[RAC][Security Solution] Add base Security Rule Type #105096
madirey merged 100 commits into elastic:master from
Conversation
dominiqueclarke
left a comment
Uptime changes look good to me. Only did a code review.
dateRangeStart: moment(new Date(fields['kibana.rac.alert.start']!))
  .subtract('5', 'm')
  .toISOString(),
dateRangeEnd: fields[ALERT_STATUS] === 'open' ? 'now' : fields[ALERT_END]!,
Thank you for doing this. I actually have a branch up getting ready to update this. Much appreciated.
xcrzx
left a comment
Checked changes in regards to rule execution logging, LGTM 👍
It would be great to merge this PR sooner so that we can start integration with the new Exec log.
dhurley14
left a comment
In regards to the comment in your PR description around "The created rule is not visible in our UI and is not accessible through most of our API endpoints": I think we just need a small update so we can still manage these rules through the security solution detections page by updating the routes to include the new QUERY_ALERT_TYPE_ID.
One example is in the find_rules route, where we can update this filter to include the new QUERY_ALERT_TYPE_ID.
If you agree with the above, I think there are other places where this change should propagate as well, like in the import rules route.
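To illustrate the filter change suggested in the comment above, here is an added TypeScript example; it is not code from this PR or from Kibana. The rule type id strings `siem.signals` and `siem.queryRule`, the `buildRuleTypeFilter`, `findRules` and `rulesHiddenBy` helpers, and the sample rule list are all assumptions constructed for the example. It goes slightly beyond the comment by showing the general case of a filter that accepts any number of rule type ids and by making visible which rules a too-narrow filter leaves unmanageable.

```typescript
// Added example, not Kibana's or this PR's code. It models the point in the
// review comment: a "find rules" filter keyed only on the legacy rule type id
// silently hides rules created by a new rule type, so the filter must list both.
// Both id strings are assumptions in the style of Kibana's naming.
const SIGNALS_ID = 'siem.signals';            // assumed legacy detection rule type id
const QUERY_ALERT_TYPE_ID = 'siem.queryRule'; // assumed id for the new query rule type

/**
 * Build the KQL clause that restricts an alerting saved-object "find" to
 * detection rules of the given type ids, optionally AND-ed with a caller filter.
 */
function buildRuleTypeFilter(typeIds: readonly string[], userFilter?: string): string {
  if (typeIds.length === 0) {
    throw new Error('at least one rule type id is required');
  }
  const idClause =
    typeIds.length === 1
      ? `alert.attributes.alertTypeId: ${typeIds[0]}`
      : `alert.attributes.alertTypeId: (${typeIds.join(' OR ')})`;
  // Parenthesise the caller's clause so an OR inside it cannot widen the AND.
  return userFilter ? `${idClause} AND (${userFilter})` : idClause;
}

/** Minimal stand-in for the saved object the alerting find API returns. */
interface RuleSummary {
  id: string;
  alertTypeId: string;
  name: string;
}

/**
 * Toy evaluator for the clause shape produced above, so the effect of the
 * filter can be shown offline without an Elasticsearch instance. It accepts
 * `alert.attributes.alertTypeId: X` or `alert.attributes.alertTypeId: (X OR Y)`
 * and ignores any trailing ` AND (...)` part.
 */
function findRules(rules: readonly RuleSummary[], filter: string): RuleSummary[] {
  const match = /^alert\.attributes\.alertTypeId: (?:\(([^)]+)\)|(\S+))/.exec(filter);
  if (!match) {
    throw new Error(`unsupported filter: ${filter}`);
  }
  const group = match[1] ?? match[2] ?? '';
  const allowed = new Set(group.split(' OR ').map((s) => s.trim()));
  return rules.filter((r) => allowed.has(r.alertTypeId));
}

/** Rules that exist in the cluster but that the given filter would never return. */
function rulesHiddenBy(rules: readonly RuleSummary[], filter: string): RuleSummary[] {
  const visible = new Set(findRules(rules, filter).map((r) => r.id));
  return rules.filter((r) => !visible.has(r.id));
}

// Constructed sample: one legacy rule and one created through the new rule type.
const SAMPLE_RULES: RuleSummary[] = [
  { id: 'rule-1', alertTypeId: SIGNALS_ID, name: 'legacy custom query' },
  { id: 'rule-2', alertTypeId: QUERY_ALERT_TYPE_ID, name: 'rule-registry custom query' },
];

// The filter as it would look before and after the change the comment asks for.
const LEGACY_FILTER = buildRuleTypeFilter([SIGNALS_ID]);
const UPDATED_FILTER = buildRuleTypeFilter([SIGNALS_ID, QUERY_ALERT_TYPE_ID]);
```

With the sample list, `rulesHiddenBy(SAMPLE_RULES, LEGACY_FILTER)` returns the rule-registry rule and `rulesHiddenBy(SAMPLE_RULES, UPDATED_FILTER)` returns nothing, which is the operational concern behind the comment: a rule that keeps executing but that the detections page cannot list, disable or export.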
Wow! The changes look fantastic. I think that the overall modularization efforts really came together, and everything became easier to understand! Thank you so much for doing this work!
One comment though - I flipped on the ruleRegistryFlag (by adding xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled'] to my kibana.dev.yml), but I wasn't able to get any alerts on the Custom Query Rule. It seemed like a new alerting index didn't get created, I wasn't able to catch any suspicious errors / logs in my terminal. I was wondering if I am missing a step or if I should try again. Please let me know!
just noticed the instructions above. will try again!
array: false,
required: true,
},
'kibana.alert.threat': {
making a personal note to add kibana.alert.reason 😄
@elasticmachine merge upstream
💚 Build Succeeded
* injects bulkCreate and wrapHits to individual rule executors
* WIP create_security_rule_type_factory based on Marshall's work in #d3076ca54526ea0e61a9a99e1c1bce854806977e
* removes ruleStatusService from old rule executors, fixes executor unit tests
* fixes rebase
* Rename reference_rules to rule_types
* Fix type errors
* Fix type errors in base security rule factory
* Additional improvements to types and interfaces
* More type alignment
* Fix remaining type errors in query rule
* Add validation / inject lists plugin
* Formatting
* Improvements to typing
* Static typing on executors
* cleanup
* Hook up params for query/threshold rules... includes exceptionsList and daterange tuple
* Scaffolding for wrapHits and bulkCreate
* Add error handling / status reporting
* Fixup alert type state
* Begin threshold
* Begin work on threshold state
* Organize rule types
* Export base security rule types
* Fixup lifecycle static typing
* WrapHits / bulk changes
* Field mappings (partial)
* whoops
* Remove redundant params
* More flexible implementation of bulkCreateFactory
* Add mappings
* Finish query rule
* Revert "Remove redundant params" This reverts commit 87aff9c.
* Revert "whoops" This reverts commit a7771bd.
* Fixup return types
* Use alertWithPersistence
* Fix import
* End-to-end rule mostly working
* Fix bulkCreate
* Bug fixes
* Bug fixes and mapping changes
* Fix indexing
* cleanup
* Fix type errors
* Test fixes
* Fix query tests
* cleanup / rename kibana.rac to kibana
* Remove eql/threshold (for now)
* Move technical fields to package
* Add indexAlias and buildRuleMessageFactory
* imports
* type errors
* Change 'kibana.rac.*' to 'kibana.*'
* Fix lifecycle tests
* Single alert instance
* fix import
* Fix type error
* Fix more type errors
* Fix query rule type test
* revert to previous ts-expect-error
* type errors again
* types / linting
* General readability improvements
* Add invariant function from Dmitrii's branch
* Use invariant and constants
* Improvements to field mappings
* More test failure fixes
* Add refresh param for bulk create
* Update more field refs
* Actually use refresh param
* cleanup
* test fixes
* changes to rule creation script
* Fix created signals count
* Use ruleId
* Updates to bulk indexing
* Mapping updates
* Cannot use 'strict' for dynamic setting

Co-authored-by: Marshall Main <marshall.main@elastic.co>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
This PR adds a base security rule type, which wraps the persistence rule type to provide Detections-specific logic.
Summary of changes
How to test this implementation
echo "xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']" >> ./config/kibana.dev.yml
echo "xpack.ruleRegistry.write.enabled: true" >> ./config/kibana.dev.yml
./x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/scripts/create_rule_query.sh
It creates a rule that generates up to 10 alerts every minute or so. The created rule is not visible in our UI and is not accessible through most of our API endpoints.
To be addressed in future PRs
outputIndex by utilizing state