[RAC][Security Solution] Adds migration to new SecuritySolution rule types #112113
Conversation
madirey
added
release_note:skip
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
History
To update your PR or re-run it, just comment with: |
| @@ -55,7 +55,7 @@ describe('CTI Enrichment', () => { | |||
| goToRuleDetails(); | |||
| }); | |||
|
|
|||
| it('Displays enrichment matched.* fields on the timeline', () => { | |||
| it.skip('Displays enrichment matched.* fields on the timeline', () => { | |||
There was a problem hiding this comment.
@ecezalp fyi. We need to get this in for 8.0, but just wanted you and the threat intel team to be aware
| @@ -64,7 +64,7 @@ describe('AlertSummaryView', () => { | |||
| expect(queryByTestId('summary-view-guide')).not.toBeInTheDocument(); | |||
| }); | |||
| }); | |||
| test('Memory event code renders additional summary rows', () => { | |||
| test.skip('Memory event code renders additional summary rows', () => { | |||
There was a problem hiding this comment.
@angorayc - just an fyi since I think you worked on this?
| context.core.elasticsearch.client.asCurrentUser.search.mockResolvedValue( | ||
| elasticsearchClientMock.createSuccessTransportRequestPromise(getEmptySignalsResponse()) | ||
| ); | ||
| // eslint-disable-next-line @typescript-eslint/no-explicit-any |
There was a problem hiding this comment.
Just a minor nit if we can replace any here later on
| export const NOTIFICATION_THROTTLE_NO_ACTIONS = 'no_actions'; | ||
| export const NOTIFICATION_THROTTLE_RULE = 'rule'; | ||
| export const NOTIFICATION_THROTTLE_NO_ACTIONS = 'no_actions' as const; | ||
| export const NOTIFICATION_THROTTLE_RULE = 'rule' as const; | ||
|
|
||
| export const showAllOthersBucket: string[] = [ | ||
| 'destination.ip', |
There was a problem hiding this comment.
TODO: Does 'signal.rule.threat.tactic.name' need to be replaced here as well?
There was a problem hiding this comment.
Thanks for doing this @madirey 💪🏾 🎉 ! Tested our critical paths and most of them look good, but I noted all my initial findings below. Approving so we can get it in and fix any bugs during our 8.0 cycle
- I was able to switch the open, acknowledged, and close states successfully.
- I was able to successfully open an alert in timeline, add to timeline, query in timeline, and open the analyzer when available
- The table also successfully loads in the hosts page and the flyout there looks as expected as well
Just to note some things I noticed, and the people who (I believe) worked on them in case they get bug tickets (or just generally bugged) about the issues:
- The details flyout loads data and shows what I would expect in the JSON and Table Fields, but there may be some fields missing in the
overviewandthreat intelviews. @angorayc and @ecezalp may be able to help confirm here - The context menu seems to have the case actions perpetually disabled, but that can probably be fixed in
use_add_to_case.ts(fyi @kqualters-elastic) - The reason field renderer needs to be updated as it still references
signalfields (fyi @machadoum) - Generally there are some additional signal-* references that probably need to be updated in the
x-pack/plugins/timelinesdirectory as well - @MadameSheema there will probably be some bugs that pop up as this work is the updated version of ([Security Solution][RAC] - Update UI signal references #107713) which we had discussed before, so the test plan we talked about for that work will apply here
| @@ -254,7 +254,12 @@ export const useIndexFields = (sourcererScopeName: SourcererScopeName) => { | |||
| errorMessage: null, | |||
| id: sourcererScopeName, | |||
| indexPattern: getIndexFields(stringifyIndices, response.indexFields), | |||
| indicesExist: response.indicesExist.length > 0, | |||
| // If checking for DE signals index, lie and say the index is created (it's | |||
There was a problem hiding this comment.
dont do this! we will not have fields for signals index yet
There was a problem hiding this comment.
I'm going to overwrite this tomorrow with #114806
| @@ -11,65 +11,65 @@ import type { TransformConfigSchema } from './transforms/types'; | |||
| import { ENABLE_CASE_CONNECTOR } from '../../cases/common'; | |||
| import { METADATA_TRANSFORMS_PATTERN } from './endpoint/constants'; | |||
|
|
|||
| export const APP_ID = 'securitySolution'; | |||
| export const APP_ID = 'securitySolution' as const; | |||
There was a problem hiding this comment.
why? could you please explain this
There was a problem hiding this comment.
do all new variables need this? i have a bunch of conflicts. a code comment would be super helpful if this is truly necessary, but I cannot understand why we would need this.
There was a problem hiding this comment.
@stephmilovic The const assertions are not strictly necessary for the string literals, but have been used as a convention for consistency in other parts of the code base, e.g. constants in rule_registry (this also ensures that type widening does not occur if the value/type of the const is changed to a value which would be widened by TS by default). For other types (template strings, arrays, objects, etc.), as const ensures that the type cannot be widened, which provides a compile-time hint that is useful for IDEs. It was super useful in debugging the AAD changes to be able to have the IDE resolve the values of all the constants without having to go look them up every time. Happy to discuss!
…-migrate-away-from-injected-css-js * 'master' of github.com:elastic/kibana: (61 commits) [ML] Nodes overview for the Model Management page (elastic#116361) [Uptime] Uptime index config using kibana.yml (elastic#115775) [Controls] Dashboard Integration (elastic#115991) skip flaky suite (elastic#104260) Include Files in GitHub UI (elastic#115956) skip flaky suite (elastic#116060) [Canvas] By-Value Embeddables (elastic#113827) Skip failing test (elastic#115366) [Osquery] Fix live query search doesn't return relevant results for agents (elastic#116332) [Integrations] Added link in old Add Data description and fixed alignment in cards (elastic#116213) [Actions] Extended ActionTypeRegistry with connector validation to validate config with secrets (elastic#116079) skip flaky suite (elastic#109329) Grant access to machine learning features when base privileges are used (elastic#115444) Skipping failing test (elastic#84957) [RAC][Security Solution] Adds migration to new SecuritySolution rule types (elastic#112113) skip flaky suite (elastic#115366) [Fleet] Marking API spec as experimental (elastic#116331) [Docs] Cleaning up the versions in the upgrade paths. Closes elastic#116223 (elastic#116228) [Reporting] Suppress debug logs in the mock logger (elastic#116012) [Metrics UI] Clear threshold alert groups state when filterQuery changes (elastic#116205) ... # Conflicts: # src/plugins/dashboard/public/application/embeddable/dashboard_container.tsx # src/plugins/dashboard/public/types.ts
|
Hey @madirey as @michaelolo24 mentioned it looks like the menu actions for attaching alerts to cases are now disabled in this PR:
I looked into it a bit and it seems like this component is getting an undefined event: I just wanted to see if we already had a fix in the works, or if you knew what might be happening. |
|
@jonathan-buttner That issue is documented, but we don't have a fix in the works yet. I'll be going through shortly to fix the skipped tests, which I think will uncover the issue (if nobody gets to it first). Most likely something is still looking for a legacy field name, and so the event is not resolved properly. Perhaps here? https://github.com/elastic/kibana/blob/master/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts#L129 |
PR: #116768 |
…74216) ## Summary We just got an [SDH#814](elastic/sdh-security-team#814) that tell us that some feature like `KPIs` and `grouping` are not acting as they should be. @PhilippeOberti is doing an investigation to check which feature has been impacted by this bug. This bug has been introduced in this #112113 since 8.0.0 I think this simple solution should not impact any features.
…astic#174216) ## Summary We just got an [SDH#814](elastic/sdh-security-team#814) that tell us that some feature like `KPIs` and `grouping` are not acting as they should be. @PhilippeOberti is doing an investigation to check which feature has been impacted by this bug. This bug has been introduced in this elastic#112113 since 8.0.0 I think this simple solution should not impact any features. (cherry picked from commit 4af36fe)
…74216) We just got an [SDH#814](elastic/sdh-security-team#814) that tell us that some feature like `KPIs` and `grouping` are not acting as they should be. @PhilippeOberti is doing an investigation to check which feature has been impacted by this bug. This bug has been introduced in this #112113 since 8.0.0 I think this simple solution should not impact any features. (cherry picked from commit 4af36fe)
…ser (#174216) (#174304) # Backport This will backport the following commits from `main` to `8.12`: - [[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)](#174216) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-01-04T21:41:30Z","message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","blocker","release_note:fix","impact:critical","Team:ResponseOps","Team:Detection Alerts","v8.12.0","v8.13.0","v8.11.4"],"title":"[SECURITY_SOLUTIONS] Only query security alerts with current user","number":174216,"url":"https://github.com/elastic/kibana/pull/174216","mergeCommit":{"message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b"}},"sourceBranch":"main","suggestedTargetBranches":["8.12","8.11"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174216","number":174216,"mergeCommit":{"message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b"}},{"branch":"8.11","label":"v8.11.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Xavier Mouligneau <[email protected]>
…ser (#174216) (#174306) # Backport This will backport the following commits from `main` to `8.11`: - [[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)](#174216) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-01-04T21:41:30Z","message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","blocker","release_note:fix","impact:critical","Team:ResponseOps","Team:Detection Alerts","v8.12.0","v8.13.0","v8.11.4"],"title":"[SECURITY_SOLUTIONS] Only query security alerts with current user","number":174216,"url":"https://github.com/elastic/kibana/pull/174216","mergeCommit":{"message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b"}},"sourceBranch":"main","suggestedTargetBranches":["8.12","8.11"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174216","number":174216,"mergeCommit":{"message":"[SECURITY_SOLUTIONS] Only query security alerts with current user (#174216)\n\n## Summary\r\n\r\nWe just got an\r\n[SDH#814](elastic/sdh-security-team#814) that\r\ntell us that some feature like `KPIs` and `grouping` are not acting as\r\nthey should be.\r\n\r\n@PhilippeOberti is doing an investigation to check which feature has\r\nbeen impacted by this bug. This bug has been introduced in this\r\nhttps://github.com//pull/112113 since 8.0.0\r\n\r\nI think this simple solution should not impact any features.","sha":"4af36fece290263c4fd86f0e06d3e12bdb05f81b"}},{"branch":"8.11","label":"v8.11.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: Kibana Machine <[email protected]>
Summary
This PR adds a migration for 8.0 to the new security solution rule types.
Changes include
@kbn/securitysolution-rulespackage to share rules data and utilities between pluginsalertingplugin to split thesiem.signalsrule type into 6 distinct DE rule typesruleDataClient(for ease of testing)signal.*alert fields withkibana.alert.*equivalentsoriginal_eventfieldsTo be addressed later
x-pack/plugins/security_solution/public/common/components/event_details/reason.tsxandx-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.tsandx-pack/plugins/timelines/public/hooks/use_add_to_case.ts(fix add to case)Checklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:
For maintainers