[SIEM][Detection Engine] REST API improvements and changes from UI/UX feedback

x-pack/legacy/plugins/siem/common/constants.ts

@@ -32,3 +32,9 @@ export const DEFAULT_TIMEPICKER_QUICK_RANGES = 'timepicker:quickRanges';
  * Id for the SIGNALS alerting type
  */
 export const SIGNALS_ID = `${APP_ID}.signals`;
+
+/**
+ * Detection engine route
+ */
+export const DETECTION_ENGINE_URL = '/api/detection_engine';
+export const DETECTION_ENGINE_RULES_URL = `${DETECTION_ENGINE_URL}/rules`;

x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_signals.js

@@ -118,7 +118,7 @@ async function main() {
 
       if (query != null && query.trim() !== '') {
         const outputMessage = {
-          id: fileToWrite,
+          rule_id: fileToWrite,
           description: description || title,
           immutable: IMMUTABLE,
           index: INDEX,

x-pack/legacy/plugins/siem/server/lib/detection_engine/README.md

@@ -5,7 +5,7 @@ See these two other pages for references:
 https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/alerting/README.md
 https://github.com/elastic/kibana/tree/master/x-pack/legacy/plugins/actions
 
-Since there is no UI yet and a lot of backend areas that are not created, you 
+Since there is no UI yet and a lot of backend areas that are not created, you
 should install the kbn-action and kbn-alert project from here:
 https://github.com/pmuellr/kbn-action
 
@@ -18,6 +18,7 @@ brew install jq
 ```
 
 Open up your .zshrc/.bashrc and add these lines with the variables filled in:
+
 ```
 export ELASTICSEARCH_USERNAME=${user}
 export ELASTICSEARCH_PASSWORD=${password}
@@ -41,6 +42,7 @@ export USE_REINDEX_API=true
 ```
 
 Add these lines to your `kibana.dev.yml` to turn on the feature toggles of alerting and actions:
+
 ```
 # Feature flag to turn on alerting
 xpack.alerting.enabled: true
@@ -64,6 +66,7 @@ while commenting out the other require statement:
 ```
 
 Restart Kibana and you should see alerting and actions starting up
+
 ```
 server    log   [22:05:22.277] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
 server    log   [22:05:22.270] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
@@ -84,12 +87,12 @@ Open a terminal and go into the scripts folder `cd kibana/x-pack/legacy/plugins/
 
 which will:
 
-* Delete any existing actions you have
-* Delete any existing alerts you have
-* Delete any existing alert tasks you have
-* Delete any existing signal mapping you might have had.
-* Add the latest signal index and its mappings
-* Posts a sample signal which checks for root or admin every 5 minutes
+- Delete any existing actions you have
+- Delete any existing alerts you have
+- Delete any existing alert tasks you have
+- Delete any existing signal mapping you might have had.
+- Add the latest signal index and its mappings
+- Posts a sample signal which checks for root or admin every 5 minutes
 
 Now you can run
 
@@ -98,20 +101,13 @@ Now you can run
 ```
 
 You should see the new alert instance created like so:
+
 ```ts
 {
     "id": "908a6af1-ac63-4d52-a856-fc635a00db0f",
     "alertTypeId": "siem.signals",
     "interval": "5m",
-    "actions": [
-        {
-            "group": "default",
-            "params": {
-                "message": "SIEM Alert Fired"
-            },
-            "id": "7edd7e98-9286-4fdb-a5c5-16de776bc7c7"
-        }
-    ],
+    "actions": [ ],
     "alertTypeParams": {},
     "enabled": true,
     "throttle": null,
@@ -128,13 +124,13 @@ Every 5 minutes you should see this message in your terminal now:
 server    log   [22:17:33.945] [info][alerting] SIEM Alert Fired
 ```
 
-See the scripts folder and the tools for more command line fun. 
+See the scripts folder and the tools for more command line fun.
 
 Add the `.siem-signals-${your user id}` to your advanced SIEM settings to see any signals
 created which should update once every 5 minutes at this point.
 
 Also add the `.siem-signals-${your user id}` as a kibana index for Maps to be able to see the
-signals 
+signals
 
 Optionally you can add these debug statements to your `kibana.dev.yml` to see more information when running the detection
 engine
@@ -149,4 +145,3 @@ logging.events:
     ops: __no-ops__,
   }
 ```
-

x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts

@@ -7,7 +7,7 @@
 import { SignalSourceHit, SignalSearchResponse, SignalAlertParams } from '../types';
 
 export const sampleSignalAlertParams = (maxSignals: number | undefined): SignalAlertParams => ({
-  id: 'rule-1',
+  ruleId: 'rule-1',
   description: 'Detecting root and admin users',
   falsePositives: [],
   immutable: false,
@@ -148,3 +148,5 @@ export const sampleDocSearchResultsWithSortId: SignalSearchResponse = {
     ],
   },
 };
+
+export const sampleSignalId = '04128c15-0d1b-4716-a4c5-46997ac7f3bd';

x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/build_events_reindex.ts

@@ -22,6 +22,7 @@ interface BuildEventsReIndexParams {
   timeDetected: string;
   ruleRevision: number;
   id: string;
+  ruleId: string | undefined | null;
   type: string;
   references: string[];
 }
@@ -39,6 +40,7 @@ export const buildEventsReIndex = ({
   timeDetected,
   ruleRevision,
   id,
+  ruleId,
   type,
   references,
 }: BuildEventsReIndexParams) => {
@@ -107,6 +109,7 @@ export const buildEventsReIndex = ({
       dest: {
         index: signalsIndex,
       },
+      // TODO: Below the rule_id can be undefined, we need to fix
       script: {
         source: `
           String[] indexPatterns = new String[] {${indexPatterns}};
@@ -120,8 +123,9 @@ export const buildEventsReIndex = ({
           ];
 
           def signal = [
+            "id": "${id}",
             "rule_revision": "${ruleRevision}",
-            "rule_id": "${id}",
+            "rule_id": "${ruleId}",
             "rule_type": "${type}",
             "parent": parent,
             "name": "${name}",

x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts

@@ -5,75 +5,11 @@
  */
 
 import { SIGNALS_ID } from '../../../../common/constants';
-import { updateSignal } from './update_signals';
 import { SignalParams } from './types';
 
-// TODO: This updateIfIdExists should be temporary and we will remove it once we can POST id's directly to
-// the alerting framework.
-export const updateIfIdExists = async ({
-  alertsClient,
-  actionsClient,
-  description,
-  enabled,
-  falsePositives,
-  filter,
-  from,
-  immutable,
-  query,
-  language,
-  savedId,
-  filters,
-  id,
-  index,
-  interval,
-  maxSignals,
-  name,
-  severity,
-  size,
-  tags,
-  to,
-  type,
-  references,
-}: SignalParams) => {
-  try {
-    const signal = await updateSignal({
-      alertsClient,
-      actionsClient,
-      description,
-      enabled,
-      falsePositives,
-      filter,
-      from,
-      immutable,
-      query,
-      language,
-      savedId,
-      filters,
-      id,
-      index,
-      interval,
-      maxSignals,
-      name,
-      severity,
-      size,
-      tags,
-      to,
-      type,
-      references,
-    });
-    return signal;
-  } catch (err) {
-    if (err.output.statusCode === 404) {
-      return null;
-    } else {
-      return err;
-    }
-  }
-};
-
 export const createSignals = async ({
   alertsClient,
-  actionsClient,
+  actionsClient, // TODO: Use this actionsClient once we have actions such as email, etc...
   description,
   enabled,
   falsePositives,
@@ -83,7 +19,7 @@ export const createSignals = async ({
   language,
   savedId,
   filters,
-  id,
+  ruleId,
   immutable,
   index,
   interval,
@@ -96,85 +32,33 @@ export const createSignals = async ({
   type,
   references,
 }: SignalParams) => {
-  // TODO: Once we can post directly to _id we will not have to do this part anymore.
-  const signalUpdating = await updateIfIdExists({
-    alertsClient,
-    actionsClient,
-    description,
-    enabled,
-    falsePositives,
-    filter,
-    from,
-    query,
-    language,
-    savedId,
-    filters,
-    id,
-    immutable,
-    index,
-    interval,
-    maxSignals,
-    name,
-    severity,
-    size,
-    tags,
-    to,
-    type,
-    references,
-  });
-  if (signalUpdating == null) {
-    // TODO: Right now we are using the .server-log as the default action as each alert has to have
-    // at least one action or it will not be able to do in-memory persistence. When adding in actions
-    // such as email, slack, etc... this should be the default action if no action is specified to
-    // create signals
-    const actionResults = await actionsClient.create({
-      action: {
-        actionTypeId: '.server-log',
-        description: 'SIEM Alerts Log',
-        config: {},
-        secrets: {},
-      },
-    });
-
-    return alertsClient.create({
-      data: {
-        name,
-        alertTypeId: SIGNALS_ID,
-        alertTypeParams: {
-          description,
-          id,
-          index,
-          falsePositives,
-          from,
-          filter,
-          immutable,
-          query,
-          language,
-          savedId,
-          filters,
-          maxSignals,
-          severity,
-          tags,
-          to,
-          type,
-          references,
-        },
-        interval,
-        enabled,
-        actions: [
-          {
-            group: 'default',
-            id: actionResults.id,
-            params: {
-              message: 'SIEM Alert Fired',
-              level: 'info',
-            },
-          },
-        ],
-        throttle: null,
+  return alertsClient.create({
+    data: {
+      name,
+      alertTypeId: SIGNALS_ID,
+      alertTypeParams: {
+        description,
+        ruleId,
+        index,
+        falsePositives,
+        from,
+        filter,
+        immutable,
+        query,
+        language,
+        savedId,
+        filters,
+        maxSignals,
+        severity,
+        tags,
+        to,
+        type,
+        references,
       },
-    });
-  } else {
-    return signalUpdating;
-  }
+      interval,
+      enabled,
+      actions: [], // TODO: Create and add actions here once we have email, etc...
+      throttle: null,
+    },
+  });
 };