elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] Development Rules Should not be part of Prebuilt Rule Reference #4008

Closed shashank-elastic closed 3 weeks ago

shashank-elastic commented 1 month ago

Describe the Bug

User Report in Community Channel

Does anyone know if there is a delay between Elastic announcing a rule and its release? For instance, this rule: https://www.elastic.co/guide/en/security/8.14/microsoft-365-mass-download-by-a-single-user.html suggests that it is part of 8.14, but our 8.14.3 cluster does not have it as an available rule to install. I also checked the elastic rule repo: https://github.com/elastic/detection-rules/tree/main/detection_rules and it doesn't appear in there either.

To Reproduce

  1. Pick any rule in development mode from detection-rules repository
  2. These documents should be present in Prebuilt Rule Reference
  3. However, the rule should not be available for installation as it's in development mode.

Expected Behavior

  1. A rule in development mode should not be available for user docs

The Fix can happen in 2 parts

  1. Remove the Rule references from the documents for supported versions 8.12 - 8.15
  2. Then modify the generation code to not add rules to docs if in "development"

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

No response
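The second part of the proposed fix is a gate in the docs generator: skip any rule whose maturity is "development" before it reaches the prebuilt rule reference. The following is an added illustration, not code from the detection-rules repository or the security-docs build. It assumes rules are TOML files with a `[metadata]` table carrying a `maturity` key (the sample files and their contents are constructed), and it fails closed: a rule with a missing or unknown maturity is also kept out of the reference, so an untagged development rule cannot slip into the docs the way the reported rule did.

```python
"""Keep development-maturity rules out of a prebuilt-rule reference build."""
from dataclasses import dataclass

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample rule files. The [metadata].maturity layout is an
# assumption for this example, not copied from the detection-rules repo.
SAMPLE_RULES = {
    "ms365_mass_download.toml": """
[metadata]
creation_date = "2024/01/01"
maturity = "development"
min_stack_version = "8.14.0"

[rule]
name = "Microsoft 365 Mass Download by a Single User"
description = "Identifies a mass download by one user."
""",
    "ssh_brute_force.toml": """
[metadata]
creation_date = "2023/01/01"
maturity = "production"

[rule]
name = "Potential SSH Brute Force"
description = "Identifies repeated failed SSH logins."
""",
    "untagged_rule.toml": """
[metadata]
creation_date = "2021/01/01"

[rule]
name = "Rule With No Maturity Field"
description = "Missing maturity must not be published."
""",
}

# Only these maturities may appear in the published reference.
DOC_MATURITIES = frozenset({"production"})


@dataclass(frozen=True)
class RuleDoc:
    filename: str
    name: str
    maturity: str


def load_rules(files):
    """Parse each TOML rule and pull out the fields the docs build needs."""
    docs = []
    for filename, text in files.items():
        data = tomllib.loads(text)
        maturity = data.get("metadata", {}).get("maturity", "")
        docs.append(RuleDoc(filename, data["rule"]["name"], maturity))
    return docs


def select_for_docs(rules, allowed=DOC_MATURITIES):
    """Return only rules whose maturity is explicitly allowed (fail closed)."""
    return [r for r in rules if r.maturity in allowed]


def render_index(rules):
    """Render a minimal rule index, sorted by rule name."""
    lines = ["== Prebuilt rule reference", ""]
    lines.extend(f"* {r.name}" for r in sorted(rules, key=lambda r: r.name))
    return "\n".join(lines)


def build_docs(files=SAMPLE_RULES):
    """Return (rendered index, filenames that were withheld from the docs)."""
    rules = load_rules(files)
    published = select_for_docs(rules)
    skipped = [r.filename for r in rules if r not in published]
    return render_index(published), skipped


if __name__ == "__main__":
    index, skipped = build_docs()
    print(index)
    print("withheld from docs:", skipped)
```

Logging the withheld filenames, as `build_docs` returns them, gives the docs build a visible audit trail, so a rule that is missing from the reference can be traced to its maturity tag rather than to a silent generator bug.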

shashank-elastic commented 3 weeks ago

The following rules are in development mode and need removal from the security docs:

| Branch | PR |
| --- | --- |
| 8.12 | https://github.com/elastic/security-docs/pull/5828 |
| 8.13 | https://github.com/elastic/security-docs/pull/5826 |
| 8.14 | https://github.com/elastic/security-docs/pull/5825 |
| 8.15 | https://github.com/elastic/security-docs/pull/5824 |

We also have a PR to correct the source population that needs testing - https://github.com/elastic/detection-rules/pull/4073, but the above docs PRs can move independently of it.