Skip to content

[Security Solutions][Detection Engine] Adds threat matching API and rule type #77395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 30 commits into from
Sep 20, 2020
Merged

[Security Solutions][Detection Engine] Adds threat matching API and rule type #77395

Show file tree
Hide file tree
Changes from 26 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
ce14648
Simple type change for Type to reduce multiple touch points when addi…
FrankHassanabad Sep 2, 2020
01c8c88
Merge branch 'master' into make-type-common
FrankHassanabad Sep 2, 2020
b49a549
Fixes the cycle deps issue by breaking out a file from utils
FrankHassanabad Sep 2, 2020
048c2d9
Fixed missing jest.mock call
FrankHassanabad Sep 3, 2020
298806c
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 3, 2020
6af9d85
Initial threat_mapping implementation
FrankHassanabad Sep 14, 2020
83d398e
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 14, 2020
4f6ad76
Broke out the schema into a types file for better organization and te…
FrankHassanabad Sep 14, 2020
84f11a7
More unit tests added
FrankHassanabad Sep 14, 2020
0f5496d
Adds more unit tests
FrankHassanabad Sep 14, 2020
581c663
More unit tests added
FrankHassanabad Sep 14, 2020
2aa838e
More unit tests
FrankHassanabad Sep 15, 2020
fea347c
Adds more unit tests
FrankHassanabad Sep 15, 2020
da7b89c
Fixes unit test
FrankHassanabad Sep 15, 2020
0a51480
Added more unit tests
FrankHassanabad Sep 15, 2020
fbab786
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 15, 2020
b992338
Fixed front end type issues after merge from master
FrankHassanabad Sep 15, 2020
d36e090
Added more tests and made the filters quicker and more resliant again…
FrankHassanabad Sep 16, 2020
f32eb78
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 16, 2020
575eecf
More unit tests
FrankHassanabad Sep 16, 2020
68599a9
Adds more unit tests
FrankHassanabad Sep 16, 2020
604c893
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 16, 2020
f3eaff0
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 16, 2020
404fee3
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 17, 2020
3a97f89
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 17, 2020
cf9502e
Fixed type issues from lastest merge from master
FrankHassanabad Sep 17, 2020
680150a
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 20, 2020
903ff63
Fixes from really really good code review of it.
FrankHassanabad Sep 20, 2020
b43f302
Merge branch 'master' into add-threat-match
FrankHassanabad Sep 20, 2020
7bfb649
Updated from master, merged in and implemented error messages from ot…
FrankHassanabad Sep 20, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,6 +299,7 @@ export const type = t.keyof({
query: null,
saved_query: null,
threshold: null,
threat_match: null,
});
export type Type = t.TypeOf<typeof type>;

Expand Down
10 changes: 10 additions & 0 deletions ...security_solution/common/detection_engine/schemas/request/add_prepackaged_rules_schema.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,12 @@ import {
RiskScoreMapping,
SeverityMapping,
} from '../common/schemas';
import {
threat_index,
threat_query,
threat_filters,
threat_mapping,
} from '../types/threat_mapping';

import {
DefaultStringArray,
Expand Down Expand Up @@ -116,6 +122,10 @@ export const addPrepackagedRulesSchema = t.intersection([
references: DefaultStringArray, // defaults to empty array of strings if not set during decode
note, // defaults to "undefined" if not set during decode
exceptions_list: DefaultListArray, // defaults to empty array if not set during decode
threat_filters, // defaults to "undefined" if not set during decode
Copy link
Contributor

@yctercero yctercero Sep 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: For fields that are arrays, do we want to default them to empty arrays? Or did you choose to default them to "undefined" to be more explicit about like if a rule is not of type "threat_match" these fields should not be there (as opposed to them being there and being [])?

Copy link
Contributor Author

@FrankHassanabad FrankHassanabad Sep 20, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah you answered the question below so I think we're good here 👍

threat_mapping, // defaults to "undefined" if not set during decode
threat_query, // defaults to "undefined" if not set during decode
threat_index, // defaults to "undefined" if not set during decode
})
),
]);
Expand Down
79 changes: 79 additions & 0 deletions ...rity_solution/common/detection_engine/schemas/request/add_prepackged_rules_schema.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1596,5 +1596,84 @@ describe('add prepackaged rules schema', () => {
};
expect(message.schema).toEqual(expected);
});

describe('threat_mapping', () => {
test('You can set a threat query, index, mapping, filters on a pre-packaged rule', () => {
const payload: AddPrepackagedRulesSchema = {
...getAddPrepackagedRulesSchemaMock(),
threat_query: '*:*',
Copy link
Contributor

@yctercero yctercero Sep 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: It might be useful to make a getThreatMatchAddOnMock that includes these threat match values to throw in throughout.

Copy link
Contributor Author

@FrankHassanabad FrankHassanabad Sep 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added both a getAddPrepackagedThreatRulesSchemaMock and a getAddPrepackagedThreatRulesSchemaDecodedMock here as well as the other schema based tests to keep the boiler platting down as suggested. 👍

So now it looks like all the rest. Thanks for the good advice

threat_index: 'list-index',
threat_mapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threat_filters: [
{
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
filter: [],
should: [],
must_not: [],
},
},
],
};

const decoded = addPrepackagedRulesSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
expect(getPaths(left(message.errors))).toEqual([]);
const expected: AddPrepackagedRulesSchema = {
...getAddPrepackagedRulesSchemaDecodedMock(),
threat_query: '*:*',
threat_index: 'list-index',
threat_mapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threat_filters: [
{
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
filter: [],
should: [],
must_not: [],
},
},
],
};
expect(message.schema).toEqual(expected);
});
});
});
});
79 changes: 79 additions & 0 deletions ...ins/security_solution/common/detection_engine/schemas/request/create_rules_schema.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1660,5 +1660,84 @@ describe('create rules schema', () => {
};
expect(message.schema).toEqual(expected);
});

describe('threat_mapping', () => {
test('You can set a threat query, index, mapping, filters on a pre-packaged rule', () => {
Copy link
Contributor

@yctercero yctercero Sep 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be:

Suggested change
test('You can set a threat query, index, mapping, filters on a pre-packaged rule', () => {
test('You can set a threat query, index, mapping, filters when creating rule', () => {

Copy link
Contributor Author

@FrankHassanabad FrankHassanabad Sep 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, good catch, fixed for the next commit

const payload: CreateRulesSchema = {
...getCreateRulesSchemaMock(),
threat_query: '*:*',
threat_index: 'list-index',
threat_mapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threat_filters: [
{
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
filter: [],
should: [],
must_not: [],
},
},
],
};

const decoded = createRulesSchema.decode(payload);
const checked = exactCheck(payload, decoded);
const message = pipe(checked, foldLeftRight);
expect(getPaths(left(message.errors))).toEqual([]);
const expected: CreateRulesSchemaDecoded = {
...getCreateRulesSchemaDecodedMock(),
threat_query: '*:*',
threat_index: 'list-index',
threat_mapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threat_filters: [
{
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
filter: [],
should: [],
must_not: [],
},
},
],
};
expect(message.schema).toEqual(expected);
});
});
});
});
10 changes: 10 additions & 0 deletions .../plugins/security_solution/common/detection_engine/schemas/request/create_rules_schema.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ import {
RiskScoreMapping,
SeverityMapping,
} from '../common/schemas';
import {
threat_index,
threat_query,
threat_filters,
threat_mapping,
} from '../types/threat_mapping';

import {
DefaultStringArray,
Expand Down Expand Up @@ -112,6 +118,10 @@ export const createRulesSchema = t.intersection([
note, // defaults to "undefined" if not set during decode
version: DefaultVersionNumber, // defaults to 1 if not set during decode
exceptions_list: DefaultListArray, // defaults to empty array if not set during decode
threat_mapping, // defaults to "undefined" if not set during decode
threat_query, // defaults to "undefined" if not set during decode
threat_filters, // defaults to "undefined" if not set during decode
threat_index, // defaults to "undefined" if not set during decode
})
),
]);
Expand Down
67 changes: 67 additions & 0 deletions ...ity_solution/common/detection_engine/schemas/request/create_rules_type_dependents.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,4 +87,71 @@ describe('create_rules_type_dependents', () => {
const errors = createRuleValidateTypeDependents(schema);
expect(errors).toEqual(['"threshold.value" has to be bigger than 0']);
});

test('threat_index, threat_query, and threat_mapping are required when type is "threat_match" and validates with it', () => {
const schema: CreateRulesSchema = {
...getCreateRulesSchemaMock(),
type: 'threat_match',
};
const errors = createRuleValidateTypeDependents(schema);
expect(errors).toEqual([
'when "type" is "threat_match", "threat_index" is required',
'when "type" is "threat_match", "threat_query" is required',
'when "type" is "threat_match", "threat_mapping" is required',
]);
});

test('validates with threat_index, threat_query, and threat_mapping when type is "threat_match"', () => {
const schema: CreateRulesSchema = {
...getCreateRulesSchemaMock(),
type: 'threat_match',
threat_index: 'index-123',
threat_mapping: [{ entries: [{ field: '', type: 'mapping', value: '' }] }],
threat_query: '*:*',
};
const errors = createRuleValidateTypeDependents(schema);
expect(errors).toEqual([]);
});

test('does NOT validate when threat_mapping is an empty array', () => {
const schema: CreateRulesSchema = {
...getCreateRulesSchemaMock(),
type: 'threat_match',
threat_index: 'index-123',
threat_mapping: [],
threat_query: '*:*',
};
const errors = createRuleValidateTypeDependents(schema);
expect(errors).toEqual(['threat_mapping" must have at least one element']);
Copy link
Contributor

@yctercero yctercero Sep 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahhh, I see now here why this value defaults to undefined as opposed to empty array given this requirement here.

});

test('validates with threat_index, threat_query, threat_mapping, and an optional threat_filters, when type is "threat_match"', () => {
const schema: CreateRulesSchema = {
...getCreateRulesSchemaMock(),
type: 'threat_match',
threat_index: 'index-123',
threat_mapping: [{ entries: [{ field: '', type: 'mapping', value: '' }] }],
threat_query: '*:*',
threat_filters: [
{
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
filter: [],
should: [],
must_not: [],
},
},
],
};
const errors = createRuleValidateTypeDependents(schema);
expect(errors).toEqual([]);
});
});
19 changes: 19 additions & 0 deletions ...security_solution/common/detection_engine/schemas/request/create_rules_type_dependents.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,24 @@ export const validateThreshold = (rule: CreateRulesSchema): string[] => {
return [];
};

export const validateThreatMapping = (rule: CreateRulesSchema): string[] => {
let errors: string[] = [];
if (rule.type === 'threat_match') {
Copy link
Contributor

@yctercero yctercero Sep 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: saw that I think one of the more recent PRs added the pattern of using a helper function to check rule type (x-pack/plugins/security_solution/common/detection_engine/utils.ts) like on line 98 above - maybe a threat match one can be added.

Copy link
Contributor Author

@FrankHassanabad FrankHassanabad Sep 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually yeah I had one in the backend on the server side but it looks like these have moved to the common section so totally agree. I am moving the server side one to the common section and then collapsing code and cleaning this one up. Thanks for the 🦅 👀 on these.

if (!rule.threat_mapping) {
errors = ['when "type" is "threat_match", "threat_mapping" is required', ...errors];
} else if (rule.threat_mapping.length === 0) {
errors = ['threat_mapping" must have at least one element', ...errors];
}
if (!rule.threat_query) {
errors = ['when "type" is "threat_match", "threat_query" is required', ...errors];
}
if (!rule.threat_index) {
errors = ['when "type" is "threat_match", "threat_index" is required', ...errors];
}
}
return errors;
};

export const createRuleValidateTypeDependents = (schema: CreateRulesSchema): string[] => {
return [
...validateAnomalyThreshold(schema),
Expand All @@ -117,5 +135,6 @@ export const createRuleValidateTypeDependents = (schema: CreateRulesSchema): str
...validateTimelineId(schema),
...validateTimelineTitle(schema),
...validateThreshold(schema),
...validateThreatMapping(schema),
];
};
Loading