github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 09:48:58 -04:00
Code Issues Projects Releases Packages Wiki Activity

[SIEM][Detection Engine] Fixes critical regression on the backend with immutable and tags

Browse source 
## Summary

Fixes regression with immutable caused from:
https://github.com/elastic/kibana/pull/55004

* Updated types of Prepackaged 
* Updated unit tests
* Fixed unit test for it

Testing:

```
./post_rule.sh 
{
  "created_at": "2020-01-17T19:11:31.813Z",
  "updated_at": "2020-01-17T19:11:31.813Z",
  "created_by": "elastic_kibana",
  "description": "Query with a rule_id that acts like an external id",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "41ef6309-ef98-4c9f-8d2d-90a070361fb7",
  "immutable": false,
  "interval": "5m",
  "rule_id": "query-rule-id",
  "language": "kuery",
  "output_index": ".siem-signals-frank-hassanabad-default",
  "max_signals": 100,
  "risk_score": 1,
  "name": "Query with a rule id",
  "query": "user.name: root or user.name: admin",
  "references": [],
  "severity": "high",
  "updated_by": "elastic_kibana",
  "tags": [],
  "to": "now",
  "type": "query",
  "threats": [],
  "version": 1
}
```

Then get the saved object using whatever the id is comes back from above. In this example it is 41ef6309-ef98-4c9f-8d2d-90a070361fb7, yours will be different

```
./get_saved_objects.sh alert 41ef6309-ef98-4c9f-8d2d-90a070361fb7
{
  "id": "41ef6309-ef98-4c9f-8d2d-90a070361fb7",
  "type": "alert",
  "updated_at": "2020-01-17T19:11:32.844Z",
  "version": "WzY5NTQsMV0=",
  "attributes": {
    "name": "Query with a rule id",
    "tags": [
      "__internal_rule_id:query-rule-id",
      "__internal_immutable:false"
    ],
    "alertTypeId": "siem.signals",
    "consumer": "siem",
    "params": {
      "createdAt": "2020-01-17T19:11:31.813Z",
      "description": "Query with a rule_id that acts like an external id",
      "ruleId": "query-rule-id",
      "index": null,
      "falsePositives": [],
      "from": "now-6m",
      "immutable": false,
      "query": "user.name: root or user.name: admin",
      "language": "kuery",
      "outputIndex": ".siem-signals-frank-hassanabad-default",
      "savedId": null,
      "timelineId": null,
      "timelineTitle": null,
      "meta": null,
      "filters": null,
      "maxSignals": 100,
      "riskScore": 1,
      "severity": "high",
      "threats": [],
      "to": "now",
      "type": "query",
      "updatedAt": "2020-01-17T19:11:31.813Z",
      "references": [],
      "version": 1
    },
    "schedule": {
      "interval": "5m"
    },
    "enabled": true,
    "actions": [],
    "throttle": null,
    "apiKeyOwner": "elastic_kibana",
    "createdBy": "elastic_kibana",
    "updatedBy": "elastic_kibana",
    "createdAt": "2020-01-17T19:11:32.245Z",
    "muteAll": false,
    "mutedInstanceIds": [],
    "scheduledTaskId": "2c5cc340-395d-11ea-9276-d3c1c264ca9a"
  },
  "references": []
}
```

Ensure you have the internal immutable of "__internal_immutable:false" In your tags


Next test is to do a find filter of non-packaged rules:

```
./find_rule_by_filter.sh "alert.attributes.tags:%20%22__internal_immutable:false%22"
```

You should get back the above rule any others you created.

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
This commit is contained in:
Frank Hassanabad 2020-01-17 16:53:04 -07:00 committed by GitHub
parent 81bcaed7ae
commit 6cfd1d48b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
17 changed files with 170 additions and 171 deletions
Download patch file Download diff file Expand all files Collapse all files

6
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
View file

@ -18,9 +18,9 @@ import {
DETECTION_ENGINE_PREPACKAGED_URL,
} from '../../../../../common/constants';
import { RuleAlertType, IRuleSavedAttributesSavedObjectAttributes } from '../../rules/types';
import { RuleAlertParamsRest } from '../../types';
import { RuleAlertParamsRest, PrepackagedRules } from '../../types';
export const fullRuleAlertParamsRest = (): RuleAlertParamsRest => ({
export const mockPrepackagedRule = (): PrepackagedRules => ({
rule_id: 'rule-1',
description: 'Detecting root and admin users',
index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
@ -51,8 +51,6 @@ export const fullRuleAlertParamsRest = (): RuleAlertParamsRest => ({
false_positives: [],
saved_id: 'some-id',
max_signals: 100,
created_at: '2019-12-13T16:40:33.400Z',
updated_at: '2019-12-13T16:40:33.400Z',
timeline_id: 'timeline-id',
timeline_title: 'timeline-title',
});

3
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts
View file

@ -55,7 +55,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
enabled,
false_positives: falsePositives,
from,
immutable,
query,
language,
output_index: outputIndex,
@ -109,7 +108,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
enabled,
falsePositives,
from,
immutable,
immutable: false,
query,
language,
outputIndex: finalIndex,

3
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts
View file

@ -39,7 +39,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
enabled,
false_positives: falsePositives,
from,
immutable,
query,
language,
output_index: outputIndex,
@ -96,7 +95,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
enabled,
falsePositives,
from,
immutable,
immutable: false,
query,
language,
outputIndex: finalIndex,

2
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts
View file

@ -44,7 +44,6 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
enabled,
false_positives: falsePositives,
from,
immutable,
query,
language,
output_index: outputIndex,
@ -77,7 +76,6 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
enabled,
falsePositives,
from,
immutable,
query,
language,
outputIndex,

2
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts
View file

@ -33,7 +33,6 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = {
enabled,
false_positives: falsePositives,
from,
immutable,
query,
language,
output_index: outputIndex,
@ -75,7 +74,6 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = {
enabled,
falsePositives,
from,
immutable,
query,
language,
outputIndex,

127
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts
View file

@ -4,20 +4,17 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { UpdateRuleAlertParamsRest } from '../../rules/types';
import { ThreatParams, RuleAlertParamsRest } from '../../types';
import { ThreatParams, PrepackagedRules } from '../../types';
import { addPrepackagedRulesSchema } from './add_prepackaged_rules_schema';
describe('add prepackaged rules schema', () => {
test('empty objects do not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<UpdateRuleAlertParamsRest>>({}).error
).toBeTruthy();
expect(addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({}).error).toBeTruthy();
});
test('made up values do not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest & { madeUp: string }>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules & { madeUp: string }>>({
madeUp: 'hi',
}).error
).toBeTruthy();
@ -25,7 +22,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
}).error
).toBeTruthy();
@ -33,7 +30,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
}).error
@ -42,7 +39,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -52,7 +49,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -63,7 +60,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -75,7 +72,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name, severity] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -88,7 +85,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name, severity, type] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -102,7 +99,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, interval] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -117,7 +114,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, interval, index] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -133,7 +130,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, query, index, interval, version] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -152,7 +149,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language] does not validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -170,7 +167,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, version] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -190,7 +187,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, output_index] does not validate because output_index is not allowed', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -211,7 +208,7 @@ describe('add prepackaged rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -229,7 +226,7 @@ describe('add prepackaged rules schema', () => {
test('You can send in an empty array to threats', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -251,7 +248,7 @@ describe('add prepackaged rules schema', () => {
});
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, threats] does validate', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -286,7 +283,7 @@ describe('add prepackaged rules schema', () => {
test('allows references to be sent as valid', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -307,7 +304,7 @@ describe('add prepackaged rules schema', () => {
test('defaults references to an array', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -327,7 +324,7 @@ describe('add prepackaged rules schema', () => {
test('defaults immutable to true', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -347,7 +344,7 @@ describe('add prepackaged rules schema', () => {
test('immutable cannot be false', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -368,7 +365,7 @@ describe('add prepackaged rules schema', () => {
test('immutable can be true', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -389,7 +386,7 @@ describe('add prepackaged rules schema', () => {
test('defaults enabled to false', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -409,7 +406,7 @@ describe('add prepackaged rules schema', () => {
test('rule_id is required', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
risk_score: 50,
description: 'some description',
from: 'now-5m',
@ -429,7 +426,7 @@ describe('add prepackaged rules schema', () => {
test('references cannot be numbers', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'references'>> & { references: number[] }
Partial<Omit<PrepackagedRules, 'references'>> & { references: number[] }
>({
rule_id: 'rule-1',
risk_score: 50,
@ -454,7 +451,7 @@ describe('add prepackaged rules schema', () => {
test('indexes cannot be numbers', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'index'>> & { index: number[] }
Partial<Omit<PrepackagedRules, 'index'>> & { index: number[] }
>({
rule_id: 'rule-1',
risk_score: 50,
@ -477,7 +474,7 @@ describe('add prepackaged rules schema', () => {
test('defaults interval to 5 min', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -494,7 +491,7 @@ describe('add prepackaged rules schema', () => {
test('defaults max signals to 100', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -512,7 +509,7 @@ describe('add prepackaged rules schema', () => {
test('saved_id is required when type is saved_query and will not validate without out', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -530,7 +527,7 @@ describe('add prepackaged rules schema', () => {
test('saved_id is required when type is saved_query and validates with it', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -549,7 +546,7 @@ describe('add prepackaged rules schema', () => {
test('saved_query type can have filters with it', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -570,7 +567,7 @@ describe('add prepackaged rules schema', () => {
test('filters cannot be a string', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'filters'> & { filters: string }>
Partial<Omit<PrepackagedRules, 'filters'> & { filters: string }>
>({
rule_id: 'rule-1',
risk_score: 50,
@ -591,7 +588,7 @@ describe('add prepackaged rules schema', () => {
test('language validates with kuery', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -612,7 +609,7 @@ describe('add prepackaged rules schema', () => {
test('language validates with lucene', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -633,7 +630,7 @@ describe('add prepackaged rules schema', () => {
test('language does not validate with something made up', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -654,7 +651,7 @@ describe('add prepackaged rules schema', () => {
test('max_signals cannot be negative', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -676,7 +673,7 @@ describe('add prepackaged rules schema', () => {
test('max_signals cannot be zero', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -698,7 +695,7 @@ describe('add prepackaged rules schema', () => {
test('max_signals can be 1', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -720,7 +717,7 @@ describe('add prepackaged rules schema', () => {
test('You can optionally send in an array of tags', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -744,7 +741,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot send in an array of tags that are numbers', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'tags'>> & { tags: number[] }
Partial<Omit<PrepackagedRules, 'tags'>> & { tags: number[] }
>({
rule_id: 'rule-1',
risk_score: 50,
@ -771,7 +768,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot send in an array of threats that are missing "framework"', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<PrepackagedRules, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'framework'>>>;
}
>({
@ -815,7 +812,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot send in an array of threats that are missing "tactic"', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<PrepackagedRules, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'tactic'>>>;
}
>({
@ -855,7 +852,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot send in an array of threats that are missing "techniques"', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<PrepackagedRules, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'technique'>>>;
}
>({
@ -892,7 +889,7 @@ describe('add prepackaged rules schema', () => {
test('You can optionally send in an array of false positives', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -916,7 +913,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot send in an array of false positives that are numbers', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'false_positives'>> & { false_positives: number[] }
Partial<Omit<PrepackagedRules, 'false_positives'>> & { false_positives: number[] }
>({
rule_id: 'rule-1',
risk_score: 50,
@ -942,7 +939,7 @@ describe('add prepackaged rules schema', () => {
test('You can optionally set the immutable to be true', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -966,7 +963,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot set the immutable to be a number', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'immutable'>> & { immutable: number }
Partial<Omit<PrepackagedRules, 'immutable'>> & { immutable: number }
>({
rule_id: 'rule-1',
risk_score: 50,
@ -990,7 +987,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot set the risk_score to 101', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 101,
description: 'some description',
@ -1013,7 +1010,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot set the risk_score to -1', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: -1,
description: 'some description',
@ -1036,7 +1033,7 @@ describe('add prepackaged rules schema', () => {
test('You can set the risk_score to 0', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 0,
description: 'some description',
@ -1059,7 +1056,7 @@ describe('add prepackaged rules schema', () => {
test('You can set the risk_score to 100', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 100,
description: 'some description',
@ -1082,7 +1079,7 @@ describe('add prepackaged rules schema', () => {
test('You can set meta to any object you want', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1109,7 +1106,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot create meta as a string', () => {
expect(
addPrepackagedRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'meta'> & { meta: string }>
Partial<Omit<PrepackagedRules, 'meta'> & { meta: string }>
>({
rule_id: 'rule-1',
risk_score: 50,
@ -1134,7 +1131,7 @@ describe('add prepackaged rules schema', () => {
test('You can omit the query string when filters are present', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1157,7 +1154,7 @@ describe('add prepackaged rules schema', () => {
test('validates with timeline_id and timeline_title', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1180,7 +1177,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot omit timeline_title when timeline_id is present', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1204,7 +1201,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot have a null value for timeline_title when timeline_id is present', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1229,7 +1226,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot have empty string for timeline_title when timeline_id is present', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1254,7 +1251,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot have timeline_title with an empty timeline_id', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -1279,7 +1276,7 @@ describe('add prepackaged rules schema', () => {
test('You cannot have timeline_title without timeline_id', () => {
expect(
addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',

3
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts
View file

@ -884,7 +884,6 @@ describe('create rules schema', () => {
description: 'some description',
from: 'now-5m',
to: 'now',
immutable: true,
index: ['index-1'],
name: 'some-name',
severity: 'severity',
@ -907,7 +906,6 @@ describe('create rules schema', () => {
description: 'some description',
from: 'now-5m',
to: 'now',
immutable: true,
index: ['index-1'],
name: 'some-name',
severity: 'severity',
@ -999,7 +997,6 @@ describe('create rules schema', () => {
description: 'some description',
from: 'now-5m',
to: 'now',
immutable: true,
index: ['index-1'],
name: 'some-name',
severity: 'severity',

116
x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts
View file

@ -9,18 +9,18 @@ import {
importRulesQuerySchema,
importRulesPayloadSchema,
} from './import_rules_schema';
import { ThreatParams, RuleAlertParamsRest, ImportRuleAlertRest } from '../../types';
import { ThreatParams, ImportRuleAlertRest } from '../../types';
import { ImportRulesRequest } from '../../rules/types';
describe('import rules schema', () => {
describe('importRulesSchema', () => {
test('empty objects do not validate', () => {
expect(importRulesSchema.validate<Partial<RuleAlertParamsRest>>({}).error).toBeTruthy();
expect(importRulesSchema.validate<Partial<ImportRuleAlertRest>>({}).error).toBeTruthy();
});
test('made up values do not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest & { madeUp: string }>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest & { madeUp: string }>>({
madeUp: 'hi',
}).error
).toBeTruthy();
@ -28,7 +28,7 @@ describe('import rules schema', () => {
test('[rule_id] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
}).error
).toBeTruthy();
@ -36,7 +36,7 @@ describe('import rules schema', () => {
test('[rule_id, description] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
}).error
@ -45,7 +45,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -55,7 +55,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -66,7 +66,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -78,7 +78,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name, severity] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -91,7 +91,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name, severity, type] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -105,7 +105,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, interval] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -120,7 +120,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, interval, index] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -136,7 +136,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, name, severity, type, query, index, interval] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -154,7 +154,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language] does not validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -172,7 +172,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
risk_score: 50,
description: 'some description',
@ -191,7 +191,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, output_index] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -211,7 +211,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
description: 'some description',
from: 'now-5m',
@ -228,7 +228,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -246,7 +246,7 @@ describe('import rules schema', () => {
test('You can send in an empty array to threats', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -269,7 +269,7 @@ describe('import rules schema', () => {
test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -304,7 +304,7 @@ describe('import rules schema', () => {
test('allows references to be sent as valid', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -325,7 +325,7 @@ describe('import rules schema', () => {
test('defaults references to an array', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -346,7 +346,7 @@ describe('import rules schema', () => {
test('references cannot be numbers', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'references'>> & { references: number[] }
Partial<Omit<ImportRuleAlertRest, 'references'>> & { references: number[] }
>({
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -371,7 +371,7 @@ describe('import rules schema', () => {
test('indexes cannot be numbers', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'index'>> & { index: number[] }
Partial<Omit<ImportRuleAlertRest, 'index'>> & { index: number[] }
>({
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -394,7 +394,7 @@ describe('import rules schema', () => {
test('defaults interval to 5 min', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -411,7 +411,7 @@ describe('import rules schema', () => {
test('defaults max signals to 100', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -429,7 +429,7 @@ describe('import rules schema', () => {
test('saved_id is required when type is saved_query and will not validate without out', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -447,7 +447,7 @@ describe('import rules schema', () => {
test('saved_id is required when type is saved_query and validates with it', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
risk_score: 50,
output_index: '.siem-signals',
@ -466,7 +466,7 @@ describe('import rules schema', () => {
test('saved_query type can have filters with it', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -487,7 +487,7 @@ describe('import rules schema', () => {
test('filters cannot be a string', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'filters'> & { filters: string }>
Partial<Omit<ImportRuleAlertRest, 'filters'> & { filters: string }>
>({
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -508,7 +508,7 @@ describe('import rules schema', () => {
test('language validates with kuery', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -529,7 +529,7 @@ describe('import rules schema', () => {
test('language validates with lucene', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
risk_score: 50,
output_index: '.siem-signals',
@ -550,7 +550,7 @@ describe('import rules schema', () => {
test('language does not validate with something made up', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -571,7 +571,7 @@ describe('import rules schema', () => {
test('max_signals cannot be negative', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -593,7 +593,7 @@ describe('import rules schema', () => {
test('max_signals cannot be zero', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -615,7 +615,7 @@ describe('import rules schema', () => {
test('max_signals can be 1', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -637,7 +637,7 @@ describe('import rules schema', () => {
test('You can optionally send in an array of tags', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -660,7 +660,7 @@ describe('import rules schema', () => {
test('You cannot send in an array of tags that are numbers', () => {
expect(
importRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'tags'>> & { tags: number[] }>(
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'tags'>> & { tags: number[] }>(
{
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -688,7 +688,7 @@ describe('import rules schema', () => {
test('You cannot send in an array of threats that are missing "framework"', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'framework'>>>;
}
>({
@ -732,7 +732,7 @@ describe('import rules schema', () => {
test('You cannot send in an array of threats that are missing "tactic"', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'tactic'>>>;
}
>({
@ -772,7 +772,7 @@ describe('import rules schema', () => {
test('You cannot send in an array of threats that are missing "techniques"', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
threats: Array<Partial<Omit<ThreatParams, 'technique'>>>;
}
>({
@ -809,7 +809,7 @@ describe('import rules schema', () => {
test('You can optionally send in an array of false positives', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -833,7 +833,7 @@ describe('import rules schema', () => {
test('You cannot send in an array of false positives that are numbers', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'false_positives'>> & { false_positives: number[] }
Partial<Omit<ImportRuleAlertRest, 'false_positives'>> & { false_positives: number[] }
>({
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -859,7 +859,7 @@ describe('import rules schema', () => {
test('You can optionally set the immutable to be true', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -883,7 +883,7 @@ describe('import rules schema', () => {
test('You cannot set the immutable to be a number', () => {
expect(
importRulesSchema.validate<
Partial<Omit<RuleAlertParamsRest, 'immutable'>> & { immutable: number }
Partial<Omit<ImportRuleAlertRest, 'immutable'>> & { immutable: number }
>({
rule_id: 'rule-1',
output_index: '.siem-signals',
@ -907,7 +907,7 @@ describe('import rules schema', () => {
test('You cannot set the risk_score to 101', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 101,
@ -930,7 +930,7 @@ describe('import rules schema', () => {
test('You cannot set the risk_score to -1', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: -1,
@ -953,7 +953,7 @@ describe('import rules schema', () => {
test('You can set the risk_score to 0', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 0,
@ -976,7 +976,7 @@ describe('import rules schema', () => {
test('You can set the risk_score to 100', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 100,
@ -999,7 +999,7 @@ describe('import rules schema', () => {
test('You can set meta to any object you want', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1025,7 +1025,7 @@ describe('import rules schema', () => {
test('You cannot create meta as a string', () => {
expect(
importRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'meta'> & { meta: string }>>({
importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'meta'> & { meta: string }>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1049,7 +1049,7 @@ describe('import rules schema', () => {
test('You can omit the query string when filters are present', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1072,7 +1072,7 @@ describe('import rules schema', () => {
test('validates with timeline_id and timeline_title', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1095,7 +1095,7 @@ describe('import rules schema', () => {
test('You cannot omit timeline_title when timeline_id is present', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1117,7 +1117,7 @@ describe('import rules schema', () => {
test('You cannot have a null value for timeline_title when timeline_id is present', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1140,7 +1140,7 @@ describe('import rules schema', () => {
test('You cannot have empty string for timeline_title when timeline_id is present', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1165,7 +1165,7 @@ describe('import rules schema', () => {
test('You cannot have timeline_title with an empty timeline_id', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,
@ -1188,7 +1188,7 @@ describe('import rules schema', () => {
test('You cannot have timeline_title without timeline_id', () => {
expect(
importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
rule_id: 'rule-1',
output_index: '.siem-signals',
risk_score: 50,

4
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts
View file

@ -5,7 +5,7 @@
*/
import { getPrepackagedRules } from './get_prepackaged_rules';
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
import { isEmpty } from 'lodash/fp';
describe('get_existing_prepackaged_rules', () => {
@ -15,7 +15,7 @@ describe('get_existing_prepackaged_rules', () => {
test('no rule should have the same rule_id as another rule_id', () => {
const prePacakgedRules = getPrepackagedRules();
let existingRuleIds: RuleAlertParamsRest[] = [];
let existingRuleIds: PrepackagedRules[] = [];
prePacakgedRules.forEach(rule => {
const foundDuplicate = existingRuleIds.reduce((accum, existingRule) => {
if (existingRule.rule_id === rule.rule_id) {

8
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts
View file

@ -4,7 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
import { addPrepackagedRulesSchema } from '../routes/schemas/add_prepackaged_rules_schema';
import { rawRules } from './prepackaged_rules';
@ -13,9 +13,7 @@ import { rawRules } from './prepackaged_rules';
* that they are adding incorrect schema rules. Also this will auto-flush in all the default
* aspects such as default interval of 5 minutes, default arrays, etc...
*/
export const validateAllPrepackagedRules = (
rules: RuleAlertParamsRest[]
): RuleAlertParamsRest[] => {
export const validateAllPrepackagedRules = (rules: PrepackagedRules[]): PrepackagedRules[] => {
return rules.map(rule => {
const validatedRule = addPrepackagedRulesSchema.validate(rule);
if (validatedRule.error != null) {
@ -35,6 +33,6 @@ export const validateAllPrepackagedRules = (
});
};
export const getPrepackagedRules = (rules = rawRules): RuleAlertParamsRest[] => {
export const getPrepackagedRules = (rules = rawRules): PrepackagedRules[] => {
return validateAllPrepackagedRules(rules);
};

16
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_install.test.ts
View file

@ -5,7 +5,7 @@
*/
import { getRulesToInstall } from './get_rules_to_install';
import { getResult, fullRuleAlertParamsRest } from '../routes/__mocks__/request_responses';
import { getResult, mockPrepackagedRule } from '../routes/__mocks__/request_responses';
describe('get_rules_to_install', () => {
test('should return empty array if both rule sets are empty', () => {
@ -14,7 +14,7 @@ describe('get_rules_to_install', () => {
});
test('should return empty array if the two rule ids match', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
const installedRule = getResult();
@ -24,7 +24,7 @@ describe('get_rules_to_install', () => {
});
test('should return the rule to install if the id of the two rules do not match', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
const installedRule = getResult();
@ -34,10 +34,10 @@ describe('get_rules_to_install', () => {
});
test('should return two rules to install if both the ids of the two rules do not match', () => {
const ruleFromFileSystem1 = fullRuleAlertParamsRest();
const ruleFromFileSystem1 = mockPrepackagedRule();
ruleFromFileSystem1.rule_id = 'rule-1';
const ruleFromFileSystem2 = fullRuleAlertParamsRest();
const ruleFromFileSystem2 = mockPrepackagedRule();
ruleFromFileSystem2.rule_id = 'rule-2';
const installedRule = getResult();
@ -47,13 +47,13 @@ describe('get_rules_to_install', () => {
});
test('should return two rules of three to install if both the ids of the two rules do not match but the third does', () => {
const ruleFromFileSystem1 = fullRuleAlertParamsRest();
const ruleFromFileSystem1 = mockPrepackagedRule();
ruleFromFileSystem1.rule_id = 'rule-1';
const ruleFromFileSystem2 = fullRuleAlertParamsRest();
const ruleFromFileSystem2 = mockPrepackagedRule();
ruleFromFileSystem2.rule_id = 'rule-2';
const ruleFromFileSystem3 = fullRuleAlertParamsRest();
const ruleFromFileSystem3 = mockPrepackagedRule();
ruleFromFileSystem3.rule_id = 'rule-3';
const installedRule = getResult();

6
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_install.ts
View file

@ -4,13 +4,13 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
import { RuleAlertType } from './types';
export const getRulesToInstall = (
rulesFromFileSystem: RuleAlertParamsRest[],
rulesFromFileSystem: PrepackagedRules[],
installedRules: RuleAlertType[]
): RuleAlertParamsRest[] => {
): PrepackagedRules[] => {
return rulesFromFileSystem.filter(
rule => !installedRules.some(installedRule => installedRule.params.ruleId === rule.rule_id)
);

16
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_update.test.ts
View file

@ -5,7 +5,7 @@
*/
import { getRulesToUpdate } from './get_rules_to_update';
import { getResult, fullRuleAlertParamsRest } from '../routes/__mocks__/request_responses';
import { getResult, mockPrepackagedRule } from '../routes/__mocks__/request_responses';
describe('get_rules_to_update', () => {
test('should return empty array if both rule sets are empty', () => {
@ -14,7 +14,7 @@ describe('get_rules_to_update', () => {
});
test('should return empty array if the id of the two rules do not match', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
ruleFromFileSystem.version = 2;
@ -26,7 +26,7 @@ describe('get_rules_to_update', () => {
});
test('should return empty array if the id of file system rule is less than the installed version', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
ruleFromFileSystem.version = 1;
@ -38,7 +38,7 @@ describe('get_rules_to_update', () => {
});
test('should return empty array if the id of file system rule is the same as the installed version', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
ruleFromFileSystem.version = 1;
@ -50,7 +50,7 @@ describe('get_rules_to_update', () => {
});
test('should return the rule to update if the id of file system rule is greater than the installed version', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
ruleFromFileSystem.version = 2;
@ -62,7 +62,7 @@ describe('get_rules_to_update', () => {
});
test('should return 1 rule out of 2 to update if the id of file system rule is greater than the installed version of just one', () => {
const ruleFromFileSystem = fullRuleAlertParamsRest();
const ruleFromFileSystem = mockPrepackagedRule();
ruleFromFileSystem.rule_id = 'rule-1';
ruleFromFileSystem.version = 2;
@ -79,11 +79,11 @@ describe('get_rules_to_update', () => {
});
test('should return 2 rules out of 2 to update if the id of file system rule is greater than the installed version of both', () => {
const ruleFromFileSystem1 = fullRuleAlertParamsRest();
const ruleFromFileSystem1 = mockPrepackagedRule();
ruleFromFileSystem1.rule_id = 'rule-1';
ruleFromFileSystem1.version = 2;
const ruleFromFileSystem2 = fullRuleAlertParamsRest();
const ruleFromFileSystem2 = mockPrepackagedRule();
ruleFromFileSystem2.rule_id = 'rule-2';
ruleFromFileSystem2.version = 2;

6
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_update.ts
View file

@ -4,13 +4,13 @@
* you may not use this file except in compliance with the Elastic License.
*/
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
import { RuleAlertType } from './types';
export const getRulesToUpdate = (
rulesFromFileSystem: RuleAlertParamsRest[],
rulesFromFileSystem: PrepackagedRules[],
installedRules: RuleAlertType[]
): RuleAlertParamsRest[] => {
): PrepackagedRules[] => {
return rulesFromFileSystem.filter(rule =>
installedRules.some(installedRule => {
return (

4
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts
View file

@ -7,12 +7,12 @@
import { ActionsClient } from '../../../../../actions';
import { AlertsClient } from '../../../../../alerting';
import { createRules } from './create_rules';
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
export const installPrepackagedRules = async (
alertsClient: AlertsClient,
actionsClient: ActionsClient,
rules: RuleAlertParamsRest[],
rules: PrepackagedRules[],
outputIndex: string
): Promise<void> => {
await rules.forEach(async rule => {

4
x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts
View file

@ -7,12 +7,12 @@
import { ActionsClient } from '../../../../../actions';
import { AlertsClient } from '../../../../../alerting';
import { updateRules } from './update_rules';
import { RuleAlertParamsRest } from '../types';
import { PrepackagedRules } from '../types';
export const updatePrepackagedRules = async (
alertsClient: AlertsClient,
actionsClient: ActionsClient,
rules: RuleAlertParamsRest[],
rules: PrepackagedRules[],
outputIndex: string
): Promise<void> => {
await rules.forEach(async rule => {

15
x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
View file

@ -58,6 +58,7 @@ export type RuleAlertParamsRest = Omit<
RuleAlertParams,
| 'ruleId'
| 'falsePositives'
| 'immutable'
| 'maxSignals'
| 'savedId'
| 'riskScore'
@ -99,11 +100,25 @@ export type OutputRuleAlertRest = RuleAlertParamsRest & {
id: string;
created_by: string | undefined | null;
updated_by: string | undefined | null;
immutable: boolean;
};
export type ImportRuleAlertRest = Omit<OutputRuleAlertRest, 'rule_id' | 'id'> & {
id: string | undefined | null;
rule_id: string;
immutable: boolean;
};
export type PrepackagedRules = Omit<
RuleAlertParamsRest,
| 'status'
| 'status_date'
| 'last_failure_at'
| 'last_success_at'
| 'last_failure_message'
| 'last_success_message'
| 'updated_at'
| 'created_at'
> & { rule_id: string; immutable: boolean };
export type CallWithRequest<T, U, V> = (endpoint: string, params: T, options?: U) => Promise<V>;