[8.x] [Security Solution] Add Threat Match rule specific editable fields (#200308) #205681
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…lastic#200308) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds the following editable components for Threat Match rule type - threat_index - threat_query - threat_mapping - threat_indicator_path - ~~threat_language~~ `threat_language` was merged with `threat_query` ## Details This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done - Fixes a bug blocking Threat Match rules upgrading - Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields - `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar - threat mapping input was split into separate component for individual fields to be reused - `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component. - Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](elastic#200308 (comment)) - Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](elastic#200308 (comment)) ## How to test - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`. - Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button ## Screenshots Threat Match Query edit component <img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69"> Threat Match Index edit component <img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d"> Threat Match Mapping edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e"> Threat Match Indicator Path edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e"> Threat Match Mapping unknown field names validation warnings <img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" /> <img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" /> <img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" /> <img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" /> (cherry picked from commit 40f6628) # Conflicts: # x-pack/platform/plugins/private/translations/translations/zh-CN.json
nikitaindik
approved these changes
Jan 7, 2025
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.x:Questions ?
Please refer to the Backport tool documentation