[Security Solution] Add EQL query editable component with EQL options fields #199115
Conversation
maximpn
added
release_note:skip
| @@ -33,7 +33,6 @@ export const timelineDefaults: SubsetTimelineModel & | |||
| description: '', | |||
| eqlOptions: { | |||
| eventCategoryField: 'event.category', | |||
| tiebreakerField: '', | |||
There was a problem hiding this comment.
tiebreakerField as an empty doesn't look correct for the EQL validator. It sends requests to /internal/search/eql to validate the request. It returns an error when a tiebreaker field has an empty string.
Additionally it looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
banderror
added
backport:version
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
2291ad0
to
db856ba
Compare
|
Thanks for all the work here! Pulled down and tested in rule creation/edit flow. So far LGTM. Confirmed that logic around disabling suppression for sequence queries remains. cc @dhurley14 |
| QueryLanguageEnum, | ||
| } from '../../../../../../../../../common/api/detection_engine'; | ||
| import { EqlQueryEditAdapter } from './eql_query_edit_adapter'; | ||
| // import { |
There was a problem hiding this comment.
Commented out code. Can be removed.
| eqlQuery: { | ||
| validations: [ | ||
| // { | ||
| // validator: debounceAsync(eqlValidator, 300), |
There was a problem hiding this comment.
Commented out code. Can be removed.
| ); | ||
| } | ||
|
|
||
| const kqlQuerySchema = { |
There was a problem hiding this comment.
Since there are no validations we can probably remove the schema
There was a problem hiding this comment.
RuleFieldEditFormWrapper's ruleFieldFormSchema property is required. We still should pass an empty object. So removing it completely it's possible.
There was a problem hiding this comment.
Got it. Then let's rename it to eqlQuerySchema.
|
For some reason getting an EQL validation error in the upgrade flyout, but on the the Rule Editing page. The error is shown right away, after opening the edit mode. Prevents me from saving. 
EQL query I usedapi where host.os.type == "win" and
process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and
not
(
process.executable : (
"?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
"?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe",
"?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe",
"?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\aciseagent.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpndownloader.exe",
"?:\\Program Files (x86)\\eScan\\reload.exe",
"?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
"?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe",
"?:\\Program Files (x86)\\microsoft intune management extension\\microsoft.management.services.intunewindowsagent.exe",
"?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe",
"?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe",
"?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe",
"?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe",
"?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe",
"?:\\Program Files*\\Windows Defender\\MsMpEng.exe",
"?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe",
"?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
"?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
"?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe",
"?:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
"?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe",
"?:\\Program Files\\Fortinet\\FortiClient\\FortiSSLVPNdaemon.exe",
"?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe",
"?:\\Program Files\\Huntress\\HuntressAgent.exe",
"?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe",
"?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe",
"?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe",
"?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
"?:\\Program Files\\smart-x\\controlupagent\\version*\\cuagent.exe",
"?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe",
"?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe",
"?:\\Program Files\\Trend Micro\\Deep Security Agent\\netagent\\tm_netagent.exe",
"?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
"?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
"?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe",
"?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe",
"?:\\Windows\\Sysmon.exe",
"?:\\Windows\\Sysmon64.exe",
"?:\\Windows\\System32\\csrss.exe",
"?:\\Windows\\System32\\MRT.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\taskhostw.exe",
"?:\\Windows\\System32\\RtkAudUService64.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"
) and not ?process.code_signature.trusted == false
)
|
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
326eeb0
to
64b371f
Compare
|
Hi @nkhristinin, thanks for testing the PR. Indeed
Could you elaborate on that? A screenshot or a video recording would be nice. |
Finally was able to see that in diff, thanks! |
| disabled, | ||
| onEqlOptionsChange, | ||
| onValidityChange, | ||
| onValiditingChange, |
There was a problem hiding this comment.
Looks like there's a typo. Did you mean onIsValidatingChange?
There was a problem hiding this comment.
Thanks for noticing. I copies this prop name from the existing EqlQueryBar component but it definitely makes sense to fix this typo.
There was a problem hiding this comment.
Thanks, @maximpn! I have manually tested the EQL field in both the flyout and the Rule Creation and Editing pages. I also re-tested the query bar validation with other rule types since it was affected by this PR.
I haven't found any additional issues except the one I mentioned in #199115 (comment). As we decided, it should be addressed separately after discussing it with the product.
also left a few minor comments about the code. Overall, the PR looks good to me now.
maximpn
force-pushed
the
add-eql-query-edit-component
branch
4 times, most recently
from
e77ca51
to
7408045
Compare
There was a problem hiding this comment.
The code LGTM and I did some smoke testing and everything seems to be working normally.
Though I'm a little worried about the changes made to Timeline. I don't have enough knowledge about how things work internally related to this tiebreakerField (I don't even what it is or what it does).
I would feel more comfortable if someone with more experience (@michaelolo24 @kqualters-elastic @janmonschke) was having a second look at this PR before approving.
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
7408045
to
1156ef3
Compare
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Unknown metric groupsReferences to deprecated APIs
History
cc @maximpn |
Partially addresses: #171520
Summary
This PR adds is built on top of #193828 and #196948 and adds an EQL Query editable component with EQL Options fields (
event_category_override,timestamp_fieldandtiebreaker_field) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.Details
This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done
EqlQueryEditcomponent withUseFieldinside. It helps to make it type safe avoiding issues like passing invalid types toEqlQueryBar.UseFieldtypes component properties asRecord<string, any>so potentially any refactoring can break some functionality. For example code in Timeline passesDataViewSpecwhereDataViewBaseis expected while these two types aren't fully compatible.EqlQueryEdit. Passing field configuration toUseFieldrewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration forUseFields. Additionally we can reduce reusing complexity by incapsulating absolutely required validation inEqlQueryEditcomponent.tiebreakerFieldwas removed in Timelines.tiebreakerFieldis part of EQL options used for EQL validation. EQL validation endpoint/internal/search/eqlreturns an error when an empty string provided fortiebreakerField. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.How to test
The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below
Potential Code Execution via Postgresqlwith rule_id2a692072-d78d-42f3-a48a-775677d79c4eDetection Rules (SIEM)Page ->Rule Updates-> click onPotential Code Execution via Postgresqlrule -> expandEQL Queryto see EQL Query -> pressEditbuttonScreenshots