-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIEM] Add support for actions and throttle in Rules #59641
[SIEM] Add support for actions and throttle in Rules #59641
Conversation
6ebdfc5
to
c27eacb
Compare
c27eacb
to
f8892c7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Added minor comment on response type.
@@ -24,6 +24,7 @@ export const file_name = t.string; | |||
* become the actual ESFilter as a type. | |||
*/ | |||
export const filters = t.array(t.unknown); // Filters are not easily type-able yet | |||
export const actions = t.array(t.unknown); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this unkown for the same reason as filters? If so, maybe we can add the same comment?
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/utils.ts
Outdated
Show resolved
Hide resolved
x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
Outdated
Show resolved
Hide resolved
Pinging @elastic/siem (Team:SIEM) |
x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_signal.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would change back the type in one area and any other suggestions I have here and then I will approve.
x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
Outdated
Show resolved
Hide resolved
…e-actions-throttle
@elasticmachine merge upstream |
…e-actions-throttle # Conflicts: # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/rules_schema.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/response/schemas.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/update_rules_schema.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_all.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_export_by_object_ids.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/patch_rules.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of these comments are just suggestions, feel free to ignore them. The one concern is the change to calculateVersion
in patchRules
, so I'm going to request changes until I get verification that that's intentional and not a bug.
@@ -4,6 +4,8 @@ | |||
* you may not use this file except in compliance with the Elastic License. | |||
*/ | |||
|
|||
import { AlertAction } from '../../../../../../plugins/alerting/common'; | |||
export { AlertAction } from '../../../../../../plugins/alerting/common'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we import from both this file and the original type throughout this branch. Should we consolidate to one location?
@@ -82,8 +84,8 @@ export const createRules = ({ | |||
}, | |||
schedule: { interval }, | |||
enabled, | |||
actions: [], // TODO: Create and add actions here once we have email, etc... | |||
throttle: null, | |||
actions: actions ?? [], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The createRulesSchema
validation should set this default, right? Do we need the coalescing here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might be because of the tech debt with some of the TypeScript "soup" issues that are from me when sharing types between patch and create here:
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/types.ts
If that's true, and it's messy to correct this at this point without large refactoring you can add a comment like so:
actions ?? [], // FUNFACT: This is really never undefined here but since types are over shared between patch and create it exists here.
And we can clean this up down the road.
@@ -76,7 +77,6 @@ export const patchRules = async ({ | |||
type, | |||
references, | |||
version, | |||
throttle, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that changes to throttle
(and actions
) will not bump the rule version, right? Is that the correct behavior?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussion with @rylnd and @FrankHassanabad we have decided to bump the rule's version whenever actions
or throttle
change
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts
Outdated
Show resolved
Hide resolved
expect(rule).toEqual(expected); | ||
}); | ||
|
||
test('it omits a null value such as if throttle is undefined if is present', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test description is unclear; what is this testing that the previous test is not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added "
around the keys we're checking, did it help?
@@ -59,11 +62,14 @@ export interface RuleAlertParams { | |||
threat: ThreatParams[] | undefined | null; | |||
type: RuleType; | |||
version: number; | |||
throttle?: string; | |||
throttle: string | null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On second thought, that minor bug shouldn't block this getting merged. We can address it in a followup.
}).value.throttle | ||
).toEqual(null); | ||
}); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome tests 👍 !!!
...ck/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
Outdated
Show resolved
Hide resolved
...ck/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/patch_rules_schema.test.ts
Outdated
Show resolved
Hide resolved
t.type({ | ||
group: t.string, | ||
id: t.string, | ||
actionTypeId: t.string, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might not have a choice but to keep this as camel case 🐫 , but if possible we should try for 🐍 snake case.
Up to you on this one, I know that the alerting team was made aware that they should be using snake case.
I leave this part as optional, but the more snake case we have now, the less migrations or headaches and support later for the API.
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/schemas.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is really great improvements. I always appreciate people like you Patryk that can come up to speed quickly in code areas and learn both the detection engine and the alerting team's code base and navigate between different team's coding philosophy's.
You have been really good about fixing all the suggestions as well as adjusting your work schedule to quickly fix things while we are online which is really awesome of you. Thank you.
I know it's tricky to not mix in 🐫 case with 🐍 case for REST interfaces within Kibana and I left those as optional because I don't want to delay something as good as this and I have left a few 🐫 cases as well myself so I don't think it's such a big ordeal if those are in here for a while.
But since you added so many tests and took a lot of extra time to work through comments from myself and Ryland (as well as resolve conflicts from our PR) I think this is good to go and you should merge it before any other conflicts!
So 👍 and double 💪 💪
LGTM!
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
* master: (52 commits) [SIEM] Fix types in rules tests (elastic#60736) [Alerting] prevent flickering when fields are updated in an alert (elastic#60666) License checks for actions plugin (elastic#59070) Implemented ability to clear and properly validate alert interval (elastic#60571) WebElementWrapper: add findByTestSubject/findAllByTestSubject to search with data-test-subj (elastic#60568) [Maps] Update layer dependencies to NP (elastic#59585) [Discover] Remove StateManagementConfigProvider (elastic#60221) [ML] Listing all categorization wizard checks (elastic#60502) [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887) [SIEM] Export timeline (elastic#58368) [SIEM] Add support for actions and throttle in Rules (elastic#59641) Fix ace a11y listener (elastic#60639) Add addInfo toast to core notifications service (elastic#60574) fix test description (elastic#60638) [SIEM] Cypress screenshots upload to google cloud (elastic#60556) [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653) [SIEM] Fixes Modification of ML Rules (elastic#60662) [SIEM] [Case] Bulk status update, add comment avatar, id => title in breadcrumbs (elastic#60410) [Alerting] add functional tests for index threshold alertType (elastic#60597) [Ingest]EMT-248: add post action request handler and resources (elastic#60581) ...
* master: (55 commits) Update dependency @elastic/charts to v18.1.0 (elastic#60578) Only set timezone when user setting is a valid timezone (elastic#57850) [NP] Remove `ui/agg_types` dependencies and move paginated table to kibana_legacy (elastic#60276) [SIEM] Fix types in rules tests (elastic#60736) [Alerting] prevent flickering when fields are updated in an alert (elastic#60666) License checks for actions plugin (elastic#59070) Implemented ability to clear and properly validate alert interval (elastic#60571) WebElementWrapper: add findByTestSubject/findAllByTestSubject to search with data-test-subj (elastic#60568) [Maps] Update layer dependencies to NP (elastic#59585) [Discover] Remove StateManagementConfigProvider (elastic#60221) [ML] Listing all categorization wizard checks (elastic#60502) [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887) [SIEM] Export timeline (elastic#58368) [SIEM] Add support for actions and throttle in Rules (elastic#59641) Fix ace a11y listener (elastic#60639) Add addInfo toast to core notifications service (elastic#60574) fix test description (elastic#60638) [SIEM] Cypress screenshots upload to google cloud (elastic#60556) [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653) [SIEM] Fixes Modification of ML Rules (elastic#60662) ...
…o alerting/tls-warning * 'alerting/tls-warning' of github.com:gmmorris/kibana: (32 commits) [ML] Listing all categorization wizard checks (elastic#60502) [Upgrade Assistant] First iteration of batch reindex docs (elastic#59887) [SIEM] Export timeline (elastic#58368) [SIEM] Add support for actions and throttle in Rules (elastic#59641) Fix ace a11y listener (elastic#60639) Add addInfo toast to core notifications service (elastic#60574) fix test description (elastic#60638) [SIEM] Cypress screenshots upload to google cloud (elastic#60556) [canvas/shareable_runtime] sync sass loaders with kbn/optimizer (elastic#60653) [SIEM] Fixes Modification of ML Rules (elastic#60662) [SIEM] [Case] Bulk status update, add comment avatar, id => title in breadcrumbs (elastic#60410) [Alerting] add functional tests for index threshold alertType (elastic#60597) [Ingest]EMT-248: add post action request handler and resources (elastic#60581) Return incident's url (elastic#60617) [Endpoint] TEST: GET alert details - boundary test for first alert retrieval (elastic#60320) [ML] Transforms: Fix pivot preview table mapping. (elastic#60609) [Endpoint] Log random seed for sample data CLI to console (elastic#60646) Use common event model for determining if event is v0 or v1 (elastic#60667) Disables PR Project Assigner workflow [Reporting] Allow reports to be deleted in Management > Kibana > Reporting (elastic#60077) ...
Summary
It's a part of #59004 effort, but I have decided to split it into couple PRs to make it easier to check
Checklist
Delete any items that are not applicable to this PR.
For maintainers