[Security Solution] [Platform] Adds support for data views and runtime field mappings in rule creation, exceptions, and during execution #130929

Merged: 107 commits, merged Jun 16, 2022
4ab6be4
WIP
dhurley14 Feb 9, 2022
195480b
WIP - reset me
dhurley14 Feb 14, 2022
c29db7d
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Feb 24, 2022
1e5de0d
more WIP, added runtime_mappings field to search after function in ru…
dhurley14 Mar 7, 2022
452e7ea
data view id saved on rule creation, then pull runtime mappings from …
dhurley14 Mar 8, 2022
818e0eb
fix bug where runtime mappings were not parsed
dhurley14 Mar 9, 2022
51c9db1
merge with master
dhurley14 Mar 17, 2022
111e7c0
Merge branch 'main' into dataview-rule-exec
dhurley14 Mar 21, 2022
c241aa6
undo me - combo box. not working / functional / demo-able right now
dhurley14 Mar 22, 2022
e3c0d21
merge with main
dhurley14 Mar 31, 2022
a463132
working data view selector
dhurley14 Apr 1, 2022
628e7e7
adds radio group buttons, need to update callback to disable when one…
dhurley14 Apr 5, 2022
1744714
on change of radio selection we update which index patterns to use
dhurley14 Apr 5, 2022
603b72c
more working stuff, need to fix rule preview and getIsRulePreviewDisa…
dhurley14 Apr 11, 2022
47c9baf
WIP - undo me
dhurley14 Apr 13, 2022
95bebf0
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 13, 2022
9f554de
when editing a rule, the data view id stored on that rules params wil…
dhurley14 Apr 13, 2022
b684a26
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 15, 2022
1c51bea
add dataViewId to preview rule route + preview rule state
dhurley14 Apr 21, 2022
8ab0609
fixes types
dhurley14 Apr 25, 2022
864c178
fix test
dhurley14 Apr 25, 2022
2e7381a
fixes linting errors
dhurley14 Apr 25, 2022
c77ec73
remove extra console.log
dhurley14 Apr 25, 2022
d68a8b9
remove unnecessary new line
dhurley14 Apr 25, 2022
c6088f2
possibly fixed everything
dhurley14 Apr 26, 2022
bad4c7e
we do not use this field anymore so we can probably get rid of it.
dhurley14 Apr 26, 2022
b152cf8
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 27, 2022
52985b2
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Apr 27, 2022
9966b44
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Apr 27, 2022
120e02f
Merge remote-tracking branch 'origin/dataview-rule-exec' into datavie…
dhurley14 Apr 27, 2022
9b2b7d9
fixes cypress tests, updates response validation from server to inclu…
dhurley14 Apr 27, 2022
113c937
updates validation
dhurley14 Apr 28, 2022
e48bb65
update validation logic and updates import rule route validations to …
dhurley14 Apr 28, 2022
f754090
WIP - using dataview services
dhurley14 May 2, 2022
d734c12
fixes missing fields in rule overrides in about rule section
dhurley14 May 3, 2022
cab37f3
WIP -fixed exception flyout, fixed threshold rule input selector
dhurley14 May 4, 2022
c36ccae
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine May 4, 2022
b57ed3a
merge with master
dhurley14 May 9, 2022
60328cc
fix jest test for about rule
dhurley14 May 9, 2022
28de147
Merge remote-tracking branch 'origin/dataview-rule-exec' into datavie…
dhurley14 May 9, 2022
362a3e1
working EQL runtime mapping fields
dhurley14 May 9, 2022
5f94d20
fixes double exceptions viewer and fixes bug where data viewer select…
dhurley14 May 10, 2022
c2776c6
use dataViewId injected by saved objects references, not the one stor…
dhurley14 May 13, 2022
3f416bb
remove data view id during bulk update of rules + changing index patt…
dhurley14 May 16, 2022
b2c5586
fixed a test
dhurley14 May 16, 2022
14a6c55
remove console.errors
dhurley14 May 16, 2022
bb97d75
fixes type check errors, need to replace ruleIndices prop in exceptio…
dhurley14 May 16, 2022
f272d37
adds runtime mappings parameters to threshold and threat match rule t…
dhurley14 May 17, 2022
1c1b8fa
update pre-execution checks to work with data views and runtime mappings
dhurley14 May 17, 2022
4774d8f
bug fixes, cleanup, still trying to figure out how to get the default…
dhurley14 May 17, 2022
6a5e490
merge main with master
dhurley14 May 17, 2022
7fd22fb
fixes last typescript error
dhurley14 May 17, 2022
c39e57d
return undefined instead of empty string when a data view is not foun…
dhurley14 May 18, 2022
58b2432
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 May 18, 2022
3722a4a
[Data View Rule Creation] - Update UI and data view check on rule run…
yctercero May 19, 2022
a4c90b4
possible test fixes
dhurley14 May 19, 2022
d0fbb9b
Merge branch 'dataview-rule-exec' of github.com:dhurley14/kibana into…
dhurley14 May 19, 2022
b9e8656
fixes data view bug with indicator and threshold rules
dhurley14 May 19, 2022
bdddbce
resolve type check failures
dhurley14 May 19, 2022
0696ce8
fix cypress
dhurley14 May 19, 2022
1bb5867
fix exceptions cypress test and update typecheck error
dhurley14 May 19, 2022
c076b76
forgot to uncomment tests
dhurley14 May 19, 2022
b873b55
do not block displaying / selection of options when fetching the data…
dhurley14 May 19, 2022
d91afd4
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 May 19, 2022
110f277
[Data Views for Rules] - adding unit tests (#24)
yctercero May 20, 2022
51cd358
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine May 20, 2022
2ce7c44
updates with type fixes from review and test re-names. I still need t…
dhurley14 May 20, 2022
3ff1d99
Merge branch 'dataview-rule-exec' of github.com:dhurley14/kibana into…
dhurley14 May 20, 2022
34dd775
display data view title in rule details, not the id
dhurley14 May 20, 2022
da37d23
fixes bug where validation was failing and users could not reset/clea…
dhurley14 May 20, 2022
471d9fb
fix type check errors
dhurley14 May 20, 2022
39d1f3d
adds data view id to patch rules and patch rules bulk route, also add…
dhurley14 May 23, 2022
e8bb209
fix jest tests and type failures
dhurley14 May 23, 2022
7b8e62a
update jest tests and fix bug found by saved query integration test
dhurley14 May 23, 2022
a8a8d98
fix code + tests related to bulk editing rules + dataviews
dhurley14 May 23, 2022
8974a8f
update snapshot
dhurley14 May 23, 2022
d27f613
remove console.logs, clean up logic for get input indices
dhurley14 May 24, 2022
45a6f70
skipping related_cases tests as they are timing out
dhurley14 May 24, 2022
1b4a9c6
fix e2e test
dhurley14 May 24, 2022
f26eeae
remove null from type
dhurley14 May 24, 2022
9c85a3f
remove changes from useFetchIndex
dhurley14 May 24, 2022
e35a168
merge with main
dhurley14 May 24, 2022
e8e9e5a
skipping add exceptions flyout as possible root cause for timeouts in…
dhurley14 May 24, 2022
5be1079
remove unnecessary useEffect which was causing jest test to hang in CI
dhurley14 May 25, 2022
7754d84
undo changes while trying to figure out why jest tests were hanging i…
dhurley14 May 25, 2022
c9d18ad
undo cypress changes
dhurley14 May 26, 2022
ebeed1f
merge with main
dhurley14 May 26, 2022
6954036
undo changes to query_bar test
dhurley14 May 26, 2022
9baef65
intermediary work for resolving cypress failures with exceptions
dhurley14 Jun 2, 2022
f5e0989
merge with main
dhurley14 Jun 2, 2022
24d181a
fix missed merge conflict
dhurley14 Jun 2, 2022
357121e
update jest test
dhurley14 Jun 3, 2022
c1bb307
do not reset querybar
dhurley14 Jun 3, 2022
b5954cc
set the rule indices state in rule details page if the rule has a non…
dhurley14 Jun 3, 2022
4f69c78
undo change made while debugging t_grid
dhurley14 Jun 6, 2022
b535d5c
exports Ancestor830 from alerts schema, removes fetching of data view…
dhurley14 Jun 6, 2022
ef10521
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 6, 2022
3b39205
undo changes to endpoint data loader while testing
dhurley14 Jun 7, 2022
2b2e531
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 13, 2022
6ef4f2a
removes commented out useEffect
dhurley14 Jun 13, 2022
6637e05
fix bug where rule form was blowing up because of a missing index fie…
dhurley14 Jun 14, 2022
5d069c8
fix validation logic in eql validator
dhurley14 Jun 15, 2022
645ca2b
Merge remote-tracking branch 'upstream/main' into dataview-rule-exec
dhurley14 Jun 15, 2022
594b1c0
fix logic for only adding data_view_id to rule form if ml rule type
dhurley14 Jun 15, 2022
56bed04
remove commented out code
dhurley14 Jun 15, 2022
bebc731
Revert "fix bug where rule form was blowing up because of a missing i…
dhurley14 Jun 16, 2022
d2da1da
Revert "fix validation logic in eql validator"
dhurley14 Jun 16, 2022
@@ -0,0 +1,56 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { ALERT_BUILDING_BLOCK_TYPE, ALERT_UUID } from '@kbn/rule-data-utils';
import { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
import {
ALERT_GROUP_ID,
ALERT_GROUP_INDEX,
ALERT_RULE_INDICES,
} from '../../../../field_maps/field_names';
import type {
Ancestor800,
BaseFields800,
EqlBuildingBlockAlert800,
EqlShellAlert800,
} from '../8.0.0';

export type { Ancestor800 as Ancestor830 };

/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.3.0.
Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.3.0.
If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
for the version to be released and add the field(s) to the schema in that folder.
Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
*/
export interface BaseFields830 extends BaseFields800 {
[ALERT_RULE_INDICES]: string[];
🚀
}

export interface WrappedFields830<T extends BaseFields830> {
_id: string;
_index: string;
_source: T & { [ALERT_UUID]: string };
}

export type GenericAlert830 = AlertWithCommonFields800<BaseFields830>;

// This is the type of the final generated alert including base fields, common fields
// added by the alertWithPersistence function, and arbitrary fields copied from source documents
export type DetectionAlert830 = GenericAlert830 | EqlShellAlert800 | EqlBuildingBlockAlert800;

export interface EqlShellFields830 extends BaseFields830 {
[ALERT_GROUP_ID]: string;
[ALERT_UUID]: string;
}

export interface EqlBuildingBlockFields830 extends BaseFields830 {
[ALERT_GROUP_ID]: string;
[ALERT_GROUP_INDEX]: number;
[ALERT_BUILDING_BLOCK_TYPE]: 'default';
}
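Review bot: `DetectionAlert830` near the end of the hunk is declared as `GenericAlert830 | EqlShellAlert800 | EqlBuildingBlockAlert800`, so EQL shell and building-block alerts typed as 8.3.0 alerts keep the 8.0.0 shape and never carry the new `[ALERT_RULE_INDICES]: string[]` that `BaseFields830` introduces. The file defines `EqlShellFields830` and `EqlBuildingBlockFields830` but no alert wrappers for them; add e.g. `AlertWithCommonFields800<EqlShellFields830>` (the same pattern used for `GenericAlert830`) and put those in the union, or state in the comment why EQL alerts are deliberately excluded from the new field.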
@@ -6,23 +6,25 @@
*/

import type {
Ancestor800,
BaseFields800,
DetectionAlert800,
WrappedFields800,
EqlBuildingBlockFields800,
EqlShellFields800,
} from './8.0.0';
EqlBuildingBlockFields830,
EqlShellFields830,
WrappedFields830,
DetectionAlert830,
BaseFields830,
Ancestor830,
} from './8.3.0';

import type { DetectionAlert800 } from './8.0.0';

// When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
// here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
export type DetectionAlert = DetectionAlert800;
export type DetectionAlert = DetectionAlert800 | DetectionAlert830;

export type {
Ancestor800 as AncestorLatest,
BaseFields800 as BaseFieldsLatest,
DetectionAlert800 as DetectionAlertLatest,
WrappedFields800 as WrappedFieldsLatest,
EqlBuildingBlockFields800 as EqlBuildingBlockFieldsLatest,
EqlShellFields800 as EqlShellFieldsLatest,
Ancestor830 as AncestorLatest,
BaseFields830 as BaseFieldsLatest,
DetectionAlert830 as DetectionAlertLatest,
WrappedFields830 as WrappedFieldsLatest,
EqlBuildingBlockFields830 as EqlBuildingBlockFieldsLatest,
EqlShellFields830 as EqlShellFieldsLatest,
};
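Review bot: the names imported from './8.3.0' are listed in the reverse order of the './8.0.0' block they replace (`EqlBuildingBlockFields830` first, `Ancestor830` last), and `DetectionAlert800` is now pulled in by a separate import; keep one ordering for both the import list and the `*Latest` re-export list so future version bumps are a mechanical diff. The `DetectionAlert = DetectionAlert800 | DetectionAlert830` union itself matches the guidance in the comment above it.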
@@ -123,6 +123,12 @@ export type IdOrUndefined = t.TypeOf<typeof idOrUndefined>;
export const index = t.array(t.string);
export type Index = t.TypeOf<typeof index>;

export const data_view_id = t.string;
export type DataViewId = t.TypeOf<typeof data_view_id>;

export const dataViewIdOrUndefined = t.union([data_view_id, t.undefined]);
export type DataViewIdOrUndefined = t.TypeOf<typeof dataViewIdOrUndefined>;

export const indexOrUndefined = t.union([index, t.undefined]);
export type IndexOrUndefined = t.TypeOf<typeof indexOrUndefined>;

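Review bot: `export const data_view_id = t.string;` accepts the empty string, so `''` decodes as a valid data view id and is only distinguishable from "no data view" (`dataViewIdOrUndefined`) by downstream code. Since rule execution has to tell "no data view configured" apart from "data view id did not resolve", consider a non-empty-string codec for `data_view_id` so that `''` is rejected at the API boundary instead of being normalised later.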
@@ -462,14 +468,17 @@ const bulkActionEditPayloadTags = t.type({

export type BulkActionEditPayloadTags = t.TypeOf<typeof bulkActionEditPayloadTags>;

const bulkActionEditPayloadIndexPatterns = t.type({
type: t.union([
t.literal(BulkActionEditType.add_index_patterns),
t.literal(BulkActionEditType.delete_index_patterns),
t.literal(BulkActionEditType.set_index_patterns),
]),
value: index,
});
const bulkActionEditPayloadIndexPatterns = t.intersection([
t.type({
type: t.union([
t.literal(BulkActionEditType.add_index_patterns),
t.literal(BulkActionEditType.delete_index_patterns),
t.literal(BulkActionEditType.set_index_patterns),
]),
value: index,
}),
t.exact(t.partial({ overwriteDataViews: t.boolean })),
]);

export type BulkActionEditPayloadIndexPatterns = t.TypeOf<
typeof bulkActionEditPayloadIndexPatterns
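Review bot: `t.exact(t.partial({ overwriteDataViews: t.boolean }))` attaches the flag to all three edit types (`add_index_patterns`, `delete_index_patterns`, `set_index_patterns`), but its meaning for `delete_index_patterns` is unclear: removing patterns from a rule that currently runs against a data view has nothing to overwrite. Document the intended behaviour per edit type (or restrict the flag to `add`/`set`), and note that the key is camelCase while every neighbouring API field is snake_case (`data_view_id`, `add_index_patterns`); `overwrite_data_views` would be consistent with the rest of the payload.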
@@ -50,6 +50,7 @@ import {
anomaly_threshold,
filters,
index,
data_view_id,
saved_id,
timeline_id,
timeline_title,
@@ -114,6 +115,7 @@ export const addPrepackagedRulesSchema = t.intersection([
filters, // defaults to undefined if not set during decode
from: DefaultFromString, // defaults to "now-6m" if not set during decode
index, // defaults to undefined if not set during decode
data_view_id, // defaults to undefined if not set during decode
interval: DefaultIntervalString, // defaults to "5m" if not set during decode
query, // defaults to undefined if not set during decode
language, // defaults to undefined if not set during decode
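Review bot: adding `data_view_id` to `addPrepackagedRulesSchema` lets a prepackaged rule reference a data view, but a data view id is a saved object id that exists only in the deployment where the view was created, so a shipped rule carrying one would not resolve on other installations. Confirm whether prepackaged rules are meant to accept this field or whether it is here only for schema parity with the create/import routes; if the latter, a comment saying so (or omitting the field here) would avoid authors relying on it.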
@@ -1773,4 +1773,124 @@ describe('import rules schema', () => {
expect(message.schema).toEqual(expected);
});
});

describe('data_view_id', () => {
test('Defined data_view_id and empty index does validate', () => {
const payload: ImportRulesSchema = {
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
from: 'now-5m',
to: 'now',
name: 'some-name',
severity: 'low',
type: 'query',
query: 'some query',
data_view_id: 'logs-*',
index: [],
interval: '5m',
};

const decoded = importRulesSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
expect(getPaths(left(message.errors))).toEqual([]);
const expected: ImportRulesSchemaDecoded = {
author: [],
severity_mapping: [],
risk_score_mapping: [],
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
from: 'now-5m',
to: 'now',
name: 'some-name',
severity: 'low',
type: 'query',
query: 'some query',
index: [],
data_view_id: 'logs-*',
interval: '5m',
references: [],
actions: [],
enabled: true,
false_positives: [],
max_signals: DEFAULT_MAX_SIGNALS,
tags: [],
threat: [],
throttle: null,
version: 1,
exceptions_list: [],
immutable: false,
};
expect(message.schema).toEqual(expected);
});

// Both can be defined, but if a data_view_id is defined, rule will use that one
test('Defined data_view_id and index does validate', () => {
const payload: ImportRulesSchema = {
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
from: 'now-5m',
to: 'now',
name: 'some-name',
severity: 'low',
type: 'query',
query: 'some query',
data_view_id: 'logs-*',
index: ['auditbeat-*'],
interval: '5m',
};

const decoded = importRulesSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
expect(getPaths(left(message.errors))).toEqual([]);
const expected: ImportRulesSchemaDecoded = {
author: [],
severity_mapping: [],
risk_score_mapping: [],
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
from: 'now-5m',
to: 'now',
name: 'some-name',
severity: 'low',
type: 'query',
query: 'some query',
index: ['auditbeat-*'],
data_view_id: 'logs-*',
interval: '5m',
references: [],
actions: [],
enabled: true,
false_positives: [],
max_signals: DEFAULT_MAX_SIGNALS,
tags: [],
threat: [],
throttle: null,
version: 1,
exceptions_list: [],
immutable: false,
};
expect(message.schema).toEqual(expected);
});

test('data_view_id cannot be a number', () => {
const payload: Omit<ImportRulesSchema, 'data_view_id'> & { data_view_id: number } = {
...getImportRulesSchemaMock(),
data_view_id: 5,
};

const decoded = importRulesSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
expect(getPaths(left(message.errors))).toEqual([
'Invalid value "5" supplied to "data_view_id"',
]);
expect(message.schema).toEqual({});
});
});
});
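Review bot: the new `describe('data_view_id', ...)` block covers data_view_id with an empty `index`, with both set, and with a number, but not the two cases the schema comment promises: an omitted `data_view_id` decoding to `undefined`, and an empty string `''` (which `t.string` currently accepts). Add both so the "defaults to undefined if not set during decode" contract is pinned by a test. Also, the value `'logs-*'` reads like an index pattern rather than a data view id; a value such as `'logs-data-view'` would make the tests clearer about which concept is being exercised.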
@@ -53,6 +53,7 @@ import {
filters,
RuleId,
index,
data_view_id,
output_index,
saved_id,
timeline_id,
@@ -123,6 +124,7 @@ export const importRulesSchema = t.intersection([
filters, // defaults to undefined if not set during decode
from: DefaultFromString, // defaults to "now-6m" if not set during decode
index, // defaults to undefined if not set during decode
data_view_id, // defaults to undefined if not set during decode
immutable: OnlyFalseAllowed, // defaults to "false" if not set during decode
interval: DefaultIntervalString, // defaults to "5m" if not set during decode
query, // defaults to undefined if not set during decode
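Review bot: `data_view_id` is inserted between `index` and `immutable`, breaking the alphabetical ordering the surrounding keys follow (`filters`, `from`, `index`, `immutable`, `interval`, `query`); move it to its alphabetical position. Since the import schema accepts both `index` and `data_view_id` on the same rule and the tests say the data view wins, a comment next to the field stating that precedence would help anyone reading an imported rule.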
@@ -38,6 +38,7 @@ import {
anomaly_threshold,
filters,
index,
data_view_id,
output_index,
saved_id,
timeline_id,
@@ -89,6 +90,7 @@ export const patchRulesSchema = t.exact(
from,
rule_id,
index,
data_view_id,
interval,
query,
language,
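Review bot: with both `index` and `data_view_id` patchable, a PATCH that sets `index` on a rule that already has a `data_view_id` leaves the data view in place, and because the data view takes precedence the new index patterns are silently ignored. Decide and document whether patching `index` should clear `data_view_id` (the bulk edit payload handles this explicitly with `overwriteDataViews`); the patch route should behave consistently with that flag.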
@@ -29,6 +29,18 @@ export const getCreateRulesSchemaMock = (ruleId = 'rule-1'): QueryCreateSchema =
rule_id: ruleId,
});

export const getCreateRulesSchemaMockWithDataView = (ruleId = 'rule-1'): QueryCreateSchema => ({
data_view_id: 'logs-*',
description: 'Detecting root and admin users',
name: 'Query with a rule id',
query: 'user.name: root or user.name: admin',
severity: 'high',
type: 'query',
risk_score: 55,
language: 'kuery',
rule_id: ruleId,
});
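Review bot: `getCreateRulesSchemaMockWithDataView` deliberately omits `index`, which is the data-view-only case; a one-line comment saying so would stop someone "fixing" the mock by adding an index array. The same `'logs-*'` value as in the schema tests is used for `data_view_id`; picking a value that does not look like an index pattern would make assertions that compare the two fields easier to read.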

export const getCreateSavedQueryRulesSchemaMock = (ruleId = 'rule-1'): SavedQueryCreateSchema => ({
description: 'Detecting root and admin users',
name: 'Query with a rule id',
@@ -56,7 +68,7 @@ export const getCreateThreatMatchRulesSchemaMock = (
language: 'kuery',
rule_id: ruleId,
threat_query: '*:*',
threat_index: ['list-index'],
threat_index: ['auditbeat-*'],
threat_indicator_path: DEFAULT_INDICATOR_SOURCE_PATH,
interval: '5m',
from: 'now-6m',
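Review bot: changing the shared fixture's `threat_index` from `['list-index']` to `['auditbeat-*']` alters every test that uses `getCreateThreatMatchRulesSchemaMock`, not just the data view tests; check for snapshots or assertions that still expect `'list-index'`, and consider passing the index in as a parameter instead of changing the default if only one test needs a real-looking pattern.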