
[8.x] [Security Solution] Fix inability to unset optional field values (#204231) #205041

Merged
merged 1 commit into from
Dec 20, 2024

Conversation

kibanamachine
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions?

Please refer to the Backport tool documentation

…stic#204231)

**Resolves: elastic#203634**

## Summary

This PR fixes bugs blocking unsetting optional rule field values in rule
upgrade workflow.

## Details

Changes here cover 3 groups of fields: optional fields, string fields allowing
empty strings and array fields allowing empty arrays. It was verified
that fields in those groups allow unsetting the value.

The following issues were fixed:
- inability to set an empty string for `setup` and `note` fields
  It required adding `stripEmptyFields: false` for rule upgrade fields
  edit form.
- inability to unset `timestamp_override` field
  Timestamp override form deserializer was fixed.
- inability to unset `alert_suppression`
  Alert Suppression was excluded from the special fields list always
  upgrading to the current value. It's expected Alert Suppression won't be
  included in Prebuilt Rules delivered in prebuilt rules packages. The
  only way to get this setting and have it included in rule upgrade flyout
  is editing a prebuilt rule by a user with a sufficient licence.

The following fields were verified and fixed where necessary:

### Optional fields

- ✅ `investigation_fields`
- ✅ `rule_name_override`
- ⚠️ `timestamp_override` (field's form deserializer was fixed)
- ✅ `timeline_template`
- ✅ `building_block`
- ⚠️ `alert_suppression` (the field was excluded from the special
fields list always upgrading to the current value)
- ✅ `threat_indicator_path` (empty value resets to default
`threat.indicator`)

### String fields allowing empty strings

- ⚠️ `note` (required adding `stripEmptyFields: false` to the form)
- ⚠️ `setup` (required adding `stripEmptyFields: false` to the form)

### Array fields allowing empty arrays

- ✅ `tags`
- ✅ `references`
- ✅ `false_positives`
- ✅ `threat`
- ✅ `related_integrations`
- ✅ `required_fields`
- ✅ `severity_mapping`
- ✅ `risk_score_mapping`

## Screenshots

![Screenshot 2024-12-17 at 09 15 14](https://github.com/user-attachments/assets/671f5198-55da-4899-ab52-1e93f3c841af)

https://github.com/user-attachments/assets/bd36e5ba-e7fb-4733-a792-ea5435d579e2

## How to test?

- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled
- Allow internal APIs by adding `server.restrictInternalApis: false` to
`kibana.dev.yaml`
- Clear Elasticsearch data
- Run Elasticsearch and Kibana locally (do not open Kibana in a web
browser)
- Install an outdated version of the `security_detection_engine` Fleet
package
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1
```

- Install prebuilt rules
```bash
curl -X POST --user elastic:changeme  -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform
```

- Customize one or more rules (change fields to see them in rule upgrade
workflow)
- Open Rule upgrade for the rule(s)
- Unset field values
- Upgrade rule(s)

---------

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit 54989a5)
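The mechanism behind the `note`/`setup` and `timestamp_override` fixes described above, as an added illustrative example that is not Kibana's code: a form serializer that strips empty values cannot express "clear this field", because the key never reaches the upgrade payload and the resolver falls back to the rule's current value. Keeping empty values (the `stripEmptyFields: false` idea) and having the deserializer emit an explicit `undefined` for an empty optional input restores the distinction between "unset" and "unchanged". Every name here (`serializeForm`, `deserializeTimestampOverride`, `resolveUpgrade`) is hypothetical, and the sample rule document is constructed.

```typescript
// Added example, not Kibana's code: models the "unset vs. unchanged" ambiguity
// the PR describes. All function names and the sample rule are hypothetical.

type RuleFields = {
  note?: string;
  setup?: string;
  timestamp_override?: string;
  tags?: string[];
};

type FormSerializerOptions = { stripEmptyFields: boolean };

function isEmptyValue(value: unknown): boolean {
  return value === undefined || value === '' || (Array.isArray(value) && value.length === 0);
}

// Hypothetical form serializer. With stripEmptyFields: true an empty value is
// dropped from the output object, so downstream code cannot tell
// "clear this field" from "this field was never touched".
function serializeForm(values: RuleFields, opts: FormSerializerOptions): Partial<RuleFields> {
  const out: Record<string, unknown> = {};
  const source = values as Record<string, unknown>;
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (opts.stripEmptyFields && isEmptyValue(value)) continue;
    out[key] = value;
  }
  return out as Partial<RuleFields>;
}

// Hypothetical deserializer for an optional field shown as a plain text input:
// an empty string means "no override", so it must become an explicit undefined
// (key present) rather than being silently omitted.
function deserializeTimestampOverride(formValue: string): { timestamp_override: string | undefined } {
  const trimmed = formValue.trim();
  return { timestamp_override: trimmed === '' ? undefined : trimmed };
}

// Hypothetical upgrade resolver: a key present in the resolved payload wins,
// even when its value is undefined; a key absent from the payload keeps the
// value the rule currently has. Undefined keys are dropped at the end so the
// result looks like a stored rule document.
function resolveUpgrade(current: RuleFields, resolved: Partial<RuleFields>): RuleFields {
  const next: Record<string, unknown> = { ...current };
  const patch = resolved as Record<string, unknown>;
  for (const key of Object.keys(patch)) {
    next[key] = patch[key];
  }
  for (const key of Object.keys(next)) {
    if (next[key] === undefined) delete next[key];
  }
  return next as RuleFields;
}

// Constructed sample: a customized prebuilt rule being upgraded, where the user
// cleared note, setup and timestamp_override in the upgrade form.
const CURRENT_RULE: RuleFields = {
  note: 'Investigate the host.',
  setup: 'Enable the Windows integration.',
  timestamp_override: 'event.ingested',
  tags: ['Windows'],
};

const FORM_VALUES: RuleFields = {
  note: '',
  setup: '',
  ...deserializeTimestampOverride('   '),
  tags: ['Windows'],
};

// Before the fix: empty values are stripped, so the old note, setup and
// timestamp override silently survive the upgrade.
function upgradeWithStripping(): RuleFields {
  return resolveUpgrade(CURRENT_RULE, serializeForm(FORM_VALUES, { stripEmptyFields: true }));
}

// After the fix: empty values are kept, so the fields are actually unset.
function upgradeWithoutStripping(): RuleFields {
  return resolveUpgrade(CURRENT_RULE, serializeForm(FORM_VALUES, { stripEmptyFields: false }));
}

console.log('stripped:', JSON.stringify(upgradeWithStripping()));
console.log('kept:    ', JSON.stringify(upgradeWithoutStripping()));
```

The point to carry over to any form-to-API layer: when an optional field can legitimately be cleared, the wire representation must distinguish "absent" (keep current) from "present but empty" (clear), and a serializer that normalizes empties away destroys that information before the resolver ever sees it.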
@kibanamachine kibanamachine merged commit 7d91aff into elastic:8.x Dec 20, 2024
11 checks passed