Is your feature request related to a problem? Please describe.
This feature request is not related to a problem. At the moment, detection rule versions are whole integers whereas we have the capability to change those to semantic versioning.
Describe the solution you'd like
Rather than rule versions being whole integers, we can change them to semantic versioning. This would allow more granularity when determining rule version changes programmatically by determining what constitutes a major, minor or patch update. From this, we can also enhance our communication via documentation about what specific rule changes indicate. For example, if a major bump in the rule version is noticed, this indicates the detection logic or query has been modified.
Describe alternatives you've considered
The alternative to consider is staying with whole integers. At the moment, because we have to account for forked rules, rule versions are programmatically given a buffer space of ~100 so that rule collisions do not take place. As a result, minor changes to any data field will cause a whole integer version bump. Worse, when a new min-stack is given to the rule, the version bumps 100 spaces and thus can be misleading to customers.
Additional context
There are several considerations that need to be taken into account for this.
Consult with Security Detections Response team about requirements for Kibana
Review semantic versioning and develop design for semantic versioning rules and logic
Develop feature request PR with logic as designed and planned
Test with local Kibana and Kibana CI testing to ensure successful results and that rule change logic and comparison in Kibana work
Potential - Develop blog to explain the new changes to rules and what semantic versioning indicates
Update detection rules README to deliver clear communication about versioning
Consider any changes necessary for the prebuilt rules package releases
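As an added illustration of the programmatic classification the request describes (this is example code, not detection-rules project code or anything proposed in the issue), the block below diffs two versions of a rule's fields and derives the semantic version bump. Only one rule of the policy comes from the issue: a change to the detection logic or query is a major bump. The field sets used to decide minor versus patch, the rule dictionaries, and the function names are assumptions made for this example.

```python
"""Added example: derive a semantic version bump from a detection rule change.

Policy assumed here (only "query/logic change => major" comes from the issue):
  major : a field that changes what the rule detects was modified
  minor : a field that changes how the rule is presented or triaged was modified
  patch : anything else (e.g. min_stack_version, typo fixes in free text)
"""
import re
from typing import Optional, Tuple

# Fields whose change alters the detection logic. Assumed list for this example.
MAJOR_FIELDS = {"query", "language", "index", "type", "threshold", "filters", "new_terms"}
# Fields that change context/triage but not what fires. Assumed list for this example.
MINOR_FIELDS = {"severity", "risk_score", "tags", "description", "name",
                "references", "threat", "false_positives", "note"}

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_semver(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; reject anything else (e.g. the old integer scheme)."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def bump(version: str, kind: str) -> str:
    """Apply a major/minor/patch bump, resetting the lower components."""
    major, minor, patch = parse_semver(version)
    if kind == "major":
        return f"{major + 1}.0.0"
    if kind == "minor":
        return f"{major}.{minor + 1}.0"
    if kind == "patch":
        return f"{major}.{minor}.{patch + 1}"
    raise ValueError(f"unknown bump kind: {kind!r}")


def changed_fields(old: dict, new: dict) -> set:
    """Names of all fields whose value differs between the two rule versions."""
    return {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def classify(old: dict, new: dict) -> Optional[str]:
    """Return 'major', 'minor', 'patch', or None when nothing but the version changed."""
    changed = changed_fields(old, new) - {"version"}
    if not changed:
        return None
    if changed & MAJOR_FIELDS:
        return "major"          # detection logic changed: consumers must re-review
    if changed & MINOR_FIELDS:
        return "minor"          # context/triage changed: logic is unchanged
    return "patch"              # housekeeping only (e.g. min_stack_version)


def next_version(old: dict, new: dict) -> str:
    """Version the new rule should carry, given the old rule it replaces."""
    kind = classify(old, new)
    return old["version"] if kind is None else bump(old["version"], kind)


# Constructed sample rule, not a real detection-rules rule.
BASE_RULE = {
    "version": "1.0.0",
    "name": "Example Suspicious Process",
    "type": "eql",
    "language": "eql",
    "index": ["logs-endpoint.events.*"],
    "query": 'process where process.name == "example.exe"',
    "severity": "low",
    "tags": ["Example"],
    "min_stack_version": "8.3.0",
}


if __name__ == "__main__":
    logic_change = {**BASE_RULE, "query": 'process where process.name == "other.exe"'}
    triage_change = {**BASE_RULE, "severity": "high"}
    stack_change = {**BASE_RULE, "min_stack_version": "8.4.0"}
    for label, new in [("logic", logic_change), ("severity", triage_change), ("min-stack", stack_change)]:
        print(f"{label:10s} -> {classify(BASE_RULE, new)} bump, {BASE_RULE['version']} => {next_version(BASE_RULE, new)}")
```

With the integer scheme the three sample changes are indistinguishable to a reader of the version number; with this classification a min-stack change only moves the patch component, and only a query edit moves the major one. Whichever field sets are finally chosen, the classification function is the piece that has to agree with the documentation and with Kibana's rule-update comparison, so it is the natural place to keep the policy in one spot.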
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.