Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Threat intel feed support for detector creation #762

Merged
merged 10 commits into from
Oct 25, 2023
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/cypress-workflow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,14 @@ on:
branches:
- "*"
env:
OPENSEARCH_DASHBOARDS_VERSION: '2.9.0'
OPENSEARCH_VERSION: '2.9.0-SNAPSHOT'
SECURITY_ANALYTICS_BRANCH: '2.9'
OPENSEARCH_DASHBOARDS_VERSION: '2.11.0'
amsiglan marked this conversation as resolved.
Show resolved Hide resolved
OPENSEARCH_VERSION: '2.11.0-SNAPSHOT'
SECURITY_ANALYTICS_BRANCH: '2.11'
GRADLE_VERSION: '7.6.1'

# If this variable is not empty, the package.json, opensearch_dashboards.json, and yarn.lock files will be replaced
# with those files from the 'opensearch-project/security-analytics-dashboards-plugin' branch or commit specified.
OVERRIDE_REFERENCE: '2.9'
OVERRIDE_REFERENCE: '2.11'
jobs:
tests:
name: Run Cypress E2E tests
Expand Down Expand Up @@ -111,7 +111,7 @@ jobs:
- name: Run OpenSearch-Dashboards server
run: |
cd OpenSearch-Dashboards
yarn start --no-base-path --no-watch &
yarn start --no-base-path --no-watch --server.host="0.0.0.0" &
shell: bash

# Window is slow so wait longer
Expand Down
6 changes: 2 additions & 4 deletions cypress/integration/1_detectors.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ const dataSourceLabel = 'Select or input source indexes or index patterns';

const getDataSourceField = () => cy.getFieldByLabel(dataSourceLabel);

const logTypeLabel = 'Select a log type you would like to detect';
const logTypeLabel = 'Log type';

const getLogTypeField = () => cy.getFieldByLabel(logTypeLabel);

Expand Down Expand Up @@ -125,7 +125,7 @@ const createDetector = (detectorName, dataSource, expectFailure) => {

fillDetailsForm(detectorName, dataSource);

cy.getElementByText('.euiAccordion .euiTitle', 'Detection rules (14 selected)')
cy.getElementByText('.euiAccordion .euiTitle', 'Selected detection rules (14)')
.click({ force: true, timeout: 5000 })
.then(() => cy.contains('.euiTable .euiTableRow', 'Dns'));

Expand All @@ -150,8 +150,6 @@ const createDetector = (detectorName, dataSource, expectFailure) => {
.focus()
.blur();

cy.getFieldByLabel('Specify alert severity').selectComboboxItem('1 (Highest)');

cy.intercept('POST', '/_plugins/_security_analytics/mappings').as('createMappingsRequest');
cy.intercept('POST', '/_plugins/_security_analytics/detectors').as('createDetectorRequest');

Expand Down
1 change: 1 addition & 0 deletions models/interfaces.ts
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ export interface AlertCondition {
sev_levels: string[];
tags: string[];
ids: string[];
threat_intel_enabled: boolean;

// Alert related fields
actions: TriggerAction[];
Expand Down
7 changes: 5 additions & 2 deletions public/pages/Alerts/components/AlertFlyout/AlertFlyout.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ export class AlertFlyout extends React.Component<AlertFlyoutProps, AlertFlyoutSt
name: 'Finding ID',
sortable: true,
dataType: 'string',
render: (id, finding) =>
render: (id, finding: any) =>
amsiglan marked this conversation as resolved.
Show resolved Hide resolved
(
<EuiLink
onClick={() => {
Expand All @@ -157,7 +157,10 @@ export class AlertFlyout extends React.Component<AlertFlyoutProps, AlertFlyoutSt
...finding,
detector: { _id: detector.id as string, _index: '', _source: detector },
ruleName: rule.title,
ruleSeverity: rule.level,
ruleSeverity:
rule.level === 'critical'
amsiglan marked this conversation as resolved.
Show resolved Hide resolved
? rule.level
: finding['ruleSeverity'] || rule.level,
},
[...this.state.findingItems, finding],
true,
Expand Down
35 changes: 12 additions & 23 deletions public/pages/Correlations/containers/CorrelationRules.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -21,21 +21,26 @@ import {
getCorrelationRulesTableColumns,
getCorrelationRulesTableSearchConfig,
} from '../utils/helpers';
import { CorrelationRule } from '../../../../types';
import { CorrelationRule, CorrelationRuleTableItem } from '../../../../types';
import { RouteComponentProps } from 'react-router-dom';
import { DeleteCorrelationRuleModal } from '../components/DeleteModal';

export const CorrelationRules: React.FC<RouteComponentProps> = (props: RouteComponentProps) => {
const context = useContext(CoreServicesContext);
const [allRules, setAllRules] = useState<CorrelationRule[]>([]);
const [filteredRules, setFilteredRules] = useState<CorrelationRule[]>([]);
const [allRules, setAllRules] = useState<CorrelationRuleTableItem[]>([]);
const [isDeleteModalVisible, setIsDeleteModalVisible] = useState(false);
const [selectedRule, setSelectedRule] = useState<CorrelationRule | undefined>(undefined);

const getCorrelationRules = useCallback(async () => {
const allRuleItems: CorrelationRule[] = await DataStore.correlations.getCorrelationRules();
setAllRules(allRuleItems);
setFilteredRules(allRuleItems);
const allRuleTableItems: CorrelationRuleTableItem[] = allRuleItems.map((item) => {
const logTypes = item.queries.map((q) => q.logType).join(', ');
return {
...item,
logTypes,
};
});
setAllRules(allRuleTableItems);
}, [DataStore.correlations.getCorrelationRules]);

useEffect(() => {
Expand All @@ -61,22 +66,6 @@ export const CorrelationRules: React.FC<RouteComponentProps> = (props: RouteComp
[]
);

const onLogTypeFilterChange = useCallback(
(logTypes?: string[]) => {
if (!logTypes) {
setFilteredRules(allRules);
return;
}

const logTypesSet = new Set(logTypes);
const filteredRules = allRules.filter((rule) => {
return rule.queries.some((query) => logTypesSet.has(query.logType));
});
setFilteredRules(filteredRules);
},
[allRules]
);

const onRuleNameClick = useCallback((rule: CorrelationRule) => {
props.history.push({
pathname: `${ROUTES.CORRELATION_RULE_EDIT}/${rule.id}`,
Expand Down Expand Up @@ -143,10 +132,10 @@ export const CorrelationRules: React.FC<RouteComponentProps> = (props: RouteComp
setIsDeleteModalVisible(true);
setSelectedRule(rule);
})}
items={filteredRules}
items={allRules}
pagination={true}
sorting={true}
search={getCorrelationRulesTableSearchConfig(onLogTypeFilterChange)}
search={getCorrelationRulesTableSearchConfig()}
/>
) : (
<EuiEmptyPrompt
Expand Down
39 changes: 6 additions & 33 deletions public/pages/Correlations/utils/helpers.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -5,20 +5,14 @@

import React from 'react';
import { EuiBasicTableColumn, EuiBadge, EuiToolTip, EuiButtonIcon, EuiLink } from '@elastic/eui';
import {
ArgsWithError,
ArgsWithQuery,
CorrelationRule,
CorrelationRuleQuery,
} from '../../../../types';
import { CorrelationRule, CorrelationRuleQuery, CorrelationRuleTableItem } from '../../../../types';
import { Search } from '@opensearch-project/oui/src/eui_components/basic_table';
import { FieldClause } from '@opensearch-project/oui/src/eui_components/search_bar/query/ast';
import { formatRuleType, getLogTypeFilterOptions } from '../../../utils/helpers';

export const getCorrelationRulesTableColumns = (
onRuleNameClick: (rule: CorrelationRule) => void,
_refreshRules: (ruleItem: CorrelationRule) => void
): EuiBasicTableColumn<CorrelationRule>[] => {
): EuiBasicTableColumn<CorrelationRuleTableItem>[] => {
return [
{
field: 'name',
Expand All @@ -31,7 +25,8 @@ export const getCorrelationRulesTableColumns = (
},
{
name: 'Log types',
render: (ruleItem: CorrelationRule) => {
field: 'logTypes',
render: (logTypes: string, ruleItem: CorrelationRule) => {
const badges = [
...new Set(ruleItem.queries?.map((query) => formatRuleType(query.logType))),
];
Expand Down Expand Up @@ -75,33 +70,11 @@ export const getCorrelationRulesTableColumns = (
];
};

export const getCorrelationRulesTableSearchConfig = (
onLogTypeFilterChange: (logTypes?: string[]) => void
): Search => {
export const getCorrelationRulesTableSearchConfig = (): Search => {
return {
box: {
placeholder: 'Search by rule name, log type',
},
onChange: (args: ArgsWithQuery | ArgsWithError) => {
if (!args.error) {
const logTypeFieldClauseIdx = args.query.ast.clauses.findIndex(
(clause) => clause.type === 'field' && clause.field === 'logTypes'
);
const logTypeFieldClause =
logTypeFieldClauseIdx > -1 ? args.query.ast.clauses[logTypeFieldClauseIdx] : undefined;

if (logTypeFieldClause) {
const logTypes = (logTypeFieldClause as FieldClause).value as string[];
// Need to remove the logTypes clause so that in built search doesn't try to apply it because that will return 0 results,
// since it requires custom logic we implemented in the `onLogTypeFilterChange` callback
args.query.ast.removeOrFieldClauses('logTypes');
onLogTypeFilterChange(logTypes);
} else if (args.query.ast.clauses.length === 0) {
onLogTypeFilterChange(undefined);
}
}

return true;
schema: true,
},
filters: [
{
Expand Down
Loading
Loading