[Cloud Security] Mute detection rules
Showing
14 changed files
with
553 additions
and
186 deletions.
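--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/common/utils/detection_rules.test.ts
@@ -0,0 +1,113 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { CspBenchmarkRuleMetadata } from '../types';
+import {
+convertRuleTagsToKQL,
+generateBenchmarkRuleTags,
+getFindingsDetectionRuleSearchTags,
+} from './detection_rules';
+
+describe('Detection rules utils', () => {
+it('should convert tags to KQL format', () => {
+const inputTags = ['tag1', 'tag2', 'tag3'];
+
+const result = convertRuleTagsToKQL(inputTags);
+
+const expectedKQL = 'alert.attributes.tags:("tag1" AND "tag2" AND "tag3")';
+expect(result).toBe(expectedKQL);
+});
+
+it('Should convert tags to KQL format', () => {
+const inputTags = [] as string[];
+
+const result = convertRuleTagsToKQL(inputTags);
+
+const expectedKQL = 'alert.attributes.tags:()';
+expect(result).toBe(expectedKQL);
+});
+
+it('Should generate search tags for a CSP benchmark rule', () => {
+const cspBenchmarkRule = {
+benchmark: {
+id: 'cis_gcp',
+rule_number: '1.1',
+},
+} as unknown as CspBenchmarkRuleMetadata;
+
+const result = getFindingsDetectionRuleSearchTags(cspBenchmarkRule);
+
+const expectedTags = ['CIS', 'GCP', 'CIS GCP 1.1'];
+expect(result).toEqual(expectedTags);
+});
+
+it('Should handle undefined benchmark object gracefully', () => {
+const cspBenchmarkRule = { benchmark: {} } as any;
+const expectedTags: string[] = [];
+const result = getFindingsDetectionRuleSearchTags(cspBenchmarkRule);
+expect(result).toEqual(expectedTags);
+});
+
+it('Should handle undefined rule number gracefully', () => {
+const cspBenchmarkRule = {
+benchmark: {
+id: 'cis_gcp',
+},
+} as unknown as CspBenchmarkRuleMetadata;
+const result = getFindingsDetectionRuleSearchTags(cspBenchmarkRule);
+const expectedTags = ['CIS', 'GCP', 'CIS GCP'];
+expect(result).toEqual(expectedTags);
+});
+
+it('Should generate tags for a CSPM benchmark rule', () => {
+const cspBenchmarkRule = {
+benchmark: {
+id: 'cis_gcp',
+rule_number: '1.1',
+posture_type: 'cspm',
+},
+} as unknown as CspBenchmarkRuleMetadata;
+
+const result = generateBenchmarkRuleTags(cspBenchmarkRule);
+
+const expectedTags = [
+'Cloud Security',
+'Use Case: Configuration Audit',
+'CIS',
+'GCP',
+'CIS GCP 1.1',
+'CSPM',
+'Data Source: CSPM',
+'Domain: Cloud',
+];
+expect(result).toEqual(expectedTags);
+});
+
+it('Should generate tags for a KSPM benchmark rule', () => {
+const cspBenchmarkRule = {
+benchmark: {
+id: 'cis_gcp',
+rule_number: '1.1',
+posture_type: 'kspm',
+},
+} as unknown as CspBenchmarkRuleMetadata;
+
+const result = generateBenchmarkRuleTags(cspBenchmarkRule);
+
+const expectedTags = [
+'Cloud Security',
+'Use Case: Configuration Audit',
+'CIS',
+'GCP',
+'CIS GCP 1.1',
+'KSPM',
+'Data Source: KSPM',
+'Domain: Container',
+];
+expect(result).toEqual(expectedTags);
+});
+});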
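Review bot: The second test, `it('Should convert tags to KQL format', ...)`, reuses the first test's name while actually covering the empty-list case, so a failure report would not say which case broke; rename it, e.g. `it('Should produce an empty KQL group for an empty tag list', () => {`. The `as any` cast in the undefined-benchmark test can be written `as unknown as CspBenchmarkRuleMetadata` like the sibling tests, so the test file stays under the same lint rules as the code it covers. There is also no case for a tag value containing a double quote or backslash, which is the one input that can change the shape of the generated KQL, so a test pinning the intended behaviour there would document the contract of `convertRuleTagsToKQL`.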
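--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/common/utils/detection_rules.ts
@@ -0,0 +1,58 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { CspBenchmarkRuleMetadata } from '../types/latest';
+
+const CSP_RULE_TAG = 'Cloud Security';
+const CSP_RULE_TAG_USE_CASE = 'Use Case: Configuration Audit';
+const CSP_RULE_TAG_DATA_SOURCE_PREFIX = 'Data Source: ';
+
+const STATIC_RULE_TAGS = [CSP_RULE_TAG, CSP_RULE_TAG_USE_CASE];
+
+export const convertRuleTagsToKQL = (tags: string[]): string => {
+const TAGS_FIELD = 'alert.attributes.tags';
+return `${TAGS_FIELD}:(${tags.map((tag) => `"${tag}"`).join(' AND ')})`;
+};
+
+/*
+ * Returns an array of CspFinding tags that can be used to search and filter a detection rule
+ */
+export const getFindingsDetectionRuleSearchTags = (
+cspBenchmarkRule: CspBenchmarkRuleMetadata
+): string[] => {
+if (!cspBenchmarkRule.benchmark || !cspBenchmarkRule.benchmark.id) {
+// Return an empty array if benchmark ID is undefined
+return [];
+}
+
+// ex: cis_gcp to ['CIS', 'GCP']
+const benchmarkIdTags = cspBenchmarkRule.benchmark.id.split('_').map((tag) => tag.toUpperCase());
+
+// ex: 'CIS GCP 1.1'
+const benchmarkRuleNumberTag = cspBenchmarkRule.benchmark.rule_number
+? `${cspBenchmarkRule.benchmark.id.replace('_', ' ').toUpperCase()} ${
+cspBenchmarkRule.benchmark.rule_number
+}`
+: cspBenchmarkRule.benchmark.id.replace('_', ' ').toUpperCase();
+
+return benchmarkIdTags.concat([benchmarkRuleNumberTag]);
+};
+
+export const generateBenchmarkRuleTags = (rule: CspBenchmarkRuleMetadata) => {
+return [STATIC_RULE_TAGS]
+.concat(getFindingsDetectionRuleSearchTags(rule))
+.concat(
+rule.benchmark.posture_type
+? [
+rule.benchmark.posture_type.toUpperCase(),
+`${CSP_RULE_TAG_DATA_SOURCE_PREFIX}${rule.benchmark.posture_type.toUpperCase()}`,
+]
+: []
+)
+.concat(rule.benchmark.posture_type === 'cspm' ? ['Domain: Cloud'] : ['Domain: Container'])
+.flat();
+};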
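Review bot: `convertRuleTagsToKQL` (the `return` line after `const TAGS_FIELD`) interpolates each tag into a quoted KQL term without escaping, so a tag containing `"` or `\` yields a malformed query or one whose quoted term ends early; the tags built in this file come from benchmark metadata (`id`, `rule_number`, `posture_type`) rather than user input, but the helper is exported and accepts any `string[]`, so it should be well-formed for every value. Escape before quoting, e.g. `const quoted = tags.map((tag) => '"' + tag.replace(/["\\]/g, '\\$&') + '"');` followed by `return TAGS_FIELD + ':(' + quoted.join(' AND ') + ')';`. The empty-list result `alert.attributes.tags:()`, which the new test pins, is presumably not a valid KQL group, so an explicit decision for the empty case (return `''` or throw) would be safer than emitting it. Separately, `generateBenchmarkRuleTags` reads `rule.benchmark.posture_type` without the `benchmark` guard that `getFindingsDetectionRuleSearchTags` applies, and its final `.concat(...)` tags every rule that is not `'cspm'` as `Domain: Container`, including rules with no `posture_type` at all; it also has no declared return type, unlike the other exports here.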
36 changes: 0 additions & 36 deletions
36
...gins/cloud_security_posture/server/routes/benchmark_rules/bulk_action/bulk_action.test.ts
This file was deleted.