[Security Solution] Add coverage overview dashboard API contract #159993
Conversation
maximpn
added
release_note:skip
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
| export interface CoverageOverviewRuleData { | ||
| id: string; // rule SO's ids (not ruleId) | ||
| name: string; | ||
| } |
There was a problem hiding this comment.
There are two structures in the PR named CoverageOverviewRuleData what's the difference between them?
There was a problem hiding this comment.
One defined in response_schema.ts is a DTO and another one here in rule_data.ts is a domain model.
| */ | ||
|
|
||
| export interface CoverageOverviewRuleData { | ||
| id: string; // rule SO's ids (not ruleId) |
There was a problem hiding this comment.
Can we use the RuleObjectId alias here?
|
|
||
| export interface CoverageOverviewMitreTactic { | ||
| name: string; | ||
| reference: string; |
There was a problem hiding this comment.
Some comments along the structure would be greatly appreciated. For example, it is not completely clear what reference means in this context.
There was a problem hiding this comment.
Yes, reference looks too generic. I used the same naming as in mitre_tactics_techniques.ts.
As it causes confusion I've added comments to some fields.
|
@maximpn I'd like to shortly check this PR too if you don't mind waiting for a little bit. |
...lution/common/detection_engine/rule_management/api/rules/coverage_overview/request_schema.ts
Outdated
Show resolved
Hide resolved
...lution/common/detection_engine/rule_management/api/rules/coverage_overview/request_schema.ts
Outdated
Show resolved
Hide resolved
...lution/common/detection_engine/rule_management/api/rules/coverage_overview/request_schema.ts
Outdated
Show resolved
Hide resolved
...lution/common/detection_engine/rule_management/api/rules/coverage_overview/request_schema.ts
Outdated
Show resolved
Hide resolved
...ution/common/detection_engine/rule_management/api/rules/coverage_overview/response_schema.ts
Outdated
Show resolved
Hide resolved
...ution/common/detection_engine/rule_management/api/rules/coverage_overview/response_schema.ts
Outdated
Show resolved
Hide resolved
...ution/public/detection_engine/rule_management/logic/coverage_overview/models/mitre_tactic.ts
Outdated
Show resolved
Hide resolved
|
|
||
| export interface CoverageOverviewMitreTactic { | ||
| name: string; | ||
| reference: string; |
| * 2.0. | ||
| */ | ||
|
|
||
| export interface CoverageOverviewRuleData { |
There was a problem hiding this comment.
Could we reuse the Probably not if we want to have an id in the FE's model.CoverageOverviewRuleData from the common folder?
There was a problem hiding this comment.
One defined in common/.../response_schema.ts is a DTO and another one here in rule_data.ts is a domain model.
Generally speaking we can reuse it but it will lead to excess id added in the API response which I'd like to avoid.
There was a problem hiding this comment.
Great, maybe then we could rename the FE model to disambiguate from the DTO? E.g.
DTO: CoverageOverviewRuleAttributes
Model: CoverageOverviewRule
...ution/public/detection_engine/rule_management/logic/coverage_overview/models/mitre_tactic.ts
Outdated
Show resolved
Hide resolved
maximpn
force-pushed
the
mitre-dashboard-api-contract
branch
from
80b2bac to
585b307
Compare
| export enum CoverageOverviewRuleActivity { | ||
| Enabled = 'enabled', | ||
| Disabled = 'disabled', | ||
| Available = 'available', | ||
| } | ||
| export const CoverageOverviewRuleActivitySchema = enumeration( | ||
| 'CoverageOverviewRuleActivity', | ||
| CoverageOverviewRuleActivity | ||
| ); | ||
|
|
||
| export enum CoverageOverviewRuleSource { | ||
| Prebuilt = 'prebuilt', | ||
| Custom = 'custom', | ||
| Customized = 'customized', | ||
| } | ||
| export const CoverageOverviewRuleSourceSchema = enumeration( | ||
| 'CoverageOverviewRuleSource', | ||
| CoverageOverviewRuleSource | ||
| ); |
There was a problem hiding this comment.
Nit: commenting on each individual enum option + enums themselves could be helpful too for someone who's out of context. It could be not obvious what, for example, available means, because this word is ambiguous.
| /** | ||
| * A search term to filter the response by rule name, index pattern, MITRE ATT&CK tactic or technique | ||
| */ | ||
| search_term: NonEmptyString, |
There was a problem hiding this comment.
Nit: adding one or a few @example blah-blah could be helpful.
There was a problem hiding this comment.
Nit: for consistency with the other existing subdomains having this folder, let's call it model - in a singular form. It was assumed to mean "domain model" as a whole :)
| */ | ||
| reference: string; | ||
| /** | ||
| * A number of covered subtechniques (having as minimum one rule enabled) |
There was a problem hiding this comment.
Nit: as minimum -> at least
| /** | ||
| * A number of covered subtechniques (having as minimum one rule enabled) | ||
| */ | ||
| numOfCoveredSubtechniques: number; |
There was a problem hiding this comment.
Do we want to treat "covered" as "having at least one installed rule associated with it AND enabled" or just "having at least one installed rule associated with it" regardless of the enabled/disabled state?
There was a problem hiding this comment.
Logically speaking having at least one installed rule associated with it AND enabled is the right answer.
There was a problem hiding this comment.
I agree, but we should double-check it with @approksiu
There was a problem hiding this comment.
Posted two minor comments:
- [Security Solution] Add coverage overview dashboard API contract #159993 (comment)
- [Security Solution] Add coverage overview dashboard API contract #159993 (comment)
and a bunch of nits.
Looking good @maximpn, thank you for the fixes 👍 I'm gonna approve it so you don't have to wait for another cycle of review -- please address the rest of the comments at will and merge the PR! 🚀
maximpn
force-pushed
the
mitre-dashboard-api-contract
branch
from
94a7f1c to
73374a6
Compare
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @maximpn |
|
@banderror thank you for the through review and useful comments. I've addressed all of them so merging back the PR. |
**Addresses:** #158238 ## Summary This PR adds Coverage Overview API endpoint necessary to implement Coverage Overview Dashboard. ## Details The Coverage Overview API implementation is represented by one HTTP POST internal route `/internal/detection_engine/rules/_coverage_overview` hidden by a feature flag `detectionsCoverageOverview`. It returns response in the format defined in #159993. Implementation is done in a quite simple way. It basically just fetches all the rules in chunks and adds them to appropriate MITRE ATT&CK category buckets depending on the assigned categories. The chunk size has been chosen to be `10000` as it's the default limit. At the current stage the API doesn't handle available rules which means it doesn't return available rules in the response. Sample response containing two rules looks like ```json { "coverage": { "TA001": ["e2c9ee90-12d6-11ee-a0ab-c95a1fc4921d"], "T001": ["e2c9ee90-12d6-11ee-a0ab-c95a1fc4921d"], "T001.001": ["e2c9ee90-12d6-11ee-a0ab-c95a1fc4921d"], "TA002": ["e2f459f0-12d6-11ee-a0ab-c95a1fc4921d"], "T002": ["e2f459f0-12d6-11ee-a0ab-c95a1fc4921d"], "T002.002": ["e2f459f0-12d6-11ee-a0ab-c95a1fc4921d"], }, "unmapped_rule_ids": [], "rules_data": { "e2c9ee90-12d6-11ee-a0ab-c95a1fc4921d": { "name": "Some rule", "activity": "disabled" }, "e2f459f0-12d6-11ee-a0ab-c95a1fc4921d": { "name": "Another rule", "activity": "enabled" }, }, } ``` ### How to access the endpoint? Make sure a feature `detectionsCoverageOverview` flag is set in `config/kibana.dev.yml` like ```yaml xpack.securitySolution.enableExperimental: - detectionsCoverageOverview ``` Then access the API via an HTTP client for example `curl` - an empty filter ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview ``` - filter by rule name ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"search_term": "rule name"}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview ``` - filter by enabled rules ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview ``` - filter by prebuilt rules ```sh curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"source": ["prebuilt"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview ``` ## Known problems - <del>Filtering by a tactic name doesn't guarantee the other tactics, techniques and sub-techniques will be filtered out. As one rule may be assigned to more than one tactic, technique and sub-technique filtering such rules by one tactic will lead to only rules assigned to the desired tactic be processed. But the result will include all the tactics, techniques and sub-techniques assigned to that rules.</del> UPD: leave as is for now - <del>Some of the implementation details are similar to `find_rules` endpoint. The difference is that `find_rules` accepts `query` parameter which is a KQL query while `coverage_overview` accepts filter fields and builds up a KQL query under the hood. Passing a prepared KQL query to `coverage_overview` looks too permissive and can lead to undesired filtering results. Some of KQL query building code is common and can be reused between FE and BE.</del> UPD: Solved - <del>One may ask why using an HTTP POST request instead of HTTP GET. In fact HTTP POST is needed only for convenience to send a JSON request query in the request body similar to GraphQL approach but it looks rather an overkill. One of the main reasons why HTTP POST is used is the limitation of `io-ts` schemas used to request query validation. It's handled by `buildRouteValidation()` which doesn't parse input parameters. For example there is a request with a query string `/internal/detection_engine/rules/_coverage_overview?filter={"search_term": "rule 1"}`, it's handled and the following object gets passed to `buildRouteValidation()`</del> ```ts { "filter": '{"search_term": "rule 1"}' } ``` <del>as you may notice `'{"search_term": "rule 1"}'` is a string so the `io-ts` schema validation fails while the request looks correct. In contrast a similar `@kbn/config-schema` schema used instead for the request query validation handles it correctly. As the reference it works [here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/alerting/server/routes/find_rules.ts#L100C16-L100C27) for `internal/alerting/rules/_find` endpoint, `fields` query parameter can be a JSON array and validation handles it correctly.</del> UPD: discussed with the team and decided that HTTP POST is more convenient for complex filters. - During FTR tests implementation I've noticed the server fails if the second page (10000 - 20000 rules) is requested with an error ``` illegal_argument_exception: Result window is too large, from + size must be less than or equal to: [10000] but was [20000]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level setting. ``` There is a chance it can fail with the same error in prod. UPD: The problem in reproducible in prod. To avoid a server crash the endpoint doesn't handle more than 10k rules. The problem will be addressed in #160698. ## Posible improvements - [x] Move KQL utility functions into common folder to be shared between FE and BE (done) - Implement stricter filtering to return only searched tactic, technique and sub-technique (leave as is for now) - Use HTTP GET instead of HTTP POST (discussed with the team and decided that HTTP POST is more convenient for complex filters) - Make sure pages above 10000 rules are handled properly (will be addresses in #160698) ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenario
Addresses: #158202
Summary
This PR defines Coverage Overview Dashboard API's request and response type definitions and adds UI domain models.