4c48993bb0
## Summary
This PR starts the migration of the Security Solution rules to use the rule-registry introduced in https://github.com/elastic/kibana/pull/95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See https://github.com/elastic/kibana/issues/95735 for details
Enable via the following feature flags in your `kibana.dev.yml`:
```
# Security Solution Rules on Rule Registry
xpack.ruleRegistry.index: '.kibana-[USERNAME]-alerts' # Only necessary to scope from other devs testing, if not specified defaults to `.alerts-security-solution`
xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']
```
> Note: if setting a custom `xpack.ruleRegistry.index`, for the time being you must also update the [DEFAULT_ALERTS_INDEX](9e213fb7a5/x-pack/plugins/security_solution/common/constants.ts (L28)) in order for the UI to display alerts within the alerts table.
---
Three reference rule types have been added (`query`, `eql`, `threshold`), along with scripts for creating them located in:
```
x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/scripts/
```
Main Detection page TGrid queries have been short-circuited to query `.alerts-security-solution*` for displaying alerts from the new alerts as data indices.
To test, checkout, enable the above feature flag(s), and run one of the scripts from the above directory, e.g. `./create_reference_rule_query.sh` (ensure your ENV vars as set! :)
Alerts as data within the main Detection Page 🎉
<p align="center">
<img width="500" src="https://user-images.githubusercontent.com/2946766/119911768-39cfba00-bf17-11eb-8996-63c0b813fdcc.png" />
</p>
cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain
56 lines
1.9 KiB
TypeScript
56 lines
1.9 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the Elastic License
|
|
* 2.0; you may not use this file except in compliance with the Elastic License
|
|
* 2.0.
|
|
*/
|
|
|
|
export type ExperimentalFeatures = typeof allowedExperimentalValues;
|
|
|
|
/**
|
|
* A list of allowed values that can be used in `xpack.securitySolution.enableExperimental`.
|
|
* This object is then used to validate and parse the value entered.
|
|
*/
|
|
const allowedExperimentalValues = Object.freeze({
|
|
trustedAppsByPolicyEnabled: false,
|
|
metricsEntitiesEnabled: false,
|
|
hostIsolationEnabled: false,
|
|
ruleRegistryEnabled: false,
|
|
});
|
|
|
|
type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;
|
|
type Mutable<T> = { -readonly [P in keyof T]: T[P] };
|
|
|
|
const SecuritySolutionInvalidExperimentalValue = class extends Error {};
|
|
const allowedKeys = Object.keys(allowedExperimentalValues) as Readonly<ExperimentalConfigKeys>;
|
|
|
|
/**
|
|
* Parses the string value used in `xpack.securitySolution.enableExperimental` kibana configuration,
|
|
* which should be a string of values delimited by a comma (`,`)
|
|
*
|
|
* @param configValue
|
|
* @throws SecuritySolutionInvalidExperimentalValue
|
|
*/
|
|
export const parseExperimentalConfigValue = (configValue: string[]): ExperimentalFeatures => {
|
|
const enabledFeatures: Mutable<Partial<ExperimentalFeatures>> = {};
|
|
|
|
for (const value of configValue) {
|
|
if (!isValidExperimentalValue(value)) {
|
|
throw new SecuritySolutionInvalidExperimentalValue(`[${value}] is not valid.`);
|
|
}
|
|
|
|
enabledFeatures[value as keyof ExperimentalFeatures] = true;
|
|
}
|
|
|
|
return {
|
|
...allowedExperimentalValues,
|
|
...enabledFeatures,
|
|
};
|
|
};
|
|
|
|
export const isValidExperimentalValue = (value: string): boolean => {
|
|
return allowedKeys.includes(value as keyof ExperimentalFeatures);
|
|
};
|
|
|
|
export const getExperimentalAllowedValues = (): string[] => [...allowedKeys];
|