Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Detection Engine] adds backend implementation for IM alert suppression #175032

Merged
merged 44 commits into from
Jan 26, 2024
Merged

[Security Solution][Detection Engine] adds backend implementation for IM alert suppression #175032

merged 44 commits into from
Jan 26, 2024

Conversation

vitaliidm
Copy link
Contributor

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

Checklist

Delete any items that are not applicable to this PR.

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk Probability Severity Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space. Low High Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. High Low Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled. Medium High Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

@vitaliidm
initial commit
c5586d0
@vitaliidm
cover code branches
55c8262
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/add…
ff21f56 
…-im-ftr-tests
@vitaliidm
Update mappings.json
7623305
@vitaliidm
Update mappings.json
42cd3b7
@vitaliidm
deduplication test
3dfd64c
@vitaliidm
Update indicator_match_alert_suppression.ts
52392c5
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/add…
c1f22b5 
…-im-ftr-tests
@vitaliidm
Update indicator_match_alert_suppression.ts
672978b
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/add…
ea0426b 
…-im-ftr-tests
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/add…
52d4517 
…-im-ftr-tests
@vitaliidm
[Security Solution][Detection Engine] adds backend implementation for…
6287048 
… IM alert suppression
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/im-…
eecd793 
…backend
@vitaliidm vitaliidm requested a review from WafaaNasr January 17, 2024 14:56
@vitaliidm vitaliidm self-assigned this Jan 17, 2024
@vitaliidm
Copy link
Contributor Author

/ci

kibanamachine and others added 4 commits January 17, 2024 15:25
@kibanamachine
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
c076394 
…-fix'
@vitaliidm
fix tests
938a69f
@vitaliidm
Merge branch 'suppression/im-backend' of https://github.com/vitaliidm…
d5bb020 
…/kibana into suppression/im-backend

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create_suppressed_alerts.ts
@vitaliidm
remove .only
19096a7
@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm vitaliidm force-pushed the suppression/im-backend branch from 9c44daa to 2e33138 Compare January 26, 2024 10:24
@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
fix corner cases
f944321
@vitaliidm
fixes
0852428
@vitaliidm
Merge branch 'security/alert-suppression-im-eql' into suppression/im-…
2f08c53 
…backend

# Conflicts:
#	x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/indicator_match_alert_suppression.ts
@vitaliidm
Copy link
Contributor Author

/ci

@vitaliidm
Copy link
Contributor Author

/ci

@kibana-ci
Copy link
Collaborator

kibana-ci commented Jan 26, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Defend Workflows Cypress Tests #5 / Automated Response Actions From alerts "before all" hook for "should have generated endpoint and rule" "before all" hook for "should have generated endpoint and rule"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Automated Response Actions From alerts "before all" hook for "should have generated endpoint and rule" "before all" hook for "should have generated endpoint and rule"
  • [job] [logs] Defend Workflows Cypress Tests #14 / Document signing: "before all" hook for "should fail if data tampered" "before all" hook for "should fail if data tampered"
  • [job] [logs] Defend Workflows Cypress Tests #14 / Document signing: "before all" hook for "should fail if data tampered" "before all" hook for "should fail if data tampered"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Endpoint generated alerts "before each" hook for "should create a Detection Engine alert from an endpoint alert" "before each" hook for "should create a Detection Engine alert from an endpoint alert"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Endpoint generated alerts "before each" hook for "should create a Detection Engine alert from an endpoint alert" "before each" hook for "should create a Detection Engine alert from an endpoint alert"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #3 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #3 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Response console From endpoint list "before all" hook for "should open responder" "before all" hook for "should open responder"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Response console From endpoint list "before all" hook for "should open responder" "before all" hook for "should open responder"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Response console Host Isolation: "before all" hook for "should isolate a host from response console" "before all" hook for "should isolate a host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Response console Host Isolation: "before all" hook for "should isolate a host from response console" "before all" hook for "should isolate a host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #6 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #6 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Response console: From Alerts "before all" hook for "should open responder from alert details flyout" "before all" hook for "should open responder from alert details flyout"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Response console: From Alerts "before all" hook for "should open responder from alert details flyout" "before all" hook for "should open responder from alert details flyout"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Unenroll agent from fleet changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Unenroll agent from fleet changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Unenroll agent from fleet changing when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Unenroll agent from fleet changing when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Unenroll agent from fleet when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Unenroll agent from fleet when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Unenroll agent from fleet with agent tamper protection is disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Unenroll agent from fleet with agent tamper protection is disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Uninstall agent from host changing agent policy when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Uninstall agent from host changing agent policy when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #8 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #8 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Uninstall agent from host when agent tamper protection is disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Uninstall agent from host when agent tamper protection is disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #2 / Uninstall agent from host when agent tamper protection is enabled "before each" hook for "should uninstall from host with the uninstall token" "before each" hook for "should uninstall from host with the uninstall token"
  • [job] [logs] Defend Workflows Cypress Tests #2 / Uninstall agent from host when agent tamper protection is enabled "before each" hook for "should uninstall from host with the uninstall token" "before each" hook for "should uninstall from host with the uninstall token"

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @vitaliidm

@vitaliidm vitaliidm marked this pull request as ready for review January 26, 2024 18:31
@vitaliidm vitaliidm requested review from a team as code owners January 26, 2024 18:31
@vitaliidm vitaliidm removed request for a team and WafaaNasr January 26, 2024 18:31
@vitaliidm vitaliidm merged commit a7a4281 into elastic:security/alert-suppression-im-eql Jan 26, 2024
4 of 5 checks passed
@vitaliidm vitaliidm deleted the suppression/im-backend branch March 4, 2024 17:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@vitaliidm vitaliidm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vitaliidm @kibana-ci @kibanamachine