updates per feedback

elastic · Jun 25, 2020 · 373fe8c · 373fe8c
1 parent 1713e7f
commit 373fe8c
Show file tree

Hide file tree

Showing 7 changed files with 124 additions and 16 deletions.
diff --git a/x-pack/plugins/lists/README.md b/x-pack/plugins/lists/README.md
@@ -157,12 +157,14 @@ And you can attach exception list items like so:
     {
       "field": "actingProcess.file.signer",
       "operator": "included",
-      "match": "Elastic, N.V."
+      "type": "match",
+      "value": "Elastic, N.V."
     },
     {
       "field": "event.category",
       "operator": "included",
-      "match_any": [
+      "type": "match_any",
+      "value": [
         "process",
         "malware"
       ]

diff --git a/x-pack/plugins/lists/server/scripts/exception_lists/new/exception_list_item_with_list.json b/x-pack/plugins/lists/server/scripts/exception_lists/new/exception_list_item_with_list.json
@@ -1,4 +1,5 @@
 {
+  "list_id": "endpoint_list",
   "item_id": "endpoint_list_item_lg_val_list",
   "_tags": ["endpoint", "process", "malware", "os:windows"],
   "tags": ["user added string for a tag", "malware"],

diff --git a/x-pack/plugins/lists/server/scripts/lists/new/list_ip_item.json b/x-pack/plugins/lists/server/scripts/lists/new/list_ip_item.json
@@ -1,5 +1,5 @@
 {
   "id": "hand_inserted_item_id",
   "list_id": "list-ip",
-  "value": "127.0.0.1"
+  "value": "10.4.2.140"
 }
diff --git a/x-pack/plugins/security_solution/common/detection_engine/lists_common_deps.ts b/x-pack/plugins/security_solution/common/detection_engine/lists_common_deps.ts
@@ -4,4 +4,4 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-export { EntryList, EntriesArray, namespaceType } from '../../../lists/common/schemas';
+export { EntriesArray, namespaceType } from '../../../lists/common/schemas';
diff --git a/...k/plugins/security_solution/server/lib/detection_engine/signals/build_exceptions_query.ts b/...k/plugins/security_solution/server/lib/detection_engine/signals/build_exceptions_query.ts
@@ -56,8 +56,6 @@ export const operatorBuilder = ({
   });
 
   switch (operator) {
-    // case 'excluded':
-    //   return ` ${and} `;
     case 'included':
       return `${not} `;
     default:

diff --git a/.../plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts b/.../plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
@@ -8,7 +8,11 @@ import { Logger } from 'src/core/server';
 
 import { ListClient } from '../../../../../lists/server';
 import { SignalSearchResponse, SearchTypes } from './types';
-import { entriesList, ExceptionListItemSchema } from '../../../../../lists/common/schemas';
+import {
+  entriesList,
+  EntryList,
+  ExceptionListItemSchema,
+} from '../../../../../lists/common/schemas';
 
 interface FilterEventsAgainstList {
   listClient: ListClient;
@@ -37,14 +41,8 @@ export const filterEventsAgainstList = async ({
         const { entries } = exceptionItem;
 
         const filteredHitsEntries = entries
-          .filter((t) => entriesList.is(t))
+          .filter((t): t is EntryList => entriesList.is(t))
           .map(async (entry) => {
-            // TODO: If this check is removed, then typescript doesn't
-            // recognize "entry" as EntryList despite .filter()
-            if (!entriesList.is(entry)) {
-              throw new Error('Malformed exception list provided');
-            }
-
             // acquire the list values we are checking for.
             const valuesOfGivenType = eventSearchResult.hits.hits.reduce(
               (acc, searchResultItem) => {

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.test.ts
@@ -7,17 +7,23 @@
 import moment from 'moment';
 import sinon from 'sinon';
 
+import { alertsMock, AlertServicesMock } from '../../../../../alerts/server/mocks';
+import { listMock } from '../../../../../lists/server/mocks';
+import { EntriesArray } from '../../../../common/detection_engine/lists_common_deps';
+
+import * as featureFlags from '../feature_flags';
+
 import {
   generateId,
   parseInterval,
   parseScheduleDates,
   getDriftTolerance,
   getGapBetweenRuns,
   errorAggregator,
+  getListsClient,
+  hasLargeValueList,
 } from './utils';
-
 import { BulkResponseErrorAggregation } from './types';
-
 import {
   sampleBulkResponse,
   sampleEmptyBulkResponse,
@@ -529,4 +535,107 @@ describe('utils', () => {
       expect(aggregated).toEqual(expected);
     });
   });
+
+  describe('#getListsClient', () => {
+    let alertServices: AlertServicesMock;
+
+    beforeEach(() => {
+      alertServices = alertsMock.createAlertServices();
+    });
+
+    afterEach(() => {
+      jest.clearAllMocks();
+    });
+
+    test('it successfully returns list and exceptions list client', async () => {
+      jest.spyOn(featureFlags, 'hasListsFeature').mockReturnValue(true);
+
+      const { listClient, exceptionsClient } = await getListsClient({
+        services: alertServices,
+        savedObjectClient: alertServices.savedObjectsClient,
+        updatedByUser: 'some_user',
+        spaceId: '',
+        lists: listMock.createSetup(),
+      });
+
+      expect(listClient).toBeDefined();
+      expect(exceptionsClient).toBeDefined();
+    });
+
+    test('it returns list and exceptions client of "undefined" if lists feature flag is off', async () => {
+      jest.spyOn(featureFlags, 'hasListsFeature').mockReturnValue(false);
+
+      const listsClient = await getListsClient({
+        services: alertServices,
+        savedObjectClient: alertServices.savedObjectsClient,
+        updatedByUser: 'some_user',
+        spaceId: '',
+        lists: listMock.createSetup(),
+      });
+
+      expect(listsClient).toEqual({ listClient: undefined, exceptionsClient: undefined });
+    });
+
+    test('it throws if "lists" is undefined', async () => {
+      jest.spyOn(featureFlags, 'hasListsFeature').mockReturnValue(true);
+
+      await expect(() =>
+        getListsClient({
+          services: alertServices,
+          savedObjectClient: alertServices.savedObjectsClient,
+          updatedByUser: 'some_user',
+          spaceId: '',
+          lists: undefined,
+        })
+      ).rejects.toThrowError('lists plugin unavailable during rule execution');
+    });
+  });
+
+  describe('#hasLargeValueList', () => {
+    test('it returns false if empty array', () => {
+      const hasLists = hasLargeValueList([]);
+
+      expect(hasLists).toBeFalsy();
+    });
+
+    test('it returns true if item of type EntryList exists', () => {
+      const entries: EntriesArray = [
+        {
+          field: 'actingProcess.file.signer',
+          type: 'list',
+          operator: 'included',
+          list: { id: 'some id', type: 'ip' },
+        },
+        {
+          field: 'file.signature.signer',
+          type: 'match',
+          operator: 'excluded',
+          value: 'Global Signer',
+        },
+      ];
+      const hasLists = hasLargeValueList(entries);
+
+      expect(hasLists).toBeTruthy();
+    });
+
+    test('it returns false if item of type EntryList does not exist', () => {
+      const entries: EntriesArray = [
+        {
+          field: 'actingProcess.file.signer',
+          type: 'match',
+          operator: 'included',
+          value: 'Elastic, N.V.',
+        },
+        {
+          field: 'file.signature.signer',
+          type: 'match',
+          operator: 'excluded',
+          value: 'Global Signer',
+        },
+      ];
+      const hasLists = hasLargeValueList(entries);
+
+      expect(hasLists).toBeFalsy();
+    });
+  });
 });