From fa4e9c4ee97b5d08a22644ddbb671c8974337885 Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Wed, 13 Nov 2024 17:32:21 -0500 Subject: [PATCH 1/2] makes diff algorithms normalize data before comparison --- .../diff/convert_rule_to_diffable.ts | 3 +- .../diff/extract_rule_schedule.ts | 19 +------------ .../diff/extract_threat_array.ts | 28 +++++++++++++++++++ .../pages/rule_creation/helpers.ts | 4 ++- 4 files changed, 34 insertions(+), 20 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts index 0f70a86c54e29..882dcae3e36aa 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts @@ -53,6 +53,7 @@ import { extractRuleNameOverrideObject } from './extract_rule_name_override_obje import { extractRuleSchedule } from './extract_rule_schedule'; import { extractTimelineTemplateReference } from './extract_timeline_template_reference'; import { extractTimestampOverrideObject } from './extract_timestamp_override_object'; +import { extractThreatArray } from './extract_threat_array'; /** * Normalizes a given rule to the form which is suitable for passing to the diff algorithm. @@ -128,7 +129,7 @@ const extractDiffableCommonFields = ( // About -> Advanced settings references: rule.references ?? [], false_positives: rule.false_positives ?? [], - threat: rule.threat ?? [], + threat: extractThreatArray(rule), note: rule.note ?? '', setup: rule.setup ?? '', related_integrations: rule.related_integrations ?? [], diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts index 6812a0a2f6fc6..7a128c24492ab 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.ts @@ -9,7 +9,7 @@ import moment from 'moment'; import dateMath from '@elastic/datemath'; import { parseDuration } from '@kbn/alerting-plugin/common'; -import type { RuleMetadata, RuleResponse } from '../../../api/detection_engine/model/rule_schema'; +import type { RuleResponse } from '../../../api/detection_engine/model/rule_schema'; import type { RuleSchedule } from '../../../api/detection_engine/prebuilt_rules'; export const extractRuleSchedule = (rule: RuleResponse): RuleSchedule => { @@ -17,26 +17,9 @@ export const extractRuleSchedule = (rule: RuleResponse): RuleSchedule => { const from = rule.from ?? 'now-6m'; const to = rule.to ?? 'now'; - const ruleMeta: RuleMetadata = ('meta' in rule ? rule.meta : undefined) ?? {}; - const lookbackFromMeta = String(ruleMeta.from ?? ''); - const intervalDuration = parseInterval(interval); - const lookbackFromMetaDuration = parseInterval(lookbackFromMeta); const driftToleranceDuration = parseDriftTolerance(from, to); - if (lookbackFromMetaDuration != null) { - if (intervalDuration != null) { - return { - interval, - lookback: lookbackFromMeta, - }; - } - return { - interval: `Cannot parse: interval="${interval}"`, - lookback: lookbackFromMeta, - }; - } - if (intervalDuration == null) { return { interval: `Cannot parse: interval="${interval}"`, diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts new file mode 100644 index 0000000000000..019d8ceee4f5e --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.ts @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { + RuleResponse, + ThreatArray, + ThreatTechnique, +} from '../../../api/detection_engine/model/rule_schema'; + +export const extractThreatArray = (rule: RuleResponse): ThreatArray => + rule.threat.map((threat) => { + if (threat.technique && threat.technique.length) { + return { ...threat, technique: trimTechniqueArray(threat.technique) }; + } + return { ...threat, technique: undefined }; // If `technique` is an empty array, remove the field from the `threat` object + }); + +const trimTechniqueArray = (techniqueArray: ThreatTechnique[]): ThreatTechnique[] => { + return techniqueArray.map((technique) => ({ + ...technique, + subtechnique: + technique.subtechnique && technique.subtechnique.length ? technique.subtechnique : undefined, // If `subtechnique` is an empty array, remove the field from the `technique` object + })); +}; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts index a50564fff6e38..9aeea303c6c32 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts @@ -385,7 +385,9 @@ export const filterEmptyThreats = (threats: Threats): Threats => { return { ...technique, subtechnique: - technique.subtechnique != null ? trimThreatsWithNoName(technique.subtechnique) : [], + technique.subtechnique != null + ? trimThreatsWithNoName(technique.subtechnique) + : undefined, }; }), }; From 5486f88ad0e378696a1d0685834b427e936a617b Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Thu, 14 Nov 2024 13:42:07 -0500 Subject: [PATCH 2/2] adds unit tests --- .../diff/extract_rule_schedule.test.ts | 18 ++++++ .../diff/extract_threat_array.test.ts | 56 +++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts create mode 100644 x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts new file mode 100644 index 0000000000000..7c03aae9a012c --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_rule_schedule.test.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getRulesSchemaMock } from '../../../api/detection_engine/model/rule_schema/mocks'; +import { extractRuleSchedule } from './extract_rule_schedule'; + +describe('extractRuleSchedule', () => { + it('normalizes lookback strings to seconds', () => { + const mockRule = { ...getRulesSchemaMock(), from: 'now-6m', interval: '5m', to: 'now' }; + const normalizedRuleSchedule = extractRuleSchedule(mockRule); + + expect(normalizedRuleSchedule).toEqual({ interval: '5m', lookback: '60s' }); + }); +}); diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts new file mode 100644 index 0000000000000..115ea26c9ea83 --- /dev/null +++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/extract_threat_array.test.ts @@ -0,0 +1,56 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getRulesSchemaMock } from '../../../api/detection_engine/model/rule_schema/mocks'; +import { getThreatMock } from '../../schemas/types/threat.mock'; +import { extractThreatArray } from './extract_threat_array'; + +const mockThreat = getThreatMock()[0]; + +describe('extractThreatArray', () => { + it('trims empty technique fields from threat object', () => { + const mockRule = { ...getRulesSchemaMock(), threat: [{ ...mockThreat, technique: [] }] }; + const normalizedThreatArray = extractThreatArray(mockRule); + + expect(normalizedThreatArray).toEqual([ + { + framework: 'MITRE ATT&CK', + tactic: { + id: 'TA0000', + name: 'test tactic', + reference: 'https://attack.mitre.org/tactics/TA0000/', + }, + }, + ]); + }); + + it('trims empty subtechnique fields from threat object', () => { + const mockRule = { + ...getRulesSchemaMock(), + threat: [{ ...mockThreat, technique: [{ ...mockThreat.technique![0], subtechnique: [] }] }], + }; + const normalizedThreatArray = extractThreatArray(mockRule); + + expect(normalizedThreatArray).toEqual([ + { + framework: 'MITRE ATT&CK', + tactic: { + id: 'TA0000', + name: 'test tactic', + reference: 'https://attack.mitre.org/tactics/TA0000/', + }, + technique: [ + { + id: 'T0000', + name: 'test technique', + reference: 'https://attack.mitre.org/techniques/T0000/', + }, + ], + }, + ]); + }); +});