[SIEM] [Detection Engine] Timestamps for rules (#56197)

* utilize createdAt and updatedAt from the alerting saved object

* revert accidental change to test rule

* updatedAt is not a part of savedObject attributes passed back from alerting, it's at the top level
Devin W. Hurley 2020-01-28 14:56:31 -05:00 committed by GitHub
parent ff37dd1c25
commit 8360faf7bd
19 changed files with 85 additions and 32 deletions


@ -269,8 +269,6 @@ export const getResult = (): RuleAlertType => ({
alertTypeId: 'siem.signals',
consumer: 'siem',
params: {
createdAt: '2019-12-13T16:40:33.400Z',
updatedAt: '2019-12-13T16:40:33.400Z',
description: 'Detecting root and admin users',
ruleId: 'rule-1',
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],


@ -51,7 +51,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
const rules = await Promise.all(
request.payload.map(async payloadRule => {
const {
created_at: createdAt,
description,
enabled,
false_positives: falsePositives,
@ -73,7 +72,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
threat,
to,
type,
updated_at: updatedAt,
references,
timeline_id: timelineId,
timeline_title: timelineTitle,
@ -104,7 +102,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
const createdRule = await createRules({
alertsClient,
actionsClient,
createdAt,
description,
enabled,
falsePositives,
@ -129,7 +126,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
to,
type,
threat,
updatedAt,
references,
version,
});
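Review bot: With `created_at`/`updated_at` removed from the payload destructuring at the top of the handler, any such keys a client still sends are accepted and silently ignored unless the route's payload schema (outside this hunk) drops them too; the same applies to createCreateRulesRoute in create_rules_route. That is the right outcome, since these are server-assigned audit fields and must not be client-controlled, but the schema should reject them or the API documentation should state they are ignored so callers do not believe a rule can be backdated. A short comment on the createRules call, `// created_at/updated_at come from the alerting saved object, never from the request payload`, would make the intent visible to the next reader. The handler body starts and ends outside the hunk.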


@ -35,7 +35,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
},
async handler(request: RulesRequest, headers) {
const {
created_at: createdAt,
description,
enabled,
false_positives: falsePositives,
@ -59,7 +58,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
threat,
to,
type,
updated_at: updatedAt,
references,
} = request.payload;
const alertsClient = isFunction(request.getAlertsClient) ? request.getAlertsClient() : null;
@ -91,7 +89,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
const createdRule = await createRules({
alertsClient,
actionsClient,
createdAt,
description,
enabled,
falsePositives,
@ -116,7 +113,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
to,
type,
threat,
updatedAt,
references,
version: 1,
});


@ -130,7 +130,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
const createdRule = await createRules({
alertsClient,
actionsClient,
createdAt: new Date().toISOString(),
description,
enabled,
falsePositives,
@ -155,7 +154,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
to,
type,
threat,
updatedAt: new Date().toISOString(),
references,
version,
});


@ -81,8 +81,8 @@ export const transformAlertToRule = (
ruleStatus?: SavedObject<IRuleSavedAttributesSavedObjectAttributes>
): Partial<OutputRuleAlertRest> => {
return pickBy<OutputRuleAlertRest>((value: unknown) => value != null, {
created_at: alert.params.createdAt,
updated_at: alert.params.updatedAt,
created_at: alert.createdAt.toISOString(),
updated_at: alert.updatedAt.toISOString(),
created_by: alert.createdBy,
description: alert.params.description,
enabled: alert.enabled,
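Review bot: `alert.createdAt.toISOString()` and `alert.updatedAt.toISOString()` on the new side throw a TypeError if either field is missing or arrives as a string rather than a Date, so the whole transform fails instead of just omitting the field. The `savedObject.updated_at ?? ''` fallback added in signal_rule_alert_type in this same commit suggests `updated_at` is not guaranteed on every saved object, so the same may hold here for alerts returned through other paths; pickBy already drops nullish values, so an optional call is enough: `created_at: alert.createdAt?.toISOString(),` and `updated_at: alert.updatedAt?.toISOString(),`. If the alert type declares both as non-optional Date, confirm that holds for every caller before relying on it. transformAlertToRule continues outside the hunk.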


@ -45,7 +45,6 @@ export const createRules = ({
alertTypeId: SIGNALS_ID,
consumer: APP_ID,
params: {
createdAt: new Date().toISOString(),
description,
ruleId,
index,
@ -66,7 +65,6 @@ export const createRules = ({
threat,
to,
type,
updatedAt: new Date().toISOString(),
references,
version,
},


@ -75,8 +75,6 @@ export const installPrepackagedRules = (
threat,
references,
version,
createdAt: new Date().toISOString(),
updatedAt: new Date().toISOString(),
}),
];
}, []);


@ -164,7 +164,6 @@ export const updateRules = async ({
threat,
to,
type,
updatedAt: new Date().toISOString(),
references,
version: calculatedVersion,
}


@ -35,8 +35,6 @@ export const sampleRuleAlertParams = (
meta: undefined,
threat: undefined,
version: 1,
updatedAt: '2019-12-17T15:04:25.343Z',
createdAt: '2019-12-17T15:04:37.105Z',
});
export const sampleDocNoSortId = (someUuid: string = sampleIdGuid): SignalSourceHit => ({


@ -25,6 +25,8 @@ describe('buildBulkBody', () => {
ruleParams: sampleParams,
id: sampleRuleGuid,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -103,6 +105,8 @@ describe('buildBulkBody', () => {
ruleParams: sampleParams,
id: sampleRuleGuid,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -189,6 +193,8 @@ describe('buildBulkBody', () => {
ruleParams: sampleParams,
id: sampleRuleGuid,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -272,6 +278,8 @@ describe('buildBulkBody', () => {
ruleParams: sampleParams,
id: sampleRuleGuid,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',


@ -15,7 +15,9 @@ interface BuildBulkBodyParams {
ruleParams: RuleTypeParams;
id: string;
name: string;
createdAt: string;
createdBy: string;
updatedAt: string;
updatedBy: string;
interval: string;
enabled: boolean;
@ -28,7 +30,9 @@ export const buildBulkBody = ({
ruleParams,
id,
name,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
enabled,
@ -39,7 +43,9 @@ export const buildBulkBody = ({
id,
name,
enabled,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
tags,
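Review bot: The new `createdAt`/`updatedAt` fields on BuildBulkBodyParams carry no indication of their format, and the same pair is added to BuildRuleParams, SearchAfterAndBulkCreateParams and SingleBulkCreateParams in this commit; the caller in signal_rule_alert_type feeds them ISO 8601 strings (with `''` as the updatedAt fallback), which a reader of these interfaces cannot see. A one-line TSDoc on each pair, `/** ISO 8601 timestamp taken from the rule's alert saved object; written to the signal as created_at/updated_at */`, would pin the contract where the field is declared rather than three call sites away. buildBulkBody's body continues outside the hunk.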


@ -31,6 +31,8 @@ describe('buildRule', () => {
name: 'some-name',
id: sampleRuleGuid,
enabled: false,
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
@ -85,6 +87,8 @@ describe('buildRule', () => {
name: 'some-name',
id: sampleRuleGuid,
enabled: true,
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',
@ -128,6 +132,8 @@ describe('buildRule', () => {
name: 'some-name',
id: sampleRuleGuid,
enabled: true,
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: 'some interval',


@ -12,7 +12,9 @@ interface BuildRuleParams {
name: string;
id: string;
enabled: boolean;
createdAt: string;
createdBy: string;
updatedAt: string;
updatedBy: string;
interval: string;
tags: string[];
@ -23,7 +25,9 @@ export const buildRule = ({
name,
id,
enabled,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
tags,
@ -58,7 +62,7 @@ export const buildRule = ({
updated_by: updatedBy,
threat: ruleParams.threat,
version: ruleParams.version,
created_at: ruleParams.createdAt,
updated_at: ruleParams.updatedAt,
created_at: createdAt,
updated_at: updatedAt,
});
};


@ -40,6 +40,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -93,6 +95,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -117,6 +121,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -148,6 +154,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -179,6 +187,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -212,6 +222,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -245,6 +257,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -280,6 +294,8 @@ describe('searchAfterAndBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',


@ -19,8 +19,10 @@ interface SearchAfterAndBulkCreateParams {
id: string;
signalsIndex: string;
name: string;
createdAt: string;
createdBy: string;
updatedBy: string;
updatedAt: string;
interval: string;
enabled: boolean;
pageSize: number;
@ -38,8 +40,10 @@ export const searchAfterAndBulkCreate = async ({
signalsIndex,
filter,
name,
createdAt,
createdBy,
updatedBy,
updatedAt,
interval,
enabled,
pageSize,
@ -58,7 +62,9 @@ export const searchAfterAndBulkCreate = async ({
id,
signalsIndex,
name,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
enabled,
@ -118,7 +124,9 @@ export const searchAfterAndBulkCreate = async ({
id,
signalsIndex,
name,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
enabled,


@ -35,7 +35,6 @@ export const signalRulesAlertType = ({
actionGroups: ['default'],
validate: {
params: schema.object({
createdAt: schema.string(),
description: schema.string(),
falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }),
from: schema.string(),
@ -56,7 +55,6 @@ export const signalRulesAlertType = ({
threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
to: schema.string(),
type: schema.string(),
updatedAt: schema.string(),
references: schema.arrayOf(schema.string(), { defaultValue: [] }),
version: schema.number({ defaultValue: 1 }),
}),
@ -121,7 +119,9 @@ export const signalRulesAlertType = ({
const tags: string[] = savedObject.attributes.tags;
const createdBy: string = savedObject.attributes.createdBy;
const createdAt: string = savedObject.attributes.createdAt;
const updatedBy: string = savedObject.attributes.updatedBy;
const updatedAt: string = savedObject.updated_at ?? '';
const interval: string = savedObject.attributes.schedule.interval;
const enabled: boolean = savedObject.attributes.enabled;
const gap = getGapBetweenRuns({
@ -210,7 +210,9 @@ export const signalRulesAlertType = ({
filter: esFilter,
name,
createdBy,
createdAt,
updatedBy,
updatedAt,
interval,
enabled,
pageSize: searchAfterSize,
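Review bot: `const updatedAt: string = savedObject.updated_at ?? '';` substitutes an empty string when the saved object has no `updated_at`, and that value now flows through searchAfterAndBulkCreate into every signal written for the rule as `updated_at`. An empty string is not a timestamp: depending on the signals index mapping it is either rejected per document inside the bulk response or stored as unparseable provenance data, and neither failure is surfaced to the rule author. A fallback that is always a valid time, `const updatedAt: string = savedObject.updated_at ?? createdAt;`, keeps the field meaningful; the asymmetry that createdAt is read from `savedObject.attributes` while updatedAt is read from the top-level saved object also deserves a one-line comment, since it reads like a mistake without the commit message. The executor function continues outside the hunk.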


@ -152,6 +152,8 @@ describe('singleBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -180,6 +182,8 @@ describe('singleBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -200,6 +204,8 @@ describe('singleBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -221,6 +227,8 @@ describe('singleBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',
@ -244,6 +252,8 @@ describe('singleBulkCreate', () => {
id: sampleRuleGuid,
signalsIndex: DEFAULT_SIGNALS_INDEX,
name: 'rule-name',
createdAt: '2020-01-28T15:58:34.810Z',
updatedAt: '2020-01-28T15:59:14.004Z',
createdBy: 'elastic',
updatedBy: 'elastic',
interval: '5m',


@ -21,7 +21,9 @@ interface SingleBulkCreateParams {
id: string;
signalsIndex: string;
name: string;
createdAt: string;
createdBy: string;
updatedAt: string;
updatedBy: string;
interval: string;
enabled: boolean;
@ -59,7 +61,9 @@ export const singleBulkCreate = async ({
id,
signalsIndex,
name,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
enabled,
@ -91,7 +95,19 @@ export const singleBulkCreate = async ({
),
},
},
buildBulkBody({ doc, ruleParams, id, name, createdBy, updatedBy, interval, enabled, tags }),
buildBulkBody({
doc,
ruleParams,
id,
name,
createdAt,
createdBy,
updatedAt,
updatedBy,
interval,
enabled,
tags,
}),
]);
const start = performance.now();
const response: BulkResponse = await services.callCluster('bulk', {


@ -22,7 +22,6 @@ export interface ThreatParams {
}
export interface RuleAlertParams {
createdAt: string;
description: string;
enabled: boolean;
falsePositives: string[];
@ -49,7 +48,6 @@ export interface RuleAlertParams {
threat: ThreatParams[] | undefined | null;
type: 'query' | 'saved_query';
version: number;
updatedAt: string;
}
export type RuleTypeParams = Omit<RuleAlertParams, 'name' | 'enabled' | 'interval' | 'tags'>;
@ -65,8 +63,6 @@ export type RuleAlertParamsRest = Omit<
| 'timelineId'
| 'timelineTitle'
| 'outputIndex'
| 'updatedAt'
| 'createdAt'
> &
Omit<
IRuleStatusAttributes,
@ -86,8 +82,8 @@ export type RuleAlertParamsRest = Omit<
max_signals: RuleAlertParams['maxSignals'];
risk_score: RuleAlertParams['riskScore'];
output_index: RuleAlertParams['outputIndex'];
created_at: RuleAlertParams['createdAt'];
updated_at: RuleAlertParams['updatedAt'];
created_at: string;
updated_at: string;
status?: IRuleStatusAttributes['status'] | undefined;
status_date?: IRuleStatusAttributes['statusDate'] | undefined;
last_failure_at?: IRuleStatusAttributes['lastFailureAt'] | undefined;