[Security Solution][Exceptions] - Tie server and client code together #70918
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/siem (Team:SIEM) |
yctercero
commented
Jul 7, 2020
| @@ -43,7 +43,7 @@ interface CreateExceptionListItemOptions { | |||
| user: string; | |||
| tags: Tags; | |||
| tieBreaker?: string; | |||
| type: ExceptionListType; | |||
| type: ExceptionListItemType; | |||
There was a problem hiding this comment.
Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.
yctercero
commented
Jul 7, 2020
| @@ -112,7 +114,7 @@ export interface UpdateExceptionListItemOptions { | |||
| description: DescriptionOrUndefined; | |||
| meta: MetaOrUndefined; | |||
| tags: TagsOrUndefined; | |||
| type: ExceptionListTypeOrUndefined; | |||
| type: ExceptionListItemTypeOrUndefined; | |||
There was a problem hiding this comment.
Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.
yctercero
commented
Jul 7, 2020
| @@ -43,7 +43,7 @@ interface UpdateExceptionListItemOptions { | |||
| user: string; | |||
| tags: TagsOrUndefined; | |||
| tieBreaker?: string; | |||
| type: ExceptionListTypeOrUndefined; | |||
| type: ExceptionListItemTypeOrUndefined; | |||
There was a problem hiding this comment.
Before both the list and item types were just t.string so it didn't scream at us, but now that the list type and item type differ, had to update.
yctercero
commented
Jul 7, 2020
| @@ -80,7 +82,7 @@ export const transformSavedObjectToExceptionList = ({ | |||
| namespace_type: namespaceType, | |||
| tags, | |||
| tie_breaker_id, | |||
| type, | |||
| type: exceptionListType.is(type) ? type : 'detection', | |||
There was a problem hiding this comment.
This is a result of both the list and item type being mapped to the same type property in the SO. We can discuss whether to keep this as is (@FrankHassanabad are there downsides to separating these out?) or change.
yctercero
commented
Jul 7, 2020
| @@ -182,7 +181,7 @@ export const buildExceptionItemEntries = ({ | |||
| }): string => { | |||
| const and = getLanguageBooleanOperator({ language, value: 'and' }); | |||
| const exceptionItem = lists | |||
| .filter((t) => !entriesList.is(t)) | |||
| .filter(({ type }) => type !== 'list') | |||
There was a problem hiding this comment.
Starting to try to not rely on io-ts check where I can given talk of not optimal performance.
peluja1012
approved these changes
Jul 7, 2020
yctercero
added a commit
to yctercero/kibana
that referenced
this pull request
Jul 7, 2020
…elastic#70918) ## Summary This PR tries to start to tie together the server and client changes for exceptions lists. - Updates graphql types to allow UI access to a rule's `exceptions_list` property - Updates the exception viewer component to now dynamically take the rule `exceptions_list`, up until now we just had an empty array in it's place - Updates the viewer logic to check if a rule has an endpoint list associated with it. If it does, then it displays both detections and endpoint UIs (in the viewer), if it does not, then it only displays the detections UI - Updates the viewer UI to better deal with spacing when an exception list item only has one or two entries (before the and badge with the antennas was stretching passed the exception items to fill the space) - Updates the detections engine exceptions logic to fetch list items using an exception list's `id` as opposed to it's `list_id`, this now aligns with the UI using the same params on its end - Adds exception list `type` to information kept by the rule for exception lists - Updates the exception list type from `string` to `endpoint | detection` - Updates the exception list _item_ type from `string` to `simple` - Adds unit tests for the detection engine server side util that fetches the exception list items
yctercero
added a commit
that referenced
this pull request
Jul 7, 2020
…#70918) (#71012) ## Summary This PR tries to start to tie together the server and client changes for exceptions lists. - Updates graphql types to allow UI access to a rule's `exceptions_list` property - Updates the exception viewer component to now dynamically take the rule `exceptions_list`, up until now we just had an empty array in it's place - Updates the viewer logic to check if a rule has an endpoint list associated with it. If it does, then it displays both detections and endpoint UIs (in the viewer), if it does not, then it only displays the detections UI - Updates the viewer UI to better deal with spacing when an exception list item only has one or two entries (before the and badge with the antennas was stretching passed the exception items to fill the space) - Updates the detections engine exceptions logic to fetch list items using an exception list's `id` as opposed to it's `list_id`, this now aligns with the UI using the same params on its end - Adds exception list `type` to information kept by the rule for exception lists - Updates the exception list type from `string` to `endpoint | detection` - Updates the exception list _item_ type from `string` to `simple` - Adds unit tests for the detection engine server side util that fetches the exception list items
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jul 8, 2020
* master: (36 commits) fixed api url in example plugin (elastic#70934) [data.search.aggs]: Remove remaining client dependencies (elastic#70251) [Security Solution][Endpoint] Fix base64 download bug and adopt new user artifact/manifest format (elastic#70998) [Security Solution][Exceptions] - Exception Modal Part I (elastic#70639) [SIEM][Detection Engine][Lists] Adds additional data types to value based lists [SIEM][Detection Engine][Lists] Removes feature flag for lists [APM] Show license callout in ML settings (elastic#70959) Migrate service settings test to jest (elastic#70992) [APM] Add cloud attributes to data telemetry (elastic#71008) Fix breadcrumb on panels for visibility / round corners (elastic#71010) Improve search typescript (elastic#69333) [savedObjects field count] run in baseline job (elastic#70999) [Security Solution] [Timeline] Timeline manager tweaks (elastic#69988) [Endpoint] Support redirect from Policy Details to Ingest when user initiates Edit Policy from Datasource Edit page (elastic#70874) [APM] Add API tests (elastic#70740) [Security Solution][Exceptions] - Tie server and client code together (elastic#70918) [Audit Logging] Add AuditTrail service (elastic#69278) [Usage Collection] Ensure no type duplicates (elastic#70946) [Security Solution] [Timeline] Bugfix for timeline row actions disappear sometimes (elastic#70958) [CI] Add pipeline task queue framework and merge workers into one (elastic#64011) ...
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR tries to start to tie together the server and client changes for exceptions lists.
exceptions_listpropertyexceptions_list, up until now we just had an empty array in it's placeidas opposed to it'slist_id, this now aligns with the UI using the same params on its endtypeto information kept by the rule for exception listsstringtoendpoint | detectionstringtosimpleWith this PR, you should now be able to use the API to create rules with exception lists and see the alerts filtered in the UI as well as seeing the exceptions show now in the exceptions viewer. See #69715
TO DOsection for an explanation on the remaining updates needed to the filtering logic.Note: This was originally #69939 , but opened new clean PR here.
How to test
To turn on lists plugin - in kibana.dev.yml
Add
export ELASTIC_XPACK_SIEM_LISTS_FEATURE=trueto your bash file.Use the scripts in
x-pack/plugins/lists/server/scriptsto create some sample exception lists and items. You can use the following:If you've previously played around with lists (or if you've never, and need to create the index), run
./hard_reset.sh(this will delete any lists you've created).Create large value list:
./post_list.sh./post_list_item.sh(I modified the value to be"value": "10.4.3.11")Create exception list:
./post_exception_list.sh./post_exception_list_item.sh ./exception_lists/new/exception_list_item_with_list.json. This makes reference to the large value list created above.Use the scripts in
x-pack/plugins/security_solution/server/lib/detection_engine/scriptsto create rule:Before running script, you'll need to update the referenced exceptions_list id to the one you created
./post_rule.sh ./rules/queries/query_with_list.json(Makes reference to the exception list created in step above)In the
Alertstable, you should see something like the following where you only see events where theevent.moduleissuricataandsource.ipis10.4.3.11(or whatever ip you specified).Go to your newly created rule details and on the
Exceptionstab you should see something like this:What to test
TO DOsection for an explanation on the remaining updates needed to the filtering logic../post_exception_list.sh ./exception_lists/new/exception_list_detection.json./post_exception_list_item.sh ./exception_lists/new/exception_list_item_detection_auto_id.json- this script auto generates the item_id so you can run it as many times as you like to create multiple itemsx-pack/plugins/security_solution/server/lib/detection_engine/scriptsupdate/rules/patches/update_list.jsonto include your newly created exception list and run./patch_rule.sh ./rules/patches/update_list.jsontypeother thanendpointordetection? (Hopefully not! 🛑 )typeother thansimple? (Hopefully not! 🛑 )exceptions_liston the rule to just have a detections list, do you see the viewer display a modified view with no toggle options? (You should! 😬 ) Something like:Checklist