[Cases] Update cases ids in the alerts schema when attaching an alert to a case #147985
Conversation
cnasikas
added
release_note:skip
cnasikas
force-pushed
the
link_alerts_to_case
branch
2 times, most recently
from
1746c00 to
227d858
Compare
cnasikas
force-pushed
the
link_alerts_to_case
branch
from
227d858 to
f9205c0
Compare
| indexName: string; | ||
| operation: ReadOperations.Find | ReadOperations.Get | WriteOperations.Update; | ||
| }) { | ||
| return this.mgetAlertsAuditOperate({ |
There was a problem hiding this comment.
I make mgetAlertsAuditOperate generic to accept any field and I created the mgetAlertsAuditOperateStatus for the status
| ids, | ||
| indexName, | ||
| operation, | ||
| fieldToUpdate: (source) => this.getAlertStatusFieldUpdate(source, status), |
There was a problem hiding this comment.
Same logic as before. I moved it out from mgetAlertsAuditOperate. The consumer of mgetAlertsAuditOperate should define how to get the field based on the source.
| indexName: index, | ||
| operation: ReadOperations.Get, | ||
| fieldToUpdate: (source) => this.getAlertCaseIdsFieldUpdate(source, caseIds), | ||
| validate: (source) => this.validateTotalCasesPerAlert(source, caseIds), |
There was a problem hiding this comment.
The mgetAlertsAuditOperate is extended to do validation per alert.
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
There was a problem hiding this comment.
Code review of the alerts client in the rule registry changes only, which LGTM. Would be nice to have unit tests for the new function but I see there are no existing unit tests for the alerts client :( and that functionality is covered by the integration test. Will let the cases team review the overall PR :)
x-pack/plugins/cases/server/common/models/case_with_comments.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/cases/server/common/models/case_with_comments.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/cases/server/common/models/case_with_comments.ts
Outdated
Show resolved
Hide resolved
cnasikas
force-pushed
the
link_alerts_to_case
branch
from
065558f to
bd6c48d
Compare
|
|
||
| return mgetRes; | ||
| } catch (exc) { | ||
| this.logger.error(`error in ensureAlertsAuthorized ${exc}`); |
There was a problem hiding this comment.
nit: error in ensureAllAlertsAuthorized ${exc}
| user: superUser, | ||
| space: 'space1', | ||
| }, | ||
| attachmentAuth: { user: secOnlyReadAlerts, space: 'space1' }, |
There was a problem hiding this comment.
I think the reason that this user fails to when they don't have index privileges is because we're trying to update the status of the alert in this test:
Failed to update alert status ids: [{"id":"155bf8908ab2dee36b72f6e304fcd7de3de53104b3f8fb351f4e0463a704e63d","index":".internal.alerts-security.alerts-default-000001","status":"in-progress"}]: ResponseError: security_exception
| @@ -190,6 +190,29 @@ export const securitySolutionOnlyRead: Role = { | |||
| }, | |||
| }; | |||
|
|
|||
| export const securitySolutionOnlyReadAlerts: Role = { | |||
There was a problem hiding this comment.
How about we create another user that does not have access to the elasticsearch indices and ensure that the user cannot update the status of an alert. We may already have a test that does that I can't remember.
Either way I think it'd be good to test adding the case ID to an alert when the security solution user does not have access to the elasticsearch index.
x-pack/test/cases_api_integration/security_and_spaces/tests/common/comments/post_comment.ts
Show resolved
Hide resolved
| }); | ||
| }); | ||
|
|
||
| it('should change the status of the alert when the user has read access only', async () => { |
There was a problem hiding this comment.
I think this test should fail if the user only has read access to the elasticsearch index. Or we can keep it but change the test name to say something like: when the user has write access to the indices and only read access to the siem solution
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Public APIs missing exports
Unknown metric groupsAPI count
History
To update your PR or re-run it, just comment with: cc @cnasikas |
cnasikas
added
release_note:breaking
and removed
release_note:skip
Summary
PR #147013 extended the alert's schema to be able to store the case id an alert is attached to. This PR adds the ability to update the
case_idsfield of the alert when an alert is attached to a case. It also limits the number of cases an alert can be attached to ten.Permissions
A user to attach an alert to a case needs a) to have read access to the solution via the kibana feature privileges and b) to have write access to the case. The user that did the request should not need to have written access to the alert for Cases to add the case ID to the alert's data. For that reason, the alert data client is extended to cover this particular need: update an alert even if the user has read access.
Alerts client aside
For future reference, the alerts client uses the request to check the kibana feature authorization but uses the internal system user to perform any write and get operations on the alert indices themselves. For security solution this means that a user with only read access to the security solution kibana feature, write access to cases, and no read or write access to the alert indices could attach an alert to a case and have the case id stored in the alert.
For observability, users intentionally do not have access to the alert indices so we want to bypass the authorization check on the indices which is why the current alerts client uses an es client that is an internal system user.
Related issue: #146864
Checklist
Delete any items that are not applicable to this PR.
For maintainers
Release notes
Attaching an alert to a case requires read permissions on the alert.