[Security Solution][Alerting] Add rulesClient.bulkCreate(), with feedback from ResponseOps

[sdesalas]

Resolves: #264893
Relates to: #264890 (epic)
Relates to: #271722 (similar draft PR with security-solution wiring)

Summary

Adds rulesClient.bulkCreateRules() to the Alerting framework.

The method natively handles both disabled and enabled rules in a single call (validation, per-rule API-key minting, taskManager.bulkSchedule, demotion-on-failure, audit, SO writes, post-failure cleanup). Optimizing for code simplicity, speed of rule creation and memory footprint.

Feedback from ResponseOps

This round (6 out of 6) incorporates the following feedback from @elastic/response-ops team relayed by @cnasikas:

1. Batching to be done INSIDE rulesClient.bulkCreateRules()
2. Supports exit-early on error.
3. Ordering: Create the tasks as enabled, and then the rules as enabled. No extra step to enable at the end.
4. Do not transform and return whole rule (memory footgun). Just return the rule id.
5. Rule prep (validation, api key generation) is done up-front before ES writes.
6. Best effort clean up of resources (TM deletes, API key invalidation)
7. Configurable batchSize and maxLimit, with internal hard limit for number of rules passed in.
8. Deliberately "light" on testing to make sure further feedback can be incorporated easily.

CLARIFICATION ON 5. Rule prep

before doing any API calls to ES (like API generation, rule creation, etc), let's do first the operations that can fail fast like schema validation. Then, when all checks have passed, we can go and start doing the ES calls. This will help us with doing as few reverts as possible.

Additional feedback - implemented on a separate PR:

1. TaskManage.bulkSchedule() should implement the same logic as bulkEnable() to avoid overlapping tasks (randomly assigning them over next 5 minutes).

• PR -> [Security Solution] Randomize task schedules when bulk scheduling #269991

Feedback from Response Ops not implemented:

• Configurable maxLimit: Implemented hard limit of 10K rules (with pre-existing const MAX_RULES_NUMBER_FOR_BULK_OPERATION). It doesn't make sense for consumers to provide a maxLimit, since they are passing an array whose size is known so they can simply check it and return 403/404.

How the code works

The flow is split into two phases — A (in-memory and whole-batch pre checks, fast) and B (batched ES writes, slow), each instrumented with an APM span.

Bulk insertion is "best-effort", unless exitEarlyOnError is used.

• exitEarlyOnError: true: short-circuits after A (zero ES writes) and after any B4 failure.
• exitEarlyOnError: false/undefined: drops invalid rules from A, demotes invalid rules in B (inserts as disabled)

Phase	APM Span	What it does
A1	preValidate.checkInMemory	Per-rule schema / rule-type / params / interval checks. Sequential, fail-fast, no ES.
A2	preValidate.ensureAuthorized	Deduped authz per (ruleTypeId, consumer) pair. Failures are audited and dropped pre-batch.
B1	runBatch.pMap.prepareRule	Per-rule prepare: action validation + uuid, API-key minting. Concurrent (API_KEY_GENERATE_CONCURRENCY).
B2	runBatch.validateScheduleLimit	Circuit-breaker check on the enabled subset; demote-to-disabled on overflow.
B3	runBatch.bulkSchedule	taskManager.bulkSchedule for survivors; demote on whole-call throw or silent per-task drop.
B4	runBatch.bulkCreateRulesSo	Bulk SO create. Per-row 409s surface as errors; failures trigger TM + API-key cleanup.

How to test this code

The changes in this PR do not have any actual wiring that allows them to be tested.

However. You can check out the branch in this pull request 👉 #271722. It contains the exact same changes as this branch with an additional commit 9c80944 that provides wiring through the Security > Detection Rules.

gh pr checkout 271722

Note that the wiring is also available as a patch you can apply locally.

gh pr checkout 269340 && git apply wiring-for-bulk-create-and-changes-history.patch

Enabling security solution wiring via kibana.dev.yml

Make sure that the feature flag is turned on so we can route security solution requests through the new rules client bulkCreateRules() method.

# kibana.dev.yml 
xpack.securitySolution.enableExperimental:
- 'bulkCreateRulesEnabled'

Prebuilt Rule Installation (disabled rules)

For testing creation of disabled rules, the best approach is to install the whole set (1850) of "prebuilt" detection rules.

Security > Detection Rules (SIEM) > Add Elastic Rules > Install All

Make sure you add some debug breakpoints if you want to walk through the code.

If you try it normally on your local machine, you should notice a significant speed improvement (8-9x) vs main.

Bulk deletion (so you can run another batch)

Select all 1850 rules > Bulk actions > Delete

Rule Import (enabled rules)

Enabled rules are trickier to test, but can be done via rule import process.

Security > Detection Rules (SIEM) > Import Rules

👉 Some 📁 SAMPLE DATA.

Note: there is currently a 10MB upload threshold for rule imports, which equates roughly to 1000 rules.

Verify task creation

You can verify the creation of tasks locally with check-tasks.sh

$ ./check-tasks.sh

Or if you are using ports different to the standard 5601 and 9200

$ KIBANA_DEV_PORT=5606 ES_DEV_PORT=9205 ./check-tasks.sh

If you just imported 1000 enabled tasks, counts should match:

starting..
KIBANA_URL=http://localhost:5601/kbn
ES_URL=http://localhost:9200
1. 2. 3. 4. 5. 6.
rules:           1000
rules_enabled:   1000
tasks:           1000
tasks_enabled:   1000
api_key_owner:   1000
apiKey present:  1000

Memory usage

No significant difference in memory usage, within error margin, if anything the new changes appear to reduce usage slightly, even though we're inserting in batches of 100 at a time.

Identify risks

Low to none at present. Mid to high later when wired into Security solution.

Worth mentioning:

1. New method. No production impact. bulkCreateRules() is not called by anything yet, existing flows are unaffected.
2. "Best-effort" rule demotion (to enabled:false) changes caller contract. If we cant add scheduling for a rule enabled: true it is flipped to enabled: false returning errors entry. This is unexpected and different to existing behavior.
3. Cleanup is best-effort, not transactional. Cleanup relies on later calls actually making it to ES. On B4 failure for example, TM bulkRemove and API-key invalidation require an active connection, if it does not exist we could leave dangling tasks and API keys.

Mitigating circumstances:

This functionality will be gated behind a flag when released into Security solution. As per bulkCreateRulesEnabled in commit 9c80944. To ensure proper testing takes place before making available to users.

[infra-vault-gh-plugin-prod]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!
• Click to trigger kibana-entity-store-performance-from-pr for this PR!
• Click to trigger kibana-storybooks-from-pr for this PR!

[sdesalas]

/ci

[sdesalas]

/ci

[sdesalas]

Applying clarification from @elastic/response-ops team @cnasikas on point 5 "Rule prep" in commit 1fca692

Yes, what I mean is that before doing any API calls to ES (like API generation, rule creation, etc), let's do first the operations that can fail fast like schema validation. Then, when all checks have passed, we can go and start doing the ES calls. This will help us with doing as few reverts as possible.

Also incorporating changes from:

• [Security Solution] Randomize task schedules when bulk scheduling #269991

[sdesalas]

/ci

[sdesalas]

☝️ This is a follow-up to work done on this PR:

#269991

More "correct" interpretation of ticket #195136

Definition of Done

• When bulkSchedule API is called with one task, we make it run now (as it does today)
• When bulkSchedule API is called with more than one task, we schedule the tasks with a randomized runAt

Ie. Instead of skipping jittering for the first task (which bulkEnable used to do before PR #269991, confusing the intent), we skip it when there is more than one task.

What does this mean in practical terms?

If we have 20 batches of 50 rules, we avoid bulkScheduleing 20 tasks "now" (the first task in each batch), which start firing right away blocking further batches inserted during bulkCreateRules().

Ie: ~10% speed improvement (26s -> 24s on localhost) when bulk creating 1000 enabled rules in batches of 50. Note that this has not verified with a large set of tests, it could be something within margin of error.

[kibanamachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 4242109
• Build duration: 63 mins

Failed CI Steps

• FTR Configs #53
• FTR Configs #53
• FTR Configs #221
• Scout Lane #12 - stateful-classic / default
• Serverless Detection Engine - Security Solution Cypress Tests #1

Test Failures

• [job] [logs] FTR Configs #221 / Entity Analytics - Watchlists @ess @serverless @skipInServerlessMKI Watchlist Lifecycle should remove all entities from the watchlist index when the watchlist is deleted
• [job] [logs] FTR Configs #53 / integrations For each artifact list under management When on the Event Filters entries list should be able to update an existing Event Filters entry
• [job] [logs] FTR Configs #53 / integrations When in the Fleet application and on the Endpoint Integration details page should display the endpoint custom content
• [job] [logs] Scout Lane #12 - stateful-classic / default / local-stateful-classic - Saved query menu — CRUD (Discover) - save, load, update, save-as-new, delete via the popover

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
alerting	20.4KB	20.6KB	+209.0B

History

• 💔 Build #449703 failed d9badae
• 💔 Build #449612 failed 2caf941
• 💔 Build #448351 failed 15d0646
• 💔 Build #443649 failed 9c22341

cc @sdesalas