
Adds mapping to the signals for the indicator rules that were missing (
…elastic#92928)

## Summary

Indicator rules were missing the mappings and the copy code for when they were being created. This fixes that.

**Manual testing instructions**

Add an indicator rule:
<img width="1075" alt="Screen Shot 2021-02-25 at 3 33 05 PM" src="https://user-images.githubusercontent.com/1151048/109229217-37c35700-7780-11eb-9988-573d53f2c076.png">

Then, after it fires, check that it shows up in the timeline and tables, and also check that it is queryable:
<img width="473" alt="Screen Shot 2021-02-25 at 3 31 48 PM" src="https://user-images.githubusercontent.com/1151048/109229261-4a3d9080-7780-11eb-808b-06fb0e9e4099.png">
<img width="509" alt="Screen Shot 2021-02-25 at 3 32 12 PM" src="https://user-images.githubusercontent.com/1151048/109229269-4c075400-7780-11eb-96bd-2464a7ac555e.png">
<img width="1390" alt="Screen Shot 2021-02-25 at 3 39 20 PM" src="https://user-images.githubusercontent.com/1151048/109229290-545f8f00-7780-11eb-982c-4506552973df.png">

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad authored and kibanamachine committed Mar 1, 2021
1 parent 0772e20 commit 63584f8
Showing 5 changed files with 135 additions and 1 deletion.
Expand Up @@ -21,7 +21,7 @@ import ecsMapping from './ecs_mapping.json';
incremented by 10 in order to add "room" for the aforementioned patch
release
*/
export const SIGNALS_TEMPLATE_VERSION = 24;
export const SIGNALS_TEMPLATE_VERSION = 25;
export const MIN_EQL_RULE_INDEX_VERSION = 2;

export const getSignalsTemplate = (index: string) => {
Expand Up @@ -236,6 +236,38 @@
}
}
},
"threat_mapping": {
"properties": {
"entries": {
"properties": {
"field": {
"type": "keyword"
},
"value": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
}
}
},
"threat_filters": {
"type": "object"
},
"threat_indicator_path": {
"type": "keyword"
},
"threat_query": {
"type": "keyword"
},
"threat_index": {
"type": "keyword"
},
"threat_language": {
"type": "keyword"
},
"note": {
"type": "text"
},
Expand Up @@ -131,6 +131,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
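Review bot: The expected objects in these fixtures list `threat_filters`, `threat_index` and `threat_mapping` as `[]` but say nothing about `threat_indicator_path`, `threat_query` and `threat_language`, which the new buildRule code copies through as `undefined` for a non-indicator rule (assuming buildBulkBody goes through buildRule); that only passes because `toEqual` treats a missing key and an `undefined` value as equal, so the fixtures do not pin that those three fields are omitted rather than defaulted. Either assert them explicitly (`threat_indicator_path: undefined,` and the other two) or switch the assertion to `toStrictEqual` so a later change that defaults them to `''` or `[]` is caught. The same three-line triple is added verbatim in the hunks at -253, -374, -485, -589, -692 and -795; hoisting it into a shared constant next to `getListArrayMock()` would keep the seven copies from drifting. The surrounding `describe('buildBulkBody')` block and each expected object start outside the hunk.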
Expand Down Expand Up @@ -253,6 +256,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
threshold_result: {
terms: [
Expand Down Expand Up @@ -374,6 +380,9 @@ describe('buildBulkBody', () => {
throttle: 'no_actions',
threat: [],
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -485,6 +494,9 @@ describe('buildBulkBody', () => {
updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -589,6 +601,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -692,6 +707,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Down Expand Up @@ -795,6 +813,9 @@ describe('buildBulkBody', () => {
created_at: fakeSignalSourceHit.signal.rule?.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
},
depth: 1,
},
Expand Up @@ -23,6 +23,7 @@ import { RulesSchema } from '../../../../common/detection_engine/schemas/respons
import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';
import { INTERNAL_RULE_ID_KEY, INTERNAL_IMMUTABLE_KEY } from '../../../../common/constants';
import { getRulesSchemaMock } from '../../../../common/detection_engine/schemas/response/rules_schema.mocks';
import { RuleTypeParams } from '../types';

describe('buildRule', () => {
beforeEach(() => {
Expand Down Expand Up @@ -104,6 +105,9 @@ describe('buildRule', () => {
],
exceptions_list: getListArrayMock(),
version: 1,
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -162,6 +166,9 @@ describe('buildRule', () => {
created_at: rule.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -220,6 +227,9 @@ describe('buildRule', () => {
created_at: rule.created_at,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});
Expand Down Expand Up @@ -282,9 +292,74 @@ describe('buildRule', () => {
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
version: 1,
threat_filters: [],
threat_index: [],
threat_mapping: [],
};
expect(rule).toEqual(expected);
});

test('it creates a indicator/threat_mapping/threat_matching rule', () => {
const ruleParams: RuleTypeParams = {
...sampleRuleAlertParams(),
threatMapping: [
{
entries: [
{
field: 'host.name',
value: 'host.name',
type: 'mapping',
},
],
},
],
threatFilters: [
{
query: {
bool: {
must: [
{
query_string: {
query: 'host.name: linux',
analyze_wildcard: true,
time_zone: 'Zulu',
},
},
],
},
},
},
],
threatIndicatorPath: 'some.path',
threatQuery: 'threat_query',
threatIndex: ['threat_index'],
threatLanguage: 'kuery',
};
const threatMatchRule = buildRule({
actions: [],
doc: sampleDocNoSortId(),
ruleParams,
name: 'some-name',
id: sampleRuleGuid,
enabled: false,
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
tags: [],
throttle: 'no_actions',
});
const expected: Partial<RulesSchema> = {
threat_mapping: ruleParams.threatMapping,
threat_filters: ruleParams.threatFilters,
threat_indicator_path: ruleParams.threatIndicatorPath,
threat_query: ruleParams.threatQuery,
threat_index: ruleParams.threatIndex,
threat_language: ruleParams.threatLanguage,
};
expect(threatMatchRule).toEqual(expect.objectContaining(expected));
});
});

describe('removeInternalTagsFromRule', () => {
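Review bot: The new threat_match test spreads `sampleRuleAlertParams()` and adds the threat params without setting `type`, so unless that helper already returns a `threat_match` type the fixture is a query-type rule that happens to carry threat fields; `buildRule` copies them regardless, so the assertion passes, but the test then does not demonstrate what its name claims. Adding `type: 'threat_match',` to `ruleParams` (if `RuleTypeParams` exposes that discriminator, which I cannot see from here) would make the fixture match an indicator rule as the UI creates it. The test name reads `'it creates a indicator/...'`; `'an indicator...'` is the intended article. `expect.objectContaining(expected)` is the right tool here since only the six threat fields are under test; a second case passing none of the threat params and asserting the `[]` defaults would close the gap the buildBulkBody fixtures leave.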
Expand Up @@ -103,6 +103,12 @@ export const buildRule = ({
created_by: createdBy,
updated_by: updatedBy,
threat: ruleParams.threat ?? [],
threat_mapping: ruleParams.threatMapping ?? [],
threat_filters: ruleParams.threatFilters ?? [],
threat_indicator_path: ruleParams.threatIndicatorPath,
threat_query: ruleParams.threatQuery,
threat_index: ruleParams.threatIndex ?? [],
threat_language: ruleParams.threatLanguage,
timestamp_override: ruleParams.timestampOverride,
throttle,
version: ruleParams.version,
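Review bot: The six new lines mix two defaulting policies without a comment: the array-valued fields fall back to `[]` while `threat_indicator_path`, `threat_query` and `threat_language` are copied through as-is, so a non-indicator signal now carries three empty arrays plus three `undefined`-valued keys. That asymmetry is presumably deliberate (it matches `threat: ruleParams.threat ?? []` just above), but it is what forced the seven fixture updates in the buildBulkBody tests, and a reader will wonder whether omitting the keys entirely for non-indicator rules was considered. A one-line comment above `threat_mapping:` such as `// Indicator-rule params: array fields default to [] so every signal has the same shape; scalar fields stay undefined for other rule types` would settle it. These values are user-authored query DSL copied verbatim into every signal document, so the mapping that accompanies this commit decides whether they get indexed; that belongs to the mapping review rather than this hunk. `buildRule` starts and ends outside the hunk.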
