mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 09:48:58 -04:00
# Backport This will backport the following commits from `main` to `8.x`: - [[EDR Workflows] Enable response actions in base rule params (#194796)](https://github.com/elastic/kibana/pull/194796) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Tomasz Ciecierski","email":"tomasz.ciecierski@elastic.co"},"sourceCommit":{"committedDate":"2024-10-09T14:06:02Z","message":"[EDR Workflows] Enable response actions in base rule params (#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend Workflows","v8.16.0","backport:version"],"title":"[EDR Workflows] Enable response actions in base rule params","number":194796,"url":"https://github.com/elastic/kibana/pull/194796","mergeCommit":{"message":"[EDR Workflows] Enable response actions in base rule params (#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194796","number":194796,"mergeCommit":{"message":"[EDR Workflows] Enable response actions in base rule params (#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Tomasz Ciecierski <tomasz.ciecierski@elastic.co>
This commit is contained in:
Kibana Machine
GitHub
parent
0751a8ea34
commit
a02cb35f39
40 changed files with 2183 additions and 1032 deletions
|
|
@ -23492,10 +23492,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -23585,6 +23581,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23709,6 +23709,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23830,6 +23834,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23934,6 +23942,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24068,6 +24080,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24192,6 +24208,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24237,10 +24257,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -24311,6 +24327,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24437,6 +24457,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24676,6 +24700,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24803,6 +24831,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24930,6 +24962,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25053,6 +25089,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25166,6 +25206,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25295,6 +25339,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25352,10 +25400,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -25440,6 +25484,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25571,6 +25619,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25805,6 +25857,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25931,6 +25987,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25989,10 +26049,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
|
||||
Security_Detections_API_QueryRulePatchFields:
|
||||
|
|
@ -26072,6 +26128,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -26195,6 +26255,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -26904,6 +26968,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27033,6 +27101,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27092,10 +27164,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -27176,6 +27244,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27302,6 +27374,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27552,6 +27628,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27681,6 +27761,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27836,6 +27920,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27971,6 +28059,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28171,6 +28263,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28300,6 +28396,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28442,6 +28542,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28571,6 +28675,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
|
|
@ -23492,10 +23492,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -23585,6 +23581,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23709,6 +23709,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23830,6 +23834,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -23934,6 +23942,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24068,6 +24080,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24192,6 +24208,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24237,10 +24257,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -24311,6 +24327,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24437,6 +24457,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24676,6 +24700,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24803,6 +24831,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -24930,6 +24962,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25053,6 +25089,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25166,6 +25206,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25295,6 +25339,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25352,10 +25400,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -25440,6 +25484,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25571,6 +25619,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25805,6 +25857,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25931,6 +25987,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -25989,10 +26049,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
|
||||
Security_Detections_API_QueryRulePatchFields:
|
||||
|
|
@ -26072,6 +26128,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -26195,6 +26255,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -26904,6 +26968,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27033,6 +27101,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27092,10 +27164,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -27176,6 +27244,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27302,6 +27374,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27552,6 +27628,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27681,6 +27761,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27836,6 +27920,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -27971,6 +28059,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28171,6 +28263,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28300,6 +28396,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28442,6 +28542,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -28571,6 +28675,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
|
|
@ -31376,10 +31376,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -31469,6 +31465,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31593,6 +31593,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31714,6 +31718,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31818,6 +31826,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31952,6 +31964,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32076,6 +32092,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32121,10 +32141,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -32195,6 +32211,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32321,6 +32341,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32583,6 +32607,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32710,6 +32738,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32837,6 +32869,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32960,6 +32996,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33171,6 +33211,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33300,6 +33344,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33357,10 +33405,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -33445,6 +33489,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33576,6 +33624,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33810,6 +33862,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33936,6 +33992,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33994,10 +34054,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
|
||||
Security_Detections_API_QueryRulePatchFields:
|
||||
|
|
@ -34077,6 +34133,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -34200,6 +34260,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -34909,6 +34973,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35038,6 +35106,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35097,10 +35169,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -35181,6 +35249,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35307,6 +35379,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35564,6 +35640,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35693,6 +35773,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35848,6 +35932,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35983,6 +36071,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36183,6 +36275,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36312,6 +36408,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36454,6 +36554,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36583,6 +36687,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
|
|
@ -31376,10 +31376,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -31469,6 +31465,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31593,6 +31593,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31714,6 +31718,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31818,6 +31826,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -31952,6 +31964,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32076,6 +32092,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32121,10 +32141,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -32195,6 +32211,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32321,6 +32341,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32583,6 +32607,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32710,6 +32738,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32837,6 +32869,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -32960,6 +32996,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33171,6 +33211,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33300,6 +33344,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33357,10 +33405,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -33445,6 +33489,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33576,6 +33624,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33810,6 +33862,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33936,6 +33992,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -33994,10 +34054,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
|
||||
Security_Detections_API_QueryRulePatchFields:
|
||||
|
|
@ -34077,6 +34133,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -34200,6 +34260,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -34909,6 +34973,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35038,6 +35106,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35097,10 +35169,6 @@ components:
|
|||
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
Security_Detections_API_SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -35181,6 +35249,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35307,6 +35379,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35564,6 +35640,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35693,6 +35773,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35848,6 +35932,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -35983,6 +36071,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36183,6 +36275,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36312,6 +36408,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36454,6 +36554,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -36583,6 +36687,10 @@ components:
|
|||
$ref: >-
|
||||
#/components/schemas/Security_Detections_API_RequiredFieldInput
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
|
|
@ -68,13 +68,13 @@ import {
|
|||
SavedQueryId,
|
||||
KqlQueryLanguage,
|
||||
} from './common_attributes.gen';
|
||||
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
|
||||
import { RuleExecutionSummary } from '../../rule_monitoring/model/execution_summary.gen';
|
||||
import {
|
||||
EventCategoryOverride,
|
||||
TiebreakerField,
|
||||
TimestampField,
|
||||
} from './specific_attributes/eql_attributes.gen';
|
||||
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
|
||||
import {
|
||||
Threshold,
|
||||
ThresholdAlertSuppression,
|
||||
|
|
@ -117,6 +117,7 @@ export const BaseOptionalFields = z.object({
|
|||
meta: RuleMetadata.optional(),
|
||||
investigation_fields: InvestigationFields.optional(),
|
||||
throttle: RuleActionThrottle.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type BaseDefaultableFields = z.infer<typeof BaseDefaultableFields>;
|
||||
|
|
@ -224,7 +225,6 @@ export const EqlOptionalFields = z.object({
|
|||
tiebreaker_field: TiebreakerField.optional(),
|
||||
timestamp_field: TimestampField.optional(),
|
||||
alert_suppression: AlertSuppression.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type EqlRuleCreateFields = z.infer<typeof EqlRuleCreateFields>;
|
||||
|
|
@ -262,7 +262,6 @@ export const QueryRuleOptionalFields = z.object({
|
|||
data_view_id: DataViewId.optional(),
|
||||
filters: RuleFilterArray.optional(),
|
||||
saved_id: SavedQueryId.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
alert_suppression: AlertSuppression.optional(),
|
||||
});
|
||||
|
||||
|
|
@ -313,7 +312,6 @@ export const SavedQueryRuleOptionalFields = z.object({
|
|||
index: IndexPatternArray.optional(),
|
||||
data_view_id: DataViewId.optional(),
|
||||
filters: RuleFilterArray.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
alert_suppression: AlertSuppression.optional(),
|
||||
query: RuleQuery.optional(),
|
||||
});
|
||||
|
|
@ -522,7 +520,6 @@ export const NewTermsRuleOptionalFields = z.object({
|
|||
data_view_id: DataViewId.optional(),
|
||||
filters: RuleFilterArray.optional(),
|
||||
alert_suppression: AlertSuppression.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type NewTermsRuleDefaultableFields = z.infer<typeof NewTermsRuleDefaultableFields>;
|
||||
|
|
@ -576,7 +573,6 @@ export const EsqlRuleRequiredFields = z.object({
|
|||
export type EsqlRuleOptionalFields = z.infer<typeof EsqlRuleOptionalFields>;
|
||||
export const EsqlRuleOptionalFields = z.object({
|
||||
alert_suppression: AlertSuppression.optional(),
|
||||
response_actions: z.array(ResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type EsqlRulePatchFields = z.infer<typeof EsqlRulePatchFields>;
|
||||
|
|
|
|||
|
|
@ -74,6 +74,11 @@ components:
|
|||
throttle:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/RuleActionThrottle'
|
||||
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
|
||||
BaseDefaultableFields:
|
||||
x-inline: true
|
||||
type: object
|
||||
|
|
@ -293,10 +298,6 @@ components:
|
|||
$ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TimestampField'
|
||||
alert_suppression:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
|
||||
EqlRuleCreateFields:
|
||||
allOf:
|
||||
|
|
@ -359,10 +360,6 @@ components:
|
|||
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
|
||||
saved_id:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId'
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
alert_suppression:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
|
||||
|
||||
|
|
@ -440,10 +437,6 @@ components:
|
|||
$ref: './common_attributes.schema.yaml#/components/schemas/DataViewId'
|
||||
filters:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
alert_suppression:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
|
||||
query:
|
||||
|
|
@ -767,10 +760,6 @@ components:
|
|||
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
|
||||
alert_suppression:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
|
||||
NewTermsRuleDefaultableFields:
|
||||
type: object
|
||||
|
|
@ -849,10 +838,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
|
||||
response_actions:
|
||||
type: array
|
||||
items:
|
||||
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
|
||||
|
||||
EsqlRulePatchFields:
|
||||
allOf:
|
||||
|
|
|
|||
|
|
@ -93,9 +93,16 @@ export const isSuppressionRuleConfiguredWithMissingFields = (ruleType: Type) =>
|
|||
export const isSuppressionRuleInGA = (ruleType: Type): boolean => {
|
||||
return isSuppressibleAlertRule(ruleType) && SUPPRESSIBLE_ALERT_RULES_GA.includes(ruleType);
|
||||
};
|
||||
|
||||
export const shouldShowResponseActions = (ruleType: Type | undefined) => {
|
||||
export const shouldShowResponseActions = (
|
||||
ruleType: Type | undefined,
|
||||
automatedResponseActionsForAllRulesEnabled: boolean
|
||||
) => {
|
||||
return (
|
||||
isQueryRule(ruleType) || isEsqlRule(ruleType) || isEqlRule(ruleType) || isNewTermsRule(ruleType)
|
||||
isQueryRule(ruleType) ||
|
||||
isEsqlRule(ruleType) ||
|
||||
isEqlRule(ruleType) ||
|
||||
isNewTermsRule(ruleType) ||
|
||||
(automatedResponseActionsForAllRulesEnabled &&
|
||||
(isThresholdRule(ruleType) || isThreatMatchRule(ruleType) || isMlRule(ruleType)))
|
||||
);
|
||||
};
|
||||
|
|
|
|||
|
|
@ -52,6 +52,11 @@ export const allowedExperimentalValues = Object.freeze({
|
|||
*/
|
||||
automatedProcessActionsEnabled: true,
|
||||
|
||||
/**
|
||||
* Temporary feature flag to enable the Response Actions in Rules UI - intermediate release
|
||||
*/
|
||||
automatedResponseActionsForAllRulesEnabled: false,
|
||||
|
||||
/**
|
||||
* Enables the ability to send Response actions to SentinelOne and persist the results
|
||||
* in ES. Adds API changes to support `agentType` and supports `isolate` and `release`
|
||||
|
|
|
|||
|
|
@ -2051,10 +2051,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -2137,6 +2133,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2252,6 +2252,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2364,6 +2368,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2459,6 +2467,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2584,6 +2596,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2699,6 +2715,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2742,10 +2762,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -2809,6 +2825,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2926,6 +2946,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3178,6 +3202,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3293,6 +3321,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3408,6 +3440,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3519,6 +3555,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3720,6 +3760,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3836,6 +3880,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3890,10 +3938,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -3969,6 +4013,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4089,6 +4137,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4312,6 +4364,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4428,6 +4484,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4484,10 +4544,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/SavedQueryId'
|
||||
QueryRulePatchFields:
|
||||
|
|
@ -4559,6 +4615,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4673,6 +4733,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5359,6 +5423,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5475,6 +5543,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5531,10 +5603,6 @@ components:
|
|||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -5606,6 +5674,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5720,6 +5792,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5967,6 +6043,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6083,6 +6163,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6226,6 +6310,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6349,6 +6437,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6538,6 +6630,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6654,6 +6750,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6783,6 +6883,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6900,6 +7004,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
|
|
@ -1325,10 +1325,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
tiebreaker_field:
|
||||
$ref: '#/components/schemas/TiebreakerField'
|
||||
timestamp_field:
|
||||
|
|
@ -1411,6 +1407,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -1526,6 +1526,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -1638,6 +1642,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -1733,6 +1741,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -1858,6 +1870,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -1973,6 +1989,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2016,10 +2036,6 @@ components:
|
|||
properties:
|
||||
alert_suppression:
|
||||
$ref: '#/components/schemas/AlertSuppression'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
EsqlRulePatchProps:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -2083,6 +2099,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2200,6 +2220,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2429,6 +2453,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2544,6 +2572,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2659,6 +2691,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2770,6 +2806,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2873,6 +2913,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -2989,6 +3033,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3043,10 +3091,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
NewTermsRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -3122,6 +3166,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3242,6 +3290,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3465,6 +3517,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3581,6 +3637,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3637,10 +3697,6 @@ components:
|
|||
$ref: '#/components/schemas/RuleFilterArray'
|
||||
index:
|
||||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
saved_id:
|
||||
$ref: '#/components/schemas/SavedQueryId'
|
||||
QueryRulePatchFields:
|
||||
|
|
@ -3712,6 +3768,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -3826,6 +3886,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4512,6 +4576,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4628,6 +4696,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4684,10 +4756,6 @@ components:
|
|||
$ref: '#/components/schemas/IndexPatternArray'
|
||||
query:
|
||||
$ref: '#/components/schemas/RuleQuery'
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
SavedQueryRulePatchFields:
|
||||
allOf:
|
||||
- type: object
|
||||
|
|
@ -4759,6 +4827,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -4873,6 +4945,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5113,6 +5189,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5229,6 +5309,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5372,6 +5456,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5495,6 +5583,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5684,6 +5776,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5800,6 +5896,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -5929,6 +6029,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
@ -6046,6 +6150,10 @@ components:
|
|||
items:
|
||||
$ref: '#/components/schemas/RequiredFieldInput'
|
||||
type: array
|
||||
response_actions:
|
||||
items:
|
||||
$ref: '#/components/schemas/ResponseAction'
|
||||
type: array
|
||||
risk_score:
|
||||
$ref: '#/components/schemas/RiskScore'
|
||||
risk_score_mapping:
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ import type {
|
|||
} from '@kbn/triggers-actions-ui-plugin/public';
|
||||
import { UseArray } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib';
|
||||
import type { Type } from '@kbn/securitysolution-io-ts-alerting-types';
|
||||
import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
|
||||
import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils';
|
||||
import type { RuleObjectId } from '../../../../../common/api/detection_engine/model/rule_schema';
|
||||
import { ResponseActionsForm } from '../../../rule_response_actions/response_actions_form';
|
||||
|
|
@ -84,7 +85,9 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
|
|||
const {
|
||||
services: { application },
|
||||
} = useKibana();
|
||||
|
||||
const automatedResponseActionsForAllRulesEnabled = useIsExperimentalFeatureEnabled(
|
||||
'automatedResponseActionsForAllRulesEnabled'
|
||||
);
|
||||
const displayActionsOptions = useMemo(
|
||||
() => (
|
||||
<>
|
||||
|
|
@ -102,7 +105,7 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
|
|||
[actionMessageParams, summaryActionMessageParams]
|
||||
);
|
||||
const displayResponseActionsOptions = useMemo(() => {
|
||||
if (shouldShowResponseActions(ruleType)) {
|
||||
if (shouldShowResponseActions(ruleType, automatedResponseActionsForAllRulesEnabled)) {
|
||||
return (
|
||||
<UseArray path="responseActions" initialNumberOfItems={0}>
|
||||
{ResponseActionsForm}
|
||||
|
|
@ -110,7 +113,7 @@ const StepRuleActionsComponent: FC<StepRuleActionsProps> = ({
|
|||
);
|
||||
}
|
||||
return null;
|
||||
}, [ruleType]);
|
||||
}, [automatedResponseActionsForAllRulesEnabled, ruleType]);
|
||||
// only display the actions dropdown if the user has "read" privileges for actions
|
||||
const displayActionsDropDown = useMemo(() => {
|
||||
return application.capabilities.actions.show ? (
|
||||
|
|
|
|||
|
|
@ -7,23 +7,10 @@
|
|||
|
||||
import { expectParseError, expectParseSuccess, stringifyZodError } from '@kbn/zod-helpers';
|
||||
import { getListArrayMock } from '../../../../../../common/detection_engine/schemas/types/lists.mock';
|
||||
import { PrebuiltRuleAsset, TypeSpecificFields } from './prebuilt_rule_asset';
|
||||
import { PrebuiltRuleAsset } from './prebuilt_rule_asset';
|
||||
import { getPrebuiltRuleMock, getPrebuiltThreatMatchRuleMock } from './prebuilt_rule_asset.mock';
|
||||
import { TypeSpecificCreatePropsInternal } from '../../../../../../common/api/detection_engine';
|
||||
|
||||
describe('Prebuilt rule asset schema', () => {
|
||||
it('can be of all rule types that are supported', () => {
|
||||
// Check that the discriminated union TypeSpecificFields, which is used to create
|
||||
// the PrebuiltRuleAsset schema, contains all the rule types that are supported.
|
||||
const createPropsTypes = TypeSpecificCreatePropsInternal.options.map(
|
||||
(option) => option.shape.type.value
|
||||
);
|
||||
const fieldsTypes = TypeSpecificFields.options.map((option) => option.shape.type.value);
|
||||
|
||||
expect(createPropsTypes).toHaveLength(fieldsTypes.length);
|
||||
expect(new Set(createPropsTypes)).toEqual(new Set(fieldsTypes));
|
||||
});
|
||||
|
||||
test('empty objects do not validate', () => {
|
||||
const payload: Partial<PrebuiltRuleAsset> = {};
|
||||
|
||||
|
|
|
|||
|
|
@ -6,20 +6,11 @@
|
|||
*/
|
||||
|
||||
import * as z from '@kbn/zod';
|
||||
import type { IsEqual } from 'type-fest';
|
||||
import type { TypeSpecificCreateProps } from '../../../../../../common/api/detection_engine/model/rule_schema';
|
||||
import {
|
||||
RuleSignatureId,
|
||||
RuleVersion,
|
||||
BaseCreateProps,
|
||||
EqlRuleCreateFields,
|
||||
EsqlRuleCreateFields,
|
||||
MachineLearningRuleCreateFields,
|
||||
NewTermsRuleCreateFields,
|
||||
QueryRuleCreateFields,
|
||||
SavedQueryRuleCreateFields,
|
||||
ThreatMatchRuleCreateFields,
|
||||
ThresholdRuleCreateFields,
|
||||
TypeSpecificCreatePropsInternal,
|
||||
} from '../../../../../../common/api/detection_engine/model/rule_schema';
|
||||
|
||||
function zodMaskFor<T>() {
|
||||
|
|
@ -38,6 +29,7 @@ function zodMaskFor<T>() {
|
|||
*/
|
||||
const BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET = zodMaskFor<BaseCreateProps>()([
|
||||
'actions',
|
||||
'response_actions',
|
||||
'throttle',
|
||||
'meta',
|
||||
'output_index',
|
||||
|
|
@ -47,40 +39,6 @@ const BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET = zodMaskFor<BaseCreateProps>(
|
|||
'outcome',
|
||||
]);
|
||||
|
||||
/**
|
||||
* Aditionally remove fields which are part only of the optional fields in the rule types that make up
|
||||
* the TypeSpecificCreateProps discriminatedUnion, by recreating a discriminated union of the types, but
|
||||
* with the necessary fields omitted, in the types where they exist. Fields to extract:
|
||||
* - response_actions: from Query and SavedQuery rules
|
||||
*/
|
||||
const TYPE_SPECIFIC_FIELDS_TO_OMIT = ['response_actions'] as const;
|
||||
|
||||
const TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES = zodMaskFor<QueryRuleCreateFields>()([
|
||||
...TYPE_SPECIFIC_FIELDS_TO_OMIT,
|
||||
]);
|
||||
const TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_SAVED_QUERY_RULES =
|
||||
zodMaskFor<SavedQueryRuleCreateFields>()([...TYPE_SPECIFIC_FIELDS_TO_OMIT]);
|
||||
|
||||
export type TypeSpecificFields = z.infer<typeof TypeSpecificFields>;
|
||||
export const TypeSpecificFields = z.discriminatedUnion('type', [
|
||||
EqlRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES),
|
||||
QueryRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES),
|
||||
SavedQueryRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_SAVED_QUERY_RULES),
|
||||
ThresholdRuleCreateFields,
|
||||
ThreatMatchRuleCreateFields,
|
||||
MachineLearningRuleCreateFields,
|
||||
NewTermsRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES),
|
||||
EsqlRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES),
|
||||
]);
|
||||
|
||||
// Make sure the type-specific fields contain all the same rule types as the type-specific rule params.
|
||||
// TS will throw a type error if the types are not equal (for example, if a new rule type is added to
|
||||
// the TypeSpecificCreateProps and the new type is not reflected in TypeSpecificFields).
|
||||
export const areTypesEqual: IsEqual<
|
||||
typeof TypeSpecificCreateProps._type.type,
|
||||
typeof TypeSpecificFields._type.type
|
||||
> = true;
|
||||
|
||||
export const PrebuiltAssetBaseProps = BaseCreateProps.omit(
|
||||
BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET
|
||||
);
|
||||
|
|
@ -101,7 +59,7 @@ export const PrebuiltAssetBaseProps = BaseCreateProps.omit(
|
|||
* - some fields are omitted because they are not present in https://github.com/elastic/detection-rules
|
||||
*/
|
||||
export type PrebuiltRuleAsset = z.infer<typeof PrebuiltRuleAsset>;
|
||||
export const PrebuiltRuleAsset = PrebuiltAssetBaseProps.and(TypeSpecificFields).and(
|
||||
export const PrebuiltRuleAsset = PrebuiltAssetBaseProps.and(TypeSpecificCreatePropsInternal).and(
|
||||
z.object({
|
||||
rule_id: RuleSignatureId,
|
||||
version: RuleVersion,
|
||||
|
|
@ -112,7 +70,7 @@ function createUpgradableRuleFieldsPayloadByType() {
|
|||
const baseFields = Object.keys(PrebuiltAssetBaseProps.shape);
|
||||
|
||||
return new Map(
|
||||
TypeSpecificFields.options.map((option) => {
|
||||
TypeSpecificCreatePropsInternal.options.map((option) => {
|
||||
const typeName = option.shape.type.value;
|
||||
const typeSpecificFieldsForType = Object.keys(option.shape);
|
||||
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
*/
|
||||
|
||||
import snakecaseKeys from 'snakecase-keys';
|
||||
import { transformAlertToRuleResponseAction } from '../../../../../../../common/detection_engine/transform_actions';
|
||||
import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters';
|
||||
import type { BaseRuleParams } from '../../../../rule_schema';
|
||||
import { migrateLegacyInvestigationFields } from '../../../utils/utils';
|
||||
|
|
@ -44,6 +45,7 @@ export const commonParamsCamelToSnake = (params: BaseRuleParams) => {
|
|||
rule_source: convertObjectKeysToSnakeCase(params.ruleSource),
|
||||
related_integrations: params.relatedIntegrations ?? [],
|
||||
required_fields: params.requiredFields ?? [],
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
setup: params.setup ?? '',
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -53,6 +53,9 @@ export const convertRuleResponseToAlertingRule = (
|
|||
const alertActions = ruleActions?.map((action) => transformRuleToAlertAction(action)) ?? [];
|
||||
const actions = transformToActionFrequency(alertActions as RuleActionCamel[], rule.throttle);
|
||||
|
||||
const responseActions = rule.response_actions?.map((ruleResponseAction) =>
|
||||
transformRuleToAlertResponseAction(ruleResponseAction)
|
||||
);
|
||||
// Because of Omit<RuleResponse, RuntimeFields> Typescript doesn't recognize
|
||||
// that rule is assignable to TypeSpecificCreateProps despite omitted fields
|
||||
// are not part of type specific props. So we need to cast here.
|
||||
|
|
@ -94,6 +97,7 @@ export const convertRuleResponseToAlertingRule = (
|
|||
note: rule.note,
|
||||
version: rule.version,
|
||||
exceptionsList: rule.exceptions_list,
|
||||
responseActions,
|
||||
...typeSpecificParams,
|
||||
},
|
||||
schedule: { interval: rule.interval },
|
||||
|
|
@ -119,9 +123,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
|
|||
eventCategoryOverride: params.event_category_override,
|
||||
tiebreakerField: params.tiebreaker_field,
|
||||
alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
|
||||
responseActions: params.response_actions?.map((rule) =>
|
||||
transformRuleToAlertResponseAction(rule)
|
||||
),
|
||||
};
|
||||
}
|
||||
case 'esql': {
|
||||
|
|
@ -130,9 +131,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
|
|||
language: params.language,
|
||||
query: params.query,
|
||||
alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
|
||||
responseActions: params.response_actions?.map((rule) =>
|
||||
transformRuleToAlertResponseAction(rule)
|
||||
),
|
||||
};
|
||||
}
|
||||
case 'threat_match': {
|
||||
|
|
@ -164,9 +162,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
|
|||
query: params.query ?? '',
|
||||
filters: params.filters,
|
||||
savedId: params.saved_id,
|
||||
responseActions: params.response_actions?.map((rule) =>
|
||||
transformRuleToAlertResponseAction(rule)
|
||||
),
|
||||
alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
|
||||
};
|
||||
}
|
||||
|
|
@ -216,9 +211,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific
|
|||
language: params.language ?? 'kuery',
|
||||
dataViewId: params.data_view_id,
|
||||
alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression),
|
||||
responseActions: params.response_actions?.map((rule) =>
|
||||
transformRuleToAlertResponseAction(rule)
|
||||
),
|
||||
};
|
||||
}
|
||||
default: {
|
||||
|
|
|
|||
|
|
@ -6,7 +6,6 @@
|
|||
*/
|
||||
|
||||
import type { RequiredOptional } from '@kbn/zod-helpers';
|
||||
import { transformAlertToRuleResponseAction } from '../../../../../../../common/detection_engine/transform_actions';
|
||||
import type { TypeSpecificResponse } from '../../../../../../../common/api/detection_engine/model/rule_schema';
|
||||
import { assertUnreachable } from '../../../../../../../common/utility_types';
|
||||
import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters';
|
||||
|
|
@ -28,7 +27,6 @@ export const typeSpecificCamelToSnake = (
|
|||
event_category_override: params.eventCategoryOverride,
|
||||
tiebreaker_field: params.tiebreakerField,
|
||||
alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression),
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
};
|
||||
}
|
||||
case 'esql': {
|
||||
|
|
@ -37,7 +35,6 @@ export const typeSpecificCamelToSnake = (
|
|||
language: params.language,
|
||||
query: params.query,
|
||||
alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression),
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
};
|
||||
}
|
||||
case 'threat_match': {
|
||||
|
|
@ -69,7 +66,6 @@ export const typeSpecificCamelToSnake = (
|
|||
query: params.query,
|
||||
filters: params.filters,
|
||||
saved_id: params.savedId,
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression),
|
||||
};
|
||||
}
|
||||
|
|
@ -82,7 +78,6 @@ export const typeSpecificCamelToSnake = (
|
|||
filters: params.filters,
|
||||
saved_id: params.savedId,
|
||||
data_view_id: params.dataViewId,
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression),
|
||||
};
|
||||
}
|
||||
|
|
@ -120,7 +115,6 @@ export const typeSpecificCamelToSnake = (
|
|||
language: params.language,
|
||||
data_view_id: params.dataViewId,
|
||||
alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression),
|
||||
response_actions: params.responseActions?.map(transformAlertToRuleResponseAction),
|
||||
};
|
||||
}
|
||||
default: {
|
||||
|
|
|
|||
|
|
@ -86,7 +86,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => {
|
|||
event_category_override: props.event_category_override,
|
||||
tiebreaker_field: props.tiebreaker_field,
|
||||
alert_suppression: props.alert_suppression,
|
||||
response_actions: props.response_actions,
|
||||
};
|
||||
}
|
||||
case 'esql': {
|
||||
|
|
@ -95,7 +94,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => {
|
|||
language: props.language,
|
||||
query: props.query,
|
||||
alert_suppression: props.alert_suppression,
|
||||
response_actions: props.response_actions,
|
||||
};
|
||||
}
|
||||
case 'threat_match': {
|
||||
|
|
@ -127,7 +125,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => {
|
|||
query: props.query ?? '',
|
||||
filters: props.filters,
|
||||
saved_id: props.saved_id,
|
||||
response_actions: props.response_actions,
|
||||
alert_suppression: props.alert_suppression,
|
||||
};
|
||||
}
|
||||
|
|
@ -140,7 +137,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => {
|
|||
filters: props.filters,
|
||||
saved_id: props.saved_id,
|
||||
data_view_id: props.data_view_id,
|
||||
response_actions: props.response_actions,
|
||||
alert_suppression: props.alert_suppression,
|
||||
};
|
||||
}
|
||||
|
|
@ -178,7 +174,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => {
|
|||
language: props.language ?? 'kuery',
|
||||
data_view_id: props.data_view_id,
|
||||
alert_suppression: props.alert_suppression,
|
||||
response_actions: props.response_actions,
|
||||
};
|
||||
}
|
||||
default: {
|
||||
|
|
|
|||
|
|
@ -111,6 +111,7 @@ export const applyRulePatch = async ({
|
|||
interval: rulePatch.interval ?? existingRule.interval,
|
||||
throttle: rulePatch.throttle ?? existingRule.throttle,
|
||||
actions: rulePatch.actions ?? existingRule.actions,
|
||||
response_actions: rulePatch.response_actions ?? existingRule.response_actions,
|
||||
...typeSpecificParams,
|
||||
};
|
||||
|
||||
|
|
@ -138,7 +139,6 @@ const patchEqlParams = (
|
|||
rulePatch.event_category_override ?? existingRule.event_category_override,
|
||||
tiebreaker_field: rulePatch.tiebreaker_field ?? existingRule.tiebreaker_field,
|
||||
alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression,
|
||||
response_actions: rulePatch.response_actions ?? existingRule.response_actions,
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -151,7 +151,6 @@ const patchEsqlParams = (
|
|||
language: rulePatch.language ?? existingRule.language,
|
||||
query: rulePatch.query ?? existingRule.query,
|
||||
alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression,
|
||||
response_actions: rulePatch.response_actions ?? existingRule.response_actions,
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -191,7 +190,6 @@ const patchQueryParams = (
|
|||
query: rulePatch.query ?? existingRule.query,
|
||||
filters: rulePatch.filters ?? existingRule.filters,
|
||||
saved_id: rulePatch.saved_id ?? existingRule.saved_id,
|
||||
response_actions: rulePatch.response_actions ?? existingRule.response_actions,
|
||||
alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression,
|
||||
};
|
||||
};
|
||||
|
|
@ -208,7 +206,6 @@ const patchSavedQueryParams = (
|
|||
query: rulePatch.query ?? existingRule.query,
|
||||
filters: rulePatch.filters ?? existingRule.filters,
|
||||
saved_id: rulePatch.saved_id ?? existingRule.saved_id,
|
||||
response_actions: rulePatch.response_actions ?? existingRule.response_actions,
|
||||
alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression,
|
||||
};
|
||||
};
|
||||
|
|
@ -260,7 +257,6 @@ const patchNewTermsParams = (
|
|||
new_terms_fields: params.new_terms_fields ?? existingRule.new_terms_fields,
|
||||
history_window_start: params.history_window_start ?? existingRule.history_window_start,
|
||||
alert_suppression: params.alert_suppression ?? existingRule.alert_suppression,
|
||||
response_actions: params.response_actions ?? existingRule.response_actions,
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -6,15 +6,9 @@
|
|||
*/
|
||||
|
||||
import type { PartialRule } from '@kbn/alerting-plugin/server';
|
||||
import type { Rule } from '@kbn/alerting-plugin/common';
|
||||
import { isEqual, xorWith } from 'lodash';
|
||||
import { stringifyZodError } from '@kbn/zod-helpers';
|
||||
import type {
|
||||
EqlRule,
|
||||
EsqlRule,
|
||||
NewTermsRule,
|
||||
QueryRule,
|
||||
} from '../../../../../common/api/detection_engine';
|
||||
import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils';
|
||||
import {
|
||||
type ResponseAction,
|
||||
type RuleCreateProps,
|
||||
|
|
@ -26,16 +20,9 @@ import {
|
|||
RESPONSE_ACTION_API_COMMAND_TO_CONSOLE_COMMAND_MAP,
|
||||
RESPONSE_CONSOLE_ACTION_COMMANDS_TO_REQUIRED_AUTHZ,
|
||||
} from '../../../../../common/endpoint/service/response_actions/constants';
|
||||
import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils';
|
||||
import type { SecuritySolutionApiRequestHandlerContext } from '../../../..';
|
||||
import { CustomHttpRequestError } from '../../../../utils/custom_http_request_error';
|
||||
import type { EqlRuleParams, EsqlRuleParams, NewTermsRuleParams } from '../../rule_schema';
|
||||
import {
|
||||
hasValidRuleType,
|
||||
type RuleAlertType,
|
||||
type RuleParams,
|
||||
type UnifiedQueryRuleParams,
|
||||
} from '../../rule_schema';
|
||||
import { hasValidRuleType, type RuleAlertType, type RuleParams } from '../../rule_schema';
|
||||
import { type BulkError, createBulkErrorObject } from '../../routes/utils';
|
||||
import { internalRuleToAPIResponse } from '../logic/detection_rules_client/converters/internal_rule_to_api_response';
|
||||
|
||||
|
|
@ -70,7 +57,13 @@ export const validateResponseActionsPermissions = async (
|
|||
ruleUpdate: RuleCreateProps | RuleUpdateProps,
|
||||
existingRule?: RuleAlertType | null
|
||||
): Promise<void> => {
|
||||
if (!shouldShowResponseActions(ruleUpdate.type)) {
|
||||
const { experimentalFeatures } = await securitySolution.getConfig();
|
||||
if (
|
||||
!shouldShowResponseActions(
|
||||
ruleUpdate.type,
|
||||
experimentalFeatures.automatedResponseActionsForAllRulesEnabled
|
||||
)
|
||||
) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
@ -117,14 +110,10 @@ export const validateResponseActionsPermissions = async (
|
|||
});
|
||||
};
|
||||
|
||||
function rulePayloadContainsResponseActions(
|
||||
rule: RuleCreateProps | RuleUpdateProps
|
||||
): rule is QueryRule | EsqlRule | EqlRule | NewTermsRule {
|
||||
function rulePayloadContainsResponseActions(rule: RuleCreateProps | RuleUpdateProps) {
|
||||
return 'response_actions' in rule;
|
||||
}
|
||||
|
||||
function ruleObjectContainsResponseActions(
|
||||
rule?: RuleAlertType
|
||||
): rule is Rule<UnifiedQueryRuleParams | EsqlRuleParams | EqlRuleParams | NewTermsRuleParams> {
|
||||
function ruleObjectContainsResponseActions(rule?: RuleAlertType) {
|
||||
return rule != null && 'params' in rule && 'responseActions' in rule?.params;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -32,6 +32,9 @@ export const getScheduleNotificationResponseActionsService =
|
|||
const nestedAlerts = signals.map((signal) => expandDottedObject(signal as object)) as Alert[];
|
||||
const alerts = nestedAlerts.filter((alert) => alert.agent?.id) as AlertWithAgent[];
|
||||
|
||||
if (!alerts.length) {
|
||||
return;
|
||||
}
|
||||
return Promise.all(
|
||||
responseActions.map(async (responseAction) => {
|
||||
if (
|
||||
|
|
|
|||
|
|
@ -148,6 +148,7 @@ export const BaseRuleParams = z.object({
|
|||
relatedIntegrations: RelatedIntegrationArray.optional(),
|
||||
requiredFields: RequiredFieldArray.optional(),
|
||||
setup: SetupGuide.optional(),
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type EqlSpecificRuleParams = z.infer<typeof EqlSpecificRuleParams>;
|
||||
|
|
@ -162,7 +163,6 @@ export const EqlSpecificRuleParams = z.object({
|
|||
timestampField: TimestampField.optional(),
|
||||
tiebreakerField: TiebreakerField.optional(),
|
||||
alertSuppression: AlertSuppressionCamel.optional(),
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type EqlRuleParams = BaseRuleParams & EqlSpecificRuleParams;
|
||||
|
|
@ -174,7 +174,6 @@ export const EsqlSpecificRuleParams = z.object({
|
|||
language: z.literal('esql'),
|
||||
query: RuleQuery,
|
||||
alertSuppression: AlertSuppressionCamel.optional(),
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type EsqlRuleParams = BaseRuleParams & EsqlSpecificRuleParams;
|
||||
|
|
@ -212,7 +211,6 @@ export const QuerySpecificRuleParams = z.object({
|
|||
filters: RuleFilterArray.optional(),
|
||||
savedId: SavedQueryId.optional(),
|
||||
dataViewId: DataViewId.optional(),
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
alertSuppression: AlertSuppressionCamel.optional(),
|
||||
});
|
||||
|
||||
|
|
@ -228,7 +226,6 @@ export const SavedQuerySpecificRuleParams = z.object({
|
|||
query: RuleQuery.optional(),
|
||||
filters: RuleFilterArray.optional(),
|
||||
savedId: SavedQueryId,
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
alertSuppression: AlertSuppressionCamel.optional(),
|
||||
});
|
||||
|
||||
|
|
@ -282,7 +279,6 @@ export const NewTermsSpecificRuleParams = z.object({
|
|||
language: KqlQueryLanguage,
|
||||
dataViewId: DataViewId.optional(),
|
||||
alertSuppression: AlertSuppressionCamel.optional(),
|
||||
responseActions: z.array(RuleResponseAction).optional(),
|
||||
});
|
||||
|
||||
export type NewTermsRuleParams = BaseRuleParams & NewTermsSpecificRuleParams;
|
||||
|
|
|
|||
|
|
@ -11,19 +11,14 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
|
|||
import { SERVER_APP_ID } from '../../../../../common/constants';
|
||||
import { EqlRuleParams } from '../../rule_schema';
|
||||
import { eqlExecutor } from './eql';
|
||||
import type {
|
||||
CreateRuleOptions,
|
||||
SecurityAlertType,
|
||||
SignalSourceHit,
|
||||
CreateRuleAdditionalOptions,
|
||||
} from '../types';
|
||||
import type { CreateRuleOptions, SecurityAlertType, SignalSourceHit } from '../types';
|
||||
import { validateIndexPatterns } from '../utils';
|
||||
import type { BuildReasonMessage } from '../utils/reason_formatters';
|
||||
import { wrapSuppressedAlerts } from '../utils/wrap_suppressed_alerts';
|
||||
import { getIsAlertSuppressionActive } from '../utils/get_is_alert_suppression_active';
|
||||
|
||||
export const createEqlAlertType = (
|
||||
createOptions: CreateRuleOptions & CreateRuleAdditionalOptions
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<EqlRuleParams, {}, {}, 'default'> => {
|
||||
const { experimentalFeatures, version, licensing, scheduleNotificationResponseActionsService } =
|
||||
createOptions;
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ import type {
|
|||
SearchAfterAndBulkCreateReturnType,
|
||||
SignalSource,
|
||||
WrapSuppressedHits,
|
||||
CreateRuleAdditionalOptions,
|
||||
CreateRuleOptions,
|
||||
} from '../types';
|
||||
import {
|
||||
addToSearchAfterReturn,
|
||||
|
|
@ -71,7 +71,7 @@ interface EqlExecutorParams {
|
|||
isAlertSuppressionActive: boolean;
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
state?: Record<string, unknown>;
|
||||
scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService'];
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
}
|
||||
|
||||
export const eqlExecutor = async ({
|
||||
|
|
@ -104,7 +104,6 @@ export const eqlExecutor = async ({
|
|||
const isLoggedRequestsEnabled = state?.isLoggedRequestsEnabled ?? false;
|
||||
const loggedRequests: RulePreviewLoggedRequest[] = [];
|
||||
|
||||
// eslint-disable-next-line complexity
|
||||
return withSecuritySpan('eqlExecutor', async () => {
|
||||
const result = createSearchAfterReturnType();
|
||||
|
||||
|
|
@ -213,13 +212,11 @@ export const eqlExecutor = async ({
|
|||
result.warningMessages.push(maxSignalsWarning);
|
||||
}
|
||||
|
||||
if (scheduleNotificationResponseActionsService) {
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
}
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
return { result, ...(isLoggedRequestsEnabled ? { loggedRequests } : {}) };
|
||||
} catch (error) {
|
||||
if (
|
||||
|
|
|
|||
|
|
@ -11,10 +11,10 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
|
|||
import { SERVER_APP_ID } from '../../../../../common/constants';
|
||||
import { EsqlRuleParams } from '../../rule_schema';
|
||||
import { esqlExecutor } from './esql';
|
||||
import type { CreateRuleOptions, SecurityAlertType, CreateRuleAdditionalOptions } from '../types';
|
||||
import type { CreateRuleOptions, SecurityAlertType } from '../types';
|
||||
|
||||
export const createEsqlAlertType = (
|
||||
createOptions: CreateRuleOptions & CreateRuleAdditionalOptions
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<EsqlRuleParams, {}, {}, 'default'> => {
|
||||
const { version, experimentalFeatures, licensing, scheduleNotificationResponseActionsService } =
|
||||
createOptions;
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ import { rowToDocument } from './utils';
|
|||
import { fetchSourceDocuments } from './fetch_source_documents';
|
||||
import { buildReasonMessageForEsqlAlert } from '../utils/reason_formatters';
|
||||
import type { RulePreviewLoggedRequest } from '../../../../../common/api/detection_engine/rule_preview/rule_preview.gen';
|
||||
import type { RunOpts, SignalSource, CreateRuleAdditionalOptions } from '../types';
|
||||
import type { CreateRuleOptions, RunOpts, SignalSource } from '../types';
|
||||
import { logEsqlRequest } from '../utils/logged_requests';
|
||||
import * as i18n from '../translations';
|
||||
|
||||
|
|
@ -74,7 +74,7 @@ export const esqlExecutor = async ({
|
|||
version: string;
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
licensing: LicensingPluginSetup;
|
||||
scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService'];
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
}) => {
|
||||
const loggedRequests: RulePreviewLoggedRequest[] = [];
|
||||
const ruleParams = completeRule.ruleParams;
|
||||
|
|
@ -245,13 +245,11 @@ export const esqlExecutor = async ({
|
|||
}
|
||||
}
|
||||
|
||||
if (scheduleNotificationResponseActionsService) {
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
}
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
|
||||
// no more results will be found
|
||||
if (response.values.length < size) {
|
||||
|
|
|
|||
|
|
@ -20,7 +20,13 @@ import type { BuildReasonMessage } from '../utils/reason_formatters';
|
|||
export const createIndicatorMatchAlertType = (
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<ThreatRuleParams, {}, {}, 'default'> => {
|
||||
const { eventsTelemetry, version, licensing, experimentalFeatures } = createOptions;
|
||||
const {
|
||||
eventsTelemetry,
|
||||
version,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
} = createOptions;
|
||||
return {
|
||||
id: INDICATOR_RULE_TYPE_ID,
|
||||
name: 'Indicator Match Rule',
|
||||
|
|
@ -122,6 +128,7 @@ export const createIndicatorMatchAlertType = (
|
|||
runOpts,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
});
|
||||
return { ...result, state };
|
||||
},
|
||||
|
|
|
|||
|
|
@ -16,7 +16,14 @@ import type {
|
|||
} from '@kbn/alerting-plugin/server';
|
||||
import type { ListClient } from '@kbn/lists-plugin/server';
|
||||
import type { Filter } from '@kbn/es-query';
|
||||
import type { RuleRangeTuple, BulkCreate, WrapHits, WrapSuppressedHits, RunOpts } from '../types';
|
||||
import type {
|
||||
RuleRangeTuple,
|
||||
BulkCreate,
|
||||
WrapHits,
|
||||
WrapSuppressedHits,
|
||||
RunOpts,
|
||||
CreateRuleOptions,
|
||||
} from '../types';
|
||||
import type { ITelemetryEventsSender } from '../../../telemetry/sender';
|
||||
import { createThreatSignals } from './threat_mapping/create_threat_signals';
|
||||
import type { CompleteRule, ThreatRuleParams } from '../../rule_schema';
|
||||
|
|
@ -47,6 +54,7 @@ export const indicatorMatchExecutor = async ({
|
|||
runOpts,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
}: {
|
||||
inputIndex: string[];
|
||||
runtimeMappings: estypes.MappingRuntimeFields | undefined;
|
||||
|
|
@ -67,6 +75,7 @@ export const indicatorMatchExecutor = async ({
|
|||
wrapSuppressedHits: WrapSuppressedHits;
|
||||
runOpts: RunOpts<ThreatRuleParams>;
|
||||
licensing: LicensingPluginSetup;
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
}) => {
|
||||
const ruleParams = completeRule.ruleParams;
|
||||
|
|
@ -107,6 +116,7 @@ export const indicatorMatchExecutor = async ({
|
|||
runOpts,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
});
|
||||
});
|
||||
};
|
||||
|
|
|
|||
|
|
@ -74,6 +74,7 @@ export const createThreatSignals = async ({
|
|||
unprocessedExceptions,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
}: CreateThreatSignalsOptions): Promise<SearchAfterAndBulkCreateReturnType> => {
|
||||
const threatMatchedFields = getMatchedFields(threatMapping);
|
||||
const threatFieldsLength = threatMatchedFields.threat.length;
|
||||
|
|
@ -460,7 +461,11 @@ export const createThreatSignals = async ({
|
|||
`Error trying to close point in time: "${threatPitId}", it will expire within "${THREAT_PIT_KEEP_ALIVE}". Error is: "${error}"`
|
||||
);
|
||||
}
|
||||
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: results.createdSignals,
|
||||
signalsCount: results.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
ruleExecutionLogger.debug('Indicator matching rule has completed');
|
||||
return results;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ import type {
|
|||
WrapSuppressedHits,
|
||||
OverrideBodyQuery,
|
||||
RunOpts,
|
||||
CreateRuleOptions,
|
||||
} from '../../types';
|
||||
import type { CompleteRule, ThreatRuleParams } from '../../../rule_schema';
|
||||
import type { IRuleExecutionLogForExecutors } from '../../../rule_monitoring';
|
||||
|
|
@ -80,6 +81,7 @@ export interface CreateThreatSignalsOptions {
|
|||
runOpts: RunOpts<ThreatRuleParams>;
|
||||
licensing: LicensingPluginSetup;
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
}
|
||||
|
||||
export interface CreateThreatSignalOptions {
|
||||
|
|
@ -172,6 +174,7 @@ export interface CreateEventSignalOptions {
|
|||
}
|
||||
|
||||
type EntryKey = 'field' | 'value';
|
||||
|
||||
export interface BuildThreatMappingFilterOptions {
|
||||
chunkSize?: number;
|
||||
threatList: ThreatListItem[];
|
||||
|
|
@ -273,6 +276,7 @@ interface BaseThreatNamedQuery {
|
|||
value: string;
|
||||
queryType: string;
|
||||
}
|
||||
|
||||
export interface ThreatMatchNamedQuery extends BaseThreatNamedQuery {
|
||||
id: string;
|
||||
index: string;
|
||||
|
|
@ -325,6 +329,7 @@ export interface EventDoc {
|
|||
}
|
||||
|
||||
export type EventItem = estypes.SearchHit<EventDoc>;
|
||||
|
||||
export interface EventCountOptions {
|
||||
esClient: ElasticsearchClient;
|
||||
index: string[];
|
||||
|
|
|
|||
|
|
@ -19,7 +19,8 @@ import { wrapSuppressedAlerts } from '../utils/wrap_suppressed_alerts';
|
|||
export const createMlAlertType = (
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<MachineLearningRuleParams, {}, {}, 'default'> => {
|
||||
const { experimentalFeatures, ml, licensing } = createOptions;
|
||||
const { experimentalFeatures, ml, licensing, scheduleNotificationResponseActionsService } =
|
||||
createOptions;
|
||||
return {
|
||||
id: ML_RULE_TYPE_ID,
|
||||
name: 'Machine Learning Rule',
|
||||
|
|
@ -106,6 +107,7 @@ export const createMlAlertType = (
|
|||
alertWithSuppression,
|
||||
isAlertSuppressionActive,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
});
|
||||
return { ...result, state };
|
||||
},
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ jest.mock('./bulk_create_ml_signals');
|
|||
|
||||
describe('ml_executor', () => {
|
||||
let mockExperimentalFeatures: jest.Mocked<ExperimentalFeatures>;
|
||||
let mockScheduledNotificationResponseAction: jest.Mock;
|
||||
let jobsSummaryMock: jest.Mock;
|
||||
let forceStartDatafeedsMock: jest.Mock;
|
||||
let stopDatafeedsMock: jest.Mock;
|
||||
|
|
@ -40,6 +41,7 @@ describe('ml_executor', () => {
|
|||
|
||||
beforeEach(() => {
|
||||
mockExperimentalFeatures = {} as jest.Mocked<ExperimentalFeatures>;
|
||||
mockScheduledNotificationResponseAction = jest.fn();
|
||||
jobsSummaryMock = jest.fn();
|
||||
mlMock = mlPluginServerMock.createSetupContract();
|
||||
mlMock.jobServiceProvider.mockReturnValue({
|
||||
|
|
@ -88,6 +90,7 @@ describe('ml_executor', () => {
|
|||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
})
|
||||
).rejects.toThrow('ML plugin unavailable during rule execution');
|
||||
});
|
||||
|
|
@ -110,6 +113,7 @@ describe('ml_executor', () => {
|
|||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(ruleExecutionLogger.warn).toHaveBeenCalled();
|
||||
expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain(
|
||||
|
|
@ -143,6 +147,7 @@ describe('ml_executor', () => {
|
|||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(ruleExecutionLogger.warn).toHaveBeenCalled();
|
||||
expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain(
|
||||
|
|
@ -172,6 +177,7 @@ describe('ml_executor', () => {
|
|||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(result.userError).toEqual(true);
|
||||
expect(result.success).toEqual(false);
|
||||
|
|
@ -204,6 +210,7 @@ describe('ml_executor', () => {
|
|||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
|
||||
expect(result).toEqual(
|
||||
|
|
@ -212,4 +219,29 @@ describe('ml_executor', () => {
|
|||
})
|
||||
);
|
||||
});
|
||||
it('should call scheduleNotificationResponseActionsService', async () => {
|
||||
const result = await mlExecutor({
|
||||
completeRule: mlCompleteRule,
|
||||
tuple,
|
||||
ml: mlMock,
|
||||
services: alertServices,
|
||||
ruleExecutionLogger,
|
||||
listClient,
|
||||
bulkCreate: jest.fn(),
|
||||
wrapHits: jest.fn(),
|
||||
exceptionFilter: undefined,
|
||||
unprocessedExceptions: [],
|
||||
wrapSuppressedHits: jest.fn(),
|
||||
alertTimestampOverride: undefined,
|
||||
alertWithSuppression: jest.fn(),
|
||||
isAlertSuppressionActive: true,
|
||||
experimentalFeatures: mockExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(mockScheduledNotificationResponseAction).toBeCalledWith({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: mlCompleteRule.ruleParams.responseActions,
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -23,7 +23,13 @@ import type { CompleteRule, MachineLearningRuleParams } from '../../rule_schema'
|
|||
import { bulkCreateMlSignals } from './bulk_create_ml_signals';
|
||||
import { filterEventsAgainstList } from '../utils/large_list_filters/filter_events_against_list';
|
||||
import { findMlSignals } from './find_ml_signals';
|
||||
import type { BulkCreate, RuleRangeTuple, WrapHits, WrapSuppressedHits } from '../types';
|
||||
import type {
|
||||
BulkCreate,
|
||||
CreateRuleOptions,
|
||||
RuleRangeTuple,
|
||||
WrapHits,
|
||||
WrapSuppressedHits,
|
||||
} from '../types';
|
||||
import {
|
||||
addToSearchAfterReturn,
|
||||
createErrorsFromShard,
|
||||
|
|
@ -54,6 +60,7 @@ interface MachineLearningRuleExecutorParams {
|
|||
alertWithSuppression: SuppressedAlertService;
|
||||
isAlertSuppressionActive: boolean;
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
}
|
||||
|
||||
export const mlExecutor = async ({
|
||||
|
|
@ -72,6 +79,7 @@ export const mlExecutor = async ({
|
|||
alertTimestampOverride,
|
||||
alertWithSuppression,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
}: MachineLearningRuleExecutorParams) => {
|
||||
const result = createSearchAfterReturnType();
|
||||
const ruleParams = completeRule.ruleParams;
|
||||
|
|
@ -191,6 +199,11 @@ export const mlExecutor = async ({
|
|||
const searchErrors = createErrorsFromShard({
|
||||
errors: shardFailures,
|
||||
});
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
return mergeReturns([
|
||||
result,
|
||||
createSearchAfterReturnType({
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
|
|||
import { SERVER_APP_ID } from '../../../../../common/constants';
|
||||
|
||||
import { NewTermsRuleParams } from '../../rule_schema';
|
||||
import type { CreateRuleOptions, SecurityAlertType, CreateRuleAdditionalOptions } from '../types';
|
||||
import type { CreateRuleOptions, SecurityAlertType } from '../types';
|
||||
import { singleSearchAfter } from '../utils/single_search_after';
|
||||
import { getFilter } from '../utils/get_filter';
|
||||
import { wrapNewTermsAlerts } from './wrap_new_terms_alerts';
|
||||
|
|
@ -46,7 +46,7 @@ import { multiTermsComposite } from './multi_terms_composite';
|
|||
import type { GenericBulkCreateResponse } from '../utils/bulk_create_with_suppression';
|
||||
|
||||
export const createNewTermsAlertType = (
|
||||
createOptions: CreateRuleOptions & CreateRuleAdditionalOptions
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<NewTermsRuleParams, {}, {}, 'default'> => {
|
||||
const { logger, licensing, experimentalFeatures, scheduleNotificationResponseActionsService } =
|
||||
createOptions;
|
||||
|
|
@ -415,13 +415,11 @@ export const createNewTermsAlertType = (
|
|||
afterKey = searchResultWithAggs.aggregations.new_terms.after_key;
|
||||
}
|
||||
|
||||
if (scheduleNotificationResponseActionsService) {
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
}
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
|
||||
return { ...result, state };
|
||||
},
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ import type { UnifiedQueryRuleParams } from '../../rule_schema';
|
|||
import type { ExperimentalFeatures } from '../../../../../common/experimental_features';
|
||||
import { buildReasonMessageForQueryAlert } from '../utils/reason_formatters';
|
||||
import { withSecuritySpan } from '../../../../utils/with_security_span';
|
||||
import type { CreateRuleAdditionalOptions, RunOpts } from '../types';
|
||||
import type { CreateRuleOptions, RunOpts } from '../types';
|
||||
|
||||
export const queryExecutor = async ({
|
||||
runOpts,
|
||||
|
|
@ -42,7 +42,7 @@ export const queryExecutor = async ({
|
|||
version: string;
|
||||
spaceId: string;
|
||||
bucketHistory?: BucketHistory[];
|
||||
scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService'];
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
licensing: LicensingPluginSetup;
|
||||
}) => {
|
||||
const completeRule = runOpts.completeRule;
|
||||
|
|
@ -98,13 +98,11 @@ export const queryExecutor = async ({
|
|||
state: {},
|
||||
};
|
||||
|
||||
if (scheduleNotificationResponseActionsService) {
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
}
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
|
||||
return result;
|
||||
});
|
||||
|
|
|
|||
|
|
@ -19,7 +19,8 @@ import { validateIndexPatterns } from '../utils';
|
|||
export const createThresholdAlertType = (
|
||||
createOptions: CreateRuleOptions
|
||||
): SecurityAlertType<ThresholdRuleParams, ThresholdAlertState, {}, 'default'> => {
|
||||
const { version, licensing, experimentalFeatures } = createOptions;
|
||||
const { version, licensing, experimentalFeatures, scheduleNotificationResponseActionsService } =
|
||||
createOptions;
|
||||
return {
|
||||
id: THRESHOLD_RULE_TYPE_ID,
|
||||
name: 'Threshold Rule',
|
||||
|
|
@ -102,6 +103,7 @@ export const createThresholdAlertType = (
|
|||
runOpts: execOptions.runOpts,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
});
|
||||
return result;
|
||||
},
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ jest.mock('../utils/get_filter', () => ({ getFilter: jest.fn() }));
|
|||
describe('threshold_executor', () => {
|
||||
let alertServices: RuleExecutorServicesMock;
|
||||
let ruleExecutionLogger: ReturnType<typeof ruleExecutionLogMock.forExecutors.create>;
|
||||
|
||||
let mockScheduledNotificationResponseAction: jest.Mock;
|
||||
const version = '8.0.0';
|
||||
const params = getThresholdRuleParams();
|
||||
const thresholdCompleteRule = getCompleteRuleMock<ThresholdRuleParams>(params);
|
||||
|
|
@ -54,6 +54,7 @@ describe('threshold_executor', () => {
|
|||
ruleName: thresholdCompleteRule.ruleConfig.name,
|
||||
ruleType: thresholdCompleteRule.ruleConfig.ruleTypeId,
|
||||
});
|
||||
mockScheduledNotificationResponseAction = jest.fn();
|
||||
});
|
||||
|
||||
describe('thresholdExecutor', () => {
|
||||
|
|
@ -113,6 +114,7 @@ describe('threshold_executor', () => {
|
|||
runOpts: {} as RunOpts<ThresholdRuleParams>,
|
||||
licensing,
|
||||
experimentalFeatures: {} as ExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(response.state).toEqual({
|
||||
initialized: true,
|
||||
|
|
@ -178,6 +180,7 @@ describe('threshold_executor', () => {
|
|||
runOpts: {} as RunOpts<ThresholdRuleParams>,
|
||||
licensing,
|
||||
experimentalFeatures: {} as ExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(result.warningMessages).toEqual([
|
||||
`The following exceptions won't be applied to rule execution: ${
|
||||
|
|
@ -185,5 +188,46 @@ describe('threshold_executor', () => {
|
|||
}`,
|
||||
]);
|
||||
});
|
||||
it('should call scheduleNotificationResponseActionsService', async () => {
|
||||
const ruleDataClientMock = createRuleDataClientMock();
|
||||
const state = {
|
||||
initialized: true,
|
||||
signalHistory: {},
|
||||
};
|
||||
const result = await thresholdExecutor({
|
||||
completeRule: thresholdCompleteRule,
|
||||
tuple,
|
||||
services: alertServices,
|
||||
state,
|
||||
version,
|
||||
ruleExecutionLogger,
|
||||
startedAt: new Date(),
|
||||
bulkCreate: jest.fn().mockImplementation((hits) => ({
|
||||
errors: [],
|
||||
success: true,
|
||||
bulkCreateDuration: '0',
|
||||
createdItemsCount: 0,
|
||||
createdItems: [],
|
||||
})),
|
||||
wrapHits: jest.fn(),
|
||||
ruleDataClient: ruleDataClientMock,
|
||||
runtimeMappings: {},
|
||||
inputIndex: ['auditbeat-*'],
|
||||
primaryTimestamp: TIMESTAMP,
|
||||
aggregatableTimestampField: TIMESTAMP,
|
||||
exceptionFilter: undefined,
|
||||
unprocessedExceptions: [getExceptionListItemSchemaMock()],
|
||||
spaceId: 'default',
|
||||
runOpts: {} as RunOpts<ThresholdRuleParams>,
|
||||
licensing,
|
||||
experimentalFeatures: {} as ExperimentalFeatures,
|
||||
scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction,
|
||||
});
|
||||
expect(mockScheduledNotificationResponseAction).toBeCalledWith({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: thresholdCompleteRule.ruleParams.responseActions,
|
||||
});
|
||||
});
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ import type {
|
|||
SearchAfterAndBulkCreateReturnType,
|
||||
WrapHits,
|
||||
RunOpts,
|
||||
CreateRuleOptions,
|
||||
} from '../types';
|
||||
import type { ThresholdAlertState, ThresholdSignalHistory } from './types';
|
||||
import {
|
||||
|
|
@ -68,6 +69,7 @@ export const thresholdExecutor = async ({
|
|||
runOpts,
|
||||
licensing,
|
||||
experimentalFeatures,
|
||||
scheduleNotificationResponseActionsService,
|
||||
}: {
|
||||
inputIndex: string[];
|
||||
runtimeMappings: estypes.MappingRuntimeFields | undefined;
|
||||
|
|
@ -90,6 +92,7 @@ export const thresholdExecutor = async ({
|
|||
runOpts: RunOpts<ThresholdRuleParams>;
|
||||
licensing: LicensingPluginSetup;
|
||||
experimentalFeatures: ExperimentalFeatures;
|
||||
scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService'];
|
||||
}): Promise<SearchAfterAndBulkCreateReturnType & { state: ThresholdAlertState }> => {
|
||||
const result = createSearchAfterReturnType();
|
||||
const ruleParams = completeRule.ruleParams;
|
||||
|
|
@ -209,7 +212,11 @@ export const thresholdExecutor = async ({
|
|||
result.errors.push(...searchErrors);
|
||||
result.warningMessages.push(...warnings);
|
||||
result.searchAfterTimes = searchDurations;
|
||||
|
||||
scheduleNotificationResponseActionsService({
|
||||
signals: result.createdSignals,
|
||||
signalsCount: result.createdSignalsCount,
|
||||
responseActions: completeRule.ruleParams.responseActions,
|
||||
});
|
||||
return {
|
||||
...result,
|
||||
state: {
|
||||
|
|
|
|||
|
|
@ -163,6 +163,7 @@ export interface CreateRuleOptions {
|
|||
eventsTelemetry?: ITelemetryEventsSender | undefined;
|
||||
version: string;
|
||||
licensing: LicensingPluginSetup;
|
||||
scheduleNotificationResponseActionsService: (params: ScheduleNotificationActions) => void;
|
||||
}
|
||||
|
||||
export interface ScheduleNotificationActions {
|
||||
|
|
@ -171,11 +172,7 @@ export interface ScheduleNotificationActions {
|
|||
responseActions: RuleResponseAction[] | undefined;
|
||||
}
|
||||
|
||||
export interface CreateRuleAdditionalOptions {
|
||||
scheduleNotificationResponseActionsService?: (params: ScheduleNotificationActions) => void;
|
||||
}
|
||||
|
||||
export interface CreateQueryRuleOptions extends CreateRuleOptions, CreateRuleAdditionalOptions {
|
||||
export interface CreateQueryRuleOptions extends CreateRuleOptions {
|
||||
id: typeof QUERY_RULE_TYPE_ID | typeof SAVED_QUERY_RULE_TYPE_ID;
|
||||
name: 'Custom Query Rule' | 'Saved Query Rule';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -76,10 +76,7 @@ import { PolicyWatcher } from './endpoint/lib/policy/license_watch';
|
|||
import previewPolicy from './lib/detection_engine/routes/index/preview_policy.json';
|
||||
import type { IRuleMonitoringService } from './lib/detection_engine/rule_monitoring';
|
||||
import { createRuleMonitoringService } from './lib/detection_engine/rule_monitoring';
|
||||
import type {
|
||||
CreateRuleAdditionalOptions,
|
||||
CreateRuleOptions,
|
||||
} from './lib/detection_engine/rule_types/types';
|
||||
import type { CreateRuleOptions } from './lib/detection_engine/rule_types/types';
|
||||
// eslint-disable-next-line no-restricted-imports
|
||||
import {
|
||||
isLegacyNotificationRuleExecutor,
|
||||
|
|
@ -280,6 +277,10 @@ export class Plugin implements ISecuritySolutionPlugin {
|
|||
eventsTelemetry: this.telemetryEventsSender,
|
||||
version: pluginContext.env.packageInfo.version,
|
||||
licensing: plugins.licensing,
|
||||
scheduleNotificationResponseActionsService: getScheduleNotificationResponseActionsService({
|
||||
endpointAppContextService: this.endpointAppContextService,
|
||||
osqueryCreateActionService: plugins.osquery.createActionService,
|
||||
}),
|
||||
};
|
||||
|
||||
const ruleDataServiceOptions = {
|
||||
|
|
@ -321,28 +322,18 @@ export class Plugin implements ISecuritySolutionPlugin {
|
|||
analytics: core.analytics,
|
||||
};
|
||||
|
||||
const ruleAdditionalOptions: CreateRuleAdditionalOptions = {
|
||||
scheduleNotificationResponseActionsService: getScheduleNotificationResponseActionsService({
|
||||
endpointAppContextService: this.endpointAppContextService,
|
||||
osqueryCreateActionService: plugins.osquery.createActionService,
|
||||
}),
|
||||
};
|
||||
|
||||
const securityRuleTypeWrapper = createSecurityRuleTypeWrapper(securityRuleTypeOptions);
|
||||
|
||||
plugins.alerting.registerType(
|
||||
securityRuleTypeWrapper(createEqlAlertType({ ...ruleOptions, ...ruleAdditionalOptions }))
|
||||
);
|
||||
plugins.alerting.registerType(securityRuleTypeWrapper(createEqlAlertType({ ...ruleOptions })));
|
||||
if (!experimentalFeatures.esqlRulesDisabled) {
|
||||
plugins.alerting.registerType(
|
||||
securityRuleTypeWrapper(createEsqlAlertType({ ...ruleOptions, ...ruleAdditionalOptions }))
|
||||
securityRuleTypeWrapper(createEsqlAlertType({ ...ruleOptions }))
|
||||
);
|
||||
}
|
||||
plugins.alerting.registerType(
|
||||
securityRuleTypeWrapper(
|
||||
createQueryAlertType({
|
||||
...ruleOptions,
|
||||
...ruleAdditionalOptions,
|
||||
id: SAVED_QUERY_RULE_TYPE_ID,
|
||||
name: 'Saved Query Rule',
|
||||
})
|
||||
|
|
@ -356,7 +347,6 @@ export class Plugin implements ISecuritySolutionPlugin {
|
|||
securityRuleTypeWrapper(
|
||||
createQueryAlertType({
|
||||
...ruleOptions,
|
||||
...ruleAdditionalOptions,
|
||||
id: QUERY_RULE_TYPE_ID,
|
||||
name: 'Custom Query Rule',
|
||||
})
|
||||
|
|
@ -364,7 +354,7 @@ export class Plugin implements ISecuritySolutionPlugin {
|
|||
);
|
||||
plugins.alerting.registerType(securityRuleTypeWrapper(createThresholdAlertType(ruleOptions)));
|
||||
plugins.alerting.registerType(
|
||||
securityRuleTypeWrapper(createNewTermsAlertType({ ...ruleOptions, ...ruleAdditionalOptions }))
|
||||
securityRuleTypeWrapper(createNewTermsAlertType({ ...ruleOptions }))
|
||||
);
|
||||
|
||||
// TODO We need to get the endpoint routes inside of initRoutes
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue