[Fleet] Install security_rule assets as saved objects (#95885) (#96527)

* [Fleet] Install security_rule assets as saved objects * Add security-rule to update_assets.ts * Update UUIDs for security_rule asset * Change .type to match the saved object type not the asset type * Add saved object mapping for security-rule * Make SO non-hidden * Fix SO mapping for security-rule * Make security-rule a non-hidden asset Co-authored-by: Ross Wolf <[email protected]>
elastic · Apr 8, 2021 · 95992f0 · 95992f0
1 parent 36d86ad
commit 95992f0
Show file tree

Hide file tree

Showing 11 changed files with 152 additions and 2 deletions.
diff --git a/x-pack/plugins/fleet/common/services/package_to_package_policy.test.ts b/x-pack/plugins/fleet/common/services/package_to_package_policy.test.ts
@@ -31,6 +31,7 @@ describe('Fleet - packageToPackagePolicy', () => {
         map: [],
         lens: [],
         ml_module: [],
+        security_rule: [],
       },
       elasticsearch: {
         ingest_pipeline: [],

diff --git a/x-pack/plugins/fleet/common/types/models/epm.ts b/x-pack/plugins/fleet/common/types/models/epm.ts
@@ -50,6 +50,7 @@ export enum KibanaAssetType {
   indexPattern = 'index_pattern',
   map = 'map',
   lens = 'lens',
+  securityRule = 'security_rule',
   mlModule = 'ml_module',
 }
 
@@ -64,6 +65,7 @@ export enum KibanaSavedObjectType {
   map = 'map',
   lens = 'lens',
   mlModule = 'ml-module',
+  securityRule = 'security-rule',
 }
 
 export enum ElasticsearchAssetType {

diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/epm/constants.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/epm/constants.tsx
@@ -33,6 +33,7 @@ export const AssetTitleMap: Record<AssetType, string> = {
   map: 'Map',
   data_stream_ilm_policy: 'Data Stream ILM Policy',
   lens: 'Lens',
+  security_rule: 'Security Rule',
   ml_module: 'ML Module',
 };
 
@@ -48,6 +49,7 @@ export const AssetIcons: Record<KibanaAssetType, IconType> = {
   visualization: 'visualizeApp',
   map: 'emsApp',
   lens: 'lensApp',
+  security_rule: 'securityApp',
   ml_module: 'mlApp',
 };
 

diff --git a/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts b/x-pack/plugins/fleet/server/services/epm/kibana/assets/install.ts
@@ -38,6 +38,7 @@ const KibanaSavedObjectTypeMapping: Record<KibanaAssetType, KibanaSavedObjectTyp
   [KibanaAssetType.visualization]: KibanaSavedObjectType.visualization,
   [KibanaAssetType.lens]: KibanaSavedObjectType.lens,
   [KibanaAssetType.mlModule]: KibanaSavedObjectType.mlModule,
+  [KibanaAssetType.securityRule]: KibanaSavedObjectType.securityRule,
 };
 
 // Define how each asset type will be installed
@@ -55,6 +56,7 @@ const AssetInstallers: Record<
   [KibanaAssetType.visualization]: installKibanaSavedObjects,
   [KibanaAssetType.lens]: installKibanaSavedObjects,
   [KibanaAssetType.mlModule]: installKibanaSavedObjects,
+  [KibanaAssetType.securityRule]: installKibanaSavedObjects,
 };
 
 export async function getKibanaAsset(key: string): Promise<ArchiveAsset> {

diff --git a/x-pack/plugins/fleet/server/services/epm/packages/assets.test.ts b/x-pack/plugins/fleet/server/services/epm/packages/assets.test.ts
@@ -43,7 +43,7 @@ const tests = [
       name: 'coredns',
       version: '1.0.1',
     },
-    // Non existant dataset
+    // Non existent dataset
     dataset: 'foo',
     filter: (path: string) => {
       return true;

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/saved_object_mappings.ts
@@ -53,3 +53,27 @@ export const type: SavedObjectsType = {
   namespaceType: 'single',
   mappings: ruleStatusSavedObjectMappings,
 };
+
+export const ruleAssetSavedObjectType = 'security-rule';
+
+export const ruleAssetSavedObjectMappings: SavedObjectsType['mappings'] = {
+  dynamic: false,
+  properties: {
+    name: {
+      type: 'keyword',
+    },
+    rule_id: {
+      type: 'keyword',
+    },
+    version: {
+      type: 'long',
+    },
+  },
+};
+
+export const ruleAssetType: SavedObjectsType = {
+  name: ruleAssetSavedObjectType,
+  hidden: false,
+  namespaceType: 'agnostic',
+  mappings: ruleAssetSavedObjectMappings,
+};
diff --git a/x-pack/plugins/security_solution/server/saved_objects.ts b/x-pack/plugins/security_solution/server/saved_objects.ts
@@ -8,7 +8,10 @@
 import { CoreSetup } from '../../../../src/core/server';
 
 import { noteType, pinnedEventType, timelineType } from './lib/timeline/saved_object_mappings';
-import { type as ruleStatusType } from './lib/detection_engine/rules/saved_object_mappings';
+import {
+  type as ruleStatusType,
+  ruleAssetType,
+} from './lib/detection_engine/rules/saved_object_mappings';
 import { type as ruleActionsType } from './lib/detection_engine/rule_actions/saved_object_mappings';
 import { type as signalsMigrationType } from './lib/detection_engine/migrations/saved_objects';
 import {
@@ -21,6 +24,7 @@ const types = [
   pinnedEventType,
   ruleActionsType,
   ruleStatusType,
+  ruleAssetType,
   timelineType,
   exceptionsArtifactType,
   manifestType,

diff --git a/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts b/x-pack/test/fleet_api_integration/apis/epm/install_remove_assets.ts
@@ -399,6 +399,11 @@ const expectAssetsInstalled = ({
       id: 'sample_ml_module',
     });
     expect(resMlModule.id).equal('sample_ml_module');
+    const resSecurityRule = await kibanaServer.savedObjects.get({
+      type: 'security-rule',
+      id: 'sample_security_rule',
+    });
+    expect(resSecurityRule.id).equal('sample_security_rule');
     const resIndexPattern = await kibanaServer.savedObjects.get({
       type: 'index-pattern',
       id: 'test-*',
@@ -472,6 +477,10 @@ const expectAssetsInstalled = ({
           id: 'sample_search',
           type: 'search',
         },
+        {
+          id: 'sample_security_rule',
+          type: 'security-rule',
+        },
         {
           id: 'sample_visualization',
           type: 'visualization',
@@ -537,6 +546,7 @@ const expectAssetsInstalled = ({
         { id: 'e21b59b5-eb76-5ab0-bef2-1c8e379e6197', type: 'epm-packages-assets' },
         { id: '4c758d70-ecf1-56b3-b704-6d8374841b34', type: 'epm-packages-assets' },
         { id: 'e786cbd9-0f3b-5a0b-82a6-db25145ebf58', type: 'epm-packages-assets' },
+        { id: 'd8b175c3-0d42-5ec7-90c1-d1e4b307a4c2', type: 'epm-packages-assets' },
         { id: '53c94591-aa33-591d-8200-cd524c2a0561', type: 'epm-packages-assets' },
         { id: 'b658d2d4-752e-54b8-afc2-4c76155c1466', type: 'epm-packages-assets' },
       ],

diff --git a/x-pack/test/fleet_api_integration/apis/epm/update_assets.ts b/x-pack/test/fleet_api_integration/apis/epm/update_assets.ts
@@ -296,6 +296,10 @@ export default function (providerContext: FtrProviderContext) {
             id: 'sample_lens',
             type: 'lens',
           },
+          {
+            id: 'sample_security_rule',
+            type: 'security-rule',
+          },
           {
             id: 'sample_ml_module',
             type: 'ml-module',
@@ -350,6 +354,7 @@ export default function (providerContext: FtrProviderContext) {
           { id: '7f4c5aca-b4f5-5f0a-95af-051da37513fc', type: 'epm-packages-assets' },
           { id: '4281a436-45a8-54ab-9724-fda6849f789d', type: 'epm-packages-assets' },
           { id: '2e56f08b-1d06-55ed-abee-4708e1ccf0aa', type: 'epm-packages-assets' },
+          { id: '4035007b-9c33-5227-9803-2de8a17523b5', type: 'epm-packages-assets' },
           { id: 'c7bf1a39-e057-58a0-afde-fb4b48751d8c', type: 'epm-packages-assets' },
           { id: '8c665f28-a439-5f43-b5fd-8fda7b576735', type: 'epm-packages-assets' },
         ],

diff --git a/...is/fixtures/test_packages/all_assets/0.1.0/kibana/security_rule/sample_security_rule.json b/...is/fixtures/test_packages/all_assets/0.1.0/kibana/security_rule/sample_security_rule.json
@@ -0,0 +1,50 @@
+{
+    "attributes": {
+        "author": [
+            "Elastic"
+        ],
+        "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+        "from": "now-9m",
+        "index": [
+            "winlogbeat-*",
+            "logs-endpoint.events.*",
+            "logs-windows.*"
+        ],
+        "language": "kuery",
+        "license": "Elastic License v2",
+        "name": "Svchost spawning Cmd",
+        "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+        "risk_score": 21,
+        "rule_id": "sample_security_rule",
+        "severity": "low",
+        "tags": [
+            "Elastic",
+            "Host",
+            "Windows",
+            "Threat Detection",
+            "Execution"
+        ],
+        "threat": [
+            {
+                "framework": "MITRE ATT\u0026CK",
+                "tactic": {
+                    "id": "TA0002",
+                    "name": "Execution",
+                    "reference": "https://attack.mitre.org/tactics/TA0002/"
+                },
+                "technique": [
+                    {
+                        "id": "T1059",
+                        "name": "Command and Scripting Interpreter",
+                        "reference": "https://attack.mitre.org/techniques/T1059/"
+                    }
+                ]
+            }
+        ],
+        "timestamp_override": "event.ingested",
+        "type": "query",
+        "version": 7
+    },
+    "id": "sample_security_rule",
+    "type": "security-rule"
+}
diff --git a/...is/fixtures/test_packages/all_assets/0.2.0/kibana/security_rule/sample_security_rule.json b/...is/fixtures/test_packages/all_assets/0.2.0/kibana/security_rule/sample_security_rule.json
@@ -0,0 +1,50 @@
+{
+    "attributes": {
+        "author": [
+            "Elastic"
+        ],
+        "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
+        "from": "now-9m",
+        "index": [
+            "winlogbeat-*",
+            "logs-endpoint.events.*",
+            "logs-windows.*"
+        ],
+        "language": "kuery",
+        "license": "Elastic License v2",
+        "name": "Svchost spawning Cmd",
+        "query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
+        "risk_score": 21,
+        "rule_id": "sample_security_rule",
+        "severity": "low",
+        "tags": [
+            "Elastic",
+            "Host",
+            "Windows",
+            "Threat Detection",
+            "Execution"
+        ],
+        "threat": [
+            {
+                "framework": "MITRE ATT\u0026CK",
+                "tactic": {
+                    "id": "TA0002",
+                    "name": "Execution",
+                    "reference": "https://attack.mitre.org/tactics/TA0002/"
+                },
+                "technique": [
+                    {
+                        "id": "T1059",
+                        "name": "Command and Scripting Interpreter",
+                        "reference": "https://attack.mitre.org/techniques/T1059/"
+                    }
+                ]
+            }
+        ],
+        "timestamp_override": "event.ingested",
+        "type": "query",
+        "version": 7
+    },
+    "id": "sample_security_rule",
+    "type": "security-rule"
+}