-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Adds support for system actions (and cases action) to detection rules #183937
base: main
Are you sure you want to change the base?
Conversation
…factor was merged
...security_solution/server/lib/detection_engine/rule_management/api/rules/create_rule/route.ts
Outdated
Show resolved
Hide resolved
/ci |
@@ -479,7 +479,6 @@ components: | |||
$ref: '#/components/schemas/RuleActionFrequency' | |||
required: | |||
- action_type_id | |||
- group |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For any questions on this, I pulled this from the system actions RFC:
All rules APIs will not accept the systemActions in their requests. The system will deduct if an action is a system action automatically using the actions’ client. As system actions are not allowed to have a group, the property will be optional (at the moment it is required) in all APIs. The APIs will convert the actions to the schema needed by the rules client. Finally, the APIs will merge the system actions with the default actions before sending the response back to the client.
Ref: https://docs.google.com/document/d/1mYStNLxrafnyxR6v_uB4ONw_iFHTg1pmE3EAQYgKFSY/edit?pli=1
/ci |
⏳ Build in-progress
History
cc @dhurley14 |
Here is a list of test cases I tried manually. All passed:
|
… into system-actions-security
...n/public/detection_engine/rule_creation/components/step_rule_actions/notification_action.tsx
Outdated
Show resolved
Hide resolved
...press/e2e/detection_response/detection_engine/rule_actions/rule_actions_pli_essentials.cy.ts
Show resolved
Hide resolved
.../lib/detection_engine/rule_management/logic/bulk_actions/action_to_rules_client_operation.ts
Show resolved
Hide resolved
...management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @dhurley14. Thanks for addressing my points. Rechecked the bulk adding of system actions and everything seems to be working as expected now 👍
Left a couple of nits, but approving ✅
(I did cause a conflict in x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts
when I merged #188631, sorry about that)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for implementing this feature and addressing comments.
Approving it, only one test to add left: #183937 (comment)
…creation/components/step_rule_actions/notification_action.tsx Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
⏳ Build in-progress
History
To update your PR or re-run it, just comment with: cc @dhurley14 |
Summary
Usually, connectors are used to communicate with external services like PagerDuty or ServiceNow. Automated actions like opening a case or running an OsQuery do not need any configuration. These types of actions are known as "system actions" and represent ways to automate functionality between different kibana features.
This PR allows detection rules to take advantage of system actions, like the cases action, to expedite tasks which our security customers might already undertake, while providing support for future system actions to be added later. You can read more about the cases action here: #153837
Testing
The cases system action is only available for Platinum licensing. To test all we need is to create a rule and in the Actions tab, select Cases, then turn the rule on and have it generate alerts. When the alerts are generated, a case (or cases) will be created and can be viewed in the Cases page.
The configuration options shown in the above screenshot are explained in more detail in this RFC, specifically Diagram 1, but to summarize:
The grouping pieces can be better understood via the following example:
If I select
agent.type
in the group by field for the cases action, and have a rule that generates alerts frompacketbeat-*
and fromauditbeat-*
then that singular rule will generate two separate cases. One for alerts grouped byagent.type: packetbeat
and another case for auditbeatAnd we can still use system actions in conjunction with other action connectors.
Checklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: