From ca5b1983955b99d3af84b4c7a89bb7d1562f93a7 Mon Sep 17 00:00:00 2001 From: FrankHassanabad Date: Wed, 20 Nov 2019 15:05:06 -0700 Subject: [PATCH] Added meta object for the UI to utilize --- .../alerts/__mocks__/es_results.ts | 1 + .../detection_engine/alerts/create_signals.ts | 2 + .../alerts/signals_alert_type.ts | 1 + .../lib/detection_engine/alerts/types.ts | 1 + .../detection_engine/alerts/update_signals.ts | 2 + .../lib/detection_engine/alerts/utils.ts | 1 + .../routes/__mocks__/request_responses.ts | 1 + .../routes/create_signals_route.ts | 2 + .../detection_engine/routes/schemas.test.ts | 72 +++++++++++++++++++ .../lib/detection_engine/routes/schemas.ts | 3 + .../routes/update_signals_route.ts | 2 + .../lib/detection_engine/routes/utils.ts | 1 + .../scripts/signals/root_or_admin_meta.json | 21 ++++++ 13 files changed, 110 insertions(+) create mode 100644 x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/root_or_admin_meta.json diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts index 5004c2af0838a..0a70a7342b2dd 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts @@ -29,6 +29,7 @@ export const sampleSignalAlertParams = ( filter: undefined, filters: undefined, savedId: undefined, + meta: undefined, size: 1000, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts index 8a31a45fa8e04..9f472d060def7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts 
@@ -18,6 +18,7 @@ export const createSignals = async ({
 query,
 language,
 savedId,
+ meta,
 filters,
 ruleId,
 immutable,
@@ -51,6 +52,7 @@ export const createSignals = async ({
 language,
 outputIndex,
 savedId,
+ meta,
 filters,
 maxSignals,
 riskScore,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/signals_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/signals_alert_type.ts
index a6fa6fb3bdecf..8308bca68e9af 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/signals_alert_type.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/signals_alert_type.ts
@@ -30,6 +30,7 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp
 language: schema.nullable(schema.string()),
 outputIndex: schema.string(),
 savedId: schema.nullable(schema.string()),
+ meta: schema.nullable(schema.object({}, { allowUnknowns: true })),
 query: schema.nullable(schema.string()),
 filters: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
 maxSignals: schema.number({ defaultValue: 10000 }),
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
index 64dda913f2c9d..79e62538b1a7e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
@@ -40,6 +40,7 @@ export interface SignalAlertParams {
 query: string | undefined | null;
 references: string[];
 savedId: string | undefined | null;
+ meta: Record | undefined | null;
 severity: string;
 size: number | undefined | null;
 tags: string[];
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_signals.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_signals.ts
index 6c6bfcfcf449d..dd85c671205c9 100644
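Review bot: The new `meta` param schema in signals_alert_type.ts, `schema.nullable(schema.object({}, { allowUnknowns: true }))`, accepts an object of any size and nesting depth, and the request-side `const meta = Joi.object();` in schemas.ts (later hunk on this page) is equally unconstrained, so a caller with rule-write access can persist an arbitrarily large blob on every rule save, bounded only by whatever server-wide payload limit applies (not visible here). The two added tests in schemas.test.ts confirm that any keys are accepted. If the UI's needs are known, a bounded shape at the Joi layer would be the cheapest place to enforce them; at minimum, a comment above the Joi line such as `// UI-only opaque metadata; persisted verbatim and never interpreted by the server` would record the intended contract. Note that the same object is also copied into signal documents by buildRule in alerts/utils.ts, which is raised separately there.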
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_signals.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_signals.ts
@@ -51,6 +51,7 @@ export const updateSignal = async ({
 language,
 outputIndex,
 savedId,
+ meta,
 filters,
 filter,
 from,
@@ -93,6 +94,7 @@ export const updateSignal = async ({
 language,
 outputIndex,
 savedId,
+ meta,
 filters,
 index,
 maxSignals,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts
index aa122d0c99535..25934dc9aa356 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts
@@ -42,6 +42,7 @@ export const buildRule = ({
 rule_id: signalParams.ruleId,
 false_positives: signalParams.falsePositives,
 saved_id: signalParams.savedId,
+ meta: signalParams.meta,
 max_signals: signalParams.maxSignals,
 risk_score: signalParams.riskScore,
 output_index: signalParams.outputIndex,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
index be0d125179688..28c83a2aceaef 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -130,6 +130,7 @@ export const getResult = (): SignalAlertType => ({
 language: 'kuery',
 outputIndex: '.siem-signals',
 savedId: null,
+ meta: null,
 filters: null,
 riskScore: 50,
 maxSignals: 100,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_signals_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_signals_route.ts
index 08e7d9fe53d4f..b4ea203ca334f 100644
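Review bot: In the buildRule hunk of alerts/utils.ts, `meta: signalParams.meta,` copies the caller-supplied object into the object buildRule produces, which by its neighbouring keys (rule_id, output_index, max_signals) looks like the rule block attached to each signal document; if that block is indexed with dynamic mapping, every distinct key a user puts in meta becomes a new field in the signals index mapping, and the same key carrying different value types in two rules would make indexing fail for one of them. The hunk cannot show how that block is mapped, so please confirm; if it is dynamic, mapping the meta field as non-dynamic (`dynamic: false` or `enabled: false`) or leaving meta out of the signal entirely and having the UI read it from the rule by rule_id would remove the exposure. A short comment on the added line, `// user-controlled, free-form object copied into every signal document`, would make the cost visible to the next reader. buildRule starts and ends outside this hunk.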
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_signals_route.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_signals_route.ts
@@ -43,6 +43,7 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
 output_index: outputIndex,
 // eslint-disable-next-line @typescript-eslint/camelcase
 saved_id: savedId,
+ meta,
 filters,
 // eslint-disable-next-line @typescript-eslint/camelcase
 rule_id: ruleId,
@@ -87,6 +88,7 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
 language,
 outputIndex,
 savedId,
+ meta,
 filters,
 ruleId: ruleId != null ? ruleId : uuid.v4(),
 index,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
index afda3955d7391..12bee2357c18d 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
@@ -910,6 +910,58 @@ describe('schemas', () => { }).error ).toBeFalsy(); }); + + test('You can set meta to any object you want', () => { + expect( + createSignalsSchema.validate>({ + rule_id: 'rule-1', + output_index: '.siem-signals', + risk_score: 50, + description: 'some description', + from: 'now-5m', + to: 'now', + immutable: true, + index: ['index-1'], + name: 'some-name', + severity: 'severity', + interval: '5m', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + meta: { + somethingMadeUp: { somethingElse: true }, + }, + }).error + ).toBeFalsy(); + }); + + test('You cannot create meta as a string', () => { + expect( + createSignalsSchema.validate< + Partial & { meta: string }> + >({ + rule_id: 'rule-1', + output_index: '.siem-signals', + risk_score: 50, + description: 'some description', + from: 'now-5m', + to: 'now', + immutable: true, + index: ['index-1'], + name: 'some-name', + severity: 'severity', + interval: '5m', + type: 'query', + references: ['index-1'], + query: 'some query', + language: 'kuery', + max_signals: 1, + meta: 'should not work', + }).error + ).toBeTruthy(); + }); }); describe('update signals schema', () => { @@ -1647,6 +1699,26 @@ describe('schemas', () => { }).error ).toBeFalsy(); }); + + test('meta can be updated', () => { + expect( + updateSignalSchema.validate>({ + id: 'rule-1', + meta: { whateverYouWant: 'anything_at_all' }, + }).error + ).toBeFalsy(); + }); + + test('You update meta as a string', () => { + expect( + updateSignalSchema.validate< + Partial & { meta: string }> + >({ + id: 'rule-1', + meta: 'should not work', + }).error + ).toBeTruthy(); + }); }); describe('find signals schema', () => { diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts index 62a5dd7090163..9231cb097b2b6 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts 
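Review bot: The title of the last added test in the update-schema block, `You update meta as a string`, reads as a positive case while the assertion is `.toBeTruthy()` on `.error`; rename it to `test('You cannot update meta as a string', () => {` so it mirrors its sibling in the create block. The new tests also do not pin what `meta: null` does on create or update, even though the server-side type, the route mock (`meta: null`) and the alert-type schema elsewhere in this commit all treat null as a valid stored value; a case for that would document whether a client can round-trip a null meta back through the API. The describe blocks these tests sit in start and end outside the hunk.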
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
@@ -24,6 +24,7 @@ const query = Joi.string();
 const language = Joi.string().valid('kuery', 'lucene');
 const output_index = Joi.string();
 const saved_id = Joi.string();
+const meta = Joi.object();
 const max_signals = Joi.number().greater(0);
 const name = Joi.string();
 const risk_score = Joi.number()
@@ -73,6 +74,7 @@ export const createSignalsSchema = Joi.object({
 then: Joi.required(),
 otherwise: Joi.forbidden(),
 }),
+ meta,
 risk_score: risk_score.required(),
 max_signals: max_signals.default(100),
 name: name.required(),
@@ -107,6 +109,7 @@ export const updateSignalSchema = Joi.object({
 then: Joi.optional(),
 otherwise: Joi.forbidden(),
 }),
+ meta,
 risk_score,
 max_signals,
 name,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/update_signals_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/update_signals_route.ts
index 91338420a2145..3fc25d59440b1 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/update_signals_route.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/update_signals_route.ts
@@ -39,6 +39,7 @@ export const createUpdateSignalsRoute: Hapi.ServerRoute = {
 output_index: outputIndex,
 // eslint-disable-next-line @typescript-eslint/camelcase
 saved_id: savedId,
+ meta,
 filters,
 // eslint-disable-next-line @typescript-eslint/camelcase
 rule_id: ruleId,
@@ -78,6 +79,7 @@ export const createUpdateSignalsRoute: Hapi.ServerRoute = {
 language,
 outputIndex,
 savedId,
+ meta,
 filters,
 id,
 ruleId,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.ts
index eb66689c08efb..bf39d9d16b2b9 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.ts
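Review bot: `const meta = Joi.object();` in the first schemas.ts hunk accepts objects only, and a Joi object type rejects `null` unless `.allow(null)` is chained, whereas the stored param type in types.ts (`... | undefined | null`), the alert-type schema (`schema.nullable(...)`) and the route mock (`meta: null`) all treat null as a valid stored value; a client that reads a rule and sends its fields back through the update route could therefore be rejected on meta. This matches how `saved_id` is declared, so it may be deliberate, but it is worth confirming with the UI consumer. If null should be accepted on input, `const meta = Joi.object().allow(null);` aligns the three layers; either way, a one-line comment on the schema line stating whether null is an accepted request value would settle it for the next reader.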
@@ -48,6 +48,7 @@ export const transformAlertToSignal = (signal: SignalAlertType): Partial