
[7.x] [Security Solution][Detections] Adds Indicator path config for indicator match rules (#91260) #91593

Merged
merged 1 commit into from
Feb 17, 2021

Conversation

rylnd
Contributor

@rylnd rylnd commented Feb 17, 2021

Backports the following commits to 7.x:

…tor match rules (elastic#91260)

* Add new field for overriding threat indicator path

There is no UI for this currently, nor is it used during rule execution.

* Adds form field for indicator path parameter

Also adds missing plumbing that was preventing the new field from being
persisted to the alert/returned in the response.

* Wire up our indicator path config to enrichment

* Add unit test for enriching from a custom indicator path

We always persist to `threat.indicator.*` on the signal, but this allows
users to specify where the enrichment fields can be found on the matched
indicator document.

* Wire up the missing piece of our indicator path config

We were not passing this from the rule itself into the threat matching
logic, and so were merely getting the default value.

An integration test will fix this. Incoming!

* Move indicator path defaulting outside of helper functions

This happens closer to where we pass data from the rule to our helpers,
and will prevent errors/bugs due to defaulting logic down the road.

It makes tests a little more verbose, but that's okay.

* Fix remaining type errors around new rule field

* Make threat indicator path a conditional field

Always sending along this field, but only allowing it for threat match
rules was implicitly breaking the workflow of other rule types. By
making the field conditional on the rule type, this field only impacts
threat match rules.

This also fixes some types and tests accordingly.

Co-authored-by: Kibana Machine <[email protected]>
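As an added illustration of the behaviour the commit message describes (this is not Kibana's code): the rule carries an optional indicator path that is only honoured for threat match rules, defaulting happens at the boundary rather than inside the helper, and the fields found at that path on the matched indicator document are always written to `threat.indicator.*` on the signal. The default path value, the rule type names and the sample documents are assumptions.

```typescript
type Doc = Record<string, unknown>;

// Assumed default; the PR does not state the actual default value.
const DEFAULT_INDICATOR_PATH = 'threat.indicator';

// Hypothetical rule shape: the indicator path is only meaningful for threat match rules.
interface Rule {
  type: 'query' | 'threat_match';
  threatIndicatorPath?: string;
}

// Resolve a dotted path ("a.b.c") against a nested object; undefined if any segment is missing.
function getAtPath(doc: Doc, path: string): unknown {
  return path.split('.').reduce<unknown>(
    (acc, key) => (acc !== null && typeof acc === 'object' ? (acc as Doc)[key] : undefined),
    doc
  );
}

// Defaulting lives here, where rule data is handed to the helpers, not inside enrichSignal.
// Non-threat-match rules get no path at all, so the field cannot affect them.
function resolveIndicatorPath(rule: Rule): string | undefined {
  if (rule.type !== 'threat_match') return undefined;
  return rule.threatIndicatorPath ?? DEFAULT_INDICATOR_PATH;
}

// Copy whatever object sits at `indicatorPath` on the matched indicator document onto the
// signal under threat.indicator.*; the destination is fixed, only the source is configurable.
function enrichSignal(signal: Doc, indicator: Doc, indicatorPath: string): Doc {
  const fields = getAtPath(indicator, indicatorPath);
  if (fields === null || typeof fields !== 'object') {
    return signal; // nothing usable at that path: leave the signal untouched
  }
  const existingThreat = (signal.threat as Doc | undefined) ?? {};
  return { ...signal, threat: { ...existingThreat, indicator: { ...(fields as Doc) } } };
}

// Constructed sample data: an indicator document that keeps its IOC fields at a custom path.
const sampleIndicator: Doc = {
  custom: { ioc: { ip: '203.0.113.7', type: 'ipv4-addr' } },
};
const sampleSignal: Doc = { event: { kind: 'signal' }, source: { ip: '203.0.113.7' } };
```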
@rylnd rylnd added the backport label Feb 17, 2021
@kibanamachine
Contributor

💚 Build Succeeded

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 7.5MB | 7.6MB | +1.7KB |

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@rylnd rylnd merged commit c3c830f into elastic:7.x Feb 17, 2021
@rylnd rylnd deleted the backport/7.x/pr-91260 branch February 17, 2021 03:01