[RAC][Security Solution] Adds migration to new SecuritySolution rule …

…types (#112113)

* Initial commit

* Properly handle signal history

* Fix #95258 - cardinality sort bug

* Init threshold rule

* Create working threshold rule

* Fix threshold signal generation

* Fix tests

* Update mappings

* ALERT_TYPE_ID => RULE_TYPE_ID

* Add tests

* Fix types

* Adds RAC rule type migration

* Fix threshold tests (remove outputIndex)

* Add threshold rule type to ruleTypeMappings

* Add kbn-securitysolution-rules package for sharing with alerting framework

* Fix type errors

* Fix find_rules tests

* First round of test fixes

* Fix issues from merge conflicts

* Use ruleDataClient getReader() for reading

* Fixes to 'generating_signals' tests

* Remove more refs to legacy schema

* Linting

* Quick type fix

* Bug fixes

* Add saved query rule type

* Linting

* Fix types

* Signal generation tests

* Test updates

* Update some more refs

* build_alert tests

* Cleanup

* Ref updates

* Revert "Ref updates"

This reverts commit 4d1473d.

* Update status field

* Test fixes

* Another test

* Got a little too aggressive with search/replace

* let's see where we're at

* Fix

* Test fixes

* cleanup

* Fix cases API integration test config, flaky DE tests

* Move flattenWithPrefix to package / skip signal migration tests

* Fix unit tests

* Use new schema for bulk rule creation

* event: { kind } => event.kind

* Fix signal migration API tests

* Fix ml integration test

* Fix threat match integration tests

* Fix ML rule type tests and add correct producer to all rule types

* Update threat match API integration test

* Remove dupe properties

* Type fix

* Fix ML producer in functional test

* Fix generating_signals tests

* Remove usage of RuleDataClient-based execution log client

* Don't check output index version if rule registry enabled

* Fix bulk duplicate rule

* Fix duplicate rule test

* Fix readPrivileges and timestamp check logic

* Fixes for eql and exceptions tests... disable open_close_signals

* Type fixes / keyword test fixes

* Additional test fixes

* Unit test fixes + signal -> kibana.alert

* Test fixes for exceptions

* Fix read_resolve_rules test

* Various test fixes with marshallmain

* Sort search results

* Fix create_rules tests

* Disable writer cache for integration tests

* Disable writer cache for cases integration tests

* Fix types in rule_data_plugin_service

* Fix ordering in exceptions tests

* Remove rule_registry.enabled flag

* Fix signals migration tests

* Don't check signals index before creation

* Fix cypress config

* Fix type error

* create_migrations tests

* Skip flaky test

* Helpful comment

* Fixes from merge conflicts

* Pretend that signals index exists

* Fix type errors

* Skip flaky tests

* Fix threat matching test

* Clean up

* Reverting default ruleRegistry experimental flag (breaks unit tests)

* Reenable rule registry experimental feature by default

* Execute DE rule migration in 8.0

Co-authored-by: Marshall Main <[email protected]>

docs/developer/getting-started/monorepo-packages.asciidoc

@@ -91,6 +91,7 @@ yarn kbn watch
 - @kbn/securitysolution-list-constants
 - @kbn/securitysolution-list-hooks
 - @kbn/securitysolution-list-utils
+- @kbn/securitysolution-rules
 - @kbn/securitysolution-utils
 - @kbn/server-http-tools
 - @kbn/server-route-repository

package.json

@@ -148,6 +148,7 @@
     "@kbn/securitysolution-list-constants": "link:bazel-bin/packages/kbn-securitysolution-list-constants",
     "@kbn/securitysolution-list-hooks": "link:bazel-bin/packages/kbn-securitysolution-list-hooks",
     "@kbn/securitysolution-list-utils": "link:bazel-bin/packages/kbn-securitysolution-list-utils",
+    "@kbn/securitysolution-rules": "link:bazel-bin/packages/kbn-securitysolution-rules",
     "@kbn/securitysolution-t-grid": "link:bazel-bin/packages/kbn-securitysolution-t-grid",
     "@kbn/securitysolution-utils": "link:bazel-bin/packages/kbn-securitysolution-utils",
     "@kbn/server-http-tools": "link:bazel-bin/packages/kbn-server-http-tools",

packages/BUILD.bazel

@@ -46,6 +46,7 @@ filegroup(
       "//packages/kbn-securitysolution-list-api:build",
       "//packages/kbn-securitysolution-list-hooks:build",
       "//packages/kbn-securitysolution-list-utils:build",
+      "//packages/kbn-securitysolution-rules:build",
       "//packages/kbn-securitysolution-utils:build",
       "//packages/kbn-securitysolution-es-utils:build",
       "//packages/kbn-securitysolution-t-grid:build",

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -17,6 +17,7 @@ const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const;
 const ECS_VERSION = 'ecs.version' as const;
 const EVENT_ACTION = 'event.action' as const;
 const EVENT_KIND = 'event.kind' as const;
+const EVENT_MODULE = 'event.module' as const;
 const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const;
 const TAGS = 'tags' as const;
 const TIMESTAMP = '@timestamp' as const;
@@ -88,6 +89,7 @@ const fields = {
   ECS_VERSION,
   EVENT_KIND,
   EVENT_ACTION,
+  EVENT_MODULE,
   TAGS,
   TIMESTAMP,
   ALERT_ACTION_GROUP,
@@ -189,6 +191,7 @@ export {
   ECS_VERSION,
   EVENT_ACTION,
   EVENT_KIND,
+  EVENT_MODULE,
   KIBANA_NAMESPACE,
   ALERT_RULE_UUID,
   ALERT_RULE_CATEGORY,

packages/kbn-securitysolution-rules/BUILD.bazel

@@ -0,0 +1,95 @@
+load("@npm//@bazel/typescript:index.bzl", "ts_config", "ts_project")
+load("@build_bazel_rules_nodejs//:index.bzl", "js_library", "pkg_npm")
+load("//src/dev/bazel:index.bzl", "jsts_transpiler")
+
+PKG_BASE_NAME = "kbn-securitysolution-rules"
+
+PKG_REQUIRE_NAME = "@kbn/securitysolution-rules"
+
+SOURCE_FILES = glob(
+  [
+    "src/**/*.ts",
+  ],
+  exclude = [
+    "**/*.test.*",
+    "**/*.mock.*",
+  ],
+)
+
+SRCS = SOURCE_FILES
+
+filegroup(
+  name = "srcs",
+  srcs = SRCS,
+)
+
+NPM_MODULE_EXTRA_FILES = [
+  "package.json",
+  "README.md",
+]
+
+RUNTIME_DEPS = [
+  "@npm//lodash",
+  "@npm//tslib",
+  "@npm//uuid",
+]
+
+TYPES_DEPS = [
+  "@npm//tslib",
+  "@npm//@types/jest",
+  "@npm//@types/lodash",
+  "@npm//@types/node",
+  "@npm//@types/uuid"
+]
+
+jsts_transpiler(
+  name = "target_node",
+  srcs = SRCS,
+  build_pkg_name = package_name(),
+)
+
+ts_config(
+  name = "tsconfig",
+  src = "tsconfig.json",
+  deps = [
+    "//:tsconfig.base.json",
+    "//:tsconfig.bazel.json",
+  ],
+)
+
+ts_project(
+  name = "tsc_types",
+  args = ["--pretty"],
+  srcs = SRCS,
+  deps = TYPES_DEPS,
+  declaration = True,
+  declaration_map = True,
+  emit_declaration_only = True,
+  out_dir = "target_types",
+  root_dir = "src",
+  source_map = True,
+  tsconfig = ":tsconfig",
+)
+
+js_library(
+  name = PKG_BASE_NAME,
+  srcs = NPM_MODULE_EXTRA_FILES,
+  deps = RUNTIME_DEPS + [":target_node", ":tsc_types"],
+  package_name = PKG_REQUIRE_NAME,
+  visibility = ["//visibility:public"],
+)
+
+pkg_npm(
+  name = "npm_module",
+  deps = [
+      ":%s" % PKG_BASE_NAME,
+  ],
+)
+
+filegroup(
+  name = "build",
+  srcs = [
+      ":npm_module",
+  ],
+  visibility = ["//visibility:public"],
+)

packages/kbn-securitysolution-rules/README.md

@@ -0,0 +1,3 @@
+# kbn-securitysolution-rules
+
+This contains alerts-as-data rule-specific constants and mappings that can be used across plugins.

packages/kbn-securitysolution-rules/jest.config.js

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../..',
+  roots: ['<rootDir>/packages/kbn-securitysolution-rules'],
+};

packages/kbn-securitysolution-rules/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@kbn/securitysolution-rules",
+  "version": "1.0.0",
+  "description": "security solution rule utilities to use across plugins",
+  "license": "SSPL-1.0 OR Elastic License 2.0",
+  "main": "./target_node/index.js",
+  "types": "./target_types/index.d.ts",
+  "private": true
+}

packages/kbn-securitysolution-rules/src/index.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export * from './rule_type_constants';
+export * from './rule_type_mappings';
+export * from './utils';

packages/kbn-securitysolution-rules/src/rule_type_constants.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+/**
+ * Id for the legacy siem signals alerting type
+ */
+export const SIGNALS_ID = `siem.signals` as const;
+
+/**
+ * IDs for alerts-as-data rule types
+ */
+const RULE_TYPE_PREFIX = `siem` as const;
+export const EQL_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.eqlRule` as const;
+export const INDICATOR_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.indicatorRule` as const;
+export const ML_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.mlRule` as const;
+export const QUERY_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.queryRule` as const;
+export const SAVED_QUERY_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.savedQueryRule` as const;
+export const THRESHOLD_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.thresholdRule` as const;

packages/kbn-securitysolution-rules/src/rule_type_mappings.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import {
+  EQL_RULE_TYPE_ID,
+  INDICATOR_RULE_TYPE_ID,
+  ML_RULE_TYPE_ID,
+  QUERY_RULE_TYPE_ID,
+  SAVED_QUERY_RULE_TYPE_ID,
+  THRESHOLD_RULE_TYPE_ID,
+} from './rule_type_constants';
+
+/**
+ * Maps legacy rule types to RAC rule type IDs.
+ */
+export const ruleTypeMappings = {
+  eql: EQL_RULE_TYPE_ID,
+  machine_learning: ML_RULE_TYPE_ID,
+  query: QUERY_RULE_TYPE_ID,
+  saved_query: SAVED_QUERY_RULE_TYPE_ID,
+  threat_match: INDICATOR_RULE_TYPE_ID,
+  threshold: THRESHOLD_RULE_TYPE_ID,
+};
+type RuleTypeMappings = typeof ruleTypeMappings;
+
+export type RuleType = keyof RuleTypeMappings;
+export type RuleTypeId = RuleTypeMappings[keyof RuleTypeMappings];

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix.ts → packages/kbn-securitysolution-rules/src/utils.ts

@@ -1,12 +1,23 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { isPlainObject } from 'lodash';
-import { SearchTypes } from '../../../../../../common/detection_engine/types';
+import { RuleType, RuleTypeId, ruleTypeMappings } from './rule_type_mappings';
+
+export const isRuleType = (ruleType: unknown): ruleType is RuleType => {
+  return Object.keys(ruleTypeMappings).includes(ruleType as string);
+};
+
+export const isRuleTypeId = (ruleTypeId: unknown): ruleTypeId is RuleTypeId => {
+  return Object.values(ruleTypeMappings).includes(ruleTypeId as RuleTypeId);
+};
+
+type SearchTypes = string | number | boolean | object | SearchTypes[] | undefined;
 
 export const flattenWithPrefix = (
   prefix: string,

packages/kbn-securitysolution-rules/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "extends": "../../tsconfig.bazel.json",
+  "compilerOptions": {
+    "declaration": true,
+    "declarationMap": true,
+    "emitDeclarationOnly": true,
+    "outDir": "target_types",
+    "rootDir": "src",
+    "sourceMap": true,
+    "sourceRoot": "../../../../packages/kbn-securitysolution-rules/src",
+    "types": [
+      "jest",
+      "node"
+    ]
+  },
+  "include": [
+    "src/**/*"
+  ]
+}

x-pack/plugins/alerting/server/saved_objects/migrations.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { isRuleType, ruleTypeMappings } from '@kbn/securitysolution-rules';
 import { isString } from 'lodash/fp';
 import {
   LogMeta,
@@ -52,7 +53,8 @@ export const isAnyActionSupportIncidents = (doc: SavedObjectUnsanitizedDoc<RawAl
     SUPPORT_INCIDENTS_ACTION_TYPES.includes(action.actionTypeId)
   );
 
-export const isSecuritySolutionRule = (doc: SavedObjectUnsanitizedDoc<RawAlert>): boolean =>
+// Deprecated in 8.0
+export const isSiemSignalsRuleType = (doc: SavedObjectUnsanitizedDoc<RawAlert>): boolean =>
   doc.attributes.alertTypeId === 'siem.signals';
 
 /**
@@ -96,19 +98,19 @@ export function getMigrations(
 
   const migrationSecurityRules713 = createEsoMigration(
     encryptedSavedObjects,
-    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSecuritySolutionRule(doc),
+    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSiemSignalsRuleType(doc),
     pipeMigrations(removeNullsFromSecurityRules)
   );
 
   const migrationSecurityRules714 = createEsoMigration(
     encryptedSavedObjects,
-    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSecuritySolutionRule(doc),
+    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSiemSignalsRuleType(doc),
     pipeMigrations(removeNullAuthorFromSecurityRules)
   );
 
   const migrationSecurityRules715 = createEsoMigration(
     encryptedSavedObjects,
-    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSecuritySolutionRule(doc),
+    (doc): doc is SavedObjectUnsanitizedDoc<RawAlert> => isSiemSignalsRuleType(doc),
     pipeMigrations(addExceptionListsToReferences)
   );
 
@@ -126,7 +128,7 @@ export function getMigrations(
   const migrationRules800 = createEsoMigration(
     encryptedSavedObjects,
     (doc: SavedObjectUnsanitizedDoc<RawAlert>): doc is SavedObjectUnsanitizedDoc<RawAlert> => true,
-    (doc) => doc // no-op
+    pipeMigrations(addRACRuleTypes)
   );
 
   return {
@@ -647,6 +649,25 @@ function setLegacyId(
   };
 }
 
+function addRACRuleTypes(
+  doc: SavedObjectUnsanitizedDoc<RawAlert>
+): SavedObjectUnsanitizedDoc<RawAlert> {
+  const ruleType = doc.attributes.params.type;
+  return isSiemSignalsRuleType(doc) && isRuleType(ruleType)
+    ? {
+        ...doc,
+        attributes: {
+          ...doc.attributes,
+          alertTypeId: ruleTypeMappings[ruleType],
+          params: {
+            ...doc.attributes.params,
+            outputIndex: '',
+          },
+        },
+      }
+    : doc;
+}
+
 function getRemovePreconfiguredConnectorsFromReferencesFn(
   isPreconfigured: (connectorId: string) => boolean
 ) {