Epic: elastic/kibana#174168
Related to: #6238
Summary
Description
We are introducing the ability for users to customize prebuilt Elastic rules, and we are adjusting the rule upgrade workflow to accommodate that change. This includes the ability to:
- edit and customize prebuilt rules (modify almost all rule parameters, besides rule actions);
- export and import prebuilt rules, including customized ones;
- upgrade prebuilt rules while keeping the user customizations whenever possible.
See more details below.
Background & resources
- PRs: many, created between the 8.14 and 8.18 release cycles
- Issues/metas: [Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 3 kibana#174168
- Points of contact: @banderror @xcrzx @maximpn @nikitaindik @dplumlee; please reach out via the team channel
- Test environments: document (internal)
Which documentation set does this change impact?
ESS and Serverless
ESS release
8.18.0
Serverless release
TBD, currently targeting first half of February
Feature differences
None.
API docs impact
No impact - most of the changes are made to the internal prebuilt rules API endpoints.
Prerequisites, privileges, feature flags
Feature flag: `prebuiltRulesCustomizationEnabled`, enabled via `xpack.securitySolution.enableExperimental: ['prebuiltRulesCustomizationEnabled']`
User stories
Source: elastic/kibana#174168
Prebuilt rule customization workflow
- User can edit a single prebuilt rule. User can click the "Edit" button for a prebuilt rule and customize (almost) any field on the Rule Editing page, just as is possible with custom rules.
(Before/after screenshots.)
- User can't edit the Author and License fields.
(Before/after screenshots.)
- User can bulk edit multiple prebuilt rules via bulk actions.
(Before/after screenshots.)
- User can see whether the rule is customized on the Rule Details page.
Note: we do not yet show which fields were customized in the UI (the annotations in the screenshot are for illustration only); the rule customization is indicated by the "Modified Elastic rule" badge.
- User can see which rules are customized on the Rule Management page.
Prebuilt rule upgrade workflow
- User can upgrade a single prebuilt rule to its latest version while previewing the incoming updates.
- User can preview updates from Elastic, for each rule field that has an update from Elastic.
- User can preview their customizations, for each rule field that was customized.
- User can compare their customizations with updates from Elastic and see whether there are any conflicts between them, for each rule field.
- User can manually resolve conflicts between their customizations and updates from Elastic, for each rule field.
- User can edit the final field values before submitting the update.
- User can upgrade a rule if its type has been changed by Elastic in the latest version, but can only accept the incoming changes.
- User can upgrade a single prebuilt rule to its latest version without previewing the incoming updates, but only if the rule has no conflicts (a rule with conflicts must be upgraded through the preview flyout).
- User can bulk upgrade multiple prebuilt rules to their latest versions, but only those without conflicts (rules with conflicts must be upgraded one by one through the preview flyout).
- We've added copy for the case when the Building Block property is disabled. The copy reads: *Will not mark alerts as "building block" alerts*. Please check whether this needs to be reworded. Context: PR comment.
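To make the per-field conflict logic in the upgrade stories above concrete, here is an added example (not Kibana's own code) of a three-way merge between the originally installed version, the user's customized version, and the new Elastic version; the rule shape, field names, and sample values are constructed for illustration, and the type-change and bulk-eligibility behaviour follow the stories above.

```typescript
// Added example (not Kibana's code): a per-field three-way merge that models the
// upgrade workflow above. Rule shapes and field names are constructed for illustration.
type Rule = Record<string, unknown>;
type Outcome = "unchanged" | "take_elastic" | "keep_custom" | "conflict";

const same = (a: unknown, b: unknown): boolean => JSON.stringify(a) === JSON.stringify(b);

// base:    the Elastic version the user originally installed
// current: the rule as it exists now (possibly customized by the user)
// target:  the new version shipped by Elastic
function diffField(base: unknown, current: unknown, target: unknown): Outcome {
  if (same(current, target)) return "unchanged";   // both sides agree
  if (same(base, current)) return "take_elastic";  // user did not touch it
  if (same(base, target)) return "keep_custom";    // Elastic did not touch it
  return "conflict";                               // both changed it differently
}

interface UpgradePlan {
  merged: Rule;
  conflicts: string[];           // fields the user must resolve manually in the flyout
  forcedElasticVersion: boolean; // rule type changed: only "accept incoming" is offered
}

function planUpgrade(base: Rule, current: Rule, target: Rule): UpgradePlan {
  // A rule type change cannot be merged field by field; the whole target is taken.
  if (!same(base.type, target.type)) {
    return { merged: { ...target }, conflicts: [], forcedElasticVersion: true };
  }
  const merged: Rule = {};
  const conflicts: string[] = [];
  const fields = Array.from(new Set([...Object.keys(current), ...Object.keys(target)]));
  for (const f of fields) {
    const outcome = diffField(base[f], current[f], target[f]);
    if (outcome === "take_elastic") merged[f] = target[f];
    else merged[f] = current[f];  // unchanged, keep_custom, or conflict left for the user
    if (outcome === "conflict") conflicts.push(f);
  }
  return { merged, conflicts, forcedElasticVersion: false };
}

// Bulk upgrade only accepts rules with no conflicts; the rest need the per-rule flyout.
function bulkUpgradeable(plans: Record<string, UpgradePlan>): string[] {
  return Object.keys(plans).filter((id) => plans[id].conflicts.length === 0);
}

// Constructed sample: the user renamed the rule, Elastic changed the query and tags.
const SAMPLE_BASE: Rule = { type: "query", name: "A", query: "event.code:1", tags: ["t1"] };
const SAMPLE_CURRENT: Rule = { type: "query", name: "A (custom)", query: "event.code:1", tags: ["t1"] };
const SAMPLE_TARGET: Rule = { type: "query", name: "A", query: "event.code:1 and user.name:*", tags: ["t1", "t2"] };
```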
Prebuilt rule export/import workflow
Relevant ticket: https://github.com/elastic/security-team/issues/11502
New behavior in 8.18 and 9.0
Import
| Rule Type | License | Import allowed? |
|---|---|---|
| Custom rule | Any | ✅ Allowed |
| Non-customized prebuilt rule | Any | ✅ Allowed |
| Customized prebuilt rule | Basic/Platinum/Essentials | ❌ NOT allowed |
| Customized prebuilt rule | Enterprise/Complete | ✅ Allowed |
Export
| Rule Type | License | Export allowed? |
|---|---|---|
| Custom rule | Any | ✅ Allowed |
| Non-customized prebuilt rule | Any | ✅ Allowed |
| Customized prebuilt rule | Any | ✅ Allowed |
Old behavior in 8.17 and before
Import
| Rule Type | License | Import allowed? |
|---|---|---|
| Custom rule | Any | ✅ Allowed |
| Non-customized prebuilt rule | Any | ❌ NOT allowed |
| Customized prebuilt rule | Any | ❌ NOT allowed |
Export
| Rule Type | License | Export allowed? |
|---|---|---|
| Custom rule | Any | ✅ Allowed |
| Non-customized prebuilt rule | Any | ❌ NOT allowed |
| Customized prebuilt rule | Any | ❌ NOT allowed |
- User can export a single prebuilt rule.
  - Pages: Rule Details, Rule Management
  - It can be a non-customized or a customized prebuilt rule
- User can bulk export multiple prebuilt rules via bulk actions.
  - Pages: Rule Management
  - We support exporting non-customized prebuilt, customized prebuilt, and custom rules in any combination
- User can bulk import multiple prebuilt rules.
  - Pages: Rule Management
  - We support importing non-customized prebuilt, customized prebuilt, and custom rules in any combination
Licensing restrictions
Related tickets and PRs:
- [Security Solution] Implement rule customization license checks kibana#206079
- https://github.com/elastic/security-team/issues/11502
Starting from 8.18, users will be able to
- export customized and non-customized prebuilt rules on any license/tier
- import non-customized prebuilt rules (any license) and customized prebuilt rules (Enterprise/Complete only)
Rule editing
- Editing rule actions, exceptions, snoozing and enabling/disabling a rule is available on any license (as before)
- Changing rule content in UI (fields in Definition, About and Schedule tabs) is only available on Enterprise/Complete. We show upsell messages in a few places if the license is insufficient. Screenshots of upsell messages can be seen in this PR.
- Changing rule content using API is also only available in Enterprise/Complete.
Rule upgrade
- Upgrading customized prebuilt rules is only available on Enterprise/Complete. Basic/Platinum/Essentials users are restricted to the old read-only flow, in which the old prebuilt rule is completely replaced by the new version from Elastic.