
[SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list #63717

Merged
merged 5 commits into from
Apr 17, 2020

Conversation

yctercero

@yctercero yctercero commented Apr 16, 2020

Summary

This PR updates the rules lists param to be exceptions_list. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the exceptions_list logic is being applied as a double not.

The following example does say event.module is not suricata BUT as this is an exceptions list, the logic is not when event.module is not suricata --> query && !(!event.module:suricata) ---> query && event.module:suricata

```js
exceptions_list: [
  {
    field: 'event.module',
    values_operator: 'excluded',
    values_type: 'match',
    values: [
      {
        name: 'suricata'
      }
    ]
  }
]
```

Did not update type names (ex lists_values etc...) as they'll also be useful when (maybe) adding such things as inclusion lists.

Tests marked describe.skip due to this being behind a feature flag were checked to be sure they are passing when feature flag is turned on.

Testing

  • ./post_rule.sh ./rules/queries/lists/query_with_list.json
  • ./update_rule.sh ./rules/updates/update_list.json
  • ./patch_rule.sh ./rules/patches/update_list.json

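The double negation described in the PR summary, worked through as an added example (not Kibana's own code): an exceptions_list item is turned into the clause it expresses, then negated before being AND-ed onto the rule query. The `field` / `values_operator` / `values_type` / `values` shape comes from the PR example; grouping several `values` as `field:(a or b)` and accepting a `values_operator` of `'included'` are assumptions made here.

```javascript
// Added example, not Kibana's code. Builds the KQL-style clause that an
// exceptions_list item expresses. Handling of multiple values and of the
// 'included' operator is an assumption of this example.
const buildExceptionClause = (item) => {
  if (item.values_type !== 'match') {
    throw new Error(`unsupported values_type: ${item.values_type}`);
  }
  const names = item.values.map((v) => v.name);
  // One value: field:value. Several values (assumption): field:(a or b).
  const matchClause =
    names.length === 1
      ? `${item.field}:${names[0]}`
      : `${item.field}:(${names.join(' or ')})`;
  // values_operator 'excluded' means the item itself reads "not field:value".
  return item.values_operator === 'excluded' ? `not ${matchClause}` : matchClause;
};

// Negates a clause, cancelling a leading "not " so that the double not
// collapses the way the PR summary describes: !(!x) -> x.
const negate = (clause) =>
  clause.startsWith('not ') ? clause.slice('not '.length) : `not ${clause}`;

// Every item in an exceptions_list is an exception, so its clause is negated
// and AND-ed onto the rule query. For an 'excluded' item on event.module
// this yields: query && !(!event.module:suricata) -> query && event.module:suricata
const applyExceptionsList = (query, exceptionsList) => {
  if (exceptionsList.length === 0) return query;
  const negated = exceptionsList.map((item) => negate(buildExceptionClause(item)));
  return `(${query}) and ${negated.join(' and ')}`;
};

// Constructed sample inputs based on the PR description
const suricataExcluded = {
  field: 'event.module',
  values_operator: 'excluded',
  values_type: 'match',
  values: [{ name: 'suricata' }],
};
const suricataIncluded = { ...suricataExcluded, values_operator: 'included' };

console.log(applyExceptionsList('host.name:*', [suricataExcluded]));
// -> (host.name:*) and event.module:suricata
console.log(applyExceptionsList('host.name:*', [suricataIncluded]));
// -> (host.name:*) and not event.module:suricata
```

Reading the second result next to the first makes the PR's point concrete: a rule author who writes an 'excluded' item is asking to keep only suricata events, which is the opposite of what the word "excluded" suggests on its own.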
@yctercero yctercero requested a review from a team as a code owner April 16, 2020 14:40
@yctercero yctercero self-assigned this Apr 16, 2020
@elasticmachine

Pinging @elastic/siem (Team:SIEM)


@FrankHassanabad FrankHassanabad left a comment


Simple enough, LGTM for the name change. Appreciate the time you took to accept feedback and then apply it to this to make it super simple for the API vocabulary to avoid user confusion.

This will save us time in the long run from forum posts and documentation for end users.

@kibanamachine

💚 Build Succeeded


@yctercero yctercero merged commit 24c253e into elastic:master Apr 17, 2020
yctercero added a commit to yctercero/kibana that referenced this pull request Apr 17, 2020
…ist (elastic#63717)

### Summary [63717]

This PR updates the rules lists param to be `exceptions_list`. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the `exceptions_list` logic is being applied as a double not.
jloleysens added a commit to jloleysens/kibana that referenced this pull request Apr 20, 2020
…bana into ingest-node-pipelines/privileges

FrankHassanabad pushed a commit to FrankHassanabad/kibana that referenced this pull request Apr 20, 2020
…ist (elastic#63717)
jloleysens added a commit to jloleysens/kibana that referenced this pull request Apr 20, 2020
…bana into pipeline-editor-part-mvp-2

yctercero pushed a commit that referenced this pull request Apr 20, 2020
…ist (#63717) (#63962)
@yctercero yctercero deleted the update-rule-lists-param branch July 20, 2020 01:44
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels
release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.8.0 v8.0.0