github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[8.8] [Security Solution] Add a migration to unmute custom Security Solution rules (#156593) (#156728)

Browse source 
# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution] Add a migration to unmute custom Security
Solution rules (#156593)](https://github.com/elastic/kibana/pull/156593)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2023-05-04T19:11:35Z","message":"[Security
Solution] Add a migration to unmute custom Security Solution rules
(#156593)\n\n**Addresses:**
https://github.com/elastic/kibana/issues/156352\r\n\r\n##
Summary\r\n\r\nThis PR adds a migration to unmute all Security
Solution's custom rules while migrating to Kibana `8.8`. As we added
support for rule snoozing in `8.8`
https://github.com/elastic/security-team/issues/5308 users are able to
manage muting of rule notifications. Prior `8.8` Security Solution's
custom rules were muted under the hood if there is no
actions.","sha":"fc107d0e5b36e7bc49f4230f2a85d50d16050323","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection
Rules","backport:prev-minor","v8.8.0","v8.9.0"],"number":156593,"url":"https://github.com/elastic/kibana/pull/156593","mergeCommit":{"message":"[Security
Solution] Add a migration to unmute custom Security Solution rules
(#156593)\n\n**Addresses:**
https://github.com/elastic/kibana/issues/156352\r\n\r\n##
Summary\r\n\r\nThis PR adds a migration to unmute all Security
Solution's custom rules while migrating to Kibana `8.8`. As we added
support for rule snoozing in `8.8`
https://github.com/elastic/security-team/issues/5308 users are able to
manage muting of rule notifications. Prior `8.8` Security Solution's
custom rules were muted under the hood if there is no
actions.","sha":"fc107d0e5b36e7bc49f4230f2a85d50d16050323"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/156593","number":156593,"mergeCommit":{"message":"[Security
Solution] Add a migration to unmute custom Security Solution rules
(#156593)\n\n**Addresses:**
https://github.com/elastic/kibana/issues/156352\r\n\r\n##
Summary\r\n\r\nThis PR adds a migration to unmute all Security
Solution's custom rules while migrating to Kibana `8.8`. As we added
support for rule snoozing in `8.8`
https://github.com/elastic/security-team/issues/5308 users are able to
manage muting of rule notifications. Prior `8.8` Security Solution's
custom rules were muted under the hood if there is no
actions.","sha":"fc107d0e5b36e7bc49f4230f2a85d50d16050323"}}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
This commit is contained in:
Kibana Machine 2023-05-04 17:25:44 -04:00 committed by GitHub
parent a5f358ccf2
commit 67699a987e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 156 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

23
x-pack/plugins/alerting/server/saved_objects/migrations/8.8/index.ts
View file

@ -73,9 +73,30 @@ function addSecuritySolutionActionsFrequency(
return doc;
}
function unmuteSecuritySolutionCustomRules(
doc: SavedObjectUnsanitizedDoc<RawRule>
): SavedObjectUnsanitizedDoc<RawRule> {
if (!isDetectionEngineAADRuleType(doc)) {
return doc;
}
return {
...doc,
attributes: {
...doc.attributes,
muteAll: false,
},
};
}
export const getMigrations880 = (encryptedSavedObjects: EncryptedSavedObjectsPluginSetup) =>
createEsoMigration(
encryptedSavedObjects,
(doc: SavedObjectUnsanitizedDoc<RawRule>): doc is SavedObjectUnsanitizedDoc<RawRule> => true,
pipeMigrations(addActionUuid, addRevision, addSecuritySolutionActionsFrequency)
pipeMigrations(
addActionUuid,
addRevision,
addSecuritySolutionActionsFrequency,
unmuteSecuritySolutionCustomRules
)
);

58
x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
View file

@ -2653,20 +2653,26 @@ describe('successful migrations', () => {
]);
});
test('migrates rule to include revision and defaults revision to 0', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)['8.8.0'];
describe('security rule version to revision', () => {
test('migrates rule to include revision and defaults revision to 0', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];
const rule = getMockData();
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(0);
});
const rule = getMockData();
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(0);
});
test('migrates security rule version to revision', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)['8.8.0'];
test('migrates security rule version to revision', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];
const rule = getMockData({ alertTypeId: ruleTypeMappings.eql, params: { version: 2 } });
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(2);
const rule = getMockData({ alertTypeId: ruleTypeMappings.eql, params: { version: 2 } });
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.revision).toEqual(2);
});
});
describe('migrate actions frequency for Security Solution ', () => {
@ -2714,6 +2720,36 @@ describe('successful migrations', () => {
expect(updatedActions).toEqual(rule.attributes.actions);
});
});
describe('unmute security rules', () => {
test.each(Object.values(ruleTypeMappings))(
'unmutes custom rules of type "%s" successfully',
(ruleType) => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];
const rule = getMockData({ alertTypeId: ruleType, muteAll: true });
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.muteAll).toBeFalsy();
}
);
test('ignores non security rules', () => {
const migration880 = getMigrations(encryptedSavedObjectsSetup, {}, isPreconfigured)[
'8.8.0'
];
const rule = getMockData({
alertTypeId: 'unknown',
muteAll: true,
});
const migratedAlert880 = migration880(rule, migrationContext);
expect(migratedAlert880.attributes.muteAll).toBeTruthy();
});
});
});
describe('Metrics Inventory Threshold rule', () => {

22
x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group4/migrations.ts
View file

@ -692,5 +692,27 @@ export default function createGetTests({ getService }: FtrProviderContext) {
}),
]);
});
it('8.8 unmutes only security rules', async () => {
const securityCustomRuleId = 'alert:88bc8c21-07ba-42eb-ad9c-06820275ac10';
const securityImmutableRuleId = 'alert:8990af61-c09a-11ec-9164-4bfd6fc32c43';
const nonSecurityRuleId = 'alert:74f3e6d7-b7bb-477d-ac28-92ee22728e6e';
const { docs } = await es.mget<{ alert: RawRule }>({
index: ALERTING_CASES_SAVED_OBJECT_INDEX,
body: { ids: [securityCustomRuleId, securityImmutableRuleId, nonSecurityRuleId] },
});
const securityCustomRuleMuteAll =
'_source' in docs[0] ? docs[0]._source?.alert.muteAll : undefined;
const securityImmutableRuleMuteAll =
'_source' in docs[1] ? docs[1]._source?.alert.muteAll : undefined;
const nonSecurityRuleMuteAll =
'_source' in docs[2] ? docs[2]._source?.alert.muteAll : undefined;
expect(securityCustomRuleMuteAll).toBeFalsy();
expect(securityImmutableRuleMuteAll).toBeFalsy();
expect(nonSecurityRuleMuteAll).toBeTruthy();
});
});
}

67
x-pack/test/functional/es_archives/alerts/data.json
View file

@ -14,7 +14,7 @@
"createdAt": "2020-06-17T15:35:38.497Z",
"createdBy": "elastic",
"enabled": true,
"muteAll": false,
"muteAll": true,
"mutedInstanceIds": [
],
"name": "always-firing-alert",
@ -1023,7 +1023,7 @@
"createdBy":"elastic",
"updatedBy":"elastic",
"createdAt":"2021-07-27T20:42:55.896Z",
"muteAll":false,
"muteAll":true,
"mutedInstanceIds":[
],
@ -1407,4 +1407,67 @@
}
}
}
}
{
"type":"doc",
"value":{
"id":"alert:88bc8c21-07ba-42eb-ad9c-06820275ac10",
"index":".kibana_1",
"source":{
"alert":{
"name":"Test unmuting of a custom security rule",
"alertTypeId":"siem.queryRule",
"consumer":"siem",
"params":{
"immutable":false,
"ruleId":"bf9638eb-8d3c-4f40-83d7-8c40a7c80f2e",
"author":[],
"description":"Test unmuting of a custom security rule",
"falsePositives":[],
"from":"now-36000060s",
"license":"",
"outputIndex":".siem-signals-default",
"meta":{
"from":"10000h"
},
"maxSignals":100,
"riskScore":21,
"riskScoreMapping":[],
"severity":"low",
"severityMapping":[],
"threat":[],
"to":"now",
"references":[],
"version":0,
"exceptionsList":[],
"type":"query",
"language":"kuery",
"index":["test-index"],
"query":"*:*",
"filters":[]
},
"schedule":{
"interval":"5m"
},
"enabled":false,
"actions": [],
"apiKeyOwner":null,
"apiKey":null,
"createdBy":"elastic",
"updatedBy":"elastic",
"createdAt":"2023-03-27T20:42:55.896Z",
"muteAll":true,
"mutedInstanceIds":[],
"scheduledTaskId":null,
"tags":[]
},
"type":"alert",
"migrationVersion":{
"alert":"8.7.0"
},
"updated_at":"2023-03-27T20:42:55.896Z",
"references":[]
}
}
}