[Security Solution] Separate rules/timelines update process #92553
Labels:
- enhancement: New value added to drive a business result
- Feature:Detection Rules: Anything related to Security Solution's Detection Rules
- Feature:Timeline: Security Solution Timeline feature
- needs design
- Team:Detection Rule Management: Security Detection Rule Management Team
- Team:Detections and Resp: Security Detection Response Team
- Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
- Theme: simp_prot_mgmt: Security Solution Simplified Protection Management Theme
- UX
Currently the rules and timelines update process is coupled, meaning that through the UI, when asked to update the timelines, all Elastic SIEM rules will be updated and INSTALLED (and some enabled).
Since the UI asks the user to update the timelines, IMHO ~500 rules should not be installed.
Kibana/Elasticsearch Stack version: 7.11.1
Server OS version: Elastic Cloud
Browser and Browser OS versions: All
Elastic Endpoint version: 7.11.
Original install method (e.g. download page, yum, from source, etc.): Elastic Cloud
Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Timelines and SIEM rules API
Steps to reproduce:
This is a follow-up after a conversation with spong on Slack. For reference, I'll include his remark about this issue:

> Unfortunately new/updated rules and timelines are currently tied to the same user action. We're working on improvements here in prep for delivering out of band rule updates, and will hopefully be able to address the UX here as part of that in a future release. There is a manual way to update timeline templates if you're interested. Just need to run a script/hit the timeline API directly as outlined in the readme here: https:/elastic/kibana/blob/9c91fd9cb7aab4f46f0c6bee5ca5df049697c20c/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md#how-to-update-an-existing-prepackage-timeline
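The workaround in the remark above (hitting the timeline API directly instead of clicking the UI button that also installs every prepackaged rule) as an added example; this is not code from the issue or from Kibana. It assumes the 7.11 routes `GET /api/detection_engine/rules/prepackaged/_status` (pending rule and timeline counts), `PUT /api/detection_engine/rules/prepackaged` (installs/updates rules and, in 7.11, timelines as well) and `POST /api/timeline/_prepackaged` (timelines only), plus the `kbn-xsrf` header Kibana requires on writes; the status payload below is constructed, and the Kibana URL and basic-auth credentials are placeholders. Check the routes against your own Kibana version before using it.

```python
"""Update only the prepackaged timelines, not the ~500 prepackaged rules.

Added example, not part of the issue or of Kibana. Endpoint paths, field names
and credentials are assumptions (see the lead-in) and must be verified.
"""
import base64
import json
import urllib.request

RULES_PREPACKAGED_PATH = "/api/detection_engine/rules/prepackaged"       # assumed route
TIMELINES_PREPACKAGED_PATH = "/api/timeline/_prepackaged"                # assumed route

# Constructed sample of what the _status endpoint returns (assumed field names).
SAMPLE_STATUS = {
    "rules_custom_installed": 2,
    "rules_installed": 0,
    "rules_not_installed": 480,
    "rules_not_updated": 12,
    "timelines_installed": 1,
    "timelines_not_installed": 3,
    "timelines_not_updated": 1,
}


def pending_work(status: dict) -> dict:
    """Collapse a _status payload into 'how many rules / timelines need writing'."""
    return {
        "rules": status.get("rules_not_installed", 0) + status.get("rules_not_updated", 0),
        "timelines": status.get("timelines_not_installed", 0) + status.get("timelines_not_updated", 0),
    }


def plan_updates(status: dict, include_rules: bool = False) -> list:
    """Return the (method, path) calls to make.

    Default is timelines only: the rules PUT is never chosen unless the caller
    explicitly opts in, because in 7.11 that single call installs/updates every
    prepackaged rule and timeline together (the coupling this issue is about).
    """
    work = pending_work(status)
    if include_rules and work["rules"]:
        return [("PUT", RULES_PREPACKAGED_PATH)]      # covers timelines too
    if work["timelines"]:
        return [("POST", TIMELINES_PREPACKAGED_PATH)]  # leaves rules untouched
    return []


def kibana_request(base_url: str, method: str, path: str, user: str, password: str, timeout: int = 30):
    """Minimal authenticated Kibana call; kbn-xsrf is mandatory on non-GET requests."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("kbn-xsrf", "true")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def update_timelines_only(base_url: str, user: str, password: str) -> dict:
    """Read status, then hit only the timeline endpoint if timelines are pending."""
    status = kibana_request(base_url, "GET", RULES_PREPACKAGED_PATH + "/_status", user, password)
    results = {"pending_before": pending_work(status), "calls": []}
    for method, path in plan_updates(status):
        results["calls"].append((method, path, kibana_request(base_url, method, path, user, password)))
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed payload: rules stay out of the plan.
    print(pending_work(SAMPLE_STATUS))
    print(plan_updates(SAMPLE_STATUS))
    print(plan_updates(SAMPLE_STATUS, include_rules=True))
    # Against a real instance (placeholders, not real credentials):
    # update_timelines_only("https://kibana.example.com:5601", "elastic", "changeme")
```

Run it with no arguments to see the plan computed offline; `update_timelines_only` does the live calls and returns both the pre-update counts and each endpoint's response so you can confirm afterwards that `rules_not_installed` has not moved.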