Add information for airgapped environments about upgrade process of Security prebuilt detection rules

[111andre111]

Related to: elastic/kibana#181808

Documentation links

https://www.elastic.co/guide/en/elastic-stack/current/air-gapped-install.html#air-gapped-kibana
https://www.elastic.co/guide/en/fleet/current/air-gapped.html
https://www.elastic.co/guide/en/security/current/offline-endpoint.html

Description

Looking to the documentation links we have information about how to set up in an airgapped environment Fleet, Endpoint and other artifacts.

However we should care as well about a detailed guide for maintaining out of band detection rules in kibana:
https://www.elastic.co/guide/en/security/current/prebuilt-rules-downloadable-updates.html
which is coming afaik from this integration:
https://docs.elastic.co/integrations/security_detection_engine

Which documentation set(s) does this bug apply to?

ECK / ECE / on-premise

Release version

N/A

Testing environment

on premise installation in airgapped environments.
Maybe might make sense as well to think about ECE and ECK installations.

[florent-leborgne]

@approksiu Hi! I've read the issue and am not sure I understand fully the context & request. Can you provide more details? Or point us to a team/someone who can help feed the correct information to add to the docs?

[approksiu]

cc @111andre111 @jkelas

[jkelas]

If I understand this correctly, @111andre111 would like to document the learnings that we made while working on this ticket elastic/kibana#181808
Am I correct @111andre111 ?
I am thinking about documenting the fact that with the xpack.fleet.isAirGapped set to true, Kibana doesn't try to contact EPR, and correctly uses the prepackaged security detection rules, if available (e.g. in the container or in the correct path on the file system).

[111andre111]

This issue here is a slightly other one. elastic/kibana#181808 tries to define what to do when Airgapped and using no EPR.

This issue here is more about Airgapped and using EPR and how to keep Rules artifacts up to date.
This is now the more interesting in the context of the now available rules diff feature
https://www.elastic.co/docs/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified

Hope that helps.

[jkelas]

FYI @banderror

[approksiu]

I can work on this with @nastasha-solomon.
@nastasha-solomon what do you think if we add a section on this page https://www.elastic.co/docs/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules about airgapped environments. We can mention that updates for the rules are shipped via detection-engine integration, so to get the biweekly updates you need to update the EPR https://www.elastic.co/docs/deploy-manage/deploy/self-managed/air-gapped-install#air-gapped-elastic-package-registry, the rest of the rules functionality will remain the same.

[banderror]

Hey @approksiu, before we document I think we should test it. Let's chat offline.

[banderror]

Hey @pborgonovi, since you worked on testing of elastic/kibana#181808 and are familiar with air-gapped environments, could you please help us with testing here as well?

We want to know if users in air-gapped environments are able to consume OOTB prebuilt rule updates without upgrading their whole stack to the new version. Presumingly, this should be possible for those users whose air-gapped environment contains an air-gapped EPR deployed to it. In other words, for those who run both Kibana and EPR within the air-gapped env. The assumption is: if the user upgrades their air-gapped EPR to the new version, they will get prebuilt rule updates in Kibana.

We want to test it and make sure this works before we document it in the Security documentation.

EPR docs: https://www.elastic.co/docs/deploy-manage/deploy/self-managed/air-gapped-install#air-gapped-elastic-package-registry

[pborgonovi]

Hi @banderror
Sure. I'll work on executing this flow and share the steps + results.

[deatonlm]

We are using an air-gapped environment and are interested in this issue. We are just now having discussions about how we will do rule updates in the future. Can you please elaborate on what you mean by "OOTB prebuilt rule updates". We are running the EPR within the same air-gapped environment and on the same server.