
[Security Solution][Detections] Adds Indicator path config for indicator match rules #91260

Merged
merged 9 commits into from
Feb 17, 2021

Commits on Feb 12, 2021

  1. Add new field for overriding threat indicator path

    There is no UI for this currently, nor is it used during rule execution.
    rylnd committed Feb 12, 2021
    8404f50
  2. Adds form field for indicator path parameter

    Also adds missing plumbing that was preventing the new field from being
    persisted to the alert/returned in the response.
    rylnd committed Feb 12, 2021
    1bcf451
  3. 0b3956a
  4. Add unit test for enriching from a custom indicator path

    We always persist to `threat.indicator.*` on the signal, but this allows
    users to specify where the enrichment fields can be found on the matched
    indicator document.
    rylnd committed Feb 12, 2021
    b4749a9
  5. Wire up the missing piece of our indicator path config

    We were not passing this from the rule itself into the threat matching
    logic, and so were merely getting the default value.
    
    An integration test will fix this. Incoming!
    rylnd committed Feb 12, 2021
    6b2d1d7
  6. Move indicator path defaulting outside of helper functions

    This happens closer to where we pass data from the rule to our helpers,
    and will prevent errors/bugs due to defaulting logic down the road.
    
    It makes tests a little more verbose, but that's okay.
    rylnd committed Feb 12, 2021
    c33dc3a
  7. c5004db

Commits on Feb 15, 2021

  1. Make threat indicator path a conditional field

    Always sending along this field, but only allowing it for threat match
    rules was implicitly breaking the workflow of other rule types. By
    making the field conditional on the rule type, this field only impacts
    threat match rules.
    
    This also fixes some types and tests accordingly.
    rylnd committed Feb 15, 2021
    5da3b12

Commits on Feb 16, 2021

  1. af0e0f1
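Added example, not code from this PR or from Kibana: a small TypeScript model of the behaviour the commit messages above describe, covering b4749a9 (enrich from a custom indicator path while always persisting to `threat.indicator.*` on the signal), c33dc3a (apply the default once at the rule boundary instead of inside each helper) and 5da3b12 (the field only applies to threat match rules). The rule type names, the `threatIndicatorPath` parameter, the default path `threat.indicator`, the function names and the sample documents are assumptions made for this example, not Kibana identifiers.

```typescript
// Added illustration of the indicator-path override; not Kibana's implementation.
// All names below (Rule, threatIndicatorPath, DEFAULT_INDICATOR_PATH, enrichSignal)
// are assumptions chosen for the example.

type Doc = Record<string, unknown>;

// Only threat_match rules carry an indicator path; other rule types never see it,
// so the field cannot leak into their execution (cf. commit 5da3b12).
interface ThreatMatchRule { type: 'threat_match'; threatIndicatorPath?: string }
interface OtherRule { type: 'query' | 'eql' | 'machine_learning' | 'threshold' }
type Rule = ThreatMatchRule | OtherRule;

// Assumed default source location of the enrichment fields on an indicator document.
const DEFAULT_INDICATOR_PATH = 'threat.indicator';

// Defaulting happens exactly once, where rule params are handed to the matching
// helpers (cf. commit c33dc3a). Helpers below therefore always get a concrete path.
function resolveIndicatorPath(rule: Rule): string | undefined {
  if (rule.type !== 'threat_match') return undefined;
  return rule.threatIndicatorPath && rule.threatIndicatorPath.length > 0
    ? rule.threatIndicatorPath
    : DEFAULT_INDICATOR_PATH;
}

// Walk a dotted path through nested objects. Documents that store the whole path
// as one dotted key (as some ingest pipelines emit) are handled first.
function getByPath(doc: Doc, path: string): unknown {
  if (path in doc) return doc[path];
  let cur: unknown = doc;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Doc)[key];
  }
  return cur;
}

// Copy the fields found at indicatorPath on the matched indicator document onto
// the signal under the fixed threat.indicator key. Only the source location is
// configurable; the destination on the signal never changes (cf. commit b4749a9).
function enrichSignal(signal: Doc, indicator: Doc, indicatorPath: string): Doc {
  const fields = getByPath(indicator, indicatorPath);
  if (fields === undefined || fields === null || typeof fields !== 'object') {
    // Path absent on this indicator: leave the signal untouched rather than
    // writing an empty or wrong threat.indicator object.
    return signal;
  }
  const threat = (signal.threat as Doc | undefined) ?? {};
  return { ...signal, threat: { ...threat, indicator: { ...(fields as Doc) } } };
}

// Constructed sample documents (not real telemetry). The indicator feed stores
// its fields under custom.ti rather than the default threat.indicator.
const sampleIndicator: Doc = {
  custom: { ti: { ip: '203.0.113.7', type: 'ipv4-addr', provider: 'example-feed' } },
};
const sampleSignal: Doc = {
  source: { ip: '203.0.113.7' },
  threat: { framework: 'MITRE ATT&CK' },
};

// End-to-end: rule override -> resolved path -> enriched signal.
function runDemo(): Doc {
  const rule: Rule = { type: 'threat_match', threatIndicatorPath: 'custom.ti' };
  const path = resolveIndicatorPath(rule);
  if (path === undefined) return sampleSignal;
  return enrichSignal(sampleSignal, sampleIndicator, path);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The check worth keeping from this model is the last branch of `enrichSignal`: if the configured path does not exist on a matched indicator, the signal is returned unchanged instead of gaining an empty `threat.indicator`, which would otherwise look like a successful enrichment to anyone querying signals by that field.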