[Security Solution] RFC: Saved Objects versioning capability

[sdesalas]

RFC: Saved Objects versioning capability

• Author(s): @sdesalas
• Status: Draft
• Created: 31 Oct 2025
• Product Initiatives: https://github.com/elastic/security-team/issues/12431 (internal)
• Product Requirements Document: (tba)
• Reviewers: @elastic/security-detection-rule-management, @marshallmain

This RFC proposes changes to the Saved Objects service in order to support optional versioning and change tracking capabilities in order to meet security product requirements.

👉 Click for complete RFC - Rendered view 👈

Motivation

Security departments need to comply with an ever increasing set of standards and regulations (DORA, ISO 27001).

As such, users of our security platform are expecting a modern and robust change management process when it comes to modifying their detection rules and related entities such as rule exceptions, which are currently stored in Kibana as Saved Objects (1, 2, 3, 4, 5).

Specifically, users need to be able to show the state of the rule at a specific point in time. They need to be able to review historical changes made to rules, including those that have been deleted. And they also expect the ability revert to a previous state of the rule as needed. They need this for compliance reasons, to understand why the changes were made, as well as to troubleshoot and ensure their correct behaviour.

This is currently one of top SIEM topics in terms of value and impact to our users.

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!

[sdesalas]

Please note that this RFC has been moved and is now being hosted as a Google Doc on 👉 this link (internal)