Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SIEM][Detection Engine] REST API improvements and changes from UI/UX feedback #50797

Merged
merged 15 commits into from
Nov 16, 2019

Conversation

FrankHassanabad
Copy link
Contributor

@FrankHassanabad FrankHassanabad commented Nov 15, 2019

Summary

Updated REST API from feedback from the UI/UX

  • Changes the id to be rule_id on PUT/POST and makes it optional for a POST (create).
  • On data return sets both id and rule_id is returned. If rule_id is not set, a uuid.v4() will b assigned to the rule_id and the value will be returned.
  • Transforms output of all endpoints to be 1-1 to the input.
  • Fixes delete to return the deleted rule
  • Changes the URL to be /api/detection_engine/rules
  • Changes the POST behavior to fail with a 409 (conflict) if the rule already exists (For creates)
  • Changes the POST behavior where sending in a rule_id is now optional. If none are sent in it does not create a rule_id and instead returns null for the rule_id and the autogenerated one.
  • Changes the PUT behavior to fail with a 404 (not found) if the rule does not already exist (For updates)
  • Deletes the actions code and just uses an empty array since we don't have actions yet
  • Makes all error conditions consistent and does not expose the underlying error codes. Only exception to the rule is if an error condition returns non 404 or something unexpected. In which case it will show that error upstream.

Example post output:

$ ./post_signal.sh
{
  "created_by": "elastic",
  "description": "Detecting root and admin users",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "8277a0e8-474c-4507-9c11-5f197b5fe2d5",
  "index": [
    "auditbeat-*",
    "filebeat-*",
    "packetbeat-*",
    "winlogbeat-*"
  ],
  "interval": "5m",
  "rule_id": "rule-1",
  "language": "kuery",
  "max_signals": 100,
  "name": "Detect Root/Admin Users",
  "query": "user.name: root or user.name: admin",
  "references": [
    "http://www.example.com",
    "https://ww.example.com"
  ],
  "severity": "high",
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "query"
}

Example delete and get URL's now (see scripts for more details):

${KIBANA_URL}/api/detection_engine/rules?rule_id="rule-1"
${KIBANA_URL}/api/detection_engine/rules?id="04128c15-0d1b-4716-a4c5-46997ac7f3bd"

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately

@elasticmachine

This comment has been minimized.

@elasticmachine

This comment has been minimized.

@FrankHassanabad FrankHassanabad changed the title Output transforms [SIEM][Detection Engine] REST API improvements and changes from UI/UX feedback Nov 15, 2019
@elasticmachine

This comment has been minimized.

@elasticmachine

This comment has been minimized.

@FrankHassanabad FrankHassanabad marked this pull request as ready for review November 15, 2019 23:57
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

Copy link
Member

@spong spong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested scripts locally and observed the new rule interface and rule_id/id changes across the API. Also 👀through the code changes and all the new tests -- great job with this @FrankHassanabad, the API and flow is really coming together! And thanks for all these sweet new additions, going to make use of them in the UI right away! 🙂

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@FrankHassanabad FrankHassanabad merged commit 6ff91e8 into elastic:master Nov 16, 2019
@FrankHassanabad FrankHassanabad deleted the output_transforms branch November 16, 2019 06:56
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Nov 16, 2019
… feedback (elastic#50797)

Updated REST API from feedback from the UI/UX
  * Changes the `id` to be `rule_id` on PUT/POST and makes it optional for a POST (create).
  * On data return sets both `id` and `rule_id` is returned. If `rule_id` is not set, a uuid.v4() will b assigned to the rule_id and the value will be returned.
  * Transforms output of all endpoints to be 1-1 to the input.
  * Fixes delete to return the deleted rule
  * Changes the URL to be `/api/detection_engine/rules`
  * Changes the POST behavior to fail with a `409 (conflict)` if the rule already exists (For creates)
  * Changes the POST behavior where sending in a `rule_id` is now optional. If none are sent in it does not create a `rule_id` and instead returns `null` for the `rule_id` and the autogenerated one.
  * Changes the PUT behavior to fail with a `404 (not found)` if the rule does not already exist (For updates)
  * Deletes the actions code and just uses an empty array since we don't have actions yet
  * Makes all error conditions consistent and does not expose the underlying error codes. Only exception to the rule is if an error condition returns non `404` or something unexpected. In which case it will show that error upstream.

Example post output:

```ts
$ ./post_signal.sh
{
  "created_by": "elastic",
  "description": "Detecting root and admin users",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "8277a0e8-474c-4507-9c11-5f197b5fe2d5",
  "index": [
    "auditbeat-*",
    "filebeat-*",
    "packetbeat-*",
    "winlogbeat-*"
  ],
  "interval": "5m",
  "rule_id": "rule-1",
  "language": "kuery",
  "max_signals": 100,
  "name": "Detect Root/Admin Users",
  "query": "user.name: root or user.name: admin",
  "references": [
    "http://www.example.com",
    "https://ww.example.com"
  ],
  "severity": "high",
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "query"
}
```

Example delete and get URL's now (see scripts for more details):

```ts
${KIBANA_URL}/api/detection_engine/rules?rule_id="rule-1"
${KIBANA_URL}/api/detection_engine/rules?id="04128c15-0d1b-4716-a4c5-46997ac7f3bd"
```

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Nov 16, 2019
… feedback (elastic#50797)

## Summary

Updated REST API from feedback from the UI/UX
  * Changes the `id` to be `rule_id` on PUT/POST and makes it optional for a POST (create).
  * On data return sets both `id` and `rule_id` is returned. If `rule_id` is not set, a uuid.v4() will b assigned to the rule_id and the value will be returned.
  * Transforms output of all endpoints to be 1-1 to the input.
  * Fixes delete to return the deleted rule
  * Changes the URL to be `/api/detection_engine/rules`
  * Changes the POST behavior to fail with a `409 (conflict)` if the rule already exists (For creates)
  * Changes the POST behavior where sending in a `rule_id` is now optional. If none are sent in it does not create a `rule_id` and instead returns `null` for the `rule_id` and the autogenerated one.
  * Changes the PUT behavior to fail with a `404 (not found)` if the rule does not already exist (For updates)
  * Deletes the actions code and just uses an empty array since we don't have actions yet
  * Makes all error conditions consistent and does not expose the underlying error codes. Only exception to the rule is if an error condition returns non `404` or something unexpected. In which case it will show that error upstream.


Example post output:

```ts
$ ./post_signal.sh
{
  "created_by": "elastic",
  "description": "Detecting root and admin users",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "8277a0e8-474c-4507-9c11-5f197b5fe2d5",
  "index": [
    "auditbeat-*",
    "filebeat-*",
    "packetbeat-*",
    "winlogbeat-*"
  ],
  "interval": "5m",
  "rule_id": "rule-1",
  "language": "kuery",
  "max_signals": 100,
  "name": "Detect Root/Admin Users",
  "query": "user.name: root or user.name: admin",
  "references": [
    "http://www.example.com",
    "https://ww.example.com"
  ],
  "severity": "high",
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "query"
}
```

Example delete and get URL's now (see scripts for more details):

```ts
${KIBANA_URL}/api/detection_engine/rules?rule_id="rule-1"
${KIBANA_URL}/api/detection_engine/rules?id="04128c15-0d1b-4716-a4c5-46997ac7f3bd"
```

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
FrankHassanabad added a commit that referenced this pull request Nov 16, 2019
… feedback (#50797) (#50851)

## Summary

Updated REST API from feedback from the UI/UX
  * Changes the `id` to be `rule_id` on PUT/POST and makes it optional for a POST (create).
  * On data return sets both `id` and `rule_id` is returned. If `rule_id` is not set, a uuid.v4() will b assigned to the rule_id and the value will be returned.
  * Transforms output of all endpoints to be 1-1 to the input.
  * Fixes delete to return the deleted rule
  * Changes the URL to be `/api/detection_engine/rules`
  * Changes the POST behavior to fail with a `409 (conflict)` if the rule already exists (For creates)
  * Changes the POST behavior where sending in a `rule_id` is now optional. If none are sent in it does not create a `rule_id` and instead returns `null` for the `rule_id` and the autogenerated one.
  * Changes the PUT behavior to fail with a `404 (not found)` if the rule does not already exist (For updates)
  * Deletes the actions code and just uses an empty array since we don't have actions yet
  * Makes all error conditions consistent and does not expose the underlying error codes. Only exception to the rule is if an error condition returns non `404` or something unexpected. In which case it will show that error upstream.


Example post output:

```ts
$ ./post_signal.sh
{
  "created_by": "elastic",
  "description": "Detecting root and admin users",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "8277a0e8-474c-4507-9c11-5f197b5fe2d5",
  "index": [
    "auditbeat-*",
    "filebeat-*",
    "packetbeat-*",
    "winlogbeat-*"
  ],
  "interval": "5m",
  "rule_id": "rule-1",
  "language": "kuery",
  "max_signals": 100,
  "name": "Detect Root/Admin Users",
  "query": "user.name: root or user.name: admin",
  "references": [
    "http://www.example.com",
    "https://ww.example.com"
  ],
  "severity": "high",
  "updated_by": "elastic",
  "tags": [],
  "to": "now",
  "type": "query"
}
```

Example delete and get URL's now (see scripts for more details):

```ts
${KIBANA_URL}/api/detection_engine/rules?rule_id="rule-1"
${KIBANA_URL}/api/detection_engine/rules?id="04128c15-0d1b-4716-a4c5-46997ac7f3bd"
```

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
jloleysens added a commit to jloleysens/kibana that referenced this pull request Nov 18, 2019
…her [skip ci]

* upstream/master: (54 commits)
  allows plugins to define validation schema for "enabled" flag (elastic#50286)
  Add retry to find.existsByDisplayedByCssSelector (elastic#48734)
  [i18n] integrate latest translations (elastic#50864)
  ui/resize_checker 👉 src/plugins/kibana_utils (elastic#44750)
  Fix @reach/router types (elastic#50863)
  [ML] Adding ML node warning to overview and analytics pages (elastic#50766)
  Bump storybook dependencies (elastic#50752)
  [APM Replace usage of idx with optional chaining (elastic#50849)
  [SIEM] Fix eslint errors (elastic#49713)
  Improve "Browser client is out of date" error message (elastic#50296)
  [SIEM][Detection Engine] REST API improvements and changes from UI/UX feedback (elastic#50797)
  Move @kbn/es-query into data plugin - es-query folder (elastic#50182)
  Index Management new platform migration (elastic#49359)
  Increase retry for cloud snapshot to finish (elastic#50781)
  Removing EuiCode from inside EuiPanel (elastic#50683)
  [SIEM] Tests for search_after and bulk index (elastic#50129)
  Make babel understand TypeScript 3.7 syntax (elastic#50772)
  Fixing mocha tests and broken password change status codes (elastic#50704)
  [Canvas] Use compressed forms in sidebar (elastic#49419)
  Add labels to shell scripts in Jenkins (elastic#49657)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants