diff --git a/x-pack/plugins/security_solution/docs/prebuilt_rules_customization_rfc.md b/x-pack/plugins/security_solution/docs/prebuilt_rules_customization_rfc.md index 099b0b81d54d1d4..a0ec988db40f970 100644 --- a/x-pack/plugins/security_solution/docs/prebuilt_rules_customization_rfc.md +++ b/x-pack/plugins/security_solution/docs/prebuilt_rules_customization_rfc.md @@ -109,7 +109,7 @@ All of the following endpoints either fetch the rule before updating it, or send - **Update Rule** - `PUT /rules`: same as Patch Rule. - Used **only** when updating/modifying a single rule via the Rule Details page - **Patch Rule** - `PATCH /rules`: should migrate patched rule to prevent the endpoint from returning an outdated (non-migrated) rule. - - Used for creating shared exceptions list (and other shared lists logic) + - Used for attaching shared exceptions list to rules - **Bulk Update Rules** - `PUT /rules/_bulk_update`: same as for Patch Rule - Deprecated and unused by the UI (might still be used by API users) - **Bulk Patch Rules** - `PATCH /rules/_bulk_update`: same as for Patch Rule 
@@ -247,28 +247,54 @@ $\space$ ### Endpoints -With the rule schema updated, we will allow users to **edit their prebuilt rules** in a similar way to how they currently edit/modify their custom rules. +With the rule schema updated, we will allow users to **edit their prebuilt rules** in a similar way to how they currently edit/modify their custom rules. A full detail of which fields we will allow the users to edit can be found in the section "Rule fields" below. Endpoints that users will be able to use to modify rules are: -- Update Rule - `PUT /rules`: called when updating/modifying a single rule via the Rule Details page -- Bulk Actions - `POST /rules/_bulk_action` - with `edit` action: called when applying bulk actions via the Rules Table -- Patch Rule - `PATCH /rules`: used for creating shared exceptions list (and other shared lists logic) +- Update Rule - `PUT /rules`: called by the UI when updating/modifying a single rule via the Rule Details page +- Patch Rule - `PATCH /rules`: used for attaching shared exceptions list to rules - Bulk Patch Rules - `PATCH /rules/_bulk_update`: deprecated and unused by the UI (might still be used by public API users) - Bulk Update Rules - `PUT /rules/_bulk_update`: deprecated and unused by the UI (might still be used by public API users) +- Bulk Actions - `POST /rules/_bulk_action` - with `edit` action: called when applying bulk actions via the Rules Table -The first four endpoints listed above **currently allow users to modify their Elastic prebuilt rules** as well, in (almost) any of their fields, and no difference is made between updating/patching prebuilt rules and custom rules in the docs. However, none of those four endpoints allow to change a prebuilt rule to a custom rule (or vice-versa) by changing the current `immutable` field (i.e. the field is maintained from the existing rule). 
+The first four endpoints listed above **currently allow users to modify their Elastic prebuilt rules** as well, in (almost) all of their fields, and no difference is made between updating/patching prebuilt rules and custom rules in the docs. However, none of those four endpoints allow to change a prebuilt rule to a custom rule (or vice-versa) by changing the current `immutable` field (i.e. the field is maintained from the existing rule). > - **Will we want to allow users to modify (via API) a prebuilt rule to transform into a Custom Rule, by modifying the `prebuilt` parameter?** - > - No. We want to keep the current endpoint logic where the `immutable` field for the updated value comes from the existing value of the rule. Allowing that modification would create issues with the corresponding `security_detection_engine` package rule, as it won't longer be able to be installed if the `rule_id` is not modified as well. We will now offer users the option to customize a prebuilt rule, or alternatively, duplicate a prebuilt rule. + > - No. We want to keep the current endpoint logic where the `immutable` field for the updated value comes from the existing value of the rule. Allowing that modification would create issues with the corresponding `security_detection_engine` package rule, as it will clash with the modified rule if the `rule_id` is not modified as well. This requirement is therefore not needed anyway since will now offer users the option to customize a prebuilt rule, or alternatively, duplicate a prebuilt rule. + +The last endpoint, **Bulk Update Rules** - `PUT /rules/_bulk_update`, does provide validation in the endpoint logic itself: if a user attempts to edit prebuilt rule (`immutable: true`) the endpoint rejects that edit with an error in the `dryRun` call to the endpoint: "editing prebuilt rules is not supported". 
+ +#### Changes needed to endpoints + +##### Update Rule - `PUT /rules` -The last endpoint, **Bulk Update Rules** - `PUT /rules/_bulk_update`, does provide validation in the endpoint logic itself: if a user attempts to edit prebuilt rule (`immutable: true`) the endpoint rejects that edit with an error: "editing prebuilt rules is not supported". +- Addition of rule schema migration logic (described above) +- Calculation of `customized` field +- No other changes needed as endpoint already allows modifying prebuilt rules +##### Patch Rule - `PATCH /rules` +- Addition of rule schema migration logic (described above) +- Calculation of `customized` field +- No other changes needed as endpoint already allows modifying prebuilt rules ----- changes needed to the endpoints??? explain each +##### Bulk Patch Rules - `PATCH /rules/_bulk_update` +- Addition of rule schema migration logic (described above) +- Calculation of `customized` field for each modified rule +- No other changes needed as endpoint already allows modifying prebuilt rules +##### Bulk Update Rules - `PUT /rules/_bulk_update` + +- Addition of rule schema migration logic (described above) +- Calculation of `customized` field for each modified rule +- No other changes needed as endpoint already allows modifying prebuilt rules + +##### Bulk Actions - `POST /rules/_bulk_action` + +- Addition of rule schema migration logic (described above) +- Calculation of `customized` field for each modified rule +- Removal of the check that prevents modifying prebuilt rules in `dryRun` mode ### In the UI @@ -277,6 +303,9 @@ The current behaviour of the app allows to modify a rule's fields in the followi #### Via the Rule Edit Page +- Edit Page +- Calls the **Update Rule** - `PUT /rules` + - which endpoint it calls - what fields it allows to edit - how it does "frontend validation" to only edit Custom Rules
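Review bot: the rewritten Patch Rule bullet in the `@@ -109` hunk, `Used for attaching shared exceptions list to rules`, is grammatically off; write either `attaching shared exception lists to rules` or `attaching a shared exceptions list to a rule`. Whichever form is chosen, use the identical wording for the `PATCH /rules` entry in the Endpoints list of the `@@ -247` hunk, which currently repeats the phrase verbatim, so the two descriptions of the same endpoint do not drift apart.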
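Review bot: the relocated paragraph in the `@@ -247` hunk names the wrong endpoint. It opens with `The last endpoint, **Bulk Update Rules** - `PUT /rules/_bulk_update`, does provide validation in the endpoint logic itself`, but after the list reordering in this same hunk the last endpoint is **Bulk Actions** - `POST /rules/_bulk_action`, and the new "Changes needed to endpoints" section confirms that reading: the Bulk Update Rules entry says `No other changes needed as endpoint already allows modifying prebuilt rules`, while the `dryRun` guard is listed under Bulk Actions as `Removal of the check that prevents modifying prebuilt rules in `dryRun` mode`. Change the paragraph to name Bulk Actions so the prose, the list order and the per-endpoint sections agree; this paragraph is the only place that documents which guard the RFC proposes to remove, so it must point at the right endpoint. Two smaller fixes in the same hunk: the blockquote answer is missing its subject (`since will now offer users` should read `since we will now offer users`), and `none of those four endpoints allow to change a prebuilt rule` should be `allow changing a prebuilt rule`.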
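Review bot: the two bullets added at the top of "Via the Rule Edit Page" in the `@@ -277` hunk overlap with the placeholder bullets that follow them. `Calls the **Update Rule** - `PUT /rules`` answers the existing `which endpoint it calls` placeholder, which should be removed rather than left standing, and the bare `Edit Page` bullet only repeats the section heading. Suggest replacing the `which endpoint it calls` placeholder with the new bullet and dropping `Edit Page`, keeping the `what fields it allows to edit` and "frontend validation" placeholders until they are filled in.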