From 62f53f4b53e568f720c2125c1de4cc0095da12fc Mon Sep 17 00:00:00 2001 
From: Georgii Gorbachev Date: Thu, 13 Oct 2022 21:10:51 +0200 Subject: [PATCH 01/11] Related integrations, required fields, setup guide --- .../detection_engine/rule_management/TODO | 0 .../rule_management/api/urls.ts | 7 ++ .../detection_engine/rule_management/index.ts | 7 ++ .../detection_engine/rule_management/mocks.ts | 7 ++ .../common/detection_engine/rule_schema/TODO | 0 .../detection_engine/rule_schema/index.ts | 10 +++ .../detection_engine/rule_schema/mocks.ts | 7 ++ .../rule_params/related_integrations.ts} | 72 ------------------- .../model/rule_params/required_fields.ts | 64 +++++++++++++++++ .../model/rule_params/setup_guide.ts | 17 +++++ .../detection_engine/schemas/common/index.ts | 1 - .../request/add_prepackaged_rules_schema.ts | 3 +- .../schemas/request/import_rules_schema.ts | 13 +--- .../schemas/request/rule_schemas.ts | 6 +- .../rule_management/logic/types.ts | 8 ++- .../rules/description_step/helpers.tsx | 6 +- .../rules/description_step/index.tsx | 2 +- .../integration_details.ts | 2 +- .../integrations_description/index.tsx | 2 +- .../integrations_popover/index.tsx | 2 +- .../rules/related_integrations/mock.ts | 2 +- .../use_related_integrations.ts | 2 +- .../pages/detection_engine/rules/types.ts | 8 ++- .../normalization/rule_converters.ts | 5 +- .../rule_schema/model/rule_schemas.ts | 8 ++- 25 files changed, 151 insertions(+), 110 deletions(-) delete mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_management/TODO create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_management/api/urls.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_management/index.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_management/mocks.ts delete mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/TODO create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts create mode 
100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/mocks.ts rename x-pack/plugins/security_solution/common/detection_engine/{schemas/common/rule_params.ts => rule_schema/model/rule_params/related_integrations.ts} (55%) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_management/TODO b/x-pack/plugins/security_solution/common/detection_engine/rule_management/TODO deleted file mode 100644 index e69de29bb2d1d..0000000000000 diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/urls.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/urls.ts new file mode 100644 index 0000000000000..897f7647ce54c --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_management/api/urls.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_management/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_management/index.ts new file mode 100644 index 0000000000000..897f7647ce54c --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_management/index.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_management/mocks.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_management/mocks.ts new file mode 100644 index 0000000000000..897f7647ce54c --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_management/mocks.ts @@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/TODO b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/TODO deleted file mode 100644 index e69de29bb2d1d..0000000000000 diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts new file mode 100644 index 0000000000000..3808b0919b3df --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export * from './model/rule_params/related_integrations'; +export * from './model/rule_params/required_fields'; +export * from './model/rule_params/setup_guide'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/mocks.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/mocks.ts new file mode 100644 index 0000000000000..897f7647ce54c --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/mocks.ts 
@@ -0,0 +1,7 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_params.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/related_integrations.ts similarity index 55% rename from x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_params.ts rename to x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/related_integrations.ts index d65bce6e587ef..d99043d81e19e 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_params.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/related_integrations.ts @@ -8,9 +8,6 @@ import * as t from 'io-ts'; import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; -// ------------------------------------------------------------------------------------------------- -// Related integrations - /** * Related integration is a potential dependency of a rule. It's assumed that if the user installs * one of the related integrations of a rule, the rule might start to work properly because it will 
@@ -74,72 +71,3 @@ export const RelatedIntegration = t.exact( */ export type RelatedIntegrationArray = t.TypeOf; export const RelatedIntegrationArray = t.array(RelatedIntegration); - -// ------------------------------------------------------------------------------------------------- -// Required fields - -/** - * Almost all types of Security rules check source event documents for a match to some kind of - * query or filter. If a document has certain field with certain values, then it's a match and - * the rule will generate an alert. - * - * Required field is an event field that must be present in the source indices of a given rule. - * - * @example - * const standardEcsField: RequiredField = { - * name: 'event.action', - * type: 'keyword', - * ecs: true, - * }; - * - * @example - * const nonEcsField: RequiredField = { - * name: 'winlog.event_data.AttributeLDAPDisplayName', - * type: 'keyword', - * ecs: false, - * }; - */ -export const RequiredField = t.exact( - t.type({ - name: NonEmptyString, - type: NonEmptyString, - ecs: t.boolean, - }) -); - -/** - * Array of event fields that must be present in the source indices of a given rule. - * - * @example - * const x: RequiredFieldArray = [ - * { - * name: 'event.action', - * type: 'keyword', - * ecs: true, - * }, - * { - * name: 'event.code', - * type: 'keyword', - * ecs: true, - * }, - * { - * name: 'winlog.event_data.AttributeLDAPDisplayName', - * type: 'keyword', - * ecs: false, - * }, - * ]; - */ -export type RequiredFieldArray = t.TypeOf; -export const RequiredFieldArray = t.array(RequiredField); - -// ------------------------------------------------------------------------------------------------- -// Setup guide - -/** - * Any instructions for the user for setting up their environment in order to start receiving - * source events for a given rule. - * - * It's a multiline text. Markdown is supported. - */ -export type SetupGuide = t.TypeOf; -export const SetupGuide = t.string; 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts
new file mode 100644
index 0000000000000..0938612fd4654
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts
@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString } from '@kbn/securitysolution-io-ts-types';
+
+/**
+ * Almost all types of Security rules check source event documents for a match to some kind of
+ * query or filter. If a document has certain field with certain values, then it's a match and
+ * the rule will generate an alert.
+ *
+ * Required field is an event field that must be present in the source indices of a given rule.
+ *
+ * @example
+ * const standardEcsField: RequiredField = {
+ * name: 'event.action',
+ * type: 'keyword',
+ * ecs: true,
+ * };
+ *
+ * @example
+ * const nonEcsField: RequiredField = {
+ * name: 'winlog.event_data.AttributeLDAPDisplayName',
+ * type: 'keyword',
+ * ecs: false,
+ * };
+ */
+export type RequiredField = t.TypeOf;
+export const RequiredField = t.exact(
+ t.type({
+ name: NonEmptyString,
+ type: NonEmptyString,
+ ecs: t.boolean,
+ })
+);
+
+/**
+ * Array of event fields that must be present in the source indices of a given rule.
+ *
+ * @example
+ * const x: RequiredFieldArray = [
+ * {
+ * name: 'event.action',
+ * type: 'keyword',
+ * ecs: true,
+ * },
+ * {
+ * name: 'event.code',
+ * type: 'keyword',
+ * ecs: true,
+ * },
+ * {
+ * name: 'winlog.event_data.AttributeLDAPDisplayName',
+ * type: 'keyword',
+ * ecs: false,
+ * },
+ * ];
+ */
+export type RequiredFieldArray = t.TypeOf;
+export const RequiredFieldArray = t.array(RequiredField);
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts
new file mode 100644
index 0000000000000..2a99f187e2e0f
--- /dev/null
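Review bot: `ecs: t.boolean` in the `RequiredField` codec is the one property whose meaning the docstring never states; the examples are named `standardEcsField` and `nonEcsField`, which suggests it flags whether the field is a standard ECS field, so a trailing comment such as `ecs: t.boolean, // presumably: true when the field is a standard ECS field — matches the examples above` would spare readers that inference. Separately, `RequiredFieldArray = t.array(RequiredField)` carries no size bound although the same array is accepted from request bodies in `add_prepackaged_rules_schema` and `import_rules_schema` later in this patch, while `LimitedSizeArray` from the same `@kbn/securitysolution-io-ts-types` package is already imported in `schemas/common/schemas.ts` in this series. If an upper bound is acceptable for prebuilt and imported rules, this codec is the natural place to apply it; otherwise a one-line note that the bound is enforced elsewhere would help reviewers of the request schemas.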
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts @@ -0,0 +1,17 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; + +/** + * Any instructions for the user for setting up their environment in order to start receiving + * source events for a given rule. + * + * It's a multiline text. Markdown is supported. + */ +export type SetupGuide = t.TypeOf; +export const SetupGuide = t.string; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/index.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/index.ts index 4f033a21bd7e6..e129a72362ed7 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/index.ts @@ -6,6 +6,5 @@ */ export * from './pagination'; -export * from './rule_params'; export * from './schemas'; export * from './sorting'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts index a836fc2ba2c10..d610ce6a700a4 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts 
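Review bot: `export const SetupGuide = t.string;` accepts the empty string and has no length bound, and the docstring's "Markdown is supported" is the only hint that the value is rendered rather than merely stored. Because this value is accepted from request bodies (`import_rules_schema` and `add_prepackaged_rules_schema` in this patch use it in `t.partial`), the docstring should say where sanitization and size limits live, for example ` * Validated only as a string here; Markdown sanitization and any length limit are the consumer's responsibility — TODO confirm against the renderer.` A `@example` in the style of the sibling `required_fields.ts` docstrings would also keep the three moved files consistent.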
@@ -9,7 +9,8 @@ import * as t from 'io-ts'; import { version } from '@kbn/securitysolution-io-ts-types'; -import { rule_id, RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../common'; +import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; +import { rule_id } from '../common'; import { baseCreateParams, createTypeSpecific } from './rule_schemas'; /** diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts index b3d533a167a7a..047907df9453f 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts @@ -8,17 +8,8 @@ import * as t from 'io-ts'; import { OnlyFalseAllowed } from '@kbn/securitysolution-io-ts-types'; -import { - rule_id, - id, - created_at, - updated_at, - created_by, - updated_by, - RelatedIntegrationArray, - RequiredFieldArray, - SetupGuide, -} from '../common'; +import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; +import { rule_id, id, created_at, updated_at, created_by, updated_by } from '../common'; import { baseCreateParams, createTypeSpecific } from './rule_schemas'; /** diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 61e28f1edb902..3fb3e58cde00f 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts 
@@ -30,6 +30,8 @@ import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import { version } from '@kbn/securitysolution-io-ts-types'; import { RuleExecutionSummary } from '../../rule_monitoring'; +import { ResponseActionArray } from '../../rule_response_actions/schemas'; +import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; import { id, index, @@ -71,13 +73,9 @@ import { created_at, created_by, namespace, - RelatedIntegrationArray, - RequiredFieldArray, - SetupGuide, newTermsFields, historyWindowStart, } from '../common'; -import { ResponseActionArray } from '../../rule_response_actions/schemas'; export const createSchema = < Required extends t.Props, diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index f84da6e372846..1ee7729edfd13 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -23,6 +23,11 @@ import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types'; import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import * as t from 'io-ts'; import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; +import { + RelatedIntegrationArray, + RequiredFieldArray, + SetupGuide, +} from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; import { alias_purpose as savedObjectResolveAliasPurpose, @@ -32,10 +37,7 @@ import { event_category_override, license, outcome as savedObjectResolveOutcome, - RelatedIntegrationArray, - RequiredFieldArray, rule_name_override, - SetupGuide, threshold, tiebreaker_field, timestamp_field, 
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx index fa432af4a9603..31dac58c24cfc 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx @@ -35,10 +35,8 @@ import type { EqlOptionsSelected } from '../../../../../common/search_strategy'; import { assertUnreachable } from '../../../../../common/utility_types'; import * as i18nSeverity from '../severity_mapping/translations'; import * as i18nRiskScore from '../risk_score_mapping/translations'; -import type { - RequiredFieldArray, - Threshold, -} from '../../../../../common/detection_engine/schemas/common'; +import type { RequiredFieldArray } from '../../../../../common/detection_engine/rule_schema'; +import type { Threshold } from '../../../../../common/detection_engine/schemas/common'; import { subtechniquesOptions, tacticsOptions, diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx index 19e0de66c14e2..92879c56e9885 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/index.tsx 
@@ -18,7 +18,7 @@ import { buildRelatedIntegrationsDescription } from '../related_integrations/int import type { RelatedIntegrationArray, RequiredFieldArray, -} from '../../../../../common/detection_engine/schemas/common'; +} from '../../../../../common/detection_engine/rule_schema'; import { DEFAULT_TIMELINE_TITLE } from '../../../../timelines/components/timeline/translations'; import type { EqlOptionsSelected } from '../../../../../common/search_strategy'; import { useKibana } from '../../../../common/lib/kibana'; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts index c236980dc1682..361e542fa3f0f 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts +++ b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integration_details.ts @@ -15,7 +15,7 @@ import type { import type { RelatedIntegration, RelatedIntegrationArray, -} from '../../../../../common/detection_engine/schemas/common'; +} from '../../../../../common/detection_engine/rule_schema'; export interface IntegrationDetails { packageName: string; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_description/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_description/index.tsx index 5932faf1de6f0..5640abea69cc3 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_description/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_description/index.tsx 
@@ -8,7 +8,7 @@ import React from 'react'; import styled from 'styled-components'; -import type { RelatedIntegrationArray } from '../../../../../../common/detection_engine/schemas/common'; +import type { RelatedIntegrationArray } from '../../../../../../common/detection_engine/rule_schema'; import type { ListItems } from '../../description_step/types'; import type { IntegrationDetails } from '../integration_details'; import { useRelatedIntegrations } from '../use_related_integrations'; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_popover/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_popover/index.tsx index 6c17b182381ca..36fc206aa92ea 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_popover/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/integrations_popover/index.tsx @@ -16,7 +16,7 @@ import { EuiSpacer, } from '@elastic/eui'; -import type { RelatedIntegrationArray } from '../../../../../../common/detection_engine/schemas/common'; +import type { RelatedIntegrationArray } from '../../../../../../common/detection_engine/rule_schema'; import { IntegrationDescription } from '../integrations_description'; import { useRelatedIntegrations } from '../use_related_integrations'; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/mock.ts b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/mock.ts index 786e33ad69293..43a0c8a0602ef 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/mock.ts +++ b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/mock.ts 
@@ -5,7 +5,7 @@ * 2.0. */ -import type { RelatedIntegrationArray } from '../../../../../common/detection_engine/schemas/common'; +import type { RelatedIntegrationArray } from '../../../../../common/detection_engine/rule_schema'; export const relatedIntegrations: RelatedIntegrationArray = [ { diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/use_related_integrations.ts b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/use_related_integrations.ts index 3363abf2fe3c7..19e662746638a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/use_related_integrations.ts +++ b/x-pack/plugins/security_solution/public/detections/components/rules/related_integrations/use_related_integrations.ts @@ -7,7 +7,7 @@ import { useMemo } from 'react'; -import type { RelatedIntegrationArray } from '../../../../../common/detection_engine/schemas/common'; +import type { RelatedIntegrationArray } from '../../../../../common/detection_engine/rule_schema'; import type { IntegrationDetails } from './integration_details'; import { calculateIntegrationDetails } from './integration_details'; import { useInstalledIntegrations } from './use_installed_integrations'; diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index 950191acad3d9..d5e6f713603e9 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts 
@@ -24,15 +24,17 @@ import type { RuleAlertAction } from '../../../../../common/detection_engine/typ import type { FieldValueQueryBar } from '../../../components/rules/query_bar'; import type { FieldValueTimeline } from '../../../components/rules/pick_timeline'; import type { FieldValueThreshold } from '../../../components/rules/threshold_input'; +import type { + RelatedIntegrationArray, + RequiredFieldArray, + SetupGuide, +} from '../../../../../common/detection_engine/rule_schema'; import type { Author, BuildingBlockType, License, - RelatedIntegrationArray, - RequiredFieldArray, RuleNameOverride, SortOrder, - SetupGuide, TimestampOverride, } from '../../../../../common/detection_engine/schemas/common'; import type { EqlOptionsSelected } from '../../../../../common/search_strategy'; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts index 0f68d13549863..6449397b7d90c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts @@ -38,12 +38,13 @@ import type { NewTermsSpecificRuleParams, } from '../../rule_schema'; import { assertUnreachable } from '../../../../../common/utility_types'; + +import type { RuleExecutionSummary } from '../../../../../common/detection_engine/rule_monitoring'; import type { RelatedIntegrationArray, RequiredFieldArray, SetupGuide, -} from '../../../../../common/detection_engine/schemas/common'; -import type { RuleExecutionSummary } from '../../../../../common/detection_engine/rule_monitoring'; +} from '../../../../../common/detection_engine/rule_schema'; import { eqlPatchParams, machineLearningPatchParams, 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index afb1846defdbb..cabe93e8cb4f7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -39,6 +39,11 @@ import { } from '@kbn/securitysolution-rules'; import type { SanitizedRuleConfig } from '@kbn/alerting-plugin/common'; +import { + RelatedIntegrationArray, + RequiredFieldArray, + SetupGuide, +} from '../../../../../common/detection_engine/rule_schema'; import { author, buildingBlockTypeOrUndefined, @@ -72,9 +77,6 @@ import { saved_id, thresholdNormalized, anomaly_threshold, - RelatedIntegrationArray, - RequiredFieldArray, - SetupGuide, newTermsFields, historyWindowStart, timestampOverrideFallbackDisabledOrUndefined, From 10e0852db3e187a81015f73a00dafeeed4fc4e58 Mon Sep 17 00:00:00 2001 
From: Georgii Gorbachev Date: Thu, 13 Oct 2022 23:21:04 +0200 Subject: [PATCH 02/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 1 + .../rule_schema/model/rule_params/temp.ts | 86 +++++++++++++++++++ .../schemas/common/schemas.ts | 39 +-------- .../request/add_prepackaged_rules_schema.ts | 16 +++- .../schemas/request/export_rules_schema.ts | 4 +- .../schemas/request/import_rules_schema.ts | 14 ++- .../request/query_rule_by_id_schema.ts | 5 +- .../schemas/request/query_rules_schema.ts | 7 +- .../schemas/request/rule_schemas.ts | 46 +++++----- .../schemas/response/error_schema.ts | 10 ++- .../find_exception_list_references_schema.ts | 8 +- .../rule_management/logic/types.ts | 8 +- .../pages/detection_engine/rules/types.ts | 4 +- .../logic/crud/delete_rules.ts | 4 +- .../rule_management/logic/crud/read_rules.ts | 10 +-- .../rule_schema/model/rule_schemas.ts | 30 +++---- .../mappings/build_rule_name_from_mapping.ts | 7 +- 17 files changed, 188 insertions(+), 111 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index 3808b0919b3df..aa9fd14139364 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts @@ -8,3 +8,4 @@ export * from './model/rule_params/related_integrations'; export * from './model/rule_params/required_fields'; export * from './model/rule_params/setup_guide'; +export * from './model/rule_params/temp'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts new file mode 100644 index 0000000000000..4bfc25ad9ee00 
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts
@@ -0,0 +1,86 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString, UUID } from '@kbn/securitysolution-io-ts-types';
+
+// TODO: https://github.com/elastic/kibana/pull/142950 Split into multiple files
+
+// -------------------------------------------------------------------------------------------------
+// Attributes common to all rules (despite of the rule type)
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleObjectId = t.TypeOf;
+export const RuleObjectId = UUID;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ *
+ * NOTE: Never make this a strict uuid, we allow the rule_id to be any string at the moment
+ * in case we encounter 3rd party rule systems which might be using auto incrementing numbers
+ * or other different things.
+ */
+export type RuleSignatureId = t.TypeOf;
+export const RuleSignatureId = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleName = t.TypeOf;
+export const RuleName = NonEmptyString;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleDescription = t.TypeOf;
+export const RuleDescription = NonEmptyString;
+
+// Rule authors
+
+type RuleAuthor = t.TypeOf;
+const RuleAuthor = t.string;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleAuthorArray = t.TypeOf;
+export const RuleAuthorArray = t.array(RuleAuthor);
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleEnabled = t.TypeOf;
+export const IsRuleEnabled = t.boolean;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleImmutable = t.TypeOf;
+export const IsRuleImmutable = t.boolean;
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to Custom Query and Saved Query rules
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to EQL rules
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type TimestampField = t.TypeOf;
+export const TimestampField = t.string;
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to Indicator Match rules
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to Threshold rules
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to New Terms rules
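Review bot: `export const RuleSignatureId = t.string; // should be non-empty string?` leaves the open question in the code: the codec still accepts `''`, exactly as the removed `rule_id = t.string` in `schemas/common/schemas.ts` did, while `NonEmptyString` is already imported at the top of this file and `RuleName` and `RuleDescription` in the same hunk use it. The NOTE above only argues against a strict UUID, not against rejecting the empty string. If empty ids must stay accepted for compatibility with third-party rule sources, replace the question with a statement, e.g. `// Intentionally t.string, not NonEmptyString: empty ids are tolerated for third-party rule compatibility — TODO confirm`; otherwise `export const RuleSignatureId = NonEmptyString;`. The same applies to the unexported `const RuleAuthor = t.string;`, which also admits empty entries in `RuleAuthorArray`.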
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index f7c5fe6307736..f999bf79acb4e 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -7,27 +7,20 @@ /* eslint-disable @typescript-eslint/naming-convention */ +import * as t from 'io-ts'; import { IsoDateString, NonEmptyString, PositiveInteger, PositiveIntegerGreaterThanZero, - UUID, LimitedSizeArray, } from '@kbn/securitysolution-io-ts-types'; -import * as t from 'io-ts'; - -export const author = t.array(t.string); -export type Author = t.TypeOf; export const building_block_type = t.string; export type BuildingBlockType = t.TypeOf; export const buildingBlockTypeOrUndefined = t.union([building_block_type, t.undefined]); -export const description = NonEmptyString; -export type Description = t.TypeOf; - // outcome is a property of the saved object resolve api // will tell us info about the rule after 8.0 migrations export const outcome = t.union([ @@ -42,8 +35,7 @@ export const alias_purpose = t.union([ t.literal('savedObjectConversion'), t.literal('savedObjectImport'), ]); -export const enabled = t.boolean; -export type Enabled = t.TypeOf; + export const event_category_override = t.string; export const eventCategoryOverrideOrUndefined = t.union([event_category_override, t.undefined]); @@ -51,10 +43,6 @@ export const tiebreaker_field = t.string; export const tiebreakerFieldOrUndefined = t.union([tiebreaker_field, t.undefined]); -export const timestamp_field = t.string; - -export const timestampFieldOrUndefined = t.union([timestamp_field, t.undefined]); - export const false_positives = t.array(t.string); export const file_name = t.string; 
@@ -76,24 +64,6 @@ export type Filters = t.TypeOf; // Filters are not easily type-a export const filtersOrUndefined = t.union([filters, t.undefined]); export type FiltersOrUndefined = t.TypeOf; -export const immutable = t.boolean; -export type Immutable = t.TypeOf; - -// Note: Never make this a strict uuid, we allow the rule_id to be any string at the moment -// in case we encounter 3rd party rule systems which might be using auto incrementing numbers -// or other different things. -export const rule_id = t.string; -export type RuleId = t.TypeOf; - -export const ruleIdOrUndefined = t.union([rule_id, t.undefined]); -export type RuleIdOrUndefined = t.TypeOf; - -export const id = UUID; -export type Id = t.TypeOf; - -export const idOrUndefined = t.union([id, t.undefined]); -export type IdOrUndefined = t.TypeOf; - export const index = t.array(t.string); export type Index = t.TypeOf; @@ -118,8 +88,6 @@ export type License = t.TypeOf; export const licenseOrUndefined = t.union([license, t.undefined]); -export const objects = t.array(t.type({ rule_id })); - export const output_index = t.string; export const saved_id = t.string; @@ -160,9 +128,6 @@ export type Meta = t.TypeOf; export const metaOrUndefined = t.union([meta, t.undefined]); export type MetaOrUndefined = t.TypeOf; -export const name = NonEmptyString; -export type Name = t.TypeOf; - export const rule_name_override = t.string; export type RuleNameOverride = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts index d610ce6a700a4..121fdb5d04b57 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts 
@@ -9,8 +9,13 @@ import * as t from 'io-ts'; import { version } from '@kbn/securitysolution-io-ts-types'; -import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; -import { rule_id } from '../common'; +import { + RelatedIntegrationArray, + RequiredFieldArray, + SetupGuide, + RuleSignatureId, +} from '../../rule_schema'; + import { baseCreateParams, createTypeSpecific } from './rule_schemas'; /** @@ -23,7 +28,12 @@ export const addPrepackagedRulesSchema = t.intersection([ createTypeSpecific, // version is required in addPrepackagedRulesSchema, so this supercedes the defaultable // version in baseParams - t.exact(t.type({ rule_id, version })), + t.exact( + t.type({ + rule_id: RuleSignatureId, + version, + }) + ), t.exact( t.partial({ related_integrations: RelatedIntegrationArray, diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/export_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/export_rules_schema.ts index 9541d37c78049..8d30b99dd3e9e 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/export_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/export_rules_schema.ts @@ -9,10 +9,10 @@ import * as t from 'io-ts'; import { DefaultExportFileName } from '@kbn/securitysolution-io-ts-alerting-types'; import { DefaultStringBooleanFalse } from '@kbn/securitysolution-io-ts-types'; +import { RuleSignatureId } from '../../rule_schema'; import type { FileName, ExcludeExportDetails } from '../common/schemas'; -import { rule_id } from '../common/schemas'; -const objects = t.array(t.exact(t.type({ rule_id }))); +const objects = t.array(t.exact(t.type({ rule_id: RuleSignatureId }))); export const exportRulesSchema = t.union([t.exact(t.type({ objects })), t.null]); export type ExportRulesSchema = t.TypeOf; export type ExportRulesSchemaDecoded = ExportRulesSchema; 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts index 047907df9453f..72a1a55d7683b 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/import_rules_schema.ts @@ -8,8 +8,14 @@ import * as t from 'io-ts'; import { OnlyFalseAllowed } from '@kbn/securitysolution-io-ts-types'; -import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; -import { rule_id, id, created_at, updated_at, created_by, updated_by } from '../common'; +import { + RelatedIntegrationArray, + RequiredFieldArray, + RuleObjectId, + RuleSignatureId, + SetupGuide, +} from '../../rule_schema'; +import { created_at, updated_at, created_by, updated_by } from '../common'; import { baseCreateParams, createTypeSpecific } from './rule_schemas'; /** @@ -25,10 +31,10 @@ import { baseCreateParams, createTypeSpecific } from './rule_schemas'; export const importRulesSchema = t.intersection([ baseCreateParams, createTypeSpecific, - t.exact(t.type({ rule_id })), + t.exact(t.type({ rule_id: RuleSignatureId })), t.exact( t.partial({ - id, + id: RuleObjectId, immutable: OnlyFalseAllowed, updated_at, updated_by, diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rule_by_id_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rule_by_id_schema.ts index 44b9692e7977f..5438a1df81fb4 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rule_by_id_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rule_by_id_schema.ts 
@@ -6,12 +6,11 @@ */ import * as t from 'io-ts'; - -import { id } from '../common/schemas'; +import { RuleObjectId } from '../../rule_schema'; export const queryRuleByIdSchema = t.exact( t.type({ - id, + id: RuleObjectId, }) ); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rules_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rules_schema.ts index 704c2307181b9..4a28950b70e58 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rules_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/query_rules_schema.ts @@ -6,13 +6,12 @@ */ import * as t from 'io-ts'; - -import { rule_id, id } from '../common/schemas'; +import { RuleObjectId, RuleSignatureId } from '../../rule_schema'; export const queryRulesSchema = t.exact( t.partial({ - rule_id, - id, + rule_id: RuleSignatureId, + id: RuleObjectId, }) ); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 3fb3e58cde00f..8dc66b4eeb214 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts 
@@ -31,13 +31,23 @@ import { version } from '@kbn/securitysolution-io-ts-types'; import { RuleExecutionSummary } from '../../rule_monitoring'; import { ResponseActionArray } from '../../rule_response_actions/schemas'; -import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide } from '../../rule_schema'; import { - id, + IsRuleEnabled, + IsRuleImmutable, + RelatedIntegrationArray, + RequiredFieldArray, + RuleAuthorArray, + RuleDescription, + RuleName, + RuleObjectId, + RuleSignatureId, + SetupGuide, + TimestampField, +} from '../../rule_schema'; +import { index, data_view_id, filters, - timestamp_field, event_category_override, tiebreaker_field, building_block_type, @@ -49,11 +59,7 @@ import { rule_name_override, timestamp_override, timestamp_override_fallback_disabled, - author, - description, false_positives, - rule_id, - immutable, output_index, query, to, @@ -61,10 +67,8 @@ import { saved_id, threshold, anomaly_threshold, - name, tags, interval, - enabled, outcome, alias_target_id, alias_purpose, @@ -161,8 +165,8 @@ interface APIParams< const baseParams = { required: { - name, - description, + name: RuleName, + description: RuleDescription, risk_score, severity, }, @@ -185,10 +189,10 @@ const baseParams = { defaultable: { tags, interval, - enabled, + enabled: IsRuleEnabled, throttle, actions, - author, + author: RuleAuthorArray, false_positives, from, // maxSignals not used in ML rules but probably should be used 
@@ -214,20 +218,20 @@ export { baseCreateParams }; // to create the full schema for each route. export const sharedCreateSchema = t.intersection([ baseCreateParams, - t.exact(t.partial({ rule_id })), + t.exact(t.partial({ rule_id: RuleSignatureId })), ]); export type SharedCreateSchema = t.TypeOf; export const sharedUpdateSchema = t.intersection([ baseCreateParams, - t.exact(t.partial({ rule_id })), - t.exact(t.partial({ id })), + t.exact(t.partial({ rule_id: RuleSignatureId })), + t.exact(t.partial({ id: RuleObjectId })), ]); export type SharedUpdateSchema = t.TypeOf; export const sharedPatchSchema = t.intersection([ basePatchParams, - t.exact(t.partial({ rule_id, id })), + t.exact(t.partial({ rule_id: RuleSignatureId, id: RuleObjectId })), ]); // START type specific parameter definitions @@ -242,7 +246,7 @@ const eqlRuleParams = { index, data_view_id, filters, - timestamp_field, + timestamp_field: TimestampField, event_category_override, tiebreaker_field, }, @@ -483,9 +487,9 @@ export const updateRulesSchema = t.intersection([createTypeSpecific, sharedUpdat export type UpdateRulesSchema = t.TypeOf; const responseRequiredFields = { - id, - rule_id, - immutable, + id: RuleObjectId, + rule_id: RuleSignatureId, + immutable: IsRuleImmutable, updated_at, updated_by, created_at, diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/error_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/error_schema.ts index d6e1faa7a5180..2c1cf288afe03 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/error_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/error_schema.ts 
@@ -8,13 +8,19 @@ import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; import * as t from 'io-ts'; -import { rule_id, status_code, message } from '../common/schemas'; +import { RuleSignatureId } from '../../rule_schema'; +import { status_code, message } from '../common/schemas'; // We use id: t.string intentionally and _never_ the id from global schemas as // sometimes echo back out the id that the user gave us and it is not guaranteed // to be a UUID but rather just a string const partial = t.exact( - t.partial({ id: t.string, rule_id, list_id: NonEmptyString, item_id: NonEmptyString }) + t.partial({ + id: t.string, + rule_id: RuleSignatureId, + list_id: NonEmptyString, + item_id: NonEmptyString, + }) ); const required = t.exact( t.type({ diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/find_exception_list_references_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/find_exception_list_references_schema.ts index 2bdcd0ba4cc2b..abd9eb33e3033 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/response/find_exception_list_references_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/response/find_exception_list_references_schema.ts @@ -9,13 +9,13 @@ import * as t from 'io-ts'; import { exceptionListSchema, listArray, list_id } from '@kbn/securitysolution-io-ts-list-types'; -import { rule_id, id, name } from '../common/schemas'; +import { RuleName, RuleObjectId, RuleSignatureId } from '../../rule_schema'; export const ruleReferenceRuleInfoSchema = t.exact( t.type({ - name, - id, - rule_id, + name: RuleName, + id: RuleObjectId, + rule_id: RuleSignatureId, exception_lists: listArray, }) ); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index 1ee7729edfd13..31418778fdccf 100644 
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -27,11 +27,12 @@ import { RelatedIntegrationArray, RequiredFieldArray, SetupGuide, + RuleAuthorArray, + TimestampField, } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; import { alias_purpose as savedObjectResolveAliasPurpose, - author, building_block_type, data_view_id, event_category_override, @@ -40,7 +41,6 @@ import { rule_name_override, threshold, tiebreaker_field, - timestamp_field, timestamp_override, timestamp_override_fallback_disabled, } from '../../../../common/detection_engine/schemas/common'; @@ -97,7 +97,7 @@ const MetaRule = t.intersection([ // TODO: make a ticket export const RuleSchema = t.intersection([ t.type({ - author, + author: RuleAuthorArray, created_at: t.string, created_by: t.string, description: t.string, @@ -157,7 +157,7 @@ export const RuleSchema = t.intersection([ timeline_title: t.string, timestamp_override, timestamp_override_fallback_disabled, - timestamp_field, + timestamp_field: TimestampField, event_category_override, tiebreaker_field, note: t.string, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index d5e6f713603e9..8240e5ceb218d 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts @@ -28,9 +28,9 @@ import type { RelatedIntegrationArray, RequiredFieldArray, SetupGuide, + RuleAuthorArray, } from '../../../../../common/detection_engine/rule_schema'; import type { - Author, BuildingBlockType, License, RuleNameOverride, 
@@ -217,7 +217,7 @@ export interface DefineStepRuleJson { } export interface AboutStepRuleJson { - author: Author; + author: RuleAuthorArray; building_block_type?: BuildingBlockType; exceptions_list?: List[]; name: string; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/delete_rules.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/delete_rules.ts index 061f990b1c9bf..a1190d8827c0d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/delete_rules.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/delete_rules.ts @@ -6,11 +6,11 @@ */ import type { RulesClient } from '@kbn/alerting-plugin/server'; -import type { Id } from '../../../../../../common/detection_engine/schemas/common'; +import type { RuleObjectId } from '../../../../../../common/detection_engine/rule_schema'; import type { IRuleExecutionLogForRoutes } from '../../../rule_monitoring'; export interface DeleteRuleOptions { - ruleId: Id; + ruleId: RuleObjectId; rulesClient: RulesClient; ruleExecutionLog: IRuleExecutionLogForRoutes; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/read_rules.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/read_rules.ts index 001da088f3f08..76969b31aab66 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/read_rules.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/read_rules.ts 
@@ -9,9 +9,9 @@ import type { ResolvedSanitizedRule, SanitizedRule } from '@kbn/alerting-plugin/ import type { RulesClient } from '@kbn/alerting-plugin/server'; import type { - IdOrUndefined, - RuleIdOrUndefined, -} from '../../../../../../common/detection_engine/schemas/common'; + RuleObjectId, + RuleSignatureId, +} from '../../../../../../common/detection_engine/rule_schema'; import { withSecuritySpan } from '../../../../../utils/with_security_span'; import type { RuleParams } from '../../../rule_schema'; import { isAlertType } from '../../../rule_schema'; @@ -19,8 +19,8 @@ import { findRules } from '../search/find_rules'; export interface ReadRuleOptions { rulesClient: RulesClient; - id: IdOrUndefined; - ruleId: RuleIdOrUndefined; + id: RuleObjectId | undefined; + ruleId: RuleSignatureId | undefined; } /** diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index cabe93e8cb4f7..486ba627e8153 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -40,20 +40,22 @@ import { import type { SanitizedRuleConfig } from '@kbn/alerting-plugin/common'; import { + IsRuleEnabled, + IsRuleImmutable, RelatedIntegrationArray, RequiredFieldArray, + RuleAuthorArray, + RuleDescription, + RuleName, + RuleSignatureId, SetupGuide, + TimestampField, } from '../../../../../common/detection_engine/rule_schema'; import { - author, buildingBlockTypeOrUndefined, - description, - enabled, namespaceOrUndefined, noteOrUndefined, false_positives, - rule_id, - immutable, dataViewIdOrUndefined, indexOrUndefined, licenseOrUndefined, @@ -61,7 +63,6 @@ import { timelineIdOrUndefined, timelineTitleOrUndefined, metaOrUndefined, - name, query, queryOrUndefined, filtersOrUndefined, 
@@ -70,7 +71,6 @@ import { timestampOverrideOrUndefined, to, references, - timestampFieldOrUndefined, eventCategoryOverrideOrUndefined, tiebreakerFieldOrUndefined, savedIdOrUndefined, @@ -88,15 +88,15 @@ const nonEqlLanguages = t.keyof({ kuery: null, lucene: null }); export const baseRuleParams = t.exact( t.type({ - author, + author: RuleAuthorArray, buildingBlockType: buildingBlockTypeOrUndefined, - description, + description: RuleDescription, namespace: namespaceOrUndefined, note: noteOrUndefined, falsePositives: false_positives, from, - ruleId: rule_id, - immutable, + ruleId: RuleSignatureId, + immutable: IsRuleImmutable, license: licenseOrUndefined, outputIndex: output_index, timelineId: timelineIdOrUndefined, @@ -129,7 +129,7 @@ const eqlSpecificRuleParams = t.type({ index: indexOrUndefined, query, filters: filtersOrUndefined, - timestampField: timestampFieldOrUndefined, + timestampField: t.union([TimestampField, t.undefined]), eventCategoryOverride: eventCategoryOverrideOrUndefined, dataViewId: dataViewIdOrUndefined, tiebreakerField: tiebreakerFieldOrUndefined, @@ -276,14 +276,14 @@ export const allRuleTypes = t.union([ ]); export const internalRuleCreate = t.type({ - name, + name: RuleName, tags, alertTypeId: allRuleTypes, consumer: t.literal(SERVER_APP_ID), schedule: t.type({ interval: t.string, }), - enabled, + enabled: IsRuleEnabled, actions: actionsCamel, params: ruleParams, throttle: throttleOrNull, @@ -292,7 +292,7 @@ export const internalRuleCreate = t.type({ export type InternalRuleCreate = t.TypeOf; export const internalRuleUpdate = t.type({ - name, + name: RuleName, tags, schedule: t.type({ interval: t.string, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts index ae7247c01b1af..8f57ba926df2e 100644 
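Review bot: In the `@@ -129` hunk `timestampField` becomes an inline `t.union([TimestampField, t.undefined])`, while every neighbouring optional param in `eqlSpecificRuleParams` (`eventCategoryOverrideOrUndefined`, `dataViewIdOrUndefined`, `tiebreakerFieldOrUndefined`) keeps a named `...OrUndefined` codec, and `timestampFieldOrUndefined` is the only one of the old helpers that is deleted rather than replaced. Exporting the optional form next to the new codec, `export const TimestampFieldOrUndefined = t.union([TimestampField, t.undefined]);`, and using it here would keep the object uniform and give other callers a single definition to reuse. The enclosing `eqlSpecificRuleParams` object starts and ends outside the hunk.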
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts @@ -7,21 +7,22 @@ import * as t from 'io-ts'; import { get } from 'lodash/fp'; + +import type { RuleName } from '../../../../../common/detection_engine/rule_schema'; import type { Meta, - Name, RuleNameOverrideOrUndefined, } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SignalSource } from '../types'; interface BuildRuleNameFromMappingProps { eventSource: SignalSource; - ruleName: Name; + ruleName: RuleName; ruleNameMapping: RuleNameOverrideOrUndefined; } interface BuildRuleNameFromMappingReturn { - ruleName: Name; + ruleName: RuleName; ruleNameMeta: Meta; // TODO: Stricter types } From 34548c58e74f5c4215f2a51fef5cebc0c68860b5 Mon Sep 17 00:00:00 2001 
From: Georgii Gorbachev Date: Fri, 14 Oct 2022 02:15:44 +0200 Subject: [PATCH 03/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 20 ++++- .../related_integrations.ts | 0 .../required_fields.ts | 0 .../model/common_to_all_types/risk_score.ts | 21 +++++ .../common_to_all_types/rule_descriptions.ts | 48 +++++++++++ .../model/common_to_all_types/rule_ids.ts | 25 ++++++ .../model/common_to_all_types/severity.ts | 31 +++++++ .../model/common_to_all_types/temp.ts | 25 ++++++ .../common_to_all_types/timeline_template.ts | 20 +++++ .../temp.ts} | 12 +-- .../rule_schema/model/rule_params/temp.ts | 86 ------------------- .../rule_schema/model/specific_to_eql/temp.ts | 30 +++++++ .../model/specific_to_indicator_match/temp.ts | 13 +++ .../model/specific_to_new_terms/temp.ts | 13 +++ .../model/specific_to_query/temp.ts | 13 +++ .../model/specific_to_threshold/temp.ts | 13 +++ .../schemas/common/schemas.ts | 26 ------ .../request/perform_bulk_action_schema.ts | 9 +- .../schemas/request/rule_schemas.ts | 40 ++++----- .../rule_management/logic/types.ts | 29 ++++--- .../rules/risk_score_mapping/index.tsx | 12 +-- .../components/rules/severity_badge/index.tsx | 5 +- .../rules/severity_mapping/index.tsx | 17 ++-- .../components/rules/step_about_rule/data.tsx | 4 +- .../pages/detection_engine/rules/helpers.tsx | 8 +- .../pages/detection_engine/rules/types.ts | 12 +-- .../rule_schema/model/rule_schemas.ts | 42 ++++----- .../build_risk_score_from_mapping.test.ts | 6 +- .../mappings/build_risk_score_from_mapping.ts | 9 +- .../build_severity_from_mapping.test.ts | 8 +- .../mappings/build_severity_from_mapping.ts | 11 ++- 31 files changed, 377 insertions(+), 231 deletions(-) rename x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/{rule_params => common_to_all_types}/related_integrations.ts (100%) rename x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/{rule_params => common_to_all_types}/required_fields.ts (100%) 
create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/risk_score.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/severity.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/timeline_template.ts rename x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/{rule_params/setup_guide.ts => common_to_some_types/temp.ts} (50%) delete mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_eql/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_indicator_match/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_new_terms/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_query/temp.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_threshold/temp.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index aa9fd14139364..b480a98f27cea 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts 
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts @@ -5,7 +5,19 @@ * 2.0. */ -export * from './model/rule_params/related_integrations'; -export * from './model/rule_params/required_fields'; -export * from './model/rule_params/setup_guide'; -export * from './model/rule_params/temp'; +export * from './model/common_to_all_types/related_integrations'; +export * from './model/common_to_all_types/required_fields'; +export * from './model/common_to_all_types/risk_score'; +export * from './model/common_to_all_types/rule_descriptions'; +export * from './model/common_to_all_types/rule_ids'; +export * from './model/common_to_all_types/severity'; +export * from './model/common_to_all_types/temp'; +export * from './model/common_to_all_types/timeline_template'; + +export * from './model/common_to_some_types/temp'; + +export * from './model/specific_to_eql/temp'; +export * from './model/specific_to_indicator_match/temp'; +export * from './model/specific_to_new_terms/temp'; +export * from './model/specific_to_query/temp'; +export * from './model/specific_to_threshold/temp'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/related_integrations.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/related_integrations.ts similarity index 100% rename from x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/related_integrations.ts rename to x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/related_integrations.ts 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/required_fields.ts similarity index 100% rename from x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/required_fields.ts rename to x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/required_fields.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/risk_score.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/risk_score.ts new file mode 100644 index 0000000000000..325bf65d7ac87 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/risk_score.ts @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as t from 'io-ts'; +import { risk_score, risk_score_mapping } from '@kbn/securitysolution-io-ts-alerting-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RiskScore = t.TypeOf; +export const RiskScore = risk_score; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RiskScoreMapping = t.TypeOf; +export const RiskScoreMapping = risk_score_mapping; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts new file mode 100644 index 0000000000000..a2a0e89fc6a53 --- /dev/null 
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts @@ -0,0 +1,48 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleName = t.TypeOf; +export const RuleName = NonEmptyString; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleDescription = t.TypeOf; +export const RuleDescription = NonEmptyString; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleAuthorArray = t.TypeOf; +export const RuleAuthorArray = t.array(t.string); // should be non-empty strings? + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleLicense = t.TypeOf; +export const RuleLicense = t.string; // should be non-empty string? + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type InvestigationGuide = t.TypeOf; +export const InvestigationGuide = t.string; + +/** + * Any instructions for the user for setting up their environment in order to start receiving + * source events for a given rule. + * + * It's a multiline text. Markdown is supported. + */ +export type SetupGuide = t.TypeOf; +export const SetupGuide = t.string; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts new file mode 100644 index 0000000000000..5736009e7f852 --- /dev/null 
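Review bot: All six exports in the new rule_descriptions.ts carry the `TODO ... Add description` placeholder, yet the codecs already fix what can be stated: `RuleName` and `RuleDescription` are `NonEmptyString`, `RuleAuthorArray` is an unbounded array of arbitrary strings, and `RuleLicense`, `InvestigationGuide` and `SetupGuide` are plain `t.string` with no emptiness or length constraint. I would replace the placeholders with what the codec actually enforces, e.g. for `InvestigationGuide`: `Free-form multiline text (markdown, like SetupGuide). The schema enforces neither non-emptiness nor a length limit, so any bounding or sanitising has to happen where the text is rendered.` The trailing `// should be non-empty strings?` / `// should be non-empty string?` questions on `RuleAuthorArray` and `RuleLicense` read better as a stated decision in the JSDoc (either why empty strings are tolerated for compatibility, or a switch to `NonEmptyString`, which this file already imports) than as open questions left in code.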
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts @@ -0,0 +1,25 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { UUID } from '@kbn/securitysolution-io-ts-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleObjectId = t.TypeOf; +export const RuleObjectId = UUID; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + * + * NOTE: Never make this a strict uuid, we allow the rule_id to be any string at the moment + * in case we encounter 3rd party rule systems which might be using auto incrementing numbers + * or other different things. + */ +export type RuleSignatureId = t.TypeOf; +export const RuleSignatureId = t.string; // should be non-empty string? diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/severity.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/severity.ts new file mode 100644 index 0000000000000..a954b0ac4a5da --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/severity.ts 
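Review bot: `RuleSignatureId` keeps the codec at `t.string`, so an empty `rule_id` still validates everywhere the new alias is wired in by this commit (the import, export, query-by-id, find and bulk-action request schemas), and the trailing `// should be non-empty string?` leaves that decision open in code. Tightening to `NonEmptyString` would not conflict with the NOTE about never requiring a UUID; if the permissive form must stay for existing rule content, the JSDoc should say so instead of asking. The placeholder description could also be filled from what the surrounding schemas show, e.g. `Identifier assigned by the rule author (required on import, optional on create); unlike RuleObjectId it is not a UUID and not generated by Kibana — presumably the saved object id, confirm.`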
@@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as t from 'io-ts'; +import { + severity, + severity_mapping, + severity_mapping_item, +} from '@kbn/securitysolution-io-ts-alerting-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type Severity = t.TypeOf; +export const Severity = severity; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type SeverityMapping = t.TypeOf; +export const SeverityMapping = severity_mapping; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type SeverityMappingItem = t.TypeOf; +export const SeverityMappingItem = severity_mapping_item; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts new file mode 100644 index 0000000000000..27569c5a13db8 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts 
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+// TODO: https://github.com/elastic/kibana/pull/142950 Split into multiple files
+
+// -------------------------------------------------------------------------------------------------
+// Attributes common to all rules (despite of the rule type)
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleEnabled = t.TypeOf;
+export const IsRuleEnabled = t.boolean;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleImmutable = t.TypeOf;
+export const IsRuleImmutable = t.boolean;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/timeline_template.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/timeline_template.ts
new file mode 100644
index 0000000000000..4b427a1125254
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/timeline_template.ts
@@ -0,0 +1,20 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type TimelineTemplateId = t.TypeOf; +export const TimelineTemplateId = t.string; // should be non-empty string? + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type TimelineTemplateTitle = t.TypeOf; +export const TimelineTemplateTitle = t.string; // should be non-empty string? diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_some_types/temp.ts similarity index 50% rename from x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts rename to x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_some_types/temp.ts index 2a99f187e2e0f..0139300bf8c1a 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/setup_guide.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_some_types/temp.ts @@ -6,12 +6,8 @@ */ import * as t from 'io-ts'; +import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; + +// ------------------------------------------------------------------------------------------------- +// Attributes common to some of the rule types -/** - * Any instructions for the user for setting up their environment in order to start receiving - * source events for a given rule. - * - * It's a multiline text. Markdown is supported. - */ -export type SetupGuide = t.TypeOf; -export const SetupGuide = t.string; 
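Review bot: Both `TimelineTemplateId = t.string` and `TimelineTemplateTitle = t.string` carry the same unresolved `// should be non-empty string?` comment, so the new shared codec still accepts `''` for an identifier that other hunks in this patch feed straight into `bulkActionEditPayloadTimeline` and into `baseRuleParams`. This matches the removed `timeline_id`/`timeline_title` codecs, so it is not a regression, but centralising the type is the right moment to decide: if an empty id is meaningful (e.g. "no template"), say so in the doc comment instead of the question, otherwise `export const TimelineTemplateId = NonEmptyString;` with the matching import from `@kbn/securitysolution-io-ts-types`. How an empty id is treated downstream is not visible in this diff, so confirm against the timeline resolution code before tightening.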
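Review bot: In the `setup_guide.ts` → `common_to_some_types/temp.ts` rename, the added `import { NonEmptyString } from '@kbn/securitysolution-io-ts-types';` is not referenced by anything left in the file once the `SetupGuide` definition is deleted, so the file will trip `@typescript-eslint/no-unused-vars` (and `import * as t` is now unused as well). Either drop the two imports until a codec actually lands here, or add the first attribute in this change. The removed JSDoc ("Any instructions for the user ... multiline text. Markdown is supported.") is the only description of `setup` in the diff; wherever `SetupGuide` is re-homed (its new location is outside this view, though `rule_schemas.ts` still imports it from `../../rule_schema`), carry that comment with it rather than replacing it with a TODO.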
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts deleted file mode 100644 index 4bfc25ad9ee00..0000000000000 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/rule_params/temp.ts +++ /dev/null 
@@ -1,86 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; -import { NonEmptyString, UUID } from '@kbn/securitysolution-io-ts-types'; - -// TODO: https://github.com/elastic/kibana/pull/142950 Split into multiple files - -// ------------------------------------------------------------------------------------------------- -// Attributes common to all rules (despite of the rule type) - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type RuleObjectId = t.TypeOf; -export const RuleObjectId = UUID; - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - * - * NOTE: Never make this a strict uuid, we allow the rule_id to be any string at the moment - * in case we encounter 3rd party rule systems which might be using auto incrementing numbers - * or other different things. - */ -export type RuleSignatureId = t.TypeOf; -export const RuleSignatureId = t.string; // should be non-empty string? 
- -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type RuleName = t.TypeOf; -export const RuleName = NonEmptyString; - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type RuleDescription = t.TypeOf; -export const RuleDescription = NonEmptyString; - -// Rule authors - -type RuleAuthor = t.TypeOf; -const RuleAuthor = t.string; - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type RuleAuthorArray = t.TypeOf; -export const RuleAuthorArray = t.array(RuleAuthor); - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type IsRuleEnabled = t.TypeOf; -export const IsRuleEnabled = t.boolean; - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type IsRuleImmutable = t.TypeOf; -export const IsRuleImmutable = t.boolean; - -// ------------------------------------------------------------------------------------------------- -// Attributes specific to Custom Query and Saved Query rules - -// ------------------------------------------------------------------------------------------------- -// Attributes specific to EQL rules - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type TimestampField = t.TypeOf; -export const TimestampField = t.string; - -// ------------------------------------------------------------------------------------------------- -// Attributes specific to Indicator Match rules - -// ------------------------------------------------------------------------------------------------- -// Attributes specific to Threshold rules - -// ------------------------------------------------------------------------------------------------- -// Attributes specific to New Terms rules 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_eql/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_eql/temp.ts
new file mode 100644
index 0000000000000..abbac8496c280
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_eql/temp.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString } from '@kbn/securitysolution-io-ts-types';
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to EQL rules
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type EventCategoryOverride = t.TypeOf;
+export const EventCategoryOverride = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type TimestampField = t.TypeOf;
+export const TimestampField = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type TiebreakerField = t.TypeOf;
+export const TiebreakerField = t.string; // should be non-empty string?
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_indicator_match/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_indicator_match/temp.ts
new file mode 100644
index 0000000000000..74ea6d4200911
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_indicator_match/temp.ts
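Review bot: This file imports `NonEmptyString` and never uses it, while all three codecs it defines (`EventCategoryOverride`, `TimestampField`, `TiebreakerField`) are `t.string` with a `// should be non-empty string?` comment asking exactly the question that import answers. These are field names handed to the EQL executor, and an empty name is never a usable field, so `export const TimestampField = NonEmptyString;` (and likewise for the other two) is the natural resolution; if the intent is to defer, remove the unused import so the file passes lint and replace the trailing question with a TODO pointing at the tracking PR. Whether any stored rule currently has `''` in one of these fields, which would fail to decode after tightening, is not visible here and should be checked against the saved-object params schema before making the change.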
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString } from '@kbn/securitysolution-io-ts-types';
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to Indicator Match rules
+
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_new_terms/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_new_terms/temp.ts
new file mode 100644
index 0000000000000..4aab5fffe7a2e
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_new_terms/temp.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString } from '@kbn/securitysolution-io-ts-types';
+
+// -------------------------------------------------------------------------------------------------
+// Attributes specific to New Terms rules
+
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_query/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_query/temp.ts
new file mode 100644
index 0000000000000..191b44032634f
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_query/temp.ts
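Review bot: The new `specific_to_indicator_match/temp.ts` consists only of the licence header, `import * as t from 'io-ts';`, `import { NonEmptyString } ...` and a section banner, so both imports are unused and the file will fail `@typescript-eslint/no-unused-vars` before it contains any codec. The same shape repeats in the `specific_to_new_terms` placeholder in this hunk and, from what is visible, in the query and threshold siblings. Either leave the imports out until a definition needs them, or add an explanatory `// TODO: https://github.com/elastic/kibana/pull/142950 Move indicator match params here` line so the purpose of an otherwise empty module is recorded and the lint rule can be suppressed deliberately rather than by accident.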
@@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; + +// ------------------------------------------------------------------------------------------------- +// Attributes specific to Custom Query and Saved Query rules + diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_threshold/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_threshold/temp.ts new file mode 100644 index 0000000000000..006a8cc0f6a5a --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/specific_to_threshold/temp.ts @@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; + +// ------------------------------------------------------------------------------------------------- +// Attributes specific to Threshold rules + diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index f999bf79acb4e..7fd2393c44457 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts 
@@ -36,13 +36,6 @@ export const alias_purpose = t.union([ t.literal('savedObjectImport'), ]); -export const event_category_override = t.string; -export const eventCategoryOverrideOrUndefined = t.union([event_category_override, t.undefined]); - -export const tiebreaker_field = t.string; - -export const tiebreakerFieldOrUndefined = t.union([tiebreaker_field, t.undefined]); - export const false_positives = t.array(t.string); export const file_name = t.string; @@ -83,11 +76,6 @@ export type Query = t.TypeOf; export const queryOrUndefined = t.union([query, t.undefined]); export type QueryOrUndefined = t.TypeOf; -export const license = t.string; -export type License = t.TypeOf; - -export const licenseOrUndefined = t.union([license, t.undefined]); - export const output_index = t.string; export const saved_id = t.string; @@ -95,15 +83,6 @@ export const saved_id = t.string; export const savedIdOrUndefined = t.union([saved_id, t.undefined]); export type SavedIdOrUndefined = t.TypeOf; -export const timeline_id = t.string; -export type TimelineId = t.TypeOf; - -export const timelineIdOrUndefined = t.union([timeline_id, t.undefined]); - -export const timeline_title = t.string; - -export const timelineTitleOrUndefined = t.union([timeline_title, t.undefined]); - export const timestamp_override = t.string; export type TimestampOverride = t.TypeOf; @@ -254,13 +233,8 @@ export const timelines_updated = PositiveInteger; export const timelines_not_installed = PositiveInteger; export const timelines_not_updated = PositiveInteger; -export const note = t.string; -export type Note = t.TypeOf; - export const namespaceOrUndefined = t.union([namespace, t.undefined]); -export const noteOrUndefined = t.union([note, t.undefined]); - export const indexRecord = t.record( t.string, t.type({ 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts index 0140e5f8d9262..91ed75e1ed636 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts @@ -6,15 +6,16 @@ */ import * as t from 'io-ts'; -import { NonEmptyArray, TimeDuration, enumeration } from '@kbn/securitysolution-io-ts-types'; +import { NonEmptyArray, TimeDuration, enumeration } from '@kbn/securitysolution-io-ts-types'; import { action_group as actionGroup, action_params as actionParams, action_id as actionId, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { queryOrUndefined, tags, index, timeline_id, timeline_title } from '../common/schemas'; +import { TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; +import { queryOrUndefined, tags, index } from '../common/schemas'; export enum BulkAction { 'enable' = 'enable', @@ -82,8 +83,8 @@ export type BulkActionEditPayloadIndexPatterns = t.TypeOf< const bulkActionEditPayloadTimeline = t.type({ type: t.literal(BulkActionEditType.set_timeline), value: t.type({ - timeline_id, - timeline_title, + timeline_id: TimelineTemplateId, + timeline_title: TimelineTemplateTitle, }), }); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 8dc66b4eeb214..2de43ebbc8d10 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts 
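Review bot: `bulkActionEditPayloadTimeline` now validates `timeline_id: TimelineTemplateId` and `timeline_title: TimelineTemplateTitle`, but per the `timeline_template.ts` hunk both codecs are plain `t.string`, so the bulk `set_timeline` action still accepts `{ timeline_id: '', timeline_title: '' }` and will write empty values across every selected rule in one request. If an empty id is the intended way to clear a template, state that in a comment on the `value` object; if not, this is the one place where a `NonEmptyString`-based codec should be required, since a single malformed bulk edit touches many rules at once. How the edit handler treats an empty id is outside this diff, so confirm that before changing the codec.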
@@ -10,9 +10,7 @@ import * as t from 'io-ts'; import { actions, from, - risk_score, machine_learning_job_id, - risk_score_mapping, threat_filters, threat_query, threat_mapping, @@ -21,8 +19,6 @@ import { concurrent_searches, items_per_search, threats, - severity_mapping, - severity, max_signals, throttle, } from '@kbn/securitysolution-io-ts-alerting-types'; @@ -32,29 +28,33 @@ import { version } from '@kbn/securitysolution-io-ts-types'; import { RuleExecutionSummary } from '../../rule_monitoring'; import { ResponseActionArray } from '../../rule_response_actions/schemas'; import { + EventCategoryOverride, + InvestigationGuide, IsRuleEnabled, IsRuleImmutable, RelatedIntegrationArray, RequiredFieldArray, + RiskScore, + RiskScoreMapping, RuleAuthorArray, RuleDescription, + RuleLicense, RuleName, RuleObjectId, RuleSignatureId, SetupGuide, + Severity, + SeverityMapping, + TiebreakerField, + TimelineTemplateId, + TimelineTemplateTitle, TimestampField, } from '../../rule_schema'; import { index, data_view_id, filters, - event_category_override, - tiebreaker_field, building_block_type, - note, - license, - timeline_id, - timeline_title, meta, rule_name_override, timestamp_override, @@ -167,19 +167,19 @@ const baseParams = { required: { name: RuleName, description: RuleDescription, - risk_score, - severity, + risk_score: RiskScore, + severity: Severity, }, optional: { building_block_type, - note, - license, + note: InvestigationGuide, + license: RuleLicense, outcome, alias_target_id, alias_purpose, output_index, - timeline_id, - timeline_title, + timeline_id: TimelineTemplateId, + timeline_title: TimelineTemplateTitle, meta, rule_name_override, timestamp_override, @@ -197,8 +197,8 @@ const baseParams = { from, // maxSignals not used in ML rules but probably should be used max_signals, - risk_score_mapping, - severity_mapping, + risk_score_mapping: RiskScoreMapping, + severity_mapping: SeverityMapping, threat: threats, to, references, 
@@ -246,9 +246,9 @@ const eqlRuleParams = { index, data_view_id, filters, + event_category_override: EventCategoryOverride, timestamp_field: TimestampField, - event_category_override, - tiebreaker_field, + tiebreaker_field: TiebreakerField, }, defaultable: {}, }; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index 31418778fdccf..ad748d3cb71eb 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -7,9 +7,6 @@ import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; import { - risk_score_mapping, - severity, - severity_mapping, threats, threat_filters, threat_index, @@ -24,10 +21,17 @@ import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import * as t from 'io-ts'; import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; import { + EventCategoryOverride, RelatedIntegrationArray, RequiredFieldArray, - SetupGuide, + RiskScore, + RiskScoreMapping, RuleAuthorArray, + RuleLicense, + SetupGuide, + Severity, + SeverityMapping, + TiebreakerField, TimestampField, } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; @@ -35,12 +39,9 @@ import { alias_purpose as savedObjectResolveAliasPurpose, building_block_type, data_view_id, - event_category_override, - license, outcome as savedObjectResolveOutcome, rule_name_override, threshold, - tiebreaker_field, timestamp_override, timestamp_override_fallback_disabled, } from '../../../../common/detection_engine/schemas/common'; 
@@ -112,11 +113,11 @@ export const RuleSchema = t.intersection([ references: t.array(t.string), related_integrations: RelatedIntegrationArray, required_fields: RequiredFieldArray, - risk_score: t.number, - risk_score_mapping, + risk_score: RiskScore, + risk_score_mapping: RiskScoreMapping, rule_id: t.string, - severity, - severity_mapping, + severity: Severity, + severity_mapping: SeverityMapping, setup: SetupGuide, tags: t.array(t.string), type, @@ -137,7 +138,7 @@ export const RuleSchema = t.intersection([ index: t.array(t.string), data_view_id, language: t.string, - license, + license: RuleLicense, meta: MetaRule, machine_learning_job_id: t.array(t.string), new_terms_fields: t.array(t.string), @@ -157,9 +158,9 @@ export const RuleSchema = t.intersection([ timeline_title: t.string, timestamp_override, timestamp_override_fallback_disabled, + event_category_override: EventCategoryOverride, timestamp_field: TimestampField, - event_category_override, - tiebreaker_field, + tiebreaker_field: TiebreakerField, note: t.string, exceptions_list: listArray, uuid: t.string, diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx index ea5aac0bcae26..1296d1cb47aef 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx @@ -5,6 +5,9 @@ * 2.0. */ +import React, { useCallback, useMemo } from 'react'; +import styled from 'styled-components'; +import { noop } from 'lodash/fp'; import { EuiFormRow, EuiCheckbox, 
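Review bot: The client-side `RuleSchema` is only half-migrated: `risk_score`, `severity`, `license`, `event_category_override` and `tiebreaker_field` now use the shared codecs, but the surrounding context lines still declare `rule_id: t.string`, `timeline_id: t.string`, `timeline_title: t.string` and `note: t.string`, whereas the server `baseRuleParams` hunk in this same patch validates those as `RuleSignatureId`, `TimelineTemplateId`, `TimelineTemplateTitle` and `InvestigationGuide`. Leaving them as raw `t.string` means any later tightening of the shared codec (for instance to `NonEmptyString`) will not be reflected in what the UI accepts from the API, which is exactly the drift this refactor is meant to remove. Suggest `rule_id: RuleSignatureId,`, `timeline_id: TimelineTemplateId,` / `timeline_title: TimelineTemplateTitle,` and `note: InvestigationGuide,` alongside the other imports from `../../../../common/detection_engine/rule_schema`. The enclosing `t.intersection([...])` starts and ends outside these hunks.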
@@ -16,15 +19,14 @@ import { EuiSpacer, EuiRange, } from '@elastic/eui'; -import React, { useCallback, useMemo } from 'react'; -import styled from 'styled-components'; -import { noop } from 'lodash/fp'; -import type { RiskScoreMapping } from '@kbn/securitysolution-io-ts-alerting-types'; + import { FieldComponent } from '@kbn/securitysolution-autocomplete'; import type { DataViewBase, DataViewFieldBase } from '@kbn/es-query'; import type { FieldHook } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib'; -import * as i18n from './translations'; + +import type { RiskScoreMapping } from '../../../../../common/detection_engine/rule_schema'; import type { AboutStepRiskScore } from '../../../pages/detection_engine/rules/types'; +import * as i18n from './translations'; const NestedContent = styled.div` margin-left: 24px; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/severity_badge/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/severity_badge/index.tsx index af746d158e2a7..7e72be8dcaaf2 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/severity_badge/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/severity_badge/index.tsx @@ -5,10 +5,11 @@ * 2.0. */ -import { upperFirst } from 'lodash/fp'; import React from 'react'; +import { upperFirst } from 'lodash/fp'; import { euiLightVars } from '@kbn/ui-theme'; -import type { Severity } from '@kbn/securitysolution-io-ts-alerting-types'; + +import type { Severity } from '../../../../../common/detection_engine/rule_schema'; import { HealthTruncateText } from '../../../../common/components/health_truncate_text'; const { euiColorVis0, euiColorVis5, euiColorVis7, euiColorVis9 } = euiLightVars; 
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx index 961620d1521c4..2de8f3a2ee8ed 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx @@ -19,22 +19,23 @@ import { import { noop } from 'lodash/fp'; import React, { useCallback, useMemo } from 'react'; import styled from 'styled-components'; -import type { - Severity, - SeverityMapping, - SeverityMappingItem, -} from '@kbn/securitysolution-io-ts-alerting-types'; + +import type { DataViewBase, DataViewFieldBase } from '@kbn/es-query'; +import type { FieldHook } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib'; import { FieldComponent, AutocompleteFieldMatchComponent, } from '@kbn/securitysolution-autocomplete'; -import type { DataViewBase, DataViewFieldBase } from '@kbn/es-query'; -import type { FieldHook } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib'; -import * as i18n from './translations'; +import type { + Severity, + SeverityMapping, + SeverityMappingItem, +} from '../../../../../common/detection_engine/rule_schema'; import type { SeverityOptionItem } from '../step_about_rule/data'; import type { AboutStepSeverity } from '../../../pages/detection_engine/rules/types'; import { useKibana } from '../../../../common/lib/kibana'; +import * as i18n from './translations'; const NestedContent = styled.div` margin-left: 24px; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/data.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/data.tsx index d0d471e3a727b..a37114befc7b9 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/data.tsx 
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/data.tsx @@ -5,12 +5,12 @@ * 2.0. */ +import React from 'react'; import styled from 'styled-components'; import { EuiHealth } from '@elastic/eui'; import { euiLightVars } from '@kbn/ui-theme'; -import React from 'react'; -import type { Severity } from '@kbn/securitysolution-io-ts-alerting-types'; +import type { Severity } from '../../../../../common/detection_engine/rule_schema'; import * as I18n from './translations'; export interface SeverityOptionItem { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx index 45216ed6b9236..a8f896275daeb 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx @@ -12,15 +12,11 @@ import { useLocation } from 'react-router-dom'; import styled from 'styled-components'; import { EuiFlexItem } from '@elastic/eui'; -import type { - Threats, - Type, - SeverityMapping, - Severity, -} from '@kbn/securitysolution-io-ts-alerting-types'; +import type { Threats, Type } from '@kbn/securitysolution-io-ts-alerting-types'; import { ENDPOINT_LIST_ID } from '@kbn/securitysolution-list-constants'; import type { Filter } from '@kbn/es-query'; import type { ActionVariables } from '@kbn/triggers-actions-ui-plugin/public'; +import type { Severity, SeverityMapping } from '../../../../../common/detection_engine/rule_schema'; import type { ResponseAction } from '../../../../../common/detection_engine/rule_response_actions/schemas'; import { normalizeThresholdField } from '../../../../../common/detection_engine/utils'; import type { RuleAlertAction } from '../../../../../common/detection_engine/types'; 
diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index 8240e5ceb218d..2e66a18796813 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts @@ -8,13 +8,10 @@ import type { List } from '@kbn/securitysolution-io-ts-list-types'; import type { - RiskScoreMapping, ThreatIndex, ThreatMapping, Threats, Type, - SeverityMapping, - Severity, } from '@kbn/securitysolution-io-ts-alerting-types'; import type { DataViewBase, Filter } from '@kbn/es-query'; import type { RuleAction } from '@kbn/alerting-plugin/common'; @@ -27,12 +24,15 @@ import type { FieldValueThreshold } from '../../../components/rules/threshold_in import type { RelatedIntegrationArray, RequiredFieldArray, - SetupGuide, + RiskScoreMapping, RuleAuthorArray, + RuleLicense, + SetupGuide, + Severity, + SeverityMapping, } from '../../../../../common/detection_engine/rule_schema'; import type { BuildingBlockType, - License, RuleNameOverride, SortOrder, TimestampOverride, @@ -222,7 +222,7 @@ export interface AboutStepRuleJson { exceptions_list?: List[]; name: string; description: string; - license: License; + license: RuleLicense; severity: string; severity_mapping: SeverityMapping; risk_score: number; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 486ba627e8153..494f7114c2165 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts 
@@ -11,8 +11,6 @@ import { actionsCamel, from, machine_learning_job_id_normalized, - risk_score, - risk_score_mapping, threat_mapping, threat_index, threat_query, @@ -20,8 +18,6 @@ import { itemsPerSearchOrUndefined, threatIndicatorPathOrUndefined, threats, - severity, - severity_mapping, throttleOrNull, max_signals, } from '@kbn/securitysolution-io-ts-alerting-types'; @@ -40,28 +36,34 @@ import { import type { SanitizedRuleConfig } from '@kbn/alerting-plugin/common'; import { + EventCategoryOverride, + InvestigationGuide, IsRuleEnabled, IsRuleImmutable, RelatedIntegrationArray, RequiredFieldArray, + RiskScore, + RiskScoreMapping, RuleAuthorArray, RuleDescription, + RuleLicense, RuleName, RuleSignatureId, SetupGuide, + Severity, + SeverityMapping, + TiebreakerField, + TimelineTemplateId, + TimelineTemplateTitle, TimestampField, } from '../../../../../common/detection_engine/rule_schema'; import { buildingBlockTypeOrUndefined, namespaceOrUndefined, - noteOrUndefined, false_positives, dataViewIdOrUndefined, indexOrUndefined, - licenseOrUndefined, output_index, - timelineIdOrUndefined, - timelineTitleOrUndefined, metaOrUndefined, query, queryOrUndefined, @@ -71,8 +73,6 @@ import { timestampOverrideOrUndefined, to, references, - eventCategoryOverrideOrUndefined, - tiebreakerFieldOrUndefined, savedIdOrUndefined, saved_id, thresholdNormalized, 
@@ -92,23 +92,23 @@ export const baseRuleParams = t.exact( buildingBlockType: buildingBlockTypeOrUndefined, description: RuleDescription, namespace: namespaceOrUndefined, - note: noteOrUndefined, + note: t.union([InvestigationGuide, t.undefined]), falsePositives: false_positives, from, ruleId: RuleSignatureId, immutable: IsRuleImmutable, - license: licenseOrUndefined, + license: t.union([RuleLicense, t.undefined]), outputIndex: output_index, - timelineId: timelineIdOrUndefined, - timelineTitle: timelineTitleOrUndefined, + timelineId: t.union([TimelineTemplateId, t.undefined]), + timelineTitle: t.union([TimelineTemplateTitle, t.undefined]), meta: metaOrUndefined, // maxSignals not used in ML rules but probably should be used maxSignals: max_signals, - riskScore: risk_score, - riskScoreMapping: risk_score_mapping, + riskScore: RiskScore, + riskScoreMapping: RiskScoreMapping, ruleNameOverride: ruleNameOverrideOrUndefined, - severity, - severityMapping: severity_mapping, + severity: Severity, + severityMapping: SeverityMapping, timestampOverride: timestampOverrideOrUndefined, timestampOverrideFallbackDisabled: timestampOverrideFallbackDisabledOrUndefined, threat: threats, @@ -127,12 +127,12 @@ const eqlSpecificRuleParams = t.type({ type: t.literal('eql'), language: t.literal('eql'), index: indexOrUndefined, + dataViewId: dataViewIdOrUndefined, query, filters: filtersOrUndefined, + eventCategoryOverride: t.union([EventCategoryOverride, t.undefined]), timestampField: t.union([TimestampField, t.undefined]), - eventCategoryOverride: eventCategoryOverrideOrUndefined, - dataViewId: dataViewIdOrUndefined, - tiebreakerField: tiebreakerFieldOrUndefined, + tiebreakerField: t.union([TiebreakerField, t.undefined]), }); export const eqlRuleParams = t.intersection([baseRuleParams, eqlSpecificRuleParams]); export type EqlSpecificRuleParams = t.TypeOf; 
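Review bot: The rewritten `baseRuleParams` and `eqlSpecificRuleParams` now spell out `t.union([X, t.undefined])` seven times where the removed `*OrUndefined` constants used to carry that pattern, which makes the optional fields harder to scan than the required ones next to them. A one-line local helper, `const orUndefined = <C extends t.Mixed>(codec: C) => t.union([codec, t.undefined]);`, would let each field read `note: orUndefined(InvestigationGuide),` and keep the optional-ness visible at a glance. This is purely a readability point; the produced codec is the same. `baseRuleParams` is wrapped in `t.exact(` which starts before this hunk and closes after it.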
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.test.ts index ffd9e2b46d48f..33edb99bf1131 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.test.ts @@ -7,8 +7,8 @@ import type { RiskScore, - RiskScoreMappingOrUndefined, -} from '@kbn/securitysolution-io-ts-alerting-types'; + RiskScoreMapping, +} from '../../../../../common/detection_engine/rule_schema'; import { sampleDocRiskScore } from '../__mocks__/es_results'; import type { BuildRiskScoreFromMappingReturn } from './build_risk_score_from_mapping'; import { buildRiskScoreFromMapping } from './build_risk_score_from_mapping'; @@ -187,7 +187,7 @@ describe('buildRiskScoreFromMapping', () => { interface TestCase { fieldValue: unknown; scoreDefault: RiskScore; - scoreMapping: RiskScoreMappingOrUndefined; + scoreMapping: RiskScoreMapping | undefined; expected: BuildRiskScoreFromMappingReturn; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts index 9e875165cf469..42f8469dacc1a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts 
@@ -5,18 +5,19 @@ * 2.0. */ +import { get } from 'lodash/fp'; + import type { RiskScore, - RiskScoreMappingOrUndefined, -} from '@kbn/securitysolution-io-ts-alerting-types'; -import { get } from 'lodash/fp'; + RiskScoreMapping, +} from '../../../../../common/detection_engine/rule_schema'; import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SignalSource } from '../types'; export interface BuildRiskScoreFromMappingProps { eventSource: SignalSource; riskScore: RiskScore; - riskScoreMapping: RiskScoreMappingOrUndefined; + riskScoreMapping: RiskScoreMapping | undefined; } export interface BuildRiskScoreFromMappingReturn { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.test.ts index 75e53cdf0ae4c..59248e1422866 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.test.ts @@ -5,11 +5,7 @@ * 2.0. */ -import type { - Severity, - SeverityMappingOrUndefined, -} from '@kbn/securitysolution-io-ts-alerting-types'; - +import type { Severity, SeverityMapping } from '../../../../../common/detection_engine/rule_schema'; import { sampleDocSeverity } from '../__mocks__/es_results'; import type { BuildSeverityFromMappingReturn } from './build_severity_from_mapping'; import { buildSeverityFromMapping } from './build_severity_from_mapping'; @@ -141,7 +137,7 @@ interface TestCase { fieldName?: string; fieldValue: unknown; severityDefault: Severity; - severityMapping: SeverityMappingOrUndefined; + severityMapping: SeverityMapping | undefined; expected: BuildSeverityFromMappingReturn; } 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts index 4a57467040b5e..bcc41c8939053 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts @@ -8,11 +8,10 @@ import { get } from 'lodash/fp'; import type { - Severity, + SeverityMapping, SeverityMappingItem, - SeverityMappingOrUndefined, -} from '@kbn/securitysolution-io-ts-alerting-types'; -import { severity as SeverityIOTS } from '@kbn/securitysolution-io-ts-alerting-types'; +} from '../../../../../common/detection_engine/rule_schema'; +import { Severity } from '../../../../../common/detection_engine/rule_schema'; import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SearchTypes } from '../../../../../common/detection_engine/types'; import type { SignalSource } from '../types'; @@ -20,7 +19,7 @@ import type { SignalSource } from '../types'; export interface BuildSeverityFromMappingProps { eventSource: SignalSource; severity: Severity; - severityMapping: SeverityMappingOrUndefined; + severityMapping: SeverityMapping | undefined; } export interface BuildSeverityFromMappingReturn { @@ -66,7 +65,7 @@ export const buildSeverityFromMapping = ({ } }); - if (severityMatch != null && SeverityIOTS.is(severityMatch.severity)) { + if (severityMatch != null && Severity.is(severityMatch.severity)) { return overriddenSeverity(severityMatch.severity, severityMatch.field); } From ad46344fc93abbcfe1bcfd1ebf08b61621ebcd3e Mon Sep 17 00:00:00 2001 
From: Georgii Gorbachev Date: Fri, 14 Oct 2022 03:51:23 +0200 Subject: [PATCH 04/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 6 +- .../common_to_all_types/main_attributes.ts | 61 +++++++++++++++++ ...ule_descriptions.ts => misc_attributes.ts} | 17 +++-- .../model/common_to_all_types/rule_ids.ts | 25 ------- .../common_to_all_types/rule_schedule.ts | 14 ++++ .../model/common_to_all_types/temp.ts | 25 ------- .../schemas/common/schemas.ts | 11 ---- .../request/perform_bulk_action_schema.ts | 6 +- .../schemas/request/rule_schemas.ts | 65 +++++++++++-------- .../rule_management/logic/types.ts | 44 +++++++++---- .../rule_schema/model/rule_schemas.ts | 18 ++--- 11 files changed, 167 insertions(+), 125 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts rename x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/{rule_descriptions.ts => misc_attributes.ts} (80%) delete mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts delete mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index b480a98f27cea..1a202abbc57e5 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts 
@@ -5,13 +5,13 @@ * 2.0. */ +export * from './model/common_to_all_types/main_attributes'; +export * from './model/common_to_all_types/misc_attributes'; export * from './model/common_to_all_types/related_integrations'; export * from './model/common_to_all_types/required_fields'; export * from './model/common_to_all_types/risk_score'; -export * from './model/common_to_all_types/rule_descriptions'; -export * from './model/common_to_all_types/rule_ids'; +export * from './model/common_to_all_types/rule_schedule'; export * from './model/common_to_all_types/severity'; -export * from './model/common_to_all_types/temp'; export * from './model/common_to_all_types/timeline_template'; export * from './model/common_to_some_types/temp'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts new file mode 100644 index 0000000000000..4384164c26b59 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts 
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+import { NonEmptyString, version, UUID } from '@kbn/securitysolution-io-ts-types';
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleObjectId = t.TypeOf;
+export const RuleObjectId = UUID;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ *
+ * NOTE: Never make this a strict uuid, we allow the rule_id to be any string at the moment
+ * in case we encounter 3rd party rule systems which might be using auto incrementing numbers
+ * or other different things.
+ */
+export type RuleSignatureId = t.TypeOf;
+export const RuleSignatureId = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleName = t.TypeOf;
+export const RuleName = NonEmptyString;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleDescription = t.TypeOf;
+export const RuleDescription = NonEmptyString;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleVersion = t.TypeOf;
+export const RuleVersion = version;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleTags = t.TypeOf;
+export const RuleTags = t.array(t.string); // should be non-empty strings?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleImmutable = t.TypeOf;
+export const IsRuleImmutable = t.boolean;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type IsRuleEnabled = t.TypeOf;
+export const IsRuleEnabled = t.boolean;
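Review bot: `export const RuleSignatureId = t.string; // should be non-empty string?` leaves the open question in place even though `NonEmptyString` is already imported in this file for `RuleName` and `RuleDescription`; since `RuleSignatureId` is now the codec behind `ruleId`/`rule_id` in the server rule params and the client `RuleSchema`, `export const RuleSignatureId = NonEmptyString;` would reject an empty id at the API boundary without making it a UUID, which the NOTE above it explicitly wants to keep out. The same bare `t.string` with a "should be non-empty" comment is introduced for `RuleLicense` and the string arrays in misc_attributes.ts, `RuleInterval` in rule_schedule.ts, and `RuleNameOverride`/`TimestampOverride` in field_overrides.ts, the last two being values that, judging by the diffstat, flow into query-building code. Whether stored rules with empty values exist is not visible here, so the tightening should be checked against existing saved objects before landing. Every exported type in the file also still carries only the `TODO ... Add description` placeholder.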
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/misc_attributes.ts similarity index 80% rename from x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts rename to x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/misc_attributes.ts index a2a0e89fc6a53..573c8c100e7e9 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_descriptions.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/misc_attributes.ts 
@@ -6,31 +6,30 @@ */ import * as t from 'io-ts'; -import { NonEmptyString } from '@kbn/securitysolution-io-ts-types'; /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ -export type RuleName = t.TypeOf; -export const RuleName = NonEmptyString; +export type RuleLicense = t.TypeOf; +export const RuleLicense = t.string; // should be non-empty string? /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ -export type RuleDescription = t.TypeOf; -export const RuleDescription = NonEmptyString; +export type RuleAuthorArray = t.TypeOf; +export const RuleAuthorArray = t.array(t.string); // should be non-empty strings? /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ -export type RuleAuthorArray = t.TypeOf; -export const RuleAuthorArray = t.array(t.string); // should be non-empty strings? +export type RuleFalsePositiveArray = t.TypeOf; +export const RuleFalsePositiveArray = t.array(t.string); // should be non-empty strings? /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ -export type RuleLicense = t.TypeOf; -export const RuleLicense = t.string; // should be non-empty string? +export type RuleReferenceArray = t.TypeOf; +export const RuleReferenceArray = t.array(t.string); // should be non-empty strings? /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts deleted file mode 100644 index 5736009e7f852..0000000000000 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_ids.ts +++ /dev/null 
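Review bot: The file is renamed from rule_descriptions.ts to misc_attributes.ts but gains no comment stating what qualifies as a "misc" attribute, and the newly grouped `RuleFalsePositiveArray` and `RuleReferenceArray` carry only the `TODO ... Add description` placeholder. A file-level line such as `// Attributes shared by all rule types that do not belong to a more specific group (main attributes, schedule, severity, ...)` plus a one-line statement of what each string array holds would make the grouping self-explanatory. The file continues past the end of this hunk.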
@@ -1,25 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import * as t from 'io-ts';
-import { UUID } from '@kbn/securitysolution-io-ts-types';
-
-/**
- * TODO: https://github.com/elastic/kibana/pull/142950 Add description
- */
-export type RuleObjectId = t.TypeOf;
-export const RuleObjectId = UUID;
-
-/**
- * TODO: https://github.com/elastic/kibana/pull/142950 Add description
- *
- * NOTE: Never make this a strict uuid, we allow the rule_id to be any string at the moment
- * in case we encounter 3rd party rule systems which might be using auto incrementing numbers
- * or other different things.
- */
-export type RuleSignatureId = t.TypeOf;
-export const RuleSignatureId = t.string; // should be non-empty string?
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts
new file mode 100644
index 0000000000000..1312138cf23dd
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts
@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleInterval = t.TypeOf;
+export const RuleInterval = t.string; // should be non-empty more specific string
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts deleted file mode 100644 index 27569c5a13db8..0000000000000 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/temp.ts +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import * as t from 'io-ts'; - -// TODO: https://github.com/elastic/kibana/pull/142950 Split into multiple files - -// ------------------------------------------------------------------------------------------------- -// Attributes common to all rules (despite of the rule type) - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type IsRuleEnabled = t.TypeOf; -export const IsRuleEnabled = t.boolean; - -/** - * TODO: https://github.com/elastic/kibana/pull/142950 Add description - */ -export type IsRuleImmutable = t.TypeOf; -export const IsRuleImmutable = t.boolean; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index 7fd2393c44457..6501e82d54f4e 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -36,8 +36,6 @@ export const alias_purpose = t.union([ t.literal('savedObjectImport'), ]); -export const false_positives = t.array(t.string); - export const file_name = t.string; export type FileName = t.TypeOf; 
@@ -67,9 +65,6 @@ export const dataViewIdOrUndefined = t.union([data_view_id, t.undefined]); export const indexOrUndefined = t.union([index, t.undefined]); export type IndexOrUndefined = t.TypeOf; -export const interval = t.string; -export type Interval = t.TypeOf; - export const query = t.string; export type Query = t.TypeOf; @@ -133,18 +128,12 @@ export type QueryFilter = t.TypeOf; export const queryFilterOrUndefined = t.union([queryFilter, t.undefined]); export type QueryFilterOrUndefined = t.TypeOf; -export const references = t.array(t.string); -export type References = t.TypeOf; - export const signal_ids = t.array(t.string); export type SignalIds = t.TypeOf; // TODO: Can this be more strict or is this is the set of all Elastic Queries? export const signal_status_query = t.object; -export const tags = t.array(t.string); -export type Tags = t.TypeOf; - export const fields = t.array(t.string); export type Fields = t.TypeOf; export const fieldsOrUndefined = t.union([fields, t.undefined]); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts index 91ed75e1ed636..bae288f07c28b 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts @@ -14,8 +14,8 @@ import { action_id as actionId, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; -import { queryOrUndefined, tags, index } from '../common/schemas'; +import { RuleTags, TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; +import { queryOrUndefined, index } from '../common/schemas'; export enum BulkAction { 'enable' = 'enable', 
@@ -59,7 +59,7 @@ const bulkActionEditPayloadTags = t.type({ t.literal(BulkActionEditType.delete_tags), t.literal(BulkActionEditType.set_tags), ]), - value: tags, + value: RuleTags, }); export type BulkActionEditPayloadTags = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 2de43ebbc8d10..5e3a59609ae8c 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -23,7 +23,6 @@ import { throttle, } from '@kbn/securitysolution-io-ts-alerting-types'; import { listArray } from '@kbn/securitysolution-io-ts-list-types'; -import { version } from '@kbn/securitysolution-io-ts-types'; import { RuleExecutionSummary } from '../../rule_monitoring'; import { ResponseActionArray } from '../../rule_response_actions/schemas'; @@ -38,10 +37,15 @@ import { RiskScoreMapping, RuleAuthorArray, RuleDescription, + RuleFalsePositiveArray, + RuleInterval, RuleLicense, RuleName, RuleObjectId, + RuleReferenceArray, RuleSignatureId, + RuleTags, + RuleVersion, SetupGuide, Severity, SeverityMapping, @@ -59,16 +63,12 @@ import { rule_name_override, timestamp_override, timestamp_override_fallback_disabled, - false_positives, output_index, query, to, - references, saved_id, threshold, anomaly_threshold, - tags, - interval, outcome, alias_target_id, alias_purpose, 
@@ -165,45 +165,58 @@ interface APIParams< const baseParams = { required: { + // Main attributes name: RuleName, description: RuleDescription, - risk_score: RiskScore, + // Severity and risk score severity: Severity, + risk_score: RiskScore, }, optional: { - building_block_type, - note: InvestigationGuide, - license: RuleLicense, - outcome, - alias_target_id, - alias_purpose, - output_index, - timeline_id: TimelineTemplateId, - timeline_title: TimelineTemplateTitle, + // Main attributes meta, + // Field overrides rule_name_override, timestamp_override, timestamp_override_fallback_disabled, + // Reference to a timeline template + timeline_id: TimelineTemplateId, + timeline_title: TimelineTemplateTitle, + // Atributes related to SavedObjectsClient.resolve API + outcome, + alias_target_id, + alias_purpose, + // Misc attributes + license: RuleLicense, + note: InvestigationGuide, + building_block_type, + output_index, namespace, }, defaultable: { - tags, - interval, + // Main attributes + version: RuleVersion, + tags: RuleTags, enabled: IsRuleEnabled, - throttle, + // Field overrides + risk_score_mapping: RiskScoreMapping, + severity_mapping: SeverityMapping, + // Rule schedule + interval: RuleInterval, + from, + to, + // Rule actions actions, + throttle, + // Rule exceptions + exceptions_list: listArray, + // Misc attributes author: RuleAuthorArray, - false_positives, - from, + false_positives: RuleFalsePositiveArray, + references: RuleReferenceArray, // maxSignals not used in ML rules but probably should be used max_signals, - risk_score_mapping: RiskScoreMapping, - severity_mapping: SeverityMapping, threat: threats, - to, - references, - version, - exceptions_list: listArray, }, }; const { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index ad748d3cb71eb..c26e7ca12211d 100644 
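Review bot: The new grouping comment in the `optional` block is misspelled: `// Atributes related to SavedObjectsClient.resolve API` should read `// Attributes related to SavedObjectsClient.resolve API`. Separately, `meta` sits alone under `// Main attributes` in the optional section while the same label heads the required and defaultable sections, so a reader scanning the three blocks sees one heading with three different meanings; a label such as `// Arbitrary metadata` for that single entry would avoid the ambiguity. Both points are wording only; the codec is unchanged.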
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -5,6 +5,8 @@ * 2.0. */ +import * as t from 'io-ts'; + import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; import { threats, @@ -18,22 +20,36 @@ import { } from '@kbn/securitysolution-io-ts-alerting-types'; import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types'; import { listArray } from '@kbn/securitysolution-io-ts-list-types'; -import * as t from 'io-ts'; + import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; import { EventCategoryOverride, + InvestigationGuide, + IsRuleEnabled, + IsRuleImmutable, RelatedIntegrationArray, RequiredFieldArray, RiskScore, RiskScoreMapping, RuleAuthorArray, + RuleDescription, + RuleFalsePositiveArray, RuleLicense, + RuleName, + RuleObjectId, + RuleReferenceArray, + RuleSignatureId, + RuleTags, + RuleVersion, SetupGuide, Severity, SeverityMapping, TiebreakerField, + TimelineTemplateId, + TimelineTemplateTitle, TimestampField, } from '../../../../common/detection_engine/rule_schema'; + import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; import { alias_purpose as savedObjectResolveAliasPurpose, 
@@ -101,25 +117,25 @@ export const RuleSchema = t.intersection([ author: RuleAuthorArray, created_at: t.string, created_by: t.string, - description: t.string, - enabled: t.boolean, - false_positives: t.array(t.string), + description: RuleDescription, + enabled: IsRuleEnabled, + false_positives: RuleFalsePositiveArray, from: t.string, - id: t.string, + id: RuleObjectId, interval: t.string, - immutable: t.boolean, - name: t.string, + immutable: IsRuleImmutable, + name: RuleName, max_signals: t.number, - references: t.array(t.string), + references: RuleReferenceArray, related_integrations: RelatedIntegrationArray, required_fields: RequiredFieldArray, risk_score: RiskScore, risk_score_mapping: RiskScoreMapping, - rule_id: t.string, + rule_id: RuleSignatureId, severity: Severity, severity_mapping: SeverityMapping, setup: SetupGuide, - tags: t.array(t.string), + tags: RuleTags, type, to: t.string, threat: threats, @@ -154,17 +170,17 @@ export const RuleSchema = t.intersection([ threat_indicator_path, threat_mapping, threat_language, - timeline_id: t.string, - timeline_title: t.string, + timeline_id: TimelineTemplateId, + timeline_title: TimelineTemplateTitle, timestamp_override, timestamp_override_fallback_disabled, event_category_override: EventCategoryOverride, timestamp_field: TimestampField, tiebreaker_field: TiebreakerField, - note: t.string, + note: InvestigationGuide, exceptions_list: listArray, uuid: t.string, - version: t.number, + version: RuleVersion, execution_summary: RuleExecutionSummary, }), ]); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 494f7114c2165..e12195a728d8b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts 
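Review bot: `interval: t.string` (together with `from` and `to`) stays a raw string in `RuleSchema` while this hunk switches its neighbours to the shared codecs and the request schema in the same commit now uses `RuleInterval`; `interval: RuleInterval,` with `RuleInterval` added to the import from `rule_schema` would keep the client and request schemas in step. The server-side `internalRuleCreate`/`internalRuleUpdate` objects in the last file of this commit have the same gap in `schedule: t.type({ interval: t.string })`. `RuleInterval` and `t.string` validate identically today, so this is consistency rather than behaviour, but it means a later tightening of `RuleInterval` would silently miss these schemas. `RuleSchema` starts before this hunk.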
@@ -22,7 +22,6 @@ import { max_signals, } from '@kbn/securitysolution-io-ts-alerting-types'; import { listArray } from '@kbn/securitysolution-io-ts-list-types'; -import { version } from '@kbn/securitysolution-io-ts-types'; import { SIGNALS_ID, EQL_RULE_TYPE_ID, @@ -46,9 +45,13 @@ import { RiskScoreMapping, RuleAuthorArray, RuleDescription, + RuleFalsePositiveArray, RuleLicense, RuleName, + RuleReferenceArray, RuleSignatureId, + RuleTags, + RuleVersion, SetupGuide, Severity, SeverityMapping, @@ -60,7 +63,6 @@ import { import { buildingBlockTypeOrUndefined, namespaceOrUndefined, - false_positives, dataViewIdOrUndefined, indexOrUndefined, output_index, @@ -69,10 +71,8 @@ import { queryOrUndefined, filtersOrUndefined, ruleNameOverrideOrUndefined, - tags, timestampOverrideOrUndefined, to, - references, savedIdOrUndefined, saved_id, thresholdNormalized, @@ -93,7 +93,7 @@ export const baseRuleParams = t.exact( description: RuleDescription, namespace: namespaceOrUndefined, note: t.union([InvestigationGuide, t.undefined]), - falsePositives: false_positives, + falsePositives: RuleFalsePositiveArray, from, ruleId: RuleSignatureId, immutable: IsRuleImmutable, @@ -113,8 +113,8 @@ export const baseRuleParams = t.exact( timestampOverrideFallbackDisabled: timestampOverrideFallbackDisabledOrUndefined, threat: threats, to, - references, - version, + references: RuleReferenceArray, + version: RuleVersion, exceptionsList: listArray, relatedIntegrations: t.union([RelatedIntegrationArray, t.undefined]), requiredFields: t.union([RequiredFieldArray, t.undefined]), @@ -277,7 +277,7 @@ export const allRuleTypes = t.union([ export const internalRuleCreate = t.type({ name: RuleName, - tags, + tags: RuleTags, alertTypeId: allRuleTypes, consumer: t.literal(SERVER_APP_ID), schedule: t.type({ @@ -293,7 +293,7 @@ export type InternalRuleCreate = t.TypeOf; export const internalRuleUpdate = t.type({ name: RuleName, - tags, + tags: RuleTags, schedule: t.type({ interval: t.string, }), 
From dff7768ec4fab8955241c44c08e874e2f6d0dbe2 Mon Sep 17 00:00:00 2001 From: Georgii Gorbachev Date: Fri, 14 Oct 2022 04:47:52 +0200 Subject: [PATCH 05/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 1 + .../common_to_all_types/field_overrides.ts | 20 +++++++++++++++++++ .../schemas/common/schemas.ts | 12 ----------- .../schemas/request/rule_schemas.ts | 10 +++++----- .../rule_management/logic/types.ts | 8 ++++---- .../pages/detection_engine/rules/types.ts | 4 ++-- .../rule_schema/model/rule_schemas.ts | 8 ++++---- .../signals/build_events_query.ts | 13 +++++------- .../mappings/build_rule_name_from_mapping.ts | 10 +++++----- .../signals/single_search_after.ts | 7 ++----- .../threshold/find_threshold_signals.ts | 9 +++------ .../lib/detection_engine/signals/utils.ts | 6 ++---- 12 files changed, 53 insertions(+), 55 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index 1a202abbc57e5..c7f62ec62e045 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts @@ -5,6 +5,7 @@ * 2.0. */ +export * from './model/common_to_all_types/field_overrides'; export * from './model/common_to_all_types/main_attributes'; export * from './model/common_to_all_types/misc_attributes'; export * from './model/common_to_all_types/related_integrations'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts new file mode 100644 index 0000000000000..860d82ddfe398 --- /dev/null 
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type RuleNameOverride = t.TypeOf;
+export const RuleNameOverride = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type TimestampOverride = t.TypeOf;
+export const TimestampOverride = t.string; // should be non-empty string?
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
index 6501e82d54f4e..c8d2d85216784 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
@@ -78,12 +78,6 @@ export const saved_id = t.string;
 export const savedIdOrUndefined = t.union([saved_id, t.undefined]);
 export type SavedIdOrUndefined = t.TypeOf;
 
-export const timestamp_override = t.string;
-export type TimestampOverride = t.TypeOf;
-
-export const timestampOverrideOrUndefined = t.union([timestamp_override, t.undefined]);
-export type TimestampOverrideOrUndefined = t.TypeOf;
-
 export const anomaly_threshold = PositiveInteger;
 
 export const timestamp_override_fallback_disabled = t.boolean;
@@ -102,12 +96,6 @@ export type Meta = t.TypeOf; export const metaOrUndefined = t.union([meta, t.undefined]); export type MetaOrUndefined = t.TypeOf; -export const rule_name_override = t.string; -export type RuleNameOverride = t.TypeOf; - -export const ruleNameOverrideOrUndefined = t.union([rule_name_override, t.undefined]); -export type RuleNameOverrideOrUndefined = t.TypeOf; - export const status = t.keyof({ open: null, closed: null, diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 5e3a59609ae8c..793f515d881e2 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -41,6 +41,7 @@ import { RuleInterval, RuleLicense, RuleName, + RuleNameOverride, RuleObjectId, RuleReferenceArray, RuleSignatureId, @@ -53,6 +54,7 @@ import { TimelineTemplateId, TimelineTemplateTitle, TimestampField, + TimestampOverride, } from '../../rule_schema'; import { index, @@ -60,8 +62,6 @@ import { filters, building_block_type, meta, - rule_name_override, - timestamp_override, timestamp_override_fallback_disabled, output_index, query, @@ -176,10 +176,10 @@ const baseParams = { // Main attributes meta, // Field overrides - rule_name_override, - timestamp_override, + rule_name_override: RuleNameOverride, + timestamp_override: TimestampOverride, timestamp_override_fallback_disabled, - // Reference to a timeline template + // Timeline template timeline_id: TimelineTemplateId, timeline_title: TimelineTemplateTitle, // Atributes related to SavedObjectsClient.resolve API diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index c26e7ca12211d..06a3c3474e547 100644 
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -36,6 +36,7 @@ import { RuleFalsePositiveArray, RuleLicense, RuleName, + RuleNameOverride, RuleObjectId, RuleReferenceArray, RuleSignatureId, @@ -48,6 +49,7 @@ import { TimelineTemplateId, TimelineTemplateTitle, TimestampField, + TimestampOverride, } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; @@ -56,9 +58,7 @@ import { building_block_type, data_view_id, outcome as savedObjectResolveOutcome, - rule_name_override, threshold, - timestamp_override, timestamp_override_fallback_disabled, } from '../../../../common/detection_engine/schemas/common'; import type { @@ -161,7 +161,7 @@ export const RuleSchema = t.intersection([ history_window_start: t.string, output_index: t.string, query: t.string, - rule_name_override, + rule_name_override: RuleNameOverride, saved_id: t.string, threshold, threat_query, @@ -172,7 +172,7 @@ export const RuleSchema = t.intersection([ threat_language, timeline_id: TimelineTemplateId, timeline_title: TimelineTemplateTitle, - timestamp_override, + timestamp_override: TimestampOverride, timestamp_override_fallback_disabled, event_category_override: EventCategoryOverride, timestamp_field: TimestampField, diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index 2e66a18796813..520081e811a0b 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts 
@@ -27,15 +27,15 @@ import type { RiskScoreMapping, RuleAuthorArray, RuleLicense, + RuleNameOverride, SetupGuide, Severity, SeverityMapping, + TimestampOverride, } from '../../../../../common/detection_engine/rule_schema'; import type { BuildingBlockType, - RuleNameOverride, SortOrder, - TimestampOverride, } from '../../../../../common/detection_engine/schemas/common'; import type { EqlOptionsSelected } from '../../../../../common/search_strategy'; import type { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index e12195a728d8b..9cd7d7e6c3798 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -48,6 +48,7 @@ import { RuleFalsePositiveArray, RuleLicense, RuleName, + RuleNameOverride, RuleReferenceArray, RuleSignatureId, RuleTags, @@ -59,6 +60,7 @@ import { TimelineTemplateId, TimelineTemplateTitle, TimestampField, + TimestampOverride, } from '../../../../../common/detection_engine/rule_schema'; import { buildingBlockTypeOrUndefined, @@ -70,8 +72,6 @@ import { query, queryOrUndefined, filtersOrUndefined, - ruleNameOverrideOrUndefined, - timestampOverrideOrUndefined, to, savedIdOrUndefined, saved_id, @@ -106,10 +106,10 @@ export const baseRuleParams = t.exact( maxSignals: max_signals, riskScore: RiskScore, riskScoreMapping: RiskScoreMapping, - ruleNameOverride: ruleNameOverrideOrUndefined, + ruleNameOverride: t.union([RuleNameOverride, t.undefined]), severity: Severity, severityMapping: SeverityMapping, - timestampOverride: timestampOverrideOrUndefined, + timestampOverride: t.union([TimestampOverride, t.undefined]), timestampOverrideFallbackDisabled: timestampOverrideFallbackDisabledOrUndefined, threat: threats, to, 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts index e3b05756709cc..b5f0615f09105 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts @@ -7,11 +7,8 @@ import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; import { isEmpty } from 'lodash'; import type { Filter } from '@kbn/es-query'; -import type { - FiltersOrUndefined, - TimestampOverrideOrUndefined, - TimestampOverride, -} from '../../../../common/detection_engine/schemas/common/schemas'; +import type { TimestampOverride } from '../../../../common/detection_engine/rule_schema'; +import type { FiltersOrUndefined } from '../../../../common/detection_engine/schemas/common/schemas'; import { getQueryFilter } from './get_query_filter'; interface BuildEventsSearchQuery { @@ -25,7 +22,7 @@ interface BuildEventsSearchQuery { sortOrder?: estypes.SortOrder; searchAfterSortIds: estypes.SortResults | undefined; primaryTimestamp: TimestampOverride; - secondaryTimestamp: TimestampOverrideOrUndefined; + secondaryTimestamp: TimestampOverride | undefined; trackTotalHits?: boolean; } @@ -37,7 +34,7 @@ interface BuildEqlSearchRequestParams { size: number; filters: FiltersOrUndefined; primaryTimestamp: TimestampOverride; - secondaryTimestamp: TimestampOverrideOrUndefined; + secondaryTimestamp: TimestampOverride | undefined; runtimeMappings: estypes.MappingRuntimeFields | undefined; eventCategoryOverride?: string; timestampField?: string; 
@@ -54,7 +51,7 @@ const buildTimeRangeFilter = ({ to: string; from: string; primaryTimestamp: TimestampOverride; - secondaryTimestamp: TimestampOverrideOrUndefined; + secondaryTimestamp: TimestampOverride | undefined; }): estypes.QueryDslQueryContainer => { // The primaryTimestamp is always provided and will contain either the timestamp override field or `@timestamp` otherwise. // The secondaryTimestamp is `undefined` if diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts index 8f57ba926df2e..8afc70fc73e31 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts @@ -8,17 +8,17 @@ import * as t from 'io-ts'; import { get } from 'lodash/fp'; -import type { RuleName } from '../../../../../common/detection_engine/rule_schema'; import type { - Meta, - RuleNameOverrideOrUndefined, -} from '../../../../../common/detection_engine/schemas/common/schemas'; + RuleName, + RuleNameOverride, +} from '../../../../../common/detection_engine/rule_schema'; +import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SignalSource } from '../types'; interface BuildRuleNameFromMappingProps { eventSource: SignalSource; ruleName: RuleName; - ruleNameMapping: RuleNameOverrideOrUndefined; + ruleNameMapping: RuleNameOverride | undefined; } interface BuildRuleNameFromMappingReturn { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts index 0a0534e887c5e..04fec0e21a467 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/single_search_after.ts @@ -14,10 +14,7 @@ import type { import type { SignalSearchResponse, SignalSource } from './types'; import { buildEventsSearchQuery } from './build_events_query'; import { createErrorsFromShard, makeFloatString } from './utils'; -import type { - TimestampOverride, - TimestampOverrideOrUndefined, -} from '../../../../common/detection_engine/schemas/common/schemas'; +import type { TimestampOverride } from '../../../../common/detection_engine/rule_schema'; import { withSecuritySpan } from '../../../utils/with_security_span'; import type { IRuleExecutionLogForExecutors } from '../rule_monitoring'; @@ -33,7 +30,7 @@ interface SingleSearchAfterParams { sortOrder?: estypes.SortOrder; filter: estypes.QueryDslQueryContainer; primaryTimestamp: TimestampOverride; - secondaryTimestamp: TimestampOverrideOrUndefined; + secondaryTimestamp: TimestampOverride | undefined; trackTotalHits?: boolean; runtimeMappings: estypes.MappingRuntimeFields | undefined; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts index 63e293401a77a..af7f3f9e16628 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts 
@@ -14,11 +14,8 @@ import type { } from '@kbn/alerting-plugin/server'; import type { ESBoolQuery } from '../../../../../common/typed_json'; -import type { - ThresholdNormalized, - TimestampOverride, - TimestampOverrideOrUndefined, -} from '../../../../../common/detection_engine/schemas/common/schemas'; +import type { TimestampOverride } from '../../../../../common/detection_engine/rule_schema'; +import type { ThresholdNormalized } from '../../../../../common/detection_engine/schemas/common/schemas'; import { singleSearchAfter } from '../single_search_after'; import { buildThresholdMultiBucketAggregation, @@ -43,7 +40,7 @@ interface FindThresholdSignalsParams { threshold: ThresholdNormalized; runtimeMappings: estypes.MappingRuntimeFields | undefined; primaryTimestamp: TimestampOverride; - secondaryTimestamp: TimestampOverrideOrUndefined; + secondaryTimestamp: TimestampOverride | undefined; aggregatableTimestampField: string; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts index 82b57a3c613e3..c8a98aeabd82a 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts @@ -31,10 +31,8 @@ import type { } from '@kbn/alerting-plugin/server'; import { parseDuration } from '@kbn/alerting-plugin/server'; import type { ExceptionListClient, ListClient, ListPluginSetup } from '@kbn/lists-plugin/server'; -import type { - TimestampOverride, - Privilege, -} from '../../../../common/detection_engine/schemas/common'; +import type { TimestampOverride } from '../../../../common/detection_engine/rule_schema'; +import type { Privilege } from '../../../../common/detection_engine/schemas/common'; import { RuleExecutionStatus } from '../../../../common/detection_engine/rule_monitoring'; import type { BulkResponseErrorAggregation, 
From fdbde2e74ca18e0c5a36d64dccc20253d189f228 Mon Sep 17 00:00:00 2001
From: Georgii Gorbachev
Date: Fri, 14 Oct 2022 05:03:34 +0200
Subject: [PATCH 06/11] TEMP COMMIT. REBASE ME

---
 .../model/common_to_all_types/field_overrides.ts | 6 ++++++
 .../model/common_to_all_types/main_attributes.ts | 8 ++++++++
 .../detection_engine/schemas/common/schemas.ts | 16 ----------------
 .../schemas/request/rule_schemas.ts | 8 ++++----
 .../rule_management/logic/types.ts | 4 ++--
 .../rule_schema/model/rule_schemas.ts | 8 ++++----
 .../mappings/build_risk_score_from_mapping.ts | 4 ++--
 .../mappings/build_rule_name_from_mapping.ts | 4 ++--
 .../mappings/build_severity_from_mapping.ts | 4 ++--
 9 files changed, 30 insertions(+), 32 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts
index 860d82ddfe398..1853932bdfe3a 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/field_overrides.ts
@@ -18,3 +18,9 @@ export const RuleNameOverride = t.string; // should be non-empty string?
 */
 export type TimestampOverride = t.TypeOf;
 export const TimestampOverride = t.string; // should be non-empty string?
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type TimestampOverrideFallbackDisabled = t.TypeOf;
+export const TimestampOverrideFallbackDisabled = t.boolean;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts
index 4384164c26b59..02782922b0b8d 100644
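Review bot: `TimestampOverrideFallbackDisabled` is introduced with only a `TODO … Add description` placeholder, yet its meaning can be stated from code this patch series already touches: the `build_events_query.ts` comment in the previous patch says the primary timestamp is the override field or `@timestamp`, and a secondary timestamp presumably carries the fallback. A description such as `When true, a rule with a timestamp_override does not fall back to @timestamp for documents that lack the override field` would replace the placeholder — hedged until checked against the executor, since the fallback logic itself is outside this hunk. A short note that the flag is only meaningful together with `timestamp_override` would also help readers of the request schema, where the three fields sit side by side.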
--- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts @@ -48,6 +48,14 @@ export const RuleVersion = version; export type RuleTags = t.TypeOf; export const RuleTags = t.array(t.string); // should be non-empty strings? +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + * Note that this is a non-exact io-ts type as we allow extra meta information + * to be added to the meta object + */ +export type RuleMetadata = t.TypeOf; +export const RuleMetadata = t.object; // should be a more specific type? + /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index c8d2d85216784..8f238df685e1a 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -80,22 +80,6 @@ export type SavedIdOrUndefined = t.TypeOf; export const anomaly_threshold = PositiveInteger; -export const timestamp_override_fallback_disabled = t.boolean; - -export const timestampOverrideFallbackDisabledOrUndefined = t.union([ - timestamp_override_fallback_disabled, - t.undefined, -]); - -/** - * Note that this is a non-exact io-ts type as we allow extra meta information - * to be added to the meta object - */ -export const meta = t.object; -export type Meta = t.TypeOf; -export const metaOrUndefined = t.union([meta, t.undefined]); -export type MetaOrUndefined = t.TypeOf; - export const status = t.keyof({ open: null, closed: null, 
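Review bot: `RuleMetadata = t.object` leaves the inline question `// should be a more specific type?` open, and the doc comment only says the codec is non-exact. As far as I recall, io-ts `t.object` only checks for a non-null object, so arrays pass too, which means `meta` from a request body is persisted on the rule with no shape check at all (`meta: t.union([RuleMetadata, t.undefined])` in the server `rule_schemas.ts` hunk of this patch). If a free-form dictionary is the intent, `t.record(t.string, t.unknown)` states it and rejects arrays; in either case the `TODO … Add description` line could become `Free-form, client-supplied metadata stored on the rule; the detection engine does not interpret its contents` — confirm that nothing server-side reads specific keys before asserting that, since the mapping helpers renamed later in this patch also return values of this type.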
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 793f515d881e2..768c0bc8ffcbd 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -40,6 +40,7 @@ import { RuleFalsePositiveArray, RuleInterval, RuleLicense, + RuleMetadata, RuleName, RuleNameOverride, RuleObjectId, @@ -55,14 +56,13 @@ import { TimelineTemplateTitle, TimestampField, TimestampOverride, + TimestampOverrideFallbackDisabled, } from '../../rule_schema'; import { index, data_view_id, filters, building_block_type, - meta, - timestamp_override_fallback_disabled, output_index, query, to, @@ -174,11 +174,11 @@ const baseParams = { }, optional: { // Main attributes - meta, + meta: RuleMetadata, // Field overrides rule_name_override: RuleNameOverride, timestamp_override: TimestampOverride, - timestamp_override_fallback_disabled, + timestamp_override_fallback_disabled: TimestampOverrideFallbackDisabled, // Timeline template timeline_id: TimelineTemplateId, timeline_title: TimelineTemplateTitle, diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index 06a3c3474e547..b2ff66efeaa85 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -50,6 +50,7 @@ import { TimelineTemplateTitle, TimestampField, TimestampOverride, + TimestampOverrideFallbackDisabled, } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; 
@@ -59,7 +60,6 @@ import { data_view_id, outcome as savedObjectResolveOutcome, threshold, - timestamp_override_fallback_disabled, } from '../../../../common/detection_engine/schemas/common'; import type { CreateRulesSchema, @@ -173,7 +173,7 @@ export const RuleSchema = t.intersection([ timeline_id: TimelineTemplateId, timeline_title: TimelineTemplateTitle, timestamp_override: TimestampOverride, - timestamp_override_fallback_disabled, + timestamp_override_fallback_disabled: TimestampOverrideFallbackDisabled, event_category_override: EventCategoryOverride, timestamp_field: TimestampField, tiebreaker_field: TiebreakerField, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 9cd7d7e6c3798..bc911421471ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -47,6 +47,7 @@ import { RuleDescription, RuleFalsePositiveArray, RuleLicense, + RuleMetadata, RuleName, RuleNameOverride, RuleReferenceArray, @@ -61,6 +62,7 @@ import { TimelineTemplateTitle, TimestampField, TimestampOverride, + TimestampOverrideFallbackDisabled, } from '../../../../../common/detection_engine/rule_schema'; import { buildingBlockTypeOrUndefined, @@ -68,7 +70,6 @@ import { dataViewIdOrUndefined, indexOrUndefined, output_index, - metaOrUndefined, query, queryOrUndefined, filtersOrUndefined, @@ -79,7 +80,6 @@ import { anomaly_threshold, newTermsFields, historyWindowStart, - timestampOverrideFallbackDisabledOrUndefined, } from '../../../../../common/detection_engine/schemas/common'; import { SERVER_APP_ID } from '../../../../../common/constants'; import { ResponseActionRuleParamsOrUndefined } from '../../../../../common/detection_engine/rule_response_actions/schemas'; 
@@ -101,7 +101,7 @@ export const baseRuleParams = t.exact( outputIndex: output_index, timelineId: t.union([TimelineTemplateId, t.undefined]), timelineTitle: t.union([TimelineTemplateTitle, t.undefined]), - meta: metaOrUndefined, + meta: t.union([RuleMetadata, t.undefined]), // maxSignals not used in ML rules but probably should be used maxSignals: max_signals, riskScore: RiskScore, @@ -110,7 +110,7 @@ export const baseRuleParams = t.exact( severity: Severity, severityMapping: SeverityMapping, timestampOverride: t.union([TimestampOverride, t.undefined]), - timestampOverrideFallbackDisabled: timestampOverrideFallbackDisabledOrUndefined, + timestampOverrideFallbackDisabled: t.union([TimestampOverrideFallbackDisabled, t.undefined]), threat: threats, to, references: RuleReferenceArray, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts index 42f8469dacc1a..2c138401c1910 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts @@ -10,8 +10,8 @@ import { get } from 'lodash/fp'; import type { RiskScore, RiskScoreMapping, + RuleMetadata, } from '../../../../../common/detection_engine/rule_schema'; -import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SignalSource } from '../types'; export interface BuildRiskScoreFromMappingProps { @@ -22,7 +22,7 @@ export interface BuildRiskScoreFromMappingProps { export interface BuildRiskScoreFromMappingReturn { riskScore: RiskScore; - riskScoreMeta: Meta; // TODO: Stricter types + riskScoreMeta: RuleMetadata; // TODO: Stricter types } /** 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts index 8afc70fc73e31..933a330a77098 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_rule_name_from_mapping.ts @@ -9,10 +9,10 @@ import * as t from 'io-ts'; import { get } from 'lodash/fp'; import type { + RuleMetadata, RuleName, RuleNameOverride, } from '../../../../../common/detection_engine/rule_schema'; -import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SignalSource } from '../types'; interface BuildRuleNameFromMappingProps { @@ -23,7 +23,7 @@ interface BuildRuleNameFromMappingProps { interface BuildRuleNameFromMappingReturn { ruleName: RuleName; - ruleNameMeta: Meta; // TODO: Stricter types + ruleNameMeta: RuleMetadata; // TODO: Stricter types } export const buildRuleNameFromMapping = ({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts index bcc41c8939053..373aa05a71335 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_severity_from_mapping.ts 
@@ -8,11 +8,11 @@ import { get } from 'lodash/fp'; import type { + RuleMetadata, SeverityMapping, SeverityMappingItem, } from '../../../../../common/detection_engine/rule_schema'; import { Severity } from '../../../../../common/detection_engine/rule_schema'; -import type { Meta } from '../../../../../common/detection_engine/schemas/common/schemas'; import type { SearchTypes } from '../../../../../common/detection_engine/types'; import type { SignalSource } from '../types'; @@ -24,7 +24,7 @@ export interface BuildSeverityFromMappingProps { export interface BuildSeverityFromMappingReturn { severity: Severity; - severityMeta: Meta; // TODO: Stricter types + severityMeta: RuleMetadata; // TODO: Stricter types } const severitySortMapping = { From 5a6fa0c8f5377e0994c88e8540031726067fe2ea Mon Sep 17 00:00:00 2001 From: Georgii Gorbachev Date: Fri, 14 Oct 2022 05:22:10 +0200 Subject: [PATCH 07/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 1 + .../model/common_to_all_types/saved_object.ts | 35 +++++++++++++++++++ .../schemas/common/schemas.ts | 15 -------- .../schemas/request/rule_schemas.ts | 12 +++---- .../common/types/timeline/index.ts | 13 ++++--- .../rule_management/logic/types.ts | 11 +++--- 6 files changed, 56 insertions(+), 31 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/saved_object.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index c7f62ec62e045..426b96d763c14 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts 
@@ -12,6 +12,7 @@ export * from './model/common_to_all_types/related_integrations';
 export * from './model/common_to_all_types/required_fields';
 export * from './model/common_to_all_types/risk_score';
 export * from './model/common_to_all_types/rule_schedule';
+export * from './model/common_to_all_types/saved_object';
 export * from './model/common_to_all_types/severity';
 export * from './model/common_to_all_types/timeline_template';
diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/saved_object.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/saved_object.ts
new file mode 100644
index 0000000000000..2893749fac199
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/saved_object.ts
@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ * Outcome is a property of the saved object resolve api
+ * will tell us info about the rule after 8.0 migrations
+ */
+export type SavedObjectResolveOutcome = t.TypeOf;
+export const SavedObjectResolveOutcome = t.union([
+ t.literal('exactMatch'),
+ t.literal('aliasMatch'),
+ t.literal('conflict'),
+]);
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type SavedObjectResolveAliasTargetId = t.TypeOf;
+export const SavedObjectResolveAliasTargetId = t.string;
+
+/**
+ * TODO: https://github.com/elastic/kibana/pull/142950 Add description
+ */
+export type SavedObjectResolveAliasPurpose = t.TypeOf;
+export const SavedObjectResolveAliasPurpose = t.union([
+ t.literal('savedObjectConversion'),
+ t.literal('savedObjectImport'),
+]);
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
index 8f238df685e1a..cce55af09dba4 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
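Review bot: The three new codecs carry only the old two-line remark about the resolve API, while the same patch keeps accepting them as client input (`outcome`, `alias_target_id`, `alias_purpose` under `baseParams.optional` in `schemas/request/rule_schemas.ts`, next hunk). If they are populated by the server from `SavedObjectsClient.resolve` and only meaningful in responses, the doc comment should say so, e.g. `Populated by the server from the SavedObjectsClient.resolve result; clients are not expected to send it` — confirm whether the request handlers ignore client-supplied values, since the hunk alone cannot show that. The carried-over text `Outcome is a property of the saved object resolve api will tell us info about the rule after 8.0 migrations` reads as two fused sentences; `How the rule's saved object was resolved after the 8.0 migrations: exact id match, alias match, or conflict` would be clearer and matches the three literals.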
@@ -21,21 +21,6 @@ export type BuildingBlockType = t.TypeOf; export const buildingBlockTypeOrUndefined = t.union([building_block_type, t.undefined]); -// outcome is a property of the saved object resolve api -// will tell us info about the rule after 8.0 migrations -export const outcome = t.union([ - t.literal('exactMatch'), - t.literal('aliasMatch'), - t.literal('conflict'), -]); -export type Outcome = t.TypeOf; - -export const alias_target_id = t.string; -export const alias_purpose = t.union([ - t.literal('savedObjectConversion'), - t.literal('savedObjectImport'), -]); - export const file_name = t.string; export type FileName = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 768c0bc8ffcbd..21a8b7623d064 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -48,6 +48,9 @@ import { RuleSignatureId, RuleTags, RuleVersion, + SavedObjectResolveAliasPurpose, + SavedObjectResolveAliasTargetId, + SavedObjectResolveOutcome, SetupGuide, Severity, SeverityMapping, @@ -69,9 +72,6 @@ import { saved_id, threshold, anomaly_threshold, - outcome, - alias_target_id, - alias_purpose, updated_at, updated_by, created_at, @@ -183,9 +183,9 @@ const baseParams = { timeline_id: TimelineTemplateId, timeline_title: TimelineTemplateTitle, // Atributes related to SavedObjectsClient.resolve API - outcome, - alias_target_id, - alias_purpose, + outcome: SavedObjectResolveOutcome, + alias_target_id: SavedObjectResolveAliasTargetId, + alias_purpose: SavedObjectResolveAliasPurpose, // Misc attributes license: RuleLicense, note: InvestigationGuide, 
diff --git a/x-pack/plugins/security_solution/common/types/timeline/index.ts b/x-pack/plugins/security_solution/common/types/timeline/index.ts index 9136827dfd764..31cadf99ed059 100644 --- a/x-pack/plugins/security_solution/common/types/timeline/index.ts +++ b/x-pack/plugins/security_solution/common/types/timeline/index.ts @@ -14,8 +14,11 @@ import { NoteSavedObjectToReturnRuntimeType } from './note'; import type { PinnedEvent } from './pinned_event'; import { PinnedEventToReturnSavedObjectRuntimeType } from './pinned_event'; import { - alias_purpose as savedObjectResolveAliasPurpose, - outcome as savedObjectResolveOutcome, + SavedObjectResolveAliasPurpose, + SavedObjectResolveAliasTargetId, + SavedObjectResolveOutcome, +} from '../../detection_engine/rule_schema'; +import { success, success_count as successCount, } from '../../detection_engine/schemas/common/schemas'; @@ -373,11 +376,11 @@ export type SingleTimelineResponse = runtimeTypes.TypeOf Date: Fri, 14 Oct 2022 05:42:57 +0200 Subject: [PATCH 08/11] TEMP COMMIT. REBASE ME --- .../model/common_to_all_types/main_attributes.ts | 4 ++-- .../model/common_to_all_types/rule_schedule.ts | 14 ++++++++++++++ .../detection_engine/schemas/common/schemas.ts | 4 ---- .../schemas/request/perform_bulk_action_schema.ts | 4 ++-- .../schemas/request/rule_schemas.ts | 12 ++++++------ .../rule_management/logic/types.ts | 13 ++++++++----- .../rule_schema/model/rule_schemas.ts | 14 +++++++------- 7 files changed, 39 insertions(+), 26 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts index 02782922b0b8d..c154970cdada9 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts 
+++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/main_attributes.ts @@ -45,8 +45,8 @@ export const RuleVersion = version; /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ -export type RuleTags = t.TypeOf; -export const RuleTags = t.array(t.string); // should be non-empty strings? +export type RuleTagArray = t.TypeOf; +export const RuleTagArray = t.array(t.string); // should be non-empty strings? /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts index 1312138cf23dd..586ee61c744d2 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_schedule.ts @@ -6,9 +6,23 @@ */ import * as t from 'io-ts'; +import { from } from '@kbn/securitysolution-io-ts-alerting-types'; /** * TODO: https://github.com/elastic/kibana/pull/142950 Add description */ export type RuleInterval = t.TypeOf; export const RuleInterval = t.string; // should be non-empty more specific string + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleIntervalFrom = t.TypeOf; +export const RuleIntervalFrom = from; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + * TODO: Create a regular expression type or custom date math part type here + */ +export type RuleIntervalTo = t.TypeOf; +export const RuleIntervalTo = t.string; 
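Review bot: `RuleIntervalTo` is declared as a plain `t.string` while `RuleIntervalFrom` reuses the `from` codec from the alerting types package, so the two bounds of a rule's lookback window are validated asymmetrically and a malformed `to` is only discovered when the rule executes rather than at request time. The inline TODO acknowledges this, but since the new type is wired into both the request schema and the server params schema later in this series, the header comment should state the gap explicitly, e.g. `// Accepts any string for now; unlike RuleIntervalFrom it is not validated as date math (see TODO above).`. If `from` validates date-math expressions as its name suggests, a `to` codec applying the same check would close the gap without changing the accepted values in practice.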
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index cce55af09dba4..8d00b8cf6e7e8 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -75,10 +75,6 @@ export type Status = t.TypeOf; export const conflicts = t.keyof({ abort: null, proceed: null }); -// TODO: Create a regular expression type or custom date math part type here -export const to = t.string; -export type To = t.TypeOf; - export const queryFilter = t.string; export type QueryFilter = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts index bae288f07c28b..b27ab77eb74e5 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts @@ -14,7 +14,7 @@ import { action_id as actionId, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { RuleTags, TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; +import { RuleTagArray, TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; import { queryOrUndefined, index } from '../common/schemas'; export enum BulkAction { @@ -59,7 +59,7 @@ const bulkActionEditPayloadTags = t.type({ t.literal(BulkActionEditType.delete_tags), t.literal(BulkActionEditType.set_tags), ]), - value: RuleTags, + value: RuleTagArray, }); export type BulkActionEditPayloadTags = t.TypeOf; 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 21a8b7623d064..b589eb0699254 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -9,7 +9,6 @@ import * as t from 'io-ts'; import { actions, - from, machine_learning_job_id, threat_filters, threat_query, @@ -39,6 +38,8 @@ import { RuleDescription, RuleFalsePositiveArray, RuleInterval, + RuleIntervalFrom, + RuleIntervalTo, RuleLicense, RuleMetadata, RuleName, @@ -46,7 +47,7 @@ import { RuleObjectId, RuleReferenceArray, RuleSignatureId, - RuleTags, + RuleTagArray, RuleVersion, SavedObjectResolveAliasPurpose, SavedObjectResolveAliasTargetId, @@ -68,7 +69,6 @@ import { building_block_type, output_index, query, - to, saved_id, threshold, anomaly_threshold, @@ -196,15 +196,15 @@ const baseParams = { defaultable: { // Main attributes version: RuleVersion, - tags: RuleTags, + tags: RuleTagArray, enabled: IsRuleEnabled, // Field overrides risk_score_mapping: RiskScoreMapping, severity_mapping: SeverityMapping, // Rule schedule interval: RuleInterval, - from, - to, + from: RuleIntervalFrom, + to: RuleIntervalTo, // Rule actions actions, throttle, diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index efb1c6b121c9a..f30be7f65f1a9 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts 
@@ -34,13 +34,16 @@ import { RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, + RuleInterval, + RuleIntervalFrom, + RuleIntervalTo, RuleLicense, RuleName, RuleNameOverride, RuleObjectId, RuleReferenceArray, RuleSignatureId, - RuleTags, + RuleTagArray, RuleVersion, SavedObjectResolveAliasPurpose, SavedObjectResolveAliasTargetId, @@ -121,9 +124,9 @@ export const RuleSchema = t.intersection([ description: RuleDescription, enabled: IsRuleEnabled, false_positives: RuleFalsePositiveArray, - from: t.string, + from: RuleIntervalFrom, id: RuleObjectId, - interval: t.string, + interval: RuleInterval, immutable: IsRuleImmutable, name: RuleName, max_signals: t.number, @@ -136,9 +139,9 @@ export const RuleSchema = t.intersection([ severity: Severity, severity_mapping: SeverityMapping, setup: SetupGuide, - tags: RuleTags, + tags: RuleTagArray, type, - to: t.string, + to: RuleIntervalTo, threat: threats, updated_at: t.string, updated_by: t.string, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index bc911421471ed..18a750b422be8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -9,7 +9,6 @@ import * as t from 'io-ts'; import { actionsCamel, - from, machine_learning_job_id_normalized, threat_mapping, threat_index, @@ -46,13 +45,15 @@ import { RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, + RuleIntervalFrom, + RuleIntervalTo, RuleLicense, RuleMetadata, RuleName, RuleNameOverride, RuleReferenceArray, RuleSignatureId, - RuleTags, + RuleTagArray, RuleVersion, SetupGuide, Severity, @@ -73,7 +74,6 @@ import { query, queryOrUndefined, filtersOrUndefined, - to, savedIdOrUndefined, saved_id, thresholdNormalized, 
@@ -94,7 +94,7 @@ export const baseRuleParams = t.exact( namespace: namespaceOrUndefined, note: t.union([InvestigationGuide, t.undefined]), falsePositives: RuleFalsePositiveArray, - from, + from: RuleIntervalFrom, ruleId: RuleSignatureId, immutable: IsRuleImmutable, license: t.union([RuleLicense, t.undefined]), @@ -112,7 +112,7 @@ export const baseRuleParams = t.exact( timestampOverride: t.union([TimestampOverride, t.undefined]), timestampOverrideFallbackDisabled: t.union([TimestampOverrideFallbackDisabled, t.undefined]), threat: threats, - to, + to: RuleIntervalTo, references: RuleReferenceArray, version: RuleVersion, exceptionsList: listArray, @@ -277,7 +277,7 @@ export const allRuleTypes = t.union([ export const internalRuleCreate = t.type({ name: RuleName, - tags: RuleTags, + tags: RuleTagArray, alertTypeId: allRuleTypes, consumer: t.literal(SERVER_APP_ID), schedule: t.type({ @@ -293,7 +293,7 @@ export type InternalRuleCreate = t.TypeOf; export const internalRuleUpdate = t.type({ name: RuleName, - tags: RuleTags, + tags: RuleTagArray, schedule: t.type({ interval: t.string, }), From 54201101d8fc99199b35a64e25051e9d3a997fab Mon Sep 17 00:00:00 2001 
From: Georgii Gorbachev Date: Fri, 14 Oct 2022 07:17:50 +0200 Subject: [PATCH 09/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/index.ts | 3 ++ .../model/common_to_all_types/rule_actions.ts | 27 ++++++++++ .../rule_schema/model/temp.ts | 52 +++++++++++++++++++ .../schemas/common/schemas.ts | 15 ------ .../create_signals_migration_schema.ts | 4 +- .../request/perform_bulk_action_schema.ts | 11 ++-- .../schemas/request/rule_schemas.ts | 46 ++++++++-------- .../logic/use_add_exception.tsx | 4 +- .../rule_management/logic/types.ts | 20 ++++--- .../exceptions/get_es_query_filter.ts | 5 +- .../pages/detection_engine/rules/types.ts | 6 +-- .../rule_schema/model/rule_schemas.ts | 38 +++++++------- .../detection_engine/signals/get_filter.ts | 4 +- .../signals/get_query_filter.ts | 5 +- 14 files changed, 155 insertions(+), 85 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_actions.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts index 426b96d763c14..bd8404a8ec2a5 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/index.ts @@ -11,6 +11,7 @@ export * from './model/common_to_all_types/misc_attributes'; export * from './model/common_to_all_types/related_integrations'; export * from './model/common_to_all_types/required_fields'; export * from './model/common_to_all_types/risk_score'; +export * from './model/common_to_all_types/rule_actions'; export * from './model/common_to_all_types/rule_schedule'; export * from './model/common_to_all_types/saved_object'; export * from './model/common_to_all_types/severity'; 
@@ -23,3 +24,5 @@ export * from './model/specific_to_indicator_match/temp'; export * from './model/specific_to_new_terms/temp'; export * from './model/specific_to_query/temp'; export * from './model/specific_to_threshold/temp'; + +export * from './model/temp'; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_actions.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_actions.ts new file mode 100644 index 0000000000000..c72b38700f764 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/common_to_all_types/rule_actions.ts @@ -0,0 +1,27 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type * as t from 'io-ts'; +import { action, actions, throttle } from '@kbn/securitysolution-io-ts-alerting-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleAction = t.TypeOf; +export const RuleAction = action; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleActionArray = t.TypeOf; +export const RuleActionArray = actions; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleActionThrottle = t.TypeOf; +export const RuleActionThrottle = throttle; diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts new file mode 100644 index 0000000000000..8bed07a8ff529 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts 
@@ -0,0 +1,52 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import * as t from 'io-ts'; +import { listArray } from '@kbn/securitysolution-io-ts-list-types'; +import { max_signals, threat } from '@kbn/securitysolution-io-ts-alerting-types'; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type BuildingBlockType = t.TypeOf; +export const BuildingBlockType = t.string; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type AlertsIndex = t.TypeOf; +export const AlertsIndex = t.string; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type AlertsIndexNamespace = t.TypeOf; +export const AlertsIndexNamespace = t.string; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type ExceptionListArray = t.TypeOf; +export const ExceptionListArray = listArray; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type MaxSignals = t.TypeOf; +export const MaxSignals = max_signals; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type ThreatArray = t.TypeOf; +export const ThreatArray = t.array(threat); + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type IndexPatternArray = t.TypeOf; +export const IndexPatternArray = t.array(t.string); diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index 8d00b8cf6e7e8..a7460963d1d03 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts 
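Review bot: `AlertsIndexNamespace`, `AlertsIndex` and `BuildingBlockType` are all bare `t.string`, so the request schema that adopts them later in this commit accepts empty or arbitrary values for fields which, judging by their names, end up in an alerts index name or act as a fixed marker; the `TODO ... Add description` headers could at least record the intended constraint, e.g. `Namespace suffix of the alerts index a rule writes to. Currently any string; should be restricted to characters legal in an index name.`. `IndexPatternArray = t.array(t.string)` likewise admits `[]` and `''` entries, which is worth stating if it is deliberate. Exporting this module as `./model/temp` from the package index (previous hunk) puts a placeholder name on the public surface of `rule_schema`, so every importer will need touching again when it is renamed; a descriptive module name now would avoid that churn.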
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -16,20 +16,12 @@ import { LimitedSizeArray, } from '@kbn/securitysolution-io-ts-types'; -export const building_block_type = t.string; -export type BuildingBlockType = t.TypeOf; - -export const buildingBlockTypeOrUndefined = t.union([building_block_type, t.undefined]); - export const file_name = t.string; export type FileName = t.TypeOf; export const exclude_export_details = t.boolean; export type ExcludeExportDetails = t.TypeOf; -export const namespace = t.string; -export type Namespace = t.TypeOf; - /** * TODO: Right now the filters is an "unknown", when it could more than likely * become the actual ESFilter as a type. @@ -47,17 +39,12 @@ export const data_view_id = t.string; export const dataViewIdOrUndefined = t.union([data_view_id, t.undefined]); -export const indexOrUndefined = t.union([index, t.undefined]); -export type IndexOrUndefined = t.TypeOf; - export const query = t.string; export type Query = t.TypeOf; export const queryOrUndefined = t.union([query, t.undefined]); export type QueryOrUndefined = t.TypeOf; -export const output_index = t.string; - export const saved_id = t.string; export const savedIdOrUndefined = t.union([saved_id, t.undefined]); @@ -175,8 +162,6 @@ export const timelines_updated = PositiveInteger; export const timelines_not_installed = PositiveInteger; export const timelines_not_updated = PositiveInteger; -export const namespaceOrUndefined = t.union([namespace, t.undefined]); - export const indexRecord = t.record( t.string, t.type({ diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_signals_migration_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_signals_migration_schema.ts index 55267c27ee37f..1eba4855bf0d3 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_signals_migration_schema.ts 
+++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_signals_migration_schema.ts @@ -8,7 +8,7 @@ import * as t from 'io-ts'; import { PositiveInteger, PositiveIntegerGreaterThanZero } from '@kbn/securitysolution-io-ts-types'; -import { index } from '../common/schemas'; +import { IndexPatternArray } from '../../rule_schema'; export const signalsReindexOptions = t.partial({ requests_per_second: t.number, @@ -21,7 +21,7 @@ export type SignalsReindexOptions = t.TypeOf; export const createSignalsMigrationSchema = t.intersection([ t.exact( t.type({ - index, + index: IndexPatternArray, }) ), t.exact(signalsReindexOptions), diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts index b27ab77eb74e5..4f516bcb2eaa9 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts @@ -14,8 +14,13 @@ import { action_id as actionId, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { RuleTagArray, TimelineTemplateId, TimelineTemplateTitle } from '../../rule_schema'; -import { queryOrUndefined, index } from '../common/schemas'; +import { + IndexPatternArray, + RuleTagArray, + TimelineTemplateId, + TimelineTemplateTitle, +} from '../../rule_schema'; +import { queryOrUndefined } from '../common/schemas'; export enum BulkAction { 'enable' = 'enable', @@ -71,7 +76,7 @@ const bulkActionEditPayloadIndexPatterns = t.intersection([ t.literal(BulkActionEditType.delete_index_patterns), t.literal(BulkActionEditType.set_index_patterns), ]), - value: index, + value: IndexPatternArray, }), t.exact(t.partial({ overwrite_data_views: t.boolean })), ]); 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index b589eb0699254..55f1c9d907650 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -8,7 +8,6 @@ import * as t from 'io-ts'; import { - actions, machine_learning_job_id, threat_filters, threat_query, @@ -17,23 +16,27 @@ import { threat_indicator_path, concurrent_searches, items_per_search, - threats, - max_signals, - throttle, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import { RuleExecutionSummary } from '../../rule_monitoring'; import { ResponseActionArray } from '../../rule_response_actions/schemas'; import { + AlertsIndex, + AlertsIndexNamespace, + BuildingBlockType, EventCategoryOverride, + ExceptionListArray, + IndexPatternArray, InvestigationGuide, IsRuleEnabled, IsRuleImmutable, + MaxSignals, RelatedIntegrationArray, RequiredFieldArray, RiskScore, RiskScoreMapping, + RuleActionArray, + RuleActionThrottle, RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, @@ -55,6 +58,7 @@ import { SetupGuide, Severity, SeverityMapping, + ThreatArray, TiebreakerField, TimelineTemplateId, TimelineTemplateTitle, @@ -63,11 +67,8 @@ import { TimestampOverrideFallbackDisabled, } from '../../rule_schema'; import { - index, data_view_id, filters, - building_block_type, - output_index, query, saved_id, threshold, @@ -76,7 +77,6 @@ import { updated_by, created_at, created_by, - namespace, newTermsFields, historyWindowStart, } from '../common'; 
@@ -189,9 +189,9 @@ const baseParams = { // Misc attributes license: RuleLicense, note: InvestigationGuide, - building_block_type, - output_index, - namespace, + building_block_type: BuildingBlockType, + output_index: AlertsIndex, + namespace: AlertsIndexNamespace, }, defaultable: { // Main attributes @@ -206,17 +206,17 @@ const baseParams = { from: RuleIntervalFrom, to: RuleIntervalTo, // Rule actions - actions, - throttle, + actions: RuleActionArray, + throttle: RuleActionThrottle, // Rule exceptions - exceptions_list: listArray, + exceptions_list: ExceptionListArray, // Misc attributes author: RuleAuthorArray, false_positives: RuleFalsePositiveArray, references: RuleReferenceArray, // maxSignals not used in ML rules but probably should be used - max_signals, - threat: threats, + max_signals: MaxSignals, + threat: ThreatArray, }, }; const { @@ -256,7 +256,7 @@ const eqlRuleParams = { query, }, optional: { - index, + index: IndexPatternArray, data_view_id, filters, event_category_override: EventCategoryOverride, @@ -281,7 +281,7 @@ const threatMatchRuleParams = { threat_index, }, optional: { - index, + index: IndexPatternArray, data_view_id, filters, saved_id, @@ -307,7 +307,7 @@ const queryRuleParams = { type: t.literal('query'), }, optional: { - index, + index: IndexPatternArray, data_view_id, filters, saved_id, @@ -334,7 +334,7 @@ const savedQueryRuleParams = { optional: { // Having language, query, and filters possibly defined adds more code confusion and probably user confusion // if the saved object gets deleted for some reason - index, + index: IndexPatternArray, data_view_id, query, filters, @@ -359,7 +359,7 @@ const thresholdRuleParams = { threshold, }, optional: { - index, + index: IndexPatternArray, data_view_id, filters, saved_id, @@ -401,7 +401,7 @@ const newTermsRuleParams = { history_window_start: historyWindowStart, }, optional: { - index, + index: IndexPatternArray, data_view_id, filters, }, 
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/use_add_exception.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/use_add_exception.tsx index a6149f366dfaf..4597a1625366d 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/use_add_exception.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/logic/use_add_exception.tsx @@ -21,7 +21,7 @@ import { buildAlertStatusesFilter, } from '../../../detections/components/alerts_table/default_config'; import { getEsQueryFilter } from '../../../detections/containers/detection_engine/exceptions/get_es_query_filter'; -import type { Index } from '../../../../common/detection_engine/schemas/common/schemas'; +import type { IndexPatternArray } from '../../../../common/detection_engine/rule_schema'; import { formatExceptionItemForUpdate, prepareExceptionItemsForBulkClose } from '../utils/helpers'; import { useKibana } from '../../../common/lib/kibana'; @@ -38,7 +38,7 @@ export type AddOrUpdateExceptionItemsFunc = ( ruleStaticId: string, exceptionItemsToAddOrUpdate: Array, alertIdToClose?: string, - bulkCloseIndex?: Index + bulkCloseIndex?: IndexPatternArray ) => Promise; export type ReturnUseAddOrUpdateException = [ diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index f30be7f65f1a9..903596635f1ea 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -9,7 +9,6 @@ import * as t from 'io-ts'; import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; import { - threats, threat_filters, threat_index, threat_indicator_path, 
@@ -19,14 +18,16 @@ import { type, } from '@kbn/securitysolution-io-ts-alerting-types'; import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types'; -import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; import { + BuildingBlockType, EventCategoryOverride, + ExceptionListArray, InvestigationGuide, IsRuleEnabled, IsRuleImmutable, + MaxSignals, RelatedIntegrationArray, RequiredFieldArray, RiskScore, @@ -51,6 +52,7 @@ import { SetupGuide, Severity, SeverityMapping, + ThreatArray, TiebreakerField, TimelineTemplateId, TimelineTemplateTitle, @@ -60,11 +62,7 @@ import { } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; -import { - building_block_type, - data_view_id, - threshold, -} from '../../../../common/detection_engine/schemas/common'; +import { data_view_id, threshold } from '../../../../common/detection_engine/schemas/common'; import type { CreateRulesSchema, PatchRulesSchema, @@ -129,7 +127,7 @@ export const RuleSchema = t.intersection([ interval: RuleInterval, immutable: IsRuleImmutable, name: RuleName, - max_signals: t.number, + max_signals: MaxSignals, references: RuleReferenceArray, related_integrations: RelatedIntegrationArray, required_fields: RequiredFieldArray, @@ -142,7 +140,7 @@ export const RuleSchema = t.intersection([ tags: RuleTagArray, type, to: RuleIntervalTo, - threat: threats, + threat: ThreatArray, updated_at: t.string, updated_by: t.string, actions: t.array(action), @@ -152,7 +150,7 @@ export const RuleSchema = t.intersection([ outcome: SavedObjectResolveOutcome, alias_target_id: SavedObjectResolveAliasTargetId, alias_purpose: SavedObjectResolveAliasPurpose, - building_block_type, + building_block_type: BuildingBlockType, anomaly_threshold: t.number, filters: t.array(t.unknown), index: t.array(t.string), 
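Review bot: `actions: t.array(action)` and `index: t.array(t.string)` in `RuleSchema` (context lines of the last two hunks) duplicate codecs this commit introduces as `RuleActionArray` and `IndexPatternArray`, so the same change that centralizes `threat`, `max_signals` and `building_block_type` leaves two neighbouring fields on hand-rolled types. If `actions` in the alerting types package is `t.array(action)` as its name suggests, `actions: RuleActionArray,` and `index: IndexPatternArray,` keep decoding behaviour identical while matching the rest of the schema. `RuleSchema` continues outside the hunk.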
@@ -182,7 +180,7 @@ export const RuleSchema = t.intersection([ timestamp_field: TimestampField, tiebreaker_field: TiebreakerField, note: InvestigationGuide, - exceptions_list: listArray, + exceptions_list: ExceptionListArray, uuid: t.string, version: RuleVersion, execution_summary: RuleExecutionSummary, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts index bab81d4625f0c..7757a15c86db4 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts @@ -15,14 +15,15 @@ import { getExceptionFilterFromExceptions } from '@kbn/securitysolution-list-api import { buildEsQuery } from '@kbn/es-query'; import { KibanaServices } from '../../../../common/lib/kibana'; -import type { Query, Index } from '../../../../../common/detection_engine/schemas/common'; +import type { Query } from '../../../../../common/detection_engine/schemas/common'; +import type { IndexPatternArray } from '../../../../../common/detection_engine/rule_schema'; import type { ESBoolQuery } from '../../../../../common/typed_json'; export const getEsQueryFilter = async ( query: Query, language: Language, filters: unknown, - index: Index, + index: IndexPatternArray, lists: Array, excludeExceptions: boolean = true ): Promise => { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index 520081e811a0b..4fc748c258db2 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts 
+++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts @@ -22,6 +22,7 @@ import type { FieldValueQueryBar } from '../../../components/rules/query_bar'; import type { FieldValueTimeline } from '../../../components/rules/pick_timeline'; import type { FieldValueThreshold } from '../../../components/rules/threshold_input'; import type { + BuildingBlockType, RelatedIntegrationArray, RequiredFieldArray, RiskScoreMapping, @@ -33,10 +34,7 @@ import type { SeverityMapping, TimestampOverride, } from '../../../../../common/detection_engine/rule_schema'; -import type { - BuildingBlockType, - SortOrder, -} from '../../../../../common/detection_engine/schemas/common'; +import type { SortOrder } from '../../../../../common/detection_engine/schemas/common'; import type { EqlOptionsSelected } from '../../../../../common/search_strategy'; import type { RuleResponseAction, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 18a750b422be8..4f4a6b8a2a3d6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -16,11 +16,8 @@ import { concurrentSearchesOrUndefined, itemsPerSearchOrUndefined, threatIndicatorPathOrUndefined, - threats, throttleOrNull, - max_signals, } from '@kbn/securitysolution-io-ts-alerting-types'; -import { listArray } from '@kbn/securitysolution-io-ts-list-types'; import { SIGNALS_ID, EQL_RULE_TYPE_ID, 
@@ -34,10 +31,16 @@ import { import type { SanitizedRuleConfig } from '@kbn/alerting-plugin/common'; import { + AlertsIndex, + AlertsIndexNamespace, + BuildingBlockType, EventCategoryOverride, + ExceptionListArray, + IndexPatternArray, InvestigationGuide, IsRuleEnabled, IsRuleImmutable, + MaxSignals, RelatedIntegrationArray, RequiredFieldArray, RiskScore, @@ -58,6 +61,7 @@ import { SetupGuide, Severity, SeverityMapping, + ThreatArray, TiebreakerField, TimelineTemplateId, TimelineTemplateTitle, @@ -66,11 +70,7 @@ import { TimestampOverrideFallbackDisabled, } from '../../../../../common/detection_engine/rule_schema'; import { - buildingBlockTypeOrUndefined, - namespaceOrUndefined, dataViewIdOrUndefined, - indexOrUndefined, - output_index, query, queryOrUndefined, filtersOrUndefined, @@ -89,21 +89,21 @@ const nonEqlLanguages = t.keyof({ kuery: null, lucene: null }); export const baseRuleParams = t.exact( t.type({ author: RuleAuthorArray, - buildingBlockType: buildingBlockTypeOrUndefined, + buildingBlockType: t.union([BuildingBlockType, t.undefined]), description: RuleDescription, - namespace: namespaceOrUndefined, + namespace: t.union([AlertsIndexNamespace, t.undefined]), note: t.union([InvestigationGuide, t.undefined]), falsePositives: RuleFalsePositiveArray, from: RuleIntervalFrom, ruleId: RuleSignatureId, immutable: IsRuleImmutable, license: t.union([RuleLicense, t.undefined]), - outputIndex: output_index, + outputIndex: AlertsIndex, timelineId: t.union([TimelineTemplateId, t.undefined]), timelineTitle: t.union([TimelineTemplateTitle, t.undefined]), meta: t.union([RuleMetadata, t.undefined]), // maxSignals not used in ML rules but probably should be used - maxSignals: max_signals, + maxSignals: MaxSignals, riskScore: RiskScore, riskScoreMapping: RiskScoreMapping, ruleNameOverride: t.union([RuleNameOverride, t.undefined]), 
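Review bot: The inlined `t.union([X, t.undefined])` now appears on every optional field of `baseRuleParams` in this hunk (buildingBlockType, namespace, note, license, timelineId, timelineTitle, meta, ruleNameOverride) and is repeated on the per-type params further down, which is exactly the pattern the removed `buildingBlockTypeOrUndefined` / `namespaceOrUndefined` helpers used to encapsulate. A single local helper, `const orUndefined = <C extends t.Mixed>(codec: C) => t.union([codec, t.undefined]);`, used as `buildingBlockType: orUndefined(BuildingBlockType),` would keep each field on one readable line and make any later move to `t.partial` a one-place change. The `t.exact(t.type({ ... }))` expression that `baseRuleParams` opens continues past the end of the hunk.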
@@ -111,11 +111,11 @@ export const baseRuleParams = t.exact( severityMapping: SeverityMapping, timestampOverride: t.union([TimestampOverride, t.undefined]), timestampOverrideFallbackDisabled: t.union([TimestampOverrideFallbackDisabled, t.undefined]), - threat: threats, + threat: ThreatArray, to: RuleIntervalTo, references: RuleReferenceArray, version: RuleVersion, - exceptionsList: listArray, + exceptionsList: ExceptionListArray, relatedIntegrations: t.union([RelatedIntegrationArray, t.undefined]), requiredFields: t.union([RequiredFieldArray, t.undefined]), setup: t.union([SetupGuide, t.undefined]), @@ -126,7 +126,7 @@ export type BaseRuleParams = t.TypeOf; const eqlSpecificRuleParams = t.type({ type: t.literal('eql'), language: t.literal('eql'), - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), dataViewId: dataViewIdOrUndefined, query, filters: filtersOrUndefined, @@ -141,7 +141,7 @@ export type EqlRuleParams = t.TypeOf; const threatSpecificRuleParams = t.type({ type: t.literal('threat_match'), language: nonEqlLanguages, - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), query, filters: filtersOrUndefined, savedId: savedIdOrUndefined, @@ -163,7 +163,7 @@ const querySpecificRuleParams = t.exact( t.type({ type: t.literal('query'), language: nonEqlLanguages, - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), query, filters: filtersOrUndefined, savedId: savedIdOrUndefined, @@ -180,7 +180,7 @@ const savedQuerySpecificRuleParams = t.type({ // Having language, query, and filters possibly defined adds more code confusion and probably user confusion // if the saved object gets deleted for some reason language: nonEqlLanguages, - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), dataViewId: dataViewIdOrUndefined, query: queryOrUndefined, filters: filtersOrUndefined, 
@@ -200,7 +200,7 @@ export type UnifiedQueryRuleParams = t.TypeOf; const thresholdSpecificRuleParams = t.type({ type: t.literal('threshold'), language: nonEqlLanguages, - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), query, filters: filtersOrUndefined, savedId: savedIdOrUndefined, @@ -228,7 +228,7 @@ const newTermsSpecificRuleParams = t.type({ query, newTermsFields, historyWindowStart, - index: indexOrUndefined, + index: t.union([IndexPatternArray, t.undefined]), filters: filtersOrUndefined, language: nonEqlLanguages, dataViewId: dataViewIdOrUndefined, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts index 521fdf1e5a595..6529029eee371 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_filter.ts @@ -18,10 +18,10 @@ import type { } from '@kbn/alerting-plugin/server'; import type { Filter } from '@kbn/es-query'; import { assertUnreachable } from '../../../../common/utility_types'; +import type { IndexPatternArray } from '../../../../common/detection_engine/rule_schema'; import type { QueryOrUndefined, SavedIdOrUndefined, - IndexOrUndefined, } from '../../../../common/detection_engine/schemas/common/schemas'; import type { PartialFilter } from '../types'; import { withSecuritySpan } from '../../../utils/with_security_span'; @@ -35,7 +35,7 @@ interface GetFilterArgs { query: QueryOrUndefined; savedId: SavedIdOrUndefined; services: RuleExecutorServices; - index: IndexOrUndefined; + index: IndexPatternArray | undefined; exceptionFilter: Filter | undefined; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts index 58b13152bb64a..52b4ccb4cd5f0 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts @@ -9,7 +9,8 @@ import type { Language } from '@kbn/securitysolution-io-ts-alerting-types'; import type { Filter, EsQueryConfig, DataViewBase } from '@kbn/es-query'; import { buildEsQuery } from '@kbn/es-query'; import type { ESBoolQuery } from '../../../../common/typed_json'; -import type { Index, Query } from '../../../../common/detection_engine/schemas/common'; +import type { IndexPatternArray } from '../../../../common/detection_engine/rule_schema'; +import type { Query } from '../../../../common/detection_engine/schemas/common'; export const getQueryFilter = ({ query, @@ -21,7 +22,7 @@ export const getQueryFilter = ({ query: Query; language: Language; filters: unknown; - index: Index; + index: IndexPatternArray; exceptionFilter: Filter | undefined; }): ESBoolQuery => { const indexPattern: DataViewBase = { From 0552c4a5e7e713ffb0c8d0088d60f2f1cb8b7650 Mon Sep 17 00:00:00 2001 From: Georgii Gorbachev Date: Fri, 14 Oct 2022 07:27:48 +0200 Subject: [PATCH 10/11] TEMP COMMIT. REBASE ME --- .../detection_engine/rule_schema/model/temp.ts | 6 ++++++ .../detection_engine/schemas/common/schemas.ts | 7 ------- .../schemas/request/rule_schemas.ts | 14 +++++++------- .../rule_management/logic/types.ts | 8 +++++--- .../rule_schema/model/rule_schemas.ts | 14 +++++++------- 5 files changed, 25 insertions(+), 24 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts index 8bed07a8ff529..1fd942e17da4f 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts 
@@ -50,3 +50,9 @@ export const ThreatArray = t.array(threat); */ export type IndexPatternArray = t.TypeOf; export const IndexPatternArray = t.array(t.string); + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type DataViewId = t.TypeOf; +export const DataViewId = t.string; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index a7460963d1d03..fc546ce47f60f 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -32,13 +32,6 @@ export type Filters = t.TypeOf; // Filters are not easily type-a export const filtersOrUndefined = t.union([filters, t.undefined]); export type FiltersOrUndefined = t.TypeOf; -export const index = t.array(t.string); -export type Index = t.TypeOf; - -export const data_view_id = t.string; - -export const dataViewIdOrUndefined = t.union([data_view_id, t.undefined]); - export const query = t.string; export type Query = t.TypeOf; diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 55f1c9d907650..002d9d9062707 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -24,6 +24,7 @@ import { AlertsIndex, AlertsIndexNamespace, BuildingBlockType, + DataViewId, EventCategoryOverride, ExceptionListArray, IndexPatternArray, @@ -67,7 +68,6 @@ import { TimestampOverrideFallbackDisabled, } from '../../rule_schema'; import { - data_view_id, filters, query, saved_id, 
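Review bot: `DataViewId` is exported as a bare `t.string` with only a `TODO … Add description` placeholder, so the codec accepts an empty string and nothing tells a reader what the value identifies. Because this same patch swaps it in for `data_view_id` across the request schemas, the client `RuleSchema` and the server rule params, the description should be written now rather than deferred; something like `/** Saved-object id of the Kibana data view a rule searches over; sits next to the optional \`index\` pattern list in each rule type's params. The codec does not reject an empty string. */`. Whether an empty id is rejected further down, e.g. when the data view is resolved, is not visible in this diff.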
@@ -257,7 +257,7 @@ const eqlRuleParams = { }, optional: { index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, filters, event_category_override: EventCategoryOverride, timestamp_field: TimestampField, @@ -282,7 +282,7 @@ const threatMatchRuleParams = { }, optional: { index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, filters, saved_id, threat_filters, @@ -308,7 +308,7 @@ const queryRuleParams = { }, optional: { index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, filters, saved_id, response_actions: ResponseActionArray, @@ -335,7 +335,7 @@ const savedQueryRuleParams = { // Having language, query, and filters possibly defined adds more code confusion and probably user confusion // if the saved object gets deleted for some reason index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, query, filters, response_actions: ResponseActionArray, @@ -360,7 +360,7 @@ const thresholdRuleParams = { }, optional: { index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, filters, saved_id, }, @@ -402,7 +402,7 @@ const newTermsRuleParams = { }, optional: { index: IndexPatternArray, - data_view_id, + data_view_id: DataViewId, filters, }, defaultable: { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index 903596635f1ea..a8e8d76bd223a 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts 
@@ -22,8 +22,10 @@ import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types'; import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; import { BuildingBlockType, + DataViewId, EventCategoryOverride, ExceptionListArray, + IndexPatternArray, InvestigationGuide, IsRuleEnabled, IsRuleImmutable, @@ -62,7 +64,7 @@ import { } from '../../../../common/detection_engine/rule_schema'; import type { SortOrder } from '../../../../common/detection_engine/schemas/common'; -import { data_view_id, threshold } from '../../../../common/detection_engine/schemas/common'; +import { threshold } from '../../../../common/detection_engine/schemas/common'; import type { CreateRulesSchema, PatchRulesSchema, @@ -153,8 +155,8 @@ export const RuleSchema = t.intersection([ building_block_type: BuildingBlockType, anomaly_threshold: t.number, filters: t.array(t.unknown), - index: t.array(t.string), - data_view_id, + index: IndexPatternArray, + data_view_id: DataViewId, language: t.string, license: RuleLicense, meta: MetaRule, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 4f4a6b8a2a3d6..a592d0606e52b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -34,6 +34,7 @@ import { AlertsIndex, AlertsIndexNamespace, BuildingBlockType, + DataViewId, EventCategoryOverride, ExceptionListArray, IndexPatternArray, @@ -70,7 +71,6 @@ import { TimestampOverrideFallbackDisabled, } from '../../../../../common/detection_engine/rule_schema'; import { - dataViewIdOrUndefined, query, queryOrUndefined, filtersOrUndefined, 
@@ -127,7 +127,7 @@ const eqlSpecificRuleParams = t.type({ type: t.literal('eql'), language: t.literal('eql'), index: t.union([IndexPatternArray, t.undefined]), - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), query, filters: filtersOrUndefined, eventCategoryOverride: t.union([EventCategoryOverride, t.undefined]), @@ -153,7 +153,7 @@ const threatSpecificRuleParams = t.type({ threatIndicatorPath: threatIndicatorPathOrUndefined, concurrentSearches: concurrentSearchesOrUndefined, itemsPerSearch: itemsPerSearchOrUndefined, - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), }); export const threatRuleParams = t.intersection([baseRuleParams, threatSpecificRuleParams]); export type ThreatSpecificRuleParams = t.TypeOf; @@ -167,7 +167,7 @@ const querySpecificRuleParams = t.exact( query, filters: filtersOrUndefined, savedId: savedIdOrUndefined, - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), responseActions: ResponseActionRuleParamsOrUndefined, }) ); @@ -181,7 +181,7 @@ const savedQuerySpecificRuleParams = t.type({ // if the saved object gets deleted for some reason language: nonEqlLanguages, index: t.union([IndexPatternArray, t.undefined]), - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), query: queryOrUndefined, filters: filtersOrUndefined, savedId: saved_id, @@ -205,7 +205,7 @@ const thresholdSpecificRuleParams = t.type({ filters: filtersOrUndefined, savedId: savedIdOrUndefined, threshold: thresholdNormalized, - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), }); export const thresholdRuleParams = t.intersection([baseRuleParams, thresholdSpecificRuleParams]); export type ThresholdSpecificRuleParams = t.TypeOf; 
@@ -231,7 +231,7 @@ const newTermsSpecificRuleParams = t.type({ index: t.union([IndexPatternArray, t.undefined]), filters: filtersOrUndefined, language: nonEqlLanguages, - dataViewId: dataViewIdOrUndefined, + dataViewId: t.union([DataViewId, t.undefined]), }); export const newTermsRuleParams = t.intersection([baseRuleParams, newTermsSpecificRuleParams]); export type NewTermsSpecificRuleParams = t.TypeOf; From 4be39ab6fc412b89cddc7fecd186e7b1f02c85cb Mon Sep 17 00:00:00 2001 From: Georgii Gorbachev Date: Fri, 14 Oct 2022 07:54:49 +0200 Subject: [PATCH 11/11] TEMP COMMIT. REBASE ME --- .../rule_schema/model/temp.ts | 14 +++++++++ .../schemas/common/schemas.ts | 16 ---------- .../request/perform_bulk_action_schema.ts | 4 +-- .../schemas/request/rule_schemas.ts | 28 ++++++++--------- .../rule_management/logic/types.ts | 9 ++++-- .../exceptions/get_es_query_filter.ts | 8 +++-- .../rule_schema/model/rule_schemas.ts | 31 +++++++++---------- .../signals/build_events_query.ts | 8 +++-- .../detection_engine/signals/get_filter.ts | 9 ++---- .../signals/get_query_filter.ts | 5 ++- 10 files changed, 66 insertions(+), 66 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts index 1fd942e17da4f..6e91f14468a72 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_schema/model/temp.ts 
@@ -56,3 +56,17 @@ export const IndexPatternArray = t.array(t.string); */ export type DataViewId = t.TypeOf; export const DataViewId = t.string; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + */ +export type RuleQuery = t.TypeOf; +export const RuleQuery = t.string; + +/** + * TODO: https://github.com/elastic/kibana/pull/142950 Add description + * TODO: Right now the filters is an "unknown", when it could more than likely + * become the actual ESFilter as a type. + */ +export type RuleFilterArray = t.TypeOf; // Filters are not easily type-able yet +export const RuleFilterArray = t.array(t.unknown); // Filters are not easily type-able yet diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index fc546ce47f60f..ae0b78daad45d 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -22,22 +22,6 @@ export type FileName = t.TypeOf; export const exclude_export_details = t.boolean; export type ExcludeExportDetails = t.TypeOf; -/** - * TODO: Right now the filters is an "unknown", when it could more than likely - * become the actual ESFilter as a type. - */ -export const filters = t.array(t.unknown); // Filters are not easily type-able yet -export type Filters = t.TypeOf; // Filters are not easily type-able yet - -export const filtersOrUndefined = t.union([filters, t.undefined]); -export type FiltersOrUndefined = t.TypeOf; - -export const query = t.string; -export type Query = t.TypeOf; - -export const queryOrUndefined = t.union([query, t.undefined]); -export type QueryOrUndefined = t.TypeOf; - export const saved_id = t.string; export const savedIdOrUndefined = t.union([saved_id, t.undefined]); 
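Review bot: `RuleFilterArray` is `t.array(t.unknown)`, so the filter objects a rule carries are accepted from the API without any shape or size check and, by the signatures in this patch, end up in the server rule params (`filters`, `threatFilters`) and in `getQueryFilter` as `filters: unknown`, where `buildEsQuery` is presumably what consumes them; the moved `TODO` about typing them as real ES filters should be paired with a comment that records this trust boundary rather than only the typing gap. Suggested doc comment for the codec: `Filters are stored and re-emitted verbatim; the codec validates neither their structure nor their size, so authorization of who may create or update rules is the only control on what reaches the Elasticsearch query.` Likewise `RuleQuery = t.string` accepts an empty string even where the request schemas list `query` as required (eql, threat_match, threshold, new_terms); if an empty query is meant to be rejected, that constraint belongs in the codec, and if it is rejected elsewhere the comment should say where.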
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts index 4f516bcb2eaa9..17fb273417dc4 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/perform_bulk_action_schema.ts @@ -16,11 +16,11 @@ import { import { IndexPatternArray, + RuleQuery, RuleTagArray, TimelineTemplateId, TimelineTemplateTitle, } from '../../rule_schema'; -import { queryOrUndefined } from '../common/schemas'; export enum BulkAction { 'enable' = 'enable', @@ -158,7 +158,7 @@ export type BulkActionEditForRuleParams = export const performBulkActionSchema = t.intersection([ t.exact( t.type({ - query: queryOrUndefined, + query: t.union([RuleQuery, t.undefined]), }) ), t.exact(t.partial({ ids: NonEmptyArray(t.string) })), diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts index 002d9d9062707..d7666326550f8 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.ts @@ -41,6 +41,7 @@ import { RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, + RuleFilterArray, RuleInterval, RuleIntervalFrom, RuleIntervalTo, @@ -49,6 +50,7 @@ import { RuleName, RuleNameOverride, RuleObjectId, + RuleQuery, RuleReferenceArray, RuleSignatureId, RuleTagArray, @@ -68,8 +70,6 @@ import { TimestampOverrideFallbackDisabled, } from '../../rule_schema'; import { - filters, - query, saved_id, threshold, anomaly_threshold, 
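Review bot: `performBulkActionSchema.query` is now typed with `RuleQuery`, but from the schema's shape (a `query` next to an optional `ids` list selecting which rules to act on) this looks like the search string used to find rules rather than a rule's own detection query; if so, sharing the codec couples two unrelated inputs, and any constraint later added to `RuleQuery` for detection queries (non-empty, length, language) would silently change the bulk-action API. A dedicated alias keeps them apart without changing validation today: `query: t.union([t.string, t.undefined]),` with the comment `// search string selecting the rules to act on; not a rule's detection query`, or a separate codec declared next to `RuleQuery`. If the two are intentionally meant to share one contract, a one-line comment at the field saying so would settle the question.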
@@ -253,12 +253,12 @@ const eqlRuleParams = { required: { type: t.literal('eql'), language: t.literal('eql'), - query, + query: RuleQuery, }, optional: { index: IndexPatternArray, data_view_id: DataViewId, - filters, + filters: RuleFilterArray, event_category_override: EventCategoryOverride, timestamp_field: TimestampField, tiebreaker_field: TiebreakerField, @@ -275,7 +275,7 @@ export { eqlCreateParams, eqlResponseParams }; const threatMatchRuleParams = { required: { type: t.literal('threat_match'), - query, + query: RuleQuery, threat_query, threat_mapping, threat_index, @@ -283,7 +283,7 @@ const threatMatchRuleParams = { optional: { index: IndexPatternArray, data_view_id: DataViewId, - filters, + filters: RuleFilterArray, saved_id, threat_filters, threat_indicator_path, @@ -309,12 +309,12 @@ const queryRuleParams = { optional: { index: IndexPatternArray, data_view_id: DataViewId, - filters, + filters: RuleFilterArray, saved_id, response_actions: ResponseActionArray, }, defaultable: { - query, + query: RuleQuery, language: t.keyof({ kuery: null, lucene: null }), }, }; @@ -336,8 +336,8 @@ const savedQueryRuleParams = { // if the saved object gets deleted for some reason index: IndexPatternArray, data_view_id: DataViewId, - query, - filters, + query: RuleQuery, + filters: RuleFilterArray, response_actions: ResponseActionArray, }, defaultable: { @@ -355,13 +355,13 @@ export { savedQueryCreateParams, savedQueryResponseParams }; const thresholdRuleParams = { required: { type: t.literal('threshold'), - query, + query: RuleQuery, threshold, }, optional: { index: IndexPatternArray, data_view_id: DataViewId, - filters, + filters: RuleFilterArray, saved_id, }, defaultable: { 
@@ -396,14 +396,14 @@ export { machineLearningCreateParams, machineLearningResponseParams }; const newTermsRuleParams = { required: { type: t.literal('new_terms'), - query, + query: RuleQuery, new_terms_fields: newTermsFields, history_window_start: historyWindowStart, }, optional: { index: IndexPatternArray, data_view_id: DataViewId, - filters, + filters: RuleFilterArray, }, defaultable: { language: t.keyof({ kuery: null, lucene: null }), diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts index a8e8d76bd223a..31c57ca3c545c 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/types.ts @@ -21,6 +21,7 @@ import type { NamespaceType } from '@kbn/securitysolution-io-ts-list-types'; import { RuleExecutionSummary } from '../../../../common/detection_engine/rule_monitoring'; import { + AlertsIndex, BuildingBlockType, DataViewId, EventCategoryOverride, @@ -37,6 +38,7 @@ import { RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, + RuleFilterArray, RuleInterval, RuleIntervalFrom, RuleIntervalTo, @@ -44,6 +46,7 @@ import { RuleName, RuleNameOverride, RuleObjectId, + RuleQuery, RuleReferenceArray, RuleSignatureId, RuleTagArray, @@ -154,7 +157,7 @@ export const RuleSchema = t.intersection([ alias_purpose: SavedObjectResolveAliasPurpose, building_block_type: BuildingBlockType, anomaly_threshold: t.number, - filters: t.array(t.unknown), + filters: RuleFilterArray, index: IndexPatternArray, data_view_id: DataViewId, language: t.string, 
@@ -163,8 +166,8 @@ export const RuleSchema = t.intersection([ machine_learning_job_id: t.array(t.string), new_terms_fields: t.array(t.string), history_window_start: t.string, - output_index: t.string, - query: t.string, + output_index: AlertsIndex, + query: RuleQuery, rule_name_override: RuleNameOverride, saved_id: t.string, threshold, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts index 7757a15c86db4..7232d6bc2285b 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/exceptions/get_es_query_filter.ts @@ -15,12 +15,14 @@ import { getExceptionFilterFromExceptions } from '@kbn/securitysolution-list-api import { buildEsQuery } from '@kbn/es-query'; import { KibanaServices } from '../../../../common/lib/kibana'; -import type { Query } from '../../../../../common/detection_engine/schemas/common'; -import type { IndexPatternArray } from '../../../../../common/detection_engine/rule_schema'; +import type { + IndexPatternArray, + RuleQuery, +} from '../../../../../common/detection_engine/rule_schema'; import type { ESBoolQuery } from '../../../../../common/typed_json'; export const getEsQueryFilter = async ( - query: Query, + query: RuleQuery, language: Language, filters: unknown, index: IndexPatternArray, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index a592d0606e52b..49139c6c37eb0 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -49,12 +49,14 @@ import { RuleAuthorArray, RuleDescription, RuleFalsePositiveArray, + RuleFilterArray, RuleIntervalFrom, RuleIntervalTo, RuleLicense, RuleMetadata, RuleName, RuleNameOverride, + RuleQuery, RuleReferenceArray, RuleSignatureId, RuleTagArray, @@ -71,9 +73,6 @@ import { TimestampOverrideFallbackDisabled, } from '../../../../../common/detection_engine/rule_schema'; import { - query, - queryOrUndefined, - filtersOrUndefined, savedIdOrUndefined, saved_id, thresholdNormalized, @@ -128,8 +127,8 @@ const eqlSpecificRuleParams = t.type({ language: t.literal('eql'), index: t.union([IndexPatternArray, t.undefined]), dataViewId: t.union([DataViewId, t.undefined]), - query, - filters: filtersOrUndefined, + query: RuleQuery, + filters: t.union([RuleFilterArray, t.undefined]), eventCategoryOverride: t.union([EventCategoryOverride, t.undefined]), timestampField: t.union([TimestampField, t.undefined]), tiebreakerField: t.union([TiebreakerField, t.undefined]), @@ -142,10 +141,10 @@ const threatSpecificRuleParams = t.type({ type: t.literal('threat_match'), language: nonEqlLanguages, index: t.union([IndexPatternArray, t.undefined]), - query, - filters: filtersOrUndefined, + query: RuleQuery, + filters: t.union([RuleFilterArray, t.undefined]), savedId: savedIdOrUndefined, - threatFilters: filtersOrUndefined, + threatFilters: t.union([RuleFilterArray, t.undefined]), threatQuery: threat_query, threatMapping: threat_mapping, threatLanguage: t.union([nonEqlLanguages, t.undefined]), 
@@ -164,8 +163,8 @@ const querySpecificRuleParams = t.exact( type: t.literal('query'), language: nonEqlLanguages, index: t.union([IndexPatternArray, t.undefined]), - query, - filters: filtersOrUndefined, + query: RuleQuery, + filters: t.union([RuleFilterArray, t.undefined]), savedId: savedIdOrUndefined, dataViewId: t.union([DataViewId, t.undefined]), responseActions: ResponseActionRuleParamsOrUndefined, @@ -182,8 +181,8 @@ const savedQuerySpecificRuleParams = t.type({ language: nonEqlLanguages, index: t.union([IndexPatternArray, t.undefined]), dataViewId: t.union([DataViewId, t.undefined]), - query: queryOrUndefined, - filters: filtersOrUndefined, + query: t.union([RuleQuery, t.undefined]), + filters: t.union([RuleFilterArray, t.undefined]), savedId: saved_id, responseActions: ResponseActionRuleParamsOrUndefined, }); @@ -201,8 +200,8 @@ const thresholdSpecificRuleParams = t.type({ type: t.literal('threshold'), language: nonEqlLanguages, index: t.union([IndexPatternArray, t.undefined]), - query, - filters: filtersOrUndefined, + query: RuleQuery, + filters: t.union([RuleFilterArray, t.undefined]), savedId: savedIdOrUndefined, threshold: thresholdNormalized, dataViewId: t.union([DataViewId, t.undefined]), @@ -225,11 +224,11 @@ export type MachineLearningRuleParams = t.TypeOf; index: IndexPatternArray | undefined; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts index 52b4ccb4cd5f0..15477388839e4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/get_query_filter.ts 
@@ -9,8 +9,7 @@ import type { Language } from '@kbn/securitysolution-io-ts-alerting-types'; import type { Filter, EsQueryConfig, DataViewBase } from '@kbn/es-query'; import { buildEsQuery } from '@kbn/es-query'; import type { ESBoolQuery } from '../../../../common/typed_json'; -import type { IndexPatternArray } from '../../../../common/detection_engine/rule_schema'; -import type { Query } from '../../../../common/detection_engine/schemas/common'; +import type { IndexPatternArray, RuleQuery } from '../../../../common/detection_engine/rule_schema'; export const getQueryFilter = ({ query, @@ -19,7 +18,7 @@ export const getQueryFilter = ({ index, exceptionFilter, }: { - query: Query; + query: RuleQuery; language: Language; filters: unknown; index: IndexPatternArray;
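Review bot: `getQueryFilter` still declares `filters: unknown` while this same patch introduces `RuleFilterArray` for the value the rule params carry in their `filters` fields; `query` and `index` were migrated to the new codecs in this signature but `filters` was left behind, so a caller can pass anything here and the compiler will not object. Unless some caller passes something other than a rule's filters, the parameter should read `filters: RuleFilterArray | undefined;` (it is `unknown[]` at runtime either way, so nothing changes in behavior), and the same applies to the client-side `getEsQueryFilter` in get_es_query_filter.ts, which also keeps `filters: unknown`. The body of `getQueryFilter`, including the `buildEsQuery` call that presumably consumes these filters, lies outside the hunk.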