From 2d8a41d3679ff77a60c6c417cdc10f88a4ed3203 Mon Sep 17 00:00:00 2001 From: Chris Cowan Date: Tue, 28 Jul 2020 12:39:36 -0700 Subject: [PATCH 1/3] [Metrics UI] Make composite size configurable to avoid max buckets (#72955) Co-authored-by: Elastic Machine --- x-pack/plugins/infra/common/http_api/snapshot_api.ts | 1 + x-pack/plugins/infra/public/metrics_overview_fetchers.test.ts | 1 + x-pack/plugins/infra/public/metrics_overview_fetchers.ts | 1 + x-pack/plugins/infra/server/lib/snapshot/snapshot.ts | 4 ++-- x-pack/plugins/infra/server/routes/snapshot/index.ts | 2 ++ 5 files changed, 7 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/infra/common/http_api/snapshot_api.ts b/x-pack/plugins/infra/common/http_api/snapshot_api.ts index 9ddbcb17089f3c..11cb57238f917c 100644 --- a/x-pack/plugins/infra/common/http_api/snapshot_api.ts +++ b/x-pack/plugins/infra/common/http_api/snapshot_api.ts @@ -107,6 +107,7 @@ export const SnapshotRequestRT = rt.intersection([ region: rt.string, filterQuery: rt.union([rt.string, rt.null]), includeTimeseries: rt.boolean, + overrideCompositeSize: rt.number, }), ]); diff --git a/x-pack/plugins/infra/public/metrics_overview_fetchers.test.ts b/x-pack/plugins/infra/public/metrics_overview_fetchers.test.ts index 88bc426e9a0f76..135b4ea9a5335f 100644 --- a/x-pack/plugins/infra/public/metrics_overview_fetchers.test.ts +++ b/x-pack/plugins/infra/public/metrics_overview_fetchers.test.ts @@ -75,6 +75,7 @@ describe('Metrics UI Observability Homepage Functions', () => { groupBy: [], nodeType: 'host', includeTimeseries: true, + overrideCompositeSize: 5, timerange: { from: startTime.valueOf(), to: endTime.valueOf(), diff --git a/x-pack/plugins/infra/public/metrics_overview_fetchers.ts b/x-pack/plugins/infra/public/metrics_overview_fetchers.ts index 4eaf903e17608a..79e0850635138f 100644 --- a/x-pack/plugins/infra/public/metrics_overview_fetchers.ts +++ b/x-pack/plugins/infra/public/metrics_overview_fetchers.ts @@ -87,6 +87,7 @@ export const createMetricsFetchData = ( groupBy: [], nodeType: 'host', includeTimeseries: true, + overrideCompositeSize: 5, timerange: { from: start, to: end, diff --git a/x-pack/plugins/infra/server/lib/snapshot/snapshot.ts b/x-pack/plugins/infra/server/lib/snapshot/snapshot.ts index 9ca10d5e39da7f..5f359b0523d9ff 100644 --- a/x-pack/plugins/infra/server/lib/snapshot/snapshot.ts +++ b/x-pack/plugins/infra/server/lib/snapshot/snapshot.ts @@ -86,7 +86,7 @@ const requestGroupedNodes = async ( aggregations: { nodes: { composite: { - size: SNAPSHOT_COMPOSITE_REQUEST_SIZE, + size: options.overrideCompositeSize || SNAPSHOT_COMPOSITE_REQUEST_SIZE, sources: getGroupedNodesSources(options), }, aggs: { @@ -142,7 +142,7 @@ const requestNodeMetrics = async ( aggregations: { nodes: { composite: { - size: SNAPSHOT_COMPOSITE_REQUEST_SIZE, + size: options.overrideCompositeSize || SNAPSHOT_COMPOSITE_REQUEST_SIZE, sources: getMetricsSources(options), }, aggregations: { diff --git a/x-pack/plugins/infra/server/routes/snapshot/index.ts b/x-pack/plugins/infra/server/routes/snapshot/index.ts index 7c81c6eef675ff..e99103080463e9 100644 --- a/x-pack/plugins/infra/server/routes/snapshot/index.ts +++ b/x-pack/plugins/infra/server/routes/snapshot/index.ts @@ -40,6 +40,7 @@ export const initSnapshotRoute = (libs: InfraBackendLibs) => { accountId, region, includeTimeseries, + overrideCompositeSize, } = pipe( SnapshotRequestRT.decode(request.body), fold(throwErrors(Boom.badRequest), identity) @@ -59,6 +60,7 @@ export const initSnapshotRoute = (libs: InfraBackendLibs) => { metrics, timerange, includeTimeseries, + overrideCompositeSize, }; const searchES = ( From 5e624502f82085802333c225882e0d91665355e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Kopyci=C5=84ski?= Date: Tue, 28 Jul 2020 22:13:02 +0200 Subject: [PATCH 2/3] [Security Solution] Fix query fetchPolicy and deduplication (#73199) --- .../components/events_viewer/events_viewer.tsx | 1 + .../common/components/events_viewer/index.tsx | 5 ++++- .../common/components/events_viewer/mock.ts | 1 + .../public/common/containers/source/index.tsx | 17 +++++++++++++---- .../components/alerts_table/index.tsx | 7 ++++--- .../components/rules/step_about_rule/index.tsx | 3 ++- .../components/rules/step_define_rule/index.tsx | 2 +- .../rules/fetch_index_patterns.tsx | 2 +- .../timelines/components/timeline/timeline.tsx | 1 + .../public/timelines/containers/index.tsx | 9 ++++++++- 10 files changed, 36 insertions(+), 12 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx index bc036b38524bad..e836e2e20432aa 100644 --- a/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx +++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.tsx @@ -222,6 +222,7 @@ const EventsViewerComponent: React.FC = ({ sourceId="default" startDate={start} endDate={end} + queryDeduplication="events_viewer" > {({ events, diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx index 80831b4022ace8..c402116ee27146 100644 --- a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx @@ -69,7 +69,10 @@ const StatefulEventsViewerComponent: React.FC = ({ }) => { const [ { docValueFields, browserFields, indexPatterns, isLoading: isLoadingIndexPattern }, - ] = useFetchIndexPatterns(defaultIndices ?? useUiSetting(DEFAULT_INDEX_KEY)); + ] = useFetchIndexPatterns( + defaultIndices ?? useUiSetting(DEFAULT_INDEX_KEY), + 'events_viewer' + ); useEffect(() => { if (createTimeline != null) { diff --git a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts index ea2e60ebc82b87..6266e840519011 100644 --- a/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts +++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/mock.ts @@ -40,6 +40,7 @@ export const mockEventViewerResponse = [ { field: 'event.end', format: 'date_time' }, ], inspect: false, + queryDeduplication: 'events_viewer', }, }, result: { diff --git a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx index 54d49d7279d68e..ffbecf9e3d4334 100644 --- a/x-pack/plugins/security_solution/public/common/containers/source/index.tsx +++ b/x-pack/plugins/security_solution/public/common/containers/source/index.tsx @@ -122,7 +122,12 @@ interface UseWithSourceState { export const useWithSource = ( sourceId = 'default', indexToAdd?: string[] | null, - onlyCheckIndexToAdd?: boolean + onlyCheckIndexToAdd?: boolean, + // Fun fact: When using this hook multiple times within a component (e.g. add_exception_modal & edit_exception_modal), + // the apolloClient will perform queryDeduplication and prevent the first query from executing. A deep compare is not + // performed on `indices`, so another field must be passed to circumvent this. + // For details, see https://github.com/apollographql/react-apollo/issues/2202 + queryDeduplication = 'default' ) => { const [configIndex] = useUiSetting$(DEFAULT_INDEX_KEY); const defaultIndex = useMemo(() => { @@ -154,12 +159,16 @@ export const useWithSource = ( setState((prevState) => ({ ...prevState, loading: true })); try { - const result = await apolloClient.query({ + const result = await apolloClient.query< + SourceQuery.Query, + SourceQuery.Variables & { queryDeduplication: string } + >({ query: sourceQuery, - fetchPolicy: 'network-only', + fetchPolicy: 'cache-first', variables: { sourceId, defaultIndex, + queryDeduplication, }, context: { fetchOptions: { @@ -206,7 +215,7 @@ export const useWithSource = ( isSubscribed = false; return abortCtrl.abort(); }; - }, [apolloClient, sourceId, defaultIndex]); + }, [apolloClient, sourceId, defaultIndex, queryDeduplication]); return state; }; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx index 1eda358fe5944e..ab95e433d92f3e 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx @@ -116,8 +116,9 @@ export const AlertsTableComponent: React.FC = ({ const [addExceptionModalState, setAddExceptionModalState] = useState( addExceptionModalInitialState ); - const [{ browserFields, indexPatterns }] = useFetchIndexPatterns( - signalsIndex !== '' ? [signalsIndex] : [] + const [{ browserFields, indexPatterns, isLoading: indexPatternsLoading }] = useFetchIndexPatterns( + signalsIndex !== '' ? [signalsIndex] : [], + 'alerts_table' ); const kibana = useKibana(); const [, dispatchToaster] = useStateToaster(); @@ -433,7 +434,7 @@ export const AlertsTableComponent: React.FC = ({ closeAddExceptionModal, ]); - if (loading || isEmpty(signalsIndex)) { + if (loading || indexPatternsLoading || isEmpty(signalsIndex)) { return ( diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx index ec812fa63eadfe..5edf6f0a9312ef 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.tsx @@ -74,7 +74,8 @@ const StepAboutRuleComponent: FC = ({ const initialState = defaultValues ?? stepAboutDefaultValue; const [myStepData, setMyStepData] = useState(initialState); const [{ isLoading: indexPatternLoading, indexPatterns }] = useFetchIndexPatterns( - defineRuleData?.index ?? [] + defineRuleData?.index ?? [], + 'step_about_rule' ); const canUseExceptions = defineRuleData?.ruleType && diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx index 51e9291f319413..3d5b66b8869ccb 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_define_rule/index.tsx @@ -117,7 +117,7 @@ const StepDefineRuleComponent: FC = ({ const [myStepData, setMyStepData] = useState(initialState); const [ { browserFields, indexPatterns: indexPatternQueryBar, isLoading: indexPatternLoadingQueryBar }, - ] = useFetchIndexPatterns(myStepData.index); + ] = useFetchIndexPatterns(myStepData.index, 'step_define_rule'); const { form } = useForm({ defaultValue: initialState, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/fetch_index_patterns.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/fetch_index_patterns.tsx index c0997a5e629083..82c9292af74515 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/fetch_index_patterns.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/fetch_index_patterns.tsx @@ -77,7 +77,7 @@ export const useFetchIndexPatterns = ( apolloClient .query({ query: sourceQuery, - fetchPolicy: 'network-only', + fetchPolicy: 'cache-first', variables: { sourceId: 'default', defaultIndex: indices, diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx index c27af94addeab2..a2ee1e56306b53 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/timeline.tsx @@ -286,6 +286,7 @@ export const TimelineComponent: React.FC = ({ filterQuery={combinedQueries!.filterQuery} sortField={timelineQuerySortField} startDate={start} + queryDeduplication="timeline" > {({ events, diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx index 510d58dbe6a696..562999108b4b0a 100644 --- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx @@ -58,6 +58,7 @@ export interface OwnProps extends QueryTemplateProps { sortField: SortField; fields: string[]; startDate: string; + queryDeduplication: string; } type TimelineQueryProps = OwnProps & PropsFromRedux & WithKibanaProps & CustomReduxProps; @@ -93,6 +94,7 @@ class TimelineQueryComponent extends QueryTemplate< sourceId, sortField, startDate, + queryDeduplication, } = this.props; const defaultKibanaIndex = kibana.services.uiSettings.get(DEFAULT_INDEX_KEY); const defaultIndex = @@ -102,7 +104,11 @@ class TimelineQueryComponent extends QueryTemplate< ...(['all', 'alert', 'signal'].includes(eventType) ? indexToAdd : []), ] : indexPattern?.title.split(',') ?? []; - const variables: GetTimelineQuery.Variables = { + // Fun fact: When using this hook multiple times within a component (e.g. add_exception_modal & edit_exception_modal), + // the apolloClient will perform queryDeduplication and prevent the first query from executing. A deep compare is not + // performed on `indices`, so another field must be passed to circumvent this. + // For details, see https://github.com/apollographql/react-apollo/issues/2202 + const variables: GetTimelineQuery.Variables & { queryDeduplication: string } = { fieldRequested: fields, filterQuery: createFilter(filterQuery), sourceId, @@ -116,6 +122,7 @@ class TimelineQueryComponent extends QueryTemplate< defaultIndex, docValueFields: docValueFields ?? [], inspect: isInspected, + queryDeduplication, }; return ( From 0b3dab7318c49e95a53c5f207bd1a850f0c2ef8a Mon Sep 17 00:00:00 2001 From: Garrett Spong Date: Tue, 28 Jul 2020 14:25:32 -0600 Subject: [PATCH 3/3] [Security Solution][Detections] Fixes Risk Score and Severity mapping issues (#73233) ## Summary Fixes the following issues around Risk Score/Severity mapping: * Severity override option cannot be unselected during rule creation * Risk score override option cannot be unselected during rule creation * Cannot fill Critical Severity override at the first attempt * Cannot create a rule with just a Critical severity override Note: When editing rules there is the possibility of the mapping fields remaining `disabled` as they are locked to the 'isLoading' flag from the gql `useFetchIndexPatterns` call, which can sometimes not return/get stuck as loading. @patrykkopycinski has a draft PR to fix this here: https://github.com/elastic/kibana/pull/73199 cc @MadameSheema ##### Severity Mapping Fixes:

Now distinguishes between empty string/value

##### Risk Score Mapping Fixes:

### Checklist Delete any items that are not applicable to this PR. - [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [X] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * Working with @benskelker on API docs. This PR adds `risk_score` (can be `undefined`) to `risk_score.mapping` for future compatibility with mapping to specific risk score values. - [X] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios --- .../schemas/common/schemas.ts | 3 +- .../rules/description_step/helpers.test.tsx | 1 + .../rules/description_step/helpers.tsx | 114 ++++---- .../rules/risk_score_mapping/index.tsx | 66 ++--- .../rules/severity_mapping/index.tsx | 248 ++++++++++-------- .../rules/step_about_rule/default_value.ts | 5 +- .../rules/step_about_rule/index.test.tsx | 9 +- .../rules/step_about_rule/schema.tsx | 10 +- .../rules/all/__mocks__/mock.ts | 5 +- .../detection_engine/rules/create/helpers.ts | 8 +- .../detection_engine/rules/helpers.test.tsx | 5 +- .../pages/detection_engine/rules/helpers.tsx | 24 +- .../pages/detection_engine/rules/types.ts | 2 + .../mappings/build_risk_score_from_mapping.ts | 9 +- 14 files changed, 294 insertions(+), 215 deletions(-) diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts index 273ea72a2ffe30..21fa780badd84a 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts @@ -222,8 +222,9 @@ export const risk_score_mapping_value = t.string; export const risk_score_mapping_item = t.exact( t.type({ field: risk_score_mapping_field, - operator, value: risk_score_mapping_value, + operator, + risk_score: riskScoreOrUndefined, }) ); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx index 2a6cd3fc5bb7a4..0d98a0f2f26ff5 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.test.tsx @@ -331,6 +331,7 @@ describe('helpers', () => { const result: ListItems[] = buildSeverityDescription({ value: 'low', mapping: [{ field: 'host.name', operator: 'equals', value: 'hello', severity: 'high' }], + isMappingChecked: true, }); expect(result[0].title).toEqual('Severity'); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx index 1110c8c098988b..600bc999849d1d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx @@ -35,6 +35,7 @@ import { SeverityBadge } from '../severity_badge'; import ListTreeIcon from './assets/list_tree_icon.svg'; import { assertUnreachable } from '../../../../common/lib/helpers'; import { AboutStepRiskScore, AboutStepSeverity } from '../../../pages/detection_engine/rules/types'; +import { defaultToEmptyTag } from '../../../../common/components/empty_value'; const NoteDescriptionContainer = styled(EuiFlexItem)` height: 105px; @@ -236,35 +237,44 @@ export const buildSeverityDescription = (severity: AboutStepSeverity): ListItems title: i18nSeverity.DEFAULT_SEVERITY, description: , }, - ...severity.mapping.map((severityItem, index) => { - return { - title: index === 0 ? i18nSeverity.SEVERITY_MAPPING : '', - description: ( - - - - <>{severityItem.field} - - - - <>{severityItem.value} - - - - - - - - - ), - }; - }), + ...(severity.isMappingChecked + ? severity.mapping + .filter((severityItem) => severityItem.field !== '') + .map((severityItem, index) => { + return { + title: index === 0 ? i18nSeverity.SEVERITY_MAPPING : '', + description: ( + + + + <>{`${severityItem.field}:`} + + + + + {defaultToEmptyTag(severityItem.value)} + + + + + + + + + + ), + }; + }) + : []), ]; export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListItems[] => [ @@ -272,27 +282,31 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt title: i18nRiskScore.RISK_SCORE, description: riskScore.value, }, - ...riskScore.mapping.map((riskScoreItem, index) => { - return { - title: index === 0 ? i18nRiskScore.RISK_SCORE_MAPPING : '', - description: ( - - - - <>{riskScoreItem.field} - - - - - - {'signal.rule.risk_score'} - - ), - }; - }), + ...(riskScore.isMappingChecked + ? riskScore.mapping + .filter((riskScoreItem) => riskScoreItem.field !== '') + .map((riskScoreItem, index) => { + return { + title: index === 0 ? i18nRiskScore.RISK_SCORE_MAPPING : '', + description: ( + + + + <>{riskScoreItem.field} + + + + + + {'signal.rule.risk_score'} + + ), + }; + }) + : []), ]; const MyRefUrlLink = styled(EuiLink)` diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx index c9e2cb1a8ca24f..35816e82540d1d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/index.tsx @@ -14,8 +14,9 @@ import { EuiIcon, EuiSpacer, } from '@elastic/eui'; -import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import React, { useCallback, useMemo } from 'react'; import styled from 'styled-components'; +import { noop } from 'lodash/fp'; import * as i18n from './translations'; import { FieldHook } from '../../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib'; import { CommonUseField } from '../../../../cases/components/create'; @@ -24,6 +25,10 @@ import { FieldComponent } from '../../../../common/components/autocomplete/field import { IFieldType } from '../../../../../../../../src/plugins/data/common/index_patterns/fields'; import { IIndexPattern } from '../../../../../../../../src/plugins/data/common/index_patterns'; +const RiskScoreMappingEuiFormRow = styled(EuiFormRow)` + width: 468px; +`; + const NestedContent = styled.div` margin-left: 24px; `; @@ -41,6 +46,7 @@ interface RiskScoreFieldProps { field: FieldHook; idAria: string; indices: IIndexPattern; + isDisabled: boolean; placeholder?: string; } @@ -49,40 +55,23 @@ export const RiskScoreField = ({ field, idAria, indices, + isDisabled, placeholder, }: RiskScoreFieldProps) => { - const [isRiskScoreMappingChecked, setIsRiskScoreMappingChecked] = useState(false); - const [initialFieldCheck, setInitialFieldCheck] = useState(true); - const fieldTypeFilter = useMemo(() => ['number'], []); - useEffect(() => { - if ( - !isRiskScoreMappingChecked && - initialFieldCheck && - (field.value as AboutStepRiskScore).mapping?.length > 0 - ) { - setIsRiskScoreMappingChecked(true); - setInitialFieldCheck(false); - } - }, [ - field, - initialFieldCheck, - isRiskScoreMappingChecked, - setIsRiskScoreMappingChecked, - setInitialFieldCheck, - ]); - const handleFieldChange = useCallback( ([newField]: IFieldType[]): void => { const values = field.value as AboutStepRiskScore; field.setValue({ value: values.value, + isMappingChecked: values.isMappingChecked, mapping: [ { field: newField?.name ?? '', operator: 'equals', - value: '', + value: undefined, + riskScore: undefined, }, ], }); @@ -99,8 +88,13 @@ export const RiskScoreField = ({ }, [field.value, indices]); const handleRiskScoreMappingChecked = useCallback(() => { - setIsRiskScoreMappingChecked(!isRiskScoreMappingChecked); - }, [isRiskScoreMappingChecked, setIsRiskScoreMappingChecked]); + const values = field.value as AboutStepRiskScore; + field.setValue({ + value: values.value, + mapping: [...values.mapping], + isMappingChecked: !values.isMappingChecked, + }); + }, [field]); const riskScoreLabel = useMemo(() => { return ( @@ -117,11 +111,16 @@ export const RiskScoreField = ({ const riskScoreMappingLabel = useMemo(() => { return (
- + @@ -133,7 +132,7 @@ export const RiskScoreField = ({
); - }, [handleRiskScoreMappingChecked, isRiskScoreMappingChecked]); + }, [field.value, handleRiskScoreMappingChecked, isDisabled]); return ( @@ -153,6 +152,7 @@ export const RiskScoreField = ({ componentProps={{ idAria: 'detectionEngineStepAboutRuleRiskScore', 'data-test-subj': 'detectionEngineStepAboutRuleRiskScore', + isDisabled, euiFieldProps: { max: 100, min: 0, @@ -166,11 +166,11 @@ export const RiskScoreField = ({ - {i18n.RISK_SCORE_MAPPING_DETAILS} ) : ( '' @@ -184,7 +184,7 @@ export const RiskScoreField = ({ > - {isRiskScoreMappingChecked && ( + {(field.value as AboutStepRiskScore).isMappingChecked && ( @@ -208,11 +208,11 @@ export const RiskScoreField = ({ fieldTypeFilter={fieldTypeFilter} isLoading={false} isClearable={false} - isDisabled={false} + isDisabled={isDisabled} onChange={handleFieldChange} data-test-subj={dataTestSubj} aria-label={idAria} - fieldInputWidth={230} + fieldInputWidth={270} /> @@ -226,7 +226,7 @@ export const RiskScoreField = ({ )} - + ); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx index 579c60579b32ee..54d505a4d867f1 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/severity_mapping/index.tsx @@ -14,7 +14,8 @@ import { EuiIcon, EuiSpacer, } from '@elastic/eui'; -import React, { useCallback, useEffect, useMemo, useState } from 'react'; +import { noop } from 'lodash/fp'; +import React, { useCallback, useMemo } from 'react'; import styled from 'styled-components'; import * as i18n from './translations'; import { FieldHook } from '../../../../../../../../src/plugins/es_ui_shared/static/forms/hook_form_lib'; @@ -27,10 +28,16 @@ import { } from '../../../../../../../../src/plugins/data/common/index_patterns'; import { FieldComponent } from '../../../../common/components/autocomplete/field'; import { AutocompleteFieldMatchComponent } from '../../../../common/components/autocomplete/field_value_match'; +import { + Severity, + SeverityMapping, + SeverityMappingItem, +} from '../../../../../common/detection_engine/schemas/common/schemas'; -const SeverityMappingParentContainer = styled(EuiFlexItem)` - max-width: 471px; +const SeverityMappingEuiFormRow = styled(EuiFormRow)` + width: 468px; `; + const NestedContent = styled.div` margin-left: 24px; `; @@ -48,6 +55,7 @@ interface SeverityFieldProps { field: FieldHook; idAria: string; indices: IIndexPattern; + isDisabled: boolean; options: SeverityOptionItem[]; } @@ -56,42 +64,20 @@ export const SeverityField = ({ field, idAria, indices, + isDisabled, options, }: SeverityFieldProps) => { - const [isSeverityMappingChecked, setIsSeverityMappingChecked] = useState(false); - const [initialFieldCheck, setInitialFieldCheck] = useState(true); const fieldValueInputWidth = 160; - useEffect(() => { - if ( - !isSeverityMappingChecked && - initialFieldCheck && - (field.value as AboutStepSeverity).mapping?.length > 0 - ) { - setIsSeverityMappingChecked(true); - setInitialFieldCheck(false); - } - }, [ - field, - initialFieldCheck, - isSeverityMappingChecked, - setIsSeverityMappingChecked, - setInitialFieldCheck, - ]); - - const handleFieldChange = useCallback( - (index: number, severity: string, [newField]: IFieldType[]): void => { + const handleFieldValueChange = useCallback( + (newMappingItems: SeverityMapping, index: number): void => { const values = field.value as AboutStepSeverity; field.setValue({ value: values.value, + isMappingChecked: values.isMappingChecked, mapping: [ ...values.mapping.slice(0, index), - { - ...values.mapping[index], - field: newField?.name ?? '', - operator: 'equals', - severity, - }, + ...newMappingItems, ...values.mapping.slice(index + 1), ], }); @@ -99,40 +85,59 @@ export const SeverityField = ({ [field] ); + const handleFieldChange = useCallback( + (index: number, severity: Severity, [newField]: IFieldType[]): void => { + const values = field.value as AboutStepSeverity; + const newMappingItems: SeverityMapping = [ + { + ...values.mapping[index], + field: newField?.name ?? '', + value: newField != null ? values.mapping[index].value : '', + operator: 'equals', + severity, + }, + ]; + handleFieldValueChange(newMappingItems, index); + }, + [field, handleFieldValueChange] + ); + const handleFieldMatchValueChange = useCallback( - (index: number, severity: string, newMatchValue: string): void => { + (index: number, severity: Severity, newMatchValue: string): void => { const values = field.value as AboutStepSeverity; - field.setValue({ - value: values.value, - mapping: [ - ...values.mapping.slice(0, index), - { - ...values.mapping[index], - value: newMatchValue, - operator: 'equals', - severity, - }, - ...values.mapping.slice(index + 1), - ], - }); + const newMappingItems: SeverityMapping = [ + { + ...values.mapping[index], + field: values.mapping[index].field, + value: + values.mapping[index].field != null && values.mapping[index].field !== '' + ? newMatchValue + : '', + operator: 'equals', + severity, + }, + ]; + handleFieldValueChange(newMappingItems, index); }, - [field] + [field, handleFieldValueChange] ); - const selectedState = useMemo(() => { - return ( - (field.value as AboutStepSeverity).mapping?.map((mapping) => { - const [newSelectedField] = indices.fields.filter( - ({ name }) => mapping.field != null && mapping.field === name - ); - return { field: newSelectedField, value: mapping.value }; - }) ?? [] - ); - }, [field.value, indices]); + const getIFieldTypeFromFieldName = ( + fieldName: string | undefined, + iIndexPattern: IIndexPattern + ): IFieldType | undefined => { + const [iFieldType] = iIndexPattern.fields.filter(({ name }) => fieldName === name); + return iFieldType; + }; - const handleSeverityMappingSelected = useCallback(() => { - setIsSeverityMappingChecked(!isSeverityMappingChecked); - }, [isSeverityMappingChecked, setIsSeverityMappingChecked]); + const handleSeverityMappingChecked = useCallback(() => { + const values = field.value as AboutStepSeverity; + field.setValue({ + value: values.value, + mapping: [...values.mapping], + isMappingChecked: !values.isMappingChecked, + }); + }, [field]); const severityLabel = useMemo(() => { return ( @@ -149,12 +154,17 @@ export const SeverityField = ({ const severityMappingLabel = useMemo(() => { return (
- + {i18n.SEVERITY_MAPPING} @@ -165,7 +175,7 @@ export const SeverityField = ({
); - }, [handleSeverityMappingSelected, isSeverityMappingChecked]); + }, [field.value, handleSeverityMappingChecked, isDisabled]); return ( @@ -185,6 +195,7 @@ export const SeverityField = ({ componentProps={{ idAria: 'detectionEngineStepAboutRuleSeverity', 'data-test-subj': 'detectionEngineStepAboutRuleSeverity', + isDisabled, euiFieldProps: { fullWidth: false, disabled: false, @@ -195,12 +206,12 @@ export const SeverityField = ({ - - + {i18n.SEVERITY_MAPPING_DETAILS} ) : ( '' @@ -214,7 +225,7 @@ export const SeverityField = ({ > - {isSeverityMappingChecked && ( + {(field.value as AboutStepSeverity).isMappingChecked && ( @@ -231,53 +242,72 @@ export const SeverityField = ({ - {options.map((option, index) => ( - - - - - + {(field.value as AboutStepSeverity).mapping.map( + (severityMappingItem: SeverityMappingItem, index) => ( + + + + + - - - - - - - - {option.inputDisplay} - - - - ))} + + + + + + + + { + options.find((o) => o.value === severityMappingItem.severity) + ?.inputDisplay + } + + + + ) + )} )} - - + + ); }; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts index f5d61553b595b6..b9c3e4f84c18ee 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/default_value.ts @@ -5,6 +5,7 @@ */ import { AboutStepRule } from '../../../pages/detection_engine/rules/types'; +import { fillEmptySeverityMappings } from '../../../pages/detection_engine/rules/helpers'; export const threatDefault = [ { @@ -21,8 +22,8 @@ export const stepAboutDefaultValue: AboutStepRule = { isAssociatedToEndpointList: false, isBuildingBlock: false, isNew: true, - severity: { value: 'low', mapping: [] }, - riskScore: { value: 50, mapping: [] }, + severity: { value: 'low', mapping: fillEmptySeverityMappings([]), isMappingChecked: false }, + riskScore: { value: 50, mapping: [], isMappingChecked: false }, references: [''], falsePositives: [''], license: '', diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx index a86c1b7ce1beaa..cb3fd5e5bec32f 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/index.test.tsx @@ -16,6 +16,7 @@ import { stepAboutDefaultValue } from './default_value'; // we don't have the types for waitFor just yet, so using "as waitFor" until when we do import { wait as waitFor } from '@testing-library/react'; import { AboutStepRule } from '../../../pages/detection_engine/rules/types'; +import { fillEmptySeverityMappings } from '../../../pages/detection_engine/rules/helpers'; const theme = () => ({ eui: euiDarkVars, darkMode: true }); @@ -176,8 +177,8 @@ describe('StepAboutRuleComponent', () => { name: 'Test name text', note: '', references: [''], - riskScore: { value: 50, mapping: [] }, - severity: { value: 'low', mapping: [] }, + riskScore: { value: 50, mapping: [], isMappingChecked: false }, + severity: { value: 'low', mapping: fillEmptySeverityMappings([]), isMappingChecked: false }, tags: [], threat: [ { @@ -236,8 +237,8 @@ describe('StepAboutRuleComponent', () => { name: 'Test name text', note: '', references: [''], - riskScore: { value: 80, mapping: [] }, - severity: { value: 'low', mapping: [] }, + riskScore: { value: 80, mapping: [], isMappingChecked: false }, + severity: { value: 'low', mapping: fillEmptySeverityMappings([]), isMappingChecked: false }, tags: [], threat: [ { diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/schema.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/schema.tsx index fbd03850eee754..20470d7bb924ff 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/schema.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/step_about_rule/schema.tsx @@ -117,18 +117,16 @@ export const schema: FormSchema = { }, ], }, - mapping: { - type: FIELD_TYPES.TEXT, - }, + mapping: {}, + isMappingChecked: {}, }, riskScore: { value: { type: FIELD_TYPES.RANGE, serializer: (input: string) => Number(input), }, - mapping: { - type: FIELD_TYPES.TEXT, - }, + mapping: {}, + isMappingChecked: {}, }, references: { label: i18n.translate( diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts index 14cf476e66563b..7a6b61f0dfd893 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/__mocks__/mock.ts @@ -9,6 +9,7 @@ import { Rule, RuleError } from '../../../../../containers/detection_engine/rule import { List } from '../../../../../../../common/detection_engine/schemas/types'; import { AboutStepRule, ActionsStepRule, DefineStepRule, ScheduleStepRule } from '../../types'; import { FieldValueQueryBar } from '../../../../../components/rules/query_bar'; +import { fillEmptySeverityMappings } from '../../helpers'; export const mockQueryBar: FieldValueQueryBar = { query: { @@ -175,8 +176,8 @@ export const mockAboutStepRule = (isNew = false): AboutStepRule => ({ license: 'Elastic License', name: 'Query with rule-id', description: '24/7', - severity: { value: 'low', mapping: [] }, - riskScore: { value: 21, mapping: [] }, + riskScore: { value: 21, mapping: [], isMappingChecked: false }, + severity: { value: 'low', mapping: fillEmptySeverityMappings([]), isMappingChecked: false }, references: ['www.test.co'], falsePositives: ['test'], tags: ['tag1', 'tag2'], diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts index 705013beb750f9..8b03f62fc82bde 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/create/helpers.ts @@ -189,10 +189,14 @@ export const formatAboutStepData = ( false_positives: falsePositives.filter((item) => !isEmpty(item)), references: references.filter((item) => !isEmpty(item)), risk_score: riskScore.value, - risk_score_mapping: riskScore.mapping, + risk_score_mapping: riskScore.isMappingChecked + ? riskScore.mapping.filter((m) => m.field != null && m.field !== '') + : [], rule_name_override: ruleNameOverride !== '' ? ruleNameOverride : undefined, severity: severity.value, - severity_mapping: severity.mapping, + severity_mapping: severity.isMappingChecked + ? severity.mapping.filter((m) => m.field != null && m.field !== '' && m.value != null) + : [], threat: threat .filter((singleThreat) => singleThreat.tactic.name !== 'none') .map((singleThreat) => ({ diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx index b40243efcfb46d..10a20807d6f879 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.test.tsx @@ -17,6 +17,7 @@ import { getPrePackagedTimelineStatus, determineDetailsValue, userHasNoPermissions, + fillEmptySeverityMappings, } from './helpers'; import { mockRuleWithEverything, mockRule } from './all/__mocks__/mock'; import { esFilters } from '../../../../../../../../src/plugins/data/public'; @@ -97,9 +98,9 @@ describe('rule helpers', () => { name: 'Query with rule-id', note: '# this is some markdown documentation', references: ['www.test.co'], - riskScore: { value: 21, mapping: [] }, + riskScore: { value: 21, mapping: [], isMappingChecked: false }, ruleNameOverride: 'message', - severity: { value: 'low', mapping: [] }, + severity: { value: 'low', mapping: fillEmptySeverityMappings([]), isMappingChecked: false }, tags: ['tag1', 'tag2'], threat: [ { diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx index 8f8967f2ff6d54..f9279ce6395344 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/helpers.tsx @@ -24,6 +24,8 @@ import { ScheduleStepRule, ActionsStepRule, } from './types'; +import { SeverityMapping } from '../../../../../common/detection_engine/schemas/common/schemas'; +import { severityOptions } from '../../../components/rules/step_about_rule/data'; export interface GetStepsData { aboutRuleData: AboutStepRule; @@ -150,18 +152,38 @@ export const getAboutStepsData = (rule: Rule, detailsView: boolean): AboutStepRu references, severity: { value: severity, - mapping: severityMapping, + mapping: fillEmptySeverityMappings(severityMapping), + isMappingChecked: severityMapping.length > 0, }, tags, riskScore: { value: riskScore, mapping: riskScoreMapping, + isMappingChecked: riskScoreMapping.length > 0, }, falsePositives, threat: threat as IMitreEnterpriseAttack[], }; }; +const severitySortMapping = { + low: 0, + medium: 1, + high: 2, + critical: 3, +}; + +export const fillEmptySeverityMappings = (mappings: SeverityMapping): SeverityMapping => { + const missingMappings: SeverityMapping = severityOptions.flatMap((so) => + mappings.find((mapping) => mapping.severity === so.value) == null + ? [{ field: '', value: '', operator: 'equals', severity: so.value }] + : [] + ); + return [...mappings, ...missingMappings].sort( + (a, b) => severitySortMapping[a.severity] - severitySortMapping[b.severity] + ); +}; + export const determineDetailsValue = ( rule: Rule, detailsView: boolean diff --git a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts index 23715a88efc7b0..e36f08703dae51 100644 --- a/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts +++ b/x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/types.ts @@ -88,11 +88,13 @@ export interface AboutStepRuleDetails { export interface AboutStepSeverity { value: string; mapping: SeverityMapping; + isMappingChecked: boolean; } export interface AboutStepRiskScore { value: number; mapping: RiskScoreMapping; + isMappingChecked: boolean; } export interface DefineStepRule extends StepRuleData { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts index 356cf95fc0d24f..888642f77af60c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/mappings/build_risk_score_from_mapping.ts @@ -10,7 +10,6 @@ import { RiskScoreMappingOrUndefined, } from '../../../../../common/detection_engine/schemas/common/schemas'; import { SignalSourceHit } from '../types'; -import { RiskScore as RiskScoreIOTS } from '../../../../../common/detection_engine/schemas/types'; interface BuildRiskScoreFromMappingProps { doc: SignalSourceHit; @@ -33,8 +32,12 @@ export const buildRiskScoreFromMapping = ({ const mappedField = riskScoreMapping[0].field; // TODO: Expand by verifying fieldType from index via doc._index const mappedValue = get(mappedField, doc._source); - // TODO: This doesn't seem to validate...identified riskScore > 100 😬 - if (RiskScoreIOTS.is(mappedValue)) { + if ( + typeof mappedValue === 'number' && + Number.isSafeInteger(mappedValue) && + mappedValue >= 0 && + mappedValue <= 100 + ) { return { riskScore: mappedValue, riskScoreMeta: { riskScoreOverridden: true } }; } }