[Security Solution] Enable Detections API bundling in build pipeline (#188436)

**Addresses**: https://github.com/elastic/kibana/issues/184428
**Relates to**: https://github.com/elastic/kibana/pull/186384

## Summary

This PR enables Detections API OpenAPI bundling in build pipeline. It also fixes wrong references which weren't caught by the OpenAPI Linter and code generator.

For some reason https://github.com/elastic/kibana/pull/186384 didn't enable OpenAPI bundling by including `.buildkite/scripts/steps/openapi_bundling/security_solution_openapi_bundling.sh` into `.buildkite/scripts/steps/checks.sh`.
Maxim Palenov 2024-07-17 15:04:50 +02:00 committed by GitHub
parent cf83062407
commit bd0aab6dde
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 1793 additions and 38 deletions


@ -13,4 +13,5 @@ fi
.buildkite/scripts/steps/capture_oas_snapshot.sh
.buildkite/scripts/steps/code_generation/elastic_assistant_codegen.sh
.buildkite/scripts/steps/code_generation/security_solution_codegen.sh
.buildkite/scripts/steps/openapi_bundling/security_solution_openapi_bundling.sh
.buildkite/scripts/steps/code_generation/osquery_codegen.sh
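Review bot: The step added here only catches broken `$ref` paths like the ones this PR fixes if `security_solution_openapi_bundling.sh` exits non-zero when the bundler cannot resolve a reference; that script is outside this hunk, so it is worth confirming it does not swallow the bundler's exit status. The bundle this step produces, as committed in this PR, ends with `tags: !<tag:yaml.org,2002:js/undefined> ''` (last hunk of the bundled schema file), which is not a valid OpenAPI `tags` value and is rejected by safe YAML loaders that do not know the `js/undefined` tag; the bundler should emit `tags: []` or omit the key, and a lint pass over the bundled output in this same step would have flagged it before it was committed. A minor ordering point: the new line sits between two `code_generation` scripts, and placing it after `osquery_codegen.sh` keeps the code-generation steps contiguous.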


@ -39,20 +39,20 @@ paths:
application/json:
schema:
oneOf:
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
- $ref: '../../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
$ref: '../../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
$ref: '../../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
post:
x-labels: [ess]
@ -89,17 +89,17 @@ paths:
application/json:
schema:
oneOf:
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
- $ref: '../../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
$ref: '../../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
$ref: '../../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
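Review bot: The response-status keys in both hunks (`401:`, `500:`) are plain scalars, which YAML parses as integers, while the OpenAPI Responses Object requires string keys; the bundled output in this same commit already normalises them to `'401':` and `'500':`. Quoting them in the source (`'401':` and `'500':`) keeps the hand-written and bundled files consistent and stops the spec from depending on the bundler's key coercion. The same applies to the following file's hunk at `@ -67,20 +67,20 @@`. The `post:` operation at the end of the first hunk continues outside it.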


@ -67,20 +67,20 @@ paths:
application/json:
schema:
oneOf:
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
- $ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
- $ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
401:
description: Unsuccessful authentication response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
$ref: '../../model/error_responses.schema.yaml#/components/schemas/PlatformErrorResponse'
500:
description: Internal server error response
content:
application/json:
schema:
$ref: '../../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
$ref: '../../model/error_responses.schema.yaml#/components/schemas/SiemErrorResponse'
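Review bot: The same external path `../../model/error_responses.schema.yaml#/components/schemas/...` is now repeated three times in this hunk, and this PR exists because such relative paths silently drift when a file moves. Since this file already has a `components:` section (visible at the end of the hunk), the 401 and 500 responses could be declared once under `components/responses` and referenced locally, e.g. `$ref: '#/components/responses/PlatformError'` (name is a suggestion), leaving a single place where the relative path has to be correct. The operation these responses belong to starts before the hunk.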
components:
schemas:


@ -14,6 +14,48 @@ servers:
port:
default: '5601'
paths:
/api/detection_engine/privileges:
get:
description: >
Retrieves whether or not the user is authenticated, and the user's
Kibana
space and index privileges, which determine if the user can create an
index for the Elastic Security alerts generated by
detection engine rules.
operationId: GetPrivileges
responses:
'200':
content:
application/json:
schema:
type: object
properties:
has_encryption_key:
type: boolean
is_authenticated:
type: boolean
required:
- is_authenticated
- has_encryption_key
description: Successful response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/SiemErrorResponse'
description: Internal server error response
summary: Returns user privileges for the Kibana space
tags:
- Privileges API
/api/detection_engine/rules:
delete:
description: Deletes a single rule using the `rule_id` or `id` field.
@ -142,6 +184,7 @@ paths:
- $ref: '#/components/schemas/BulkEnableRules'
- $ref: '#/components/schemas/BulkExportRules'
- $ref: '#/components/schemas/BulkDuplicateRules'
- $ref: '#/components/schemas/BulkManualRuleRun'
- $ref: '#/components/schemas/BulkEditRules'
responses:
'200':
@ -394,6 +437,85 @@ paths:
tags:
- Import/Export API
summary: Imports rules from an `.ndjson` file
/api/detection_engine/rules/preview:
post:
operationId: RulePreview
requestBody:
content:
application/json:
schema:
anyOf:
- allOf:
- $ref: '#/components/schemas/EqlRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/QueryRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/SavedQueryRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/ThresholdRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/ThreatMatchRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/MachineLearningRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/NewTermsRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
- allOf:
- $ref: '#/components/schemas/EsqlRuleCreateProps'
- $ref: '#/components/schemas/RulePreviewParams'
discriminator:
propertyName: type
description: >-
An object containing tags to add or remove and alert ids the changes
will be applied
required: true
responses:
'200':
content:
application/json:
schema:
type: object
properties:
isAborted:
type: boolean
logs:
items:
$ref: '#/components/schemas/RulePreviewLogs'
type: array
previewId:
$ref: '#/components/schemas/NonEmptyString'
required:
- logs
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/PlatformErrorResponse'
- $ref: '#/components/schemas/SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/SiemErrorResponse'
description: Internal server error response
summary: Preview rule alerts generated on specified time range
tags:
- Rule preview API
/api/detection_engine/signals/assignees:
post:
description: Assigns users to alerts.
@ -420,6 +542,175 @@ paths:
'400':
description: Invalid request.
summary: Assigns users to alerts
/api/detection_engine/signals/search:
post:
operationId: SearchAlerts
requestBody:
content:
application/json:
schema:
description: Elasticsearch query and aggregation request
type: object
properties:
_source:
oneOf:
- type: boolean
- type: string
- items:
type: string
type: array
aggs:
additionalProperties: true
type: object
fields:
items:
type: string
type: array
query:
additionalProperties: true
type: object
runtime_mappings:
additionalProperties: true
type: object
size:
minimum: 0
type: integer
sort:
$ref: '#/components/schemas/AlertsSort'
track_total_hits:
type: boolean
description: Search and/or aggregation query
required: true
responses:
'200':
content:
application/json:
schema:
additionalProperties: true
description: Elasticsearch search response
type: object
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/PlatformErrorResponse'
- $ref: '#/components/schemas/SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/SiemErrorResponse'
description: Internal server error response
summary: Find and/or aggregate detection alerts that match the given query
tags:
- Alerts API
/api/detection_engine/signals/status:
post:
operationId: SetAlertsStatus
requestBody:
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/SetAlertsStatusByIds'
- $ref: '#/components/schemas/SetAlertsStatusByQuery'
description: >-
An object containing desired status and explicit alert ids or a query
to select alerts
required: true
responses:
'200':
content:
application/json:
schema:
additionalProperties: true
description: Elasticsearch update by query response
type: object
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/PlatformErrorResponse'
- $ref: '#/components/schemas/SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/SiemErrorResponse'
description: Internal server error response
summary: Sets the status of one or more alerts
tags:
- Alerts API
/api/detection_engine/signals/tags:
post:
operationId: ManageAlertTags
requestBody:
content:
application/json:
schema:
type: object
properties:
ids:
$ref: '#/components/schemas/AlertIds'
tags:
$ref: '#/components/schemas/ManageAlertTags'
required:
- ids
- tags
description: >-
An object containing tags to add or remove and alert ids the changes
will be applied
required: true
responses:
'200':
content:
application/json:
schema:
additionalProperties: true
description: Elasticsearch update by query response
type: object
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/PlatformErrorResponse'
- $ref: '#/components/schemas/SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/SiemErrorResponse'
description: Internal server error response
summary: Manage alert tags for a one or more alerts
tags:
- Alerts API
/api/detection_engine/tags:
get:
operationId: ReadTags
@ -465,6 +756,24 @@ components:
AlertsIndexNamespace:
description: Has no effect.
type: string
AlertsSort:
oneOf:
- $ref: '#/components/schemas/AlertsSortCombinations'
- items:
$ref: '#/components/schemas/AlertsSortCombinations'
type: array
AlertsSortCombinations:
anyOf:
- type: string
- additionalProperties: true
type: object
AlertStatus:
enum:
- open
- closed
- acknowledged
- in-progress
type: string
AlertSuppression:
type: object
properties:
@ -509,6 +818,12 @@ components:
- doNotSuppress
- suppress
type: string
AlertTag:
$ref: '#/components/schemas/NonEmptyString'
AlertTags:
items:
$ref: '#/components/schemas/AlertTag'
type: array
AnomalyThreshold:
description: Anomaly threshold
minimum: 0
@ -647,6 +962,8 @@ components:
- MACHINE_LEARNING_INDEX_PATTERN
- ESQL_INDEX_PATTERN
- INVESTIGATION_FIELDS_FEATURE
- MANUAL_RULE_RUN_FEATURE
- MANUAL_RULE_RUN_DISABLED_RULE
type: string
BulkActionSkipResult:
type: object
@ -860,6 +1177,36 @@ components:
type: string
required:
- action
BulkManualRuleRun:
type: object
properties:
action:
enum:
- run
type: string
ids:
description: Array of rule IDs
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules
type: string
run:
type: object
properties:
end_date:
description: End date of the manual rule run
type: string
start_date:
description: Start date of the manual rule run
type: string
required:
- start_date
required:
- action
- run
ConcurrentSearches:
minimum: 1
type: integer
@ -1885,6 +2232,34 @@ components:
required:
- type
InvestigationFields:
description: >
Schema for fields relating to investigation fields. These are user
defined fields we use to highlight
in various features in the UI such as alert details flyout and
exceptions auto-population from alert.
Added in PR #163235
Right now we only have a single field but anticipate adding more related
fields to store various
configuration states such as `override` - where a user might say if they
want only these fields to
display, or if they want these fields + the fields we select. When
expanding this field, it may look
something like:
```typescript
const investigationFields = z.object({
field_names: NonEmptyArray(NonEmptyString),
override: z.boolean().optional(),
});
```
type: object
properties:
field_names:
@ -2040,7 +2415,9 @@ components:
- $ref: '#/components/schemas/ResponseFields'
- $ref: '#/components/schemas/MachineLearningRuleResponseFields'
MachineLearningRuleCreateFields:
$ref: '#/components/schemas/MachineLearningRuleRequiredFields'
allOf:
- $ref: '#/components/schemas/MachineLearningRuleRequiredFields'
- $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
MachineLearningRuleCreateProps:
allOf:
- type: object
@ -2135,18 +2512,25 @@ components:
- risk_score
- severity
- $ref: '#/components/schemas/MachineLearningRuleCreateFields'
MachineLearningRulePatchFields:
MachineLearningRuleOptionalFields:
type: object
properties:
anomaly_threshold:
$ref: '#/components/schemas/AnomalyThreshold'
machine_learning_job_id:
$ref: '#/components/schemas/MachineLearningJobId'
type:
description: Rule type
enum:
- machine_learning
type: string
alert_suppression:
$ref: '#/components/schemas/AlertSuppression'
MachineLearningRulePatchFields:
allOf:
- type: object
properties:
anomaly_threshold:
$ref: '#/components/schemas/AnomalyThreshold'
machine_learning_job_id:
$ref: '#/components/schemas/MachineLearningJobId'
type:
description: Rule type
enum:
- machine_learning
type: string
- $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
MachineLearningRulePatchProps:
allOf:
- type: object
@ -2255,7 +2639,9 @@ components:
- machine_learning_job_id
- anomaly_threshold
MachineLearningRuleResponseFields:
$ref: '#/components/schemas/MachineLearningRuleRequiredFields'
allOf:
- $ref: '#/components/schemas/MachineLearningRuleRequiredFields'
- $ref: '#/components/schemas/MachineLearningRuleOptionalFields'
MachineLearningRuleUpdateProps:
allOf:
- type: object
@ -2352,6 +2738,16 @@ components:
- risk_score
- severity
- $ref: '#/components/schemas/MachineLearningRuleCreateFields'
ManageAlertTags:
type: object
properties:
tags_to_add:
$ref: '#/components/schemas/AlertTags'
tags_to_remove:
$ref: '#/components/schemas/AlertTags'
required:
- tags_to_add
- tags_to_remove
MaxSignals:
minimum: 1
type: integer
@ -2912,6 +3308,19 @@ components:
required:
- action_type_id
- params
PlatformErrorResponse:
type: object
properties:
error:
type: string
message:
type: string
statusCode:
type: integer
required:
- statusCode
- error
- message
ProcessesParams:
type: object
properties:
@ -3393,6 +3802,63 @@ components:
- severity
- $ref: '#/components/schemas/QueryRuleCreateFields'
RelatedIntegration:
description: >
Related integration is a potential dependency of a rule. It's assumed
that if the user installs
one of the related integrations of a rule, the rule might start to work
properly because it will
have source events (generated by this integration) potentially matching
the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if
installed, can be
configured differently or generate data that is not necessarily relevant
for this rule.
Related integration is a combination of a Fleet package and (optionally)
one of the
package's "integrations" that this package contains. It is represented
by 3 properties:
- `package`: name of the package (required, unique id)
- `version`: version of the package (required, semver-compatible)
- `integration`: name of the integration of this package (optional, id
within the package)
There are Fleet packages like `windows` that contain only one
integration; in this case,
`integration` should be unspecified. There are also packages like `aws`
and `azure` that contain
several integrations; in this case, `integration` should be specified.
@example
const x: RelatedIntegration = {
package: 'windows',
version: '1.5.x',
};
@example
const x: RelatedIntegration = {
package: 'azure',
version: '~1.1.6',
integration: 'activitylogs',
};
type: object
properties:
integration:
@ -3409,7 +3875,40 @@ components:
$ref: '#/components/schemas/RelatedIntegration'
type: array
RequiredField:
description: Describes an Elasticsearch field that is needed for the rule to function
description: >
Describes an Elasticsearch field that is needed for the rule to
function.
Almost all types of Security rules check source event documents for a
match to some kind of
query or filter. If a document has certain field with certain values,
then it's a match and
the rule will generate an alert.
Required field is an event field that must be present in the source
indices of a given rule.
@example
const standardEcsField: RequiredField = {
name: 'event.action',
type: 'keyword',
ecs: true,
};
@example
const nonEcsField: RequiredField = {
name: 'winlog.event_data.AttributeLDAPDisplayName',
type: 'keyword',
ecs: false,
};
type: object
properties:
ecs:
@ -3779,6 +4278,37 @@ components:
- $ref: '#/components/schemas/MachineLearningRulePatchProps'
- $ref: '#/components/schemas/NewTermsRulePatchProps'
- $ref: '#/components/schemas/EsqlRulePatchProps'
RulePreviewLogs:
type: object
properties:
duration:
description: Execution duration in milliseconds
type: integer
errors:
items:
$ref: '#/components/schemas/NonEmptyString'
type: array
startedAt:
$ref: '#/components/schemas/NonEmptyString'
warnings:
items:
$ref: '#/components/schemas/NonEmptyString'
type: array
required:
- errors
- warnings
- duration
RulePreviewParams:
type: object
properties:
invocationCount:
type: integer
timeframeEnd:
format: date-time
type: string
required:
- invocationCount
- timeframeEnd
RuleQuery:
type: string
RuleReferenceArray:
@ -4303,6 +4833,36 @@ components:
- risk_score
- severity
- $ref: '#/components/schemas/SavedQueryRuleCreateFields'
SetAlertsStatusByIds:
type: object
properties:
signal_ids:
items:
$ref: '#/components/schemas/NonEmptyString'
minItems: 1
type: array
status:
$ref: '#/components/schemas/AlertStatus'
required:
- signal_ids
- status
SetAlertsStatusByQuery:
type: object
properties:
conflicts:
default: abort
enum:
- abort
- proceed
type: string
query:
additionalProperties: true
type: object
status:
$ref: '#/components/schemas/AlertStatus'
required:
- query
- status
SetupGuide:
type: string
Severity:
@ -4334,6 +4894,16 @@ components:
- severity
- value
type: array
SiemErrorResponse:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
SortOrder:
enum:
- asc
@ -5483,3 +6053,4 @@ components:
type: http
security:
- BasicAuth: []
tags: !<tag:yaml.org,2002:js/undefined> ''