[Cloud Security]Detection Rules counter on Rules Flyout #176041
Merged: animehart merged 13 commits into elastic:main from animehart:rules-flyout-detection-rule on Feb 6, 2024
Commits (13, all by animehart):

- 3ac88f2 started
- 0f06116 updated de creation message
- 17ca1eb added FTR
- c5c4dba cleanup
- 155b406 fix conflict
- 6a6aeb4 Merge branch 'main' into rules-flyout-detection-rule
- 76f5230 checking if new ftr is causing issue
- 42bf2f9 Merge branch 'rules-flyout-detection-rule' of github.com:animehart/ki…
- a3a007d changed test order
- 1d51a88 fix ftr
- c42aeb6 Merge branch 'main' into rules-flyout-detection-rule
- cdcef1b conflict fix
- 99b1f58 Merge branch 'rules-flyout-detection-rule' of github.com:animehart/ki…
103 changes: 103 additions & 0 deletions
...ecurity_posture/public/pages/configurations/utils/create_detection_rule_from_benchmark.ts
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import { HttpSetup } from '@kbn/core/public'; | ||
| import { CspBenchmarkRule } from '../../../../common/types/latest'; | ||
| import { | ||
| FINDINGS_INDEX_PATTERN, | ||
| LATEST_FINDINGS_RETENTION_POLICY, | ||
| } from '../../../../common/constants'; | ||
| import { createDetectionRule } from '../../../common/api/create_detection_rule'; | ||
| import { generateBenchmarkRuleTags } from '../../../../common/utils/detection_rules'; | ||
|
|
||
| const DEFAULT_RULE_RISK_SCORE = 0; | ||
| const DEFAULT_RULE_SEVERITY = 'low'; | ||
| const DEFAULT_RULE_ENABLED = true; | ||
| const DEFAULT_RULE_AUTHOR = 'Elastic'; | ||
| const DEFAULT_RULE_LICENSE = 'Elastic License v2'; | ||
| const DEFAULT_MAX_ALERTS_PER_RULE = 100; | ||
| const ALERT_SUPPRESSION_FIELD = 'resource.id'; | ||
| const ALERT_TIMESTAMP_FIELD = 'event.ingested'; | ||
| const DEFAULT_INVESTIGATION_FIELDS = { | ||
| field_names: ['resource.name', 'resource.id', 'resource.type', 'resource.sub_type'], | ||
| }; | ||
|
|
||
| enum AlertSuppressionMissingFieldsStrategy { | ||
| // per each document a separate alert will be created | ||
| DoNotSuppress = 'doNotSuppress', | ||
| // only one alert will be created per suppress by bucket | ||
| Suppress = 'suppress', | ||
| } | ||
|
|
||
| const convertReferencesLinksToArray = (input: string | undefined) => { | ||
| if (!input) { | ||
| return []; | ||
| } | ||
| // Match all URLs in the input string using a regular expression | ||
| const matches = input.match(/(https?:\/\/\S+)/g); | ||
|
|
||
| if (!matches) { | ||
| return []; | ||
| } | ||
|
|
||
| // Remove the numbers and new lines | ||
| return matches.map((link) => link.replace(/^\d+\. /, '').replace(/\n/g, '')); | ||
| }; | ||
|
|
||
| const generateFindingsRuleQuery = (benchmarkRule: CspBenchmarkRule['metadata']) => { | ||
| const currentTimestamp = new Date().toISOString(); | ||
|
|
||
| return `rule.benchmark.rule_number: "${benchmarkRule.benchmark.rule_number}" | ||
| AND rule.benchmark.id: "${benchmarkRule.benchmark.id}" | ||
| AND result.evaluation: "failed" | ||
| AND event.ingested >= "${currentTimestamp}"`; | ||
| }; | ||
|
|
||
| /* | ||
| * Creates a detection rule from a Benchmark rule | ||
| */ | ||
| export const createDetectionRuleFromBenchmark = async ( | ||
| http: HttpSetup, | ||
| benchmarkRule: CspBenchmarkRule['metadata'] | ||
| ) => { | ||
| return await createDetectionRule({ | ||
| http, | ||
| rule: { | ||
| type: 'query', | ||
| language: 'kuery', | ||
| license: DEFAULT_RULE_LICENSE, | ||
| author: [DEFAULT_RULE_AUTHOR], | ||
| filters: [], | ||
| false_positives: [], | ||
| risk_score: DEFAULT_RULE_RISK_SCORE, | ||
| risk_score_mapping: [], | ||
| severity: DEFAULT_RULE_SEVERITY, | ||
| severity_mapping: [], | ||
| threat: [], | ||
| interval: '1h', | ||
| from: `now-${LATEST_FINDINGS_RETENTION_POLICY}`, | ||
| to: 'now', | ||
| max_signals: DEFAULT_MAX_ALERTS_PER_RULE, | ||
| timestamp_override: ALERT_TIMESTAMP_FIELD, | ||
| timestamp_override_fallback_disabled: false, | ||
| actions: [], | ||
| enabled: DEFAULT_RULE_ENABLED, | ||
| alert_suppression: { | ||
| group_by: [ALERT_SUPPRESSION_FIELD], | ||
| missing_fields_strategy: AlertSuppressionMissingFieldsStrategy.Suppress, | ||
| }, | ||
| index: [FINDINGS_INDEX_PATTERN], | ||
| query: generateFindingsRuleQuery(benchmarkRule), | ||
| references: convertReferencesLinksToArray(benchmarkRule.references), | ||
| name: benchmarkRule.name, | ||
| description: benchmarkRule.rationale, | ||
| tags: generateBenchmarkRuleTags(benchmarkRule), | ||
| investigation_fields: DEFAULT_INVESTIGATION_FIELDS, | ||
| note: benchmarkRule.remediation, | ||
| }, | ||
| }); | ||
| }; | ||
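Review bot: in `convertReferencesLinksToArray`, both `replace` calls applied to each match are dead code: every match produced by `/(https?:\/\/\S+)/g` starts with `http`, so `/^\d+\. /` can never match, and `\S+` never captures a newline, so `/\n/g` has nothing to remove. Either drop the two calls, or, if the intent is to strip list numbering and line breaks from the raw `references` text, apply them to `input` before matching. Also note that `\S+` will swallow trailing punctuation such as `)` or `.` when a URL ends a sentence in the references text, which puts a broken link into the created rule. Separately, `generateFindingsRuleQuery` interpolates `benchmarkRule.benchmark.rule_number` and `benchmarkRule.benchmark.id` into the KQL string without escaping; a `"` or `\` in either value would produce a malformed query, so escaping those characters (or validating the values) would make the generated rule robust against unexpected benchmark metadata.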
29 changes: 29 additions & 0 deletions
x-pack/plugins/cloud_security_posture/public/pages/rules/rules_detection_rule_counter.tsx
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import type { HttpSetup } from '@kbn/core/public'; | ||
| import React from 'react'; | ||
| import { CspBenchmarkRule } from '../../../common/types/latest'; | ||
| import { getFindingsDetectionRuleSearchTags } from '../../../common/utils/detection_rules'; | ||
| import { DetectionRuleCounter } from '../../components/detection_rule_counter'; | ||
| import { createDetectionRuleFromBenchmark } from '../configurations/utils/create_detection_rule_from_benchmark'; | ||
|
|
||
| export const RulesDetectionRuleCounter = ({ | ||
| benchmarkRule, | ||
| }: { | ||
| benchmarkRule: CspBenchmarkRule['metadata']; | ||
| }) => { | ||
| const createBenchmarkRuleFn = async (http: HttpSetup) => | ||
| await createDetectionRuleFromBenchmark(http, benchmarkRule); | ||
|
|
||
| return ( | ||
| <DetectionRuleCounter | ||
| tags={getFindingsDetectionRuleSearchTags(benchmarkRule)} | ||
| createRuleFn={createBenchmarkRuleFn} | ||
| /> | ||
| ); | ||
| }; |
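Review bot: `createBenchmarkRuleFn` is an `async` arrow that only `await`s and returns the result of `createDetectionRuleFromBenchmark`, so the wrapper adds nothing; `createRuleFn={(http) => createDetectionRuleFromBenchmark(http, benchmarkRule)}` is equivalent and simpler. The arrow is also recreated on every render, so `DetectionRuleCounter` receives a new `createRuleFn` reference each time; if that component lists the prop in a hook dependency array or memoizes on it, wrap the function in `useCallback` keyed on `benchmarkRule`.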
@animehart @opauloh This file is almost identical to `create_detection_rule_from_finding.ts`. Let's avoid such repetition and think about how to abstract the logic. I can see that the only different thing is where we take the data from. In one case it's `finding.rule.benchmark` and in another, it's `benchmarkRule`. All the rest looks the same. If that's the case, it should be very simple to abstract and just pass the `benchmark` object.