Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Fix prebuilt rule duplication logic to copy related integrations and required fields from the original rule #191065

Merged

Conversation

banderror
Copy link
Contributor

@banderror banderror commented Aug 22, 2024

Fixes: #190628
Related to: #173595, #173594

Summary

As stated in the bug ticket, when duplicating a prebuilt rule, the "Related Integrations" and "Required Fields" values should be inherited from the original rule, as it was specified in the Acceptance Criteria for #173595 and #173594.

This PR:

  • Removes the logic that resets these fields to empty arrays for duplicated prebuilt rules - we needed this logic in the past because these fields were not editable in the UI, but we don't need it anymore.
  • Updates the corresponding unit tests.

Screenshots

These screenshots were taken after introducing the fixes.

Original prebuilt rule:

Screenshot_2024-08-23_at_13_25_07

Duplicated prebuilt rule:

Screenshot_2024-08-23_at_13_25_43

Checklist

@banderror banderror added bug Fixes for quality problems that affect the customer experience release_note:fix impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area v8.16.0 v8.15.1 labels Aug 22, 2024
@banderror banderror self-assigned this Aug 22, 2024
@banderror banderror changed the title [Security Solution] Fix prebuilt rule duplication logic [Security Solution] Fix prebuilt rule duplication logic to copy related integrations and required fields from the original rule Aug 22, 2024
@banderror
Copy link
Contributor Author

/ci

@banderror banderror force-pushed the fix-prebuilt-rule-duplication-logic branch from dbbf90d to 2c171c3 Compare August 23, 2024 10:59
@banderror banderror marked this pull request as ready for review August 23, 2024 11:40
@banderror banderror requested a review from a team as a code owner August 23, 2024 11:40
@banderror banderror requested a review from jpdjere August 23, 2024 11:40
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@banderror banderror requested review from maximpn and nikitaindik and removed request for jpdjere August 23, 2024 11:41
Copy link
Contributor

@maximpn maximpn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@banderror Thanks for handling this bug and extending test coverage 🙏

I left some comments which are rather nit.


// Duplicated rules are always considered custom rules
const immutable = false;
const immutable: InternalRuleCreate['params']['immutable'] = false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious what's the point to explicitly specify types here? Usually TS is able to infer types pretty accurately (especially such simple ones) and check wether these match return type (since it's specified for the function this also the reason why it's better to have function's return type). If something is wrong TS will complain on lines 51-52.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maximpn There are sometimes instances when TS allows to return an object from a function if the object fulfills a certain type or interface, but has additional fields as well that are not part of this type. I've seen it multiple times but I can't give you a concrete example immediately.

Here maybe you're right that these type annotations are not necessary, but I figured I'd still add them because here we return a complex rule object from the function and it's probably better if we add extra type annotations. It shouldn't hurt, anyway.

}),
})
);
});

it('copies setup guide as is', async () => {
it('copies fields from the original rule', async () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I get it correctly that we wanna test for coping of ALL fields in that unit test? And it's a desired behavior to have this test failed when a new field got added for example by Response Ops team?

WDYT about changing the test name to copies all fields from the original rule?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I get it correctly that we wanna test for coping of ALL fields in that unit test?

@maximpn Strictly speaking, we don't copy all rule fields. We copy all parameters + some of the fields that Alerting Framework owns. Some fields get adjusted (e.g. name), some fields get regenerated. I don't think it would be correct to rename the test to copies all fields from the original rule.

And it's a desired behavior to have this test failed when a new field got added for example by Response Ops team?

Yes, because if they add a new top-level framework's field we need to make sure it is correctly handled by the rule duplication logic: copied, adjusted, or regenerated.


it('keeps it custom', async () => {
const rule = createCustomRule();
const result = await duplicateRule({
rule,
});

expect(result).toEqual(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It should be simpler to assert result.params directly

Suggested change
expect(result).toEqual(
expect(result.params).toEqual(
expect.objectContaining({
requiredFields: rule.params.requiredFields,
immutable: false,
ruleSource: {
type: 'internal',
},
}),
})
);

},
];

it('copies fields from the original rule', async () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: The same as before should it be renamed copies fields from the original rule -> copies all fields from the original rule?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@banderror banderror force-pushed the fix-prebuilt-rule-duplication-logic branch from 2c171c3 to 0941f9d Compare August 26, 2024 08:11
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

  • 💔 Build #229428 failed 2c171c3d7abd58041a760baa57513c2dba12c663
  • 💚 Build #229100 succeeded dbbf90dd3878c678d8c31ff377913c7273b04704

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @banderror

Copy link
Contributor

@nikitaindik nikitaindik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix @banderror! I have checked the implementation and tested locally. Found no issues.

@banderror
Copy link
Contributor Author

Thanks @maximpn and @nikitaindik 👍 I'll respond to the comments tomorrow and open a follow-up PR, if needed. Gonna merge this one now so we have the fix in main before the 8.15.1 FF.

@banderror banderror merged commit b144c05 into elastic:main Aug 26, 2024
39 checks passed
@kibanamachine
Copy link
Contributor

💔 All backports failed

Status Branch Result
8.15 Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 191065

Questions ?

Please refer to the Backport tool documentation

@banderror
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.15

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

banderror added a commit to banderror/kibana that referenced this pull request Aug 27, 2024
…ed integrations and required fields from the original rule (elastic#191065)

**Fixes: elastic#190628
**Related to:** elastic#173595,
elastic#173594

## Summary

As stated in the bug ticket, when duplicating a prebuilt rule, the
"Related Integrations" and "Required Fields" values should be inherited
from the original rule, as it was specified in the Acceptance Criteria
for elastic#173595 and
elastic#173594.

This PR:

- Removes the logic that resets these fields to empty arrays for
duplicated prebuilt rules - we needed this logic in the past because
these fields were not editable in the UI, but we don't need it anymore.
- Updates the corresponding unit tests.

## Screenshots

These screenshots were taken after introducing the fixes.

**Original prebuilt rule:**

<img width="1463" alt="Screenshot_2024-08-23_at_13_25_07"
src="https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119">

**Duplicated prebuilt rule:**

<img width="1469" alt="Screenshot_2024-08-23_at_13_25_43"
src="https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b">

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit b144c05)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/actions/duplicate_rule.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/actions/duplicate_rule.ts
@banderror banderror deleted the fix-prebuilt-rule-duplication-logic branch August 27, 2024 12:54
banderror added a commit that referenced this pull request Aug 27, 2024
…y related integrations and required fields from the original rule (#191065) (#191493)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[Security Solution] Fix prebuilt rule duplication logic to copy
related integrations and required fields from the original rule
(#191065)](#191065)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Georgii
Gorbachev","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-08-26T13:42:52Z","message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","impact:medium","Team:Detections
and Resp","Team: SecuritySolution","Feature:Rule
Management","Team:Detection Rule Management","Feature:Prebuilt Detection
Rules","v8.16.0","v8.15.1"],"number":191065,"url":"https://github.com/elastic/kibana/pull/191065","mergeCommit":{"message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5"}},"sourceBranch":"main","suggestedTargetBranches":["8.15"],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","labelRegex":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191065","number":191065,"mergeCommit":{"message":"[Security
Solution] Fix prebuilt rule duplication logic to copy related
integrations and required fields from the original rule
(#191065)\n\n**Fixes:
https://github.com/elastic/kibana/issues/190628**\r\n**Related to:**
https://github.com/elastic/kibana/issues/173595,\r\nhttps://github.com/elastic/kibana/issues/173594\r\n\r\n##
Summary\r\n\r\nAs stated in the bug ticket, when duplicating a prebuilt
rule, the\r\n\"Related Integrations\" and \"Required Fields\" values
should be inherited\r\nfrom the original rule, as it was specified in
the Acceptance Criteria\r\nfor
#173595
and\r\nhttps://github.com//issues/173594.\r\n\r\nThis
PR:\r\n\r\n- Removes the logic that resets these fields to empty arrays
for\r\nduplicated prebuilt rules - we needed this logic in the past
because\r\nthese fields were not editable in the UI, but we don't need
it anymore.\r\n- Updates the corresponding unit tests.\r\n\r\n##
Screenshots\r\n\r\nThese screenshots were taken after introducing the
fixes.\r\n\r\n**Original prebuilt rule:**\r\n\r\n<img width=\"1463\"
alt=\"Screenshot_2024-08-23_at_13_25_07\"\r\nsrc=\"https://github.com/user-attachments/assets/ad8673f5-aba3-40c8-ae91-bbd7d334b119\">\r\n\r\n**Duplicated
prebuilt rule:**\r\n\r\n<img width=\"1469\"
alt=\"Screenshot_2024-08-23_at_13_25_43\"\r\nsrc=\"https://github.com/user-attachments/assets/03761a2b-6f53-4bab-bf4c-a71c6860802b\">\r\n\r\n###
Checklist\r\n\r\n- [
]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas
added for features that require explanation or tutorials\r\n- [x] [Unit
or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"b144c05e8f39f28dd9551b7c62daa01cfa1d2cd5"}},{"branch":"8.15","label":"v8.15.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area Feature:Rule Management Security Solution Detection Rule Management area impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. release_note:fix Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.15.1 v8.16.0
Projects
None yet
6 participants