[Security Solutions][Detection Engine][Meta][Remix] - Migration of security_solution rules to Stack Management export/import/copy #124294
Labels
8.2 candidate
considered, but not committed, for 8.2 release
Team:Detection Engine
Security Solution Detection Engine Area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:Threat Hunting:Investigations
Security Solution Investigations Team
Team:Threat Hunting
Security Solution Threat Hunting Team
Objective
At its most basic, we want to enable security solution rules to be exported using the Stack Management UI/APIs and begin deprecating our own import/export API.
A ticket that dives more into the technical details and different considerations/use cases thought through exists here. This issue is meant to be more high level.
Security Solution Rules At a Glance
Current Experience
As a security solution user, I want to export my security solution rules and all saved objects associated with it:
As a user of multiple solutions, I want to export my rules and all saved objects associated with it:
Proposed Experience
As a security solution user, I want to export my security solution rules and all saved objects associated with it:
As a user of multiple solutions, I want to export my rules and all saved objects associated with it:
Exclusions
Possible effects to user experience
TLDR
This effort is more than just a matter of user experience. On the technical side, security solution is currently maintaining a separate export/import API and needing to implement functionality to maintain parity with the SOM. Complexity has increased as shareable saved objects are introduced.
Open questions
rule_id, timeline_template_id, item_id, list_id) - is there any support for this in core? What would signature id clashes look like in export/import?