[Security Solution] [PRC Milestone 3] Update KQL filters and convertRulesFilterToKQL method to rely on new Prebuilt schema #175708
Labels:
- Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area)
- release_note:skip (Skip the PR/issue when compiling release notes)
- Team:Detection Rule Management (Security Detection Rule Management Team)
- Team:Detections and Resp (Security Detection Response Team)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
Prebuilt Rule Customization Epic - Milestone 3: #174168
Main Epic: https://github.com/elastic/security-team/issues/1974 (internal)
Additional Material:
- Milestone 3 - Software Design RFC
- Prebuilt Rules Customization Technical Design
Description:
Across our application, both in the frontend and on the server side, we use KQL filters to retrieve rules based on whether they are prebuilt rules or not. This means that the current behaviour relies on the `immutable` field being set to either true or false. With the introduction of the new `prebuilt` field, we will want to rely on this new field to determine if a rule is prebuilt when retrieving rules. At the same time, we need to maintain backwards compatibility: in order to determine if a rule is prebuilt, preferentially search for the existence of the `prebuilt` field; if that doesn't exist, fall back to the legacy logic of checking the rule's `immutable` value. This means that we will need to update the constants and KQL filters that we have hardcoded in our application, as well as the `convertRulesFilterToKQL` method, to reflect the new schema. The updates needed are described in the "KQL filters and the convertRulesFilterToKQL method" section of the RFC.