[Security Solution] Allow users to edit related_integrations field for custom rules #173595
Comments
approksiu
added
the
Team:Detection Rule Management
approksiu
changed the title
|
The related integrations field has the schema: RelatedIntegrationArray:
type: array
items:
$ref: '#/components/schemas/RelatedIntegration'
RelatedIntegration:
type: object
properties:
package:
$ref: '#/components/schemas/NonEmptyString'
version:
$ref: '#/components/schemas/NonEmptyString'
integration:
$ref: '#/components/schemas/NonEmptyString'
required:
- package
- versionfor example, for existing rules: [
{
"name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"ri": [{ "package": "endpoint", "version": "^8.2.0" }]
},
{
"name": "Potential Credential Access via DCSync",
"ri": [
{ "package": "system", "version": "^1.6.4" },
{ "package": "windows", "version": "^1.5.0" }
]
},
{
"name": "Microsoft Build Engine Using an Alternate Name",
"ri": [
{ "package": "endpoint", "version": "^8.2.0" },
{ "package": "windows", "version": "^1.5.0" }
]
},
{
"name": "Unusual AWS Command for a User",
"ri": [{ "package": "aws", "version": "^2.0.0" }]
},
{
"name": "First Time Seen AWS Secret Value Accessed in Secrets Manager",
"ri": [
{ "package": "aws", "version": "^2.0.0", "integration": "cloudtrail" }
]
},
{
"name": "AWS S3 Bucket Configuration Deletion",
"ri": [
{ "package": "aws", "version": "^2.0.0", "integration": "cloudtrail" }
]
}
]
Notice that the We link to the page: /app/integrations/detail/aws-2.0.0/overview while for the integration: we link to: /app/integrations/detail/aws-2.0.0/overview?integration=cloudtrail We can fetch all packages via the Fleet endpoint {
"items": [
{
"name": "aws",
"title": "AWS",
"version": "2.11.1",
"release": "ga",
"description": "Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.",
"type": "integration",
"download": "/epr/aws/aws-2.11.1.zip",
"path": "/package/aws/2.11.1",
"icons": [
{
"src": "/img/logo_aws.svg",
"path": "/package/aws/2.11.1/img/logo_aws.svg",
"title": "logo aws",
"size": "32x32",
"type": "image/svg+xml"
}
],
"policy_templates": [
// more ingration policies
{
"name": "cloudtrail",
"title": "AWS CloudTrail",
"description": "Collect AWS CloudTrail logs with Elastic Agent",
"icons": [
{
"src": "/img/logo_cloudtrail.svg",
"path": "/package/aws/2.11.1/img/logo_cloudtrail.svg",
"title": "AWS Cloudtrail logo",
"size": "32x32",
"type": "image/svg+xml"
}
],
"categories": [
"security"
]
},
{
"name": "cloudwatch",
"title": "AWS CloudWatch",
"description": "Use this integration to collect logs and metrics from Amazon CloudWatch with Elastic Agent, where no out of the box integration is available.",
"icons": [
{
"src": "/img/logo_cloudwatch.svg",
"path": "/package/aws/2.11.1/img/logo_cloudwatch.svg",
"title": "AWS CloudWatch logo",
"size": "32x32",
"type": "image/svg+xml"
}
],
"categories": [
"observability",
"monitoring"
]
},
// more ingration policies
],
"conditions": {
"kibana": {
"version": "^8.10.2"
},
"elastic": {
"subscription": "basic"
}
},
"owner": {
"type": "elastic",
"github": "elastic/obs-ds-hosted-services"
},
"categories": [
"aws"
],
"signature_path": "/epr/aws/aws-2.11.1.zip.sig",
"id": "aws",
"status": "not_installed"
},
// more integration packages
{
"name": "windows",
"title": "Windows",
"version": "1.43.0",
"release": "ga",
"description": "Collect logs and metrics from Windows OS and services with Elastic Agent.",
"type": "integration",
"download": "/epr/windows/windows-1.43.0.zip",
"path": "/package/windows/1.43.0",
"icons": [
{
"src": "/img/logo_windows.svg",
"path": "/package/windows/1.43.0/img/logo_windows.svg",
"title": "logo windows",
"size": "32x32",
"type": "image/svg+xml"
}
],
"policy_templates": [
{
"name": "windows",
"title": "Windows logs and metrics",
"description": "Collect logs and metrics from Windows instances"
}
],
"conditions": {
"kibana": {
"version": "^8.8.0"
}
},
"owner": {
"github": "elastic/elastic-agent-data-plane"
},
"categories": [
"os_system",
"security"
],
"signature_path": "/epr/windows/windows-1.43.0.zip.sig",
"id": "windows",
"status": "not_installed"
},
]
}So:
Open questions:
|
|
For installed integrations - select current version, for non-installed - latest version. |
|
Consider showing packages and integrations in the "flat" drop-down. |
We should show all security integrations. Would be nice to indicate which ones are installed/not installed - maybe as a follow up? cc @ARWNightingale |
|
Great @approksiu . So we just met with @ARWNightingale and discussed this. I think it makes sense to give the user a dropdown of all possible related integrations, pulling the list from Fleet. At the same time, we should show the user which of those integrations are installed, with some kind of label on each integration's row, if it is actually installed. Maybe Alex you can think an example of how this should look like. Also, integrations that are installed should be pushed up to the top of the list, because we can presume that the user will be selecting one of those with much higher probability. Makes sense to you @approksiu ? |
|
@jpdjere totally, thanks! |
banderror
added
enhancement
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@maximpn my preference is Design 2 option from the figma file. Let's pre-fill version value if possible for the user to accept or modify. Thanks! |
|
@approksiu thank you for an update 👍 I attach the current Design 2 Figma snapshot for quick reference:
|
|
@maximpn Since #178295 has been approved by reviewers (I'd like to take a look, but it shouldn't block the work on the ticket), I think we should notify the stakeholders that work on acceptance testing, exploratory testing, and documentation can start. Once you have the PR deployed to Cloud for testing, please ping @approksiu, @ARWNightingale, and @vgomez-el in this thread and share credentials with them. Please also open a documentation ticket for related_integrations similar to elastic/security-docs#4917 and elastic/security-docs#5029 and ping @joepeeples here in this thread. It would be great if you could also try to align with the stakeholders on timing and plan a release date in Serverless. |
|
@approksiu, @ARWNightingale, and @vgomez-el could you perform testing of #178295?
@banderror there is a problem with automatic cloud deploy via tags. I had to use another approach to deploy my PR. It's only possible to deploy in ESS env atm. UPDATE: Serverless cloud deploy works well. I updated the information above. UPDATE 2: It seems Serverless cloud deploy stoped working. |
|
Great work Maxim, looks good to me! |
|
Looks good to me!! |
|
@approksiu @banderror According to the issue title, user Story and @maximpn's PR description, I understand that this feature is only available for custom rules, but If I select another rule type rather than Custom rules, the related integrations option is displayed as well: Is that intended? In case it is, it should be reflected on any of the existing issues, because the current issues description can lead to confusion. |
|
Hi @vgomez-el! Sorry for the confusion. Custom rules mean NOT Prebuilt rules since it's a prerequisite for Milestone 3 prebuilt rules customization. It's applicable to all rule types. Word |
|
Sorry for not understanding it correctly, @maximpn. I have performed exploratory testing on your environment and the feature looks nice to me. I will perform the Kibana Upgrade scenarios and the CCS scenarios once I have the first build candidate of the 8.15 version. Please, Ping me if someone needs more details on the exploratory testing performed. |
|
@maximpn and all, a docs PR is now open for serverless docs: https://github.com/elastic/staging-serverless-security-docs/pull/337 |
…r custom rules (#178295) **Resolves: #173595 ## Summary This PR adds an ability to add and edit custom rule's related integrations. Functionality is necessary to start working on [Prebuilt Rule Customization Epic Milestone 3](#174168). ## Details Rule's related integrations represent optional dependencies on [Elastic integrations](https://docs.elastic.co/en/integrations) to ingest data. Currently prebuilt rule's related integrations are shown on rule details page. This information contains integration's name, installation status and a version mismatch warning when related integration's version dependency doesn't match with an installed integration's version. A subset of [Semver](https://semver.org/) is used to specify version dependency. Elastic prebuilt rules use only caret syntax like `^1.2.3`. To make it possible to add and edit related integrations for custom rules the following has been done - New internal endpoint `/internal/detection_engine/fleet/integrations/all` has been added. It returns the full list of available integrations containing title, latest available version and installed version if available. This is necessary to display an options list where users can pick a desired integration. Since some Elastic Prebuilt rules depend not only on integrations from `security` category this endpoint returns all available integrations (not only related to Security Solution). - Rule create form has been adjusted by adding `Related Integrations` form controls - Rule edit form has been adjusted by adding `Related Integrations` form controls - Related integrations installation status has been adjusted to conform with the design - Functional Jest tests have been added - Functional tests have been added to make sure it's possible to (bulk) `create`/`patch`/`update`/`export`/`import` with related integrations - A limited number of Cypress tests have been added ### Integration installation status Integration installation status has been adjusted. There are following statuses shown - `Enabled` for installed and enabled integrations. Enabled integrations are detected by checking Elastic Agent policies for presence of such an integration. It's not guaranteed the policy is picked by agents and data is being ingested. - `Disabled` for installed and disabled integrations. An agent policy containing such an integration isn't found. - `Not installed` for not installed integrations. - Nothing is shown for unknown integrations. If there is no such integration found in `/internal/detection_engine/fleet/integrations/all` result it's considered as unknown. ### Version dependency [Semver](https://semver.org/) allows a wide range of version range declaration. Such flexibility will complicate constructing of an integration link on rule details page. Since Elastic Prebuilt rules use only caret version dependency like `^1.2.3` related integration's version dependency is limited to a subset of semver semantic. The following is supported - A plain version dependency e.g. `1.2.3` - Tilde version dependency e.g. `~1.2.3` - Caret version dependency e.g. `^1.2.3` ### Misc - #152408 has been fixed by this PR. - `/internal/detection_engine/fleet/integrations/installed` endpoint hasn't been removed. We need to make sure it's not needed anymore. - E2e testing of the current functionality is complicated by dependency on EPR and difficulties to mock it. EPR periodically may respond with an error resulting in flaky Cypress tests. ### Flaky test runner results - 🟢 [Create rule](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless) - 🟢 [Rule Management related integrations](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless) ### Screenshots       
…r custom rules (elastic#178295) **Resolves: elastic#173595 ## Summary This PR adds an ability to add and edit custom rule's related integrations. Functionality is necessary to start working on [Prebuilt Rule Customization Epic Milestone 3](elastic#174168). ## Details Rule's related integrations represent optional dependencies on [Elastic integrations](https://docs.elastic.co/en/integrations) to ingest data. Currently prebuilt rule's related integrations are shown on rule details page. This information contains integration's name, installation status and a version mismatch warning when related integration's version dependency doesn't match with an installed integration's version. A subset of [Semver](https://semver.org/) is used to specify version dependency. Elastic prebuilt rules use only caret syntax like `^1.2.3`. To make it possible to add and edit related integrations for custom rules the following has been done - New internal endpoint `/internal/detection_engine/fleet/integrations/all` has been added. It returns the full list of available integrations containing title, latest available version and installed version if available. This is necessary to display an options list where users can pick a desired integration. Since some Elastic Prebuilt rules depend not only on integrations from `security` category this endpoint returns all available integrations (not only related to Security Solution). - Rule create form has been adjusted by adding `Related Integrations` form controls - Rule edit form has been adjusted by adding `Related Integrations` form controls - Related integrations installation status has been adjusted to conform with the design - Functional Jest tests have been added - Functional tests have been added to make sure it's possible to (bulk) `create`/`patch`/`update`/`export`/`import` with related integrations - A limited number of Cypress tests have been added ### Integration installation status Integration installation status has been adjusted. There are following statuses shown - `Enabled` for installed and enabled integrations. Enabled integrations are detected by checking Elastic Agent policies for presence of such an integration. It's not guaranteed the policy is picked by agents and data is being ingested. - `Disabled` for installed and disabled integrations. An agent policy containing such an integration isn't found. - `Not installed` for not installed integrations. - Nothing is shown for unknown integrations. If there is no such integration found in `/internal/detection_engine/fleet/integrations/all` result it's considered as unknown. ### Version dependency [Semver](https://semver.org/) allows a wide range of version range declaration. Such flexibility will complicate constructing of an integration link on rule details page. Since Elastic Prebuilt rules use only caret version dependency like `^1.2.3` related integration's version dependency is limited to a subset of semver semantic. The following is supported - A plain version dependency e.g. `1.2.3` - Tilde version dependency e.g. `~1.2.3` - Caret version dependency e.g. `^1.2.3` ### Misc - elastic#152408 has been fixed by this PR. - `/internal/detection_engine/fleet/integrations/installed` endpoint hasn't been removed. We need to make sure it's not needed anymore. - E2e testing of the current functionality is complicated by dependency on EPR and difficulties to mock it. EPR periodically may respond with an error resulting in flaky Cypress tests. ### Flaky test runner results - 🟢 [Create rule](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless) - 🟢 [Rule Management related integrations](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5632) (100 runs ESS and 100 runs in Serverless) ### Screenshots       
|
The feature went live in Serverless today 🚀 Thanks to everyone for your efforts! |
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Summary
We need to expose the
related_integrationsfield in the rule edit page and allow editing it.We should provide a list of valid security integrations for the users to choose from.
It is an optional field.
Background
We want to allow users to easily specify the prerequisites for their custom rules.
User story
Acceptance criteria
Designs
Figma file
Release progress
Planned release date in Serverless: Week of May 6, 2024.
Planned release date in ESS: June 18 2024 (
v8.15.0).The text was updated successfully, but these errors were encountered: