[Security Solution] Allow users to edit required_fields field for custom rules (#180682)

**Resolves:** #173594
**Flaky test runner:** https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5915

## Summary

This PR adds the ability to add and edit a custom rule's required fields. "Required fields" is an optional field that shows the user which Elasticsearch fields are needed for the rule to run properly. The values in "required fields" don't affect rule execution in any way. It's purely documentational, similar to "setup guide" and "investigation guide".

This functionality is added to both rule creation and rule editing screens. It's available for all rule types except ML.

<img width="650" alt="Schermafbeelding 2024-05-07 om 12 28 50" src="https://github.com/elastic/kibana/assets/15949146/70ed052e-3e59-413e-80de-73146225f75a">

## Details

The basic flow goes like this: first you specify your index patterns (or a data view), then you can set required fields for these index patterns. Once a user adds a required field and chooses its name, he can then choose its type from the dropdown. The first available type for the field name is selected automatically. Users can also add their own custom names and types.

### Warnings

If a field is not present in the selected index pattern, you will see a warning message. This can happen in the following cases:

- You have specified an index pattern, selected a required field from this index pattern, and then removed this index pattern.
- The index doesn't yet exist. For example, you have installed a prebuilt rule but the data for it hasn't been ingested yet, so there's no index yet.
- The index was removed.
- The mappings for the index were changed and the field is no longer present.

In any of these cases, you'll see a general warning message above the form section, and also a more specific warning message next to the field that is causing the issue.

### ESQL and ML rules

Here's how available dropdown options are determined for different rule types:

For all rule types except ESQL and ML, we take the index patterns specified by the user and fetch their mappings. Then we use these fields and types to populate the dropdowns.

For ESQL rules we parse index patterns out of the query since there's no explicit index pattern form field. We then fetch the mappings for these index patterns and use them to populate the dropdowns.

For ML rules, we don't show "required fields" at all. ML rules are a special case.

1. The concept of "required fields" is sort of handled during creation of the ML job itself, where the user specifies the fields that are required for the job to run.
2. In the ML rule creation/editing interface, we don't display the index patterns a rule operates on. So, even if we allowed specifying required fields, the user would need to check the ML job details to see the index patterns the job uses.
3. The ML job dropdown includes both existing and not-yet-created jobs. We can't get index patterns for jobs that don't exist yet, so we can't fill the dropdowns with fields and types.

## Screenshots

<img width="628" alt="screen1_" src="https://github.com/elastic/kibana/assets/15949146/aade141f-8285-44c6-8c56-611ba1a9f17b"> <img width="601" alt="screen2_" src="https://github.com/elastic/kibana/assets/15949146/b44fb254-c254-44b8-9600-45b47f29a421">
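As an added illustration that is not part of this commit or of Kibana's code, the ES|QL flow the message describes (parse index patterns out of the query, look up their mappings, build the type dropdown for a field name with the first type as the default, and warn on required fields absent from the mappings); the mapping data and helper names are constructed for this example:

```typescript
// Added example, not Kibana code: models the "required fields" flow for ES|QL rules.
// SAMPLE_MAPPINGS stands in for a real mapping fetch; all names here are hypothetical.

interface RequiredField { name: string; type: string }
type Mappings = Record<string, string>; // field name -> Elasticsearch field type

// Index patterns come from the FROM clause. Assumption: a plain comma-separated
// list, with any trailing METADATA clause dropped before splitting.
function parseEsqlIndexPatterns(query: string): string[] {
  const m = /^\s*from\s+([^|]+)/i.exec(query);
  if (!m) return [];
  return m[1]
    .replace(/\bmetadata\b[\s\S]*$/i, '')
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Constructed stand-in for fetching field mappings per index pattern.
const SAMPLE_MAPPINGS: Record<string, Mappings> = {
  'logs-*': { 'host.name': 'keyword', 'event.action': 'keyword', 'process.pid': 'long' },
  'metrics-*': { 'host.name': 'keyword', 'process.pid': 'integer' },
};
function fetchMappings(patterns: string[]): Mappings[] {
  return patterns.map((p) => SAMPLE_MAPPINGS[p] ?? {});
}

// Dropdown options for one field name across all selected patterns. Distinct
// types are kept in the order seen; the first entry is what the form preselects.
function typesForField(all: Mappings[], name: string): string[] {
  const types: string[] = [];
  for (const m of all) {
    const t = m[name];
    if (t !== undefined && !types.includes(t)) types.push(t);
  }
  return types;
}

// Required fields present in none of the selected patterns' mappings. Each gets a
// per-field warning, and a non-empty result triggers the general warning above
// the form section. Blank rows are ignored, as they are removed before submission.
function missingRequiredFields(fields: RequiredField[], all: Mappings[]): string[] {
  return fields
    .filter((f) => f.name.trim().length > 0 && typesForField(all, f.name).length === 0)
    .map((f) => f.name);
}
```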
1 parent 85639f6, commit 6eeffd3
Showing 55 changed files with 2,305 additions and 210 deletions.
...curity_solution/public/detection_engine/rule_creation/components/required_fields/index.ts
8 changes: 8 additions & 0 deletions
@@ -0,0 +1,8 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
export { RequiredFields } from './required_fields'; |
...detection_engine/rule_creation/components/required_fields/make_validate_required_field.ts
53 changes: 53 additions & 0 deletions
@@ -0,0 +1,53 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { RequiredFieldInput } from '../../../../../common/api/detection_engine/model/rule_schema/common_attributes.gen'; | ||
import type { ERROR_CODE, FormData, ValidationFunc } from '../../../../shared_imports'; | ||
import * as i18n from './translations'; | ||
|
||
export function makeValidateRequiredField(parentFieldPath: string) { | ||
return function validateRequiredField( | ||
...args: Parameters<ValidationFunc<FormData, string, RequiredFieldInput>> | ||
): ReturnType<ValidationFunc<{}, ERROR_CODE>> | undefined { | ||
const [{ value, path, form }] = args; | ||
|
||
const formData = form.getFormData(); | ||
const parentFieldData: RequiredFieldInput[] = formData[parentFieldPath]; | ||
|
||
const isFieldNameUsedMoreThanOnce = | ||
parentFieldData.filter((field) => field.name === value.name).length > 1; | ||
|
||
if (isFieldNameUsedMoreThanOnce) { | ||
return { | ||
code: 'ERR_FIELD_FORMAT', | ||
path: `${path}.name`, | ||
message: i18n.FIELD_NAME_USED_MORE_THAN_ONCE(value.name), | ||
}; | ||
} | ||
|
||
/* Allow empty rows. They are going to be removed before submission. */ | ||
if (value.name.trim().length === 0 && value.type.trim().length === 0) { | ||
return; | ||
} | ||
|
||
if (value.name.trim().length === 0) { | ||
return { | ||
code: 'ERR_FIELD_MISSING', | ||
path: `${path}.name`, | ||
message: i18n.FIELD_NAME_REQUIRED, | ||
}; | ||
} | ||
|
||
if (value.type.trim().length === 0) { | ||
return { | ||
code: 'ERR_FIELD_MISSING', | ||
path: `${path}.type`, | ||
message: i18n.FIELD_TYPE_REQUIRED, | ||
}; | ||
} | ||
}; | ||
} |
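Review bot: the duplicate-name check at the top of validateRequiredField runs before the "Allow empty rows" early return, so two blank rows (both with `name` equal to `''`) fail with FIELD_NAME_USED_MORE_THAN_ONCE instead of being tolerated as the comment intends; move the `value.name.trim().length === 0 && value.type.trim().length === 0` return ahead of the `isFieldNameUsedMoreThanOnce` computation, or compare only trimmed, non-empty names (the emptiness checks trim, the equality check `field.name === value.name` does not, so names differing only by whitespace are also missed). Separately, `formData[parentFieldPath]` is assumed to be an array; a `?? []` fallback would avoid a TypeError on `.filter` if the parent path is absent from the form data.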