Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solutions][Detection Engine] Adds missing mappings to the signals for the indicator rules #92928

Merged
merged 1 commit into from
Mar 1, 2021
Merged

[Security Solutions][Detection Engine] Adds missing mappings to the signals for the indicator rules #92928

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ...lugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ import ecsMapping from './ecs_mapping.json';
incremented by 10 in order to add "room" for the aforementioned patch
release
*/
export const SIGNALS_TEMPLATE_VERSION = 24;
export const SIGNALS_TEMPLATE_VERSION = 25;
export const MIN_EQL_RULE_INDEX_VERSION = 2;

export const getSignalsTemplate = (index: string) => {
Expand Down
32 changes: 32 additions & 0 deletions ...k/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,38 @@
}
}
},
"threat_mapping": {
"properties": {
"entries": {
"properties": {
"field": {
"type": "keyword"
},
"value": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
}
}
},
"threat_filters": {
"type": "object"
},
"threat_indicator_path": {
"type": "keyword"
},
"threat_query": {
"type": "keyword"
},
"threat_index": {
"type": "keyword"
},
"threat_language": {
"type": "keyword"
},
"note": {
"type": "text"
},
Expand Down
21 changes: 21 additions & 0 deletions x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -253,6 +256,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
threshold_result: {
terms: [
Expand Down Expand Up @@ -374,6 +380,9 @@ describe('buildBulkBody', () => {
throttle: 'no_actions',
threat: [],
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -485,6 +494,9 @@ describe('buildBulkBody', () => {
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -589,6 +601,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -692,6 +707,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -795,6 +813,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down
75 changes: 75 additions & 0 deletions x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import { RulesSchema } from '../../../../common/detection_engine/schemas/respons
import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';
import { INTERNAL_RULE_ID_KEY, INTERNAL_IMMUTABLE_KEY } from '../../../../common/constants';
import { getRulesSchemaMock } from '../../../../common/detection_engine/schemas/response/rules_schema.mocks';
import { RuleTypeParams } from '../types';

describe('buildRule', () => {
beforeEach(() => {
Expand Down Expand Up @@ -104,6 +105,9 @@ describe('buildRule', () => {
],
exceptions_list: getListArrayMock(),
version: 1,
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -162,6 +166,9 @@ describe('buildRule', () => {
created_at: rule.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -220,6 +227,9 @@ describe('buildRule', () => {
created_at: rule.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -282,9 +292,74 @@ describe('buildRule', () => {
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
version: 1,
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});

test('it creates a indicator/threat_mapping/threat_matching rule', () => {
const ruleParams: RuleTypeParams = {
...sampleRuleAlertParams(),
threatMapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threatFilters: [
{
query: {
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
},
},
},
],
threatIndicatorPath: 'some.path',
threatQuery: 'threat_query',
threatIndex: ['threat_index'],
threatLanguage: 'kuery',
};
const threatMatchRule = buildRule({
actions: [],
doc: sampleDocNoSortId(),
ruleParams,
name: 'some-name',
id: sampleRuleGuid,
enabled: false,
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
tags: [],
throttle: 'no_actions',
});
const expected: Partial<RulesSchema> = {
threat_mapping: ruleParams.threatMapping,
threat_filters: ruleParams.threatFilters,
threat_indicator_path: ruleParams.threatIndicatorPath,
threat_query: ruleParams.threatQuery,
threat_index: ruleParams.threatIndex,
threat_language: ruleParams.threatLanguage,
};
expect(threatMatchRule).toEqual(expect.objectContaining(expected));
});
});

describe('removeInternalTagsFromRule', () => {
Expand Down
6 changes: 6 additions & 0 deletions x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,12 @@ export const buildRule = ({
created_by: createdBy,
updated_by: updatedBy,
threat: ruleParams.threat ?? [],
threat_mapping: ruleParams.threatMapping ?? [],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't we expect these to be left off of signal.rule when they are undefined for other rule types rather than defaulted to []?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I followed the other examples, above this one. We can change this behavior with a follow up if we don't want empty arrays.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow up:
#93063

threat_filters: ruleParams.threatFilters ?? [],
threat_indicator_path: ruleParams.threatIndicatorPath,
threat_query: ruleParams.threatQuery,
threat_index: ruleParams.threatIndex ?? [],
threat_language: ruleParams.threatLanguage,
timestamp_override: ruleParams.timestampOverride,
throttle,
version: ruleParams.version,
Expand Down