
Fixed the signal rule copying over to be more complete along with tes…
…ts and types and refactoring
FrankHassanabad committed Nov 20, 2019
1 parent cab25f9 commit 43fcd16
Showing 9 changed files with 562 additions and 447 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ const FROM = 'now-6m';
const TO = 'now';
const IMMUTABLE = true;
const INDEX = ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'];
const OUTPUT_INDEX = process.env.SIGNALS_INDEX || '.siem-signals';
const RISK_SCORE = 50;

const walk = dir => {
const list = fs.readdirSync(dir);
Expand Down Expand Up @@ -119,6 +121,7 @@ async function main() {
if (query != null && query.trim() !== '') {
const outputMessage = {
rule_id: fileToWrite,
risk_score: RISK_SCORE,
description: description || title,
immutable: IMMUTABLE,
index: INDEX,
Expand All @@ -131,6 +134,7 @@ async function main() {
query,
language,
filters: filter,
output_index: OUTPUT_INDEX,
};

fs.writeFileSync(
Expand Down
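Review bot: `OUTPUT_INDEX` is resolved from `process.env.SIGNALS_INDEX` when this generator runs and is then stamped into every produced rule as `output_index`, so the environment of whoever runs the script, not the deployment that loads the rules, decides which index prebuilt rules write signals to. If the generated rule files are committed, a developer with `SIGNALS_INDEX` set locally would silently change the committed value; either omit `output_index` from generated rules so the server-side default applies, or mark the hazard at the constant: `// NOTE: baked into generated rule files at generation time; run with SIGNALS_INDEX unset for committed rules`. Likewise `risk_score: RISK_SCORE` assigns 50 to every rule regardless of its severity; if that is a placeholder, say so: `// TODO: derive risk_score per rule; 50 is a placeholder`. The enclosing `main` function and the surrounding scope continue outside these hunks.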
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,17 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { SignalSourceHit, SignalSearchResponse, SignalAlertParams } from '../types';
import { SignalSourceHit, SignalSearchResponse, AlertTypeParams } from '../types';

export const sampleSignalAlertParams = (
maxSignals: number | undefined,
riskScore?: number | undefined
): SignalAlertParams => ({
): AlertTypeParams => ({
ruleId: 'rule-1',
description: 'Detecting root and admin users',
falsePositives: [],
immutable: false,
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
interval: '5m',
name: 'Detect Root/Admin Users',
type: 'query',
from: 'now-6m',
tags: ['some fake tag'],
Expand All @@ -28,7 +26,6 @@ export const sampleSignalAlertParams = (
references: ['http://google.com'],
riskScore: riskScore ? riskScore : 50,
maxSignals: maxSignals ? maxSignals : 10000,
enabled: true,
filter: undefined,
filters: undefined,
savedId: undefined,
Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@
import { schema } from '@kbn/config-schema';
import { Logger } from 'src/core/server';
import { SIGNALS_ID } from '../../../../common/constants';
// TODO: Remove this for the build_events_query call eventually
import { buildEventsReIndex } from './build_events_reindex';

import { buildEventsSearchQuery } from './build_events_query';
import { searchAfterAndBulkIndex } from './utils';
Expand Down Expand Up @@ -46,7 +44,6 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp
},
async executor({ alertId, services, params }) {
const {
description,
filter,
from,
ruleId,
Expand All @@ -56,18 +53,20 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp
outputIndex,
savedId,
query,
maxSignals,
// riskScore, TODO: Add and copy this data and any other data over to the rule
references,
severity,
to,
type,
size,
} = params;

// TODO: Remove this hard extraction of name once this is fixed: https://github.com/elastic/kibana/issues/50522
const savedObject = await services.savedObjectsClient.get('alert', alertId);
const name = savedObject.attributes.name;
const name: string = savedObject.attributes.name;

const createdBy: string = savedObject.attributes.createdBy;
const updatedBy: string = savedObject.attributes.updatedBy;
const interval: string = savedObject.attributes.interval;
const enabled: boolean = savedObject.attributes.enabled;

const searchAfterSize = size ? size : 1000;

const esFilter = await getFilter({
Expand All @@ -92,55 +91,34 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp

try {
logger.debug(`Starting signal rule "id: ${alertId}", "ruleId: ${ruleId}"`);
if (process.env.USE_REINDEX_API === 'true') {
const reIndex = buildEventsReIndex({
index,
from,
to,
signalsIndex: outputIndex,
severity,
description,
name,
timeDetected: new Date().toISOString(),
filter: esFilter,
maxDocs: maxSignals,
ruleRevision: 1,
id: alertId,
ruleId,
type,
references,
});
const result = await services.callCluster('reindex', reIndex);
if (result.total > 0) {
logger.info(
`Total signals found from signal rule "id: ${alertId}", "ruleId: ${ruleId}" (reindex algorithm): ${result.total}`
);
}
} else {
logger.debug(
`[+] Initial search call of signal rule "id: ${alertId}", "ruleId: ${ruleId}"`
logger.debug(
`[+] Initial search call of signal rule "id: ${alertId}", "ruleId: ${ruleId}"`
);
const noReIndexResult = await services.callCluster('search', noReIndex);
if (noReIndexResult.hits.total.value !== 0) {
logger.info(
`Total signals found from signal rule "id: ${alertId}", "ruleId: ${ruleId}": ${noReIndexResult.hits.total.value}`
);
const noReIndexResult = await services.callCluster('search', noReIndex);
if (noReIndexResult.hits.total.value !== 0) {
logger.info(
`Total signals found from signal rule "id: ${alertId}", "ruleId: ${ruleId}": ${noReIndexResult.hits.total.value}`
);
}
}

const bulkIndexResult = await searchAfterAndBulkIndex(
noReIndexResult,
params,
services,
logger,
alertId,
outputIndex
);
const bulkIndexResult = await searchAfterAndBulkIndex({
someResult: noReIndexResult,
signalParams: params,
services,
logger,
id: alertId,
signalsIndex: outputIndex,
name,
createdBy,
updatedBy,
interval,
enabled,
});

if (bulkIndexResult) {
logger.debug(`Finished signal rule "id: ${alertId}", "ruleId: ${ruleId}"`);
} else {
logger.error(`Error processing signal rule "id: ${alertId}", "ruleId: ${ruleId}"`);
}
if (bulkIndexResult) {
logger.debug(`Finished signal rule "id: ${alertId}", "ruleId: ${ruleId}"`);
} else {
logger.error(`Error processing signal rule "id: ${alertId}", "ruleId: ${ruleId}"`);
}
} catch (err) {
// TODO: Error handling and writing of errors into a signal that has error
Expand Down
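Review bot: The four new reads of `savedObject.attributes` (`createdBy`, `updatedBy`, `interval`, `enabled`) carry `: string` / `: boolean` annotations that only assert a type on an attribute bag the compiler cannot check, so an absent or null attribute is passed on to `searchAfterAndBulkIndex` — and presumably copied into the written signals — while the code claims it is a string. The `types.ts` hunk on this same commit declares `updated_by: string | undefined | null`, so the annotations here disagree with the declared output shape; either widen them to match, e.g. `const updatedBy: string | undefined | null = savedObject.attributes.updatedBy;`, or validate the attributes once after the `get` and log an error and return before the search when a required one is missing. The existing TODO referencing issue 50522 covers only `name`; since the new lines extend the same workaround, widen it: `// TODO: remove name/createdBy/updatedBy/interval/enabled extraction from the saved object once #50522 is fixed`. `executor` and the enclosing `signalsAlertType` begin and end outside this hunk.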
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,10 @@ export type OutputSignalAlertRest = SignalAlertParamsRest & {
updated_by: string | undefined | null;
};

export type OutputSignalES = OutputSignalAlertRest & {
status: 'open' | 'closed';
};

export type UpdateSignalAlertParamsRest = Partial<SignalAlertParamsRest> & {
id: string | undefined;
rule_id: SignalAlertParams['ruleId'] | undefined;
Expand Down
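Review bot: `OutputSignalES` is a new exported type with no TSDoc, and nothing on the page says how it differs from `OutputSignalAlertRest` beyond the added `status` field or where it is meant to be used. Add a comment above it stating the contract, for example `/** OutputSignalAlertRest plus the `status` field a signal carries once indexed; 'open' and 'closed' are the only accepted values. */`, adjusting the wording if the type is consumed somewhere other than the signals index write path.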
