[SIEM] Add support for actions and throttle in Rules (#59641)
patrykkopycinski authored Mar 20, 2020
1 parent b841526 commit 8f1e22f
Showing 48 changed files with 1,314 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ export const mockPrepackagedRule = (): PrepackagedRules => ({
technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
},
],
throttle: null,
enabled: true,
filters: [],
immutable: false,
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ export const getOutputRuleAlertForRest = (): Omit<
OutputRuleAlertRest,
'machine_learning_job_id' | 'anomaly_threshold'
> => ({
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
.filter(rule => rule.rule_id == null || !dupes.includes(rule.rule_id))
.map(async payloadRule => {
const {
actions,
anomaly_threshold: anomalyThreshold,
description,
enabled,
Expand All @@ -77,6 +78,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -110,6 +112,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
const createdRule = await createRules({
alertsClient,
actionsClient,
actions,
anomalyThreshold,
description,
enabled,
Expand All @@ -133,6 +136,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
name,
severity,
tags,
throttle,
to,
type,
threat,
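Review bot: `actions` and `throttle` are pulled off each bulk payload rule and forwarded to `createRules` (second and fourth hunks) with no check visible here that each action's connector `id` exists in this space or that the caller is allowed to use it; the request-schema change for these two fields is not among the files shown, so I can't confirm what validation runs before this point. A bad connector reference should fail that rule (the alerting client may already reject it at create time — worth confirming) rather than yielding a rule whose actions never fire. If validation is deliberately delegated downstream, make the contract explicit with a comment above the destructure: `// actions/throttle are shape-checked by the create schema; connector ids are resolved by alertsClient.create`. `createRulesBulkRoute` begins before the first hunk and continues past the last one.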
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ export const createRulesRoute = (router: IRouter): void => {
},
async (context, request, response) => {
const {
actions,
anomaly_threshold: anomalyThreshold,
description,
enabled,
Expand All @@ -54,6 +55,7 @@ export const createRulesRoute = (router: IRouter): void => {
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -96,6 +98,7 @@ export const createRulesRoute = (router: IRouter): void => {
const createdRule = await createRules({
alertsClient,
actionsClient,
actions,
anomalyThreshold,
description,
enabled,
Expand All @@ -119,6 +122,7 @@ export const createRulesRoute = (router: IRouter): void => {
name,
severity,
tags,
throttle,
to,
type,
threat,
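Review bot: When a create body omits `throttle`, the value forwarded to `createRules` in the fourth hunk is `undefined`, while the output side of this commit treats `null` as the "no throttle" value (`throttle: null` in the prepackaged mock); whether `createRules` normalizes `undefined` to `null` before calling the alerting client is not visible in this hunk. If the alerting client requires `throttle` to be a string or `null`, an omitted field would turn a valid request into a 400. Either normalize at the route boundary, `throttle: throttle ?? null,`, or confirm `createRules` does so and say so in a comment. Separately, this route now mirrors the bulk route's 30-field mapping line for line, with the same two additions in the same four places, so a shared payload-to-params helper would leave one place to extend. The function body extends beyond both edges of the hunks.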
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
return null;
}
const {
actions,
anomaly_threshold: anomalyThreshold,
description,
enabled,
Expand All @@ -133,6 +134,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -163,6 +165,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
await createRules({
alertsClient,
actionsClient,
actions,
anomalyThreshold,
description,
enabled,
Expand All @@ -189,6 +192,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
to,
type,
threat,
throttle,
references,
note,
version,
Expand All @@ -199,6 +203,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
await patchRules({
alertsClient,
actionsClient,
actions,
savedObjectsClient,
description,
enabled,
Expand All @@ -225,6 +230,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
to,
type,
threat,
throttle,
references,
note,
version,
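Review bot: An imported rule file is user-supplied input, and this hunk forwards its `actions` (connector ids plus action params) and `throttle` straight into `createRules` and, on the overwrite path, `patchRules`, so a file authored in another deployment or by a less-privileged user can attach or replace the connectors wired to rules in this space. Nothing visible here checks that the referenced connector ids exist or that the importing user may use them; if the alerting client performs that check and fails the rule, confirm the failure surfaces as an import error for that rule rather than as a partially created rule. If carrying actions through import is intended, document it above the destructure: `// NOTE: imported actions reference connector ids in the target space; unknown ids are rejected by the alerts client`. If it is not, drop `actions` and `throttle` from the import path and let users re-attach connectors after import. `importRulesRoute` starts before the first hunk and ends after the last.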
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
const rules = await Promise.all(
request.body.map(async payloadRule => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -70,6 +71,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
Expand All @@ -79,6 +81,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
const rule = await patchRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -104,6 +107,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
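Review bot: For a PATCH, an omitted `actions`/`throttle` should leave the stored values alone while an explicit `actions: []` or `throttle: null` should clear them; after this destructure both cases reach `patchRules` as `undefined` versus a value, and the hunk does not show whether `patchRules` preserves that distinction. Because `null` is a legitimate throttle value here, any `throttle ?? existing` or truthiness check inside `patchRules` would silently conflate "clear it" with "leave it" — it needs a `!== undefined` test. A comment above the destructure would pin the contract for the next maintainer: `// undefined = leave field unchanged; null (throttle) / [] (actions) = clear it`. `patchRulesBulkRoute` continues outside both hunks.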
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ export const patchRulesRoute = (router: IRouter) => {
},
async (context, request, response) => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -54,6 +55,7 @@ export const patchRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
Expand All @@ -76,6 +78,7 @@ export const patchRulesRoute = (router: IRouter) => {
const rule = await patchRules({
actionsClient,
alertsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -101,6 +104,7 @@ export const patchRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
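Review bot: Point of style: the single and bulk patch routes now carry identical destructure-and-forward blocks of roughly thirty fields, and they already differ cosmetically — `actionsClient` precedes `alertsClient` in the `patchRules` call here, the reverse of the bulk route — which is exactly how the next new field gets added to one route and forgotten in the other. A small shared helper that maps a request payload to `patchRules` params, used by both routes, would leave one place to extend and test. If that is out of scope for this change, at least match the bulk route's ordering in the third hunk: `alertsClient,` / `actionsClient,` / `actions,`. The enclosing handler begins before the first hunk and ends after the last.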
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
const rules = await Promise.all(
request.body.map(async payloadRule => {
const {
actions,
anomaly_threshold: anomalyThreshold,
description,
enabled,
Expand All @@ -73,6 +74,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
Expand All @@ -84,6 +86,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
const rule = await updateRules({
alertsClient,
actionsClient,
actions,
anomalyThreshold,
description,
enabled,
Expand Down Expand Up @@ -112,6 +115,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
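Review bot: `updateRules` is the full-replacement path, so when a PUT body omits `actions` or `throttle` the intended result is presumably "no actions, no throttle", but what reaches `updateRules` in the second hunk is `undefined`; whether it defaults those to `[]`/`null` or passes `undefined` through to the alerting client is not visible here. If the alerting client requires both fields, an omitted one turns a valid update into an error; if it ignores `undefined`, the rule's existing actions survive a PUT that meant to remove them. Normalize at the boundary, `actions: actions ?? [],` and `throttle: throttle ?? null,`, or confirm `updateRules` already does and note it. `updateRulesBulkRoute` extends beyond both hunks.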
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ export const updateRulesRoute = (router: IRouter) => {
},
async (context, request, response) => {
const {
actions,
anomaly_threshold: anomalyThreshold,
description,
enabled,
Expand All @@ -56,6 +57,7 @@ export const updateRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
Expand All @@ -80,6 +82,7 @@ export const updateRulesRoute = (router: IRouter) => {
const rule = await updateRules({
alertsClient,
actionsClient,
actions,
anomalyThreshold,
description,
enabled,
Expand Down Expand Up @@ -108,6 +111,7 @@ export const updateRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
note,
version,
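Review bot: Nothing in this handler states that an update replaces a rule's actions and throttle wholesale, which matters now that a PUT body without `actions` will, depending on how `updateRules` treats `undefined`, either clear the rule's connectors or leave them in place — two very different outcomes for an operator removing a notification. Once the intended semantics are confirmed against `updateRules`, record them above the destructure: `// PUT replaces the whole rule: omitting actions/throttle removes them (presumably normalized to []/null in updateRules)`. The handler body begins before the first hunk and continues after the last.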
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import {
OutputError,
} from '../utils';
import { hasListsFeature } from '../../feature_flags';
import { transformAlertToRuleAction } from '../../rules/transform_actions';

type PromiseFromStreams = ImportRuleAlertRest | Error;

Expand Down Expand Up @@ -102,6 +103,7 @@ export const transformAlertToRule = (
ruleStatus?: SavedObject<IRuleSavedAttributesSavedObjectAttributes>
): Partial<OutputRuleAlertRest> => {
return pickBy<OutputRuleAlertRest>((value: unknown) => value != null, {
actions: alert.actions.map(transformAlertToRuleAction),
created_at: alert.createdAt.toISOString(),
updated_at: alert.updatedAt.toISOString(),
created_by: alert.createdBy,
Expand Down Expand Up @@ -134,6 +136,7 @@ export const transformAlertToRule = (
to: alert.params.to,
type: alert.params.type,
threat: alert.params.threat,
throttle: alert.throttle,
note: alert.params.note,
version: alert.params.version,
status: ruleStatus?.attributes.status,
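Review bot: `throttle: alert.throttle` is added inside the `pickBy(value != null)` filter, so a rule with no throttle (`throttle: null`) comes back with the key absent rather than `null`, while the input side of this same commit treats `null` as a valid value (the prepackaged-rule mock); a client, or an export-then-import round trip, cannot tell "never set" from "explicitly none". If that asymmetry is intended, say so next to the field: `// NOTE: pickBy strips null, so throttle is omitted from output when unset`; if not, special-case it outside the filter. If `transformAlertToRule` also feeds the export route (the `ImportRuleAlertRest` import above suggests shared rule-transfer code), connector ids and raw action params now land in export files, so it is worth confirming that nothing secret is ever stored in action params. The function body continues past both hunks.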
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import { BulkError } from '../utils';
import { setFeatureFlagsForTestsOnly, unSetFeatureFlagsForTestsOnly } from '../../feature_flags';

export const ruleOutput: RulesSchema = {
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',
Expand Down