-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution] Implement isCustomized calculation (#186988)
**Resolves: #180145 **Resolves: #184364 > [!NOTE] > This PR doesn't include `isCustomized` recalculation when bulk editing rules. This should be addressed separately as it might require first changing the `RulesClient.bulkEdit` method signature. ## Summary This PR implements the calculation of `ruleSource.isCustomized` inside the `DetectionRulesClient`. The recalculation of the `isCustomized` field is performed on every rule patch and update operation, including rule upgrades. See the ticket for more information: #180145 and `detection_rules_client/mergers/rule_source/calculate_is_customized.ts` for implementation details. The `isCustomized` calculation is based on the `calculateRuleFieldsDiff` method used inside the prebuilt rules domain for calculating changed fields during rule upgrades. This ensures that the diff calculation logic is unified and reused to avoid any discrepancies in different paths of rule management. The recalculation and saving of the field is done in the following endpoints: - **Update Rule** - `PUT /rules` - **Patch Rule** - `PATCH /rules` - **Bulk Update Rules** - `PUT /rules/_bulk_update` - **Bulk Patch Rules** - `PATCH /rules/_bulk_update` - **Import Rules** - `POST /rules/_import` - **Perform Rule Upgrade** - `POST /prebuilt_rules/upgrade/_perform` This PR also partially addresses refactoring mentioned here: #184364. Namely: - Splits the rule converters into smaller single-responsibility functions. - Separate methods to convert RuleResponse to AlertingRule and back - Separate methods to apply rule patches, updates, or set defaults - Separate case converters - Migrates methods to work with RuleResponse instead of alerting type wherever possible. - Adds new methods for fetching rules by id or rule id and deprecates the `readRules`. Although new methods are not exposed yet in the public client interface, this is something that needs to be addressed separately.
- Loading branch information
Showing
62 changed files
with
2,552 additions
and
2,040 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
14 changes: 14 additions & 0 deletions
14
...etection_engine/prebuilt_rules/logic/rule_assets/__mocks__/prebuilt_rule_assets_client.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
export const createPrebuiltRuleAssetsClient = () => { | ||
return { | ||
fetchLatestAssets: jest.fn(), | ||
fetchLatestVersions: jest.fn(), | ||
fetchAssetsByVersion: jest.fn(), | ||
}; | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
...e_management/logic/detection_rules_client/converters/common_params_camel_to_snake.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { getBaseRuleParams } from '../../../../rule_schema/mocks'; | ||
import { commonParamsCamelToSnake } from './common_params_camel_to_snake'; | ||
|
||
describe('commonParamsCamelToSnake', () => { | ||
test('should convert rule_source params to snake case', () => { | ||
const transformedParams = commonParamsCamelToSnake({ | ||
...getBaseRuleParams(), | ||
ruleSource: { | ||
type: 'external', | ||
isCustomized: false, | ||
}, | ||
}); | ||
expect(transformedParams).toEqual( | ||
expect.objectContaining({ | ||
rule_source: { | ||
type: 'external', | ||
is_customized: false, | ||
}, | ||
}) | ||
); | ||
}); | ||
}); |
47 changes: 47 additions & 0 deletions
47
...e/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters'; | ||
import type { BaseRuleParams } from '../../../../rule_schema'; | ||
import { migrateLegacyInvestigationFields } from '../../../utils/utils'; | ||
|
||
export const commonParamsCamelToSnake = (params: BaseRuleParams) => { | ||
return { | ||
description: params.description, | ||
risk_score: params.riskScore, | ||
severity: params.severity, | ||
building_block_type: params.buildingBlockType, | ||
namespace: params.namespace, | ||
note: params.note, | ||
license: params.license, | ||
output_index: params.outputIndex, | ||
timeline_id: params.timelineId, | ||
timeline_title: params.timelineTitle, | ||
meta: params.meta, | ||
rule_name_override: params.ruleNameOverride, | ||
timestamp_override: params.timestampOverride, | ||
timestamp_override_fallback_disabled: params.timestampOverrideFallbackDisabled, | ||
investigation_fields: migrateLegacyInvestigationFields(params.investigationFields), | ||
author: params.author, | ||
false_positives: params.falsePositives, | ||
from: params.from, | ||
rule_id: params.ruleId, | ||
max_signals: params.maxSignals, | ||
risk_score_mapping: params.riskScoreMapping, | ||
severity_mapping: params.severityMapping, | ||
threat: params.threat, | ||
to: params.to, | ||
references: params.references, | ||
version: params.version, | ||
exceptions_list: params.exceptionsList, | ||
immutable: params.immutable, | ||
rule_source: convertObjectKeysToSnakeCase(params.ruleSource), | ||
related_integrations: params.relatedIntegrations ?? [], | ||
required_fields: params.requiredFields ?? [], | ||
setup: params.setup ?? '', | ||
}; | ||
}; |
26 changes: 26 additions & 0 deletions
26
...agement/logic/detection_rules_client/converters/convert_alerting_rule_to_rule_response.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { SanitizedRule } from '@kbn/alerting-plugin/common'; | ||
import { stringifyZodError } from '@kbn/zod-helpers'; | ||
import { RuleResponse } from '../../../../../../../common/api/detection_engine/model/rule_schema'; | ||
import type { RuleParams } from '../../../../rule_schema'; | ||
import { internalRuleToAPIResponse } from './internal_rule_to_api_response'; | ||
import { RuleResponseValidationError } from '../utils'; | ||
|
||
export function convertAlertingRuleToRuleResponse(rule: SanitizedRule<RuleParams>): RuleResponse { | ||
const parseResult = RuleResponse.safeParse(internalRuleToAPIResponse(rule)); | ||
|
||
if (!parseResult.success) { | ||
throw new RuleResponseValidationError({ | ||
message: stringifyZodError(parseResult.error), | ||
ruleId: rule.params.ruleId, | ||
}); | ||
} | ||
|
||
return parseResult.data; | ||
} |
39 changes: 39 additions & 0 deletions
39
...t/logic/detection_rules_client/converters/convert_prebuilt_rule_asset_to_rule_response.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { v4 as uuidv4 } from 'uuid'; | ||
import { RuleResponse } from '../../../../../../../common/api/detection_engine/model/rule_schema'; | ||
import { addEcsToRequiredFields } from '../../../utils/utils'; | ||
import type { PrebuiltRuleAsset } from '../../../../prebuilt_rules'; | ||
import { RULE_DEFAULTS } from '../mergers/apply_rule_defaults'; | ||
|
||
export const convertPrebuiltRuleAssetToRuleResponse = ( | ||
prebuiltRuleAsset: PrebuiltRuleAsset | ||
): RuleResponse => { | ||
const immutable = true; | ||
|
||
const ruleResponseSpecificFields = { | ||
id: uuidv4(), | ||
updated_at: new Date().toISOString(), | ||
updated_by: '', | ||
created_at: new Date().toISOString(), | ||
created_by: '', | ||
immutable, | ||
rule_source: { | ||
type: 'external', | ||
is_customized: false, | ||
}, | ||
revision: 1, | ||
}; | ||
|
||
return RuleResponse.parse({ | ||
...RULE_DEFAULTS, | ||
...prebuiltRuleAsset, | ||
required_fields: addEcsToRequiredFields(prebuiltRuleAsset.required_fields), | ||
...ruleResponseSpecificFields, | ||
}); | ||
}; |
Oops, something went wrong.