From c8b46e87c4d61de4fe046ce5ea0a0b68aad5acf9 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 19 Nov 2024 08:36:29 +1100
Subject: [PATCH] [8.16] [Security Solution] Fixes data normalization in diff algorithms for `threat` and `rule_schedule` fields (#200105) (#200645)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution] Fixes data normalization in diff algorithms for `threat` and `rule_schedule` fields (#200105)](https://github.com/elastic/kibana/pull/200105)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com>
---
 .../diff/convert_rule_to_diffable.ts | 3 +-
 .../diff/extract_rule_schedule.test.ts | 18 ++++++
 .../diff/extract_rule_schedule.ts | 19 +------
 .../diff/extract_threat_array.test.ts | 56 +++++++++++++++++++
 .../diff/extract_threat_array.ts | 28 ++++++++++
 .../pages/rule_creation/helpers.ts | 4 +-
 6 files changed, 108 insertions(+), 20 deletions(-)
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts
 create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts

diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
index 0f70a86c54e29..882dcae3e36aa 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
@@ -53,6 +53,7 @@ import { extractRuleNameOverrideObject } from './extract_rule_name_override_obje
 import { extractRuleSchedule } from './extract_rule_schedule';
 import { extractTimelineTemplateReference } from './extract_timeline_template_reference';
 import { extractTimestampOverrideObject } from './extract_timestamp_override_object';
+import { extractThreatArray } from './extract_threat_array';
 
 /**
 * Normalizes a given rule to the form which is suitable for passing to the diff algorithm.
@@ -128,7 +129,7 @@ const extractDiffableCommonFields = (
 // About -> Advanced settings
 references: rule.references ?? [],
 false_positives: rule.false_positives ?? [],
- threat: rule.threat ?? [],
+ threat: extractThreatArray(rule),
 note: rule.note ?? '',
 setup: rule.setup ?? '',
 related_integrations: rule.related_integrations ?? [],
diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts
new file mode 100644
index 0000000000000..7c03aae9a012c
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts
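Review bot: `threat: extractThreatArray(rule)` drops the `?? []` fallback that the replaced line had, and `extractThreatArray` (added in this patch) calls `rule.threat.map(...)` unguarded, so a rule object whose `threat` is absent would now throw a TypeError inside the diff algorithm instead of normalizing to `[]`. If `RuleResponse.threat` is required by the schema, strict TypeScript already rules this out and the old fallback was dead code; but the neighbouring `references`, `false_positives` and `related_integrations` lines keep their `?? []` defaults, so either confirm `threat` is non-optional or keep the defensive shape with `(rule.threat ?? []).map(...)` in `extractThreatArray`. `extractDiffableCommonFields` starts before this hunk and continues after it.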
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getRulesSchemaMock } from '../../../api/detection_engine/model/rule_schema/mocks';
+import { extractRuleSchedule } from './extract_rule_schedule';
+
+describe('extractRuleSchedule', () => {
+ it('normalizes lookback strings to seconds', () => {
+ const mockRule = { ...getRulesSchemaMock(), from: 'now-6m', interval: '5m', to: 'now' };
+ const normalizedRuleSchedule = extractRuleSchedule(mockRule);
+
+ expect(normalizedRuleSchedule).toEqual({ interval: '5m', lookback: '60s' });
+ });
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts
index 6812a0a2f6fc6..7a128c24492ab 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts
@@ -9,7 +9,7 @@
 import moment from 'moment';
 import dateMath from '@elastic/datemath';
 import { parseDuration } from '@kbn/alerting-plugin/common';
-import type { RuleMetadata, RuleResponse } from '../../../api/detection_engine/model/rule_schema';
+import type { RuleResponse } from '../../../api/detection_engine/model/rule_schema';
 import type { RuleSchedule } from '../../../api/detection_engine/prebuilt_rules';
 
 export const extractRuleSchedule = (rule: RuleResponse): RuleSchedule => {
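Review bot: The single `it` covers only a parseable `interval`, while `extractRuleSchedule` also has a `Cannot parse: interval="…"` branch (visible in the next hunk of extract_rule_schedule.ts) that, with the `meta.from` short-circuit removed, is now the only path for an unparseable interval; a second case passing e.g. `interval: 'not-a-duration'` and asserting the `Cannot parse` shape would pin it. The function body continues past what that hunk shows, so the `lookback` value expected on that branch has to be read from the full file.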
@@ -17,26 +17,9 @@ export const extractRuleSchedule = (rule: RuleResponse): RuleSchedule => {
 const from = rule.from ?? 'now-6m';
 const to = rule.to ?? 'now';
 
- const ruleMeta: RuleMetadata = ('meta' in rule ? rule.meta : undefined) ?? {};
- const lookbackFromMeta = String(ruleMeta.from ?? '');
-
 const intervalDuration = parseInterval(interval);
- const lookbackFromMetaDuration = parseInterval(lookbackFromMeta);
 const driftToleranceDuration = parseDriftTolerance(from, to);
 
- if (lookbackFromMetaDuration != null) {
- if (intervalDuration != null) {
- return {
- interval,
- lookback: lookbackFromMeta,
- };
- }
- return {
- interval: `Cannot parse: interval="${interval}"`,
- lookback: lookbackFromMeta,
- };
- }
-
 if (intervalDuration == null) {
 return {
 interval: `Cannot parse: interval="${interval}"`,
diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts
new file mode 100644
index 0000000000000..115ea26c9ea83
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getRulesSchemaMock } from '../../../api/detection_engine/model/rule_schema/mocks';
+import { getThreatMock } from '../../schemas/types/threat.mock';
+import { extractThreatArray } from './extract_threat_array';
+
+const mockThreat = getThreatMock()[0];
+
+describe('extractThreatArray', () => {
+ it('trims empty technique fields from threat object', () => {
+ const mockRule = { ...getRulesSchemaMock(), threat: [{ ...mockThreat, technique: [] }] };
+ const normalizedThreatArray = extractThreatArray(mockRule);
+
+ expect(normalizedThreatArray).toEqual([
+ {
+ framework: 'MITRE ATT&CK',
+ tactic: {
+ id: 'TA0000',
+ name: 'test tactic',
+ reference: 'https://attack.mitre.org/tactics/TA0000/',
+ },
+ },
+ ]);
+ });
+
+ it('trims empty subtechnique fields from threat object', () => {
+ const mockRule = {
+ ...getRulesSchemaMock(),
+ threat: [{ ...mockThreat, technique: [{ ...mockThreat.technique![0], subtechnique: [] }] }],
+ };
+ const normalizedThreatArray = extractThreatArray(mockRule);
+
+ expect(normalizedThreatArray).toEqual([
+ {
+ framework: 'MITRE ATT&CK',
+ tactic: {
+ id: 'TA0000',
+ name: 'test tactic',
+ reference: 'https://attack.mitre.org/tactics/TA0000/',
+ },
+ technique: [
+ {
+ id: 'T0000',
+ name: 'test technique',
+ reference: 'https://attack.mitre.org/techniques/T0000/',
+ },
+ ],
+ },
+ ]);
+ });
+});
diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts
new file mode 100644
index 0000000000000..019d8ceee4f5e
--- /dev/null
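Review bot: Both cases assert with `toEqual`, which treats an own property whose value is `undefined` as equal to a missing property, so these tests cannot tell the field being removed (as the test names claim) apart from `technique: undefined` / `subtechnique: undefined` being written, which is what the implementation does; `toStrictEqual` would make the assertion match the intent. There is also no case where `technique` and `subtechnique` are both non-empty, so a regression in `trimTechniqueArray` that dropped populated subtechniques would still pass — a third `it` feeding the unmodified `getThreatMock()` result and asserting the output equals the input would cover it, assuming the mock carries a non-empty `subtechnique`. The `mockThreat.technique![0]` non-null assertion could be avoided by destructuring once at module level, but that is style only.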
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type {
+ RuleResponse,
+ ThreatArray,
+ ThreatTechnique,
+} from '../../../api/detection_engine/model/rule_schema';
+
+export const extractThreatArray = (rule: RuleResponse): ThreatArray =>
+ rule.threat.map((threat) => {
+ if (threat.technique && threat.technique.length) {
+ return { ...threat, technique: trimTechniqueArray(threat.technique) };
+ }
+ return { ...threat, technique: undefined }; // If `technique` is an empty array, remove the field from the `threat` object
+ });
+
+const trimTechniqueArray = (techniqueArray: ThreatTechnique[]): ThreatTechnique[] => {
+ return techniqueArray.map((technique) => ({
+ ...technique,
+ subtechnique:
+ technique.subtechnique && technique.subtechnique.length ? technique.subtechnique : undefined, // If `subtechnique` is an empty array, remove the field from the `technique` object
+ }));
+};
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
index 46dde209804f2..4d57eb49ec2d2 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts
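Review bot: The trailing comments on `return { ...threat, technique: undefined }` and on the `subtechnique:` expression say the field is removed, but spreading and then assigning `undefined` keeps the key as an own property with value `undefined`; the helpers.ts hunk below (`: undefined,` inside `filterEmptyThreats`) has the same shape. Whether that is harmless depends on the comparator the diff algorithm uses and on whether every compared side goes through this normalization: `JSON.stringify` drops `undefined` members, but a lodash-style `isEqual` or any `Object.keys`-based comparison treats `{ technique: undefined }` and `{}` as different, so a side that bypasses `extractThreatArray` could register a spurious change (not verifiable from this patch). Dropping the key makes the code match its comment regardless of the comparator: `const { technique, ...rest } = threat; return rest;` in the empty-`technique` branch, and a matching destructure for `subtechnique` in `trimTechniqueArray`.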
@@ -375,7 +375,9 @@ export const filterEmptyThreats = (threats: Threats): Threats => {
 return {
 ...technique,
 subtechnique:
- technique.subtechnique != null ? trimThreatsWithNoName(technique.subtechnique) : [],
+ technique.subtechnique != null
+ ? trimThreatsWithNoName(technique.subtechnique)
+ : undefined,
 };
 }),
 };