Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field component #171520

Closed
54 tasks done
Tracked by #174168
jpdjere opened this issue Nov 20, 2023 · 8 comments
Assignees
Labels
8.18 candidate enhancement New value added to drive a business result Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0 v8.17.0 v8.18.0

Comments

@jpdjere
Copy link
Contributor

jpdjere commented Nov 20, 2023

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Design Discussion context: #178211
Design: Figma (internal)
Miro board with UI components breakdown: https://miro.com/app/board/uXjVK0gqjjQ=/?share_link_id=554028328760
Screenshot of the Miro board (click to expand)

TODO (click to expand)

This is roughly the order I plan to implement these.

Front-end logic

  • Make there is clear understanding of edge cases in the rules upgrade workflow
  • Come up with initial React Context implementation
  • Integrate React Context with the components below
  • Integrate UI with the _perform upgrade API (PR)

Components: ComparisonSide (left side, please refer to the Miro board to see where it is)

  • [PR #188302: merged] Add VersionPicker component that displays a dropdown component to select which 2 versions to compare.
  • [PR #189384: merged] Add an InlineDiffView component that uses the existing DiffView component, but in inline diff mode.
  • [PR #189384: merged] Add a ComparisonSide component that combines VersionPicker and InlineDiffView
  • Get rid of resovedValue ?? merged_version logic

Components: FinalSide (right side)

  • Add SaveButton component that saves user changes when they are valid and ready.
  • Add EditButton component that switches the edit mode on
  • [PR #191499: merged, PR #192342: merged, PR #193261: merged] Add FieldReadOnly component that renders a suitable component / components from the Rule Details page based on the passed field name.
  • Add FinalReadOnly component that combines EditButton and FieldReadOnly

Components: FieldEdit
FieldEdit components are components that render one or more UI elements from the Rule Editing page for every field.

Field edit components

  • Common Diffable rule fields (PR) @nikitaindik (2d)

    • name (done in PR)
    • tags
    • description
    • severity
    • severity_mapping
    • risk_score
    • risk_score_mapping
    • references
    • false_positives
    • threat
    • note
    • setup
    • related_integrations
    • required_fields
    • rule_schedule
    • max_signals
    • investigation_fields
    • rule_name_override
    • timestamp_override
    • timeline_template
    • building_block
  • data_source (PR)

  • alert_suppression (PR) (2d)

  • kql_query (PR)

  • eql_query (PR) @maximpn (3d)

    • event_category_override
    • timestamp_field
    • tiebreaker_field
  • esql_query (PR) @maximpn (2d)

  • Threat Match rule specific fields (PR) @maximpn (5d)

    • threat_query
    • threat_index
    • threat_language
    • threat_mapping
    • threat_indicator_path
  • ML rule specific fields (PR on hold, approx. until 2nd half of December) @nikitaindik

    • threshold
    • machine_learning_job_id
    • anomaly_threshold
  • New terms rule (PR on hold, waiting for review and testing, approx. until 2nd half of December) @nikitaindik

    • new_terms_fields
    • history_window_start

Common functional components

  • Add FinalEdit component that combines SaveButton, Prefill and FieldEdit components.
  • Add FinalSide component that displays either a FinalReadOnly or a FinalEdit component depending on the state.

Components: Basic layout

  • Add a new tab component for the three-way diff and hide it behind the prebuiltRulesCustomizationEnabled feature flag

  • Add PerformUpgradeButton component that will trigger the upgrade.

  • Add UpdateInfoBar component that will display the number of updatable fields and a number of fields that have conflicts.

  • Add RuleDiffSection component that will display a collapsible section with a label like "Definition", "About" or "Schedule".

  • Add RuleFieldDiff collapsible component that is expanded by default if conflict is SOLVABLE or NON_SOLVABLE.

  • Add RuleDiffFieldHeader component that displays the conflict bagde and Accepted/Auto-accepted label. (needs conflict)

  • Display fields with SOLVABLE and NON_SOLVABLE conflicts expanded

  • Display fields with SOLVABLE conflicts in readonly mode

  • Display fields with NON_SOLVABLE conflicts in editing mode (PR) @maximpn

  • Implement changes accepting workflow (see Miro chart) (PR) @maximpn

    • Make sure UI and copy match the design in Figma. Display Save, Accept and Save and accept buttons in the field's right side header. Remove Save button from field's right side content.
    • No conflict - Readonly mode doesn't show Save nor Accept buttons, Edit mode shows Save button, badge Auto-accepted (green) after accepting changes
    • Solvable conflict - Readonly mode shows Accept button, Edit mode shows Save and accept or Save button, badge Solved conflict (yellow) before accepting and Solved conflict (green) after accepting
    • Non Solvable conflict - Edit mode shows Save and accept button, badge Unsolved conflict (red) before accepting and Solved conflict (green) after accepting
  • Improvements to the UI and copy of the flyout (PR) @maximpn

    • Change icons to more informative badges
    • Update high level callout to : Update status callout, updated copy
    • Updated copy for field update information in the header
    • Update the copy for the transition of solved/Unsolved to ready for update.
  • Improvements to the copy of the dropdown to select the diff view (Make diff options more human friendly) (PR) @maximpn
    Base = Original
    Current = Current
    Target = Elastic update

    Image

Editable components issues

Demo feedback

  • Add help texts (popup texts should contain helpful information regarding comparison side like diff options and final side like what will be saved eventually) (PR) @nikitaindik
    Image
  • Display readonly placeholders when there is field value is empty (PR) @nikitaindik
  • Make diff view options easier to understand (PR) @nikitaindik
    • Fields without customization should have less diff selector options. When base == current we may omit base (AAB case).
    • Customized fields without updates shouldn't have Elastic update option (ABA case).
    • Options should be goal oriented for example Review my changes showing base vs current and Review Elastic update showing base vs target, Review result showing current vs final. We also can consider removing some options.
    • Current vs Final often shows No changes. It's confusing. We could show Review Elastic update by default instead.
    • Some diffs options might be better readable when flipped. For example current vs target may show rows removed while user added data when editing a rule but target version doesn't have that data.

Summary

As part of the Prebuilt Rules customization epic, we need to:

  1. Update the Update tab from the flyout that pops up open when clicking on a rule in the Rule Updates table.
  2. Build a Three-Way-Diff field update component that will be used multiple times for each rule update in the Update tab from point 1, one for each rule field that has an update.

1. Update tab

image

The Updates tab currently displays a list of fields to be updated, in side-by-side view of the current and target version of each. This basic structure will be maintained, but for each field, the side-by-side diff component will be replaced by the Three-Way-Diff field component described in step 2.

The tab needs other changes:

  • An info bar at the top that displays:
    • How many fields have reviewable updates.
    • How many conflicts the upgrade presents
  • The "Update" button at the bottom needs to be updated to "Preview update" with the following functionality:
    • Will be disabled until all changes are saved and accepted by the user
    • When clicked, will transition the tab to a Rule Update Preview view.
  • Implementation of the "Rule Update Preview view":
    • Reuses the existing JSON diff component to display the side-by-side diff between the Current version and the Final version of the rule in JSON format.
    • The Final version is: the Current version + all autoaccepted field updated + all changes accepted by the user

2. Build a Three-Way-Diff field update component

The Three-Way-Diff field update component allows users to:

  1. see and understand the current value for a rule's field
  2. see what updates the next version of the rule (coming from the upstream Prebuilt Rules package) proposes for that field
  3. be offered a merged version of the current value and the target version of the field
  4. edit the "merged version" of the field as they prefer, write one from scratch if no proposal for a merged version is automatically made; or use the base, current, or target version as a starting point from which to create a new value for the field
  5. accept the new value for the field

The initial designs for the current component look like so:

Figure 1:
image

Figure 2:
image

Notice that this is only an initial iteration and does not include the specs written in this ticket.

Component description

We are thinking about a component that, by default, shows two columns:

  • Left column: Used to compare different version of the rules, with an inline diff. For example, current vs target, base vs. target. (This is outdated in the design screenshots pasted above)
  • Right column: Used to display, update and confirm the Final version of the field, which will be saved on upgrade.

Left column

The Left column will display, by default, an inline diff between the current and the target version of the field.

This column will additionally display two dropdowns that enable the user to select the two versions being compared. Alternatively, it could be just one, offering the combinations:

  • Base vs target
  • Base vs current
  • Base vs final version
  • Current vs target
  • Current vs final version
  • Target vs final version

Selecting one of the options above will update the content of the Left column to display the diff between those two version.

Right column

The Right Column (Final Version) will contain:

A component displaying the Final Version of the field that will be saved when the upgrade is confirmed. This component can be switched between a read-only view (as seen on the first image above, at the top) and an editable component (as seen on Figure 1, above).

The Read-Only view can be switched to the editable component by clicking on the "Edit" button, and vice-versa by clicking on the "Save button".

The Final version will be displayed differently depending on the value of the conflict field from API response for that field:

  • if the value is NO:
    • display, by default, the Read-Only component containing the merge, as seen in Figure 1 above. The "Edit" button can be clicked to switch to the editable component and further edit the field.
    • the field component will be Auto-Accepted and thus collapsed by default
    • a label with the "Auto-Accepted" and a green checkmark will be displayed
  • if the value is SOLVABLE:
    • display, by default, the Read-Only component containing the merge proposal. The "Edit" button can still be clicked to switch to the editable component and further edit the field.
    • the field component will be expanded by default
    • a label with the "Conflict" text should be displayed
  • if the value is NON_SOLVABLE:
    • display, by default, the Edit component containing the merge proposal (which matches the current version). The "Save" button can be clicked to accept the change.
    • the field component will be expanded by default
    • a label with the "Conflict" text should be displayed
Prefill version dropdown

The Right column will have a button located on top of the component that displays the Final Version that allows the user to fill in (prepopulate) the editable field, by offering the options:

  • Prefill with Base Version
  • Prefill with Current Version
  • Prefill with Target Version
  • Prefill with Merge Version (only if merge proposal is available)

Selecting any of the first two options will populate the merge proposal column with either the Current or Target version, respectively.

"Accepted" label

When the user has finished editing the field (prefilled, or edited manually, or just want to keep the proposed merged value), they should click on the "Save" button to "Accept" the changes.

Once the user clicks on the "Save" button, the field updates to display an "Accepted" label with a green tick to confirm that the change for the field was approved by the user and validated by the app.

(If the API response has the value of the conflict field set to NO or SOLVABLE, the field will appear from start as auto-accepted)

When the user clicks on "Save", if the change is validated, the accordion container of the field will collapse. If the accordion is reopened, the component should be in read-only view.

The user can "Un-Accept" a change by manually opening the accordion and clicking on the "Edit" button. That action will "Un-Accept" the field and will "block" the the update of the rule until the field is saved again, by clicking on the "Save" button (all fields to needs to be accepted in order to update the rule).

**EXPAND:** This is a UX similar to the file per file review in Github PR's and the feature to mark a file as "Reviewed":

Before marking file as reviewed

image

After marking file as reviewed

image

ONLY once all fields have been confirmed (all have green ticks) the user can make the request to update the rule. (This however is not part of the spec for this component, but important context to understand its role)

Other considerations:

  • When updating a rule, the Three-Way-Diff components for all fields should be ordered in such a way that the fields that have CONFLICTS are located first, at the top.
  • Certain fields needs to be read-only: the right in the right should be either disabled, or we should prevent the user from going into edit mode. The fields that should be read-only are:
    • version
    • revision
    • author
    • license
@jpdjere jpdjere added triage_needed needs design Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area labels Nov 20, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@jpdjere
Copy link
Contributor Author

jpdjere commented Nov 20, 2023

FYI @approksiu @ARWNightingale

@banderror
Copy link
Contributor

banderror commented Feb 23, 2024

This is a great writeup @jpdjere, very comprehensive and accurate 👍 Thank you!

I made a few small adjustments in the text (description is already updated):

-Selecting any of the first two fields will populate the **merge proposal** column
+Selecting any of the first two options will populate the **merge proposal** column
with either the Current or Target version, respectively.
+When the user finished editing the field (prefilled, or edited manually, or just want to
+keep the proposed merged value), they should explicitly accept the change for this field.
-Once the user selects a version, and accepts it via an **"Accept" button**
+Once the user clicks an **"Accept" button** 
located somewhere in the component (preferably near the third column?),
a **checkbox** gets automatically ticked located on the top right, to confirm
-that the change for the field was successfully selected.
+that the change for the field was approved by the user and validated by the app.

@jpdjere @ARWNightingale @approksiu I have a few other thoughts:

  • We should find a more user-friendly terminology for the "Current", "Target" and especially "Merged" versions in the UI. I suspect many users might not be familiar with versioning concepts and what merging means in VCS. The third column could be called "Final version" or "Version to save" or something like that.
  • Maybe we should explicitly show a field if it was customized by the user but NOT changed by Elastic in the Target version (which we don't do at the moment). And prefill the 3rd column with the Current (customized) version.
  • Maybe we should auto-accept changes in trivial cases (but still allow the user to change the value after it was accepted):
    • StockValueCanUpdate = 'BASE=A, CURRENT=A, TARGET=B'
    • CustomizedValueNoUpdate = 'BASE=A, CURRENT=B, TARGET=A'
    • CustomizedValueSameUpdate = 'BASE=A, CURRENT=B, TARGET=B'
  • We should never auto-accept changes when the field was customized + there's an update from Elastic, regardless of whether it's a conflict (we were NOT able to auto-merge) or non-conflict (we were able to auto-merge). In such cases the user should always have to manually accept the change.
    • CustomizedValueCanUpdate = 'BASE=A, CURRENT=B, TARGET=C'
  • In the CustomizedValueCanUpdate = 'BASE=A, CURRENT=B, TARGET=C' cases, we could not only highlight conflicts, but also add some extra indicators/labels for non-conflicts when we were able to auto-merge the changes.

@jpdjere jpdjere changed the title [Security Solution] Build Three-Way-Diff field update component [Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field update component Apr 9, 2024
@jpdjere jpdjere changed the title [Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field update component [Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field component Apr 9, 2024
@banderror banderror added enhancement New value added to drive a business result 8.15 candidate 8.16 candidate and removed 8.15 candidate labels Jun 25, 2024
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this issue Dec 9, 2024
…validation errors (elastic#202544)

**Addresses:** elastic#171520

## Summary

This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability.

## Screenshots

<img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18">

https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9

https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8

<img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac">

<img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6">

<img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece">

<img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 9, 2024
…validation errors (elastic#202544)

**Addresses:** elastic#171520

## Summary

This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability.

## Screenshots

<img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18">

https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9

https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8

<img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac">

<img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6">

<img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece">

<img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
Samiul-TheSoccerFan pushed a commit to Samiul-TheSoccerFan/kibana that referenced this issue Dec 10, 2024
…validation errors (elastic#202544)

**Addresses:** elastic#171520

## Summary

This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability.

## Screenshots

<img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18">

https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9

https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8

<img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac">

<img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6">

<img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece">

<img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
mykolaharmash pushed a commit to mykolaharmash/kibana that referenced this issue Dec 11, 2024
…validation errors (elastic#202544)

**Addresses:** elastic#171520

## Summary

This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability.

## Screenshots

<img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18">

https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9

https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8

<img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac">

<img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6">

<img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece">

<img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
maximpn added a commit that referenced this issue Dec 11, 2024
…out (#201501)

**Addresses:** #171520

## Summary

This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way.

## Details

A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820)

- move save/accept button to the field's right side header
- expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states
- consume `ruleUpgradeState` in different components to display proper badges and texts

Additional refactoring was done to facilitate the changes

- `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext`
- files and some folders were renamed and tossed to make the structure simpler and transparent
  There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle.

## How to test locally

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```
- Open `Detection Rules (SIEM)` Page -> `Rule Updates`
- Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache)

## Screenshots and screen recordings

![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf)

![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c)

![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325)


https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5


https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051


https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 11, 2024
…out (elastic#201501)

**Addresses:** elastic#171520

## Summary

This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way.

## Details

A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820)

- move save/accept button to the field's right side header
- expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states
- consume `ruleUpgradeState` in different components to display proper badges and texts

Additional refactoring was done to facilitate the changes

- `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext`
- files and some folders were renamed and tossed to make the structure simpler and transparent
  There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle.

## How to test locally

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```
- Open `Detection Rules (SIEM)` Page -> `Rule Updates`
- Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache)

## Screenshots and screen recordings

![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf)

![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c)

![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325)

https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5

https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051

https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5
(cherry picked from commit 2dcbc5d)
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
… fields (elastic#199115)

**Partially addresses:** elastic#171520

## Summary

This PR adds is built on top of elastic#193828 and elastic#196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.

## Details

This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done

- EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible.
- Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component.
- Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.

## How to test

The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Run Kibana locally
- Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e`
- Patch the installed rule by running a query below

```bash
curl -X PATCH --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"query":"process where process.name == \"cmd.exe\"","language":"eql","event_category_override": "test","timestamp_field": "@timestamp","tiebreaker_field": "tiebreaker"}' http://localhost:5601/kbn/api/detection_engine/rules
```

- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button

## Screenshots

- EQL Query in Prebuilt Rules Update workflow
<img width="2560" alt="image" src="https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2">

- event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow
<img width="2552" alt="image" src="https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a">

- Examples of invalid EQL
<img width="2560" alt="image" src="https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c">

<img width="2548" alt="image" src="https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523">
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
**Partially addresses:** elastic#171520

## Summary

This PR adds is built on top of elastic#193828 and elastic#196948 and adds an ES|QL Query editable component for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.

## Details

This PR extracts ES|QL Query edit component from Define rule form step and makes it reusable. The following changes were made

- ES|QL validator was refactored and covered by unit tests
- Query persistence was addressed and covered by tests (previous functionality didn't work out of the box and didn't have tests)

## How to test

The simplest way to test is via patching installed prebuilt rules (a.k.a. downgrading a prebuilt rule) via Rule Patch API. Please follow steps below

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Run Kibana locally
- Install an ES|QL prebuilt rule, e.g. `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` with rule_id `0cd2f3e6-41da-40e6-b28b-466f688f00a6`
- Patch the installed rule by running a query below

```bash
curl -X PATCH --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"0cd2f3e6-41da-40e6-b28b-466f688f00a6","version":1,"query":"from logs-*","language":"esql"}' http://localhost:5601/kbn/api/detection_engine/rules
```

- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button

## Screenshots

<img width="2550" alt="image" src="https://github.com/user-attachments/assets/f65d04d5-9fd9-4d3f-8741-eba04a3be8a6">

<img width="2552" alt="image" src="https://github.com/user-attachments/assets/dd0a2613-5262-44b2-bbeb-d0ed34d57d9c">
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
…validation errors (elastic#202544)

**Addresses:** elastic#171520

## Summary

This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability.

## Screenshots

<img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18">

https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9

https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8

<img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac">

<img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6">

<img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece">

<img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this issue Dec 12, 2024
…out (elastic#201501)

**Addresses:** elastic#171520

## Summary

This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way.

## Details

A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820)

- move save/accept button to the field's right side header
- expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states
- consume `ruleUpgradeState` in different components to display proper badges and texts

Additional refactoring was done to facilitate the changes

- `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext`
- files and some folders were renamed and tossed to make the structure simpler and transparent
  There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle.

## How to test locally

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```
- Open `Detection Rules (SIEM)` Page -> `Rule Updates`
- Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache)

## Screenshots and screen recordings

![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf)

![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c)

![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325)


https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5


https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051


https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5
nikitaindik added a commit that referenced this issue Dec 13, 2024
… empty (#203826)

**Partially addresses: #171520

## Summary
This PR updates readonly components of the Rule Upgrade flyout to
display placeholders in cases when a field value is empty.

## Changes
 - Added placeholders to readonly components in the Rule Upgrade flyout
- Simplified Storybook stories to make them more readable and less
dependent on flyout context
- Added stories that showcase empty states. You can run Storybook with
`yarn storybook security_solution`.

## Screenshots
**Before / After**
<img width="2560" alt="Scherm­afbeelding 2024-12-12 om 00 05 56"
src="https://github.com/user-attachments/assets/e85a4514-4861-4be7-b0d2-534f7ad2d8cf"
/>

Work started on 11-Dec-2024
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 13, 2024
… empty (elastic#203826)

**Partially addresses: elastic#171520

## Summary
This PR updates readonly components of the Rule Upgrade flyout to
display placeholders in cases when a field value is empty.

## Changes
 - Added placeholders to readonly components in the Rule Upgrade flyout
- Simplified Storybook stories to make them more readable and less
dependent on flyout context
- Added stories that showcase empty states. You can run Storybook with
`yarn storybook security_solution`.

## Screenshots
**Before / After**
<img width="2560" alt="Scherm­afbeelding 2024-12-12 om 00 05 56"
src="https://github.com/user-attachments/assets/e85a4514-4861-4be7-b0d2-534f7ad2d8cf"
/>

Work started on 11-Dec-2024

(cherry picked from commit 27fe7e4)
nikitaindik added a commit that referenced this issue Dec 14, 2024
… in Rule Upgrade flyout (#203222)

**Partially addresses: #171520**

## Summary

This PR updates the tooltips for the ‘Diff view’ and ‘Final update’
sections in the prebuilt rule upgrade flyout. It also streamlines the
version picker by removing redundant options, making the UI simpler and
clearer for users.

## Changes
- Reduced the number of version picker items based on the diff outcome.
Updated item names for better clarity.
- Revised the tooltip text for the ‘Diff view’ section to better explain
the available dropdown options. The tooltip now describes only the
options in the dropdown to avoid overwhelming the user with unrelated
information.
-  Updated the tooltip text for the ‘Final update’ section.

## Screenshots
<img width="922" alt="Scherm­afbeelding 2024-12-11 om 11 54 48"
src="https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451">

<img width="640" alt="Scherm­afbeelding 2024-12-11 om 11 55 32"
src="https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3">

<img width="433" alt="Scherm­afbeelding 2024-12-11 om 11 55 58"
src="https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13">


Work started on 06-Dec-2024.

---------

Co-authored-by: Maxim Palenov <[email protected]>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 14, 2024
… in Rule Upgrade flyout (elastic#203222)

**Partially addresses: elastic#171520**

## Summary

This PR updates the tooltips for the ‘Diff view’ and ‘Final update’
sections in the prebuilt rule upgrade flyout. It also streamlines the
version picker by removing redundant options, making the UI simpler and
clearer for users.

## Changes
- Reduced the number of version picker items based on the diff outcome.
Updated item names for better clarity.
- Revised the tooltip text for the ‘Diff view’ section to better explain
the available dropdown options. The tooltip now describes only the
options in the dropdown to avoid overwhelming the user with unrelated
information.
-  Updated the tooltip text for the ‘Final update’ section.

## Screenshots
<img width="922" alt="Scherm­afbeelding 2024-12-11 om 11 54 48"
src="https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451">

<img width="640" alt="Scherm­afbeelding 2024-12-11 om 11 55 32"
src="https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3">

<img width="433" alt="Scherm­afbeelding 2024-12-11 om 11 55 58"
src="https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13">

Work started on 06-Dec-2024.

---------

Co-authored-by: Maxim Palenov <[email protected]>
(cherry picked from commit 90e35a0)
kibanamachine added a commit that referenced this issue Dec 14, 2024
… texts in Rule Upgrade flyout (#203222) (#204314)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Reduce dropdown options and improve tooltip texts
in Rule Upgrade flyout
(#203222)](#203222)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Nikita
Indik","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-14T11:40:45Z","message":"[Security
Solution] Reduce dropdown options and improve tooltip texts in Rule
Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n##
Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and
‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also
streamlines the\r\nversion picker by removing redundant options, making
the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced
the number of version picker items based on the diff outcome.\r\nUpdated
item names for better clarity.\r\n- Revised the tooltip text for the
‘Diff view’ section to better explain\r\nthe available dropdown options.
The tooltip now describes only the\r\noptions in the dropdown to avoid
overwhelming the user with unrelated\r\ninformation.\r\n- Updated the
tooltip text for the ‘Final update’ section.\r\n\r\n##
Screenshots\r\n<img width=\"922\" alt=\"Scherm­afbeelding 2024-12-11 om
11 54
48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img
width=\"640\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img
width=\"433\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork
started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim
Palenov
<[email protected]>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","ci:cloud-deploy","backport:version","v8.18.0"],"title":"[Security
Solution] Reduce dropdown options and improve tooltip texts in Rule
Upgrade
flyout","number":203222,"url":"https://github.com/elastic/kibana/pull/203222","mergeCommit":{"message":"[Security
Solution] Reduce dropdown options and improve tooltip texts in Rule
Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n##
Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and
‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also
streamlines the\r\nversion picker by removing redundant options, making
the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced
the number of version picker items based on the diff outcome.\r\nUpdated
item names for better clarity.\r\n- Revised the tooltip text for the
‘Diff view’ section to better explain\r\nthe available dropdown options.
The tooltip now describes only the\r\noptions in the dropdown to avoid
overwhelming the user with unrelated\r\ninformation.\r\n- Updated the
tooltip text for the ‘Final update’ section.\r\n\r\n##
Screenshots\r\n<img width=\"922\" alt=\"Scherm­afbeelding 2024-12-11 om
11 54
48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img
width=\"640\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img
width=\"433\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork
started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim
Palenov
<[email protected]>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203222","number":203222,"mergeCommit":{"message":"[Security
Solution] Reduce dropdown options and improve tooltip texts in Rule
Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n##
Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and
‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also
streamlines the\r\nversion picker by removing redundant options, making
the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced
the number of version picker items based on the diff outcome.\r\nUpdated
item names for better clarity.\r\n- Revised the tooltip text for the
‘Diff view’ section to better explain\r\nthe available dropdown options.
The tooltip now describes only the\r\noptions in the dropdown to avoid
overwhelming the user with unrelated\r\ninformation.\r\n- Updated the
tooltip text for the ‘Final update’ section.\r\n\r\n##
Screenshots\r\n<img width=\"922\" alt=\"Scherm­afbeelding 2024-12-11 om
11 54
48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img
width=\"640\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img
width=\"433\" alt=\"Scherm­afbeelding 2024-12-11 om 11 55
58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork
started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim
Palenov
<[email protected]>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Nikita Indik <[email protected]>
nikitaindik added a commit that referenced this issue Dec 18, 2024
… editable fields (#200304)

**Partially addresses: #171520

## Summary
**Changes in this PR**:
- `history_window_start` and `new_terms_fields` are now editable in the
Rule Upgrade flyout
- Extracted fields into separate components that are easier to reuse
(`NewTermsFieldsEdit` and `HistoryWindowStartEdit`)

<img width="1392" alt="Scherm­afbeelding 2024-11-15 om 15 51 04"
src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9">

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
nikitaindik added a commit to nikitaindik/kibana that referenced this issue Dec 18, 2024
… editable fields (elastic#200304)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `history_window_start` and `new_terms_fields` are now editable in the
Rule Upgrade flyout
- Extracted fields into separate components that are easier to reuse
(`NewTermsFieldsEdit` and `HistoryWindowStartEdit`)

<img width="1392" alt="Scherm­afbeelding 2024-11-15 om 15 51 04"
src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9">

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
nikitaindik added a commit that referenced this issue Dec 18, 2024
…nomaly_threshold` editable fields (#200323)

**Partially addresses: #171520

## Summary
**Changes in this PR**:
- `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now
editable in the Rule Upgrade flyout

<img width="1840" alt="Scherm­afbeelding 2024-11-26 om 08 59 24"
src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83">


### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
nikitaindik added a commit to nikitaindik/kibana that referenced this issue Dec 18, 2024
…nomaly_threshold` editable fields (elastic#200323)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now
editable in the Rule Upgrade flyout

<img width="1840" alt="Scherm­afbeelding 2024-11-26 om 08 59 24"
src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83">

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.

(cherry picked from commit 042344e)
JoseLuisGJ pushed a commit to JoseLuisGJ/kibana that referenced this issue Dec 19, 2024
… editable fields (elastic#200304)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `history_window_start` and `new_terms_fields` are now editable in the
Rule Upgrade flyout
- Extracted fields into separate components that are easier to reuse
(`NewTermsFieldsEdit` and `HistoryWindowStartEdit`)

<img width="1392" alt="Scherm­afbeelding 2024-11-15 om 15 51 04"
src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9">

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
JoseLuisGJ pushed a commit to JoseLuisGJ/kibana that referenced this issue Dec 19, 2024
…nomaly_threshold` editable fields (elastic#200323)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now
editable in the Rule Upgrade flyout

<img width="1840" alt="Scherm­afbeelding 2024-11-26 om 08 59 24"
src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83">


### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
benakansara pushed a commit to benakansara/kibana that referenced this issue Jan 2, 2025
… editable fields (elastic#200304)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `history_window_start` and `new_terms_fields` are now editable in the
Rule Upgrade flyout
- Extracted fields into separate components that are easier to reuse
(`NewTermsFieldsEdit` and `HistoryWindowStartEdit`)

<img width="1392" alt="Scherm­afbeelding 2024-11-15 om 15 51 04"
src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9">

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
benakansara pushed a commit to benakansara/kibana that referenced this issue Jan 2, 2025
…nomaly_threshold` editable fields (elastic#200323)

**Partially addresses: elastic#171520

## Summary
**Changes in this PR**:
- `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now
editable in the Rule Upgrade flyout

<img width="1840" alt="Scherm­afbeelding 2024-11-26 om 08 59 24"
src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83">


### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.
maximpn added a commit that referenced this issue Jan 7, 2025
…200308)

**Partially addresses:** #171520

## Summary

This PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type

- threat_index
- threat_query
- threat_mapping
- threat_indicator_path
- ~~threat_language~~ `threat_language` was merged with `threat_query`

## Details

This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done

- Fixes a bug blocking Threat Match rules upgrading
- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields 
- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar
- threat mapping input was split into separate component for individual fields to be reused
- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled
 `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent`  was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.
- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](#200308 (comment))
- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](#200308 (comment))

## How to test

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.

- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields

- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button

## Screenshots

Threat Match Query edit component
<img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69">

Threat Match Index edit component
<img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d">

Threat Match Mapping edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e">

Threat Match Indicator Path edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e">

Threat Match Mapping unknown field names validation warnings
<img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" />

<img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" />

<img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" />

<img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" />
maximpn added a commit to maximpn/kibana that referenced this issue Jan 7, 2025
…lastic#200308)

**Partially addresses:** elastic#171520

## Summary

This PR adds is built on top of elastic#193828 and elastic#196948 and adds the following editable components for Threat Match rule type

- threat_index
- threat_query
- threat_mapping
- threat_indicator_path
- ~~threat_language~~ `threat_language` was merged with `threat_query`

## Details

This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done

- Fixes a bug blocking Threat Match rules upgrading
- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields
- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar
- threat mapping input was split into separate component for individual fields to be reused
- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled
 `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent`  was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.
- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](elastic#200308 (comment))
- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](elastic#200308 (comment))

## How to test

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.

- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields

- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button

## Screenshots

Threat Match Query edit component
<img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69">

Threat Match Index edit component
<img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d">

Threat Match Mapping edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e">

Threat Match Indicator Path edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e">

Threat Match Mapping unknown field names validation warnings
<img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" />

<img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" />

<img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" />

<img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" />

(cherry picked from commit 40f6628)

# Conflicts:
#	x-pack/platform/plugins/private/translations/translations/zh-CN.json
@maximpn
Copy link
Contributor

maximpn commented Jan 7, 2025

Functionality is implemented in the corresponding PRs linked in the description.

@maximpn maximpn closed this as completed Jan 7, 2025
kowalczyk-krzysztof pushed a commit to kowalczyk-krzysztof/kibana that referenced this issue Jan 7, 2025
…lastic#200308)

**Partially addresses:** elastic#171520

## Summary

This PR adds is built on top of elastic#193828 and elastic#196948 and adds the following editable components for Threat Match rule type

- threat_index
- threat_query
- threat_mapping
- threat_indicator_path
- ~~threat_language~~ `threat_language` was merged with `threat_query`

## Details

This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done

- Fixes a bug blocking Threat Match rules upgrading
- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields 
- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar
- threat mapping input was split into separate component for individual fields to be reused
- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled
 `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent`  was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.
- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](elastic#200308 (comment))
- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](elastic#200308 (comment))

## How to test

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)
- Install an outdated version of the `security_detection_engine` Fleet package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.

- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields

- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button

## Screenshots

Threat Match Query edit component
<img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69">

Threat Match Index edit component
<img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d">

Threat Match Mapping edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e">

Threat Match Indicator Path edit component
<img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e">

Threat Match Mapping unknown field names validation warnings
<img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" />

<img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" />

<img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" />

<img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" />
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.18 candidate enhancement New value added to drive a business result Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0 v8.17.0 v8.18.0
Projects
None yet
Development

No branches or pull requests

5 participants