[Security Solution][Detection Engine] Fixes agnostic type bug (#108610)…
… (#108745)

## Summary

Fixes agnostic type bug where in part 1 (#108225), I incorrectly used the same saved object type for both `single` and `agnostic`.

Before the references for SO's were:

```json
"references" : [
  {
    "name" : "param:exceptionsList_0",
    "id" : "endpoint_list",
    "type" : "exception-list" <--- This should have been "exception-list-agnostic" type
  },
  {
    "name" : "param:exceptionsList_1",
    "id" : "50e3bd70-ef1b-11eb-ad71-7de7959be71c",
    "type" : "exception-list"
  }
],
```

After:
```json
"references" : [
  {
    "name" : "param:exceptionsList_0",
    "id" : "endpoint_list",
    "type" : "exception-list-agnostic" <--- This should now be the "exception-list-agnostic" type
  },
  {
    "name" : "param:exceptionsList_1",
    "id" : "50e3bd70-ef1b-11eb-ad71-7de7959be71c",
    "type" : "exception-list"
  }
],
```

Manual testing: Add a new `security_solution` alert and exception list as well as an endpoint list to it. Then save it
<img width="1581" alt="Screen Shot 2021-08-13 at 5 00 39 PM" src="https://user-images.githubusercontent.com/1151048/129425847-78025aba-6d7a-4a5a-9d4f-950ec664596c.png">
<img width="1571" alt="Screen Shot 2021-08-13 at 5 00 47 PM" src="https://user-images.githubusercontent.com/1151048/129425848-42018331-cac6-4411-8153-3441a8af6f34.png">


Do this query in dev tools:
```json
GET .kibana-hassanabad19/_search
{
  "query": {
    "terms": {
      "alert.alertTypeId": [
        "siem.signals"
      ]
    }
  },
  "size": 10000
}
```

Then check that the references look like the "After" example above, where the type is `"type" : "exception-list-agnostic"` if we have an agnostic list. Ensure that after a page reload the exception types are still there on the rule. Ensure that there are no errors in the console about not finding the correct SO type or anything else odd.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Frank Hassanabad <[email protected]>
kibanamachine and FrankHassanabad authored Aug 16, 2021
1 parent 287a68e commit bf61bcc
Showing 8 changed files with 52 additions and 18 deletions.
Expand Up @@ -58,7 +58,7 @@ to any newly saved rule:
{
"name" : "param:exceptionsList_0",
"id" : "endpoint_list",
"type" : "exception-list"
"type" : "exception-list-agnostic"
},
{
"name" : "param:exceptionsList_1",
Expand Up @@ -8,8 +8,11 @@
import { extractExceptionsList } from './extract_exceptions_list';
import { loggingSystemMock } from 'src/core/server/mocks';
import { RuleParams } from '../../schemas/rule_schemas';
import { EXCEPTION_LIST_NAMESPACE } from '@kbn/securitysolution-list-constants';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils';
import {
EXCEPTION_LIST_NAMESPACE,
EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
} from '@kbn/securitysolution-list-constants';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils/constants';

describe('extract_exceptions_list', () => {
type FuncReturn = ReturnType<typeof extractExceptionsList>;
Expand Down Expand Up @@ -48,21 +51,21 @@ describe('extract_exceptions_list', () => {
{
id: '123',
name: `${EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME}_0`,
type: EXCEPTION_LIST_NAMESPACE,
type: EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
},
]);
});

test('It returns two exception lists transformed into a saved object references', () => {
test('It returns 2 exception lists transformed into a saved object references', () => {
const twoInputs: RuleParams['exceptionsList'] = [
mockExceptionsList()[0],
{ ...mockExceptionsList()[0], id: '976' },
{ ...mockExceptionsList()[0], id: '976', namespace_type: 'single' },
];
expect(extractExceptionsList({ logger, exceptionsList: twoInputs })).toEqual<FuncReturn>([
{
id: '123',
name: `${EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME}_0`,
type: EXCEPTION_LIST_NAMESPACE,
type: EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
},
{
id: '976',
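Review bot: The expected `EXCEPTION_LIST_NAMESPACE_AGNOSTIC` for `mockExceptionsList()[0]` depends on the mock's default `namespace_type`, which is not visible in this section; the second input sets `namespace_type: 'single'` explicitly but the first does not. Spelling it out, `{ ...mockExceptionsList()[0], namespace_type: 'agnostic' }`, would keep the assertion meaningful if the mock's default ever changes. The same applies to the new two-list test in the `extract_references` suite. The expected array continues past the end of the visible hunk.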
Expand Up @@ -6,7 +6,7 @@
*/

import { Logger, SavedObjectReference } from 'src/core/server';
import { EXCEPTION_LIST_NAMESPACE } from '@kbn/securitysolution-list-constants';
import { getSavedObjectType } from '@kbn/securitysolution-list-utils';
import { RuleParams } from '../../schemas/rule_schemas';
import { getSavedObjectNamePatternForExceptionsList } from './utils';

Expand Down Expand Up @@ -35,7 +35,7 @@ export const extractExceptionsList = ({
return exceptionsList.map((exceptionItem, index) => ({
name: getSavedObjectNamePatternForExceptionsList(index),
id: exceptionItem.id,
type: EXCEPTION_LIST_NAMESPACE,
type: getSavedObjectType({ namespaceType: exceptionItem.namespace_type }),
}));
}
};
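Review bot: Rules saved while part 1 (#108225) was in place keep an `exception-list` reference for agnostic lists, and the new `type:` line in the `exceptionsList.map` callback only corrects rules saved from now on. If part 1 reached a release, those stored references would need a saved-object migration or a re-save to be corrected; nothing in the visible sections does that. It would also help to record the reason on the line itself, e.g. `// agnostic and single lists are separate saved-object types, so the reference type must follow namespace_type`. The body of extractExceptionsList starts outside the hunk.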
Expand Up @@ -8,8 +8,11 @@
import { loggingSystemMock } from 'src/core/server/mocks';
import { extractReferences } from './extract_references';
import { RuleParams } from '../../schemas/rule_schemas';
import { EXCEPTION_LIST_NAMESPACE } from '@kbn/securitysolution-list-constants';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils';
import {
EXCEPTION_LIST_NAMESPACE,
EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
} from '@kbn/securitysolution-list-constants';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils/constants';

describe('extract_references', () => {
type FuncReturn = ReturnType<typeof extractReferences>;
Expand Down Expand Up @@ -43,6 +46,36 @@ describe('extract_references', () => {
{
id: '123',
name: `${EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME}_0`,
type: EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
},
],
});
});

test('It returns params untouched and the references extracted as 2 exception list saved object references', () => {
const params: Partial<RuleParams> = {
note: 'some note',
exceptionsList: [
mockExceptionsList()[0],
{ ...mockExceptionsList()[0], id: '456', namespace_type: 'single' },
],
};
expect(
extractReferences({
logger,
params: params as RuleParams,
})
).toEqual<FuncReturn>({
params: params as RuleParams,
references: [
{
id: '123',
name: `${EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME}_0`,
type: EXCEPTION_LIST_NAMESPACE_AGNOSTIC,
},
{
id: '456',
name: `${EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME}_1`,
type: EXCEPTION_LIST_NAMESPACE,
},
],
Expand Up @@ -7,10 +7,10 @@

import { loggingSystemMock } from 'src/core/server/mocks';
import { SavedObjectReference } from 'src/core/server';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils';
import { EXCEPTION_LIST_NAMESPACE } from '@kbn/securitysolution-list-constants';
import { injectExceptionsReferences } from './inject_exceptions_list';
import { RuleParams } from '../../schemas/rule_schemas';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils/constants';

describe('inject_exceptions_list', () => {
type FuncReturn = ReturnType<typeof injectExceptionsReferences>;
Expand Up @@ -7,10 +7,10 @@

import { loggingSystemMock } from 'src/core/server/mocks';
import { SavedObjectReference } from 'src/core/server';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils';
import { EXCEPTION_LIST_NAMESPACE } from '@kbn/securitysolution-list-constants';
import { injectReferences } from './inject_references';
import { RuleParams } from '../../schemas/rule_schemas';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './utils/constants';

describe('inject_references', () => {
type FuncReturn = ReturnType<typeof injectReferences>;
Expand Up @@ -6,7 +6,7 @@
*/

/**
* Given a name and index this will return the pattern of "${name_${index}"
* Given a name and index this will return the pattern of "${name}_${index}"
* @param name The name to suffix the string
* @param index The index to suffix the string
* @returns The pattern "${name_${index}"
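Review bot: The `@returns` line of this doc comment still reads `"${name_${index}"` with the closing brace missing, so the typo fixed on the summary line remains two lines below it. The same correction applies there: `* @returns The pattern "${name}_${index}"`. The doc comment and the function it documents continue outside the hunk.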
Expand Up @@ -5,10 +5,8 @@
* 2.0.
*/

import {
EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME,
getSavedObjectNamePatternForExceptionsList,
} from '.';
import { EXCEPTIONS_SAVED_OBJECT_REFERENCE_NAME } from './constants';
import { getSavedObjectNamePatternForExceptionsList } from './get_saved_object_name_pattern_for_exception_list';

describe('get_saved_object_name_pattern_for_exception_list', () => {
test('returns expected pattern given a zero', () => {