Skip to content

Commit

Permalink
[SIEM][Detection Engine] Utilizes native alert tags
Browse files Browse the repository at this point in the history 
## Summary

* Changes out the params of tags to use the native alert tags.
* Updated unit tests
* Updated examples

Tests are:

Post a query with a tag
```sh
./post_rule.sh ./rules/queries/query_with_tags.json
```

Filter by that tag:

```sh
./find_rule_by_filter.sh "alert.attributes.tags:tag_1"
```

Update a query with a tag:

```sh
./update_rule.sh ./rules/updates/update_tags.json
```


### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
  • Loading branch information
@FrankHassanabad
FrankHassanabad authored Dec 10, 2019
1 parent 5fb59f3 commit 23edb41
Show file tree
Hide file tree
Showing 11 changed files with 65 additions and 21 deletions.
3 changes: 1 addition & 2 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ export const sampleRuleAlertParams = (
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
type: 'query',
from: 'now-6m',
tags: ['some fake tag'],
to: 'now',
severity: 'high',
query: 'user.name: root or user.name: admin',
Expand Down Expand Up @@ -277,7 +276,7 @@ export const sampleRule = (): Partial<OutputRuleAlertRest> => {
references: ['http://www.example.com', 'https://ww.example.com'],
severity: 'high',
updated_by: 'elastic',
tags: [],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
};
Expand Down
3 changes: 1 addition & 2 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_rules.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ export const createRules = async ({
return alertsClient.create({
data: {
name,
tags: [],
tags,
alertTypeId: SIGNALS_ID,
params: {
description,
Expand All @@ -55,7 +55,6 @@ export const createRules = async ({
maxSignals,
riskScore,
severity,
tags,
threats,
to,
type,
Expand Down
3 changes: 2 additions & 1 deletion x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/rules_alert_type.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@ export const rulesAlertType = ({
maxSignals: schema.number({ defaultValue: DEFAULT_MAX_SIGNALS }),
riskScore: schema.number(),
severity: schema.string(),
tags: schema.arrayOf(schema.string(), { defaultValue: [] }),
threats: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
to: schema.string(),
type: schema.string(),
Expand All @@ -70,6 +69,7 @@ export const rulesAlertType = ({
// TODO: Remove this hard extraction of name once this is fixed: https://github.com/elastic/kibana/issues/50522
const savedObject = await services.savedObjectsClient.get('alert', alertId);
const name: string = savedObject.attributes.name;
const tags: string[] = savedObject.attributes.tags;

const createdBy: string = savedObject.attributes.createdBy;
const updatedBy: string = savedObject.attributes.updatedBy;
Expand Down Expand Up @@ -134,6 +134,7 @@ export const rulesAlertType = ({
interval,
enabled,
pageSize: searchAfterSize,
tags,
});

if (bulkIndexResult) {
Expand Down
2 changes: 1 addition & 1 deletion x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,7 @@ export interface ReadRuleByRuleId {
ruleId: string;
}

export type RuleTypeParams = Omit<RuleAlertParams, 'name' | 'enabled' | 'interval'>;
export type RuleTypeParams = Omit<RuleAlertParams, 'name' | 'enabled' | 'interval' | 'tags'>;

export type RuleAlertType = Alert & {
id: string;
Expand Down
4 changes: 1 addition & 3 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_rules.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,6 @@ export const updateRules = async ({
maxSignals,
riskScore,
severity,
tags,
threats,
to,
type,
Expand All @@ -112,11 +111,10 @@ export const updateRules = async ({
} else if (!rule.enabled && enabled) {
await alertsClient.enable({ id: rule.id });
}

return alertsClient.update({
id: rule.id,
data: {
tags: [],
tags: tags != null ? tags : [],
name: calculateName({ updatedName: name, originalName: rule.name }),
interval: calculateInterval(interval, rule.interval),
actions,
Expand Down
37 changes: 28 additions & 9 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
// Timestamp will potentially always be different so remove it for the test
delete fakeSignalSourceHit['@timestamp'];
Expand Down Expand Up @@ -102,7 +103,7 @@ describe('utils', () => {
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
type: 'query',
to: 'now',
enabled: true,
Expand Down Expand Up @@ -131,6 +132,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
// Timestamp will potentially always be different so remove it for the test
delete fakeSignalSourceHit['@timestamp'];
Expand Down Expand Up @@ -174,7 +176,7 @@ describe('utils', () => {
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
type: 'query',
to: 'now',
enabled: true,
Expand Down Expand Up @@ -202,6 +204,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
// Timestamp will potentially always be different so remove it for the test
delete fakeSignalSourceHit['@timestamp'];
Expand Down Expand Up @@ -244,7 +247,7 @@ describe('utils', () => {
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
type: 'query',
to: 'now',
enabled: true,
Expand All @@ -270,6 +273,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
// Timestamp will potentially always be different so remove it for the test
delete fakeSignalSourceHit['@timestamp'];
Expand Down Expand Up @@ -307,7 +311,7 @@ describe('utils', () => {
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
type: 'query',
to: 'now',
enabled: true,
Expand Down Expand Up @@ -448,6 +452,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(successfulsingleBulkCreate).toEqual(true);
});
Expand Down Expand Up @@ -475,6 +480,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(successfulsingleBulkCreate).toEqual(true);
});
Expand All @@ -494,6 +500,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(successfulsingleBulkCreate).toEqual(true);
});
Expand All @@ -513,6 +520,7 @@ describe('utils', () => {
updatedBy: 'elastic',
interval: '5m',
enabled: true,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(mockLogger.error).toHaveBeenCalled();
expect(successfulsingleBulkCreate).toEqual(true);
Expand Down Expand Up @@ -583,6 +591,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(mockService.callCluster).toHaveBeenCalledTimes(0);
expect(result).toEqual(true);
Expand Down Expand Up @@ -634,6 +643,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(mockService.callCluster).toHaveBeenCalledTimes(5);
expect(result).toEqual(true);
Expand All @@ -656,6 +666,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(mockLogger.error).toHaveBeenCalled();
expect(result).toEqual(false);
Expand Down Expand Up @@ -685,6 +696,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(mockLogger.error).toHaveBeenCalled();
expect(result).toEqual(false);
Expand Down Expand Up @@ -714,6 +726,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(result).toEqual(true);
});
Expand Down Expand Up @@ -745,6 +758,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(result).toEqual(true);
});
Expand Down Expand Up @@ -776,6 +790,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(result).toEqual(true);
});
Expand Down Expand Up @@ -809,6 +824,7 @@ describe('utils', () => {
enabled: true,
pageSize: 1,
filter: undefined,
tags: ['some fake tag 1', 'some fake tag 2'],
});
expect(result).toEqual(false);
});
Expand Down Expand Up @@ -884,7 +900,7 @@ describe('utils', () => {
references: ['http://www.example.com', 'https://ww.example.com'],
severity: 'high',
updated_by: 'elastic',
tags: [],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
},
Expand Down Expand Up @@ -937,7 +953,7 @@ describe('utils', () => {
references: ['http://www.example.com', 'https://ww.example.com'],
severity: 'high',
updated_by: 'elastic',
tags: [],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
},
Expand Down Expand Up @@ -968,6 +984,7 @@ describe('utils', () => {
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
tags: ['some fake tag 1', 'some fake tag 2'],
});
const expected: Partial<OutputRuleAlertRest> = {
created_by: 'elastic',
Expand All @@ -988,7 +1005,7 @@ describe('utils', () => {
risk_score: 50,
rule_id: 'rule-1',
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
updated_by: 'elastic',
Expand Down Expand Up @@ -1018,6 +1035,7 @@ describe('utils', () => {
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
tags: ['some fake tag 1', 'some fake tag 2'],
});
const expected: Partial<OutputRuleAlertRest> = {
created_by: 'elastic',
Expand All @@ -1038,7 +1056,7 @@ describe('utils', () => {
risk_score: 50,
rule_id: 'rule-1',
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
updated_by: 'elastic',
Expand All @@ -1057,6 +1075,7 @@ describe('utils', () => {
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
tags: ['some fake tag 1', 'some fake tag 2'],
});
const expected: Partial<OutputRuleAlertRest> = {
created_by: 'elastic',
Expand All @@ -1077,7 +1096,7 @@ describe('utils', () => {
risk_score: 50,
rule_id: 'rule-1',
severity: 'high',
tags: ['some fake tag'],
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
type: 'query',
updated_by: 'elastic',
Expand Down
Loading

0 comments on commit 23edb41

Please sign in to comment.