[Security Solution] Handle specific fields in `/upgrade/_perform` endpoint upgrade workflow

jpdjere commented 3 months ago

Epics: https://github.com/elastic/security-team/issues/1974 (internal), https://github.com/elastic/kibana/issues/174168 Depends on: https://github.com/elastic/kibana/issues/166376 Related to: https://github.com/elastic/kibana/issues/180393

Summary

Based on the discussions that took place in https://github.com/elastic/kibana/issues/147239, we need to treat different rule fields in different ways in the context of the upgrade workflow.

For each field we must decide:

How should the field be handled in /upgrade/_perform?: should the endpoint accept any PICK_VERSION value for this field? (base, target, current, merged, resolved) Should it always upgrade to the current version?
- ➖ : irrelevant, field not upgradeable/customizable
- ✏️ : should always update to the current version of the field's value
- ❗ : should always update to the target version of the field's value, or managed automatically under the hood
- ✅ : needs to accept all PICK_VERSIONs

Field list

Field name	How to handle in `/upgrade/_perform`?
`id`	➖
`rule_source`	➖
`immutable`	➖
`version`	❗
`revision`	❗
`enabled`	✏️
`execution_summary`	✏️
`alert_suppression`	✏️
`actions`	✏️
`throttle`	✏️
`response_actions`	✏️
`meta`	✏️
`output_index`	✏️
`namespace`	✏️
`alias_purpose`	✏️
`alias_target_id`	✏️
`outcome`	✏️
`created_at`	➖
`created_by`	➖
`updated_at`	❗
`updated_by`	❗
`author`	❗
`license`	❗
`exceptions_list`	✏️
`rule_id`	➖
`concurrent_searches` (IM Rules)	✏️
`items_per_search` (IM Rules)	✏️
`name`	✅
`tags`	✅
`description`	✅
`severity`	✅
`severity_mapping`	✅
`risk_score`	✅
`risk_score_mapping`	✅
`references`	✅
`false_positives`	✅
`threat`	✅
`note`	✅
`setup`	✅
`related_integrations`	✅
`required_fields`	✅
`max_signals`	✅
`building_block_type`	✅
`from` (rule_schedule)	✅
`interval` (rule_schedule)	✅
`rule_name_override`	✅
`timestamp_override`	✅
`timestamp_override_fallback_disabled`	✅
`timeline_id` (timeline_template)	✅
`timeline_title` (timeline_template)	✅
`index` (data_source)	✅
`data_view_id` (data_source)	✅
`query`	✅
`language`	✅
`filters`	✅
`saved_id`	✅
`machine_learning_job_id` (ML Rules)	✅
`anomaly_threshold` (ML Rules)	✅
`threat_filters` (IM Rules)	✅
`threat_query` (IM Rules)	✅
`threat_mapping` (IM Rules)	✅
`threat_language` (IM Rules)	✅
`threat_index` (IM Rules)	✅
`threat_indicator_path` (IM Rules)	✅
`new_terms_fields` (New Terms Rules)	✅
`history_window_start` (New Terms Rules)	✅

Notes on fields

alert_suppression and investigation_fields: https://github.com/elastic/kibana/issues/190597

elasticmachine commented 3 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 3 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 3 months ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elastic / kibana