address 'event.' fields

elastic · Jul 14, 2020 · e7ecadc · e7ecadc
1 parent 1a3ce47
commit e7ecadc
Show file tree

Hide file tree

Showing 4 changed files with 162 additions and 2 deletions.
diff --git a/x-pack/plugins/security_solution/common/shared_imports.ts b/x-pack/plugins/security_solution/common/shared_imports.ts
@@ -39,4 +39,5 @@ export {
   entriesList,
   namespaceType,
   ExceptionListType,
+  EntryMatch,
 } from '../../lists/common';
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
@@ -25,6 +25,7 @@ import {
   enrichExceptionItemsWithOS,
   entryHasListType,
   entryHasNonEcsType,
+  prepareExceptionItemsForBulkClose,
 } from './helpers';
 import { FormattedEntry, DescriptionListItem, EmptyEntry } from './types';
 import {
@@ -44,6 +45,7 @@ import {
   getEntryListMock,
   getEntryMatchMock,
   getEntryMatchAnyMock,
+  getEntryNestedMock,
   getEntriesArrayMock,
 } from '../../../../../lists/common/schemas/types/entries.mock';
 import { getCommentsArrayMock } from '../../../../../lists/common/schemas/types/comments.mock';
@@ -683,4 +685,112 @@ describe('Exception helpers', () => {
       expect(result).toEqual(true);
     });
   });
+
+  describe('#prepareExceptionItemsForBulkClose', () => {
+    test('it should return no exceptionw when passed in an empty array', () => {
+      const payload: ExceptionListItemSchema[] = [];
+      const result = prepareExceptionItemsForBulkClose(payload);
+      expect(result).toEqual([]);
+    });
+
+    test("should not make any updates when the exception entries don't contain 'event.'", () => {
+      const payload = [getExceptionListItemSchemaMock(), getExceptionListItemSchemaMock()];
+      const result = prepareExceptionItemsForBulkClose(payload);
+      expect(result).toEqual(payload);
+    });
+
+    test("should update entry fields when they start with 'event.'", () => {
+      const payload = [
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryMatchMock(),
+              field: 'event.kind',
+            },
+            getEntryMatchMock(),
+          ],
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryMatchMock(),
+              field: 'event.module',
+            },
+          ],
+        },
+      ];
+      const expected = [
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryMatchMock(),
+              field: 'signal.original_event.kind',
+            },
+            getEntryMatchMock(),
+          ],
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryMatchMock(),
+              field: 'signal.original_event.module',
+            },
+          ],
+        },
+      ];
+      const result = prepareExceptionItemsForBulkClose(payload);
+      expect(result).toEqual(expected);
+    });
+
+    test("should update nested entry fields when they start with 'event.'", () => {
+      const payload: ExceptionListItemSchema[] = [
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryNestedMock(),
+              field: 'event.kind',
+            },
+            {
+              ...getEntryNestedMock(),
+              entries: [
+                {
+                  ...getEntryMatchMock(),
+                  field: 'event.module',
+                },
+                getEntryMatchMock(),
+              ],
+            },
+          ],
+        },
+      ];
+      const expected = [
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            {
+              ...getEntryNestedMock(),
+              field: 'signal.original_event.kind',
+            },
+            {
+              ...getEntryNestedMock(),
+              entries: [
+                {
+                  ...getEntryMatchMock(),
+                  field: 'signal.original_event.module',
+                },
+                getEntryMatchMock(),
+              ],
+            },
+          ],
+        },
+      ];
+      const result = prepareExceptionItemsForBulkClose(payload);
+      expect(result).toEqual(expected);
+    });
+  });
 });
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -36,6 +36,8 @@ import {
   exceptionListItemSchema,
   UpdateExceptionListItemSchema,
   ExceptionListType,
+  EntriesArray,
+  EntryMatch,
 } from '../../../lists_plugin_deps';
 import { IFieldType, IIndexPattern } from '../../../../../../../src/plugins/data/common';
 import { TimelineNonEcsData } from '../../../graphql/types';
@@ -380,6 +382,53 @@ export const formatExceptionItemForUpdate = (
   };
 };
 
+/**
+ * Maps "event." fields to "signal.original_event.". This is because when a rule is created
+ * the "event" field is copied over to "original_event". When the user creates an exception,
+ * they expect it to match against the original_event's fields, not the signal event's.
+ * @param exceptionItems new or existing ExceptionItem[]
+ */
+export const prepareExceptionItemsForBulkClose = (
+  exceptionItems: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>
+): Array<ExceptionListItemSchema | CreateExceptionListItemSchema> => {
+  const replaceField = (fieldToReplace: string) => {
+    return fieldToReplace.startsWith('event.')
+      ? fieldToReplace.replace(/^event./, 'signal.original_event.')
+      : fieldToReplace;
+  };
+
+  return exceptionItems.map((item: ExceptionListItemSchema | CreateExceptionListItemSchema) => {
+    if (item.entries !== undefined) {
+      const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => {
+        if (itemEntry.type === 'nested') {
+          const newNestedEntries = itemEntry.entries.map((nestedEntry: EntryMatch) => {
+            return {
+              ...nestedEntry,
+              field: replaceField(nestedEntry.field),
+            };
+          });
+          return {
+            ...itemEntry,
+            field: replaceField(itemEntry.field),
+            entries: newNestedEntries,
+          };
+        } else {
+          return {
+            ...itemEntry,
+            field: replaceField(itemEntry.field),
+          };
+        }
+      });
+      return {
+        ...item,
+        entries: newEntries,
+      };
+    } else {
+      return item;
+    }
+  });
+};
+
 /**
  * Adds new and existing comments to all new exceptionItems if not present already
  * @param exceptionItems new or existing ExceptionItem[]

diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/use_add_exception.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/use_add_exception.tsx
@@ -19,7 +19,7 @@ import { getUpdateAlertsQuery } from '../../../detections/components/alerts_tabl
 import { buildAlertStatusFilter } from '../../../detections/components/alerts_table/default_config';
 import { getQueryFilter } from '../../../../common/detection_engine/get_query_filter';
 import { Index } from '../../../../common/detection_engine/schemas/common/schemas';
-import { formatExceptionItemForUpdate } from './helpers';
+import { formatExceptionItemForUpdate, prepareExceptionItemsForBulkClose } from './helpers';
 
 /**
  * Adds exception items to the list. Also optionally closes alerts.
@@ -123,7 +123,7 @@ export const useAddOrUpdateException = ({
             'kuery',
             buildAlertStatusFilter('open'),
             bulkCloseIndex,
-            exceptionItemsToAddOrUpdate,
+            prepareExceptionItemsForBulkClose(exceptionItemsToAddOrUpdate),
             false
           );
           await updateAlertStatus({