[SIEM][Detection Engine] - Update DE to work with new exceptions schema #69715
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yctercero
commented
Jun 23, 2020
| @@ -7,7 +7,7 @@ | |||
| import * as t from 'io-ts'; | |||
| import { Either } from 'fp-ts/lib/Either'; | |||
|
|
|||
| const namespaceType = t.keyof({ agnostic: null, single: null }); | |||
| export const namespaceType = t.keyof({ agnostic: null, single: null }); | |||
There was a problem hiding this comment.
NOTE: Exported to use in detection engine.
yctercero
commented
Jun 23, 2020
| @@ -52,7 +52,7 @@ export type EntryExists = t.TypeOf<typeof entriesExists>; | |||
|
|
|||
| export const entriesNested = t.exact( | |||
| t.type({ | |||
| entries: t.array(t.union([entriesMatch, entriesMatchAny, entriesList, entriesExists])), | |||
| entries: t.array(entriesMatch), | |||
There was a problem hiding this comment.
NOTE: Looking at KQL nested support, looks like it would only support our match and not any of the other operators. Please feel free to comment if that's wrong.
yctercero
commented
Jun 23, 2020
| @@ -34,9 +34,9 @@ export type EntryMatchAny = t.TypeOf<typeof entriesMatchAny>; | |||
| export const entriesList = t.exact( | |||
| t.type({ | |||
| field: t.string, | |||
| list: t.exact(t.type({ id: t.string, type })), | |||
There was a problem hiding this comment.
NOTE: Changed this to list from value, SOs were screaming when trying to index value as string | string[] | object so updated.
yctercero
commented
Jun 23, 2020
| @@ -87,6 +88,16 @@ export const getFormattedEntries = (entries: EntriesArray): FormattedEntry[] => | |||
| return formattedEntries.flat(); | |||
| }; | |||
|
|
|||
| export const getEntryValue = (entry: Entry): string | string[] | null => { | |||
| if (entriesList.is(entry)) { | |||
| return entry.list.id; | |||
There was a problem hiding this comment.
NOTE: This is temporary, didn't want to dig into changing UI code in this PR that's already large. Thought maybe we wanted to add name to the the EntryList for ease of use here, but that would also then require any updates to large lists to search for references to it in exception list items.
yctercero
commented
Jun 23, 2020
| @@ -140,6 +136,18 @@ export const signalRulesAlertType = ({ | |||
| await ruleStatusService.error(gapMessage, { gap: gapString }); | |||
| } | |||
| try { | |||
| const { listClient, exceptionsClient } = await getListsClient({ | |||
There was a problem hiding this comment.
NOTE: Now needing to load exception items, where as before they lived on the rule.
yctercero
commented
Jun 23, 2020
| @@ -214,18 +222,6 @@ export const signalRulesAlertType = ({ | |||
| result.bulkCreateTimes.push(bulkCreateDuration); | |||
| } | |||
| } else { | |||
| let listClient: ListClient | undefined; | |||
There was a problem hiding this comment.
NOTE: Moved into util seen above.
|
Pinging @elastic/siem (Team:SIEM) |
spong
reviewed
Jun 24, 2020
x-pack/plugins/lists/server/scripts/exception_lists/new/exception_list_item_with_list.json
Outdated
Show resolved
Hide resolved
dhurley14
reviewed
Jun 24, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_exceptions_query.ts
Outdated
Show resolved
Hide resolved
dhurley14
reviewed
Jun 24, 2020
x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
Outdated
Show resolved
Hide resolved
spong
approved these changes
Jun 24, 2020
There was a problem hiding this comment.
Check out, tested locally and reviewed code -- LGMT! 👍
And many thanks for all the added tests here as well @yctercero! 🙂
yctercero
added a commit
to yctercero/kibana
that referenced
this pull request
Jun 25, 2020
…ma (elastic#69715) * Updates list entry schema, exposes exception list client, updates tests * create new de list schema and unit tests * updated route unit tests and types to match new list schema * updated existing DE exceptions code so it should now work as is with updated schema * test and types cleanup * cleanup * update unit test * updates per feedback
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jun 25, 2020
* master: (45 commits) [QA] Unskip functional tests (elastic#69760) [SIEM][Detection Engine] - Update DE to work with new exceptions schema (elastic#69715) Fixes elastic#69639: Ignore url.url fields above 2048 characters (elastic#69863) PR: Provide limit warnings to user when API limits are reached. (elastic#69590) [Maps] Remove broken button (elastic#69853) Makes usage collection methods available on start (elastic#69836) [SIEM][CASE] Improve Jira's labelling (elastic#69892) [Logs UI] Access ML via the programmatic plugin API (elastic#68905) [ML] DF Analytics: Creation wizard part 3 (elastic#69456) Update Resolver generator script documentation (elastic#69912) [ML] Changes View results button text on new job page (elastic#69809) Add master branch to backport config (elastic#69893) [Ingest Manager] Kibana, not EPR, controls removable packages (elastic#69761) unskips 'Events columns' test (elastic#69684) [ML] Changes the ML overview empty analytics panel text (elastic#69801) [DOCS] Emphasizes where File Data Visualizer is located. (elastic#69812) add the `exactRoute` property to app registration (elastic#69772) Bump backport to 5.4.6 (elastic#69880) [Logs UI] ML log integration splash screen (elastic#69288) Clean up TSVB type client code to conform to the schema (elastic#68519) ...
4 tasks
yctercero
added a commit
that referenced
this pull request
Jun 25, 2020
…ma (#69715) (#69932) ## Summary The purpose of this PR is to update the detection engine to work with the new exception list schema. Previously, exceptions lived directly in the rule, now they are stored separately, and the rule only stores a reference to said exception lists. Changes are concentrated in two areas. First `x-pack/plugins/lists`: - Updates the `EntryList` schema so it now takes a list `id` and `type` (as needed for the detections engine logic) as opposed to before where it was just a string for the `id` - Updates the lists plugin unit tests to account for the updated `EntryList` schema - Exposes the exceptions list client (in the lists plugin) to be used by the detection engine Second in `x-pack/plugins/security_solution`: - Updates the detection engine `exceptions_list` schema. Previously, exceptions sat directly on the rule itself, now that exceptions are stored separately, the `exceptions_list` property needs to only keep reference to the exceptions list - Updates schema unit tests - Updates routes to use new exceptions list schema - Updates route unit tests - Removes old exception list scripts that are no longer necessary
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jun 25, 2020
* master: (90 commits) [Encrypted Saved Objects] Adds support for migrations in ESO (elastic#69513) [SIEM] Replace WithSource with useWithSource hook (elastic#68722) [Endpoint]EMT-451: add ability to filter endpoint metadata based on presence of unenrolled events (elastic#69708) rename old siem kibana config to securitySolution (elastic#69874) Remove unused Resolver code (elastic#69914) [Observability] Fixing dynamic return type based on the appName (elastic#69894) [SECURITY SOLUTION][INGEST] Task/endpoint list tests (elastic#69419) Fixes special clicks and 3rd party icon sizes in nav (elastic#69767) [APM] Catch annotations index permission error and log warning (elastic#69881) [Endpoint][Ingest Manager] minor code cleanup (elastic#69844) [Logs UI] Logs ui context menu (elastic#69915) Index pattern serialize and de-serialize (elastic#68844) [QA] Unskip functional tests (elastic#69760) [SIEM][Detection Engine] - Update DE to work with new exceptions schema (elastic#69715) Fixes elastic#69639: Ignore url.url fields above 2048 characters (elastic#69863) PR: Provide limit warnings to user when API limits are reached. (elastic#69590) [Maps] Remove broken button (elastic#69853) Makes usage collection methods available on start (elastic#69836) [SIEM][CASE] Improve Jira's labelling (elastic#69892) [Logs UI] Access ML via the programmatic plugin API (elastic#68905) ...
4 tasks
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The purpose of this PR is to update the detection engine to work with the new exception list schema. Previously, exceptions lived directly in the rule, now they are stored separately, and the rule only stores a reference to said exception lists.
Changes are concentrated in two areas. First
x-pack/plugins/lists:EntryListschema so it now takes a listidandtype(as needed for the detections engine logic) as opposed to before where it was just a string for theidEntryListschemaSecond in
x-pack/plugins/security_solution:exceptions_listschema. Previously, exceptions sat directly on the rule itself, now that exceptions are stored separately, theexceptions_listproperty needs to only keep reference to the exceptions listTo Do
exception_list[SIEM][Detection Engine] - Update UI to read rule exceptions_list #69939Right now we have logic in
build_exceptions_query.tsthat takes exceptions that don't include large value lists and appends them to the main KQL query which is then translated into the elastic query dsl. We also have logic infilter_events_wtih_list.tsthat uses inverse logic to filter events search results against any exceptions with large value lists. On their own, each of these does what is expected. However, after all expansion of the exceptions list functionality, it is clear that these two separate pieces of logic would not suffice.This PR does not address that issue (it's in a follow up PR), but thought it worth noting here. It gets confusing with the boolean logic, but to try to simplify the issue we came upon with our existing solution is the following:
Imagine we had a rule, with
exceptions_list: [{ id: 'exception_list', namespace_type: 'single'}]. Theexception_listhas 2 exception list items:The initial search would query
(query && a && b) || (query && d). Then the results of that search would get filtered through the large value lists logic, so it would filter for(c || e). What this would result in, is signals that were filtered for:when what we want is:
These are not logically equivalent. Our current logic would work if there was a single exception item, but as soon as there is more than one as shown in the simplified example above, the logic breaks down. This issue is being addressed in another PR.
Testing
To turn on lists plugin - in kibana.dev.yml
Add
export ELASTIC_XPACK_SIEM_LISTS_FEATURE=trueto your bash file.Use the scripts in
x-pack/plugins/lists/server/scriptsto create some sample exception lists and items. You can use the following:If you've previously played around with lists, run
./hard_reset.sh(this will delete any lists you've created).Create large value list:
./post_list.sh./post_list_item.sh(I modified the value to be"value": "10.4.2.140")Create exception list:
./post_exception_list.sh./post_exception_list_item.sh ./exception_lists/new/exception_list_item_with_list.jsonUse the scripts in
x-pack/plugins/security_solution/server/lib/detection_engine/scriptsto create rule:./post_rule.sh ./rules/queries/query_with_list.json(Makes reference to the exception list created in step above)In the
Alertstable, you should see something like the following where you only see events where theevent.moduleiszeekandsource.ipis10.4.2.140(or whatever ip you specified).Checklist
For maintainers