Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SIEM] Add support for actions and throttle in Rules #59641

Merged

Conversation

patrykkopycinski
Copy link
Contributor

@patrykkopycinski patrykkopycinski commented Mar 9, 2020

Summary

It's a part of #59004 effort, but I have decided to split it into couple PRs to make it easier to check

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@patrykkopycinski patrykkopycinski force-pushed the feat/siem-rule-actions-throttle branch from 6ebdfc5 to c27eacb Compare March 9, 2020 12:14
@patrykkopycinski patrykkopycinski force-pushed the feat/siem-rule-actions-throttle branch from c27eacb to f8892c7 Compare March 9, 2020 12:16
@patrykkopycinski patrykkopycinski self-assigned this Mar 9, 2020
@patrykkopycinski patrykkopycinski added release_note:skip Skip the PR/issue when compiling release notes v7.7.0 v8.0.0 labels Mar 9, 2020
@patrykkopycinski patrykkopycinski requested review from FrankHassanabad, dhurley14 and yctercero and removed request for FrankHassanabad March 9, 2020 13:17
@patrykkopycinski patrykkopycinski changed the title Feat/siem rule actions throttle [SIEM] Add support for actions and throttle in Rules Mar 9, 2020
@patrykkopycinski patrykkopycinski marked this pull request as ready for review March 9, 2020 14:41
Copy link
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Added minor comment on response type.

@@ -24,6 +24,7 @@ export const file_name = t.string;
* become the actual ESFilter as a type.
*/
export const filters = t.array(t.unknown); // Filters are not easily type-able yet
export const actions = t.array(t.unknown);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this unkown for the same reason as filters? If so, maybe we can add the same comment?

@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

Copy link
Contributor

@dhurley14 dhurley14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copy link
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would change back the type in one area and any other suggestions I have here and then I will approve.

@patrykkopycinski
Copy link
Contributor Author

@elasticmachine merge upstream

elasticmachine and others added 3 commits March 18, 2020 05:12
…e-actions-throttle

# Conflicts:
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/schemas.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts
#	x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of these comments are just suggestions, feel free to ignore them. The one concern is the change to calculateVersion in patchRules, so I'm going to request changes until I get verification that that's intentional and not a bug.

@@ -4,6 +4,8 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { AlertAction } from '../../../../../../plugins/alerting/common';
export { AlertAction } from '../../../../../../plugins/alerting/common';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we import from both this file and the original type throughout this branch. Should we consolidate to one location?

@@ -82,8 +84,8 @@ export const createRules = ({
},
schedule: { interval },
enabled,
actions: [], // TODO: Create and add actions here once we have email, etc...
throttle: null,
actions: actions ?? [],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The createRulesSchema validation should set this default, right? Do we need the coalescing here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be because of the tech debt with some of the TypeScript "soup" issues that are from me when sharing types between patch and create here:

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/types.ts

If that's true, and it's messy to correct this at this point without large refactoring you can add a comment like so:

actions ?? [], // FUNFACT: This is really never undefined here but since types are over shared between patch and create it exists here.

And we can clean this up down the road.

@@ -76,7 +77,6 @@ export const patchRules = async ({
type,
references,
version,
throttle,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means that changes to throttle (and actions) will not bump the rule version, right? Is that the correct behavior?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion with @rylnd and @FrankHassanabad we have decided to bump the rule's version whenever actions or throttle change

expect(rule).toEqual(expected);
});

test('it omits a null value such as if throttle is undefined if is present', () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test description is unclear; what is this testing that the previous test is not?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added " around the keys we're checking, did it help?

@@ -59,11 +62,14 @@ export interface RuleAlertParams {
threat: ThreatParams[] | undefined | null;
type: RuleType;
version: number;
throttle?: string;
throttle: string | null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On second thought, that minor bug shouldn't block this getting merged. We can address it in a followup.

}).value.throttle
).toEqual(null);
});

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome tests 👍 !!!

t.type({
group: t.string,
id: t.string,
actionTypeId: t.string,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might not have a choice but to keep this as camel case 🐫 , but if possible we should try for 🐍 snake case.

Up to you on this one, I know that the alerting team was made aware that they should be using snake case.

I leave this part as optional, but the more snake case we have now, the less migrations or headaches and support later for the API.

Copy link
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is really great improvements. I always appreciate people like you Patryk that can come up to speed quickly in code areas and learn both the detection engine and the alerting team's code base and navigate between different team's coding philosophy's.

You have been really good about fixing all the suggestions as well as adjusting your work schedule to quickly fix things while we are online which is really awesome of you. Thank you.

I know it's tricky to not mix in 🐫 case with 🐍 case for REST interfaces within Kibana and I left those as optional because I don't want to delay something as good as this and I have left a few 🐫 cases as well myself so I don't think it's such a big ordeal if those are in here for a while.

But since you added so many tests and took a lot of extra time to work through comments from myself and Ryland (as well as resolve conflicts from our PR) I think this is good to go and you should merge it before any other conflicts!

So 👍 and double 💪 💪

LGTM!

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@patrykkopycinski patrykkopycinski merged commit 8f1e22f into elastic:master Mar 20, 2020
@patrykkopycinski patrykkopycinski deleted the feat/siem-rule-actions-throttle branch March 20, 2020 09:54
patrykkopycinski added a commit to patrykkopycinski/kibana that referenced this pull request Mar 20, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 20, 2020
* master: (52 commits)
  [SIEM] Fix types in rules tests (elastic#60736)
  [Alerting] prevent flickering when fields are updated in an alert (elastic#60666)
  License checks for actions plugin (elastic#59070)
  Implemented ability to clear and properly validate alert interval (elastic#60571)
  WebElementWrapper: add findByTestSubject/findAllByTestSubject to search with data-test-subj (elastic#60568)
  [Maps] Update layer dependencies to NP (elastic#59585)
  [Discover] Remove StateManagementConfigProvider (elastic#60221)
  [ML] Listing all categorization wizard checks (elastic#60502)
  [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887)
  [SIEM] Export timeline (elastic#58368)
  [SIEM] Add support for actions and throttle in Rules (elastic#59641)
  Fix ace a11y listener (elastic#60639)
  Add addInfo toast to core notifications service (elastic#60574)
  fix test description (elastic#60638)
  [SIEM] Cypress screenshots upload to google cloud (elastic#60556)
  [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653)
  [SIEM] Fixes Modification of ML Rules (elastic#60662)
  [SIEM] [Case] Bulk status update, add comment avatar, id => title in breadcrumbs (elastic#60410)
  [Alerting] add functional tests for index threshold alertType (elastic#60597)
  [Ingest]EMT-248: add post action request handler and resources (elastic#60581)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 20, 2020
* master: (55 commits)
  Update dependency @elastic/charts to v18.1.0 (elastic#60578)
  Only set timezone when user setting is a valid timezone (elastic#57850)
  [NP] Remove `ui/agg_types` dependencies and move paginated table to kibana_legacy (elastic#60276)
  [SIEM] Fix types in rules tests (elastic#60736)
  [Alerting] prevent flickering when fields are updated in an alert (elastic#60666)
  License checks for actions plugin (elastic#59070)
  Implemented ability to clear and properly validate alert interval (elastic#60571)
  WebElementWrapper: add findByTestSubject/findAllByTestSubject to search with data-test-subj (elastic#60568)
  [Maps] Update layer dependencies to NP (elastic#59585)
  [Discover] Remove StateManagementConfigProvider (elastic#60221)
  [ML] Listing all categorization wizard checks (elastic#60502)
  [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887)
  [SIEM] Export timeline (elastic#58368)
  [SIEM] Add support for actions and throttle in Rules (elastic#59641)
  Fix ace a11y listener (elastic#60639)
  Add addInfo toast to core notifications service (elastic#60574)
  fix test description (elastic#60638)
  [SIEM] Cypress screenshots upload to google cloud (elastic#60556)
  [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653)
  [SIEM] Fixes Modification of ML Rules (elastic#60662)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 20, 2020
…o alerting/tls-warning

* 'alerting/tls-warning' of github.com:gmmorris/kibana: (32 commits)
  [ML] Listing all categorization wizard checks (elastic#60502)
  [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887)
  [SIEM] Export timeline (elastic#58368)
  [SIEM] Add support for actions and throttle in Rules (elastic#59641)
  Fix ace a11y listener (elastic#60639)
  Add addInfo toast to core notifications service (elastic#60574)
  fix test description (elastic#60638)
  [SIEM] Cypress screenshots upload to google cloud (elastic#60556)
  [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653)
  [SIEM] Fixes Modification of ML Rules (elastic#60662)
  [SIEM] [Case] Bulk status update, add comment avatar, id => title in breadcrumbs (elastic#60410)
  [Alerting] add functional tests for index threshold alertType (elastic#60597)
  [Ingest]EMT-248: add post action request handler and resources (elastic#60581)
  Return incident's url (elastic#60617)
  [Endpoint] TEST: GET alert details - boundary test for first alert retrieval (elastic#60320)
  [ML] Transforms: Fix pivot preview table mapping. (elastic#60609)
  [Endpoint] Log random seed for sample data CLI to console (elastic#60646)
  Use common event model for determining if event is v0 or v1 (elastic#60667)
  Disables PR Project Assigner workflow
  [Reporting] Allow reports to be deleted in Management > Kibana > Reporting (elastic#60077)
  ...
patrykkopycinski added a commit that referenced this pull request Mar 20, 2020
…60727)

* [SIEM] Add support for actions and throttle in Rules (#59641)

* fix types

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.7.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants