
[SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_l…
…ist (#63717)

### Summary [63717]

This PR renames the rule `lists` param to `exceptions_list`. This is done to make the terminology less confusing, since `lists` will generally refer to the large list values. It should also make it clearer that the `exceptions_list` logic is applied as a double negation.
yctercero authored Apr 17, 2020
1 parent 38217b6 commit 24c253e
Showing 48 changed files with 141 additions and 141 deletions.
Expand Up @@ -448,7 +448,7 @@ export const getResult = (): RuleAlertType => ({
references: ['http://www.example.com', 'https://ww.example.com'],
note: '# Investigative notes',
version: 1,
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Up @@ -138,7 +138,7 @@ export const getOutputRuleAlertForRest = (): Omit<
],
},
],
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Up @@ -86,7 +86,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
timeline_id: timelineId,
timeline_title: timelineTitle,
version,
lists,
exceptions_list,
} = payloadRule;
const ruleIdOrUuid = ruleId ?? uuid.v4();
try {
Expand Down Expand Up @@ -143,7 +143,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
lists,
exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is set to rule, otherwise we are a notification and should not enable it,
});

Expand Up @@ -66,7 +66,7 @@ export const createRulesRoute = (router: IRouter): void => {
type,
references,
note,
lists,
exceptions_list,
} = request.body;
const siemResponse = buildSiemResponse(response);

Expand Down Expand Up @@ -131,7 +131,7 @@ export const createRulesRoute = (router: IRouter): void => {
references,
note,
version: 1,
lists,
exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it,
});

Expand Up @@ -138,7 +138,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
timeline_id: timelineId,
timeline_title: timelineTitle,
version,
lists,
exceptions_list,
} = parsedRule;

try {
Expand Down Expand Up @@ -195,7 +195,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
references,
note,
version,
lists,
exceptions_list,
actions: [], // Actions are not imported nor exported at this time
});
resolve({ rule_id: ruleId, status_code: 200 });
Expand Down Expand Up @@ -232,7 +232,7 @@ export const importRulesRoute = (router: IRouter, config: ConfigType) => {
references,
note,
version,
lists,
exceptions_list,
anomalyThreshold,
machineLearningJobId,
});
Expand Up @@ -81,7 +81,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
lists,
exceptions_list,
} = payloadRule;
const finalIndex = outputIndex ?? siemClient.signalsIndex;
const idOrRuleIdOrUnknown = id ?? ruleId ?? '(unknown id)';
Expand Down Expand Up @@ -121,7 +121,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
references,
note,
version,
lists,
exceptions_list,
actions,
});
if (rule != null) {
Expand Up @@ -67,7 +67,7 @@ export const updateRulesRoute = (router: IRouter) => {
references,
note,
version,
lists,
exceptions_list,
} = request.body;
const siemResponse = buildSiemResponse(response);

Expand Down Expand Up @@ -117,7 +117,7 @@ export const updateRulesRoute = (router: IRouter) => {
references,
note,
version,
lists,
exceptions_list,
actions: throttle === 'rule' ? actions : [], // Only enable actions if throttle is rule, otherwise we are a notification and should not enable it
});

Expand Up @@ -148,7 +148,7 @@ export const transformAlertToRule = (
last_failure_message: ruleStatus?.attributes.lastFailureMessage,
last_success_message: ruleStatus?.attributes.lastSuccessMessage,
// TODO: (LIST-FEATURE) Remove hasListsFeature() check once we have lists available for a release
lists: hasListsFeature() ? alert.params.lists : null,
exceptions_list: hasListsFeature() ? alert.params.exceptions_list : null,
});
};
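Review bot: The new line reads `alert.params.exceptions_list`, but any alert saved object written while the param was still called `lists` carries `params.lists`, so after this change those rules would serialize `exceptions_list` as `undefined` (or `null` once the feature gate is off) and nothing in this hunk migrates the persisted params. If the feature has only ever existed behind `hasListsFeature()` and has not shipped, dropping the old key silently is probably acceptable, but that assumption is not visible here; otherwise a saved-object migration is needed. Either way I would record the decision on the line, e.g. `// Persisted alert params named this field "lists" before #63717; no migration, feature is still behind hasListsFeature()`, so the next reader does not have to rediscover it. transformAlertToRule begins before the hunk.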

Expand Up @@ -71,7 +71,7 @@ export const ruleOutput: RulesSchema = {
},
},
],
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Up @@ -1542,8 +1542,8 @@ describe('add prepackaged rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
describe.skip('lists', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
describe.skip('exceptions_list', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
Expand All @@ -1558,7 +1558,7 @@ describe('add prepackaged rules schema', () => {
risk_score: 50,
note: '# some markdown',
version: 1,
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Down Expand Up @@ -1594,7 +1594,7 @@ describe('add prepackaged rules schema', () => {
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
Expand All @@ -1608,15 +1608,15 @@ describe('add prepackaged rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [],
exceptions_list: [],
version: 1,
}).error
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1628,17 +1628,17 @@ describe('add prepackaged rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [{ invalid_value: 'invalid value' }],
exceptions_list: [{ invalid_value: 'invalid value' }],
version: 1,
}).error.message
).toEqual(
'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'lists'>>>({
addPrepackagedRulesSchema.validate<Partial<Omit<PrepackagedRules, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1651,7 +1651,7 @@ describe('add prepackaged rules schema', () => {
risk_score: 50,
note: '# some markdown',
version: 1,
}).value.lists
}).value.exceptions_list
).toEqual([]);
});
});
Expand Up @@ -114,5 +114,5 @@ export const addPrepackagedRulesSchema = Joi.object({
version: version.required(),

// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});
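Review bot: The key is now `exceptions_list` but its validator is still the `lists` schema helper, so the line reads `exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([])`, which keeps the very ambiguity the commit sets out to remove. The same pattern is in the createRulesSchema and importRulesSchema hunks below. Renaming the shared helper, or aliasing it at the import site, `import { lists as exceptionsList } from './schemas'`, would keep the param name and its schema aligned; the import is outside this hunk. Note also that the `forbidden()` branch now only rejects `exceptions_list` when the feature is off, so a client that keeps sending the old `lists` key is no longer covered by this line and whether it is rejected depends on the object's unknown-key policy, which the hunk does not show; worth a test case alongside the renamed ones.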
Expand Up @@ -1510,8 +1510,8 @@ describe('create rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
describe.skip('lists', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
describe.skip('exceptions_list', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
createRulesSchema.validate<Partial<RuleAlertParamsRest>>({
rule_id: 'rule-1',
Expand All @@ -1525,7 +1525,7 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Down Expand Up @@ -1561,7 +1561,7 @@ describe('create rules schema', () => {
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
createRulesSchema.validate<Partial<RuleAlertParamsRest>>({
rule_id: 'rule-1',
Expand All @@ -1575,14 +1575,14 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [],
exceptions_list: [],
}).error
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate', () => {
expect(
createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'lists'>>>({
createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1594,16 +1594,16 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [{ invalid_value: 'invalid value' }],
exceptions_list: [{ invalid_value: 'invalid value' }],
}).error.message
).toEqual(
'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate with empty lists', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate with empty exceptions_list', () => {
expect(
createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'lists'>>>({
createRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1615,7 +1615,7 @@ describe('create rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
}).value.lists
}).value.exceptions_list
).toEqual([]);
});
});
Expand Up @@ -98,5 +98,5 @@ export const createRulesSchema = Joi.object({
version: version.default(1),

// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});
Expand Up @@ -1729,8 +1729,8 @@ describe('import rules schema', () => {
// on demand. Since they are per module, we have a an issue where the ENV variables do not take effect. It is better we change all the
// schema's to be function calls to avoid global side effects or just wait until the feature is available. If you want to test this early,
// you can remove the .skip and set your env variable of export ELASTIC_XPACK_SIEM_LISTS_FEATURE=true locally
describe.skip('lists', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and lists] does validate', () => {
describe.skip('exceptions_list', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and exceptions_list] does validate', () => {
expect(
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
Expand All @@ -1744,7 +1744,7 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [
exceptions_list: [
{
field: 'source.ip',
values_operator: 'included',
Expand Down Expand Up @@ -1780,7 +1780,7 @@ describe('import rules schema', () => {
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty lists] does validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and empty exceptions_list] does validate', () => {
expect(
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
Expand All @@ -1794,14 +1794,14 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [],
exceptions_list: [],
}).error
).toBeFalsy();
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid lists] does NOT validate and lists is empty', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and invalid exceptions_list] does NOT validate and exceptions_list is empty', () => {
expect(
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'lists'>>>({
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1813,16 +1813,16 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
lists: [{ invalid_value: 'invalid value' }],
exceptions_list: [{ invalid_value: 'invalid value' }],
}).error.message
).toEqual(
'child "lists" fails because ["lists" at position 0 fails because [child "field" fails because ["field" is required]]]'
'child "exceptions_list" fails because ["exceptions_list" at position 0 fails because [child "field" fails because ["field" is required]]]'
);
});

test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent lists] does validate', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, note, and non-existent exceptions_list] does validate', () => {
expect(
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'lists'>>>({
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'exceptions_list'>>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
Expand All @@ -1834,7 +1834,7 @@ describe('import rules schema', () => {
type: 'query',
risk_score: 50,
note: '# some markdown',
}).value.lists
}).value.exceptions_list
).toEqual([]);
});
});
Expand Up @@ -119,7 +119,7 @@ export const importRulesSchema = Joi.object({
updated_by,

// TODO: (LIST-FEATURE) Remove the hasListsFeatures once this is ready for release
lists: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
exceptions_list: hasListsFeature() ? lists.default([]) : lists.forbidden().default([]),
});

export const importRulesQuerySchema = Joi.object({
