Skip to content

Add Support for Multiple Kibana Security Detection Rule Types #1292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 96 commits into from
Oct 6, 2025
Merged

Add Support for Multiple Kibana Security Detection Rule Types #1292

Changes from 1 commit
Commits
Show all changes
96 commits
Select commit Hold shift + click to select a range
7d0e420
Initial plan
Copilot Sep 8, 2025
f422394
Implement core functionality for Kibana Security Detection Rule resource
Copilot Sep 8, 2025
da03510
Complete Kibana Security Detection Rule implementation with docs and …
Copilot Sep 8, 2025
1f92d49
Set composite id in updateDataFromRule
nick-benoit Sep 9, 2025
c71d69f
Handle nullable setup field
nick-benoit Sep 9, 2025
ac26851
Use id instead of rule_id for update payloads (for now)
nick-benoit Sep 9, 2025
e7df951
Add test destroyed
nick-benoit Sep 9, 2025
1f28a7f
Fix lint error
nick-benoit Sep 9, 2025
b31762b
If provided send rule_id otherwise use id
nick-benoit Sep 9, 2025
828ef7a
Refactor security detection rule implementation based on code review …
Copilot Sep 10, 2025
c5f9a57
Add comprehensive schema and create logic for all detection rule types
Copilot Sep 10, 2025
41c8b0a
Refactor update logic and improve error handling for different rule t…
Copilot Sep 10, 2025
3d1a020
Add EQL rule support for create, update, and read operations
Copilot Sep 10, 2025
373e3c9
Use discriminator for parsing rule
nick-benoit Sep 11, 2025
6acc02e
Support other rule types
nick-benoit Sep 11, 2025
0702d81
Extract read implementation into helper
nick-benoit Sep 12, 2025
cbeab6d
Properly write composite id when reading
nick-benoit Sep 12, 2025
f22ab1d
Set nil values with types
nick-benoit Sep 12, 2025
ef054eb
Add basic acceptance tests for all rule types
nick-benoit Sep 15, 2025
9674efb
Add update acc tests
nick-benoit Sep 15, 2025
6d86040
Handle UUID parsing error
nick-benoit Sep 15, 2025
730c578
Add correct discriminators to generated client
nick-benoit Sep 15, 2025
d0a88bb
Various schema tweaks
nick-benoit Sep 15, 2025
3658797
Support setting nested types (Threshold, ThreatMapping)
nick-benoit Sep 15, 2025
b570027
Skip tests for unsupported versions
nick-benoit Sep 16, 2025
bd2b666
Use common props structs
nick-benoit Sep 16, 2025
2e90abc
Extract building threshold / threat_mapping into shared helpers
nick-benoit Sep 16, 2025
1537f6d
Update internal/kibana/security_detection_rule/schema.go
nick-benoit Sep 17, 2025
b0b1b95
Extract language mapping into shared function
nick-benoit Sep 18, 2025
64379fa
Add type assertions
nick-benoit Sep 18, 2025
a0bae20
Remove `parseRuleResponse`
nick-benoit Sep 18, 2025
da655cb
Trigger replacement when rule_id changes
nick-benoit Sep 18, 2025
6538bba
Remove tmpl file
nick-benoit Sep 18, 2025
156dfc4
Generate docs
nick-benoit Sep 18, 2025
ba13d09
Merge branch 'main' into copilot/fix-1290-2
nick-benoit Sep 18, 2025
6584b30
Generate docs... again
nick-benoit Sep 18, 2025
085c9d1
Update docs
nick-benoit Sep 18, 2025
38f299e
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 19, 2025
ea6aeaf
Return pointer to SecurityDetectionRuleData from read
nick-benoit Sep 19, 2025
f87e3f1
Support "actions" field
nick-benoit Sep 19, 2025
2218757
Merge branch 'copilot/fix-1290-2' of github.com:elastic/terraform-pro…
nick-benoit Sep 19, 2025
48f798f
Add support for exceptions_list
nick-benoit Sep 19, 2025
4a3105b
Add support for `risk_score_mapping`
nick-benoit Sep 21, 2025
725c400
Add support building_block_type
nick-benoit Sep 21, 2025
18ff977
Add support for data_view_id, namespace
nick-benoit Sep 21, 2025
eec419a
Lint
nick-benoit Sep 21, 2025
280e3ed
Add support for rule_name_override, timestamp_override, timestamp_ove…
nick-benoit Sep 21, 2025
0127197
Add support for investigation_fields
nick-benoit Sep 22, 2025
51de6c0
Add support for related_integrations, required_fields, severity_mapping
nick-benoit Sep 22, 2025
2b4c56b
Add support for related_integrations, required_fields, severity_mapping
nick-benoit Sep 22, 2025
57a8924
Merge branch 'copilot/fix-1290-2' of github.com:elastic/terraform-pro…
nick-benoit Sep 22, 2025
bab3774
Merge branch 'main' of github.com:elastic/terraform-provider-elastics…
nick-benoit Sep 22, 2025
a918c46
Support for response_actions
nick-benoit Sep 23, 2025
4e0fc38
Psuedo discriminator for "params"
nick-benoit Sep 23, 2025
3b3f79d
Add support for "meta"
nick-benoit Sep 23, 2025
c7e1f2d
Support filters
nick-benoit Sep 23, 2025
ef6828a
Update docs
nick-benoit Sep 23, 2025
15ce2c5
Add support for alert_suppression
nick-benoit Sep 23, 2025
b171dcd
Update docs
nick-benoit Sep 23, 2025
808210b
Dont force replacement for rule_id
nick-benoit Sep 23, 2025
75cade8
Fix threshold test for alert_supression
nick-benoit Sep 24, 2025
9662f6c
Add minimal query rule test case
nick-benoit Sep 24, 2025
2244d09
Fix various update cases
nick-benoit Sep 24, 2025
f5ea9a2
Add models_test.go
nick-benoit Sep 24, 2025
fcab004
Add model_<type> for all rule types
nick-benoit Sep 24, 2025
e847f2e
Reorganize common field defaults
nick-benoit Sep 24, 2025
7055b89
Add helper for setting common fields from rules
nick-benoit Sep 24, 2025
8c5e8e9
Add version check for response_actions
nick-benoit Sep 25, 2025
64a43e4
Update docs
nick-benoit Sep 25, 2025
f39b546
Add diags to response diags
nick-benoit Sep 29, 2025
782671e
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
e9d1439
Merge branch 'copilot/fix-1290-2' of github.com:elastic/terraform-pro…
nick-benoit Sep 29, 2025
97b875b
Use schema definitions for runtime types
nick-benoit Sep 29, 2025
0517526
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
348bd9f
Update internal/kibana/security_detection_rule/models_saved_query.go
nick-benoit Sep 29, 2025
6d45b5d
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
43f94ec
Use schema definitions for runtime types
nick-benoit Sep 29, 2025
4c3f032
Merge branch 'copilot/fix-1290-2' of github.com:elastic/terraform-pro…
nick-benoit Sep 29, 2025
b14b6ed
Remove nil check in conjunction with isKnown
nick-benoit Sep 29, 2025
9939fe8
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
eef2d11
Refactor to remove IsNull checks
nick-benoit Sep 29, 2025
229e40e
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
671fab4
Update internal/kibana/security_detection_rule/models.go
nick-benoit Sep 29, 2025
713a4a6
Only send machine_learning_job_id as array
nick-benoit Sep 29, 2025
9b2fea9
Use utils.ListValueFrom for empty slice
nick-benoit Sep 29, 2025
aa72fee
Support reading multiple or single job id
nick-benoit Sep 30, 2025
ca37831
Add response processor abstraction / Rearrange utilities
nick-benoit Oct 1, 2025
ca4fe82
Use custom duration type
nick-benoit Oct 1, 2025
0e6b02a
Update docs
nick-benoit Oct 1, 2025
aaacd4c
Replace if rule_id is configured
nick-benoit Oct 2, 2025
bcd1f05
Merge branch 'main' into copilot/fix-1290-2
tobio Oct 2, 2025
aebe532
Remove meta field
nick-benoit Oct 4, 2025
fc1a135
Merge branch 'copilot/fix-1290-2' of github.com:elastic/terraform-pro…
nick-benoit Oct 4, 2025
2ef50a1
Remove meta field in acc_test
nick-benoit Oct 4, 2025
246ed2e
Update docs
nick-benoit Oct 4, 2025
d6780b9
Make lint
nick-benoit Oct 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 14 additions & 43 deletions internal/kibana/security_detection_rule/models_machine_learning.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,24 +30,12 @@ func (d SecurityDetectionRuleData) toMachineLearningRuleCreateProps(ctx context.
if utils.IsKnown(d.MachineLearningJobId) {
jobIds := utils.ListTypeAs[string](ctx, d.MachineLearningJobId, path.Root("machine_learning_job_id"), &diags)
if !diags.HasError() {
if len(jobIds) == 1 {
// Single job ID
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId0(jobIds[0])
if err != nil {
diags.AddError("Error setting ML job ID", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
} else if len(jobIds) > 1 {
// Multiple job IDs
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId1(jobIds)
if err != nil {
diags.AddError("Error setting ML job IDs", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId1(jobIds)
if err != nil {
diags.AddError("Error setting ML job IDs", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
}
}
Expand Down Expand Up @@ -135,24 +123,12 @@ func (d SecurityDetectionRuleData) toMachineLearningRuleUpdateProps(ctx context.
if utils.IsKnown(d.MachineLearningJobId) {
jobIds := utils.ListTypeAs[string](ctx, d.MachineLearningJobId, path.Root("machine_learning_job_id"), &diags)
if !diags.HasError() {
if len(jobIds) == 1 {
// Single job ID
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId0(jobIds[0])
if err != nil {
diags.AddError("Error setting ML job ID", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
} else if len(jobIds) > 1 {
// Multiple job IDs
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId1(jobIds)
if err != nil {
diags.AddError("Error setting ML job IDs", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
var mlJobId kbapi.SecurityDetectionsAPIMachineLearningJobId
err := mlJobId.FromSecurityDetectionsAPIMachineLearningJobId1(jobIds)
if err != nil {
diags.AddError("Error setting ML job IDs", err.Error())
} else {
mlRule.MachineLearningJobId = mlJobId
}
}
}
Expand Down Expand Up @@ -254,13 +230,8 @@ func (d *SecurityDetectionRuleData) updateFromMachineLearningRule(ctx context.Co
// ML-specific fields
d.AnomalyThreshold = types.Int64Value(int64(rule.AnomalyThreshold))

// Handle ML job ID(s) - can be single string or array
// Try to extract as single job ID first, then as array
if singleJobId, err := rule.MachineLearningJobId.AsSecurityDetectionsAPIMachineLearningJobId0(); err == nil {
// Single job ID
d.MachineLearningJobId = utils.ListValueFrom(ctx, []string{string(singleJobId)}, types.StringType, path.Root("machine_learning_job_id"), &diags)
} else if multipleJobIds, err := rule.MachineLearningJobId.AsSecurityDetectionsAPIMachineLearningJobId1(); err == nil {
// Multiple job IDs
// Handle ML job ID(s)
if multipleJobIds, err := rule.MachineLearningJobId.AsSecurityDetectionsAPIMachineLearningJobId1(); err == nil {
jobIdStrings := make([]string, len(multipleJobIds))
for i, jobId := range multipleJobIds {
jobIdStrings[i] = string(jobId)
Expand Down
Loading