Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add possibility to update threat_indicator_path for prebuilt rule #116583

Merged
merged 6 commits into from
Nov 29, 2021

Conversation

nkhristinin
Copy link
Contributor

@nkhristinin nkhristinin commented Oct 28, 2021

Add the possibility to update threat_indicator_path for the prebuilt rule.

How to reproduce the bug:

We will update this file -x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json

  • checkout master branch
  • install all prebuilt rules
  • open the Threat Intel Filebeat Module Indicator Match
  • check that in the network panel the request for this rule has threat_indicator_pathequals ""
  • change threat_indicator_path to any value
  • increase the version
  • save file
  • you should see this button

Screenshot 2021-10-28 at 19 54 07

  • update rules
  • check Indicator math rule again in the network request
  • threat_indicator_pathshould be the empty string - ""

Check out branch

  • Go to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json
  • change threat_indicator_path to any value
  • increase the version
  • you should see this button

Screenshot 2021-10-28 at 19 54 07

  • update rules
  • check Threat Intel Filebeat Module Indicator Match rule again in the network request
  • threat_indicator_pathshould has a value which you enter before

For maintainers

@nkhristinin
Copy link
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin marked this pull request as ready for review October 28, 2021 17:57
@nkhristinin nkhristinin requested a review from a team as a code owner October 28, 2021 17:57
@nkhristinin nkhristinin added auto-backport Deprecated - use backport:version if exact versions are needed Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Oct 28, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, I missed these paths in #91260.

In order to ensure we don't introduce a regression here, it would be great to add some test coverage in update_prepacked_rules.test.ts, verifying that modification of some representative fields (including threat_indicator_path) are persisted by that function.

@ecezalp
Copy link
Contributor

ecezalp commented Nov 16, 2021

@elasticmachine merge upstream

Copy link
Contributor

@ecezalp ecezalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - making a note of the update_prepackaged_rules.test.ts in the testing doc here for 8.0

@elastic elastic deleted a comment from kibanamachine Nov 16, 2021
@ecezalp
Copy link
Contributor

ecezalp commented Nov 24, 2021

@elasticmachine merge upstream

@ecezalp
Copy link
Contributor

ecezalp commented Nov 29, 2021

@elasticmachine merge upstream

@ecezalp ecezalp added the Team:Detections and Resp Security Detection Response Team label Nov 29, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@ecezalp ecezalp enabled auto-merge (squash) November 29, 2021 19:17
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nkhristinin

@ecezalp ecezalp merged commit b5a30fc into elastic:main Nov 29, 2021
@kibanamachine
Copy link
Contributor

The following labels were identified as gaps in your version labels and will be added automatically:

  • v8.1.0

If any of these should not be on your pull request, please manually remove them.

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 29, 2021
…astic#116583)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
8.0

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Nov 29, 2021
…16583) (#119898)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>

Co-authored-by: Khristinin Nikita <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021
…astic#116583)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Ece Ozalp <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed CTI area release_note:fix Team: CTI Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.0 v8.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants