[SIEM] [Detection Engine] adds created_at and updated_at timestamps t…

…o rules (#53137)

* adds created_at and updated_at timestamps to rules

* fix missing update to tests

* save created_at and updated_at in rule in signals index

* requires created_at and updated_at in rule

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -175,6 +175,8 @@ export const getResult = (): RuleAlertType => ({
   tags: [`${INTERNAL_RULE_ID_KEY}:rule-1`],
   alertTypeId: 'siem.signals',
   params: {
+    createdAt: '2019-12-13T16:40:33.400Z',
+    updatedAt: '2019-12-13T16:40:33.400Z',
     description: 'Detecting root and admin users',
     ruleId: 'rule-1',
     index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts

@@ -33,6 +33,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
     },
     async handler(request: RulesRequest, headers) {
       const {
+        created_at: createdAt,
         description,
         enabled,
         false_positives: falsePositives,
@@ -55,6 +56,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
         threats,
         to,
         type,
+        updated_at: updatedAt,
         references,
       } = request.payload;
       const alertsClient = isFunction(request.getAlertsClient) ? request.getAlertsClient() : null;
@@ -87,6 +89,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
         const createdRule = await createRules({
           alertsClient,
           actionsClient,
+          createdAt,
           description,
           enabled,
           falsePositives,
@@ -109,6 +112,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
           to,
           type,
           threats,
+          updatedAt,
           references,
         });
         return transformOrError(createdRule);

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.test.ts

@@ -23,6 +23,8 @@ describe('utils', () => {
       const rule = transformAlertToRule(fullRule);
       expect(rule).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         false_positives: [],
@@ -69,6 +71,8 @@ describe('utils', () => {
       const { from, language, ...omitData } = transformAlertToRule(fullRule);
       expect(omitData).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         false_positives: [],
@@ -114,6 +118,8 @@ describe('utils', () => {
       const rule = transformAlertToRule(fullRule);
       expect(rule).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         false_positives: [],
@@ -160,6 +166,8 @@ describe('utils', () => {
       const rule = transformAlertToRule(fullRule);
       expect(rule).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         false_positives: [],
@@ -207,6 +215,8 @@ describe('utils', () => {
       const { from, enabled, ...omitData } = transformAlertToRule(fullRule);
       expect(omitData).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         false_positives: [],
         id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
@@ -250,6 +260,8 @@ describe('utils', () => {
       const ruleWithEnabledFalse = transformAlertToRule(fullRule);
       expect(ruleWithEnabledFalse).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: false,
         from: 'now-6m',
@@ -297,6 +309,8 @@ describe('utils', () => {
       const ruleWithEnabledFalse = transformAlertToRule(fullRule);
       expect(ruleWithEnabledFalse).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         from: 'now-6m',
@@ -343,6 +357,8 @@ describe('utils', () => {
       fullRule.tags = ['tag 1', 'tag 2', `${INTERNAL_IDENTIFIER}_some_other_value`];
       const rule = transformAlertToRule(fullRule);
       expect(rule).toEqual({
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         created_by: 'elastic',
         description: 'Detecting root and admin users',
         enabled: true,
@@ -442,6 +458,8 @@ describe('utils', () => {
         data: [
           {
             created_by: 'elastic',
+            created_at: '2019-12-13T16:40:33.400Z',
+            updated_at: '2019-12-13T16:40:33.400Z',
             description: 'Detecting root and admin users',
             enabled: true,
             false_positives: [],
@@ -496,6 +514,8 @@ describe('utils', () => {
       const output = transformOrError(getResult());
       expect(output).toEqual({
         created_by: 'elastic',
+        created_at: '2019-12-13T16:40:33.400Z',
+        updated_at: '2019-12-13T16:40:33.400Z',
         description: 'Detecting root and admin users',
         enabled: true,
         false_positives: [],

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts

@@ -34,6 +34,8 @@ export const transformTags = (tags: string[]): string[] => {
 // those on the export
 export const transformAlertToRule = (alert: RuleAlertType): Partial<OutputRuleAlertRest> => {
   return pickBy<OutputRuleAlertRest>((value: unknown) => value != null, {
+    created_at: alert.params.createdAt,
+    updated_at: alert.params.updatedAt,
     created_by: alert.createdBy,
     description: alert.params.description,
     enabled: alert.enabled,

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts

@@ -41,6 +41,7 @@ export const createRules = async ({
       tags: addRuleIdToTags(tags, ruleId),
       alertTypeId: SIGNALS_ID,
       params: {
+        createdAt: new Date().toISOString(),
         description,
         ruleId,
         index,
@@ -59,6 +60,7 @@ export const createRules = async ({
         threats,
         to,
         type,
+        updatedAt: new Date().toISOString(),
         references,
       },
       interval,

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts

@@ -103,6 +103,7 @@ export const updateRules = async ({
       threats,
       to,
       type,
+      updatedAt: new Date().toISOString(),
       references,
     }
   );

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts

@@ -32,6 +32,8 @@ export const sampleRuleAlertParams = (
   savedId: undefined,
   meta: undefined,
   threats: undefined,
+  updatedAt: '2019-12-17T15:04:25.343Z',
+  createdAt: '2019-12-17T15:04:37.105Z',
 });
 
 export const sampleDocNoSortId = (someUuid: string = sampleIdGuid): SignalSourceHit => ({

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts

@@ -69,6 +69,8 @@ describe('buildBulkBody', () => {
           enabled: true,
           created_by: 'elastic',
           updated_by: 'elastic',
+          created_at: fakeSignalSourceHit.signal.rule?.created_at,
+          updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
         },
       },
     });
@@ -142,6 +144,8 @@ describe('buildBulkBody', () => {
           enabled: true,
           created_by: 'elastic',
           updated_by: 'elastic',
+          created_at: fakeSignalSourceHit.signal.rule?.created_at,
+          updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
         },
       },
     });
@@ -213,6 +217,8 @@ describe('buildBulkBody', () => {
           enabled: true,
           created_by: 'elastic',
           updated_by: 'elastic',
+          created_at: fakeSignalSourceHit.signal.rule?.created_at,
+          updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
         },
       },
     });
@@ -277,6 +283,8 @@ describe('buildBulkBody', () => {
           enabled: true,
           created_by: 'elastic',
           updated_by: 'elastic',
+          updated_at: fakeSignalSourceHit.signal.rule?.updated_at,
+          created_at: fakeSignalSourceHit.signal.rule?.created_at,
         },
       },
     });

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts

@@ -59,6 +59,8 @@ describe('buildRule', () => {
       to: 'now',
       type: 'query',
       updated_by: 'elastic',
+      updated_at: rule.updated_at,
+      created_at: rule.created_at,
       filters: [
         {
           query: 'host.name: Rebecca',
@@ -110,6 +112,8 @@ describe('buildRule', () => {
       to: 'now',
       type: 'query',
       updated_by: 'elastic',
+      updated_at: rule.updated_at,
+      created_at: rule.created_at,
     };
     expect(rule).toEqual(expected);
   });
@@ -150,6 +154,8 @@ describe('buildRule', () => {
       to: 'now',
       type: 'query',
       updated_by: 'elastic',
+      updated_at: rule.updated_at,
+      created_at: rule.created_at,
     };
     expect(rule).toEqual(expected);
   });

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts

@@ -55,5 +55,7 @@ export const buildRule = ({
     created_by: createdBy,
     updated_by: updatedBy,
     threats: ruleParams.threats,
+    created_at: ruleParams.createdAt,
+    updated_at: ruleParams.updatedAt,
   });
 };

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_signal.test.ts

@@ -51,6 +51,8 @@ describe('buildSignal', () => {
         tags: ['some fake tag 1', 'some fake tag 2'],
         to: 'now',
         type: 'query',
+        updated_at: signal.rule.updated_at,
+        created_at: signal.rule.created_at,
       },
     };
     expect(signal).toEqual(expected);
@@ -104,6 +106,8 @@ describe('buildSignal', () => {
         tags: ['some fake tag 1', 'some fake tag 2'],
         to: 'now',
         type: 'query',
+        updated_at: signal.rule.updated_at,
+        created_at: signal.rule.created_at,
       },
     };
     expect(signal).toEqual(expected);

x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts

@@ -31,6 +31,7 @@ export const signalRulesAlertType = ({
     actionGroups: ['default'],
     validate: {
       params: schema.object({
+        createdAt: schema.string(),
         description: schema.string(),
         falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }),
         from: schema.string(),
@@ -49,6 +50,7 @@ export const signalRulesAlertType = ({
         threats: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
         to: schema.string(),
         type: schema.string(),
+        updatedAt: schema.string(),
         references: schema.arrayOf(schema.string(), { defaultValue: [] }),
       }),
     },

x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts

@@ -21,6 +21,7 @@ export interface ThreatParams {
 }
 
 export interface RuleAlertParams {
+  createdAt: string;
   description: string;
   enabled: boolean;
   falsePositives: string[];
@@ -44,20 +45,30 @@ export interface RuleAlertParams {
   to: string;
   threats: ThreatParams[] | undefined | null;
   type: 'query' | 'saved_query';
+  updatedAt: string;
 }
 
 export type RuleTypeParams = Omit<RuleAlertParams, 'name' | 'enabled' | 'interval' | 'tags'>;
 
 export type RuleAlertParamsRest = Omit<
   RuleAlertParams,
-  'ruleId' | 'falsePositives' | 'maxSignals' | 'savedId' | 'riskScore' | 'outputIndex'
+  | 'ruleId'
+  | 'falsePositives'
+  | 'maxSignals'
+  | 'savedId'
+  | 'riskScore'
+  | 'outputIndex'
+  | 'updatedAt'
+  | 'createdAt'
 > & {
   rule_id: RuleAlertParams['ruleId'];
   false_positives: RuleAlertParams['falsePositives'];
   saved_id: RuleAlertParams['savedId'];
   max_signals: RuleAlertParams['maxSignals'];
   risk_score: RuleAlertParams['riskScore'];
   output_index: RuleAlertParams['outputIndex'];
+  created_at: RuleAlertParams['createdAt'];
+  updated_at: RuleAlertParams['updatedAt'];
 };
 
 export type OutputRuleAlertRest = RuleAlertParamsRest & {