elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Add `source_updated_at` field to `RuleResponse` via `ResponseFields` #174740

Open jpdjere opened 10 months ago

jpdjere commented 10 months ago

Epic: https://github.com/elastic/kibana/issues/174168 Related to: https://github.com/elastic/detection-rules/issues/2826 Depends on: https://github.com/elastic/kibana/issues/176286, https://github.com/elastic/kibana/issues/175680

Summary

We're going to add a new optional field source_updated_at to prebuilt rule assets (saved objects of type security-rule) we ship via the package with prebuilt rules. The TRADE team is working on it as part of https://github.com/elastic/detection-rules/issues/2826. We are adding this field to the assets' schema in https://github.com/elastic/kibana/issues/176286.

Besides adding this field to the schema of PrebuiltRuleAsset, we need to make it part of our rule schema and available as part of the POST /prebuilt_rules/installation/_review and POST /prebuilt_rules/upgrade/_review responses.

The location of this field within our schema is still TBD, based on the RFC for Prebuilt Rule Customization. See section Necessary rule schema changes for details.

But TL;DR: we'll be adding a new prebuilt object at the root level, where this new field should live (as it only applies to prebuilt rules):

{
  prebuilt?: {
    isPrebuilt: boolean;
    sourceUpdatedAt?: string; // ISO 8601 date
  }
}
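The mapping the issue describes, from the asset's `source_updated_at` to the proposed root-level `prebuilt` object on the response, as an added illustration that is not code from the issue or from Kibana. Only the field names `source_updated_at`, `prebuilt`, `isPrebuilt` and `sourceUpdatedAt` come from the issue text; the types `PrebuiltRuleAsset` and `PrebuiltResponseFields`, the functions `isIsoDate`, `toPrebuiltResponseFields` and `prebuiltFieldsFor`, and the sample asset values are assumptions made for this example. Because the value originates in a shipped package rather than in user input validated by the API layer, the example checks that it is a real ISO 8601 timestamp before echoing it back through the response.

```typescript
// Added example, not Kibana's own code. Type and function names below are
// assumed for illustration; only the field names come from the issue.

// Shape of the shipped asset (saved object of type `security-rule`),
// reduced to the fields this example needs.
interface PrebuiltRuleAsset {
  rule_id: string;
  version: number;
  source_updated_at?: string; // optional ISO 8601 string supplied by the package
}

// The proposed root-level `prebuilt` object on the rule response.
interface PrebuiltResponseFields {
  isPrebuilt: boolean;
  sourceUpdatedAt?: string; // ISO 8601 date string
}

// Strict UTC timestamp shape, e.g. 2024-01-15T10:20:30.000Z (constructed sample).
const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$/;

// True only for strings that match the pattern AND denote a real calendar
// instant. Date.parse alone is too lenient (some engines roll 2024-02-30 over
// into March), so the parsed value is serialized again and compared to the input.
function isIsoDate(value: unknown): value is string {
  if (typeof value !== 'string' || !ISO_DATE_RE.test(value)) return false;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) return false;
  // Compare the YYYY-MM-DDTHH:MM:SS prefix so fractional seconds do not matter.
  return new Date(ms).toISOString().slice(0, 19) === value.slice(0, 19);
}

// Builds the `prebuilt` object for a rule that was installed from an asset.
// The asset field is snake_case; the response field is camelCase, as in the issue.
function toPrebuiltResponseFields(asset: PrebuiltRuleAsset): PrebuiltResponseFields {
  const fields: PrebuiltResponseFields = { isPrebuilt: true };
  if (asset.source_updated_at !== undefined) {
    if (!isIsoDate(asset.source_updated_at)) {
      // Fail closed: a malformed package value is a bug in the package, not
      // something to surface to API clients as if it were a valid timestamp.
      throw new Error(
        `rule ${asset.rule_id} v${asset.version}: source_updated_at is not an ISO 8601 date`
      );
    }
    fields.sourceUpdatedAt = asset.source_updated_at;
  }
  return fields;
}

// Custom (non-prebuilt) rules have no asset, so `prebuilt` stays absent,
// matching the optional `prebuilt?` in the proposed schema.
function prebuiltFieldsFor(asset?: PrebuiltRuleAsset): PrebuiltResponseFields | undefined {
  return asset === undefined ? undefined : toPrebuiltResponseFields(asset);
}

// Constructed sample asset, not real package content.
const sampleAsset: PrebuiltRuleAsset = {
  rule_id: 'example-rule-id',
  version: 3,
  source_updated_at: '2024-01-15T10:20:30.000Z',
};
console.log(JSON.stringify({ prebuilt: prebuiltFieldsFor(sampleAsset) }));
```

Running the block prints `{"prebuilt":{"isPrebuilt":true,"sourceUpdatedAt":"2024-01-15T10:20:30.000Z"}}`; an asset without `source_updated_at` yields `{"isPrebuilt":true}` with no `sourceUpdatedAt` key, and an asset carrying a value that is not a valid ISO 8601 timestamp is rejected rather than passed through.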
elasticmachine commented 10 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 10 months ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine commented 9 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)