Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][Detection Engine] - Update UI to read rule exceptions_list #69939

Closed
wants to merge 56 commits into from
Closed

[SIEM][Detection Engine] - Update UI to read rule exceptions_list #69939

wants to merge 56 commits into from

Conversation

yctercero
Copy link
Contributor

@yctercero yctercero commented Jun 25, 2020
edited
Loading

Summary

This PR tries to start to tie together the recent server and client changes for exceptions lists.

  • Updates graphql types to allow UI access to a rule's exceptions_list property
  • Updates the exception viewer component to now dynamically take the rule exceptions_list, up until now we just had an empty array in it's place
  • Updates the viewer UI to better deal with spacing when an exception list item only has one or two entries (before the and badge with the antennas was stretching passed the exception items to fill the space)
  • Updates the detections engine exceptions logic to fetch list items using an exception list's id as opposed to it's list_id, this now aligns with the UI using the same params on its end
  • Adds unit tests for the detection engine server side util that fetches the exception list items

With this PR, you should now be able to use the API to create rules with exception lists and see the alerts filtered in the UI as well as seeing the exceptions show now in the exceptions viewer. See #69715 TO DO section for an explanation on the remaining updates needed to the filtering logic.

Testing

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

Add export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true to your bash file.

Use the scripts in x-pack/plugins/lists/server/scripts to create some sample exception lists and items. You can use the following:

If you've previously played around with lists, run ./hard_reset.sh (this will delete any lists you've created).

Create large value list:

  • Create large value list ./post_list.sh
  • Create large value list item ./post_list_item.sh (I modified the value to be "value": "10.4.2.140")

Create exception list:

  • Create exception list ./post_exception_list.sh
  • Create exception list item ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_with_list.json

Use the scripts in x-pack/plugins/security_solution/server/lib/detection_engine/scripts to create rule:
Before running script, you'll need to update the referenced exceptions_list id to the one you created

  • Run ./post_rule.sh ./rules/queries/query_with_list.json (Makes reference to the exception list created in step above)

In the Alerts table, you should see something like the following where you only see events where the event.module is zeek and source.ip is 10.4.2.140 (or whatever ip you specified).
Screen Shot 2020-06-23 at 11 19 07 AM

Go to your newly created rule details and on the Exceptions tab you should see something like this:
Screen Shot 2020-06-25 at 10 13 04 AM

Checklist

@yctercero yctercero self-assigned this Jun 25, 2020
@yctercero yctercero marked this pull request as ready for review June 25, 2020 14:28
@yctercero yctercero requested review from a team as code owners June 25, 2020 14:28
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@yctercero yctercero mentioned this pull request Jun 25, 2020
Merged
5 tasks
rylnd
rylnd reviewed Jun 25, 2020
View reviewed changes
x-pack/plugins/lists/public/exceptions/types.ts Outdated
@@ -59,7 +59,7 @@ export interface UseExceptionListProps {

export interface ExceptionIdentifiers {
id: string;
namespaceType: NamespaceType;
namespace_type: NamespaceType;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this changed to snake case to match the request body? I would expect it to be namespaceType everywhere except the API call, which sends namespace_type: namespaceType

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea it was. Would I specify that change from namespace_type to namespaceType in the graphql types?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Working to update this and a found bug.

yctercero
yctercero commented Jul 2, 2020
View reviewed changes
x-pack/plugins/security_solution/public/alerts/pages/detection_engine/rules/details/index.tsx
@@ -253,6 +254,18 @@ export const RuleDetailsPageComponent: FC<PropsFromRedux> = ({

const { indicesExist, indexPattern } = useWithSource('default', indexToAdd);

const exceptionLists = useMemo((): ExceptionIdentifiers[] => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, we'd be transforming all of the rule params to camel case when we fetch them in use_rule / use_rules. This is a temporary workaround.

@yctercero yctercero requested review from vigneshshanmugam, watson and a team as code owners July 6, 2020 15:32
@yctercero yctercero requested a review from a team July 6, 2020 15:32
@yctercero yctercero requested review from a team as code owners July 6, 2020 15:32
@yctercero yctercero requested a review from a team July 6, 2020 15:32
@yctercero yctercero requested review from a team as code owners July 6, 2020 15:32
@yctercero yctercero requested a review from a team July 6, 2020 15:32
@yctercero yctercero requested a review from a team as a code owner July 6, 2020 15:32
@botelastic botelastic bot added Feature:ExpressionLanguage Interpreter expression language (aka canvas pipeline) Team:APM All issues that need APM UI Team support labels Jul 6, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/apm-ui (Team:apm)

@yctercero yctercero closed this Jul 6, 2020
@kibanamachine
Copy link
Contributor

💔 Build Failed

Failed CI Steps

Build metrics

@kbn/optimizer bundle module count

id value diff baseline
securitySolution 815 +24 791

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@yctercero yctercero mentioned this pull request Jul 7, 2020
Merged
4 tasks
@yctercero yctercero deleted the exceptions_ui branch October 14, 2020 12:01
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rylnd rylnd rylnd left review comments

@vigneshshanmugam vigneshshanmugam Awaiting requested review from vigneshshanmugam

@watson watson Awaiting requested review from watson

Assignees

@yctercero yctercero

Labels
Feature:ExpressionLanguage Interpreter expression language (aka canvas pipeline) release_note:enhancement Team:APM All issues that need APM UI Team support Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.