Skip to content

[Security Solution][Exceptions] - Fixes exception builder bug that includes matches operator #136340

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Jul 19, 2022
Merged

[Security Solution][Exceptions] - Fixes exception builder bug that includes matches operator #136340

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
c585cab
update exception builder operators to not include matches operator
yctercero Jul 13, 2022
8367a9c
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Jul 13, 2022
cdc29f6
Merge branch 'main' of github.com:elastic/kibana into remove_matches_…
yctercero Jul 13, 2022
98d2462
Merge branch 'remove_matches_from_builder' of github.com:yctercero/ki…
yctercero Jul 13, 2022
47119f7
updating jest test
yctercero Jul 14, 2022
b7f0760
Merge branch 'main' of github.com:elastic/kibana into remove_matches_…
yctercero Jul 14, 2022
e105aab
Merge branch 'main' of github.com:yctercero/kibana into remove_matche…
yctercero Jul 18, 2022
fe348f3
updated operator logic to avoid affecting non detection exceptions
yctercero Jul 18, 2022
fd8aff5
[CI] Auto-commit changed files from 'node scripts/precommit_hook.js -…
kibanamachine Jul 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions packages/kbn-securitysolution-autocomplete/src/get_operators/index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
import {
doesNotExistOperator,
EVENT_FILTERS_OPERATORS,
EXCEPTION_OPERATORS,
ALL_OPERATORS,
existsOperator,
isNotOperator,
isOperator,
Expand Down Expand Up @@ -53,6 +53,6 @@ describe('#getOperators', () => {
test('it returns all operator types when field type is not null, boolean, or nested', () => {
const operator = getOperators(getField('machine.os.raw'));

expect(operator).toEqual(EXCEPTION_OPERATORS);
expect(operator).toEqual(ALL_OPERATORS);
});
});
4 changes: 2 additions & 2 deletions packages/kbn-securitysolution-autocomplete/src/get_operators/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
import { DataViewFieldBase } from '@kbn/es-query';

import {
EXCEPTION_OPERATORS,
ALL_OPERATORS,
EVENT_FILTERS_OPERATORS,
OperatorOption,
doesNotExistOperator,
Expand All @@ -34,6 +34,6 @@ export const getOperators = (field: DataViewFieldBase | undefined): OperatorOpti
} else if (field.name === 'file.path.text') {
return EVENT_FILTERS_OPERATORS;
} else {
return EXCEPTION_OPERATORS;
return ALL_OPERATORS;
}
};
18 changes: 17 additions & 1 deletion packages/kbn-securitysolution-list-utils/src/autocomplete_operators/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,23 @@ export const EVENT_FILTERS_OPERATORS: OperatorOption[] = [
matchesOperator,
];

export const EXCEPTION_OPERATORS: OperatorOption[] = [
/*
* !IMPORTANT! - Please only add to this list if it is an operator
* supported by the detection engine.
*/
export const DETECTION_ENGINE_EXCEPTION_OPERATORS: OperatorOption[] = [
isOperator,
isNotOperator,
isOneOfOperator,
isNotOneOfOperator,
existsOperator,
doesNotExistOperator,
isInListOperator,
isNotInListOperator,
];


export const ALL_OPERATORS: OperatorOption[] = [
Copy link
Contributor Author

@yctercero yctercero Jul 18, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed this to try to help with a bit of the confusion.

isOperator,
isNotOperator,
isOneOfOperator,
Expand Down
19 changes: 11 additions & 8 deletions packages/kbn-securitysolution-list-utils/src/helpers/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,13 +36,14 @@ import {
} from '@kbn/es-query';

import {
EXCEPTION_OPERATORS,
ALL_OPERATORS,
EXCEPTION_OPERATORS_SANS_LISTS,
doesNotExistOperator,
existsOperator,
isNotOperator,
isOneOfOperator,
isOperator,
DETECTION_ENGINE_EXCEPTION_OPERATORS,
} from '../autocomplete_operators';

import {
Expand Down Expand Up @@ -192,7 +193,7 @@ export const getExceptionOperatorSelect = (item: BuilderEntry): OperatorOption =
return isOperator;
} else {
const operatorType = getOperatorType(item);
const foundOperator = EXCEPTION_OPERATORS.find((operatorOption) => {
const foundOperator = ALL_OPERATORS.find((operatorOption) => {
return item.operator === operatorOption.operator && operatorType === operatorOption.type;
});

Expand Down Expand Up @@ -679,20 +680,22 @@ export const getOperatorOptions = (
item: FormattedBuilderEntry,
listType: ExceptionListType,
isBoolean: boolean,
includeValueListOperators = true
includeValueListOperators = true,
): OperatorOption[] => {
if (item.nested === 'parent' || item.field == null) {
return [isOperator];
} else if ((item.nested != null && listType === 'endpoint') || listType === 'endpoint') {
return isBoolean ? [isOperator] : [isOperator, isOneOfOperator];
} else if (item.nested != null && listType === 'detection') {
return isBoolean ? [isOperator, existsOperator] : [isOperator, isOneOfOperator, existsOperator];
} else if (isBoolean) {
return [isOperator, isNotOperator, existsOperator, doesNotExistOperator];
} else if (!includeValueListOperators) {
return EXCEPTION_OPERATORS_SANS_LISTS;
} else {
return isBoolean
? [isOperator, isNotOperator, existsOperator, doesNotExistOperator]
: includeValueListOperators
? EXCEPTION_OPERATORS
: EXCEPTION_OPERATORS_SANS_LISTS;
return listType === 'detection'
? DETECTION_ENGINE_EXCEPTION_OPERATORS
: ALL_OPERATORS;
}
};

Expand Down
25 changes: 16 additions & 9 deletions x-pack/plugins/lists/public/exceptions/components/builder/helpers.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,8 @@ import {
} from '@kbn/securitysolution-io-ts-list-types';
import {
BuilderEntry,
EXCEPTION_OPERATORS,
ALL_OPERATORS,
DETECTION_ENGINE_EXCEPTION_OPERATORS,
EXCEPTION_OPERATORS_SANS_LISTS,
EmptyEntry,
ExceptionsBuilderExceptionItem,
Expand Down Expand Up @@ -596,13 +597,6 @@ describe('Exception builder helpers', () => {
expect(output).toEqual(expected);
});

test('it returns all operator options if "listType" is "detection"', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'detection', false);
const expected: OperatorOption[] = EXCEPTION_OPERATORS;
expect(output).toEqual(expected);
});

test('it returns "isOperator", "isNotOperator", "doesNotExistOperator" and "existsOperator" if field type is boolean', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'detection', true);
Expand All @@ -618,14 +612,27 @@ describe('Exception builder helpers', () => {
test('it returns list operators if specified to', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'detection', false, true);
expect(output).toEqual(EXCEPTION_OPERATORS);
expect(output.some((operator) => operator.value === 'is_not_in_list')).toBeTruthy();
expect(output.some((operator) => operator.value === 'is_in_list')).toBeTruthy();
});

test('it does not return list operators if specified not to', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'detection', false, false);
expect(output).toEqual(EXCEPTION_OPERATORS_SANS_LISTS);
});

test('it returns all possible operators if list type is not "detection"', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'endpoint_events', false, true);
expect(output).toEqual(ALL_OPERATORS);
});

test('it returns all operators supported by detection engine if list type is "detection"', () => {
const payloadItem: FormattedBuilderEntry = getMockBuilderEntry();
const output = getOperatorOptions(payloadItem, 'detection', false, true);
expect(output).toEqual(DETECTION_ENGINE_EXCEPTION_OPERATORS);
});
});

describe('#getEntryOnFieldChange', () => {
Expand Down