
[Security] Adds field mapping support to rule creation Part II #71402

Merged
merged 7 commits into from
Jul 14, 2020

Conversation

spong
Member

@spong spong commented Jul 13, 2020

Summary

Followup to #70288, which includes:

  • Rule Execution logic for:
    • Severity Override
    • Risk Score Override
    • Rule Name Override
    • Timestamp Override
  • Support for toggling display of Building Block Rules:
    • Main Detections Page
    • Rule Details Page
  • Integrates AutocompleteField for:
    • Severity Override
    • Risk Score Override
    • Rule Name Override
    • Timestamp Override
  • Fixes rehydration of EditAboutStep in Edit Rule
  • Fixes Rule Details Description rollup

Additional followup cleanup:

  • Adds `risk_score` to `risk_score_mapping`
  • Improves field validation
  • Disables override fields for ML Rules
  • Orders SeverityMapping by severity on create/update
  • Allow unbounded max-signals

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@spong spong added enhancement New value added to drive a business result Team:SIEM release_note:skip Skip the PR/issue when compiling release notes Feature:Detection Rules Security Solution rules and Detection Engine labels Jul 13, 2020
@spong spong requested review from a team as code owners July 13, 2020 06:31
@spong spong self-assigned this Jul 13, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

Contributor

@rylnd rylnd left a comment


Played around a bit with creating rules with overrides and things look to be working! Nothing's obviously broken, at least 😉.

Thanks for improving those form components while you were in there 👍

{
title: label,
Contributor


Does this fix that UI warning about title being undefined?

Member Author


Yeah, I think that should take care of it. Was a little split on pulling in the i18n from the fields vs leveraging the forms schema label. I think it'll be best to use the label from the schema, but will need to re-work the data model for these complex fields once the hooksform fixes land.

@@ -192,18 +193,12 @@ export const getDescriptionItem = (
} else if (Array.isArray(get(field, data))) {
const values: string[] = get(field, data);
return buildStringArrayDescription(label, field, values);
// TODO: Add custom UI for Risk/Severity Mappings (and fix missing label)
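Review bot: the TODO on the last line of this hunk says the label is still missing for Risk/Severity mappings, yet the `buildStringArrayDescription(label, field, values)` call right above it already receives `label`; spell out in the comment which mapping fields fall through to this `Array.isArray` branch without a usable label (or link the follow-up issue) so the next reader knows what is actually left to fix.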
Contributor


Here it is 👍


const SeverityMappingParentContainer = styled(EuiFlexItem)`
max-width: 471px;
Contributor


That is a specific number!

Member Author


I want to work with @marrasherrier after the first BC to determine the best styling for the severity/risk overrides, as it's a lot of fields bunched up together (and is hard to make sense of the longer field/values). This is just to lock the container in place with the left-most portion of the form row.

expect(riskScore).toEqual({ riskScore: 57, riskScoreMeta: {} });
});

// TODO: Enhance...
Contributor


Member Author


Yeah, there are plenty of tests to write for exercising all the areas around building these mappings. I think I saw a situation where the io-ts type wasn't validating correctly and was getting risk scores > 100. So more to dig into here for sure. 🙂
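The validation gap mentioned in the comment above (an io-ts type letting risk scores above 100 through) is the kind of check the rule-execution override has to enforce itself. The following is an added TypeScript example, not Kibana's code; `buildRiskScoreFromMapping`, the mapping item shape and the contents of `riskScoreMeta` are assumptions for illustration.

```typescript
// Added example (not Kibana's own code): apply a risk_score_mapping override
// at rule-execution time and validate the overriding value before it is used.
// The names and the result shape are assumptions for illustration.

interface RiskScoreMappingItem {
  field: string; // dotted source path whose value overrides the rule's risk_score
}

interface RiskScoreResult {
  riskScore: number;
  riskScoreMeta: Record<string, unknown>;
}

// Minimal dotted-path lookup, standing in for lodash `get(field, data)`.
function getPath(source: Record<string, unknown>, path: string): unknown {
  let current: unknown = source;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object') return undefined;
    current = (current as Record<string, unknown>)[key];
  }
  return current;
}

// A risk score is only valid in the closed range 0..100; anything else taken
// from the event (negative, > 100, NaN, non-numeric) must not reach the signal.
function isValidRiskScore(value: unknown): value is number {
  return typeof value === 'number' && Number.isFinite(value) && value >= 0 && value <= 100;
}

function buildRiskScoreFromMapping(
  eventSource: Record<string, unknown>,
  defaultRiskScore: number,
  riskScoreMapping: RiskScoreMappingItem[]
): RiskScoreResult {
  // First mapping entry with a usable value wins.
  for (const { field } of riskScoreMapping) {
    const raw = getPath(eventSource, field);
    // Numeric strings from unmapped indices are accepted; empty strings are not.
    const candidate = typeof raw === 'string' && raw.trim() !== '' ? Number(raw) : raw;
    if (isValidRiskScore(candidate)) {
      return { riskScore: candidate, riskScoreMeta: { riskScoreOverridden: true, field } };
    }
  }
  // No usable override: fall back to the rule's own risk_score with empty meta.
  return { riskScore: defaultRiskScore, riskScoreMeta: {} };
}
```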

@kibanamachine
Contributor

💚 Build Succeeded

Build metrics

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@spong spong merged commit 8da80fe into elastic:master Jul 14, 2020
@spong spong deleted the rule-schema-updates-2 branch July 14, 2020 21:48
spong added a commit that referenced this pull request Jul 14, 2020
… (#71775)

## Summary

Followup to #70288, which includes:

- [X] Rule Execution logic for:
  - [X] Severity Override
  - [X] Risk Score Override
  - [X] Rule Name Override
  - [X] Timestamp Override
- [X] Support for toggling display of Building Block Rules:
  - [X] Main Detections Page
  - [X] Rule Details Page
- [X] Integrates `AutocompleteField` for:
  - [X] Severity Override
  - [X] Risk Score Override
  - [X] Rule Name Override
  - [X] Timestamp Override
- [X] Fixes rehydration of `EditAboutStep` in `Edit Rule`
- [X] Fixes `Rule Details` Description rollup


Additional followup cleanup:
- [ ] Adds `risk_score` to `risk_score_mapping`
- [ ] Improves field validation
- [ ] Disables override fields for ML Rules
- [ ] Orders `SeverityMapping` by `severity` on create/update
- [ ] Allow unbounded max-signals


### Checklist

Delete any items that are not applicable to this PR.

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials
  - Syncing w/ @benskelker
- [X] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
### For maintainers

- [X] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)
