[Security Solution][Detection Engine] Adds support for suppressing EQL sequence alerts #189725

Merged
merged 91 commits into from
Dec 4, 2024

Conversation

@dhurley14 dhurley14 commented Aug 1, 2024

Summary

Provide support for suppressing EQL sequence alerts.

To test, start up auditbeat and packetbeat locally and run the following:

cd ~/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/scripts && ./post_rule.sh ./rules/queries/sequence_eql_query.json

This will create a sample rule that suppresses on agent.name with a suppression duration of 5 hours, runs every 30 seconds, and uses a 90-second lookback. There is another sequence rule in that directory, sequence_eql_query_no_duration.json, that suppresses per execution, for testing that functionality.

Checklist

Detection Engine Team Checklist:

  • Functional changes are hidden behind a feature flag. If not hidden, the PR explains why these changes are being implemented in a long-living feature branch.
    alertSuppressionForSequenceEqlRuleEnabled
  • Functional changes are covered with a test plan and automated tests.
    https://github.com/elastic/security-team/pull/10386
  • Stability of new and changed tests is verified using the Flaky Test Runner in both ESS and Serverless. By default, use 200 runs for ESS and 200 runs for Serverless.
  • Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless.
  • Functional changes are communicated to the Docs team. A ticket is opened in https://github.com/elastic/security-docs using the Internal documentation request (Elastic employees) template. The following information is included: feature flags used, target ESS version, planned timing for ESS and Serverless releases.
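The summary describes two suppression modes for sequence alerts: grouping on agent.name within a 5-hour window, and per-execution suppression when the rule sets no duration. The following TypeScript is an added example written for this page to model those two modes over constructed alerts; it is not code from this PR or from Kibana. The type and function names, the handling of alerts that lack a group-by field, and measuring the window from the first alert's suppression start are assumptions of this model.

```typescript
// Illustrative model of alert suppression for EQL sequence alerts.
// Added example for this page; not Kibana code. Names and shapes are assumptions.

type Fields = Record<string, string | undefined>;

interface SequenceAlert {
  timestamp: string; // ISO 8601 time of the last event in the matched sequence
  fields: Fields;    // flattened fields the rule can group by, e.g. 'agent.name'
}

interface SuppressionConfig {
  groupBy: string[];
  // Suppression window in milliseconds. Omit it to suppress only within a
  // single rule execution (the "no duration" case from the summary).
  durationMs?: number;
  // 'suppress': alerts missing a group-by field are grouped together;
  // 'doNotSuppress': each such alert is written on its own.
  missingFieldsStrategy: 'suppress' | 'doNotSuppress';
}

interface SuppressedAlert {
  key: string;
  suppressionStart: string;
  suppressionEnd: string;
  docsCount: number; // sequences folded into this alert beyond the first one
}

// Builds the group key, or undefined when any group-by field is absent.
function groupKey(alert: SequenceAlert, groupBy: string[]): string | undefined {
  const parts: string[] = [];
  for (const field of groupBy) {
    const value = alert.fields[field];
    if (value === undefined) return undefined;
    parts.push(`${field}=${value}`);
  }
  return parts.join(',');
}

// Folds a batch of sequence alerts into suppressed alerts. `previous` holds the
// alerts written by earlier executions; they only take part when a duration is
// set, because per-execution suppression starts from an empty state each run.
// Model assumption: the window is measured from suppressionStart.
function suppressSequenceAlerts(
  batch: SequenceAlert[],
  config: SuppressionConfig,
  previous: SuppressedAlert[] = []
): SuppressedAlert[] {
  const sorted = [...batch].sort(
    (a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp)
  );
  // Copy carried-over alerts so the caller's previous results stay untouched.
  const open: SuppressedAlert[] =
    config.durationMs !== undefined ? previous.map((a) => ({ ...a })) : [];

  for (const alert of sorted) {
    const rawKey = groupKey(alert, config.groupBy);
    if (rawKey === undefined && config.missingFieldsStrategy === 'doNotSuppress') {
      // Missing field: write the alert individually and never fold into it.
      open.push({
        key: '<unsuppressed>',
        suppressionStart: alert.timestamp,
        suppressionEnd: alert.timestamp,
        docsCount: 0,
      });
      continue;
    }
    const key: string = rawKey ?? '<missing>';
    const t = Date.parse(alert.timestamp);
    const existing = open.find(
      (a) =>
        a.key === key &&
        (config.durationMs === undefined ||
          t - Date.parse(a.suppressionStart) < config.durationMs)
    );
    if (existing) {
      existing.docsCount += 1;
      if (t > Date.parse(existing.suppressionEnd)) {
        existing.suppressionEnd = alert.timestamp;
      }
    } else {
      open.push({
        key,
        suppressionStart: alert.timestamp,
        suppressionEnd: alert.timestamp,
        docsCount: 0,
      });
    }
  }
  return open;
}

// Constructed sample alerts (not real data): three sequences from host-a, two
// from host-b, and one whose documents lack agent.name.
const sampleBatch: SequenceAlert[] = [
  { timestamp: '2024-12-04T10:00:00Z', fields: { 'agent.name': 'host-a' } },
  { timestamp: '2024-12-04T10:05:00Z', fields: { 'agent.name': 'host-a' } },
  { timestamp: '2024-12-04T10:01:00Z', fields: { 'agent.name': 'host-b' } },
  { timestamp: '2024-12-04T12:00:00Z', fields: { 'agent.name': 'host-a' } },
  { timestamp: '2024-12-04T16:30:00Z', fields: { 'agent.name': 'host-b' } },
  { timestamp: '2024-12-04T10:02:00Z', fields: {} },
];

const FIVE_HOURS_MS = 5 * 60 * 60 * 1000;

// Config matching the summary's sample rule: group by agent.name, 5-hour window.
function runDurationExample(): SuppressedAlert[] {
  return suppressSequenceAlerts(sampleBatch, {
    groupBy: ['agent.name'],
    durationMs: FIVE_HOURS_MS,
    missingFieldsStrategy: 'suppress',
  });
}

// Per-execution suppression: no duration, missing fields left unsuppressed.
function runPerExecutionExample(): SuppressedAlert[] {
  return suppressSequenceAlerts(sampleBatch, {
    groupBy: ['agent.name'],
    missingFieldsStrategy: 'doNotSuppress',
  });
}
```

With the 5-hour window the three host-a sequences collapse into one alert, the two host-b sequences stay separate because they are more than 5 hours apart, and a later execution that passes the earlier results in as `previous` keeps folding into the open host-a alert until its window expires. Without a duration every alert in the batch for the same agent.name folds together regardless of spacing, which is why a 30-second interval with a 90-second lookback keeps per-execution suppression narrow in practice.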

@dhurley14 (Contributor Author)
/ci

@dhurley14 (Contributor Author)
/ci

@dhurley14 (Contributor Author)
/ci

@dhurley14 dhurley14 added v8.18.0 and removed v8.17.0 labels Nov 27, 2024
@dhurley14 (Contributor Author)
/ci

@maximpn (Contributor) left a comment


@dhurley14 I looked through part of the changes and tested rule creation.

Is it expected behavior that alert suppression gets hidden for EQL sequence queries with the feature flag disabled?

The PR:
(screenshot, 2024-11-28 15:54)

Main:
(screenshot, 2024-11-28 16:20)

@dhurley14 (Contributor Author)
@approksiu what are your thoughts on the linked question below? Is it okay to hide the UI elements when writing an eql sequence query and the feature flag is not enabled?

#189725 (review)

@approksiu commented Dec 2, 2024

> @approksiu what are your thoughts on the linked question below? Is it okay to hide the UI elements when writing an eql sequence query and the feature flag is not enabled?
>
> #189725 (review)

@dhurley14 I would prefer to keep the current behavior of showing the user that suppression is not supported by EQL sequences.

@dhurley14 dhurley14 requested a review from maximpn December 2, 2024 15:42
@approksiu

We had a discussion, and I changed my mind. We will keep the current behavior: hiding the component on the disabled feature flag, and plan to release it with the feature flag enabled by default. cc @maximpn @dhurley14

@maximpn (Contributor) left a comment


@dhurley14 Thanks for responding on my comments 🙏

I tested the PR and haven't revealed any issues.

…pes support suppression, with eql sequence dependent on feature flag, so that is now the only parameter necessary
@elasticmachine (Contributor)

⏳ Build in-progress, with failures

@dhurley14 dhurley14 merged commit 5fa4af9 into elastic:main Dec 4, 2024
8 checks passed
@kibanamachine (Contributor)

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12159631381

@kibanamachine (Contributor)

💔 All backports failed

Status Branch Result
8.x Backport failed because of merge conflicts

You might need to backport the following PRs to 8.x:
- [React18] Migrate test suites to account for testing library upgrades security-detection-rule-management (#201177)

Manual backport

To create the backport manually run:

node scripts/backport --pr 189725

Questions ?

Please refer to the Backport tool documentation

@dhurley14 (Contributor Author)

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

dhurley14 added a commit that referenced this pull request Dec 4, 2024
…ing EQL sequence alerts (#189725) (#202960)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] Adds support for suppressing
EQL sequence alerts
(#189725)](#189725)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

hop-dev pushed a commit to hop-dev/kibana that referenced this pull request Dec 5, 2024
…L sequence alerts (elastic#189725)

## Summary

Provide support for suppressing EQL sequence alerts.

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Marshall Main <[email protected]>
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…L sequence alerts (elastic#189725)
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…L sequence alerts (elastic#189725)
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 9, 2024
…L sequence alerts (elastic#189725)
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…L sequence alerts (elastic#189725)
Labels

  • backport:version (Backport to applied version labels)
  • Feature:Alert Suppression (Security Solution Alert Suppression feature)
  • Feature:Detection Rules (Security Solution rules and Detection Engine)
  • release_note:feature (Makes this part of the condensed release notes)
  • review
  • Team:Detection Engine (Security Solution Detection Engine Area)
  • v8.18.0
  • v9.0.0