score threshold   | `anomaly_threshold`       |
+| New Terms        | Custom query              | `kql_query`               |
+| New Terms        | Fields                    | `new_terms_fields`        |
+| New Terms        | History Window Size       | `history_window_start`    |
+
+- `*` Building block field is used to mark alerts as building block alerts.
+- `**` Data Source represents index patterns or a data view. Machine Learning rules don't have data_source field.
diff --git a/...detection_response/prebuilt_rules/shared_assets/non_customizable_rule_fields.md b/...detection_response/prebuilt_rules/shared_assets/non_customizable_rule_fields.md
@@ -2,7 +2,9 @@
 
 These are fields in the detection rule schema that cannot be customized for a prebuilt rule.
 
-| version |
-| id |
-| author |
-| license |
+| Field name   | Diffable rule field |
+| ------------ | ------------------- |
+| Rule type    | `type`              |
+| Rule version | `version`           |
+| Rule author  | `author`            |
+| Rule license | `license`           |