-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Detection Engine] Adds threat matching to the rul…
…e creator (#78955) ## Summary This adds threat matching rule type to the rule creator. Screen shot of creating a threat match <img width="1023" alt="Screen Shot 2020-09-30 at 3 31 09 PM" src="https://user-images.githubusercontent.com/1151048/94742158-791b1c00-0332-11eb-9d79-78ab431322f0.png"> --- Screen shot of the description after creating one <img width="1128" alt="Screen Shot 2020-09-30 at 3 29 32 PM" src="https://user-images.githubusercontent.com/1151048/94742203-8b955580-0332-11eb-837f-5b4383044a13.png"> --- Screen shot of first creating a threat match without values filled out <img width="1017" alt="Screen Shot 2020-09-30 at 3 27 29 PM" src="https://user-images.githubusercontent.com/1151048/94742222-95b75400-0332-11eb-9872-e7670e917941.png"> Additions and bug fixes: * Changes the threat index to be an array * Adds a threat_language to the REST schema so that we can use KQL, Lucene, (others in the future) * Adds plumbing for threat_list to work with the other REST endpoints such as PUT, PATCH, etc... * Adds the AND, OR dialog and user interface **Usage** If you are a team member using the team servers you can skip this usage section of creating threat index. Otherwise if you want to know how to create a mock threat index, instructions are below. Go to the folder: ```ts /kibana/x-pack/plugins/security_solution/server/lib/detection_engine/scripts ``` And post a small ECS threat mapping to the index called `mock-threat-list`: ```ts ./create_threat_mapping.sh ``` Then to post a small number of threats that represent simple port numbers you can run: ```ts ./create_threat_data.sh ``` However, feel free to also manually create them directly in your dev tools like so: ```ts # Posts a threat list item called some-name with an IP but change these out for valid data in your system PUT mock-threat-list-1/_doc/9999 { "@timestamp": "2020-09-09T20:30:45.725Z", "host": { "name": "some-name", "ip": "127.0.0.1" } } ``` ```ts # Posts a destination port number to watch PUT mock-threat-list-1/_doc/10000 { "@timestamp": "2020-09-08T20:30:45.725Z", "destination": { "port": "443" } } ``` ```ts # Posts a source port number to watch PUT mock-threat-list-1/_doc/10001 { "@timestamp": "2020-09-08T20:30:45.725Z", "source": { "port": "443" } } ``` ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
- Loading branch information
1 parent
117b577
commit d6c7128
Showing
81 changed files
with
3,224 additions
and
59 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
x-pack/plugins/security_solution/public/common/components/threat_match/and_badge.test.tsx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import React from 'react'; | ||
import { ThemeProvider } from 'styled-components'; | ||
import { mount } from 'enzyme'; | ||
import euiLightVars from '@elastic/eui/dist/eui_theme_light.json'; | ||
|
||
import { AndBadgeComponent } from './and_badge'; | ||
|
||
describe('AndBadgeComponent', () => { | ||
test('it renders entryItemIndexItemEntryFirstRowAndBadge for very first item', () => { | ||
const wrapper = mount( | ||
<ThemeProvider theme={() => ({ eui: euiLightVars, darkMode: false })}> | ||
<AndBadgeComponent entriesLength={2} entryItemIndex={0} /> | ||
</ThemeProvider> | ||
); | ||
|
||
expect(wrapper.find('[data-test-subj="entryItemEntryFirstRowAndBadge"]').exists()).toBeTruthy(); | ||
}); | ||
|
||
test('it renders entryItemEntryInvisibleAndBadge if "entriesLength" is 1 or less', () => { | ||
const wrapper = mount( | ||
<ThemeProvider theme={() => ({ eui: euiLightVars, darkMode: false })}> | ||
<AndBadgeComponent entriesLength={1} entryItemIndex={0} /> | ||
</ThemeProvider> | ||
); | ||
|
||
expect( | ||
wrapper.find('[data-test-subj="entryItemEntryInvisibleAndBadge"]').exists() | ||
).toBeTruthy(); | ||
}); | ||
|
||
test('it renders regular "and" badge if item is not the first one and includes more than one entry', () => { | ||
const wrapper = mount( | ||
<ThemeProvider theme={() => ({ eui: euiLightVars, darkMode: false })}> | ||
<AndBadgeComponent entriesLength={2} entryItemIndex={1} /> | ||
</ThemeProvider> | ||
); | ||
|
||
expect(wrapper.find('[data-test-subj="entryItemEntryAndBadge"]').exists()).toBeTruthy(); | ||
}); | ||
}); |
50 changes: 50 additions & 0 deletions
50
x-pack/plugins/security_solution/public/common/components/threat_match/and_badge.tsx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import React from 'react'; | ||
import { EuiFlexItem } from '@elastic/eui'; | ||
import styled from 'styled-components'; | ||
|
||
import { AndOrBadge } from '../and_or_badge'; | ||
|
||
const MyInvisibleAndBadge = styled(EuiFlexItem)` | ||
visibility: hidden; | ||
`; | ||
|
||
const MyFirstRowContainer = styled(EuiFlexItem)` | ||
padding-top: 20px; | ||
`; | ||
|
||
interface AndBadgeProps { | ||
entriesLength: number; | ||
entryItemIndex: number; | ||
} | ||
|
||
export const AndBadgeComponent = React.memo<AndBadgeProps>(({ entriesLength, entryItemIndex }) => { | ||
const badge = <AndOrBadge includeAntennas type="and" />; | ||
|
||
if (entriesLength > 1 && entryItemIndex === 0) { | ||
return ( | ||
<MyFirstRowContainer grow={false} data-test-subj="entryItemEntryFirstRowAndBadge"> | ||
{badge} | ||
</MyFirstRowContainer> | ||
); | ||
} else if (entriesLength <= 1) { | ||
return ( | ||
<MyInvisibleAndBadge grow={false} data-test-subj="entryItemEntryInvisibleAndBadge"> | ||
{badge} | ||
</MyInvisibleAndBadge> | ||
); | ||
} else { | ||
return ( | ||
<EuiFlexItem grow={false} data-test-subj="entryItemEntryAndBadge"> | ||
{badge} | ||
</EuiFlexItem> | ||
); | ||
} | ||
}); | ||
|
||
AndBadgeComponent.displayName = 'AndBadge'; |
Oops, something went wrong.