

WIP
patrykkopycinski committed Mar 9, 2020
1 parent f0e063c commit f8892c7
Showing 33 changed files with 165 additions and 21 deletions.
Expand Up @@ -50,6 +50,7 @@ export const mockPrepackagedRule = (): PrepackagedRules => ({
technique: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
},
],
throttle: null,
enabled: true,
filters: [],
immutable: false,
Expand Down Expand Up @@ -348,6 +349,7 @@ export const getResult = (): RuleAlertType => ({
alertTypeId: 'siem.signals',
consumer: 'siem',
params: {
actions: [],
description: 'Detecting root and admin users',
ruleId: 'rule-1',
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
Expand Down Expand Up @@ -391,6 +393,7 @@ export const getResult = (): RuleAlertType => ({
],
},
],
throttle: null,
references: ['http://www.example.com', 'https://ww.example.com'],
version: 1,
},
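Review bot: In the second hunk of `getResult`, the new `actions: []` is placed inside `params` (directly after `params: {`), whereas `transformAlertToRule` in this same commit reads `alert.actions` from the top level of the alert and only `throttle` from `alert.params`, which is also where this mock puts `throttle: null`. Unless the params type also declares `actions`, the mock's `params.actions` is inert fixture data and the transform tests presumably pass only because `getResult` already sets a top-level `actions` outside this hunk. Either drop `params.actions` or move it next to `alertTypeId` at the top level so the fixture matches the shape the transform consumes. `getResult` starts and ends outside the hunk.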
Expand Up @@ -56,6 +56,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
.filter(rule => rule.rule_id == null || !dupes.includes(rule.rule_id))
.map(async payloadRule => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -75,6 +76,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -106,6 +108,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
const createdRule = await createRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -127,6 +130,7 @@ export const createRulesBulkRoute = (router: IRouter) => {
name,
severity,
tags,
throttle,
to,
type,
threat,
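Review bot: `actions` and `throttle` are destructured from `payloadRule` and forwarded to `createRules` with no check visible in this hunk; the route's request validation lives in the `validate` option outside the hunk, so confirm the bulk create schema now declares both fields (an array for `actions`, a nullable value for `throttle`, matching the mocks in this commit), otherwise they arrive undefined or unvalidated. Because `actions` ends up attached to the alert, it is also worth confirming that the alerts client layer verifies the referenced action ids exist in the current space and are usable by the caller, rather than the rules route assuming it. The identical destructure-and-forward change appears in `createRulesRoute`; the enclosing `.map(async payloadRule => …)` callback starts and ends outside the hunk.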
Expand Up @@ -31,6 +31,7 @@ export const createRulesRoute = (router: IRouter): void => {
},
async (context, request, response) => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -52,6 +53,7 @@ export const createRulesRoute = (router: IRouter): void => {
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -92,6 +94,7 @@ export const createRulesRoute = (router: IRouter): void => {
const createdRule = await createRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -113,6 +116,7 @@ export const createRulesRoute = (router: IRouter): void => {
name,
severity,
tags,
throttle,
to,
type,
threat,
Expand Up @@ -111,6 +111,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
return null;
}
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -131,6 +132,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
severity,
tags,
threat,
throttle,
to,
type,
references,
Expand Down Expand Up @@ -158,6 +160,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
await createRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -182,6 +185,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
to,
type,
threat,
throttle,
references,
version,
});
Expand All @@ -190,6 +194,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
await patchRules({
alertsClient,
actionsClient,
actions,
savedObjectsClient,
description,
enabled,
Expand All @@ -216,6 +221,7 @@ export const importRulesRoute = (router: IRouter, config: LegacyServices['config
to,
type,
threat,
throttle,
references,
version,
});
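Review bot: The `actions` list forwarded to `createRules` and `patchRules` in this route originates from the uploaded import file rather than from an interactive request, so any action ids it carries were chosen by whoever produced the file; unless `createRules`/`patchRules` (or the alerts client beneath them) verifies that each referenced action exists in this space and may be used by the importing user, an import could bind a rule to connectors the importer never reviewed. Consider validating `actions` in the import schema and rejecting the individual rule when an id cannot be resolved, consistent with how the route already treats other per-rule failures (`return null;` at the top of the first hunk). `importRulesRoute` starts and ends outside the hunks.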
Expand Up @@ -46,6 +46,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
const rules = await Promise.all(
request.body.map(async payloadRule => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -70,6 +71,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
} = payloadRule;
Expand All @@ -78,6 +80,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
const rule = await patchRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -103,6 +106,7 @@ export const patchRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
});
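Review bot: `actions` and `throttle` are passed to `patchRules` exactly as destructured from `payloadRule`, so on a partial update they are `undefined` whenever the caller omits them; confirm that `patchRules` treats `undefined` as "leave unchanged" for both fields rather than replacing the stored actions with an empty set or clearing the throttle, since the PATCH semantics of the other forwarded fields presumably rely on the same convention. The same concern applies to `patchRulesRoute` and to the `patchRules` branch of `importRulesRoute`. `patchRulesBulkRoute` and its `.map(async payloadRule => …)` callback start and end outside the hunks.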
Expand Up @@ -30,6 +30,7 @@ export const patchRulesRoute = (router: IRouter) => {
},
async (context, request, response) => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -54,6 +55,7 @@ export const patchRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
} = request.body;
Expand All @@ -75,6 +77,7 @@ export const patchRulesRoute = (router: IRouter) => {
const rule = await patchRules({
actionsClient,
alertsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -100,6 +103,7 @@ export const patchRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
});
Expand Up @@ -47,6 +47,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
const rules = await Promise.all(
request.body.map(async payloadRule => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -71,6 +72,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
} = payloadRule;
Expand All @@ -80,6 +82,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
const rule = await updateRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
immutable: false,
Expand All @@ -106,6 +109,7 @@ export const updateRulesBulkRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
});
Expand Up @@ -30,6 +30,7 @@ export const updateRulesRoute = (router: IRouter) => {
},
async (context, request, response) => {
const {
actions,
description,
enabled,
false_positives: falsePositives,
Expand All @@ -54,6 +55,7 @@ export const updateRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
} = request.body;
Expand All @@ -76,6 +78,7 @@ export const updateRulesRoute = (router: IRouter) => {
const rule = await updateRules({
alertsClient,
actionsClient,
actions,
description,
enabled,
falsePositives,
Expand All @@ -102,6 +105,7 @@ export const updateRulesRoute = (router: IRouter) => {
to,
type,
threat,
throttle,
references,
version,
});
Expand Up @@ -37,6 +37,7 @@ describe('utils', () => {
const fullRule = getResult();
const rule = transformAlertToRule(fullRule);
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -101,6 +102,7 @@ describe('utils', () => {
const fullRule = getResult();
const { from, language, ...omitData } = transformAlertToRule(fullRule);
const expected: Partial<OutputRuleAlertRest> = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -164,6 +166,7 @@ describe('utils', () => {
fullRule.params.query = null;
const rule = transformAlertToRule(fullRule);
const expected: Partial<OutputRuleAlertRest> = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -228,6 +231,7 @@ describe('utils', () => {
fullRule.params.query = undefined;
const rule = transformAlertToRule(fullRule);
const expected: Partial<OutputRuleAlertRest> = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -293,6 +297,7 @@ describe('utils', () => {
fullRule.params.language = null;
const { from, enabled, ...omitData } = transformAlertToRule(fullRule);
const expected: Partial<OutputRuleAlertRest> = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -354,6 +359,7 @@ describe('utils', () => {
fullRule.enabled = false;
const ruleWithEnabledFalse = transformAlertToRule(fullRule);
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -419,6 +425,7 @@ describe('utils', () => {
fullRule.params.immutable = false;
const ruleWithEnabledFalse = transformAlertToRule(fullRule);
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -484,6 +491,7 @@ describe('utils', () => {
fullRule.tags = ['tag 1', 'tag 2', `${INTERNAL_IDENTIFIER}_some_other_value`];
const rule = transformAlertToRule(fullRule);
const expected: OutputRuleAlertRest = {
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',
Expand Down Expand Up @@ -633,6 +641,7 @@ describe('utils', () => {
data: [getResult()],
});
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -714,6 +723,7 @@ describe('utils', () => {
test('outputs 200 if the data is of type siem alert', () => {
const output = transform(getResult());
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -886,6 +896,7 @@ describe('utils', () => {
test('outputs 200 if the data is of type siem alert', () => {
const output = transformOrBulkError('rule-1', getResult());
const expected: OutputRuleAlertRest = {
actions: [],
created_by: 'elastic',
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
Expand Down Expand Up @@ -1008,6 +1019,7 @@ describe('utils', () => {
const transformed = transformAlertsToRules([result1]);
expect(transformed).toEqual([
{
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',
description: 'Detecting root and admin users',
Expand Down Expand Up @@ -1067,6 +1079,7 @@ describe('utils', () => {
const transformed = transformAlertsToRules([result1, result2]);
expect(transformed).toEqual([
{
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',
description: 'Detecting root and admin users',
Expand Down Expand Up @@ -1115,6 +1128,7 @@ describe('utils', () => {
version: 1,
},
{
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',
description: 'Detecting root and admin users',
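Review bot: Every updated expectation in this file pins `actions: []` and none includes `throttle`, so the two new output fields are only exercised with an empty list and, via `getResult`, a `null` throttle that `pickBy` drops; a populated actions array and a non-null throttle never reach an assertion. Following the pattern the file already uses (`fullRule.params.query = null;`), add one case that sets `fullRule.actions` to a non-empty list and `fullRule.params.throttle` to a string and expects both on the transformed rule, so a regression in the mapping is caught. The enclosing `describe('utils', …)` block starts and ends outside the hunks.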
Expand Up @@ -101,6 +101,7 @@ export const transformAlertToRule = (
ruleStatus?: SavedObject<IRuleSavedAttributesSavedObjectAttributes>
): Partial<OutputRuleAlertRest> => {
return pickBy<OutputRuleAlertRest>((value: unknown) => value != null, {
actions: alert.actions,
created_at: alert.createdAt.toISOString(),
updated_at: alert.updatedAt.toISOString(),
created_by: alert.createdBy,
Expand Down Expand Up @@ -131,6 +132,7 @@ export const transformAlertToRule = (
to: alert.params.to,
type: alert.params.type,
threat: alert.params.threat,
throttle: alert.params.throttle,
version: alert.params.version,
status: ruleStatus?.attributes.status,
status_date: ruleStatus?.attributes.statusDate,
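Review bot: `throttle` is read from `alert.params.throttle` while `actions` is read from the top-level `alert.actions`; if the alerting framework's own top-level `throttle` attribute is what governs when the rule's actions fire, then persisting throttle only inside `params` means this transform echoes the value back to the API without it ever taking effect — confirm which location `createRules` writes and read from that same location here. Likewise `actions: alert.actions` forwards the framework's action objects unchanged; the `RulesSchema` response type is not in this diff, so check that its `actions` member matches those objects' field names or the REST output will not conform to the documented shape. `transformAlertToRule` starts and ends outside the hunks.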
Expand Up @@ -18,6 +18,7 @@ import { RulesSchema } from '../schemas/response/rules_schema';
import { BulkError } from '../utils';

export const ruleOutput: RulesSchema = {
actions: [],
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
created_by: 'elastic',