[Security Solution] Add Threat Match rule specific editable fields #200308
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maximpn
added
release_note:skip
maximpn
force-pushed
the
add-threat-match-specific-editable-fields
branch
2 times, most recently
from
018a0c9 to
9b576a1
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
54 tasks
vitaliidm
reviewed
Nov 19, 2024
...tection_engine/rule_creation/components/threat_match_index_edit/threat_match_index_field.tsx
Outdated
Show resolved
Hide resolved
...rity_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx
Outdated
Show resolved
Hide resolved
...ion_engine/rule_creation_ui/components/step_define_rule/use_persistent_threat_match_state.ts
Outdated
Show resolved
Hide resolved
...etection_engine/rule_creation/components/threat_match_index_edit/threat_match_index_edit.tsx
Outdated
Show resolved
Hide resolved
...rity_solution/public/detection_engine/rule_creation_ui/components/description_step/index.tsx
Outdated
Show resolved
Hide resolved
...olution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
Outdated
Show resolved
Hide resolved
...olution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/components/threat_match/index.tsx
Outdated
Show resolved
Hide resolved
...olution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
Outdated
Show resolved
Hide resolved
|
I don’t have any changes in the filters field, but the diff shows some empty
What is the cc @dplumlee This seems similar to the issue we recently had with the schedule and threat fields. |
|
The incorrect final field version has been selected. I have modifications to the field, so in this case, we should pre-select the
|
maximpn
force-pushed
the
add-threat-match-specific-editable-fields
branch
from
e0ff1dd to
f9e8e69
Compare
maximpn
force-pushed
the
add-threat-match-specific-editable-fields
branch
from
52808bc to
db006e0
Compare
nikitaindik
approved these changes
Jan 6, 2025
There was a problem hiding this comment.
Nicely done, @maximpn! 👍 I've tested the PR locally and can confirm that Threat Match fields seem to be working well and rule upgrade works.
During testing found this header height issue, which was already fixed.
Left: this branch. Right: main.
Also in a separate PR we may consider adapting the Indicator Mapping field UI for a narrower container size. Right now it feels a little cramped.
|
Starting backport for target branches: 8.x |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
cc @maximpn |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
maximpn
added a commit
to maximpn/kibana
that referenced
this pull request
Jan 7, 2025
…lastic#200308) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds the following editable components for Threat Match rule type - threat_index - threat_query - threat_mapping - threat_indicator_path - ~~threat_language~~ `threat_language` was merged with `threat_query` ## Details This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done - Fixes a bug blocking Threat Match rules upgrading - Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields - `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar - threat mapping input was split into separate component for individual fields to be reused - `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component. - Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](elastic#200308 (comment)) - Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](elastic#200308 (comment)) ## How to test - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`. - Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button ## Screenshots Threat Match Query edit component <img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69"> Threat Match Index edit component <img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d"> Threat Match Mapping edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e"> Threat Match Indicator Path edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e"> Threat Match Mapping unknown field names validation warnings <img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" /> <img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" /> <img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" /> <img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" /> (cherry picked from commit 40f6628) # Conflicts: # x-pack/platform/plugins/private/translations/translations/zh-CN.json
maximpn
added a commit
that referenced
this pull request
Jan 7, 2025
…lds (#200308) (#205681) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add Threat Match rule specific editable fields (#200308)](#200308) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-07T08:52:07Z","message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0"],"number":200308,"url":"https://github.com/elastic/kibana/pull/200308","mergeCommit":{"message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/200308","number":200308,"mergeCommit":{"message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
@nikitaindik @maximpn Can we please create a bug for that? |
@banderror I created #205722. |
kowalczyk-krzysztof
pushed a commit
to kowalczyk-krzysztof/kibana
that referenced
this pull request
Jan 7, 2025
…lastic#200308) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds the following editable components for Threat Match rule type - threat_index - threat_query - threat_mapping - threat_indicator_path - ~~threat_language~~ `threat_language` was merged with `threat_query` ## Details This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done - Fixes a bug blocking Threat Match rules upgrading - Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields - `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar - threat mapping input was split into separate component for individual fields to be reused - `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component. - Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](elastic#200308 (comment)) - Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](elastic#200308 (comment)) ## How to test - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`. - Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button ## Screenshots Threat Match Query edit component <img width="1720" alt="image" src="https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69"> Threat Match Index edit component <img width="1727" alt="image" src="https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d"> Threat Match Mapping edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e"> Threat Match Indicator Path edit component <img width="1725" alt="image" src="https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e"> Threat Match Mapping unknown field names validation warnings <img width="979" alt="Screenshot 2024-12-18 at 12 45 41" src="https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671" /> <img width="1094" alt="Screenshot 2024-12-18 at 12 45 53" src="https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3" /> <img width="2552" alt="Screenshot 2024-12-18 at 12 47 05" src="https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d" /> <img width="2550" alt="Screenshot 2024-12-18 at 12 47 15" src="https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700" />
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Partially addresses: #171520
Summary
This PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type
threat_languagethreat_languagewas merged withthreat_queryDetails
This PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done
threat_index,threat_query,threat_mappingandthreat_indicator_pathrule fieldsthreat_languagewas removed since query type is included inthreat_queryfield and can be edited with Query BarThreatMatchComponentwas refactored to be a controlled component instead of uncontrolledThreatMatchComponenthas a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusableThreatMappingEditcomponent. Instead of trying to find a tricky fixThreatMatchComponentwas refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented inThreatMappingEditcomponent.mainwhere validation errors duplicated described in a commentmainallowing to save unknown source indices or indicator indices fields described in a commentHow to test
prebuiltRulesCustomizationEnabledfeature flag is enabledserver.restrictInternalApis: falsetokibana.dev.yamlsecurity_detection_engineFleet packageOpen a
threat_matchrule for editing. For exampleThreat Intel Hash Indicator Matchwith rule_idaab184d3-72b3-4639-b242-6597c99d8bca.Edit
Indicator index patterns,Indicator index queryand/orIndicator filters,Indicator mappingandIndicator prefix overridefieldsOpen
Detection Rules (SIEM)Page ->Rule Updates-> click onThreat Intel Hash Indicator Matchrule -> expand each Threat Match rule type specific field -> pressEditbuttonScreenshots
Threat Match Query edit component
Threat Match Index edit component
Threat Match Mapping edit component
Threat Match Indicator Path edit component
Threat Match Mapping unknown field names validation warnings
