Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes #71321

Merged
merged 8 commits into from
Jul 14, 2020

Conversation

peluja1012
Copy link
Contributor

@peluja1012 peluja1012 commented Jul 9, 2020

Summary

Adds the bulk close feature to the Exception modal. A couple of items of note:

  • Bulk closing will not be supported exceptions that use Value Lists or for exceptions that contain non-ECS fields
  • Bulk closing will close alerts in the .signals index that match the exception's fields and values included in the Exception Modal

Bulk close disabled when "is in list" operator is selected

image

Bulk closing 4,100 alerts from Edit Modal

bulk_close_1 mov

Testing

Navigate to the Alerts page, click on the overflow menu and select Add exception. After selecting the exception attributes, click the checkbox with text Close all alerts that match attributes in this exception.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

'',
'kuery',
[],
['.siem-signals'],
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll need to use the siemSignalsIndex hook here to get the right indexPattern

}: {
query: Query;
language: Language;
lists: ExceptionListItemSchema[] | undefined;
lists: Array<ExceptionListItemSchema | CreateExceptionListItemSchema> | undefined;
exclude?: boolean;
Copy link
Contributor Author

@peluja1012 peluja1012 Jul 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is needed because the logic is negated when adding an exception (we want to exclude), but when closing alerts we don't want to do that.

exceptionItemsToAddOrUpdate,
false
);
await updateAlertStatus({
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@FrankHassanabad I think we may need to use wait_for_completion=false on the updateByQuery here. Otherwise the request could take a while.

? [buildExceptionItemEntries({ lists: exceptionItem.entries, language, exclude })]
: []),
];
}, [] as string[]);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should be able to do, lists.reduce<string>( and avoid the as string cast fwiw.

'kuery',
[],
['.siem-signals'],
exceptionItemsToAddOrUpdate,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The query for bulk closing has to account for the event fields in the original event being moved to original_event in the signal - https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts#L57

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean that i'll have to replace any exception item fields that start with event. with signal.original_event. before creating the ES Filter?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah in general signal.original_event holds the original event's event fieldset and event. in the signal refers to the "signal creation" event rather than the original event - so replacing all event. uses with signal.original_event. would be safest in case we use more signal specific event fields later on. Right now the only difference between I know of between event and signal.original_event is that event.kind is hardcoded to signal.

@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@@ -22,10 +22,82 @@ import {
EntryMatch,
EntryMatchAny,
EntriesArray,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of changes in this file because I refactored the code a bit to keep it more DRY, especially since I was going to use similar expected values for the tests I was adding. The end result looks like this:
Screen Shot 2020-07-12 at 9 08 45 AM
Screen Shot 2020-07-12 at 9 09 11 AM
Screen Shot 2020-07-12 at 9 09 37 AM


return exceptionItems.map((item: ExceptionListItemSchema | CreateExceptionListItemSchema) => {
if (item.entries !== undefined) {
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => {
const newEntries = item.entries.map((itemEntry: Entry | EntryNested) => {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm adding this too

if (item.entries !== undefined) {
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => {
if (itemEntry.type === 'nested') {
const newNestedEntries = itemEntry.entries.map((nestedEntry: EntryMatch) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we only want to replace top level entries that start with event. so we can remove the whole if (itemEntry.type === 'nested') { block and always execute what is currently the else part.

entries: [
{
...getEntryMatchMock(),
field: 'event.module',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the full path to this field would be host.name.event.module? In that case the field would stay the same, it wouldn't move to host.name.signal.original_event.module

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

id value diff baseline
securitySolution 755 +2 753

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@peluja1012 peluja1012 merged commit f4091df into elastic:master Jul 14, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 14, 2020
* master: (314 commits)
  [APM] Use status_code field to calculate error rate (elastic#71109)
  [Observability] Change appLink passing the date range (elastic#71259)
  [Security] Add Timeline improvements (elastic#71506)
  adjust vislib bar opacity (elastic#71421)
  Fix ScopedHistory mock and adapt usages (elastic#71404)
  [Security Solution] Add hook for reading/writing resolver query params (elastic#70809)
  [APM] Bug fixes from ML integration testing (elastic#71564)
  [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404)
  [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275)
  [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321)
  Change signal.rule.risk score mapping from keyword to float (elastic#71126)
  Added help text where needed on connectors and alert actions UI (elastic#69601)
  [SIEM][Detections] Value Lists Management Modal (elastic#67068)
  [test] Skips test preventing promotion of ES snapshot elastic#71582
  [test] Skips test preventing promotion of ES snapshot elastic#71555
  [ILM] Fix alignment of the timing field (elastic#71273)
  [SIEM][Detection Engine][Lists] Adds the ability for exception lists to be multi-list queried. (elastic#71540)
  initial telemetry setup (elastic#69330)
  [Reporting] Formatting fixes for CSV export in Discover, CSV download from Dashboard panel (elastic#67027)
  Search across spaces (elastic#67644)
  ...
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jul 14, 2020
…t-apps-page-titles

* 'master' of github.com:elastic/kibana: (88 commits)
  [ML] Functional tests - disable DFA creation and cloning tests
  [APM] Use status_code field to calculate error rate (elastic#71109)
  [Observability] Change appLink passing the date range (elastic#71259)
  [Security] Add Timeline improvements (elastic#71506)
  adjust vislib bar opacity (elastic#71421)
  Fix ScopedHistory mock and adapt usages (elastic#71404)
  [Security Solution] Add hook for reading/writing resolver query params (elastic#70809)
  [APM] Bug fixes from ML integration testing (elastic#71564)
  [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404)
  [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275)
  [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321)
  Change signal.rule.risk score mapping from keyword to float (elastic#71126)
  Added help text where needed on connectors and alert actions UI (elastic#69601)
  [SIEM][Detections] Value Lists Management Modal (elastic#67068)
  [test] Skips test preventing promotion of ES snapshot elastic#71582
  [test] Skips test preventing promotion of ES snapshot elastic#71555
  [ILM] Fix alignment of the timing field (elastic#71273)
  [SIEM][Detection Engine][Lists] Adds the ability for exception lists to be multi-list queried. (elastic#71540)
  initial telemetry setup (elastic#69330)
  [Reporting] Formatting fixes for CSV export in Discover, CSV download from Dashboard panel (elastic#67027)
  ...

# Conflicts:
#	x-pack/plugins/index_management/public/application/index.tsx
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 14, 2020
* master: (72 commits)
  [test] Skips test preventing promotion of ES snapshot elastic#71612
  [Logs UI] Remove UUID from Alert Instances (elastic#71340)
  [Metrics UI] Remove UUID from Alert Instance IDs (elastic#71335)
  [ML] Functional tests - disable DFA creation and cloning tests
  [APM] Use status_code field to calculate error rate (elastic#71109)
  [Observability] Change appLink passing the date range (elastic#71259)
  [Security] Add Timeline improvements (elastic#71506)
  adjust vislib bar opacity (elastic#71421)
  Fix ScopedHistory mock and adapt usages (elastic#71404)
  [Security Solution] Add hook for reading/writing resolver query params (elastic#70809)
  [APM] Bug fixes from ML integration testing (elastic#71564)
  [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404)
  [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275)
  [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321)
  Change signal.rule.risk score mapping from keyword to float (elastic#71126)
  Added help text where needed on connectors and alert actions UI (elastic#69601)
  [SIEM][Detections] Value Lists Management Modal (elastic#67068)
  [test] Skips test preventing promotion of ES snapshot elastic#71582
  [test] Skips test preventing promotion of ES snapshot elastic#71555
  [ILM] Fix alignment of the timing field (elastic#71273)
  ...
peluja1012 added a commit that referenced this pull request Jul 14, 2020
…t match exception attributes (#71321) (#71590)

* progress on bulk close

* works but could be slow

* clean up, add tests

* fix reduce types

* address 'event.' fields

* remove duplicate import

* don't replace nested fields

* my best friend typescript
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants