Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add possibility to update threat_indicator_path for prebuilt rule #116583

Merged
merged 6 commits into from
Nov 29, 2021
Merged

Add possibility to update threat_indicator_path for prebuilt rule #116583

merged 6 commits into from
Nov 29, 2021

Conversation

nkhristinin
Copy link
Contributor

@nkhristinin nkhristinin commented Oct 28, 2021
edited
Loading

Add the possibility to update threat_indicator_path for the prebuilt rule.

How to reproduce the bug:

We will update this file -x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json

  • checkout master branch
  • install all prebuilt rules
  • open the Threat Intel Filebeat Module Indicator Match
  • check that in the network panel the request for this rule has threat_indicator_pathequals ""
  • change threat_indicator_path to any value
  • increase the version
  • save file
  • you should see this button

Screenshot 2021-10-28 at 19 54 07

  • update rules
  • check Indicator math rule again in the network request
  • threat_indicator_pathshould be the empty string - ""

Check out branch

  • Go to x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/threat_intel_module_match.json
  • change threat_indicator_path to any value
  • increase the version
  • you should see this button

Screenshot 2021-10-28 at 19 54 07

  • update rules
  • check Threat Intel Filebeat Module Indicator Match rule again in the network request
  • threat_indicator_pathshould has a value which you enter before

For maintainers

@nkhristinin
Copy link
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin marked this pull request as ready for review October 28, 2021 17:57
@nkhristinin nkhristinin requested a review from a team as a code owner October 28, 2021 17:57
@nkhristinin nkhristinin added auto-backport Deprecated: Automatically backport this PR after it's merged Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Oct 28, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

rylnd
rylnd reviewed Oct 28, 2021
View reviewed changes
Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch, I missed these paths in #91260.

In order to ensure we don't introduce a regression here, it would be great to add some test coverage in update_prepacked_rules.test.ts, verifying that modification of some representative fields (including threat_indicator_path) are persisted by that function.

This was referenced Nov 10, 2021
Closed
Merged
@ecezalp
Copy link
Contributor

ecezalp commented Nov 16, 2021

@elasticmachine merge upstream

ecezalp
ecezalp approved these changes Nov 16, 2021
View reviewed changes
Copy link
Contributor

@ecezalp ecezalp left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - making a note of the update_prepackaged_rules.test.ts in the testing doc here for 8.0

@elastic elastic deleted a comment from kibanamachine Nov 16, 2021
@ecezalp
Copy link
Contributor

ecezalp commented Nov 24, 2021

@elasticmachine merge upstream

@ecezalp
Copy link
Contributor

ecezalp commented Nov 29, 2021

@elasticmachine merge upstream

@ecezalp ecezalp added the Team:Detections and Resp Security Detection Response Team label Nov 29, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@ecezalp ecezalp enabled auto-merge (squash) November 29, 2021 19:17
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nkhristinin

@ecezalp ecezalp merged commit b5a30fc into elastic:main Nov 29, 2021
@kibanamachine
Copy link
Contributor

The following labels were identified as gaps in your version labels and will be added automatically:

  • v8.1.0

If any of these should not be on your pull request, please manually remove them.

@kibanamachine kibanamachine mentioned this pull request Nov 29, 2021
Merged
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 29, 2021
@nkhristinin @kibanamachine
Add possibility to update threat_indicator_path for prebuilt rule (el…
12f4309 
…astic#116583)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
8.0

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Nov 29, 2021
@kibanamachine @nkhristinin
Add possibility to update threat_indicator_path for prebuilt rule (#1…
e636327 
…16583) (#119898)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>

Co-authored-by: Khristinin Nikita <nikita.khristinin@elastic.co>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021
@nkhristinin @kibanamachine @TinLe
Add possibility to update threat_indicator_path for prebuilt rule (el…
61f905d 
…astic#116583)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
gbamparop pushed a commit to gbamparop/kibana that referenced this pull request Jan 12, 2022
@nkhristinin @kibanamachine @gbamparop
Add possibility to update threat_indicator_path for prebuilt rule (el…
098d44f 
…astic#116583)

* Add possibility to update threat_indicator_path for prebuiltt rule

* Fix types

* adds update_prepacked_rules test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rylnd rylnd rylnd left review comments

@ecezalp ecezalp ecezalp approved these changes

@banderror banderror Awaiting requested review from banderror

Assignees

@nkhristinin nkhristinin

Labels
auto-backport Deprecated: Automatically backport this PR after it's merged CTI area release_note:fix Team: CTI Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.0 v8.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@nkhristinin @elasticmachine @ecezalp @kibana-ci @kibanamachine @rylnd