[EDR Workflows] Automated Actions in more rule types #191874

Merged: 50 commits, Sep 18, 2024
Changes shown from 39 commits

Commits
5fb4a70 response actions in eql and esql rules (tomsonpl, Aug 30, 2024)
96c92ed Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 2, 2024)
2b342da limit to esql and eql (tomsonpl, Sep 2, 2024)
0db366d add type (tomsonpl, Sep 2, 2024)
e9b272c fix types (tomsonpl, Sep 2, 2024)
45c6f9a fix cy test (tomsonpl, Sep 2, 2024)
a07a932 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 2, 2024)
90990df [CI] Auto-commit changed files from 'yarn openapi:bundle' (kibanamachine, Sep 2, 2024)
5c3701b [CI] Auto-commit changed files from 'node scripts/eslint --no-cache -… (kibanamachine, Sep 2, 2024)
3a983f9 snapshots (tomsonpl, Sep 2, 2024)
ac7010c Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 2, 2024)
62f3045 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 3, 2024)
e3cef1a fix (tomsonpl, Sep 3, 2024)
28a93d2 rename type (tomsonpl, Sep 3, 2024)
f566043 roll back ThresholdRule position (maximpn, Sep 3, 2024)
e878208 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 9, 2024)
4e3be88 pass response actions to more rules (tomsonpl, Sep 9, 2024)
4bdb90c Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 9, 2024)
9453127 [CI] Auto-commit changed files from 'yarn openapi:bundle' (kibanamachine, Sep 9, 2024)
a73360b [CI] Auto-commit changed files from 'node scripts/eslint --no-cache -… (kibanamachine, Sep 9, 2024)
8cd270d fix tests, remove TypeSpecificFields filter (tomsonpl, Sep 9, 2024)
f989c37 Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 9, 2024)
64dffe1 fix e2e (tomsonpl, Sep 10, 2024)
3e46918 fix header (tomsonpl, Sep 10, 2024)
3977af5 temporary hide other rule types - intermediate release (tomsonpl, Sep 11, 2024)
eac4b45 intermediate release - comment out e2e test (tomsonpl, Sep 11, 2024)
cab1f84 Update form.cy.ts (tomsonpl, Sep 11, 2024)
618982b Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 11, 2024)
3fc2bcf feature flag (tomsonpl, Sep 12, 2024)
708905a fix (tomsonpl, Sep 12, 2024)
28e37f2 fixes (tomsonpl, Sep 12, 2024)
a27a0dd Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 12, 2024)
07a573c [CI] Auto-commit changed files from 'node scripts/eslint --no-cache -… (kibanamachine, Sep 12, 2024)
16a534c fix (tomsonpl, Sep 12, 2024)
2f79a3d Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 13, 2024)
6f0e36e use TypeSpecificCreatePropsInternal instead of TypeSpecificFields (tomsonpl, Sep 13, 2024)
c1536b9 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 13, 2024)
81fc160 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 13, 2024)
6a39a14 Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 16, 2024)
ebf458d Merge branch 'main' into automated-in-all-rules (tomsonpl, Sep 18, 2024)
ee68d55 move back response_actions to typespecific rules (tomsonpl, Sep 18, 2024)
1dc5cf4 move condition logic to scheduleNotificationResponseActionsService (tomsonpl, Sep 18, 2024)
412e456 Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 18, 2024)
69d9cd0 tests (tomsonpl, Sep 18, 2024)
d787d0a [CI] Auto-commit changed files from 'yarn openapi:bundle' (kibanamachine, Sep 18, 2024)
e2680e9 fix (tomsonpl, Sep 18, 2024)
6215ded Merge remote-tracking branch 'origin/automated-in-all-rules' into aut… (tomsonpl, Sep 18, 2024)
87c0c8b fix tests (tomsonpl, Sep 18, 2024)
2b7c7f4 fix license header again (tomsonpl, Sep 18, 2024)
ade46fd remove redundant spaces (tomsonpl, Sep 18, 2024)
Expand Up @@ -68,13 +68,13 @@ import {
SavedQueryId,
KqlQueryLanguage,
} from './common_attributes.gen';
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
import { RuleExecutionSummary } from '../../rule_monitoring/model/execution_summary.gen';
import {
EventCategoryOverride,
TiebreakerField,
TimestampField,
} from './specific_attributes/eql_attributes.gen';
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
import {
Threshold,
ThresholdAlertSuppression,
Expand Down Expand Up @@ -117,6 +117,7 @@ export const BaseOptionalFields = z.object({
meta: RuleMetadata.optional(),
investigation_fields: InvestigationFields.optional(),
throttle: RuleActionThrottle.optional(),
response_actions: z.array(ResponseAction).optional(),
});

export type BaseDefaultableFields = z.infer<typeof BaseDefaultableFields>;
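Review bot: adding `response_actions: z.array(ResponseAction).optional()` to `BaseOptionalFields` means the API now accepts the field on every rule type, including ones the form never shows it for (the UI gate `shouldShowResponseActions` below covers only query, ESQL, EQL and new terms rules, and the extra three only behind a flag). Without a matching check at the API boundary or in the scheduling service, a rule created through the API with response actions on an unsupported type is stored silently and either never runs them or runs them in a path that was not exercised in tests; keep the server-side validation independent of the UI. Note also that this view is from 39 of the 50 commits and that a later commit, ee68d55 "move back response_actions to typespecific rules", reverses this placement, so the merged diff rather than this snapshot should be the one reviewed.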
Expand Down Expand Up @@ -261,7 +262,6 @@ export const QueryRuleOptionalFields = z.object({
data_view_id: DataViewId.optional(),
filters: RuleFilterArray.optional(),
saved_id: SavedQueryId.optional(),
response_actions: z.array(ResponseAction).optional(),
alert_suppression: AlertSuppression.optional(),
});

Expand Down Expand Up @@ -312,7 +312,6 @@ export const SavedQueryRuleOptionalFields = z.object({
index: IndexPatternArray.optional(),
data_view_id: DataViewId.optional(),
filters: RuleFilterArray.optional(),
response_actions: z.array(ResponseAction).optional(),
alert_suppression: AlertSuppression.optional(),
query: RuleQuery.optional(),
});
Expand Up @@ -73,6 +73,12 @@ components:
# Throttle
throttle:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleActionThrottle'
# Response Actions
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'


BaseDefaultableFields:
x-inline: true
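Review bot: the new `response_actions` block leaves two blank lines before `BaseDefaultableFields:` where the surrounding schema separates entries with one; trim it so the YAML matches its neighbours. This schema is the source for the generated zod file, so the same caveat applies here: the field is now accepted for every rule type at the API boundary, and the YAML should carry a `description` stating which rule types actually execute response actions if that restriction is meant to be part of the contract.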
Expand Down Expand Up @@ -354,10 +360,6 @@ components:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
saved_id:
$ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'

Expand Down Expand Up @@ -435,10 +437,6 @@ components:
$ref: './common_attributes.schema.yaml#/components/schemas/DataViewId'
filters:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
query:
Expand Up @@ -93,3 +93,15 @@ export const isSuppressionRuleConfiguredWithMissingFields = (ruleType: Type) =>
export const isSuppressionRuleInGA = (ruleType: Type): boolean => {
return isSuppressibleAlertRule(ruleType) && SUPPRESSIBLE_ALERT_RULES_GA.includes(ruleType);
};

export const shouldShowResponseActions = (
ruleType: Type | undefined,
automatedResponseActionsForMoreRulesEnabled: boolean
) => {
return automatedResponseActionsForMoreRulesEnabled
? isQueryRule(ruleType) ||
isEsqlRule(ruleType) ||
isEqlRule(ruleType) ||
isNewTermsRule(ruleType)
: isQueryRule(ruleType);
};
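Review bot: `shouldShowResponseActions` only decides what the form displays, while the commit "move condition logic to scheduleNotificationResponseActionsService" indicates the server keeps its own rule-type check; the two predicates (same four rule types, same `automatedResponseActionsForMoreRulesEnabled` flag) must stay in lock-step, or rules created through the API will carry response actions the UI cannot display or edit. Consider deriving both from one shared list of supported rule types so the flag removal mentioned in the discussion below has to happen in one place only.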
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel the following representation of the logic is a bit clearer.

Suggested change
return automatedResponseActionsForMoreRulesEnabled
? isQueryRule(ruleType) ||
isEsqlRule(ruleType) ||
isEqlRule(ruleType) ||
isNewTermsRule(ruleType)
: isQueryRule(ruleType);
};
return isQueryRule(ruleType) || (automatedResponseActionsForMoreRulesEnabled && (isEsqlRule(ruleType) || isEqlRule(ruleType) || isNewTermsRule(ruleType)))
};

The current implementation reads as "show response actions if the feature flag is true, then is it one of these rule types; if not, is it a query rule".

I think my suggestion is a bit clearer: "show response actions if it's a query rule, or the feature flag is enabled AND it's one of these rule types".

Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, this makes sense to me too 👍 However, I need to mention that the feature flag will get removed in the following serverless release.

Expand Up @@ -52,6 +52,11 @@ export const allowedExperimentalValues = Object.freeze({
*/
automatedProcessActionsEnabled: true,

/**
* Temporary feature flag to enable the Response Actions in Rules UI - intermediate release
*/
automatedResponseActionsForMoreRulesEnabled: false,

/**
* Enables the ability to send Response actions to SentinelOne and persist the results
* in ES. Adds API changes to support `agentType` and supports `isolate` and `release`
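Review bot: `automatedResponseActionsForMoreRulesEnabled` defaults to `false`, so the ESQL, EQL and new terms rule types stay hidden in this release, matching the "temporary hide other rule types - intermediate release" commit. The doc comment should state when the flag is due to be removed (the author says the next serverless release) so a temporary entry does not linger in `allowedExperimentalValues`, and since the flag is read in the UI predicate, confirm the server-side scheduling path consults the same flag, otherwise rules created via the API behave differently from ones created in the form.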