From a3385e0e963fd5a25e6242816b7f622530bcdeb5 Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Tue, 21 Jan 2020 19:02:28 -0700 Subject: [PATCH] [SIEM][Detection Engine] Critical blocker, fixes schema accepting values it should not (#55488) ## Summary * This fixes the schema accepting values the UI cannot handle at this point with severity. It's best to just set it to a small fixed enumeration of values. * From feedback from people the values should have more defaults and be more consistent in the schema so gave defaults for `from`, `to`, and `interval`. * Removed dead query examples that cannot happen because immutable cannot be set by end users anymore * Changes the version and other sections to be integer only and not allow floats * Added unit tests ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ - [x] This includes 
a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) --- .../rules/add_prepackaged_rules_route.test.ts | 2 +- .../get_prepackaged_rule_status_route.test.ts | 2 +- .../add_prepackaged_rules_schema.test.ts | 164 ++++++++++++------ .../schemas/add_prepackaged_rules_schema.ts | 4 +- .../schemas/create_rules_bulk_schema.test.ts | 68 +++++++- .../schemas/create_rules_schema.test.ts | 154 ++++++++++------ .../routes/schemas/create_rules_schema.ts | 4 +- .../schemas/import_rules_schema.test.ts | 163 +++++++++++------ .../routes/schemas/import_rules_schema.ts | 4 +- .../schemas/query_signals_index_schema.ts | 2 +- .../routes/schemas/schemas.ts | 13 +- .../schemas/update_rules_schema.test.ts | 102 ++++++----- .../create_rules_stream_from_ndjson.test.ts | 22 +-- .../scripts/rules/queries/query_disabled.json | 2 - .../rules/queries/query_immutable.json | 11 -- .../scripts/rules/queries/query_lucene.json | 2 - .../rules/queries/query_mitre_attack.json | 2 - .../rules/queries/query_timelineid.json | 2 - .../rules/queries/query_with_filter.json | 2 - .../rules/queries/query_with_meta_data.json | 2 - .../rules/queries/query_with_rule_id.json | 2 - .../rules/queries/query_with_tags.json | 2 - .../rules/queries/simplest_filters.json | 2 - .../scripts/rules/queries/simplest_query.json | 2 - .../saved_queries/saved_query_by_rule_id.json | 2 - .../saved_query_with_filters.json | 2 - .../saved_queries/saved_query_with_query.json | 2 - .../saved_query_with_query_filter.json | 2 - .../saved_queries/simplest_saved_query.json | 2 - 29 files changed, 480 insertions(+), 265 deletions(-) delete mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_immutable.json 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.test.ts index ed193b6473a9e..a99893433ea8d 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.test.ts @@ -34,7 +34,7 @@ jest.mock('../../rules/get_prepackaged_rules', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', version: 2, // set one higher than the mocks which is set to 1 to trigger updates diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/get_prepackaged_rule_status_route.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/get_prepackaged_rule_status_route.test.ts index 1ae9e87b8eefe..f07d6a9fc65a6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/get_prepackaged_rule_status_route.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/get_prepackaged_rule_status_route.test.ts @@ -33,7 +33,7 @@ jest.mock('../../rules/get_prepackaged_rules', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', version: 2, // set one higher than the mocks which is set to 1 to trigger updates diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts index abdd5a0c7b508..2a04c15b8cd9f 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts 
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts @@ -78,7 +78,7 @@ describe('add prepackaged rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', }).error ).toBeTruthy(); }); @@ -91,7 +91,7 @@ describe('add prepackaged rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).error ).toBeTruthy(); @@ -105,7 +105,7 @@ describe('add prepackaged rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -120,7 +120,7 @@ describe('add prepackaged rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', interval: '5m', index: ['index-1'], @@ -137,7 +137,7 @@ describe('add prepackaged rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', query: 'some query', index: ['index-1'], @@ -156,7 +156,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -175,7 +175,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -196,7 +196,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -215,7 +215,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', risk_score: 50, 
@@ -234,7 +234,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -256,7 +256,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', threats: [ @@ -291,7 +291,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -312,7 +312,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -332,7 +332,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -353,7 +353,7 @@ describe('add prepackaged rules schema', () => { index: ['index-1'], immutable: false, name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -374,7 +374,7 @@ describe('add prepackaged rules schema', () => { index: ['index-1'], immutable: true, name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -394,7 +394,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -413,7 +413,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', 
@@ -435,7 +435,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -460,7 +460,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: [5], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -482,7 +482,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', version: 1, }).value.interval @@ -499,7 +499,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', version: 1, @@ -517,7 +517,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', version: 1, @@ -535,7 +535,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -554,7 +554,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -576,7 +576,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -596,7 +596,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -617,7 +617,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -638,7 +638,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -659,7 +659,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -681,7 +681,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -703,7 +703,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -725,7 +725,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -750,7 +750,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -779,7 +779,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -823,7 +823,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -863,7 +863,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -898,7 +898,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -923,7 +923,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -948,7 +948,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -973,7 +973,7 @@ describe('add prepackaged rules schema', () => { immutable: 5, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -996,7 +996,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1019,7 +1019,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1042,7 +1042,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1065,7 +1065,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1088,7 +1088,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1116,7 +1116,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1140,7 +1140,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1162,7 +1162,7 @@ describe('add prepackaged rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1186,7 +1186,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1210,7 +1210,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1235,7 +1235,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1260,7 +1260,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1285,7 +1285,7 @@ describe('add prepackaged rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1297,4 +1297,60 @@ describe('add prepackaged rules schema', () => { }).error.message ).toEqual('child "timeline_title" fails because ["timeline_title" is not allowed]'); }); + + test('The default for "from" will be "now-6m"', () => { + expect( + addPrepackagedRulesSchema.validate>({ + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'low', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }).value.from + ).toEqual('now-6m'); + }); + + test('The default for "to" will be "now"', () => { + expect( + addPrepackagedRulesSchema.validate>({ + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'low', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }).value.to + ).toEqual('now'); + }); + + test('You cannot set the severity to a value other than low, medium, high, or critical', () => { + expect( + addPrepackagedRulesSchema.validate>({ + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'junk', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }).error.message + ).toEqual( + 'child "severity" fails because ["severity" must be one of [low, medium, high, critical]]' + ); + }); }); 
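Review bot: The new severity test at the end of the last hunk only checks that `'junk'` is rejected; nothing confirms that `'medium'`, `'high'` and `'critical'` are accepted, nor that a case variant such as `'Low'` is rejected, which matters because Joi's `valid()` (the apparent source of the `must be one of [...]` message) is case-sensitive unless `.insensitive()` is applied. A test iterating over the four accepted values and asserting `error` is falsy, plus one asserting `'Low'` fails, would pin the exact enumeration the UI relies on. The same gap exists in the matching tests added to create_rules_bulk_schema.test.ts and create_rules_schema.test.ts.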
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts index 9311371d630f7..d254f83243491 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts @@ -51,7 +51,7 @@ export const addPrepackagedRulesSchema = Joi.object({ enabled: enabled.default(false), false_positives: false_positives.default([]), filters, - from: from.required(), + from: from.default('now-6m'), rule_id: rule_id.required(), immutable: immutable.default(true).valid(true), index, @@ -71,7 +71,7 @@ export const addPrepackagedRulesSchema = Joi.object({ name: name.required(), severity: severity.required(), tags: tags.default([]), - to: to.required(), + to: to.default('now'), type: type.required(), threats: threats.default([]), references: references.default([]), diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_bulk_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_bulk_schema.test.ts index 17fb5320daa01..1eab50848b822 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_bulk_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_bulk_schema.test.ts @@ -37,7 +37,7 @@ describe('create_rules_bulk_schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', query: 'some query', index: ['index-1'], @@ -57,7 +57,7 @@ describe('create_rules_bulk_schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', query: 'some query', index: ['index-1'], 
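Review bot: The new `from: from.default('now-6m')` in the first hunk of add_prepackaged_rules_schema.ts appears to be chosen to sit one minute wider than the `interval` default the PR description mentions (presumably `'5m'`, set elsewhere in this schema), yet nothing in the code records that coupling, so a later change to either default could silently leave a gap between consecutive rule executions. A one-line comment beside it would make the dependency explicit: `// kept one minute wider than the default interval so consecutive runs overlap instead of leaving gaps`. Relaxing `from` and `to` from `required()` to a default also means a prepackaged rule definition that omits them is now accepted silently rather than rejected; that is the intent per the description, but it is worth stating in the schema's doc comment so reviewers of rule content know the lookback is implicit. The `addPrepackagedRulesSchema` object begins and ends outside both hunks.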
@@ -70,7 +70,7 @@ describe('create_rules_bulk_schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', query: 'some query', index: ['index-1'], @@ -79,4 +79,66 @@ describe('create_rules_bulk_schema', () => { ]).error ).toBeFalsy(); }); + + test('The default for "from" will be "now-6m"', () => { + expect( + createRulesBulkSchema.validate>([ + { + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'low', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }, + ]).value[0].from + ).toEqual('now-6m'); + }); + + test('The default for "to" will be "now"', () => { + expect( + createRulesBulkSchema.validate>([ + { + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'low', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }, + ]).value[0].to + ).toEqual('now'); + }); + + test('You cannot set the severity to a value other than low, medium, high, or critical', () => { + expect( + createRulesBulkSchema.validate>([ + { + rule_id: 'rule-1', + risk_score: 50, + description: 'some description', + name: 'some-name', + severity: 'junk', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + version: 1, + }, + ]).error.message + ).toEqual( + '"value" at position 0 fails because [child "severity" fails because ["severity" must be one of [low, medium, high, critical]]]' + ); + }); }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts index c76071047434c..f765f01300c58 100644 
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts @@ -79,7 +79,7 @@ describe('create rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', }).error ).toBeTruthy(); }); @@ -92,7 +92,7 @@ describe('create rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).error ).toBeTruthy(); @@ -106,7 +106,7 @@ describe('create rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -121,7 +121,7 @@ describe('create rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', interval: '5m', index: ['index-1'], @@ -138,7 +138,7 @@ describe('create rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', query: 'some query', index: ['index-1'], @@ -156,7 +156,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -175,7 +175,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -195,7 +195,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -213,7 +213,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', risk_score: 50, 
@@ -232,7 +232,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -250,7 +250,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -273,7 +273,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', threats: [ @@ -308,7 +308,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -329,7 +329,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -351,7 +351,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -375,7 +375,7 @@ describe('create rules schema', () => { to: 'now', index: [5], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -398,7 +398,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).value.interval ).toEqual('5m'); @@ -415,7 +415,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).value.max_signals 
@@ -433,7 +433,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', }).error.message @@ -451,7 +451,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -470,7 +470,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -492,7 +492,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -512,7 +512,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -533,7 +533,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -554,7 +554,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -575,7 +575,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -597,7 +597,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -619,7 +619,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -641,7 +641,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -664,7 +664,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -693,7 +693,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -737,7 +737,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -777,7 +777,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -812,7 +812,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -837,7 +837,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -864,7 +864,7 @@ describe('create rules schema', () => { immutable: 5, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -886,7 +886,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -908,7 +908,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -930,7 +930,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -952,7 +952,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -974,7 +974,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -999,7 +999,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1022,7 +1022,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1044,7 +1044,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1067,7 +1067,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1089,7 +1089,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1112,7 +1112,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1135,7 +1135,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1158,7 +1158,7 @@ describe('create rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1168,4 +1168,60 @@ describe('create rules schema', () => {
 }).error.message
 ).toEqual('child "timeline_title" fails because ["timeline_title" is not allowed]');
 });
+
+ test('The default for "from" will be "now-6m"', () => {
+ expect(
+ createRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'low',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).value.from
+ ).toEqual('now-6m');
+ });
+
+ test('The default for "to" will be "now"', () => {
+ expect(
+ createRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'low',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).value.to
+ ).toEqual('now');
+ });
+
+ test('You cannot set the severity to a value other than low, medium, high, or critical', () => {
+ expect(
+ createRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'junk',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).error.message
+ ).toEqual(
+ 'child "severity" fails because ["severity" must be one of [low, medium, high, critical]]'
+ );
+ });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
index 5d9972453fb1a..06dbb0cbb48f3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
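Review bot: The new severity test only pins the rejection of 'junk'; nothing in this file asserts that each of the four permitted values is accepted, so a typo in the `.valid(...)` list would still pass. A `test.each(['low', 'medium', 'high', 'critical'])` case that validates the same payload and asserts `.error` is falsy would close that gap, here and in the matching import/update tests. Comparing against Joi's full message text also ties the test to Joi's exact wording; asserting on `error.details[0].path` or a substring survives a library upgrade. The enclosing describe block starts before this hunk.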
@@ -43,7 +43,7 @@ export const createRulesSchema = Joi.object({
 enabled: enabled.default(true),
 false_positives: false_positives.default([]),
 filters,
- from: from.required(),
+ from: from.default('now-6m'),
 rule_id,
 index,
 interval: interval.default('5m'),
@@ -63,7 +63,7 @@ export const createRulesSchema = Joi.object({
 name: name.required(),
 severity: severity.required(),
 tags: tags.default([]),
- to: to.required(),
+ to: to.default('now'),
 type: type.required(),
 threats: threats.default([]),
 references: references.default([]),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
index 20f418c57b5db..b19a91d18c3ff 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
@@ -84,7 +84,7 @@ describe('import rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 }).error
 ).toBeTruthy();
 });
@@ -97,7 +97,7 @@ describe('import rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 type: 'query',
 }).error
 ).toBeTruthy();
@@ -111,7 +111,7 @@ describe('import rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 interval: '5m',
 type: 'query',
 }).error
@@ -126,7 +126,7 @@ describe('import rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 type: 'query',
 interval: '5m',
 index: ['index-1'],
@@ -143,7 +143,7 @@ describe('import rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 type: 'query',
 query: 'some query',
 index: ['index-1'],
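Review bot: The `'now-6m'` and `'now'` defaults are literal strings here and again in import_rules_schema.ts further down, and both new default tests hard-code the same strings, so the two schemas can drift silently. Exporting the defaults once from schemas.ts next to `to`/`from` and writing `from: from.default(DEFAULT_FROM),` in both schemas keeps them in lockstep. The lookback also deserves a why-comment: `'now-6m'` against the `interval.default('5m')` visible in the same hunk presumably leaves a one-minute overlap between runs, and `// one minute wider than the default interval so consecutive runs overlap — TODO confirm intended` would stop someone from "fixing" it to `now-5m`. The `createRulesSchema` object continues outside both hunks.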
@@ -161,7 +161,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -180,7 +180,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -200,7 +200,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -218,7 +218,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', risk_score: 50, @@ -237,7 +237,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -255,7 +255,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -278,7 +278,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', threats: [ @@ -313,7 +313,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -334,7 +334,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', 
@@ -356,7 +356,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -381,7 +381,7 @@ describe('import rules schema', () => { to: 'now', index: [5], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -403,7 +403,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).value.interval ).toEqual('5m'); @@ -420,7 +420,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).value.max_signals @@ -438,7 +438,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', }).error.message @@ -456,7 +456,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -475,7 +475,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -497,7 +497,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -517,7 +517,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -538,7 +538,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -559,7 +559,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -580,7 +580,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -602,7 +602,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -624,7 +624,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -646,7 +646,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -670,7 +670,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -700,7 +700,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -744,7 +744,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -784,7 +784,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -819,7 +819,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -844,7 +844,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -869,7 +869,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -894,7 +894,7 @@ describe('import rules schema', () => { immutable: 5, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -917,7 +917,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -940,7 +940,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -963,7 +963,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -986,7 +986,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1009,7 +1009,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1035,7 +1035,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1059,7 +1059,7 @@ describe('import rules schema', () => { immutable: true, index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1081,7 +1081,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1104,7 +1104,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1126,7 +1126,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1149,7 +1149,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1174,7 +1174,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1197,7 +1197,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1219,7 +1219,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1240,7 +1240,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1265,7 +1265,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -1290,7 +1290,7 @@ describe('import rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -1344,4 +1344,59 @@ describe('import rules schema', () => {
 expect(importRulesPayloadSchema.validate({ file: {} }).error).toBeFalsy();
 });
 });
+
+ test('The default for "from" will be "now-6m"', () => {
+ expect(
+ importRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'low',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).value.from
+ ).toEqual('now-6m');
+ });
+
+ test('The default for "to" will be "now"', () => {
+ expect(
+ importRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'low',
+ type: 'query',
+ references: ['index-1'],
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).value.to
+ ).toEqual('now');
+ });
+
+ test('You cannot set the severity to a value other than low, medium, high, or critical', () => {
+ expect(
+ importRulesSchema.validate>({
+ rule_id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'junk',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).error.message
+ ).toEqual(
+ 'child "severity" fails because ["severity" must be one of [low, medium, high, critical]]'
+ );
+ });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
index df825c442fff6..8516585a2c055 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.ts
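Review bot: The 'to' default test in this hunk omits the `query: 'some query',` line that its 'from' sibling and both equivalents in create_rules_schema.test.ts include, so the three default fixtures are no longer interchangeable. Adding the missing field keeps the payload identical across the default tests and avoids the case where the assertion passes only because Joi still returns the defaulted `.value` alongside an `.error`. The enclosing describe block starts before this hunk.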
@@ -59,7 +59,7 @@ export const importRulesSchema = Joi.object({
 enabled: enabled.default(true),
 false_positives: false_positives.default([]),
 filters,
- from: from.required(),
+ from: from.default('now-6m'),
 rule_id: rule_id.required(),
 immutable: immutable.default(false),
 index,
@@ -80,7 +80,7 @@ export const importRulesSchema = Joi.object({
 name: name.required(),
 severity: severity.required(),
 tags: tags.default([]),
- to: to.required(),
+ to: to.default('now'),
 type: type.required(),
 threats: threats.default([]),
 references: references.default([]),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/query_signals_index_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/query_signals_index_schema.ts
index 0a6fceb44f845..26a32d2e4980b 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/query_signals_index_schema.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/query_signals_index_schema.ts
@@ -9,7 +9,7 @@ import Joi from 'joi';
 export const querySignalsSchema = Joi.object({
 query: Joi.object(),
 aggs: Joi.object(),
- size: Joi.number(),
+ size: Joi.number().integer(),
 track_total_hits: Joi.boolean(),
 _source: Joi.array().items(Joi.string()),
 }).min(1);
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
index ecca661d2b856..a027fcb96b599 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
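Review bot: `size: Joi.number().integer()` in querySignalsSchema still accepts negative and arbitrarily large values on a request body that, going by the field names, is forwarded to a search on the signals index. The integer check only rules out floats; `size: Joi.number().integer().min(0),` rejects the nonsensical case at the API boundary, and a `.max(...)` aligned with the index's `max_result_window` (10000 by default in Elasticsearch) keeps a single request from asking for an unbounded result set. The same missing upper bound applies to `per_page` in schemas.ts below.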
@@ -37,12 +37,15 @@ export const timeline_title = Joi.string().when('timeline_id', {
 otherwise: Joi.forbidden(),
 });
 export const meta = Joi.object();
-export const max_signals = Joi.number().greater(0);
+export const max_signals = Joi.number()
+ .integer()
+ .greater(0);
 export const name = Joi.string();
 export const risk_score = Joi.number()
+ .integer()
 .greater(-1)
 .less(101);
-export const severity = Joi.string();
+export const severity = Joi.string().valid('low', 'medium', 'high', 'critical');
 export const status = Joi.string().valid('open', 'closed');
 export const to = Joi.string();
 export const type = Joi.string().valid('query', 'saved_query');
@@ -51,9 +54,11 @@ export const references = Joi.array()
 .items(Joi.string())
 .single();
 export const per_page = Joi.number()
+ .integer()
 .min(0)
 .default(20);
 export const page = Joi.number()
+ .integer()
 .min(1)
 .default(1);
 export const signal_ids = Joi.array().items(Joi.string());
@@ -97,4 +102,6 @@ export const updated_at = Joi.string()
 .strict();
 export const created_by = Joi.string();
 export const updated_by = Joi.string();
-export const version = Joi.number().min(1);
+export const version = Joi.number()
+ .integer()
+ .min(1);
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
index 823ebb90a3b3c..44b3b5b927be2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
@@ -147,7 +147,7 @@ describe('update rules schema', () => {
 from: 'now-5m',
 to: 'now',
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 }).error
 ).toBeFalsy();
 });
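Review bot: `max_signals` gains `.integer()` but still has no upper bound, so a rule can declare any positive integer; if this caps how many signals a single rule execution writes, as the name suggests, a `.max(...)` with a documented ceiling would bound per-run output. Now that `risk_score` is integer-only, `.greater(-1).less(101)` reads as a leftover from the float case; `.min(0).max(100)` states the intended 0–100 range directly. The commit message explains that the four severity values are the ones the UI can render; carrying that into the code as `// keep in sync with the severity values the UI can render` above `severity` preserves the reason the enum is closed.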
@@ -160,7 +160,7 @@ describe('update rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', }).error ).toBeFalsy(); }); @@ -173,7 +173,7 @@ describe('update rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).error ).toBeFalsy(); @@ -187,7 +187,7 @@ describe('update rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).error ).toBeFalsy(); @@ -201,7 +201,7 @@ describe('update rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -216,7 +216,7 @@ describe('update rules schema', () => { from: 'now-5m', to: 'now', name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -232,7 +232,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -248,7 +248,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -264,7 +264,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -281,7 +281,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -298,7 +298,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', 
@@ -316,7 +316,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some query', @@ -334,7 +334,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -350,7 +350,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).error @@ -366,7 +366,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -385,7 +385,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -403,7 +403,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', type: 'query', }).value.interval ).toEqual(undefined); @@ -418,7 +418,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', }).value.max_signals @@ -436,7 +436,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', @@ -459,7 +459,7 @@ describe('update rules schema', () => { to: 'now', index: [5], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', query: 'some-query', 
@@ -479,7 +479,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', }).error @@ -495,7 +495,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -512,7 +512,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -530,7 +530,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -549,7 +549,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -568,7 +568,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -587,7 +587,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -607,7 +607,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -627,7 +627,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], 
@@ -679,7 +679,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -699,7 +699,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -737,7 +737,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -778,7 +778,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -820,7 +820,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -858,7 +858,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', references: ['index-1'], @@ -890,7 +890,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -909,7 +909,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', @@ -927,7 +927,7 @@ describe('update rules schema', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'saved_query', saved_id: 'some id', 
@@ -946,7 +946,7 @@ describe('update rules schema', () => {
 to: 'now',
 index: ['index-1'],
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 interval: '5m',
 type: 'saved_query',
 saved_id: 'some id',
@@ -965,7 +965,7 @@ describe('update rules schema', () => {
 to: 'now',
 index: ['index-1'],
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 interval: '5m',
 type: 'saved_query',
 saved_id: 'some id',
@@ -984,7 +984,7 @@ describe('update rules schema', () => {
 to: 'now',
 index: ['index-1'],
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 interval: '5m',
 type: 'saved_query',
 saved_id: 'some id',
@@ -992,4 +992,24 @@ describe('update rules schema', () => {
 }).error.message
 ).toEqual('child "timeline_title" fails because ["timeline_title" is not allowed]');
 });
+
+ test('You cannot set the severity to a value other than low, medium, high, or critical', () => {
+ expect(
+ updateRulesSchema.validate>({
+ id: 'rule-1',
+ risk_score: 50,
+ description: 'some description',
+ name: 'some-name',
+ severity: 'junk',
+ type: 'query',
+ references: ['index-1'],
+ query: 'some query',
+ language: 'kuery',
+ max_signals: 1,
+ version: 1,
+ }).error.message
+ ).toEqual(
+ 'child "severity" fails because ["severity" must be one of [low, medium, high, critical]]'
+ );
+ });
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
index fce3c90ef18e7..48b7195c3b0bc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules_stream_from_ndjson.test.ts
@@ -21,7 +21,7 @@ export const getOutputSample = (): Partial => ({
 to: 'now',
 index: ['index-1'],
 name: 'some-name',
- severity: 'severity',
+ severity: 'low',
 interval: '5m',
 type: 'query',
 });
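Review bot: The update test file only gains the negative severity case; unlike create and import, nothing here pins whether an update leaves `from`/`to` undefined when they are omitted, and update_rules_schema.ts itself is not in this patch. The existing `.value.interval` / `toEqual(undefined)` check earlier in this file is the template — a sibling asserting `.value.from` and `.value.to` are undefined would document the intended asymmetry between create and update, if that asymmetry is intended. The enclosing describe block starts before this hunk.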
@@ -55,7 +55,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -78,7 +78,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -120,7 +120,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -143,7 +143,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -184,7 +184,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -207,7 +207,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -248,7 +248,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -272,7 +272,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, @@ -312,7 +312,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, 
@@ -338,7 +338,7 @@ describe('create_rules_stream_from_ndjson', () => { to: 'now', index: ['index-1'], name: 'some-name', - severity: 'severity', + severity: 'low', interval: '5m', type: 'query', enabled: true, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_disabled.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_disabled.json index 38b3ed9f74696..f354351caa5f0 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_disabled.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_disabled.json @@ -4,8 +4,6 @@ "risk_score": 1, "severity": "high", "type": "query", - "from": "now-6m", - "to": "now", "query": "user.name: root or user.name: admin", "enabled": false } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_immutable.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_immutable.json deleted file mode 100644 index 681d66e16d0ba..0000000000000 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_immutable.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "name": "Query which is immutable", - "description": "Example query which is immutable", - "risk_score": 1, - "severity": "high", - "type": "query", - "from": "now-6m", - "to": "now", - "query": "user.name: root or user.name: admin", - "immutable": true -} diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_lucene.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_lucene.json index ed8849831a479..03d5ab3c0b4e9 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_lucene.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_lucene.json 
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "language": "lucene"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
index 721a172ce55d7..f728e3b988206 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_mitre_attack.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "threats": [
 {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_timelineid.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_timelineid.json
index eb87a14e0c688..2bc4aa2275926 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_timelineid.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_timelineid.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "timeline_id": "timeline-id",
 "timeline_title": "timeline_title"
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_filter.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_filter.json
index c754ab73ea21e..28ae121c7969a 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_filter.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_filter.json
@@ -5,8 +5,6 @@
 "risk_score": 15,
 "severity": "high",
 "type": "query",
- "from": "now-24h",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "filters": [
 {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_meta_data.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_meta_data.json
index f9f5bf854e45c..8d86605d648ec 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_meta_data.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_meta_data.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "meta": {
 "whatever-you-want": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_rule_id.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_rule_id.json
index e4da196007527..3347fb0e724b3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_rule_id.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_rule_id.json
@@ -5,7 +5,5 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_tags.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_tags.json
index 954f5942180d6..2c61f08d4b480 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_tags.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_tags.json
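Review bot: Dropping `"from": "now-24h"` from query_with_filter.json is not the no-op it is for the sibling fixtures that dropped `now-6m`: this sample rule now inherits whatever the schema default is, and if that default is the shorter window the other fixtures used, the lookback shrinks from 24 hours to minutes and the filter example silently matches fewer events. If the 24-hour window was deliberate, keep the line (`"from": "now-24h",`); if relying on the default is the point, record that in the fixture name or the scripts README, since strict JSON leaves no room for a comment. The enclosing object starts outside the hunk.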
@@ -5,8 +5,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "tags": ["tag_1", "tag_2"]
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_filters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_filters.json
index 61e68f886ffe7..37f0e541298b2 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_filters.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_filters.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "filters": [
 {
 "query": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_query.json
index e812b031a28fd..407fa1dcc0884 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/simplest_query.json
@@ -4,7 +4,5 @@
 "risk_score": 1,
 "severity": "high",
 "type": "query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_by_rule_id.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_by_rule_id.json
index 0e0be24c00207..48b6a34cf2316 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_by_rule_id.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_by_rule_id.json
@@ -5,7 +5,5 @@
 "risk_score": 5,
 "severity": "high",
 "type": "saved_query",
- "from": "now-6m",
- "to": "now",
 "saved_id": "test-saved-id"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_filters.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_filters.json
index 55f95e9644b8b..2bb9845a507c3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_filters.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_filters.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "saved_query",
- "from": "now-6m",
- "to": "now",
 "filters": [
 {
 "query": {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query.json
index ee37c4cb784d1..786dcdb377a68 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query.json
@@ -4,8 +4,6 @@
 "risk_score": 1,
 "severity": "high",
 "type": "saved_query",
- "from": "now-6m",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "saved_id": "test-saved-id"
 }
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query_filter.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query_filter.json
index 19801e7a98ac2..5e5c51d2243b0 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query_filter.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/saved_query_with_query_filter.json
@@ -5,8 +5,6 @@
 "risk_score": 15,
 "severity": "high",
 "type": "query",
- "from": "now-24h",
- "to": "now",
 "query": "user.name: root or user.name: admin",
 "filters": [
 {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/simplest_saved_query.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/simplest_saved_query.json
index a3dbf0f1b09af..ac9f224313b23 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/simplest_saved_query.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/saved_queries/simplest_saved_query.json
@@ -4,7 +4,5 @@
 "risk_score": 5,
 "severity": "high",
 "type": "saved_query",
- "from": "now-6m",
- "to": "now",
 "saved_id": "test-saved-id"
 }
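Review bot: saved_query_with_query_filter.json sits under saved_queries, yet the retained context line still declares `"type": "query"`, so on the new side this fixture exercises the query path rather than the saved_query path its name and directory imply; either set `"type": "saved_query"` with a `saved_id`, or move the file next to the other query fixtures. Separately, this is the second fixture to drop `"from": "now-24h"` rather than `now-6m`, so its lookback now depends on the schema default and is presumably shorter than before, which changes what the example matches. The enclosing object starts outside the hunk.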