[Detection Engine][Rules] - Adds custom highlighted fields option #163235
Changes from 23 commits
eb33083
0b98a19
110eb99
5a249b9
ccf1c24
cbbbbf9
6f5ac58
f416282
a42910e
888c042
b8c3923
b272000
7b97501
eda33ef
5920bba
317873d
0363fb8
e0b6a90
bfda622
44aa7a5
013c437
7376b1b
07d0e41
2fd6f51
a7379e5
df9d604
3f67bc5
ba11dba
97d5adf
2188d0d
e0f8fc9
a416d1a
5a225bf
49bdfc0
2d01586
294387d
9d6c1e3
f62deca
e3b8078
983053e
9cc5c9f
d547c5e
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,6 +55,9 @@ export const RuleAuthorArray = t.array(t.string); // should be non-empty strings | |
export type RuleFalsePositiveArray = t.TypeOf<typeof RuleFalsePositiveArray>; | ||
export const RuleFalsePositiveArray = t.array(t.string); // should be non-empty strings? | ||
|
||
export type RuleCustomHighlightedFieldArray = t.TypeOf<typeof RuleCustomHighlightedFieldArray>; | ||
export const RuleCustomHighlightedFieldArray = t.array(NonEmptyString); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we please add a JSDoc comment with an explanation what these fields mean and a link to the PR? |
||
|
||
export type RuleReferenceArray = t.TypeOf<typeof RuleReferenceArray>; | ||
export const RuleReferenceArray = t.array(t.string); // should be non-empty strings? | ||
|
||
|
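Review bot: `RuleCustomHighlightedFieldArray = t.array(NonEmptyString)` constrains each entry but not the array itself, so a request may carry an arbitrarily long or repeated list of field names; the neighbouring `t.array(t.string)` types share that gap, but this is a new, presumably user-editable field, so it is worth deciding now. If an upper bound or uniqueness is intended, a refined array type would enforce it at the schema; otherwise the JSDoc the earlier comment asks for should state explicitly that length and uniqueness are not validated here. Whether `NonEmptyString` also rejects whitespace-only names is not visible in this hunk and should be confirmed before relying on it.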
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -64,6 +64,7 @@ const getResponseBaseParams = (anchorDate: string = ANCHOR_DATE): SharedResponse | |
timestamp_override: undefined, | ||
timestamp_override_fallback_disabled: undefined, | ||
namespace: undefined, | ||
custom_highlighted_fields: undefined, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it shouldn't be possible to set it to |
||
}); | ||
|
||
export const getRulesSchemaMock = (anchorDate: string = ANCHOR_DATE): QueryRule => ({ | ||
|
@@ -77,6 +78,7 @@ export const getRulesSchemaMock = (anchorDate: string = ANCHOR_DATE): QueryRule | |
saved_id: undefined, | ||
response_actions: undefined, | ||
alert_suppression: undefined, | ||
custom_highlighted_fields: undefined, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same here |
||
}); | ||
|
||
export const getSavedQuerySchemaMock = (anchorDate: string = ANCHOR_DATE): SavedQueryRule => ({ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -232,4 +232,65 @@ describe('Rule response schema', () => { | |
expect(message.schema).toEqual({}); | ||
}); | ||
}); | ||
|
||
describe('custom_highlighted_fields', () => { | ||
test('it should validate rule with empty array for "custom_highlighted_fields"', () => { | ||
const payload = getRulesSchemaMock(); | ||
payload.custom_highlighted_fields = []; | ||
|
||
const decoded = RuleResponse.decode(payload); | ||
const checked = exactCheck(payload, decoded); | ||
const message = pipe(checked, foldLeftRight); | ||
const expected = { ...getRulesSchemaMock(), custom_highlighted_fields: [] }; | ||
|
||
expect(getPaths(left(message.errors))).toEqual([]); | ||
expect(message.schema).toEqual(expected); | ||
}); | ||
|
||
test('it should validate rule with "custom_highlighted_fields"', () => { | ||
const payload = getRulesSchemaMock(); | ||
payload.custom_highlighted_fields = ['foo', 'bar']; | ||
|
||
const decoded = RuleResponse.decode(payload); | ||
const checked = exactCheck(payload, decoded); | ||
const message = pipe(checked, foldLeftRight); | ||
const expected = { ...getRulesSchemaMock(), custom_highlighted_fields: ['foo', 'bar'] }; | ||
|
||
expect(getPaths(left(message.errors))).toEqual([]); | ||
expect(message.schema).toEqual(expected); | ||
}); | ||
|
||
test('it should validate undefined for "custom_highlighted_fields"', () => { | ||
const payload: RuleResponse = { | ||
...getRulesSchemaMock(), | ||
custom_highlighted_fields: undefined, | ||
}; | ||
|
||
const decoded = RuleResponse.decode(payload); | ||
const checked = exactCheck(payload, decoded); | ||
const message = pipe(checked, foldLeftRight); | ||
const expected = { ...getRulesSchemaMock(), custom_highlighted_fields: undefined }; | ||
|
||
expect(getPaths(left(message.errors))).toEqual([]); | ||
expect(message.schema).toEqual(expected); | ||
}); | ||
||
|
||
test('it should NOT validate a string for "custom_highlighted_fields"', () => { | ||
const payload: Omit<RuleResponse, 'custom_highlighted_fields'> & { | ||
custom_highlighted_fields: string; | ||
} = { | ||
...getRulesSchemaMock(), | ||
custom_highlighted_fields: 'foo', | ||
}; | ||
|
||
const decoded = RuleResponse.decode(payload); | ||
const checked = exactCheck(payload, decoded); | ||
const message = pipe(checked, foldLeftRight); | ||
|
||
expect(getPaths(left(message.errors))).toEqual([ | ||
'Invalid value "foo" supplied to "custom_highlighted_fields"', | ||
]); | ||
expect(message.schema).toEqual({}); | ||
}); | ||
}); | ||
}); |
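Review bot: The new `describe('custom_highlighted_fields'` block never exercises what distinguishes `NonEmptyString` from `t.string`: neither an empty-string entry (`['']`) nor a non-string entry is tested, so a regression back to `t.array(t.string)` would still pass this suite. A rejection case mirroring the existing `'foo'` string test would pin that behaviour. The exact error text depends on the NonEmptyString type's failure message, which is not visible here, so the case below only asserts that errors are present and the schema is empty; the enclosing `describe('Rule response schema'` starts outside the hunk.
```typescript
    test('it should NOT validate an empty string entry in "custom_highlighted_fields"', () => {
      const payload = getRulesSchemaMock();
      payload.custom_highlighted_fields = [''];

      const decoded = RuleResponse.decode(payload);
      const checked = exactCheck(payload, decoded);
      const message = pipe(checked, foldLeftRight);

      // Exact message is whatever NonEmptyString reports; only assert rejection.
      expect(getPaths(left(message.errors))).not.toEqual([]);
      expect(message.schema).toEqual({});
    });
```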
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -53,6 +53,7 @@ import { | |
RelatedIntegrationArray, | ||
RequiredFieldArray, | ||
RuleAuthorArray, | ||
RuleCustomHighlightedFieldArray, | ||
RuleDescription, | ||
RuleFalsePositiveArray, | ||
RuleFilterArray, | ||
|
@@ -116,6 +117,7 @@ export const baseSchema = buildRuleSchemas({ | |
output_index: AlertsIndex, | ||
namespace: AlertsIndexNamespace, | ||
meta: RuleMetadata, | ||
custom_highlighted_fields: RuleCustomHighlightedFieldArray, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Posting for visibility here. As discussed over zoom with @yctercero, I think this field should be:
So in a rule, it would be something like We should consider writing a migration to add a "null" rule.investigation_fields = {
field_names: [],
}; |
||
// Throttle | ||
throttle: RuleActionThrottle, | ||
}, | ||
|
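Review bot: The new `custom_highlighted_fields: RuleCustomHighlightedFieldArray,` entry in `baseSchema` is appended after `meta` with no group comment, while the next entry is introduced by `// Throttle`, so a reader cannot tell which concern the field belongs to; a one-line comment in the file's style, e.g. `// Custom highlighted fields (see PR #163235)`, above the new line would match the convention. Whether this slot sits in the optional or the defaultable group is not visible in the hunk; if it is optional, the `undefined` defaults added to the mocks are the only thing separating "not set" from "set to empty", which the existing comments already discuss, so no further change is proposed here. The `buildRuleSchemas` call starts before the hunk.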
Nit: not sure why we test the
transformDataToNdjson
function against a mock rule, considering the function is quite generic: I think we should test it against generic objects 🙂
Agreed. Not going to touch in this PR though.