[SIEM][Detection Engine] Add rule's notification alert type #60832
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
patrykkopycinski
added
v8.0.0
release_note:skip
patrykkopycinski
force-pushed
the
feat/siem-rule-notifications-alert-type
branch
from
e9cebc0 to
0cea359
Compare
patrykkopycinski
requested review from
rylnd and
FrankHassanabad
and removed request for
rylnd
|
Pinging @elastic/siem (Team:SIEM) |
7 tasks
rylnd
reviewed
Mar 23, 2020
|
|
||
| class TestError extends Error { | ||
| constructor() { | ||
| // Pass remaining arguments (including vendor specific ones) to parent constructor |
| jest.mock('./build_signals_query'); | ||
|
|
||
| describe('rules_notification_alert_type', () => { | ||
| const savedObjectsClient = savedObjectsClientMock.create(); |
There was a problem hiding this comment.
I would move these to a beforeEach if possible. The less shared state, the better.
| ruleParams, | ||
| }: ScheduleNotificationActions): AlertInstance => | ||
| alertInstance | ||
| .replaceState({ |
| @@ -74,6 +70,9 @@ export type RuleTypeParams = Omit< | |||
| 'name' | 'enabled' | 'interval' | 'tags' | 'actions' | 'throttle' | |||
| >; | |||
|
|
|||
| export type RuleTypeParamsWithName = RuleTypeParams & { | |||
There was a problem hiding this comment.
Why the special casing of name, here? Is it possible to use it throughout our SIEM alerts, or do we expressly not want it in other alerts?
spong
reviewed
Mar 23, 2020
| const action = { | ||
| group: 'default', | ||
| id: '99403909-ca9b-49ba-9d7a-7e5320e68d05', | ||
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, |
There was a problem hiding this comment.
Suggested change
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, | |
| params: { message: 'Rule generated {{state.signalsCount}} signals' }, |
spong
reviewed
Mar 23, 2020
| const action = { | ||
| group: 'default', | ||
| id: '99403909-ca9b-49ba-9d7a-7e5320e68d05', | ||
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, |
There was a problem hiding this comment.
Suggested change
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, | |
| params: { message: 'Rule generated {{state.signalsCount}} signals' }, |
spong
reviewed
Mar 23, 2020
| { | ||
| group: 'default', | ||
| id: '99403909-ca9b-49ba-9d7a-7e5320e68d05', | ||
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, |
There was a problem hiding this comment.
Suggested change
| params: { message: 'Rule generated {{state.signalsCount}} singals' }, | |
| params: { message: 'Rule generated {{state.signalsCount}} signals' }, |
spong
reviewed
Mar 23, 2020
| { | ||
| actionTypeId: '.slack', | ||
| params: { | ||
| message: 'Rule generated {{state.signalsCount}} singals\n\n{{rule.name}}\n{{resultsLink}}', |
There was a problem hiding this comment.
Suggested change
| message: 'Rule generated {{state.signalsCount}} singals\n\n{{rule.name}}\n{{resultsLink}}', | |
| message: 'Rule generated {{state.signalsCount}} signals\n\n{{rule.name}}\n{{resultsLink}}', |
spong
reviewed
Mar 23, 2020
Comment on lines
29
to
34
| name: i18n.translate( | ||
| 'xpack.siem.detectionEngine.ruleNotificationAlert.actionGroups.default', | ||
| { | ||
| defaultMessage: 'Default', | ||
| } | ||
| ), |
There was a problem hiding this comment.
I thought there wasn't any i18n on the server side -- are we able to do this now, and if so, do you know how the locale gets correctly set?
spong
reviewed
Mar 23, 2020
Comment on lines
+58
to
+59
| from: previousStartedAt ?? `now-${ruleParams.interval}`, | ||
| to: startedAt, |
There was a problem hiding this comment.
Not sure if this daterange is the issue or if it's timing from the signals being written, but I'm sometimes seeing mis-match signals counts in the server logs between signalsRulesAlertType and rulesNotificationsAlertType, and then the action is not fired.
e.g. here's the server log from when a single rule runs:
server log [17:00:04.302] [info][plugins][siem] Found 55 signals from the indexes of "[apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*]" using signal rule name: "Signal Generator 7k", id: "c0880b7e-0bbb-4ef2-9471-056d36741ba0", rule_id: "38bcddb9-8751-40b8-8244-04254c7a818c", pushing signals to index ".siem-signals-spong-default"
server log [17:00:05.267] [info][plugins][siem] Found 0 signals using signal rule name: "Signal Generator 7k", id: "38bcddb9-8751-40b8-8244-04254c7a818c", rule_id: "38bcddb9-8751-40b8-8244-04254c7a818c" in ".siem-signals-spong-default" index
Which does not result in the rule's action being completed (slack message in this instance). No explicit repro steps yet, but I've noticed it mostly when editing an action after a rule has been created, and then this happens the next time the rule runs.
spong
reviewed
Mar 23, 2020
| @@ -151,12 +153,24 @@ export class Plugin { | |||
| }); | |||
|
|
|||
| if (plugins.alerting != null) { | |||
| const type = signalRulesAlertType({ | |||
| const { host, port, protocol } = core.http.getServerInfo(); | |||
| const kibanaUrl = `${protocol}://${host}:${port}`; | |||
There was a problem hiding this comment.
Not sure if this will work on cloud -- may want to touch base with the platform team to ensure this will be fine there.
spong
reviewed
Mar 23, 2020
|
|
||
| export const createRules = ({ | ||
| export const createRules = async ({ | ||
| alertsClient, | ||
| actionsClient, // TODO: Use this actionsClient once we have actions such as email, etc... |
There was a problem hiding this comment.
Is this TODO/prop still necessary?
There was a problem hiding this comment.
I'm going to clean up actionsClient and the comments afterward :)
spong
approved these changes
Mar 23, 2020
There was a problem hiding this comment.
Checked out, tested locally via UI provided in #59004, and performed a code review. Left a few nits but looks good to me! 👍 Was able to configure slack notifications and receive message when rules were run -- great work here @patrykkopycinski! 🙂🚀
…patrykkopycinski/kibana into feat/siem-rule-notifications-alert-type
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
patrykkopycinski
added a commit
to patrykkopycinski/kibana
that referenced
this pull request
Mar 24, 2020
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Mar 24, 2020
* master: Updating our direct usage of https-proxy-agent to 5.0.0 (elastic#58296) allow users to unset the throttle of an alert (elastic#60964) [Lens] Fix bug in metric config panel (elastic#60982) [SearchProfiler] Minor fixes (elastic#60919) [ML] Renaming ML setup and start contracts (elastic#60980) introduce StartServicesAccessor type for `CoreSetup.getStartServices` (elastic#60748) [SIEM][Detection Engine] Add rule's notification alert type (elastic#60832) [APM] Re-revert "Collect telemetry about data/API performance" (elastic#61030) [NP] Graph: get rid of saved objects class wrapper (elastic#59917) [EPM] merge duplicate fields when creating index patterns (elastic#60957) [Uptime] Ml detection of duration anomalies (elastic#59785) [Alerting] removes unimplemented buttons from Alert Details page (elastic#60934) [skip-ci] Fix CODEOWNERS paths for the Pulse team (elastic#60944) [APM] Threshold alerts (elastic#59566) [ML] Add support for percentiles aggregation to Transform wizard (elastic#60763) Cahgen save object duplicate message (elastic#60901)
patrykkopycinski
added a commit
that referenced
this pull request
Mar 24, 2020
spong
pushed a commit
that referenced
this pull request
Mar 24, 2020
## Summary Allow defining notifications that will trigger whenever the rule created new signals. Requires: - #58395 - #58964 - #60832   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
spong
pushed a commit
to spong/kibana
that referenced
this pull request
Mar 24, 2020
## Summary Allow defining notifications that will trigger whenever the rule created new signals. Requires: - elastic#58395 - elastic#58964 - elastic#60832   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
spong
added a commit
that referenced
this pull request
Mar 25, 2020
## Summary Allow defining notifications that will trigger whenever the rule created new signals. Requires: - #58395 - #58964 - #60832   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) Co-authored-by: patrykkopycinski <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Part of #59004
SignalRuleAlertTypeChecklist
Delete any items that are not applicable to this PR.
For maintainers