[Security Solution][Detections] Adds sequence callout in the exceptions modals for eql rule types #79007
Conversation
dplumlee
added
Team:SIEM
v8.0.0
release_note:skip
| @@ -316,6 +317,13 @@ export const AddExceptionModal = memo(function AddExceptionModal({ | |||
| [fetchOrCreateListError, exceptionItemsToAdd] | |||
| ); | |||
|
|
|||
| const isRuleEQLSequenceStatement = useMemo((): boolean => { | |||
| if (maybeRule != null && maybeRule.query != null) { | |||
| return maybeRule.type === 'eql' && maybeRule.query.startsWith('sequence'); | |||
There was a problem hiding this comment.
This is the logic I chose to go with for delineating sequence queries and non-sequence queries. When rylands validation pr gets merged, this should cover all cases given that sequence is a saved term in eql, but any comments/suggestions from those more versed in EQL would be appreciated
There was a problem hiding this comment.
@rw-access may have ideas about the best way to do this
There was a problem hiding this comment.
@dplumlee FYI we have some helpers available to avoid these kinds of hardcoded strings. Since this logic is duplicated in a few spots, I'd say that moving this function out to a shared location makes sense.
There was a problem hiding this comment.
nice. for the logic in general, first word is sequence and the second word is not where.
then you'll be set (assuming it's valid syntax in the first place)
There was a problem hiding this comment.
is sequence where ... valid eql? I tested using sequence as an event category in the EQL ES api and got an exception, wasn't sure if that just isn't allowed since sequence is a reserved word.
There was a problem hiding this comment.
I haven't tried sequence where true in ES EQL, wasn't sure how ANTLR handled it.
|
Pinging @elastic/siem (Team:SIEM) |
| export const hasEqlSequenceQuery = (ruleQuery: string | undefined): boolean => { | ||
| if (ruleQuery != null) { | ||
| const parsedQuery = ruleQuery.split(' '); | ||
| return parsedQuery[0] === 'sequence' && parsedQuery[1] !== 'where'; |
There was a problem hiding this comment.
@rylnd @rw-access will something like this work, or is it valid syntax to begin an eql query with a leading space?
There was a problem hiding this comment.
It is valid, or at least valid to pass to the EQL api, so I just trimmed it that should solve any potential edge cases problems
There was a problem hiding this comment.
might wanna add a test case for other forms of whitespace and multiple between sequence and where, but I think this approach is solid.
There was a problem hiding this comment.
ah yeah good call. new fix should cover that too, thanks
|
@elasticmachine merge upstream |
dplumlee
force-pushed
the
modal-sequence-callout
branch
from
dde40d8 to
abd131a
Compare
| 'xpack.securitySolution.exceptions.addException.sequenceWarning', | ||
| { | ||
| defaultMessage: | ||
| 'This rule is a sequence statement. The exception created will apply to all events in the sequence.', |
There was a problem hiding this comment.
@paulewing Do you have any preferences on the language here? I'm thinking that the first sentence could be more specific and say something like this:
This rule's query contains an EQL sequence statement.
| }); | ||
| }); | ||
|
|
||
| describe('when a sequence query is passed with extra white space', () => { |
There was a problem hiding this comment.
thanks for the updates.
how does this work for "sequence\n..."? or "sequence where ..." which should be invalid syntax on the ES side. but if it is accepted syntax, then it's definitely not a sequence query
There was a problem hiding this comment.
added coverage for \n but it should work for the sequence where ... case already. Added another test for coverage sake
| @@ -17,6 +17,14 @@ export const hasNestedEntry = (entries: EntriesArray): boolean => { | |||
| return found.length > 0; | |||
| }; | |||
|
|
|||
| export const hasEqlSequenceQuery = (ruleQuery: string | undefined): boolean => { | |||
| if (ruleQuery != null) { | |||
| const parsedQuery = ruleQuery.split(' ').filter((word) => word !== '' && word !== '\n'); | |||
There was a problem hiding this comment.
It still seems brittle for some reason, since there are four whitespace characters for EQL. sequence\n[x] may slip through.
ruleQuery.trim().split(/[ \t\r\n]+/); should do it the same way ANTLR does
There was a problem hiding this comment.
ah cool, i'll switch to that then
dplumlee
force-pushed
the
modal-sequence-callout
branch
2 times, most recently
from
98bcfa4 to
618cd74
Compare
|
@elasticmachine merge upstream |
1 similar comment
|
@elasticmachine merge upstream |
dplumlee
force-pushed
the
modal-sequence-callout
branch
from
1defbb6 to
bc046d4
Compare
💚 Build SucceededMetrics [docs]async chunks size
History
To update your PR or re-run it, just comment with: |
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Adds a callout warning to inform users of exception-related side effects should they choose to create/edit an exception tied to a eql rule type that has a sequence query.
Checklist
Delete any items that are not applicable to this PR.
For maintainers