[Security Solution] Refactor prebuilt rule customization test plans, …

…part 2 (#211472) **Epic:** #174168 **Partially addresses:** #202068, #202078, #202079 **Follow-up to:** #211300 ## Summary We're cleaning up and refactoring our existing test plans for prebuilt rule customization, upgrade, and export/import workflows. Specifically, this PR: - Creates an "entrypoint" file that should help navigate all the test plans for prebuilt rules. - Creates a file for keeping common information about prebuilt rules that can be shared between the test plans. - Extracts duplicated terminology to the file with common information. - Extracts duplicated assumptions to the file with common information. - Extracts duplicated non-functional requirements to the file with common information. - Adds user stories to each test plan. - Updates links to tickets in every test plan. No "functional" changes have been made to any test plans, such as adding, removing, or updating any scenarios. This refactoring prepares the test plans for being "functionally" changed and improved in follow-up PRs. For example, we're going to cover the logic described in #210358 and address any other gaps in coverage. ## Review tip It might be easier to review this PR commit-by-commit as each of them contains logically cohesive changes.
elastic · Feb 18, 2025 · 786df79 · 786df79
1 parent 8a55fdf
commit 786df79
Show file tree

Hide file tree

Showing 10 changed files with 331 additions and 145 deletions.
diff --git a/...ing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_customization.md b/...ing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_customization.md
@@ -24,8 +24,10 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 - [Useful information](#useful-information)
   - [Tickets](#tickets)
+  - [User stories](#user-stories)
   - [Terminology](#terminology)
   - [Assumptions](#assumptions)
+  - [Non-functional requirements](#non-functional-requirements)
 - [Scenarios](#scenarios)
   - [Editing prebuilt rules](#editing-prebuilt-rules)
     - [**Scenario: User can edit a non-customized prebuilt rule from the rule edit page**](#scenario-user-can-edit-a-non-customized-prebuilt-rule-from-the-rule-edit-page)
@@ -54,33 +56,42 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Tickets
 
-- [Test plan issue](https://github.com/elastic/kibana/issues/202068)
-- [Prebuilt rule customization](https://github.com/elastic/kibana/issues/174168) epic
+- [Users can Customize Prebuilt Detection Rules](https://github.com/elastic/security-team/issues/1974) (internal)
+- [Users can Customize Prebuilt Detection Rules: Milestone 3](https://github.com/elastic/kibana/issues/174168)
+- [Tests for prebuilt rule customization workflow](https://github.com/elastic/kibana/issues/202068)
 
-### Terminology
-
-- **Base version**: Prebuilt rule asset we ship in the rule package corresponding to the currently installed prebuilt rules. It represents "original" version of the rule. During prebuilt rules installation prebuilt rule assets data is copied over and becomes an installed prebuilt rule.
-
-- **Customized prebuilt rule**: An installed prebuilt rule that has been changed by the user in the way rule fields semantically differ from the base version. Also referred to as "Modified" in the UI.
-
-- **Non-customized prebuilt rule**: An installed prebuilt rule that has rule fields values matching the base version.
-
-- **Custom rule**: A rule created by the user themselves
+### User stories
 
-- **rule source, or ruleSource**: A field on the rule that defines the rule's categorization. Can be `internal` or `external`.
+**Prebuilt rule customization workflow:**
 
-- **`is_customized`**: A field within `ruleSource` that exists when rule source is set to `external`. It is a boolean value based on if the rule has been changed from its base version
+- User can edit a single prebuilt rule from the Rule Details page.
+- User can edit single prebuilt rules one-by-one from the Rule Management page.
+- User can edit multiple prebuilt rules in bulk via bulk actions on the Rule Management page. For example:
+  - User can bulk add index patterns to prebuilt rules.
+  - User can bulk update rule schedule in prebuilt rules.
+- User can customize most of the fields of prebuilt rules:
+  - User can edit and customize almost any field of a prebuilt rule, just like it's possible to do with custom rules, via editing it directly or via bulk editing via bulk actions.
+  - User can't edit the Author and License fields.
+- User can see if the rule is customized on the Rule Details page.
+- User can see which rules are customized on the Rule Management page in the Upgrade table.
+- User can un-customize a prebuilt rule by editing it and reverting its parameters back to their original values.
 
-- **customizable rule field**: A rule field that is able to be customized on a prebuilt rule. A comprehenseive list can be found in `./shared_assets/customizable_rule_fields.md`.
-
-- **non-customizable rule field**: A rule field that is unable to be customized on a prebuilt rule. A comprehenseive list can be found in `./shared_assets/non_customizable_rule_fields.md`.
+### Terminology
 
-- **non-semantic change**: A change to a rule field that is functionally different. We normalize certain fields so for a time-related field such as `from`, `1m` vs `60s` are treated as the same value. We also trim leading and trailing whitespace for query fields.
+- [Common terminology](./prebuilt_rules_common_info.md#common-terminology).
+- **Rule source**, or **`ruleSource`**: a rule field that defines the rule's origin. Can be `internal` or `external`. Currently, custom rules have `internal` rule source and prebuilt rules have `external` rule source.
+- **`is_customized`**: a field within `ruleSource` that exists when rule source is set to `external`. It is a boolean value based on if the rule has been changed from its base version.
+- **non-semantic change**: a change to a rule field that is functionally different. We normalize certain fields so for a time-related field such as `from`, `1m` vs `60s` are treated as the same value. We also trim leading and trailing whitespace for query fields.
 
 ### Assumptions
 
+- [Common assumptions](./prebuilt_rules_common_info.md#common-assumptions).
 - Rule package used will have all previous rule versions present (no missing base versions)
 
+### Non-functional requirements
+
+- [Common non-functional requirements](./prebuilt_rules_common_info.md#common-non-functional-requirements).
+
 ## Scenarios
 
 ### Editing prebuilt rules

diff --git a/...cs/testing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_export.md b/...cs/testing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_export.md
@@ -25,7 +25,10 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 - [Useful information](#useful-information)
   - [Tickets](#tickets)
+  - [User stories](#user-stories)
   - [Terminology](#terminology)
+  - [Assumptions](#assumptions)
+  - [Non-functional requirements](#non-functional-requirements)
 - [Scenarios](#scenarios)
   - [Core Functionality](#core-functionality)
     - [Scenario: Exporting prebuilt rule individually from rule details page](#scenario-exporting-prebuilt-rule-individually-from-rule-details-page)
@@ -42,15 +45,35 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Tickets
 
-- [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974)
-- [Rule Exporting Feature](https://github.com/elastic/kibana/issues/180167#issue-2227974379)
-- [Rule Export API PR](https://github.com/elastic/kibana/pull/194498)
+- [Users can Customize Prebuilt Detection Rules](https://github.com/elastic/security-team/issues/1974) (internal)
+- [Users can Customize Prebuilt Detection Rules: Milestone 3](https://github.com/elastic/kibana/issues/174168)
+- [Allow exporting prebuilt rules at the API level](https://github.com/elastic/kibana/issues/180167)
+- [Support exporting prebuilt rules from the Rule Management page](https://github.com/elastic/kibana/issues/180173)
+- [Support exporting prebuilt rules from the Rule Details page](https://github.com/elastic/kibana/issues/180176)
+- [Tests for prebuilt rule import/export workflow](https://github.com/elastic/kibana/issues/202079)
+
+### User stories
+
+**Prebuilt rule export workflow:**
+
+- User can export a single prebuilt rule from the Rule Details page.
+- User can export multiple prebuilt rules one-by-one from the Rule Management page.
+- User can export multiple prebuilt rules in bulk from the Rule Management page via bulk actions.
+- User can export prebuilt non-customized rules.
+- User can export prebuilt customized rules.
+- User can export any combination of prebuilt non-customized, prebuilt customized, and custom rules.
 
 ### Terminology
 
-- **prebuilt rule**: A rule contained in our `Prebuilt Security Detection Rules` integration in Fleet.
-- **custom rule**: A rule defined by the user, which has no relation to the prebuilt rules
-- **rule source, or ruleSource**: A field on the rule that defines the rule's categorization
+- [Common terminology](./prebuilt_rules_common_info.md#common-terminology).
+
+### Assumptions
+
+- [Common assumptions](./prebuilt_rules_common_info.md#common-assumptions).
+
+### Non-functional requirements
+
+- [Common non-functional requirements](./prebuilt_rules_common_info.md#common-non-functional-requirements).
 
 ## Scenarios
 

diff --git a/...cs/testing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_import.md b/...cs/testing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_import.md
@@ -21,7 +21,10 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 - [Useful information](#useful-information)
   - [Tickets](#tickets)
+  - [User stories](#user-stories)
   - [Terminology](#terminology)
+  - [Assumptions](#assumptions)
+  - [Non-functional requirements](#non-functional-requirements)
 - [Scenarios](#scenarios)
   - [Core Functionality](#core-functionality)
     - [Scenario: Importing an unmodified prebuilt rule with a matching rule\_id and version](#scenario-importing-an-unmodified-prebuilt-rule-with-a-matching-rule_id-and-version)
@@ -43,15 +46,33 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Tickets
 
-- [Rule Immutability/Customization](https://github.com/elastic/security-team/issues/1974)
-- [Rule Importing Feature](https://github.com/elastic/kibana/issues/180168)
-- [Rule Import API PR](https://github.com/elastic/kibana/pull/190198)
+- [Users can Customize Prebuilt Detection Rules](https://github.com/elastic/security-team/issues/1974) (internal)
+- [Users can Customize Prebuilt Detection Rules: Milestone 3](https://github.com/elastic/kibana/issues/174168)
+- [Allow importing prebuilt rules at the API level](https://github.com/elastic/kibana/issues/180168)
+- [Benchmark performance of importing a large number of prebuilt rules](https://github.com/elastic/kibana/issues/195632)
+- [Tests for prebuilt rule import/export workflow](https://github.com/elastic/kibana/issues/202079)
+
+### User stories
+
+**Prebuilt rule import workflow:**
+
+- User can import a single prebuilt rule on the Rule Management page.
+- User can import multiple prebuilt rules on the Rule Management page.
+- User can import prebuilt non-customized rules.
+- User can import prebuilt customized rules.
+- User can import any combination of prebuilt non-customized, prebuilt customized, and custom rules.
 
 ### Terminology
 
-- **prebuilt rule**: A rule contained in our `Prebuilt Security Detection Rules` integration in Fleet.
-- **custom rule**: A rule defined by the user, which has no relation to the prebuilt rules
-- **rule source, or ruleSource**: A field on the rule that defines the rule's categorization
+- [Common terminology](./prebuilt_rules_common_info.md#common-terminology).
+
+### Assumptions
+
+- [Common assumptions](./prebuilt_rules_common_info.md#common-assumptions).
+
+### Non-functional requirements
+
+- [Common non-functional requirements](./prebuilt_rules_common_info.md#common-non-functional-requirements).
 
 ## Scenarios
 

diff --git a/...ting/test_plans/detection_response/prebuilt_rules/prebuilt_rule_installation.md b/...ting/test_plans/detection_response/prebuilt_rules/prebuilt_rule_installation.md
@@ -20,6 +20,7 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 - [Useful information](#useful-information)
   - [Tickets](#tickets)
+  - [User stories](#user-stories)
   - [Terminology](#terminology)
   - [Assumptions](#assumptions)
   - [Non-functional requirements](#non-functional-requirements)
@@ -58,50 +59,36 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Tickets
 
-- [Rule Immutability/Customization epic](https://github.com/elastic/security-team/issues/1974)(internal)
+- [Users can Customize Prebuilt Detection Rules](https://github.com/elastic/security-team/issues/1974) (internal)
+- [Users can Customize Prebuilt Detection Rules: Milestone 2](https://github.com/elastic/kibana/issues/174167)
+- [Users can Customize Prebuilt Detection Rules: Milestone 3](https://github.com/elastic/kibana/issues/174168)
 
-**Milestone 3 - Prebuilt Rules Customization:**
-- [Milestone 3 epic ticket](https://github.com/elastic/kibana/issues/174168)
-- [Tests for prebuilt rule upgrade workflow #202078](https://github.com/elastic/kibana/issues/202078)
+### User stories
 
-**Milestone 2:**
-- [Ensure full test coverage for existing workflows of installing and upgrading prebuilt rules](https://github.com/elastic/kibana/issues/148176)
-- [Write test plan and add test coverage for the new workflows of installing and upgrading prebuilt rules](https://github.com/elastic/kibana/issues/148192)
+**Prebuilt rule installation workflow:**
 
-### Terminology
-
-- **EPR**: [Elastic Package Registry](https://github.com/elastic/package-registry), service that hosts our **Package**.
-
-- **Package**: `security_detection_engine` Fleet package that we use to distribute prebuilt detection rules in the form of `security-rule` assets (saved objects).
-
-- **Real package**: actual latest stable package distributed and pulled from EPR via Fleet.
+- User can install single prebuilt rules one-by-one from the Rule Installation page.
+- User can install multiple prebuilt rules in bulk from the Rule Installation page.
+- User can install all available prebuilt rules in bulk from the Rule Installation page.
+- User can preview properties of a prebuilt rule before installing it.
 
-- **Mock rules**: `security-rule` assets that are indexed into the `.kibana_security_solution` index directly in the test setup, either by using the ES client _in integration tests_ or by an API request _in Cypress tests_.
-
-- **Air-gapped environment**: an environment where Kibana doesn't have access to the internet. In general, EPR is not available in such environments, except the cases when the user runs a custom EPR inside the environment.
+### Terminology
 
-- **CTA**: "call to action", usually a button, a link, or a callout message with a button, etc, that invites the user to do some action.
-  - CTA to install prebuilt rules - at this moment, it's a link button with a counter (implemented) and a callout with a link button (not yet implemented) on the Rule Management page.
-  - CTA to upgrade prebuilt rules - at this moment, it's a tab with a counter (implemented) and a callout with a link button (not yet implemented) on the Rule Management page.
+- [Common terminology](./prebuilt_rules_common_info.md#common-terminology).
+- **CTA to install prebuilt rules**: a link button with a counter on the Rule Management page.
+- **CTA to upgrade prebuilt rules**: a tab with a counter on the Rule Management page.
 
 ### Assumptions
 
-- Below scenarios only apply to prebuilt detection rules.
-- Users should be able to install prebuilt rules on the `Basic` license and higher.
-- EPR is available for fetching the package unless explicitly indicated otherwise.
-- Only the latest **stable** package is checked for installation/upgrade and pre-release packages are ignored.
+- [Common assumptions](./prebuilt_rules_common_info.md#common-assumptions).
 
 ### Non-functional requirements
 
-- Notifications, rule installation workflows should work:
-  - regardless of the package type: with historical rule versions or without;
-  - regardless of the package registry availability: i.e., they should also work in air-gapped environments.
-- Rule installation and upgrade workflows should work with packages containing up to 15000 historical rule versions. This is the max number of versions of all rules in the package. This limit is enforced by Fleet.
-- Kibana should not crash with Out Of Memory exception during package installation.
-- For test purposes, it should be possible to use detection rules package versions lower than the latest.
+- [Common non-functional requirements](./prebuilt_rules_common_info.md#common-non-functional-requirements).
 
 ### Functional requirements
 
+- Users should be able to install prebuilt rules on the `Basic` license and higher.
 - User should be able to install prebuilt rules with and without previewing what exactly they would install (rule properties).
 - If user chooses to preview a prebuilt rule to be installed/upgraded, we currently show this preview in a flyout.
 - In the prebuilt rule preview a tab that doesn't have any sections should not be displayed and a section that doesn't have any properties also should not be displayed.

diff --git a/...lans/detection_response/prebuilt_rules/prebuilt_rule_upgrade_diff_algorithms.md b/...lans/detection_response/prebuilt_rules/prebuilt_rule_upgrade_diff_algorithms.md
@@ -19,6 +19,7 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
   - [Tickets](#tickets)
   - [Terminology](#terminology)
   - [Assumptions](#assumptions)
+  - [Non-functional requirements](#non-functional-requirements)
 - [Scenarios](#scenarios)
   - [Rule field doesn't have an update and has no custom value - `AAA`](#rule-field-doesnt-have-an-update-and-has-no-custom-value---aaa)
     - [**Scenario: `AAA` - Rule field is any type**](#scenario-aaa---rule-field-is-any-type)
@@ -53,21 +54,22 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Tickets
 
-- [Users can customize prebuilt detection rules](https://github.com/elastic/kibana/issues/174168) epic
-- [Implement single-line string diff algorithm](https://github.com/elastic/kibana/issues/180158)
+- [Users can Customize Prebuilt Detection Rules](https://github.com/elastic/security-team/issues/1974) (internal)
+- [Users can Customize Prebuilt Detection Rules: Milestone 3](https://github.com/elastic/kibana/issues/174168)
 - [Implement number diff algorithm](https://github.com/elastic/kibana/issues/180160)
+- [Implement single-line string diff algorithm](https://github.com/elastic/kibana/issues/180158)
+- [Implement multi-line string diff algorithm](https://github.com/elastic/kibana/issues/180159)
 - [Implement array of scalar values diff algorithm](https://github.com/elastic/kibana/issues/180162)
+- [Implement data source fields diff algorithm](https://github.com/elastic/kibana/issues/187659)
+- [Implement query fields diff algorithms](https://github.com/elastic/kibana/issues/187658)
+- [Implement `concurrent_searches` and `items_per_search` fields diff algorithms](https://github.com/elastic/kibana/issues/188061)
+- [Implement rule type diff algorithm](https://github.com/elastic/kibana/issues/190482)
+- [Tests for prebuilt rule customization workflow](https://github.com/elastic/kibana/issues/202068)
+- [Tests for prebuilt rule upgrade workflow](https://github.com/elastic/kibana/issues/202078)
 
 ### Terminology
 
-- **Base version**: Also labeled as `base_version`. This is the version of a rule authored by Elastic as it is installed from the `security_detection_engine` package, with no customizations to any fields by the user.
-
-- **Current version**: Also labeled as `current_version`. This is the version of the rule that the user currently has installed. Consists of the `base_version` of the rules plus all customization applies to its fields by the user.
-
-- **Target version**: Also labeled as `target_version`. This is the version of the rule that contains the update from Elastic.
-
-- **Merged version**: Also labeled as `merged_version`. This is the version of the rule that we determine via the various algorithms. It could contain a mix of all the rule versions on a per-field basis to create a singluar version of the rule containing all relevant updates and user changes to display to the user.
-
+- [Common terminology](./prebuilt_rules_common_info.md#common-terminology).
 - **Grouped fields**
   - `data_source`: an object that contains a `type` field with a value of `data_view_id` or `index_patterns` and another field that's either `data_view_id` of type string OR `index_patterns` of type string array
   - `kql_query`: an object that contains a `type` field with a value of `inline_query` or `saved_query` and other fields based on whichever type is defined. If it's `inline_query`, the object contains a `query` string field, a `language` field that's either `kuery` or `lucene`, and a `filters` field which is an array of kibana filters. If the type field is `saved_query`, the object only contains a `saved_query_id` string field.
@@ -76,9 +78,14 @@ https://marketplace.visualstudio.com/items?itemName=yzhang.markdown-all-in-one
 
 ### Assumptions
 
+- [Common assumptions](./prebuilt_rules_common_info.md#common-assumptions).
 - All scenarios will contain at least 1 prebuilt rule installed in Kibana.
 - A new version will be available for rule(s).
 
+### Non-functional requirements
+
+- [Common non-functional requirements](./prebuilt_rules_common_info.md#common-non-functional-requirements).
+
 ## Scenarios
 
 ### Rule field doesn't have an update and has no custom value - `AAA`