[CTI][RAC] adds indicator match rule (#107977) (#108381)
Co-authored-by: Ece Özalp <[email protected]>
kibanamachine and ecezalp authored Aug 12, 2021
1 parent f268321 commit b577963
Showing 10 changed files with 634 additions and 34 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,9 @@
* 2.0.
*/

export const createRuleMock = () => ({
import { RuleParams } from '../../schemas/rule_schemas';

export const createRuleMock = (params: Partial<RuleParams>) => ({
actions: [],
author: [],
buildingBlockType: undefined,
Expand Down Expand Up @@ -49,4 +51,5 @@ export const createRuleMock = () => ({
updatedAt: '2020-01-10T21:11:45.839Z',
updatedBy: 'elastic',
version: 1,
...params,
});
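Review bot: `params` on the new `createRuleMock` signature has no default, so any call site that still invokes `createRuleMock()` with no argument stops compiling, while the companion `createRuleTypeMocks` in this commit defaults its `ruleParams` to `{}`; `export const createRuleMock = (params: Partial<RuleParams> = {}) => ({` keeps the zero-argument form working and matches the sibling mock. The `RuleParams` import is used only in a type position, so `import type { RuleParams } from '../../schemas/rule_schemas';` avoids a runtime import. Because `...params` is spread last, every default above it can be overridden, including fields the rule type under test may not expect; a one-line comment above the spread such as `// caller-supplied params override every default above` makes that precedence explicit. The object literal continues outside the hunk between the two fragments shown.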
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,12 @@ import { AlertAttributes } from '../../signals/types';
import { createRuleMock } from './rule';
import { listMock } from '../../../../../../lists/server/mocks';
import { ruleRegistryMocks } from '../../../../../../rule_registry/server/mocks';
import { RuleParams } from '../../schemas/rule_schemas';

export const createRuleTypeMocks = () => {
export const createRuleTypeMocks = (
ruleType: string = 'query',
ruleParams: Partial<RuleParams> = {}
) => {
/* eslint-disable @typescript-eslint/no-explicit-any */
let alertExecutor: (...args: any[]) => Promise<any>;

Expand All @@ -43,7 +47,7 @@ export const createRuleTypeMocks = () => {
const mockSavedObjectsClient = savedObjectsClientMock.create();
mockSavedObjectsClient.get.mockResolvedValue({
id: 'de2f6a49-28a3-4794-bad7-0e9482e075f8',
type: 'query',
type: ruleType,
references: [],
attributes: {
actions: [],
Expand All @@ -57,7 +61,7 @@ export const createRuleTypeMocks = () => {
interval: '30m',
},
throttle: '',
params: createRuleMock(),
params: createRuleMock(ruleParams),
},
} as SavedObject<AlertAttributes>);

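Review bot: `ruleType` is typed as a bare `string`, so a misspelled rule type passed here (the value lands in the saved object's `type` field) is accepted silently and the test only fails later, if at all; if `RuleParams` carries a `type` discriminant as the schema union suggests, narrowing the parameter to it, e.g. `ruleType: RuleParams['type'] = 'query',`, would catch that at compile time. Nothing ties `ruleType` to the `type` inside `ruleParams`, so a caller can construct a saved object whose `type` and `params.type` disagree; a short comment on the parameters noting that the caller must keep them consistent would help. As in the rule mock, `import type { RuleParams }` is sufficient for a type-only import. `createRuleTypeMocks` continues past the hunk.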
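--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,154 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+export const ctiFieldMap = {
+'threat.indicator': {
+type: 'nested',
+array: false,
+required: false,
+},
+'threat.indicator.as.number': {
+type: 'long',
+array: false,
+required: false,
+},
+'threat.indicator.as.organization.name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.confidence': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.dataset': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.description': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.domain': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.email.address': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.first_seen': {
+type: 'date',
+array: false,
+required: false,
+},
+'threat.indicator.geo.city_name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.continent_name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.country_iso_code': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.country_name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.location': {
+type: 'geo_point',
+array: false,
+required: false,
+},
+'threat.indicator.geo.name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.region_iso_code': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.geo.region_name': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.ip': {
+type: 'ip',
+array: false,
+required: false,
+},
+'threat.indicator.last_seen': {
+type: 'date',
+array: false,
+required: false,
+},
+'threat.indicator.marking.tlp': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.matched.atomic': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.matched.field': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.matched.type': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.module': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.port': {
+type: 'long',
+array: false,
+required: false,
+},
+'threat.indicator.provider': {
+type: 'keyword',
+array: false,
+required: false,
+},
+'threat.indicator.scanner_stats': {
+type: 'long',
+array: false,
+required: false,
+},
+'threat.indicator.sightings': {
+type: 'long',
+array: false,
+required: false,
+},
+'threat.indicator.type': {
+type: 'keyword',
+array: false,
+required: false,
+},
+};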
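Review bot: `ctiFieldMap` is exported as a plain mutable object literal with no type annotation and no doc comment, so nothing checks that every entry has the `type`/`array`/`required` shape its consumer expects, and a misspelled mapping type would only surface when the index mapping is installed rather than at compile time. Annotating the export against the rule registry's field-map type, if it exports one (not visible here), or at minimum ending the literal with `} as const;` so keys and values stay literal and readonly, would make the shape checkable and stop callers from mutating a shared module-level map. A header comment such as `/** Field map for the threat-indicator (CTI) fields that indicator-match alerts carry; consumed when building the alert index mapping. */` would document why the map exists, with the exact consumer to be confirmed against the registering code. The `'threat.indicator'` entry is declared `nested` with `array: false`; if the consumer uses `array` to decide whether nested documents are modelled as lists, that combination deserves a comment or a second look.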
Original file line number Diff line number Diff line change
Expand Up @@ -6,3 +6,4 @@
*/

export { createQueryAlertType } from './query/create_query_alert_type';
export { createIndicatorMatchAlertType } from './indicator_match/create_indicator_match_alert_type';