Closed jpdjere closed 4 hours ago
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
@jpdjere Thanks for creating this ticket. One small reminder, please: every ticket in the backlog should have custom fields filled in, because that's what powers all our tabs in the GH project. I moved it to Inbox
for now, but feel free to fill them in and move back to Backlog
@jpdjere is this work still required if we feel these fields should be deprecated? I guess even if they are we'll need to support past versions having it.
I think this work would be needed no matter what, but what might be a better way forward is to delete the fields from the DiffableRule
type and instead just always use the current version as we don't seem to push updates to these fields anyways since they're performance based. This will forgo any elastic specific updates but will just automatically keep the user customized fields if they have changed them.
Right now, I'm not sure we'd need a diff algorithm for it as we will never return the fields in the eyes of the users anyways
Closed by #190440
Epics: https://github.com/elastic/security-team/issues/1974 (internal), https://github.com/elastic/kibana/issues/174168
Summary
Implement algorithms for diffing and merging changes in
concurrent_searches
anditems_per_search
fieldsThese two fields require a specialized algorithm because of the following reasons:
/upgrade/_review
endpoint to include the diff calculation for these fields, but they shouldn't show up in the UI, since that would allow the user to customize it via the UI, during the upgrade workflow.ABC
conflict scenario, the value for theconflict
prop for these fields will beNO
. This way we can ensure that these two fields are not displayed in the upgrade workflow UI. The value for themerged_version
should be thecurrent_version
.The field diff for an ABC scenario for these two fields should be:
Context from the Rule Customization RFC:
To do