Description
Opened on Feb 24, 2021
Currently the rules and timelines update process is coupled together, meaning that through the UI, when asked to update the timelines, all Elastic SIEM rules will be updated and INSTALLED (and some enabled).
Since the UI requests the user to update the timeline, IMHO, ~500 rules should not be installed.
Kibana/Elasticsearch Stack version: 7.11.1
Server OS version: Elastic Cloud
Browser and Browser OS versions: All
Elastic Endpoint version: 7.11.
Original install method (e.g. download page, yum, from source, etc.): Elastic Cloud
Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Timelines and SIEM rules API
Steps to reproduce:
- Update a deployment where Elastic SIEM is being used.
- If timelines were updated in the release in question, the user will be asked to update the SIEM timelines
- After clicking update, all rules will be installed
This is a follow up after a conversation with spong on Slack. For reference, I'll include his remark about this issue:
Unfortunately new/updated rules and timelines are currently tied to the same user action. We're working on improvements here in prep for delivering out of band rule updates, and will hopefully be able to address the UX here as part of that in a future release. There is a manual way to update timeline templates if you're interested. Just need to run a script/hit the timeline API directly as outlined in the readme here: https://github.com/elastic/kibana/blob/9c91fd9cb7aab4f46f0c6bee5ca5df049697c20c/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md#how-to-update-an-existing-prepackage-timeline
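A defender's check for the behaviour described above, added here and not taken from the issue or from Kibana itself: snapshot the detection rule inventory before and after accepting the timeline update and diff the two, so that any rules silently installed or enabled are visible. The endpoint path, the API-key header and the response shape (`data[].rule_id`, `data[].enabled`) are assumptions about the Kibana detection-engine API; the sample responses are constructed.

```python
import json
import urllib.request

# Assumed Kibana rule-search endpoint (not from the issue); check it against your version's API docs.
RULES_FIND_URL = "/api/detection_engine/rules/_find"


def fetch_rules(kibana_url, api_key, per_page=1000):
    """Fetch the rule inventory from a live Kibana (assumed endpoint and auth header)."""
    req = urllib.request.Request(
        f"{kibana_url}{RULES_FIND_URL}?per_page={per_page}",
        headers={"kbn-xsrf": "true", "Authorization": f"ApiKey {api_key}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def snapshot(find_response):
    """Reduce a _find response to {rule_id: enabled}, keyed by the stable rule_id."""
    return {r["rule_id"]: bool(r.get("enabled", False)) for r in find_response.get("data", [])}


def diff_snapshots(before, after):
    """Report rules that appeared, and rules whose enabled flag flipped, between two snapshots."""
    added = sorted(set(after) - set(before))
    added_enabled = sorted(rid for rid in added if after[rid])
    toggled = sorted(rid for rid in before if rid in after and before[rid] != after[rid])
    return {
        "added": added,                  # rules installed by the update
        "added_enabled": added_enabled,  # of those, the ones that came in enabled
        "toggled": toggled,              # pre-existing rules whose enabled state changed
        "total_before": len(before),
        "total_after": len(after),
    }


# Constructed sample responses standing in for a before/after pair around a timeline update.
BEFORE = {"data": [{"rule_id": "custom-1", "enabled": True}]}
AFTER = {"data": [
    {"rule_id": "custom-1", "enabled": True},
    {"rule_id": "prebuilt-a", "enabled": False},
    {"rule_id": "prebuilt-b", "enabled": True},
]}

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(snapshot(BEFORE), snapshot(AFTER)), indent=2))
```

Against a live deployment, call `fetch_rules` once before and once after clicking the timeline update and pass both results through `snapshot` and `diff_snapshots`.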