Skip to content

Commit

Permalink
[RAC][Security Solution] Add base Security Rule Type (#105096) (#107755)
Browse files Browse the repository at this point in the history
* injects bulkCreate and wrapHits to individual rule executors

* WIP create_security_rule_type_factory based on Marshall's work in #d3076ca54526ea0e61a9a99e1c1bce854806977e

* removes ruleStatusService from old rule executors, fixes executor unit tests

* fixes rebase

* Rename reference_rules to rule_types

* Fix type errors

* Fix type errors in base security rule factory

* Additional improvements to types and interfaces

* More type alignment

* Fix remaining type errors in query rule

* Add validation / inject lists plugin

* Formatting

* Improvements to typing

* Static typing on executors

* cleanup

* Hook up params for query/threshold rules... includes exceptionsList and daterange tuple

* Scaffolding for wrapHits and bulkCreate

* Add error handling / status reporting

* Fixup alert type state

* Begin threshold

* Begin work on threshold state

* Organize rule types

* Export base security rule types

* Fixup lifecycle static typing

* WrapHits / bulk changes

* Field mappings (partial)

* whoops

* Remove redundant params

* More flexibile implementation of bulkCreateFactory

* Add mappings

* Finish query rule

* Revert "Remove redundant params"

This reverts commit 87aff9c.

* Revert "whoops"

This reverts commit a7771bd.

* Fixup return types

* Use alertWithPersistence

* Fix import

* End-to-end rule mostly working

* Fix bulkCreate

* Bug fixes

* Bug fixes and mapping changes

* Fix indexing

* cleanup

* Fix type errors

* Test fixes

* Fix query tests

* cleanup / rename kibana.rac to kibana

* Remove eql/threshold (for now)

* Move technical fields to package

* Add indexAlias and buildRuleMessageFactory

* imports

* type errors

* Change 'kibana.rac.*' to 'kibana.*'

* Fix lifecycle tests

* Single alert instance

* fix import

* Fix type error

* Fix more type errors

* Fix query rule type test

* revert to previous ts-expect-error

* type errors again

* types / linting

* General readability improvements

* Add invariant function from Dmitrii's branch

* Use invariant and constants

* Improvements to field mappings

* More test failure fixes

* Add refresh param for bulk create

* Update more field refs

* Actually use refresh param

* cleanup

* test fixes

* changes to rule creation script

* Fix created signals count

* Use ruleId

* Updates to bulk indexing

* Mapping updates

* Cannot use 'strict' for dynamic setting

Co-authored-by: Marshall Main <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>
Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Marshall Main <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>
Co-authored-by: Kibana Machine <[email protected]>
  • Loading branch information
4 people authored Aug 5, 2021
1 parent 59cc975 commit 475e9e8
Show file tree
Hide file tree
Showing 94 changed files with 2,546 additions and 1,345 deletions.
6 changes: 3 additions & 3 deletions api_docs/observability.json

Large diffs are not rendered by default.

12 changes: 6 additions & 6 deletions api_docs/rule_registry.json

Large diffs are not rendered by default.

199 changes: 156 additions & 43 deletions packages/kbn-rule-data-utils/src/technical_field_names.ts
Original file line number Diff line number Diff line change
Expand Up @@ -8,79 +8,192 @@

import { ValuesType } from 'utility-types';

const ALERT_NAMESPACE = 'kibana.rac.alert' as const;
const KIBANA_NAMESPACE = 'kibana' as const;

const TIMESTAMP = '@timestamp' as const;
const EVENT_KIND = 'event.kind' as const;
const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const;
const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const;

const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const;
const ECS_VERSION = 'ecs.version' as const;
const EVENT_ACTION = 'event.action' as const;
const RULE_UUID = 'rule.uuid' as const;
const EVENT_KIND = 'event.kind' as const;
const RULE_CATEGORY = 'rule.category' as const;
const RULE_CONSUMERS = 'rule.consumers' as const;
const RULE_ID = 'rule.id' as const;
const RULE_NAME = 'rule.name' as const;
const RULE_CATEGORY = 'rule.category' as const;
const RULE_UUID = 'rule.uuid' as const;
const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const;
const TAGS = 'tags' as const;
const PRODUCER = `${ALERT_NAMESPACE}.producer` as const;
const OWNER = `${ALERT_NAMESPACE}.owner` as const;
const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
const TIMESTAMP = '@timestamp' as const;
const VERSION = `${KIBANA_NAMESPACE}.version` as const;

const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const;
const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
const ALERT_SEVERITY_LEVEL = `${ALERT_NAMESPACE}.severity.level` as const;
const ALERT_SEVERITY_VALUE = `${ALERT_NAMESPACE}.severity.value` as const;
const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
const SPACE_IDS = 'kibana.space_ids' as const;
const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
const ALERT_OWNER = `${ALERT_NAMESPACE}.owner` as const;
const ALERT_PRODUCER = `${ALERT_NAMESPACE}.producer` as const;
const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
const ALERT_SEVERITY_LEVEL = `${ALERT_NAMESPACE}.severity.level` as const;
const ALERT_SEVERITY_VALUE = `${ALERT_NAMESPACE}.severity.value` as const;
const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;

const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
const ALERT_RULE_CONSUMERS = `${ALERT_RULE_NAMESPACE}.consumers` as const;
const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
const ALERT_RULE_ID = `${ALERT_RULE_NAMESPACE}.id` as const;
const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;

const fields = {
TIMESTAMP,
CONSUMERS,
ECS_VERSION,
EVENT_KIND,
EVENT_ACTION,
RULE_UUID,
RULE_CATEGORY,
RULE_CONSUMERS,
RULE_ID,
RULE_NAME,
RULE_CATEGORY,
RULE_UUID,
TAGS,
PRODUCER,
OWNER,
TIMESTAMP,
ALERT_ACTION_GROUP,
ALERT_DURATION,
ALERT_END,
ALERT_EVALUATION_THRESHOLD,
ALERT_EVALUATION_VALUE,
ALERT_ID,
ALERT_UUID,
ALERT_OWNER,
ALERT_PRODUCER,
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_RULE_AUTHOR,
ALERT_RULE_CONSUMERS,
ALERT_RULE_CREATED_AT,
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
ALERT_RULE_ENABLED,
ALERT_RULE_FROM,
ALERT_RULE_ID,
ALERT_RULE_INTERVAL,
ALERT_RULE_LICENSE,
ALERT_RULE_NAME,
ALERT_RULE_NOTE,
ALERT_RULE_REFERENCES,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
ALERT_RULE_SEVERITY,
ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
ALERT_RULE_UPDATED_AT,
ALERT_RULE_UPDATED_BY,
ALERT_RULE_VERSION,
ALERT_START,
ALERT_END,
ALERT_DURATION,
ALERT_SEVERITY,
ALERT_SEVERITY_LEVEL,
ALERT_SEVERITY_VALUE,
ALERT_STATUS,
ALERT_EVALUATION_THRESHOLD,
ALERT_EVALUATION_VALUE,
ALERT_REASON,
ALERT_SYSTEM_STATUS,
ALERT_UUID,
ALERT_WORKFLOW_REASON,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_USER,
SPACE_IDS,
VERSION,
};

export {
TIMESTAMP,
EVENT_KIND,
EVENT_ACTION,
RULE_UUID,
RULE_ID,
RULE_NAME,
RULE_CATEGORY,
TAGS,
PRODUCER,
OWNER,
ALERT_ID,
ALERT_UUID,
ALERT_START,
ALERT_END,
ALERT_ACTION_GROUP,
ALERT_DURATION,
ALERT_SEVERITY_LEVEL,
ALERT_SEVERITY_VALUE,
ALERT_STATUS,
ALERT_END,
ALERT_EVALUATION_THRESHOLD,
ALERT_EVALUATION_VALUE,
ALERT_ID,
ALERT_OWNER,
ALERT_PRODUCER,
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_STATUS,
ALERT_WORKFLOW_REASON,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_USER,
ALERT_RULE_AUTHOR,
ALERT_RULE_CONSUMERS,
ALERT_RULE_CREATED_AT,
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
ALERT_RULE_ENABLED,
ALERT_RULE_FROM,
ALERT_RULE_ID,
ALERT_RULE_INTERVAL,
ALERT_RULE_LICENSE,
ALERT_RULE_NAME,
ALERT_RULE_NOTE,
ALERT_RULE_REFERENCES,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
ALERT_RULE_UPDATED_AT,
ALERT_RULE_UPDATED_BY,
ALERT_RULE_VERSION,
ALERT_RULE_SEVERITY,
ALERT_SEVERITY,
ALERT_SEVERITY_LEVEL,
ALERT_SEVERITY_VALUE,
ALERT_START,
ALERT_SYSTEM_STATUS,
ALERT_UUID,
CONSUMERS,
ECS_VERSION,
EVENT_ACTION,
EVENT_KIND,
RULE_CATEGORY,
RULE_CONSUMERS,
RULE_ID,
RULE_NAME,
RULE_UUID,
TAGS,
TIMESTAMP,
SPACE_IDS,
VERSION,
};

export type TechnicalRuleDataFieldName = ValuesType<typeof fields>;
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,17 @@
* 2.0.
*/

import { ALERT_SEVERITY_LEVEL } from '@kbn/rule-data-utils/target/technical_field_names';
import {
ALERT_DURATION,
ALERT_EVALUATION_THRESHOLD,
ALERT_EVALUATION_VALUE,
ALERT_ID,
ALERT_PRODUCER,
ALERT_SEVERITY_LEVEL,
ALERT_START,
ALERT_STATUS,
ALERT_UUID,
} from '@kbn/rule-data-utils';
import { ValuesType } from 'utility-types';
import { EuiTheme } from '../../../../../../../../src/plugins/kibana_react/common';
import { ObservabilityRuleTypeRegistry } from '../../../../../../observability/public';
Expand All @@ -23,28 +33,26 @@ const theme = ({
} as unknown) as EuiTheme;
const alert: Alert = {
'rule.id': ['apm.transaction_duration'],
'kibana.rac.alert.evaluation.value': [2057657.39],
[ALERT_EVALUATION_VALUE]: [2057657.39],
'service.name': ['frontend-rum'],
'rule.name': ['Latency threshold | frontend-rum'],
'kibana.rac.alert.duration.us': [62879000],
'kibana.rac.alert.status': ['open'],
[ALERT_DURATION]: [62879000],
[ALERT_STATUS]: ['open'],
tags: ['apm', 'service.name:frontend-rum'],
'transaction.type': ['page-load'],
'kibana.rac.alert.producer': ['apm'],
'kibana.rac.alert.uuid': ['af2ae371-df79-4fca-b0eb-a2dbd9478180'],
[ALERT_PRODUCER]: ['apm'],
[ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478180'],
'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
'event.action': ['active'],
'@timestamp': ['2021-06-01T16:16:05.183Z'],
'kibana.rac.alert.id': ['apm.transaction_duration_All'],
[ALERT_ID]: ['apm.transaction_duration_All'],
'processor.event': ['transaction'],
'kibana.rac.alert.evaluation.threshold': [500000],
'kibana.rac.alert.start': ['2021-06-01T16:15:02.304Z'],
[ALERT_EVALUATION_THRESHOLD]: [500000],
[ALERT_START]: ['2021-06-01T16:15:02.304Z'],
'event.kind': ['state'],
'rule.category': ['Latency threshold'],
};
const chartStartTime = new Date(
alert['kibana.rac.alert.start']![0] as string
).getTime();
const chartStartTime = new Date(alert[ALERT_START]![0] as string).getTime();
const getFormatter: ObservabilityRuleTypeRegistry['getFormatter'] = () => () => ({
link: '/',
reason: 'a good reason',
Expand Down
Loading

0 comments on commit 475e9e8

Please sign in to comment.