diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 48036ec73511b..c6f432a28aee4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -21,7 +21,7 @@ import ecsMapping from './ecs_mapping.json'; incremented by 10 in order to add "room" for the aforementioned patch release */ -export const SIGNALS_TEMPLATE_VERSION = 24; +export const SIGNALS_TEMPLATE_VERSION = 25; export const MIN_EQL_RULE_INDEX_VERSION = 2; export const getSignalsTemplate = (index: string) => { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json index 22dba81e5c8e6..26ff1c501540b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json @@ -236,6 +236,38 @@ } } }, + "threat_mapping": { + "properties": { + "entries": { + "properties": { + "field": { + "type": "keyword" + }, + "value": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "threat_filters": { + "type": "object" + }, + "threat_indicator_path": { + "type": "keyword" + }, + "threat_query": { + "type": "keyword" + }, + "threat_index": { + "type": "keyword" + }, + "threat_language": { + "type": "keyword" + }, "note": { "type": "text" }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts index 362c368881b37..08e3335170897 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts @@ -131,6 +131,9 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, @@ -253,6 +256,9 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, updated_at: fakeSignalSourceHit.signal.rule?.updated_at, exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, threshold_result: { terms: [ @@ -374,6 +380,9 @@ describe('buildBulkBody', () => { throttle: 'no_actions', threat: [], exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, @@ -485,6 +494,9 @@ describe('buildBulkBody', () => { updated_at: fakeSignalSourceHit.signal.rule?.updated_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, @@ -589,6 +601,9 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, @@ -692,6 +707,9 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, @@ -795,6 +813,9 @@ describe('buildBulkBody', () => { created_at: fakeSignalSourceHit.signal.rule?.created_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }, depth: 1, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts index a2a0b8c73a8bd..40cc15786392c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts @@ -23,6 +23,7 @@ import { RulesSchema } from '../../../../common/detection_engine/schemas/respons import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock'; import { INTERNAL_RULE_ID_KEY, INTERNAL_IMMUTABLE_KEY } from '../../../../common/constants'; import { getRulesSchemaMock } from '../../../../common/detection_engine/schemas/response/rules_schema.mocks'; +import { RuleTypeParams } from '../types'; describe('buildRule', () => { beforeEach(() => { @@ -104,6 +105,9 @@ describe('buildRule', () => { ], exceptions_list: getListArrayMock(), version: 1, + threat_filters: [], + threat_index: [], + threat_mapping: [], }; expect(rule).toEqual(expected); }); @@ -162,6 +166,9 @@ describe('buildRule', () => { created_at: rule.created_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }; expect(rule).toEqual(expected); }); @@ -220,6 +227,9 @@ describe('buildRule', () => { created_at: rule.created_at, throttle: 'no_actions', exceptions_list: getListArrayMock(), + threat_filters: [], + threat_index: [], + threat_mapping: [], }; expect(rule).toEqual(expected); }); @@ -282,9 +292,74 @@ describe('buildRule', () => { throttle: 'no_actions', exceptions_list: getListArrayMock(), version: 1, + threat_filters: [], + threat_index: [], + threat_mapping: [], }; expect(rule).toEqual(expected); }); + + test('it creates a indicator/threat_mapping/threat_matching rule', () => { + const ruleParams: RuleTypeParams = { + ...sampleRuleAlertParams(), + threatMapping: [ + { + entries: [ + { + field: 'host.name', + value: 'host.name', + type: 'mapping', + }, + ], + }, + ], + threatFilters: [ + { + query: { + bool: { + must: [ + { + query_string: { + query: 'host.name: linux', + analyze_wildcard: true, + time_zone: 'Zulu', + }, + }, + ], + }, + }, + }, + ], + threatIndicatorPath: 'some.path', + threatQuery: 'threat_query', + threatIndex: ['threat_index'], + threatLanguage: 'kuery', + }; + const threatMatchRule = buildRule({ + actions: [], + doc: sampleDocNoSortId(), + ruleParams, + name: 'some-name', + id: sampleRuleGuid, + enabled: false, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', + createdBy: 'elastic', + updatedBy: 'elastic', + interval: 'some interval', + tags: [], + throttle: 'no_actions', + }); + const expected: Partial = { + threat_mapping: ruleParams.threatMapping, + threat_filters: ruleParams.threatFilters, + threat_indicator_path: ruleParams.threatIndicatorPath, + threat_query: ruleParams.threatQuery, + threat_index: ruleParams.threatIndex, + threat_language: ruleParams.threatLanguage, + }; + expect(threatMatchRule).toEqual(expect.objectContaining(expected)); + }); }); describe('removeInternalTagsFromRule', () => { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts index 8f3fda800d726..167724836e01c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts @@ -103,6 +103,12 @@ export const buildRule = ({ created_by: createdBy, updated_by: updatedBy, threat: ruleParams.threat ?? [], + threat_mapping: ruleParams.threatMapping ?? [], + threat_filters: ruleParams.threatFilters ?? [], + threat_indicator_path: ruleParams.threatIndicatorPath, + threat_query: ruleParams.threatQuery, + threat_index: ruleParams.threatIndex ?? [], + threat_language: ruleParams.threatLanguage, timestamp_override: ruleParams.timestampOverride, throttle, version: ruleParams.version,