[Security Solution] Users can Customize Prebuilt Detection Rules: Milestone 4

[banderror]

Epic: https://github.com/elastic/security-team/issues/1974 (internal)
Milestones: << • >>

Status: In development.

Summary

Milestone 4: Short-term stabilization.

The goal of this milestone is to stabilize the functionality implemented in Milestone 3:

• Complete the tests plans and add missing test coverage.
• Fix higher-impact / low effort bugs that didn't make it to Milestone 3.
• Continue optimizing performance and improving reliability.
• Implement telemetry for prebuilt rules.
• Pay pressing technical debt.

Useful info

• Test plans for workflows related to prebuilt rules.
• RFC: Prebuilt Rules Customization - an architecture design document created for Milestone 3.
• Prebuilt Rules Customization Technical Design - an architecture design document created for Milestone 1.

Implementation tasks

Manual testing

Owner: @pborgonovi

• [Security Solution] Exploratory testing of prebuilt rule customization workflows in production #180399

Automated testing

Owners: @maximpn, @banderror

• [Security Solution] Tests for prebuilt rule customization workflow #202068
• [Security Solution] Tests for prebuilt rule upgrade workflow #202078
• [Security Solution] Tests for prebuilt rule import/export workflow #202079
• [Security Solution] Write tests for "Customized Elastic rule" badge on the Rule Details page #186916
• [Security Solution] Write tests for filtering, sorting, pagination in the Rule Installation and Upgrade tables #166215

Performance and reliability

Owner: @xcrzx

• [Security Solution] Implement reliable tests to catch OOMs during rules package installation before the package is released in EPR #188090
• [Security Solution] Reduce response sizes of prebuilt rules _review API endpoints #210544

High-priority and low-risk technical debt

Owner: ?

• ?

Telemetry

Owner: @jkelas

• [Security Solution] Collect usage statistics for prebuilt rule customization #140369

Bug fixing: low effort

Owners: @dplumlee, @nikitaindik

• [Security Solution] See what's new in Prebuilt Security Detection Rules link on Add Elastic Rules page works with clicking anywhere on the blank space available on the right side of the page. #194275
• [Security Solution] Inconsistent naming for prebuilt rules across rule installation and flows #202783
• [Security Solution] Grammar error in prebuilt rule import error message #213843
• [Security Solution] Import Error Message Window Is Not Scrollable, Preventing Users from Viewing Full Error Details #213845
• [Security Solution] Duplicate Error Messages When Importing Multiple Modified Prebuilt Rules #213844

Bug fixing: rule customization

Owners: @dplumlee

• [Security Solution] Searchbar edit filter does not populate with prebuilt rules #209518
• [Security Solution] Large number of related integrations can impact performance on rule creation/edit form #183607

Bug fixing: rule installation

Owners: @dplumlee, @nikitaindik

• [Security Solution] Suppress prebuilt rule SO duplicates in review install endpoint #218123

Bug fixing: rule upgrade

Owners: @dplumlee, @nikitaindik

• [Security Solution] Installing Elastic Defend causes all available rules to be installed and updates to be cleared automatically when a new rules package version is available. #218150
• https://github.com/elastic/security-team/issues/7216
• [Security Solution] Exceptions and actions are reset when rule is upgraded using legacy methods #218000
• [Security Solution] Threat mapping overflows in rule upgrade flyout on narrow screens #205722
• [Security Solution] Warning is shown for updated Prebuilt rule with filter containing "AND" or "OR" condition #203615
• [Security Solution] Warning flashes when editing rule index patterns #203600
• [Security Solution] Placeholder “Semver” Appears in the Related Integrations “Version” Text Field in Rule Upgrade Flyout #200079
• [Security Solution] Incorrect Toast Message After Bulk Updating Rules with Conflicts #214292
• [Bug] Package v8.16.2 contains new rule versions without updates detection-rules#4276

Bug fixing: licensing

Owners: @dplumlee

• [Security Solution] Detection Rules fail to install/update with basic license #197246
• [Security Solution] Detection rule fails to install but does not show reason and the toast in the UI shows up as success #190753

Product enhancements

Owners: @dplumlee

• [Security Solution] Rule Details page: show what fields are customized and what are these customizations exactly #207172
• [Security Solution] Rule Details page: allow to revert a customized prebuilt rule back to its base version #215506

Documentation and UI copies

Owner: @nastasha-solomon

• UX copy request for Detection rule workflows - Revert a customized prebuilt rule docs-content#1241
• [UI copy]: Refine copy for bulk-updating prebuilt rules docs-content#1063

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[pborgonovi]

@banderror please feel free to add some exploratory tests for the enhancements 😃

[banderror]

@pborgonovi Absolutely! I think we will be tracking exploratory testing efforts using the enhancement tickets themselves, instead of creating dedicated ticket(s) for that. See release progress checklists in #207172 and #215506. Let's sync on that later as a team.