Skip to content

Commit

Permalink
[Security Solution][Detections] Add rule overrides for single event E…
Browse files Browse the repository at this point in the history
…QL rules (#78876)

* Add buildRuleWithOverrides function for single event EQL queries

* Disable rule overrides for all sequence signals

Co-authored-by: Elastic Machine <[email protected]>
  • Loading branch information
marshallmain and elasticmachine authored Sep 30, 2020
1 parent 15e7623 commit e41f436
Show file tree
Hide file tree
Showing 13 changed files with 232 additions and 105 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
"from": "now-300m",
"severity": "high",
"type": "eql",
"language": "eql",
"threat": [
{
"framework": "MITRE ATT&CK",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import { RuleTypeParams } from '../../types';
import { IRuleStatusAttributes } from '../../rules/types';
import { ruleStatusSavedObjectType } from '../../rules/saved_object_mappings';
import { getListArrayMock } from '../../../../../common/detection_engine/schemas/types/lists.mock';
import { RulesSchema } from '../../../../../common/detection_engine/schemas/response';

export const sampleRuleAlertParams = (
maxSignals?: number | undefined,
Expand Down Expand Up @@ -92,6 +93,46 @@ export const sampleRuleSO = (): SavedObject<RuleAlertAttributes> => {
};
};

export const expectedRule = (): RulesSchema => {
return {
actions: [],
author: ['Elastic'],
building_block_type: 'default',
id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
rule_id: 'rule-1',
false_positives: [],
max_signals: 10000,
risk_score: 50,
risk_score_mapping: [],
output_index: '.siem-signals',
description: 'Detecting root and admin users',
from: 'now-6m',
immutable: false,
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
interval: '5m',
language: 'kuery',
license: 'Elastic License',
name: 'rule-name',
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
severity_mapping: [],
tags: ['some fake tag 1', 'some fake tag 2'],
threat: [],
type: 'query',
to: 'now',
note: '',
enabled: true,
created_by: 'sample user',
updated_by: 'sample user',
version: 1,
updated_at: '2020-03-27T22:55:59.577Z',
created_at: '2020-03-27T22:55:59.577Z',
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
};
};

export const sampleDocNoSortIdNoVersion = (someUuid: string = sampleIdGuid): SignalSourceHit => ({
_index: 'myFakeSignalIndex',
_type: 'doc',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,7 @@ describe('buildSignalFromEvent', () => {
const ancestor = sampleDocWithAncestors().hits.hits[0];
delete ancestor._source.source;
const ruleSO = sampleRuleSO();
const signal = buildSignalFromEvent(ancestor, ruleSO);
const signal = buildSignalFromEvent(ancestor, ruleSO, true);
// Timestamp will potentially always be different so remove it for the test
// @ts-expect-error
delete signal['@timestamp'];
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import {
BaseSignalHit,
SignalSource,
} from './types';
import { buildRule, buildRuleWithoutOverrides } from './build_rule';
import { buildRule, buildRuleWithoutOverrides, buildRuleWithOverrides } from './build_rule';
import { additionalSignalFields, buildSignal } from './build_signal';
import { buildEventTypeSignal } from './build_event_type_signal';
import { RuleAlertAction } from '../../../../common/detection_engine/types';
Expand Down Expand Up @@ -97,7 +97,7 @@ export const buildSignalGroupFromSequence = (
): BaseSignalHit[] => {
const wrappedBuildingBlocks = wrapBuildingBlocks(
sequence.events.map((event) => {
const signal = buildSignalFromEvent(event, ruleSO);
const signal = buildSignalFromEvent(event, ruleSO, false);
signal.signal.rule.building_block_type = 'default';
return signal;
}),
Expand Down Expand Up @@ -147,9 +147,12 @@ export const buildSignalFromSequence = (

export const buildSignalFromEvent = (
event: BaseSignalHit,
ruleSO: SavedObject<RuleAlertAttributes>
ruleSO: SavedObject<RuleAlertAttributes>,
applyOverrides: boolean
): SignalHit => {
const rule = buildRuleWithoutOverrides(ruleSO);
const rule = applyOverrides
? buildRuleWithOverrides(ruleSO, event._source)
: buildRuleWithoutOverrides(ruleSO);
const signal = {
...buildSignal([event], rule),
...additionalSignalFields(event),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,19 @@
* you may not use this file except in compliance with the Elastic License.
*/

import { buildRule, removeInternalTagsFromRule, buildRuleWithoutOverrides } from './build_rule';
import {
buildRule,
removeInternalTagsFromRule,
buildRuleWithOverrides,
buildRuleWithoutOverrides,
} from './build_rule';
import {
sampleDocNoSortId,
sampleRuleAlertParams,
sampleRuleGuid,
sampleRuleSO,
expectedRule,
sampleDocSeverity,
} from './__mocks__/es_results';
import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';
Expand Down Expand Up @@ -312,43 +319,7 @@ describe('buildRuleWithoutOverrides', () => {
test('builds a rule using rule SO', () => {
const ruleSO = sampleRuleSO();
const rule = buildRuleWithoutOverrides(ruleSO);
expect(rule).toEqual({
actions: [],
author: ['Elastic'],
building_block_type: 'default',
id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
rule_id: 'rule-1',
false_positives: [],
max_signals: 10000,
risk_score: 50,
risk_score_mapping: [],
output_index: '.siem-signals',
description: 'Detecting root and admin users',
from: 'now-6m',
immutable: false,
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
interval: '5m',
language: 'kuery',
license: 'Elastic License',
name: 'rule-name',
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
severity_mapping: [],
tags: ['some fake tag 1', 'some fake tag 2'],
threat: [],
type: 'query',
to: 'now',
note: '',
enabled: true,
created_by: 'sample user',
updated_by: 'sample user',
version: 1,
updated_at: ruleSO.updated_at ?? '',
created_at: ruleSO.attributes.createdAt,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
});
expect(rule).toEqual(expectedRule());
});

test('builds a rule using rule SO and removes internal tags', () => {
Expand All @@ -360,42 +331,110 @@ describe('buildRuleWithoutOverrides', () => {
`${INTERNAL_IMMUTABLE_KEY}:true`,
];
const rule = buildRuleWithoutOverrides(ruleSO);
expect(rule).toEqual({
actions: [],
author: ['Elastic'],
building_block_type: 'default',
id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
rule_id: 'rule-1',
false_positives: [],
max_signals: 10000,
risk_score: 50,
risk_score_mapping: [],
output_index: '.siem-signals',
description: 'Detecting root and admin users',
from: 'now-6m',
immutable: false,
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
interval: '5m',
language: 'kuery',
license: 'Elastic License',
name: 'rule-name',
query: 'user.name: root or user.name: admin',
references: ['http://google.com'],
severity: 'high',
severity_mapping: [],
tags: ['some fake tag 1', 'some fake tag 2'],
threat: [],
type: 'query',
to: 'now',
note: '',
enabled: true,
created_by: 'sample user',
updated_by: 'sample user',
version: 1,
updated_at: ruleSO.updated_at ?? '',
created_at: ruleSO.attributes.createdAt,
throttle: 'no_actions',
exceptions_list: getListArrayMock(),
});
expect(rule).toEqual(expectedRule());
});
});

describe('buildRuleWithOverrides', () => {
beforeEach(() => {
jest.clearAllMocks();
});

test('it builds a rule as expected with filters present', () => {
const ruleSO = sampleRuleSO();
ruleSO.attributes.params.filters = [
{
query: 'host.name: Rebecca',
},
{
query: 'host.name: Evan',
},
{
query: 'host.name: Braden',
},
];
const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
const expected: RulesSchema = {
...expectedRule(),
filters: ruleSO.attributes.params.filters,
};
expect(rule).toEqual(expected);
});

test('it builds a rule and removes internal tags', () => {
const ruleSO = sampleRuleSO();
ruleSO.attributes.tags = [
'some fake tag 1',
'some fake tag 2',
`${INTERNAL_RULE_ID_KEY}:rule-1`,
`${INTERNAL_IMMUTABLE_KEY}:true`,
];
const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
expect(rule).toEqual(expectedRule());
});

test('it applies rule name override in buildRule', () => {
const ruleSO = sampleRuleSO();
ruleSO.attributes.params.ruleNameOverride = 'someKey';
const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
const expected = {
...expectedRule(),
name: 'someValue',
rule_name_override: 'someKey',
meta: {
ruleNameOverridden: true,
},
};
expect(rule).toEqual(expected);
});

test('it applies risk score override in buildRule', () => {
const newRiskScore = 79;
const ruleSO = sampleRuleSO();
ruleSO.attributes.params.riskScoreMapping = [
{
field: 'new_risk_score',
// value and risk_score aren't used for anything but are required in the schema
value: '',
operator: 'equals',
risk_score: undefined,
},
];
const doc = sampleDocNoSortId();
doc._source.new_risk_score = newRiskScore;
const rule = buildRuleWithOverrides(ruleSO, doc._source);
const expected = {
...expectedRule(),
risk_score: newRiskScore,
risk_score_mapping: ruleSO.attributes.params.riskScoreMapping,
meta: {
riskScoreOverridden: true,
},
};
expect(rule).toEqual(expected);
});

test('it applies severity override in buildRule', () => {
const eventSeverity = '42';
const ruleSO = sampleRuleSO();
ruleSO.attributes.params.severityMapping = [
{
field: 'event.severity',
value: eventSeverity,
operator: 'equals',
severity: 'critical',
},
];
const doc = sampleDocSeverity(Number(eventSeverity));
const rule = buildRuleWithOverrides(ruleSO, doc._source);
const expected = {
...expectedRule(),
severity: 'critical',
severity_mapping: ruleSO.attributes.params.severityMapping,
meta: {
severityOverrideField: 'event.severity',
},
};
expect(rule).toEqual(expected);
});
});
Loading

0 comments on commit e41f436

Please sign in to comment.