Removing detection rules from the lmd package

[ajosh0504]

What does this PR do?

This PR moves detection rules associated with Lateral Movement Detection (lmd) out of the integration package.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

• Spin up a local Elasticsearch cluster
• Install the Lateral Movement Detection assets
• Verify that no detection rules with the Lateral Movement Detection tag show up on the Rules Management page under Security

Related Issues

Not linking since these are internal issues

Screenshots

• Package updated to version 2.0.0

• Job IDs have been updated to reflect the changes in this PR

• No rules have been installed upon installing the package assets

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-10-05T18:47:12.215+0000

• Duration: 15 min 46 sec

Test stats 🧪

Test	Results
Failed	0
Passed	1
Skipped	0
Total	1

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[qn895]

Is the expectation for subsequent higher versions (say in 3.0.0) that this version' destination index should be deleted? If the results from this transform might be helpful to keep in the future, we recommend appending the fleet transform version to the dest index's name, and adding aliases.

Reason I'm noting this when user upgrade to a higher version in the future, Fleet does not delete ml-rdp-lmd, so we will need to make sure teh dest.index of that future version is different.

[sodhikirti07]

I removed the version as this transform ingests all the data in a users' environment, so, the upgrade will not affect the data collection at all. Also, tested it locally by bumping the fleet version (2.1.0) and can confirm that the data remains unchanged, only the name of the underlying transform i.e., logs-lmd.pivot_transform-default-2.0.0 changes to logs-lmd.pivot_transform-default-2.1.0.

[sodhikirti07]

Any reason to believe that fleet will delete the dest.index? I haven't seen it while testing!

[ajosh0504]

@qn895 @sodhikirti07 Did y'all reach a consensus on this? This PR is ready to merge pending y'all's 🟢 .

[qn895]

Sorry @sodhikirti07, I meant to clarify that Fleet will NOT delete the dest.index of the old version, so in case there's any incompatibility in the future. But if we have tested potential future upgrades and found that the current package works well then that's great. The rest LGTM 🎉

[sodhikirti07]

Approving as I've already tested dest.index name for upgrades. Thank you @qn895 for taking a look!

[qn895]

Transform changes LGTM 🎉

[ajosh0504]

Keeping this open until a new Detection Engine release goes out. Please do not merge.

[elasticmachine]

Package lmd - 2.0.0 containing this change is available at https://epr.elastic.co/search?package=lmd