kibana/x-pack/test/detection_engine_api_integration
Garrett Spong 591e10355a
[Security] Adds field mapping support to rule creation (#70288)
## Summary

Resolves: https://github.com/elastic/kibana/issues/65941, https://github.com/elastic/kibana/issues/66317, and `Add support for "building block" alerts`

This PR is `Part I` and adds additional fields to the `rules schema` to support the ability to map and override fields when generating alerts. A few bookkeeping fields like `license` and `author` have been added as well. The new fields are as follows:

``` ts
export interface TheseAreTheNewFields {
  author: string[];
  building_block_type: string; // 'default'
  license: string;
  risk_score_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
    }
  >;
  rule_name_override: string;
  severity_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
      severity: string; // 'low' | 'medium' | 'high' | 'critical'
    }
  >;
  timestamp_override: string;
}
```

These new fields are exposed as additional settings on the `About rule` section of the Rule Creation UI.

##### Default collapsed view, no severity or risk score override specified:
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/86090417-49c0ee80-ba67-11ea-898f-a43af6d9383f.png" />
</p>

##### Severity & risk score override specified:
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/86091165-a8d33300-ba68-11ea-86ac-89393a7ca3f5.png" />
</p>

##### Additional fields in Advanced settings:
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/86091256-cbfde280-ba68-11ea-9b63-acf2524039bd.png" />
</p>


Note: This PR adds the fields to the `Rules Schema`, the `signals index mapping`, and creates the UI for adding these fields during Rule Creation/Editing. The follow-up `Part II` will add the business logic for mapping fields during `rule execution`, and also add UI validation/additional tests.

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials
  - Syncing w/ @benskelker 
- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
- [x] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)

### For maintainers

- [x] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
2020-07-01 22:49:30 -06:00
..
basic [SIEM][Detection Engine] Fixes a stale view/query within the signals table when re-opening/closing signals 2020-06-16 08:41:59 -06:00
common Register privileges in Kibana Platform Security plugin and remove legacy getUser API. (#65472) 2020-06-05 08:11:58 +02:00
security_and_spaces [SIEM][Detection Engine] Fixes a stale view/query within the signals table when re-opening/closing signals 2020-06-16 08:41:59 -06:00
utils.ts [Security] Adds field mapping support to rule creation (#70288) 2020-07-01 22:49:30 -06:00