[Security Solutions][Detection Engine] Adds missing mappings to the signals for the indicator rules#92928
Merged
FrankHassanabad merged 1 commit into elastic:master (Mar 1, 2021)
Conversation
💚 Build Succeeded
| created_by: createdBy, | ||
| updated_by: updatedBy, | ||
| threat: ruleParams.threat ?? [], | ||
| threat_mapping: ruleParams.threatMapping ?? [], |
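Review bot: `threat_mapping: ruleParams.threatMapping ?? []` writes an empty `threat_mapping` array onto `signal.rule` for every rule type, including rules that have no indicator mapping at all, so a consumer of the alert document cannot tell "no mapping configured" from "mapping configured but empty". The `threat` line above already follows the `?? []` pattern, but `threat_mapping` is specific to indicator rules; consider copying it only when defined, e.g. `...(ruleParams.threatMapping != null && { threat_mapping: ruleParams.threatMapping })`, and add a unit case for a plain query rule asserting that the key is absent rather than `[]`.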
Contributor
wouldn't we expect these to be left off of signal.rule when they are undefined for other rule types rather than defaulted to []?
Contributor (Author)
I followed the other examples, above this one. We can change this behavior with a follow up if we don't want empty arrays.
rylnd approved these changes on Mar 1, 2021.
rylnd (Contributor) left a comment:
I agree with @marshallmain that the defaulting in build_rule should probably be removed for consistency, but everything else looks great!
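The two shapes the reviewers are weighing, as an added example written for this thread (it is not Kibana's code and not the PR author's): `buildSignalRuleWithDefaults` mirrors the `?? []` defaulting on the lines under review, and `buildSignalRule` copies indicator-only parameters onto `signal.rule` only when the rule defines them. The names `RuleParams`, `buildSignalRule`, `buildSignalRuleWithDefaults`, `indicatorKeysPresent` and the two sample rules are assumptions made for illustration, as is the choice to keep `threat` (MITRE tags) as an always-present array.

```typescript
// Added example for this review thread, not code from Kibana or the PR author.
// It contrasts the `?? []` defaulting on the lines under review with the
// "leave it off when undefined" shape the reviewers asked for. The names
// RuleParams, buildSignalRuleWithDefaults, buildSignalRule, indicatorKeysPresent
// and the sample rules below are assumptions made for illustration.

type ThreatMappingEntry = {
  entries: Array<{ field: string; type: 'mapping'; value: string }>;
};

type ThreatTactic = {
  framework: string;
  tactic: { id: string; name: string; reference: string };
};

// Only the parameters this discussion touches; real rule params carry many more.
interface RuleParams {
  type: 'query' | 'threat_match';
  query?: string;
  threat?: ThreatTactic[];
  threatMapping?: ThreatMappingEntry[];
  threatIndex?: string[];
  threatQuery?: string;
}

// Shape from the lines under review: every optional array collapses to [],
// so a plain query rule still gets `threat_mapping: []` on signal.rule.
function buildSignalRuleWithDefaults(params: RuleParams): Record<string, unknown> {
  return {
    type: params.type,
    query: params.query,
    threat: params.threat ?? [],
    threat_mapping: params.threatMapping ?? [],
    threat_index: params.threatIndex ?? [],
    threat_query: params.threatQuery,
  };
}

// Shape the reviewers prefer: indicator-only fields are copied only when the
// rule defines them. `threat` is assumed here to be a required, always-array
// field in the schema, so defaulting it to [] stays.
function buildSignalRule(params: RuleParams): Record<string, unknown> {
  return {
    type: params.type,
    ...(params.query !== undefined ? { query: params.query } : {}),
    threat: params.threat ?? [],
    ...(params.threatMapping !== undefined ? { threat_mapping: params.threatMapping } : {}),
    ...(params.threatIndex !== undefined ? { threat_index: params.threatIndex } : {}),
    ...(params.threatQuery !== undefined ? { threat_query: params.threatQuery } : {}),
  };
}

// Constructed sample rules (assumptions, not taken from the PR).
const QUERY_RULE: RuleParams = {
  type: 'query',
  query: 'process.name:"mimikatz.exe"',
};

const INDICATOR_RULE: RuleParams = {
  type: 'threat_match',
  query: '*:*',
  threatIndex: ['filebeat-*'],
  threatQuery: 'threat.indicator.type:ipv4-addr',
  threatMapping: [
    {
      entries: [{ field: 'source.ip', type: 'mapping', value: 'threat.indicator.ip' }],
    },
  ],
};

// Lists which indicator-only keys a built signal.rule object carries, i.e.
// what a consumer reading the alert document's _source would see.
function indicatorKeysPresent(rule: Record<string, unknown>): string[] {
  return ['threat_mapping', 'threat_index', 'threat_query'].filter((k) => k in rule);
}

console.log('defaults, query rule    :', indicatorKeysPresent(buildSignalRuleWithDefaults(QUERY_RULE)));
console.log('conditional, query rule :', indicatorKeysPresent(buildSignalRule(QUERY_RULE)));
console.log('conditional, indicator  :', indicatorKeysPresent(buildSignalRule(INDICATOR_RULE)));
```

One caveat when deciding whether the distinction matters: Elasticsearch treats an empty array as a missing value, so an `exists` query on `signal.rule.threat_mapping` does not separate the two shapes at search time. The difference shows up in the `_source` that the UI, the API and exact-equality unit tests read, which is where the consistency argument in this thread applies.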
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request on Mar 1, 2021:

…elastic#92928)

## Summary
Indicator rules were missing the mappings and the copy code for when they were being created. This fixes that.

**Manual testing instructions**
Add an indicator rule:
![Screen Shot 2021-02-25 at 3 33 05 PM](https://user-images.githubusercontent.com/1151048/109229217-37c35700-7780-11eb-9988-573d53f2c076.png)
Then after it fires check that it shows up in the timeline and tables and also check that it is queryable:
![Screen Shot 2021-02-25 at 3 31 48 PM](https://user-images.githubusercontent.com/1151048/109229261-4a3d9080-7780-11eb-808b-06fb0e9e4099.png)
![Screen Shot 2021-02-25 at 3 32 12 PM](https://user-images.githubusercontent.com/1151048/109229269-4c075400-7780-11eb-96bd-2464a7ac555e.png)
![Screen Shot 2021-02-25 at 3 39 20 PM](https://user-images.githubusercontent.com/1151048/109229290-545f8f00-7780-11eb-982c-4506552973df.png)

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine added two commits (#93039 and #93038) that referenced this pull request on Mar 1, 2021, both carrying the same message:

…#92928) (#93039) / …#92928) (#93038)

## Summary
Indicator rules were missing the mappings and the copy code for when they were being created. This fixes that.

**Manual testing instructions**
Add an indicator rule:
![Screen Shot 2021-02-25 at 3 33 05 PM](https://user-images.githubusercontent.com/1151048/109229217-37c35700-7780-11eb-9988-573d53f2c076.png)
Then after it fires check that it shows up in the timeline and tables and also check that it is queryable:
![Screen Shot 2021-02-25 at 3 31 48 PM](https://user-images.githubusercontent.com/1151048/109229261-4a3d9080-7780-11eb-808b-06fb0e9e4099.png)
![Screen Shot 2021-02-25 at 3 32 12 PM](https://user-images.githubusercontent.com/1151048/109229269-4c075400-7780-11eb-96bd-2464a7ac555e.png)
![Screen Shot 2021-02-25 at 3 39 20 PM](https://user-images.githubusercontent.com/1151048/109229290-545f8f00-7780-11eb-982c-4506552973df.png)

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
FrankHassanabad added a commit that referenced this pull request on Mar 1, 2021:

## Summary
Follow up from: #92928

Removes the default arrays and adds typing to the rule schema in order to see which ones require default arrays vs. which ones can/should be defaulted as `undefined`. Updates unit tests.

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request on Mar 1, 2021:

## Summary
Follow up from: elastic#92928

Removes the default arrays and adds typing to the rule schema in order to see which ones require default arrays vs. which ones can/should be defaulted as `undefined`. Updates unit tests.

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine added a commit that referenced this pull request on Mar 1, 2021:

## Summary
Follow up from: #92928

Removes the default arrays and adds typing to the rule schema in order to see which ones require default arrays vs. which ones can/should be defaulted as `undefined`. Updates unit tests.

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
jloleysens added a commit that referenced this pull request on Mar 3, 2021:

… ilm/rollup-v2-action

* 'ilm/rollup-v2-action' of github.com:elastic/kibana:
  [Security Solution][Case][Bug] Only add rule object for alert comments (#92977)
  [Security Solution][Case] Show the current connector name in case view (#93018)
  [Security Solution] Remove unused mock data (#92357)
  Adds mapping to the signals for the indicator rules that were missing (#92928)
  skip flaky suite (#85208)
  Cleanup spaces plugin (#91976)
  Control round and decimal places in Gauge Visualization when using aggregate functions like average (#91293)
  Added alerting ui mock for jest test (#92604)
  Remove "beta" label from URL Drilldown as it is now GA (#92859)
Pinging @elastic/security-solution (Team: SecuritySolution)
rylnd added a commit to rylnd/kibana that referenced this pull request on Apr 20, 2021:
The last released mappings update was elastic#92928, which bumped from 24 -> 25. The few unreleased updates since then have increased this by 1, but since these changes are going out with 7.13 we are bumping by 10 _since the last release_, in order to give "room" for minor releases.
rylnd added a commit that referenced this pull request on Apr 20, 2021:

… 1.9 (#97573)

* adds snapshot test for getSignalsTemplate
* [CTI] Extracts non-ecs, non-signal mappings to separate file
* adds updated ECS mappings
* Normalize/clean up various mappings files
* Adds a wrapping "mappings.properties" around our extra mappings
* Spreads our other mappings similarly to ECS mappings
* Moves dynamic: false out of ECS mappings and into our main template
* Ensures we include 'threat.properties.indicator', since that's where our 'type: nested' declaration resides
* Update ECS mappings snapshot post-1.9 updates

  This updated snapshot reflects the mappings changes that one will receive when migrating/rolling over to a 7.13 alerts index.
* Update signals template version as per guidelines.

  The last released mappings update was #92928, which bumped from 24 -> 25. The few unreleased updates since then have increased this by 1, but since these changes are going out with 7.13 we are bumping by 10 _since the last release_, in order to give "room" for minor releases.
* Fix cypress test failure due to updated mappings

  This magic number represents "the number of mapped fields that begin with 'host.geo.c'" and, because this PR adds a mapping for host.geo.continent_code, the test needed to be updated.

Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request on Apr 20, 2021:

… 1.9 (elastic#97573)

* adds snapshot test for getSignalsTemplate
* [CTI] Extracts non-ecs, non-signal mappings to separate file
* adds updated ECS mappings
* Normalize/clean up various mappings files
* Adds a wrapping "mappings.properties" around our extra mappings
* Spreads our other mappings similarly to ECS mappings
* Moves dynamic: false out of ECS mappings and into our main template
* Ensures we include 'threat.properties.indicator', since that's where our 'type: nested' declaration resides
* Update ECS mappings snapshot post-1.9 updates

  This updated snapshot reflects the mappings changes that one will receive when migrating/rolling over to a 7.13 alerts index.
* Update signals template version as per guidelines.

  The last released mappings update was elastic#92928, which bumped from 24 -> 25. The few unreleased updates since then have increased this by 1, but since these changes are going out with 7.13 we are bumping by 10 _since the last release_, in order to give "room" for minor releases.
* Fix cypress test failure due to updated mappings

  This magic number represents "the number of mapped fields that begin with 'host.geo.c'" and, because this PR adds a mapping for host.geo.continent_code, the test needed to be updated.

Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
kibanamachine added a commit that referenced this pull request on Apr 20, 2021:

… 1.9 (#97573) (#97682)

* adds snapshot test for getSignalsTemplate
* [CTI] Extracts non-ecs, non-signal mappings to separate file
* adds updated ECS mappings
* Normalize/clean up various mappings files
* Adds a wrapping "mappings.properties" around our extra mappings
* Spreads our other mappings similarly to ECS mappings
* Moves dynamic: false out of ECS mappings and into our main template
* Ensures we include 'threat.properties.indicator', since that's where our 'type: nested' declaration resides
* Update ECS mappings snapshot post-1.9 updates

  This updated snapshot reflects the mappings changes that one will receive when migrating/rolling over to a 7.13 alerts index.
* Update signals template version as per guidelines.

  The last released mappings update was #92928, which bumped from 24 -> 25. The few unreleased updates since then have increased this by 1, but since these changes are going out with 7.13 we are bumping by 10 _since the last release_, in order to give "room" for minor releases.
* Fix cypress test failure due to updated mappings

  This magic number represents "the number of mapped fields that begin with 'host.geo.c'" and, because this PR adds a mapping for host.geo.continent_code, the test needed to be updated.

Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Summary
Indicator rules were missing the mappings and the copy code for when they were being created. This fixes that.
Manual testing instructions
Add an indicator rule:

Then after it fires check that it shows up in the timeline and tables and also check that it is queryable:



Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios