[Security Solution] Separate rule versions and revisions #136213
Comments
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
This sounds great to me, thanks for the writeup and the helpful diagram! 👍 For existing users, were you imagining migrating custom rules' Until such time as revisions contain diff history (and the point is mostly moot), prebuilt upgrades remain semantically ambiguous; I could see them being "revisions" just as easily as not. |
@rylnd It could be tricky to migrate existing user rules as they could be exported and saved elsewhere. So if we migrate only the local version of their rules, it will become problematic to compare them with exported rules. So, if it is possible to avoid migrations, I would do that. We can mention in the documentation that what was The other option is to swap the proposed semantic meaning of |
|
The separation of revision and version makes sense to me, but we'll need to think about how the package upgrade logic is intended to be implemented. Today, integration packages install their SOs simply by doing a bulk import with kibana/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts Lines 267 to 272 in 7fa6813 This isn't going to work with this change, since it will overwrite the entire object, including user edits and revision numbers. The UX designs for this feature also include a review and confirm workflow which also isn't supported by this install logic. I wonder if we need to separate the objects installed by Fleet from the rules actually used by detection engine. This would work like:
This would closely mirror how the CSP team structured their |
@joshdover This separation is already implemented in Security Solution. Fleet installs rules as |
Great, thanks for clarifying that! |
|
Separating the concepts of "revision" and "version" makes total sense to me and I completely agree with the differences in behavior that you've outlined @xcrzx. However, I think we should use the name
Using the name |
I agree, the use of |
|
The proposal makes total sense ihmo, and the workflow / scenarios examples seems fine.
++. We already have 99 things called Just for my information, what is the current |
I agree. We already have many things named |
Currently, the revision could be used to refer to a specific historical version of a rule. For example, I have an alert generated by a rule that was edited/deleted. Using revision, I could find that specific historical version of the rule when needed (if I have backups). And in the future, we're also planning to implement features like rollback to a previous revision. |
I completely agree that we should be cautious about removing fields that our users rely on. However, we also need to show some caution in changing the semantics of existing fields. For non-prebuilt rules, the |
Yes, unfortunately, the current field usage is ambiguous. So its behavior will inevitably change either for prebuilt rules or for custom. If we want to play very safe, we could keep the semantics of
|
|
We have discussed renaming the |
|
Just to keep it clear what our suggested implementation plan is (and @xcrzx please correct me here if I'm wrong): Stage 1 (we're only discussing this right now): 1.1. Implement Stage 2 (this is out of the scope and will require a separate ticket): 2.1. Move |
We will 100% be renaming the version field when it is moved to the alerting framework. |
|
This looks fine for Observability, we don't have any "out of the box" rules that we create on behalf of the customer so we are mostly unaffected by this change. |
## Summary Resolves #137164. This PR adds a new `revision` field (number) to Alerting Rules that auto-increments when relevant content changes have been made via the `Rules Client`. _Relevant content changes_ are defined as any content change that the user may either want to be notified about, or have the option to later revert to. This will include most all changes, except the enabling/disabling of the rule, or updates to metadata fields like `executionStatus` or `monitoring`. This `revision` field is not intended to be user editable, and should be ignored if ever provided via the API. See #136213 for additional details. To be followed-up by #137168, which will remove the version bump logic from security solution. ## Details ### Migrations Includes SO migration to default `revision` to `0` when upgrading a cluster, or when importing `pre-8.8.0` rules via the SO Management UI. For consistency, security rule import follows the same logic as SO Management and will not reset the `revision` to `0` when overriding or creating a new rule. ### Downstream Index Updates * EventLog _has not_ been updated to include `revision` along with basic rule fields currently being written. Should we? * AAD Schema will be updated in #151388 (as this one is getting pretty big) to include `revision` so alerts written will include which specific revision of the rule created the alert. ### Reference Fields Any creation of or modification to `actions` will result in a revision increment. More typical reference fields like `exception lists` on the security side will only result in a revision increment when the list is initially associated/deleted from the rule (as subsequent updates will be done directly against the list). ### RuleClient Updates The following methods within the RuleClient have been updated to support incrementing revision when relevant field changes have been detected: * `clone()` - resets to 0 currently (see open question) * `update()` - increments `revision` so long a change has been made to relevant fields (fields not in [ignore list](https://github.com/elastic/kibana/pull/147398/files#diff-6736e143ede2dc06e825bddcdc23b4d088a6620805751db4eddc5900d586c4dfR69-R85)) * `bulkEdit()` - increments `revision` for relevant fields (all current bulk edit fields minus api key/snooze/mute) Mutation methods not updated to include revision log: * `snooze()` * `unsnooze()` * `clearExpiredSnoozes()` * `muteAll()` * `unmuteAll()` * `muteInstance()` * `unmuteInstance()` * `updateApiKey()` - increments revision as rule functionality could be impacted ## Open questions: - [X] Should `clone()` in RulesClient reset revision to 0 as if it's a new rule, or keep the current value? (see [comment](https://github.com/elastic/kibana/pull/147398/files#r1106484105)) - [X] What about snooze/un-snooze, and mute/unmute? Should we update revision on these field changes as well? (see [comment](https://github.com/elastic/kibana/pull/147398/files#r1106431966)) - Discussed with @XavierM and determined to not update on snooze/mute/API key changes as this actions could be plentiful and don't necessarily represent a version of the rule a user would want to revert to, thus polluting the revision history. - [ ] Should we write `revision` to EventLog? --- ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] To work with docs team - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [X] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary Resolves elastic#137164. This PR adds a new `revision` field (number) to Alerting Rules that auto-increments when relevant content changes have been made via the `Rules Client`. _Relevant content changes_ are defined as any content change that the user may either want to be notified about, or have the option to later revert to. This will include most all changes, except the enabling/disabling of the rule, or updates to metadata fields like `executionStatus` or `monitoring`. This `revision` field is not intended to be user editable, and should be ignored if ever provided via the API. See elastic#136213 for additional details. To be followed-up by elastic#137168, which will remove the version bump logic from security solution. ## Details ### Migrations Includes SO migration to default `revision` to `0` when upgrading a cluster, or when importing `pre-8.8.0` rules via the SO Management UI. For consistency, security rule import follows the same logic as SO Management and will not reset the `revision` to `0` when overriding or creating a new rule. ### Downstream Index Updates * EventLog _has not_ been updated to include `revision` along with basic rule fields currently being written. Should we? * AAD Schema will be updated in elastic#151388 (as this one is getting pretty big) to include `revision` so alerts written will include which specific revision of the rule created the alert. ### Reference Fields Any creation of or modification to `actions` will result in a revision increment. More typical reference fields like `exception lists` on the security side will only result in a revision increment when the list is initially associated/deleted from the rule (as subsequent updates will be done directly against the list). ### RuleClient Updates The following methods within the RuleClient have been updated to support incrementing revision when relevant field changes have been detected: * `clone()` - resets to 0 currently (see open question) * `update()` - increments `revision` so long a change has been made to relevant fields (fields not in [ignore list](https://github.com/elastic/kibana/pull/147398/files#diff-6736e143ede2dc06e825bddcdc23b4d088a6620805751db4eddc5900d586c4dfR69-R85)) * `bulkEdit()` - increments `revision` for relevant fields (all current bulk edit fields minus api key/snooze/mute) Mutation methods not updated to include revision log: * `snooze()` * `unsnooze()` * `clearExpiredSnoozes()` * `muteAll()` * `unmuteAll()` * `muteInstance()` * `unmuteInstance()` * `updateApiKey()` - increments revision as rule functionality could be impacted ## Open questions: - [X] Should `clone()` in RulesClient reset revision to 0 as if it's a new rule, or keep the current value? (see [comment](https://github.com/elastic/kibana/pull/147398/files#r1106484105)) - [X] What about snooze/un-snooze, and mute/unmute? Should we update revision on these field changes as well? (see [comment](https://github.com/elastic/kibana/pull/147398/files#r1106431966)) - Discussed with @XavierM and determined to not update on snooze/mute/API key changes as this actions could be plentiful and don't necessarily represent a version of the rule a user would want to revert to, thus polluting the revision history. - [ ] Should we write `revision` to EventLog? --- ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] To work with docs team - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [X] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Summary
Currently, we use the
versionfield of the rule object for two purposes:As we plan to make prebuilt Elastic rules editable, we won't be able to bump the
versionfield on user edit anymore as that would break rule update logic that relies on theversionto not be mutable on the user's side. So the idea is to separate the two use cases above by introducing a newrevisionrule field.Version vs revision
Rule edit workflows
Other notes
Subtasks
The text was updated successfully, but these errors were encountered: