Expand Up @@ -73,9 +73,30 @@ function addSecuritySolutionActionsFrequency(
return doc;
}

function unmuteSecuritySolutionCustomRules(
doc: SavedObjectUnsanitizedDoc<RawRule>
): SavedObjectUnsanitizedDoc<RawRule> {
if (!isDetectionEngineAADRuleType(doc)) {
return doc;
}

return {
...doc,
attributes: {
...doc.attributes,
muteAll: false,
},
};
}

export const getMigrations880 = (encryptedSavedObjects: EncryptedSavedObjectsPluginSetup) =>
createEsoMigration(
encryptedSavedObjects,
(doc: SavedObjectUnsanitizedDoc<RawRule>): doc is SavedObjectUnsanitizedDoc<RawRule> => true,
pipeMigrations(addActionUuid, addRevision, addSecuritySolutionActionsFrequency)
pipeMigrations(
addActionUuid,
addRevision,
addSecuritySolutionActionsFrequency,
unmuteSecuritySolutionCustomRules
)
);
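Review bot: unmuteSecuritySolutionCustomRules resets muteAll for every document that passes isDetectionEngineAADRuleType, and nothing in that check looks at params.immutable, so prebuilt rules are unmuted as well — the functional test in this same PR asserts exactly that for the immutable rule. The name promises a narrower scope than the code delivers; either rename it (e.g. `unmuteSecuritySolutionRules`) or document the real behaviour. Because the migration overrides a mute the user set explicitly, a header comment stating why 8.8.0 forces `muteAll: false` on detection-engine rules would help the next reader, e.g. `/** 8.8.0: clears muteAll on every detection-engine (AAD) rule, custom and prebuilt alike. Reason: <to be filled in by the author> */`. The reason itself is not stated anywhere in the diff, so it has to come from the author.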
Expand Up @@ -2653,20 +2653,26 @@ describe('successful migrations', () => {
]);
});

test('migrates rule to include revision and defaults revision to 0', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)['8.8.0'];
describe('security rule version to revision', () => {
test('migrates rule to include revision and defaults revision to 0', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];

const rule = getMockData();
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(0);
});
const rule = getMockData();
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(0);
});

test('migrates security rule version to revision', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)['8.8.0'];
test('migrates security rule version to revision', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];

const rule = getMockData({ alertTypeId: ruleTypeMappings.eql, params: { version: 2 } });
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(2);
const rule = getMockData({ alertTypeId: ruleTypeMappings.eql, params: { version: 2 } });
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(2);
});
});

describe('migrate actions frequency for Security Solution ', () => {
Expand Down Expand Up @@ -2714,6 +2720,36 @@ describe('successful migrations', () => {
expect(updatedActions).toEqual(rule.attributes.actions);
});
});

describe('unmute security rules', () => {
test.each(Object.values(ruleTypeMappings))(
'unmutes custom rules of type "%s" successfully',
(ruleType) => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];

const rule = getMockData({ alertTypeId: ruleType, muteAll: true });
const migratedAlert880 = migration880(rule, migrationContext);

expect(migratedAlert880.attributes.muteAll).toBeFalsy();
}
);

test('ignores non security rules', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];

const rule = getMockData({
alertTypeId: 'unknown',
muteAll: true,
});
const migratedAlert880 = migration880(rule, migrationContext);

expect(migratedAlert880.attributes.muteAll).toBeTruthy();
});
});
});

describe('Metrics Inventory Threshold rule', () => {
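Review bot: The new 'unmute security rules' tests assert with toBeFalsy()/toBeTruthy(), which also pass when muteAll is undefined or missing from the migrated attributes, so they would not catch the migration dropping the attribute; assert the exact values instead, `expect(migratedAlert880.attributes.muteAll).toBe(false);` and `expect(migratedAlert880.attributes.muteAll).toBe(true);`. There is also no case for a security rule with params.immutable set, which is the behaviour the functional test in this PR relies on, nor one checking that a rule already at muteAll: false is returned unchanged — each is a single getMockData call. The enclosing describe('successful migrations') starts outside the hunk.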
Expand Up @@ -692,5 +692,27 @@ export default function createGetTests({ getService }: FtrProviderContext) {
}),
]);
});

it('8.8 unmutes only security rules', async () => {
const securityCustomRuleId = 'alert:88bc8c21-07ba-42eb-ad9c-06820275ac10';
const securityImmutableRuleId = 'alert:8990af61-c09a-11ec-9164-4bfd6fc32c43';
const nonSecurityRuleId = 'alert:74f3e6d7-b7bb-477d-ac28-92ee22728e6e';

const { docs } = await es.mget<{ alert: RawRule }>({
index: ALERTING_CASES_SAVED_OBJECT_INDEX,
body: { ids: [securityCustomRuleId, securityImmutableRuleId, nonSecurityRuleId] },
});

const securityCustomRuleMuteAll =
'_source' in docs[0] ? docs[0]._source?.alert.muteAll : undefined;
const securityImmutableRuleMuteAll =
'_source' in docs[1] ? docs[1]._source?.alert.muteAll : undefined;
const nonSecurityRuleMuteAll =
'_source' in docs[2] ? docs[2]._source?.alert.muteAll : undefined;

expect(securityCustomRuleMuteAll).toBeFalsy();
expect(securityImmutableRuleMuteAll).toBeFalsy();
expect(nonSecurityRuleMuteAll).toBeTruthy();
});
});
}
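Review bot: In '8.8 unmutes only security rules' an mget entry without a _source (document not found) makes the muteAll lookup evaluate to undefined, and toBeFalsy() then passes, so the two security assertions succeed vacuously if either archive document is missing; assert that each entry has a _source before reading it and compare exact values, `expect(securityCustomRuleMuteAll).toBe(false);` and `expect(securityImmutableRuleMuteAll).toBe(false);`. The three ids are passed as an array and then read back through hard-coded docs[0..2] indices, so deriving the three lookups by mapping over the same ids array would keep the indices and ids from drifting apart. The enclosing createGetTests body starts outside the hunk.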
67 changes: 65 additions & 2 deletions x-pack/test/functional/es_archives/alerts/data.json
Expand Up @@ -14,7 +14,7 @@
"createdAt": "2020-06-17T15:35:38.497Z",
"createdBy": "elastic",
"enabled": true,
"muteAll": false,
"muteAll": true,
"mutedInstanceIds": [
],
"name": "always-firing-alert",
Expand Down Expand Up @@ -1023,7 +1023,7 @@
"createdBy":"elastic",
"updatedBy":"elastic",
"createdAt":"2021-07-27T20:42:55.896Z",
"muteAll":false,
"muteAll":true,
"mutedInstanceIds":[

],
Expand Down Expand Up @@ -1407,4 +1407,67 @@
}
}
}
}

{
"type":"doc",
"value":{
"id":"alert:88bc8c21-07ba-42eb-ad9c-06820275ac10",
"index":".kibana_1",
"source":{
"alert":{
"name":"Test unmuting of a custom security rule",
"alertTypeId":"siem.queryRule",
"consumer":"siem",
"params":{
"immutable":false,
"ruleId":"bf9638eb-8d3c-4f40-83d7-8c40a7c80f2e",
"author":[],
"description":"Test unmuting of a custom security rule",
"falsePositives":[],
"from":"now-36000060s",
"license":"",
"outputIndex":".siem-signals-default",
"meta":{
"from":"10000h"
},
"maxSignals":100,
"riskScore":21,
"riskScoreMapping":[],
"severity":"low",
"severityMapping":[],
"threat":[],
"to":"now",
"references":[],
"version":0,
"exceptionsList":[],
"type":"query",
"language":"kuery",
"index":["test-index"],
"query":"*:*",
"filters":[]
},
"schedule":{
"interval":"5m"
},
"enabled":false,
"actions": [],
"apiKeyOwner":null,
"apiKey":null,
"createdBy":"elastic",
"updatedBy":"elastic",
"createdAt":"2023-03-27T20:42:55.896Z",
"muteAll":true,
"mutedInstanceIds":[],
"scheduledTaskId":null,
"tags":[]
},
"type":"alert",
"migrationVersion":{
"alert":"8.7.0"
},
"updated_at":"2023-03-27T20:42:55.896Z",
"references":[]
}
}
}