[Security Solution][Detections] Add rule overrides for single event EQL rules (#78876) (#79033)

* Add buildRuleWithOverrides function for single event EQL queries

* Disable rule overrides for all sequence signals

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Author: marshallmain

x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_eql.json

@@ -25,6 +25,7 @@
   "from": "now-300m",
   "severity": "high",
   "type": "eql",
+  "language": "eql",
   "threat": [
     {
       "framework": "MITRE ATT&CK",

x-pack/plugins/security_solution/server/lib/detection_engine/signals/__mocks__/es_results.ts

@@ -22,6 +22,7 @@ import { RuleTypeParams } from '../../types';
 import { IRuleStatusAttributes } from '../../rules/types';
 import { ruleStatusSavedObjectType } from '../../rules/saved_object_mappings';
 import { getListArrayMock } from '../../../../../common/detection_engine/schemas/types/lists.mock';
+import { RulesSchema } from '../../../../../common/detection_engine/schemas/response';
 
 export const sampleRuleAlertParams = (
   maxSignals?: number | undefined,
@@ -92,6 +93,46 @@ export const sampleRuleSO = (): SavedObject<RuleAlertAttributes> => {
   };
 };
 
+export const expectedRule = (): RulesSchema => {
+  return {
+    actions: [],
+    author: ['Elastic'],
+    building_block_type: 'default',
+    id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
+    rule_id: 'rule-1',
+    false_positives: [],
+    max_signals: 10000,
+    risk_score: 50,
+    risk_score_mapping: [],
+    output_index: '.siem-signals',
+    description: 'Detecting root and admin users',
+    from: 'now-6m',
+    immutable: false,
+    index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
+    interval: '5m',
+    language: 'kuery',
+    license: 'Elastic License',
+    name: 'rule-name',
+    query: 'user.name: root or user.name: admin',
+    references: ['http://google.com'],
+    severity: 'high',
+    severity_mapping: [],
+    tags: ['some fake tag 1', 'some fake tag 2'],
+    threat: [],
+    type: 'query',
+    to: 'now',
+    note: '',
+    enabled: true,
+    created_by: 'sample user',
+    updated_by: 'sample user',
+    version: 1,
+    updated_at: '2020-03-27T22:55:59.577Z',
+    created_at: '2020-03-27T22:55:59.577Z',
+    throttle: 'no_actions',
+    exceptions_list: getListArrayMock(),
+  };
+};
+
 export const sampleDocNoSortIdNoVersion = (someUuid: string = sampleIdGuid): SignalSourceHit => ({
   _index: 'myFakeSignalIndex',
   _type: 'doc',

x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.test.ts

@@ -546,7 +546,7 @@ describe('buildSignalFromEvent', () => {
     const ancestor = sampleDocWithAncestors().hits.hits[0];
     delete ancestor._source.source;
     const ruleSO = sampleRuleSO();
-    const signal = buildSignalFromEvent(ancestor, ruleSO);
+    const signal = buildSignalFromEvent(ancestor, ruleSO, true);
     // Timestamp will potentially always be different so remove it for the test
     // @ts-expect-error
     delete signal['@timestamp'];

x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts

@@ -13,7 +13,7 @@ import {
   BaseSignalHit,
   SignalSource,
 } from './types';
-import { buildRule, buildRuleWithoutOverrides } from './build_rule';
+import { buildRule, buildRuleWithoutOverrides, buildRuleWithOverrides } from './build_rule';
 import { additionalSignalFields, buildSignal } from './build_signal';
 import { buildEventTypeSignal } from './build_event_type_signal';
 import { RuleAlertAction } from '../../../../common/detection_engine/types';
@@ -97,7 +97,7 @@ export const buildSignalGroupFromSequence = (
 ): BaseSignalHit[] => {
   const wrappedBuildingBlocks = wrapBuildingBlocks(
     sequence.events.map((event) => {
-      const signal = buildSignalFromEvent(event, ruleSO);
+      const signal = buildSignalFromEvent(event, ruleSO, false);
       signal.signal.rule.building_block_type = 'default';
       return signal;
     }),
@@ -147,9 +147,12 @@ export const buildSignalFromSequence = (
 
 export const buildSignalFromEvent = (
   event: BaseSignalHit,
-  ruleSO: SavedObject<RuleAlertAttributes>
+  ruleSO: SavedObject<RuleAlertAttributes>,
+  applyOverrides: boolean
 ): SignalHit => {
-  const rule = buildRuleWithoutOverrides(ruleSO);
+  const rule = applyOverrides
+    ? buildRuleWithOverrides(ruleSO, event._source)
+    : buildRuleWithoutOverrides(ruleSO);
   const signal = {
     ...buildSignal([event], rule),
     ...additionalSignalFields(event),

x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_rule.test.ts

@@ -4,12 +4,19 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { buildRule, removeInternalTagsFromRule, buildRuleWithoutOverrides } from './build_rule';
+import {
+  buildRule,
+  removeInternalTagsFromRule,
+  buildRuleWithOverrides,
+  buildRuleWithoutOverrides,
+} from './build_rule';
 import {
   sampleDocNoSortId,
   sampleRuleAlertParams,
   sampleRuleGuid,
   sampleRuleSO,
+  expectedRule,
+  sampleDocSeverity,
 } from './__mocks__/es_results';
 import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
 import { getListArrayMock } from '../../../../common/detection_engine/schemas/types/lists.mock';
@@ -312,43 +319,7 @@ describe('buildRuleWithoutOverrides', () => {
   test('builds a rule using rule SO', () => {
     const ruleSO = sampleRuleSO();
     const rule = buildRuleWithoutOverrides(ruleSO);
-    expect(rule).toEqual({
-      actions: [],
-      author: ['Elastic'],
-      building_block_type: 'default',
-      id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
-      rule_id: 'rule-1',
-      false_positives: [],
-      max_signals: 10000,
-      risk_score: 50,
-      risk_score_mapping: [],
-      output_index: '.siem-signals',
-      description: 'Detecting root and admin users',
-      from: 'now-6m',
-      immutable: false,
-      index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
-      interval: '5m',
-      language: 'kuery',
-      license: 'Elastic License',
-      name: 'rule-name',
-      query: 'user.name: root or user.name: admin',
-      references: ['http://google.com'],
-      severity: 'high',
-      severity_mapping: [],
-      tags: ['some fake tag 1', 'some fake tag 2'],
-      threat: [],
-      type: 'query',
-      to: 'now',
-      note: '',
-      enabled: true,
-      created_by: 'sample user',
-      updated_by: 'sample user',
-      version: 1,
-      updated_at: ruleSO.updated_at ?? '',
-      created_at: ruleSO.attributes.createdAt,
-      throttle: 'no_actions',
-      exceptions_list: getListArrayMock(),
-    });
+    expect(rule).toEqual(expectedRule());
   });
 
   test('builds a rule using rule SO and removes internal tags', () => {
@@ -360,42 +331,110 @@ describe('buildRuleWithoutOverrides', () => {
       `${INTERNAL_IMMUTABLE_KEY}:true`,
     ];
     const rule = buildRuleWithoutOverrides(ruleSO);
-    expect(rule).toEqual({
-      actions: [],
-      author: ['Elastic'],
-      building_block_type: 'default',
-      id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
-      rule_id: 'rule-1',
-      false_positives: [],
-      max_signals: 10000,
-      risk_score: 50,
-      risk_score_mapping: [],
-      output_index: '.siem-signals',
-      description: 'Detecting root and admin users',
-      from: 'now-6m',
-      immutable: false,
-      index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
-      interval: '5m',
-      language: 'kuery',
-      license: 'Elastic License',
-      name: 'rule-name',
-      query: 'user.name: root or user.name: admin',
-      references: ['http://google.com'],
-      severity: 'high',
-      severity_mapping: [],
-      tags: ['some fake tag 1', 'some fake tag 2'],
-      threat: [],
-      type: 'query',
-      to: 'now',
-      note: '',
-      enabled: true,
-      created_by: 'sample user',
-      updated_by: 'sample user',
-      version: 1,
-      updated_at: ruleSO.updated_at ?? '',
-      created_at: ruleSO.attributes.createdAt,
-      throttle: 'no_actions',
-      exceptions_list: getListArrayMock(),
-    });
+    expect(rule).toEqual(expectedRule());
+  });
+});
+
+describe('buildRuleWithOverrides', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  test('it builds a rule as expected with filters present', () => {
+    const ruleSO = sampleRuleSO();
+    ruleSO.attributes.params.filters = [
+      {
+        query: 'host.name: Rebecca',
+      },
+      {
+        query: 'host.name: Evan',
+      },
+      {
+        query: 'host.name: Braden',
+      },
+    ];
+    const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
+    const expected: RulesSchema = {
+      ...expectedRule(),
+      filters: ruleSO.attributes.params.filters,
+    };
+    expect(rule).toEqual(expected);
+  });
+
+  test('it builds a rule and removes internal tags', () => {
+    const ruleSO = sampleRuleSO();
+    ruleSO.attributes.tags = [
+      'some fake tag 1',
+      'some fake tag 2',
+      `${INTERNAL_RULE_ID_KEY}:rule-1`,
+      `${INTERNAL_IMMUTABLE_KEY}:true`,
+    ];
+    const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
+    expect(rule).toEqual(expectedRule());
+  });
+
+  test('it applies rule name override in buildRule', () => {
+    const ruleSO = sampleRuleSO();
+    ruleSO.attributes.params.ruleNameOverride = 'someKey';
+    const rule = buildRuleWithOverrides(ruleSO, sampleDocNoSortId()._source);
+    const expected = {
+      ...expectedRule(),
+      name: 'someValue',
+      rule_name_override: 'someKey',
+      meta: {
+        ruleNameOverridden: true,
+      },
+    };
+    expect(rule).toEqual(expected);
+  });
+
+  test('it applies risk score override in buildRule', () => {
+    const newRiskScore = 79;
+    const ruleSO = sampleRuleSO();
+    ruleSO.attributes.params.riskScoreMapping = [
+      {
+        field: 'new_risk_score',
+        // value and risk_score aren't used for anything but are required in the schema
+        value: '',
+        operator: 'equals',
+        risk_score: undefined,
+      },
+    ];
+    const doc = sampleDocNoSortId();
+    doc._source.new_risk_score = newRiskScore;
+    const rule = buildRuleWithOverrides(ruleSO, doc._source);
+    const expected = {
+      ...expectedRule(),
+      risk_score: newRiskScore,
+      risk_score_mapping: ruleSO.attributes.params.riskScoreMapping,
+      meta: {
+        riskScoreOverridden: true,
+      },
+    };
+    expect(rule).toEqual(expected);
+  });
+
+  test('it applies severity override in buildRule', () => {
+    const eventSeverity = '42';
+    const ruleSO = sampleRuleSO();
+    ruleSO.attributes.params.severityMapping = [
+      {
+        field: 'event.severity',
+        value: eventSeverity,
+        operator: 'equals',
+        severity: 'critical',
+      },
+    ];
+    const doc = sampleDocSeverity(Number(eventSeverity));
+    const rule = buildRuleWithOverrides(ruleSO, doc._source);
+    const expected = {
+      ...expectedRule(),
+      severity: 'critical',
+      severity_mapping: ruleSO.attributes.params.severityMapping,
+      meta: {
+        severityOverrideField: 'event.severity',
+      },
+    };
+    expect(rule).toEqual(expected);
   });
 });