Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules #180273

Closed
Tracked by #174168
jpdjere opened this issue Apr 8, 2024 · 4 comments
Closed
Tracked by #174168
Assignees
Labels
8.16 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0

Comments

@jpdjere
Copy link
Contributor

jpdjere commented Apr 8, 2024

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Design Discussion context: #178211

Summary

  • Prevent from updating "non-customizable" fields in prebuilt rules via the API.
  • The field to prevent update for are:
    1. author
    2. license
  • Prevent their update only for prebuilt rules.
  • The fields should remain part of the rule asset schema and rule schema, so we need to add manual checks in the endpoint handlers that reject the update with 400 error if the request tries to update those fields. (comment)

Background

@jpdjere jpdjere added triage_needed Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area labels Apr 8, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@jpdjere jpdjere changed the title [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules via the API [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules Apr 8, 2024
@banderror banderror changed the title [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules (DRAFT) Apr 17, 2024
@jpdjere jpdjere changed the title [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules (DRAFT) [Security Solution] Prevent from updating "non-customizable" fields in prebuilt rules May 24, 2024
@jpdjere jpdjere assigned jpdjere and unassigned xcrzx Jul 2, 2024
@dplumlee dplumlee assigned dplumlee and unassigned jpdjere Sep 19, 2024
dplumlee added a commit that referenced this issue Oct 10, 2024
… Prebuilt rule types (#195318)

## Summary

Addresses #180273

Adds validation in the `detectionRulesClient` to prevent the updating of
non-customizable fields in Prebuilt rule types (i.e. external
`rule_source`). Returns a `400` error if `author` or `license` fields
are updated via `PUT` and `PATCH` endpoints for external rules.

Also updates related test utils to reflect this new logic

### Checklist

Delete any items that are not applicable to this PR.

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 10, 2024
… Prebuilt rule types (elastic#195318)

## Summary

Addresses elastic#180273

Adds validation in the `detectionRulesClient` to prevent the updating of
non-customizable fields in Prebuilt rule types (i.e. external
`rule_source`). Returns a `400` error if `author` or `license` fields
are updated via `PUT` and `PATCH` endpoints for external rules.

Also updates related test utils to reflect this new logic

### Checklist

Delete any items that are not applicable to this PR.

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit 0004217)
@dplumlee
Copy link
Contributor

Completed by #195318

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.16 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.16.0
Projects
None yet
Development

No branches or pull requests

5 participants