[SIEM][Detection Engine] Refactors signal rule alert type into smalle…

…r code by creating functions Refactors signal rule alert type into a smaller executor ## Summary * Breaks out the schema into its own file and function * Breaks out the action group into its own file and function * Moves misc types being added to this into the `./types` file * Breaks out all the writing of errors and success into their own functions * Uses destructuring to pull data out of some of the data types * Tweaks the gap detection to accept a date instead of moment to ease "ergonomics" * Updates unit tests for the gap detection ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
elastic · Mar 16, 2020 · dfff4fd · dfff4fd
1 parent 8a57896
commit dfff4fd
Show file tree

Hide file tree

Showing 11 changed files with 416 additions and 238 deletions.
diff --git a/...egacy/plugins/siem/server/lib/detection_engine/signals/get_current_status_saved_object.ts b/...egacy/plugins/siem/server/lib/detection_engine/signals/get_current_status_saved_object.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SavedObjectsFindResponse, SavedObject } from 'src/core/server';
+
+import { AlertServices } from '../../../../../../../plugins/alerting/server';
+import { IRuleSavedAttributesSavedObjectAttributes } from '../rules/types';
+import { ruleStatusSavedObjectType } from '../rules/saved_object_mappings';
+
+interface CurrentStatusSavedObjectParams {
+  alertId: string;
+  services: AlertServices;
+  ruleStatusSavedObjects: SavedObjectsFindResponse<IRuleSavedAttributesSavedObjectAttributes>;
+}
+
+export const getCurrentStatusSavedObject = async ({
+  alertId,
+  services,
+  ruleStatusSavedObjects,
+}: CurrentStatusSavedObjectParams): Promise<SavedObject<
+  IRuleSavedAttributesSavedObjectAttributes
+>> => {
+  if (ruleStatusSavedObjects.saved_objects.length === 0) {
+    // create
+    const date = new Date().toISOString();
+    const currentStatusSavedObject = await services.savedObjectsClient.create<
+      IRuleSavedAttributesSavedObjectAttributes
+    >(ruleStatusSavedObjectType, {
+      alertId, // do a search for this id.
+      statusDate: date,
+      status: 'going to run',
+      lastFailureAt: null,
+      lastSuccessAt: null,
+      lastFailureMessage: null,
+      lastSuccessMessage: null,
+    });
+    return currentStatusSavedObject;
+  } else {
+    // update 0th to executing.
+    const currentStatusSavedObject = ruleStatusSavedObjects.saved_objects[0];
+    const sDate = new Date().toISOString();
+    currentStatusSavedObject.attributes.status = 'going to run';
+    currentStatusSavedObject.attributes.statusDate = sDate;
+    await services.savedObjectsClient.update(
+      ruleStatusSavedObjectType,
+      currentStatusSavedObject.id,
+      {
+        ...currentStatusSavedObject.attributes,
+      }
+    );
+    return currentStatusSavedObject;
+  }
+};
diff --git a/.../legacy/plugins/siem/server/lib/detection_engine/signals/get_rule_status_saved_objects.ts b/.../legacy/plugins/siem/server/lib/detection_engine/signals/get_rule_status_saved_objects.ts
@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SavedObjectsFindResponse } from 'kibana/server';
+import { AlertServices } from '../../../../../../../plugins/alerting/server';
+import { ruleStatusSavedObjectType } from '../rules/saved_object_mappings';
+import { IRuleSavedAttributesSavedObjectAttributes } from '../rules/types';
+
+interface GetRuleStatusSavedObject {
+  alertId: string;
+  services: AlertServices;
+}
+
+export const getRuleStatusSavedObjects = async ({
+  alertId,
+  services,
+}: GetRuleStatusSavedObject): Promise<SavedObjectsFindResponse<
+  IRuleSavedAttributesSavedObjectAttributes
+>> => {
+  return services.savedObjectsClient.find<IRuleSavedAttributesSavedObjectAttributes>({
+    type: ruleStatusSavedObjectType,
+    perPage: 6, // 0th element is current status, 1-5 is last 5 failures.
+    sortField: 'statusDate',
+    sortOrder: 'desc',
+    search: `${alertId}`,
+    searchFields: ['alertId'],
+  });
+};
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/siem_rule_action_groups.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/siem_rule_action_groups.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const siemRuleActionGroups = [
+  {
+    id: 'default',
+    name: i18n.translate('xpack.siem.detectionEngine.signalRuleAlert.actionGroups.default', {
+      defaultMessage: 'Default',
+    }),
+  },
+];
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_params_schema.ts
@@ -0,0 +1,40 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { schema } from '@kbn/config-schema';
+
+import { DEFAULT_MAX_SIGNALS } from '../../../../common/constants';
+
+/**
+ * This is the schema for the Alert Rule that represents the SIEM alert for signals
+ * that index into the .siem-signals-${space-id}
+ */
+export const signalParamsSchema = () =>
+  schema.object({
+    description: schema.string(),
+    note: schema.nullable(schema.string()),
+    falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }),
+    from: schema.string(),
+    ruleId: schema.string(),
+    immutable: schema.boolean({ defaultValue: false }),
+    index: schema.nullable(schema.arrayOf(schema.string())),
+    language: schema.nullable(schema.string()),
+    outputIndex: schema.nullable(schema.string()),
+    savedId: schema.nullable(schema.string()),
+    timelineId: schema.nullable(schema.string()),
+    timelineTitle: schema.nullable(schema.string()),
+    meta: schema.nullable(schema.object({}, { allowUnknowns: true })),
+    query: schema.nullable(schema.string()),
+    filters: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
+    maxSignals: schema.number({ defaultValue: DEFAULT_MAX_SIGNALS }),
+    riskScore: schema.number(),
+    severity: schema.string(),
+    threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
+    to: schema.string(),
+    type: schema.string(),
+    references: schema.arrayOf(schema.string(), { defaultValue: [] }),
+    version: schema.number({ defaultValue: 1 }),
+  });