

[8.x] [EDR Workflows] Enable response actions in base rule params (el…
…astic#194796) (elastic#195611)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Enable response actions in base rule params
(elastic#194796)](elastic#194796)

<!--- Backport version: 9.4.3 -->

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Tomasz
Ciecierski","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-09T14:06:02Z","message":"[EDR
Workflows] Enable response actions in base rule params
(elastic#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","v8.16.0","backport:version"],"title":"[EDR Workflows] Enable
response actions in base rule
params","number":194796,"url":"https://github.com/elastic/kibana/pull/194796","mergeCommit":{"message":"[EDR
Workflows] Enable response actions in base rule params
(elastic#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194796","number":194796,"mergeCommit":{"message":"[EDR
Workflows] Enable response actions in base rule params
(elastic#194796)","sha":"c103d2d21452f6c73b79036c5d10a24c018e1831"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Tomasz Ciecierski <[email protected]>
kibanamachine and tomsonpl authored Oct 9, 2024
1 parent 0751a8e commit a02cb35
Showing 40 changed files with 2,643 additions and 1,492 deletions.
148 changes: 128 additions & 20 deletions oas_docs/output/kibana.serverless.staging.yaml


148 changes: 128 additions & 20 deletions oas_docs/output/kibana.serverless.yaml


148 changes: 128 additions & 20 deletions oas_docs/output/kibana.staging.yaml


148 changes: 128 additions & 20 deletions oas_docs/output/kibana.yaml



Original file line number Diff line number Diff line change
Expand Up @@ -68,13 +68,13 @@ import {
SavedQueryId,
KqlQueryLanguage,
} from './common_attributes.gen';
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
import { RuleExecutionSummary } from '../../rule_monitoring/model/execution_summary.gen';
import {
EventCategoryOverride,
TiebreakerField,
TimestampField,
} from './specific_attributes/eql_attributes.gen';
import { ResponseAction } from '../rule_response_actions/response_actions.gen';
import {
Threshold,
ThresholdAlertSuppression,
Expand Down Expand Up @@ -117,6 +117,7 @@ export const BaseOptionalFields = z.object({
meta: RuleMetadata.optional(),
investigation_fields: InvestigationFields.optional(),
throttle: RuleActionThrottle.optional(),
response_actions: z.array(ResponseAction).optional(),
});

export type BaseDefaultableFields = z.infer<typeof BaseDefaultableFields>;
Expand Down Expand Up @@ -224,7 +225,6 @@ export const EqlOptionalFields = z.object({
tiebreaker_field: TiebreakerField.optional(),
timestamp_field: TimestampField.optional(),
alert_suppression: AlertSuppression.optional(),
response_actions: z.array(ResponseAction).optional(),
});

export type EqlRuleCreateFields = z.infer<typeof EqlRuleCreateFields>;
Expand Down Expand Up @@ -262,7 +262,6 @@ export const QueryRuleOptionalFields = z.object({
data_view_id: DataViewId.optional(),
filters: RuleFilterArray.optional(),
saved_id: SavedQueryId.optional(),
response_actions: z.array(ResponseAction).optional(),
alert_suppression: AlertSuppression.optional(),
});

Expand Down Expand Up @@ -313,7 +312,6 @@ export const SavedQueryRuleOptionalFields = z.object({
index: IndexPatternArray.optional(),
data_view_id: DataViewId.optional(),
filters: RuleFilterArray.optional(),
response_actions: z.array(ResponseAction).optional(),
alert_suppression: AlertSuppression.optional(),
query: RuleQuery.optional(),
});
Expand Down Expand Up @@ -522,7 +520,6 @@ export const NewTermsRuleOptionalFields = z.object({
data_view_id: DataViewId.optional(),
filters: RuleFilterArray.optional(),
alert_suppression: AlertSuppression.optional(),
response_actions: z.array(ResponseAction).optional(),
});

export type NewTermsRuleDefaultableFields = z.infer<typeof NewTermsRuleDefaultableFields>;
Expand Down Expand Up @@ -576,7 +573,6 @@ export const EsqlRuleRequiredFields = z.object({
export type EsqlRuleOptionalFields = z.infer<typeof EsqlRuleOptionalFields>;
export const EsqlRuleOptionalFields = z.object({
alert_suppression: AlertSuppression.optional(),
response_actions: z.array(ResponseAction).optional(),
});

export type EsqlRulePatchFields = z.infer<typeof EsqlRulePatchFields>;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,11 @@ components:
throttle:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleActionThrottle'

response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'

BaseDefaultableFields:
x-inline: true
type: object
Expand Down Expand Up @@ -293,10 +298,6 @@ components:
$ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TimestampField'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'

EqlRuleCreateFields:
allOf:
Expand Down Expand Up @@ -359,10 +360,6 @@ components:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
saved_id:
$ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'

Expand Down Expand Up @@ -440,10 +437,6 @@ components:
$ref: './common_attributes.schema.yaml#/components/schemas/DataViewId'
filters:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
query:
Expand Down Expand Up @@ -767,10 +760,6 @@ components:
$ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray'
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'

NewTermsRuleDefaultableFields:
type: object
Expand Down Expand Up @@ -849,10 +838,6 @@ components:
properties:
alert_suppression:
$ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
response_actions:
type: array
items:
$ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction'

EsqlRulePatchFields:
allOf:
Expand Down
13 changes: 10 additions & 3 deletions x-pack/plugins/security_solution/common/detection_engine/utils.ts
Original file line number Diff line number Diff line change
Expand Up @@ -93,9 +93,16 @@ export const isSuppressionRuleConfiguredWithMissingFields = (ruleType: Type) =>
export const isSuppressionRuleInGA = (ruleType: Type): boolean => {
return isSuppressibleAlertRule(ruleType) && SUPPRESSIBLE_ALERT_RULES_GA.includes(ruleType);
};

export const shouldShowResponseActions = (ruleType: Type | undefined) => {
export const shouldShowResponseActions = (
ruleType: Type | undefined,
automatedResponseActionsForAllRulesEnabled: boolean
) => {
return (
isQueryRule(ruleType) || isEsqlRule(ruleType) || isEqlRule(ruleType) || isNewTermsRule(ruleType)
isQueryRule(ruleType) ||
isEsqlRule(ruleType) ||
isEqlRule(ruleType) ||
isNewTermsRule(ruleType) ||
(automatedResponseActionsForAllRulesEnabled &&
(isThresholdRule(ruleType) || isThreatMatchRule(ruleType) || isMlRule(ruleType)))
);
};
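Review bot: The new signature of shouldShowResponseActions (the first changed lines of the hunk) has no declared return type, while isSuppressionRuleInGA two lines above declares `: boolean`; closing the parameter list with `): boolean => {` keeps the exported helpers consistent and has the compiler check the body against the declared type. The helper also has no TSDoc, and its contract is now less obvious: query, ES|QL, EQL and new-terms rules always qualify, while threshold, threat-match and ML rules qualify only while `automatedResponseActionsForAllRulesEnabled` is true. A short TSDoc stating that, and noting that this helper only decides whether the Response Actions section is shown in the rule form while the base rule schema changed in this same commit accepts `response_actions` for every rule type independent of the flag, would make the flag's intended scope explicit for whoever later removes it. Whether the backend runs the configured actions for the newly gated rule types is not visible in this diff.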
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,11 @@ export const allowedExperimentalValues = Object.freeze({
*/
automatedProcessActionsEnabled: true,

/**
* Temporary feature flag to enable the Response Actions in Rules UI - intermediate release
*/
automatedResponseActionsForAllRulesEnabled: false,

/**
* Enables the ability to send Response actions to SentinelOne and persist the results
* in ES. Adds API changes to support `agentType` and supports `isolate` and `release`
Expand Down
