[Security Solutions][Detection Engine] Adds threat matching API and rule type

x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts

@@ -299,6 +299,7 @@ export const type = t.keyof({
   query: null,
   saved_query: null,
   threshold: null,
+  threat_match: null,
 });
 export type Type = t.TypeOf<typeof type>;
 

x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.mock.ts

@@ -48,3 +48,104 @@ export const getAddPrepackagedRulesSchemaDecodedMock = (): AddPrepackagedRulesSc
   exceptions_list: [],
   rule_id: 'rule-1',
 });
+
+export const getAddPrepackagedThreatMatchRulesSchemaMock = (): AddPrepackagedRulesSchema => ({
+  description: 'some description',
+  name: 'Query with a rule id',
+  query: 'user.name: root or user.name: admin',
+  severity: 'high',
+  type: 'threat_match',
+  risk_score: 55,
+  language: 'kuery',
+  rule_id: 'rule-1',
+  version: 1,
+  threat_query: '*:*',
+  threat_index: 'list-index',
+  threat_mapping: [
+    {
+      entries: [
+        {
+          field: 'host.name',
+          value: 'host.name',
+          type: 'mapping',
+        },
+      ],
+    },
+  ],
+  threat_filters: [
+    {
+      bool: {
+        must: [
+          {
+            query_string: {
+              query: 'host.name: linux',
+              analyze_wildcard: true,
+              time_zone: 'Zulu',
+            },
+          },
+        ],
+        filter: [],
+        should: [],
+        must_not: [],
+      },
+    },
+  ],
+});
+
+export const getAddPrepackagedThreatMatchRulesSchemaDecodedMock = (): AddPrepackagedRulesSchemaDecoded => ({
+  author: [],
+  description: 'some description',
+  name: 'Query with a rule id',
+  query: 'user.name: root or user.name: admin',
+  severity: 'high',
+  severity_mapping: [],
+  type: 'threat_match',
+  risk_score: 55,
+  risk_score_mapping: [],
+  language: 'kuery',
+  references: [],
+  actions: [],
+  enabled: false,
+  false_positives: [],
+  from: 'now-6m',
+  interval: '5m',
+  max_signals: DEFAULT_MAX_SIGNALS,
+  tags: [],
+  to: 'now',
+  threat: [],
+  throttle: null,
+  version: 1,
+  exceptions_list: [],
+  rule_id: 'rule-1',
+  threat_query: '*:*',
+  threat_index: 'list-index',
+  threat_mapping: [
+    {
+      entries: [
+        {
+          field: 'host.name',
+          value: 'host.name',
+          type: 'mapping',
+        },
+      ],
+    },
+  ],
+  threat_filters: [
+    {
+      bool: {
+        must: [
+          {
+            query_string: {
+              query: 'host.name: linux',
+              analyze_wildcard: true,
+              time_zone: 'Zulu',
+            },
+          },
+        ],
+        filter: [],
+        should: [],
+        must_not: [],
+      },
+    },
+  ],
+});

x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts

@@ -45,6 +45,12 @@ import {
   RiskScoreMapping,
   SeverityMapping,
 } from '../common/schemas';
+import {
+  threat_index,
+  threat_query,
+  threat_filters,
+  threat_mapping,
+} from '../types/threat_mapping';
 
 import {
   DefaultStringArray,
@@ -116,6 +122,10 @@ export const addPrepackagedRulesSchema = t.intersection([
       references: DefaultStringArray, // defaults to empty array of strings if not set during decode
       note, // defaults to "undefined" if not set during decode
       exceptions_list: DefaultListArray, // defaults to empty array if not set during decode
+      threat_filters, // defaults to "undefined" if not set during decode
+      threat_mapping, // defaults to "undefined" if not set during decode
+      threat_query, // defaults to "undefined" if not set during decode
+      threat_index, // defaults to "undefined" if not set during decode
     })
   ),
 ]);

x-pack/plugins/security_solution/common/detection_engine/schemas/request/add_prepackged_rules_schema.test.ts

@@ -17,6 +17,8 @@ import { left } from 'fp-ts/lib/Either';
 import {
   getAddPrepackagedRulesSchemaMock,
   getAddPrepackagedRulesSchemaDecodedMock,
+  getAddPrepackagedThreatMatchRulesSchemaMock,
+  getAddPrepackagedThreatMatchRulesSchemaDecodedMock,
 } from './add_prepackaged_rules_schema.mock';
 import { DEFAULT_MAX_SIGNALS } from '../../../constants';
 import { getListArrayMock } from '../types/lists.mock';
@@ -1597,4 +1599,16 @@ describe('add prepackaged rules schema', () => {
       expect(message.schema).toEqual(expected);
     });
   });
+
+  describe('threat_mapping', () => {
+    test('You can set a threat query, index, mapping, filters on a pre-packaged rule', () => {
+      const payload = getAddPrepackagedThreatMatchRulesSchemaMock();
+      const decoded = addPrepackagedRulesSchema.decode(payload);
+      const checked = exactCheck(payload, decoded);
+      const message = pipe(checked, foldLeftRight);
+      const expected = getAddPrepackagedThreatMatchRulesSchemaDecodedMock();
+      expect(getPaths(left(message.errors))).toEqual([]);
+      expect(message.schema).toEqual(expected);
+    });
+  });
 });

x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_rules_schema.mock.ts

@@ -55,3 +55,103 @@ export const getCreateRulesSchemaDecodedMock = (): CreateRulesSchemaDecoded => (
   exceptions_list: [],
   rule_id: 'rule-1',
 });
+
+export const getCreateThreatMatchRulesSchemaMock = (ruleId = 'rule-1'): CreateRulesSchema => ({
+  description: 'Detecting root and admin users',
+  name: 'Query with a rule id',
+  query: 'user.name: root or user.name: admin',
+  severity: 'high',
+  type: 'threat_match',
+  risk_score: 55,
+  language: 'kuery',
+  rule_id: ruleId,
+  threat_query: '*:*',
+  threat_index: 'list-index',
+  threat_mapping: [
+    {
+      entries: [
+        {
+          field: 'host.name',
+          value: 'host.name',
+          type: 'mapping',
+        },
+      ],
+    },
+  ],
+  threat_filters: [
+    {
+      bool: {
+        must: [
+          {
+            query_string: {
+              query: 'host.name: linux',
+              analyze_wildcard: true,
+              time_zone: 'Zulu',
+            },
+          },
+        ],
+        filter: [],
+        should: [],
+        must_not: [],
+      },
+    },
+  ],
+});
+
+export const getCreateThreatMatchRulesSchemaDecodedMock = (): CreateRulesSchemaDecoded => ({
+  author: [],
+  severity_mapping: [],
+  risk_score_mapping: [],
+  description: 'Detecting root and admin users',
+  name: 'Query with a rule id',
+  query: 'user.name: root or user.name: admin',
+  severity: 'high',
+  type: 'threat_match',
+  risk_score: 55,
+  language: 'kuery',
+  references: [],
+  actions: [],
+  enabled: true,
+  false_positives: [],
+  from: 'now-6m',
+  interval: '5m',
+  max_signals: DEFAULT_MAX_SIGNALS,
+  tags: [],
+  to: 'now',
+  threat: [],
+  throttle: null,
+  version: 1,
+  exceptions_list: [],
+  rule_id: 'rule-1',
+  threat_query: '*:*',
+  threat_index: 'list-index',
+  threat_mapping: [
+    {
+      entries: [
+        {
+          field: 'host.name',
+          value: 'host.name',
+          type: 'mapping',
+        },
+      ],
+    },
+  ],
+  threat_filters: [
+    {
+      bool: {
+        must: [
+          {
+            query_string: {
+              query: 'host.name: linux',
+              analyze_wildcard: true,
+              time_zone: 'Zulu',
+            },
+          },
+        ],
+        filter: [],
+        should: [],
+        must_not: [],
+      },
+    },
+  ],
+});

x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_rules_schema.test.ts

@@ -16,6 +16,8 @@ import { left } from 'fp-ts/lib/Either';
 import {
   getCreateRulesSchemaMock,
   getCreateRulesSchemaDecodedMock,
+  getCreateThreatMatchRulesSchemaMock,
+  getCreateThreatMatchRulesSchemaDecodedMock,
 } from './create_rules_schema.mock';
 import { DEFAULT_MAX_SIGNALS } from '../../../constants';
 import { getListArrayMock } from '../types/lists.mock';
@@ -1661,4 +1663,16 @@ describe('create rules schema', () => {
       expect(message.schema).toEqual(expected);
     });
   });
+
+  describe('threat_mapping', () => {
+    test('You can set a threat query, index, mapping, filters when creating a rule', () => {
+      const payload = getCreateThreatMatchRulesSchemaMock();
+      const decoded = createRulesSchema.decode(payload);
+      const checked = exactCheck(payload, decoded);
+      const message = pipe(checked, foldLeftRight);
+      const expected = getCreateThreatMatchRulesSchemaDecodedMock();
+      expect(getPaths(left(message.errors))).toEqual([]);
+      expect(message.schema).toEqual(expected);
+    });
+  });
 });

x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_rules_schema.ts

@@ -46,6 +46,12 @@ import {
   RiskScoreMapping,
   SeverityMapping,
 } from '../common/schemas';
+import {
+  threat_index,
+  threat_query,
+  threat_filters,
+  threat_mapping,
+} from '../types/threat_mapping';
 
 import {
   DefaultStringArray,
@@ -112,6 +118,10 @@ export const createRulesSchema = t.intersection([
       note, // defaults to "undefined" if not set during decode
       version: DefaultVersionNumber, // defaults to 1 if not set during decode
       exceptions_list: DefaultListArray, // defaults to empty array if not set during decode
+      threat_mapping, // defaults to "undefined" if not set during decode
+      threat_query, // defaults to "undefined" if not set during decode
+      threat_filters, // defaults to "undefined" if not set during decode
+      threat_index, // defaults to "undefined" if not set during decode
     })
   ),
 ]);

x-pack/plugins/security_solution/common/detection_engine/schemas/request/create_rules_type_dependents.test.ts

@@ -4,7 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getCreateRulesSchemaMock } from './create_rules_schema.mock';
+import {
+  getCreateRulesSchemaMock,
+  getCreateThreatMatchRulesSchemaMock,
+} from './create_rules_schema.mock';
 import { CreateRulesSchema } from './create_rules_schema';
 import { createRuleValidateTypeDependents } from './create_rules_type_dependents';
 
@@ -87,4 +90,39 @@ describe('create_rules_type_dependents', () => {
     const errors = createRuleValidateTypeDependents(schema);
     expect(errors).toEqual(['"threshold.value" has to be bigger than 0']);
   });
+
+  test('threat_index, threat_query, and threat_mapping are required when type is "threat_match" and validates with it', () => {
+    const schema: CreateRulesSchema = {
+      ...getCreateRulesSchemaMock(),
+      type: 'threat_match',
+    };
+    const errors = createRuleValidateTypeDependents(schema);
+    expect(errors).toEqual([
+      'when "type" is "threat_match", "threat_index" is required',
+      'when "type" is "threat_match", "threat_query" is required',
+      'when "type" is "threat_match", "threat_mapping" is required',
+    ]);
+  });
+
+  test('validates with threat_index, threat_query, and threat_mapping when type is "threat_match"', () => {
+    const schema = getCreateThreatMatchRulesSchemaMock();
+    const { threat_filters: threatFilters, ...noThreatFilters } = schema;
+    const errors = createRuleValidateTypeDependents(noThreatFilters);
+    expect(errors).toEqual([]);
+  });
+
+  test('does NOT validate when threat_mapping is an empty array', () => {
+    const schema: CreateRulesSchema = {
+      ...getCreateThreatMatchRulesSchemaMock(),
+      threat_mapping: [],
+    };
+    const errors = createRuleValidateTypeDependents(schema);
+    expect(errors).toEqual(['threat_mapping" must have at least one element']);
+  });
+
+  test('validates with threat_index, threat_query, threat_mapping, and an optional threat_filters, when type is "threat_match"', () => {
+    const schema = getCreateThreatMatchRulesSchemaMock();
+    const errors = createRuleValidateTypeDependents(schema);
+    expect(errors).toEqual([]);
+  });
 });