[Security Solution] [Detections] Adds support for system actions (and cases action) to detection rules #183937
Conversation
…factor was merged
...security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
Outdated
Show resolved
Hide resolved
dhurley14
added
ci:cloud-deploy
|
/ci |
dhurley14
added
the
release_note:skip
| @@ -479,7 +479,6 @@ components: | |||
| $ref: '#/components/schemas/RuleActionFrequency' | |||
| required: | |||
| - action_type_id | |||
| - group | |||
There was a problem hiding this comment.
For any questions on this, I pulled this from the system actions RFC:
All rules APIs will not accept the systemActions in their requests. The system will deduct if an action is a system action automatically using the actions’ client. As system actions are not allowed to have a group, the property will be optional (at the moment it is required) in all APIs. The APIs will convert the actions to the schema needed by the rules client. Finally, the APIs will merge the system actions with the default actions before sending the response back to the client.
Ref: https://docs.google.com/document/d/1mYStNLxrafnyxR6v_uB4ONw_iFHTg1pmE3EAQYgKFSY/edit?pli=1
⏳ Build in-progress
History
cc @dhurley14 |
|
Here is a list of test cases I tried manually. All passed:
|
… into system-actions-security
...n/public/detection_engine/rule_creation/components/step_rule_actions/notification_action.tsx
Outdated
Show resolved
Hide resolved
...press/e2e/detection_response/detection_engine/rule_actions/rule_actions_pli_essentials.cy.ts
Show resolved
Hide resolved
.../lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts
Show resolved
Hide resolved
...management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Hey @dhurley14. Thanks for addressing my points. Rechecked the bulk adding of system actions and everything seems to be working as expected now 👍
Left a couple of nits, but approving ✅
(I did cause a conflict in x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts when I merged #188631, sorry about that)
There was a problem hiding this comment.
Thanks for implementing this feature and addressing comments.
Approving it, only one test to add left: #183937 (comment)
…creation/components/step_rule_actions/notification_action.tsx Co-authored-by: Vitalii Dmyterko <[email protected]>
There was a problem hiding this comment.
I did a high-level review and testing. LGTM! I noticed that the rule description does not show how the system actions are executed. System actions always work with alert summaries and they are executed on each rule run if the rule matches (triggers). Should we add something to describe that for all system actions?
In the stack management or the o11y we show
Also, unrelated to the PR, I noticed that the ITSM connector is not working as expected. cc @js-jankisalvi
| ); | ||
| }; | ||
|
|
||
| export const getCases = async ( |
There was a problem hiding this comment.
nit: There is already a function to find cases in x-pack/test/cases_api_integration/common/lib/api/index.ts? What do you think of using that instead? Feel free to extend it to match your needs.
There was a problem hiding this comment.
I did investigate this however I could not find a clean way to go about doing this. The options all seemed to introduce too much complexity into the findCases function for a single security solution test case. The problems stem from the use of the auth parameter in the findCases function, whereas we use a supertest that has the auth added to the header to support both ESS and serverless test environments. To update the findCases function to support our use-case would be introducing more maintenance overhead than it was worth. At least that's what I found to be the situation. Thank you for the review!
@cnasikas Verified it happens in main as well. Created an issue. |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @dhurley14 |
Summary
Usually, connectors are used to communicate with external services like PagerDuty or ServiceNow. Automated actions like opening a case or running an OsQuery do not need any configuration. These types of actions are known as "system actions" and represent ways to automate functionality between different kibana features.
This PR allows detection rules to take advantage of system actions, like the cases action, to expedite tasks which our security customers might already undertake, while providing support for future system actions to be added later. You can read more about the cases action here: #153837
Testing
The cases system action is only available for Platinum licensing. To test all we need is to create a rule and in the Actions tab, select Cases, then turn the rule on and have it generate alerts. When the alerts are generated, a case (or cases) will be created and can be viewed in the Cases page.
The configuration options shown in the above screenshot are explained in more detail in this RFC, specifically Diagram 1, but to summarize:
The grouping pieces can be better understood via the following example:
If I select
agent.typein the group by field for the cases action, and have a rule that generates alerts frompacketbeat-*and fromauditbeat-*then that singular rule will generate two separate cases. One for alerts grouped byagent.type: packetbeatand another case for auditbeatAnd we can still use system actions in conjunction with other action connectors.
Checklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: