Open jonathan-buttner opened 3 years ago
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
cc: @tsg @XavierM @dhurley14 @yctercero @cnasikas @asnehalb
Pinging @elastic/response-ops (Team:ResponseOps)
When syncing is enabled the Cases plugin updates the status of alerts to keep them synced with the case status. This is done directly through requests to Elasticsearch. This functionality is located here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/cases/server/services/alerts/index.ts#L48
When the alerts as data RBAC PR (https://github.com/elastic/kibana/pull/100705) is merged we'll need to transition this code to use the provided client here: https://github.com/elastic/kibana/blob/52eab943b93a3190550ccd6e21dac01a72032f8a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts#L158
Update 11/18/21
We removed this functionality prior to 7.16 because RBAC for alerts within Security Solution was not implemented yet. So Cases still updates the status of alerts directly through Elasticsearch. In 7.16 Observability enabled RBAC for alerts using the rule registry. This isn't an issue for Cases currently because Observability disables the sync alerts functionality within Cases.
If Observability ever turns that functionality on within Cases we'll need to start using the rule registry. This would lead to needing specific functionality for Observability (using the rule registry) and for Security Solution (not using the rule registry).
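As an added illustration of the two write paths the issue contrasts (this is a sketch written for this page, not Kibana's code; the `Alert`/`Case`/`User` types, `AuthorizedAlertsClient` and the sample alerts are all made up): a direct write sets the status of every alert attached to a case with no authorization check, while a client that enforces per-consumer RBAC in the style of the rule registry refuses the update the caller is not allowed to make.

```typescript
// Hypothetical model of the two write paths; not Kibana's API.
type Consumer = 'siem' | 'observability';
type Status = 'open' | 'acknowledged' | 'closed';

interface Alert { id: string; consumer: Consumer; status: Status }
interface Case { id: string; status: Status; alertIds: string[] }
interface User { name: string; canUpdate: Consumer[] } // per-consumer update privilege

// Constructed sample data: alerts from two solutions attached to one closed case.
function makeSampleIndex(): Record<string, Alert> {
  return {
    a1: { id: 'a1', consumer: 'siem', status: 'open' },
    a2: { id: 'a2', consumer: 'observability', status: 'open' },
  };
}
const sampleCase: Case = { id: 'c1', status: 'closed', alertIds: ['a1', 'a2'] };

// Path 1: a direct Elasticsearch-style write. Nothing checks who is asking,
// so every alert on the case is updated regardless of which solution owns it.
function syncDirect(c: Case, index: Record<string, Alert>): string[] {
  const updated: string[] = [];
  for (const id of c.alertIds) {
    if (index[id]) { index[id].status = c.status; updated.push(id); }
  }
  return updated;
}

// Path 2: an RBAC-enforcing alerts client. Each update is authorized against
// the alert's consumer before anything is written; a denied update is a no-op.
class AuthorizedAlertsClient {
  constructor(private user: User, private index: Record<string, Alert>) {}
  update(id: string, status: Status): boolean {
    const alert = this.index[id];
    if (!alert) return false;
    if (!this.user.canUpdate.includes(alert.consumer)) return false; // denied
    alert.status = status;
    return true;
  }
}

function syncViaClient(c: Case, client: AuthorizedAlertsClient): { updated: string[]; denied: string[] } {
  const result = { updated: [] as string[], denied: [] as string[] };
  for (const id of c.alertIds) {
    (client.update(id, c.status) ? result.updated : result.denied).push(id);
  }
  return result;
}
```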