[Security Solution] Create rule from timeline #143020
@@ -105,6 +105,8 @@ import { | |
ACTIONS_THROTTLE_INPUT, | ||
CONTINUE_BUTTON, | ||
CREATE_WITHOUT_ENABLING_BTN, | ||
RULE_INDICES, | ||
ALERTS_INDEX_BUTTON, | ||
} from '../screens/create_new_rule'; | ||
import { | ||
INDEX_SELECTOR, | ||
|
@@ -344,13 +346,27 @@ const fillCustomQuery = (rule: CustomRule | OverrideRule) => { | |
cy.get(IMPORT_QUERY_FROM_SAVED_TIMELINE_LINK).click(); | ||
cy.get(TIMELINE(rule.timeline.id)).click(); | ||
cy.get(CUSTOM_QUERY_INPUT).should('have.value', rule.customQuery); | ||
if (rule.dataSource.type === 'indexPatterns') { | ||
removeAlertsIndex(); | ||
} | ||
} else { | ||
cy.get(CUSTOM_QUERY_INPUT) | ||
.first() | ||
.type(rule.customQuery || ''); | ||
} | ||
}; | ||
|
||
// called after import rule from saved timeline | ||
// if alerts index is created, it is included in the timeline | ||
// to be consistent in multiple test runs, remove it if it's there | ||
export const removeAlertsIndex = () => { | ||
cy.get(RULE_INDICES).then(($body) => { | ||
if ($body.find(ALERTS_INDEX_BUTTON).length > 0) { | ||
cy.get(ALERTS_INDEX_BUTTON).click(); | ||
} | ||
}); | ||
}; | ||
|
||
export const continueWithNextSection = () => { | ||
cy.get(CONTINUE_BUTTON).should('exist').click(); | ||
}; | ||
|
@@ -690,20 +706,3 @@ export const checkLoadQueryDynamically = () => { | |
export const uncheckLoadQueryDynamically = () => { | ||
cy.get(LOAD_QUERY_DYNAMICALLY_CHECKBOX).click({ force: true }).should('not.be.checked'); | ||
}; | ||
|
||
unused
||
export const defineSection = { importSavedQuery }; | ||
export const aboutSection = { | ||
fillRuleName, | ||
fillDescription, | ||
fillSeverity, | ||
fillRiskScore, | ||
fillRuleTags, | ||
expandAdvancedSettings, | ||
fillReferenceUrls, | ||
fillFalsePositiveExamples, | ||
fillThreat, | ||
fillThreatTechnique, | ||
fillThreatSubtechnique, | ||
fillNote, | ||
}; | ||
export const scheduleSection = { fillFrom }; |
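Review bot: `removeAlertsIndex` decides whether the alerts index is present with a one-shot `$body.find(ALERTS_INDEX_BUTTON).length > 0` inside `cy.get(RULE_INDICES).then(...)`, which fires as soon as the indices container exists; if the index list is filled in asynchronously after the timeline import, the alerts chip can appear after the check ran and the test becomes timing-dependent. Before the conditional, assert with a retrying `should` that the list has been populated with the timeline's indices, and after the click confirm the removal took effect with `cy.get(ALERTS_INDEX_BUTTON).should('not.exist');` so a failed click surfaces here rather than in a later step. The in-code comment is good; it would help to add the reason the index may or may not be there, e.g. `// .alerts-security.alerts-default only exists once alerts have been generated in this test run`. The enclosing `fillCustomQuery` starts before the second hunk, so its earlier branches are not visible here.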
@@ -28,14 +28,6 @@ export const RULE_PREVIEW_TITLE = i18n.translate( | |
} | ||
); | ||
|
||
export const RULE_PREVIEW_DESCRIPTION = i18n.translate( | ||
unused
||
'xpack.securitySolution.detectionEngine.createRule.rulePreviewDescription', | ||
{ | ||
defaultMessage: | ||
'Rule preview reflects the current configuration of your rule settings and exceptions, click refresh icon to see the updated preview.', | ||
} | ||
); | ||
|
||
export const CANCEL_BUTTON_LABEL = i18n.translate( | ||
'xpack.securitySolution.detectionEngine.createRule.cancelButtonLabel', | ||
{ | ||
|
@@ -17,9 +17,6 @@ import type { BrowserFields } from '../../../../common/containers/source'; | |
import { OpenTimelineModal } from '../../../../timelines/components/open_timeline/open_timeline_modal'; | ||
import type { ActionTimelineToShow } from '../../../../timelines/components/open_timeline/types'; | ||
import { QueryBar } from '../../../../common/components/query_bar'; | ||
import { buildGlobalQuery } from '../../../../timelines/components/timeline/helpers'; | ||
import { getDataProviderFilter } from '../../../../timelines/components/timeline/query_bar'; | ||
import { convertKueryToElasticSearchQuery } from '../../../../common/lib/kuery'; | ||
import { useKibana } from '../../../../common/lib/kibana'; | ||
import type { TimelineModel } from '../../../../timelines/store/timeline/model'; | ||
import { useSavedQueryServices } from '../../../../common/utils/saved_query_services'; | ||
|
@@ -54,6 +51,7 @@ export interface QueryBarDefineRuleProps { | |
*/ | ||
onSavedQueryError?: () => void; | ||
defaultSavedQuery?: SavedQuery | undefined; | ||
onOpenTimeline?: (timeline: TimelineModel) => void; | ||
} | ||
|
||
const actionTimelineToHide: ActionTimelineToShow[] = ['duplicate', 'createFrom']; | ||
|
@@ -88,6 +86,7 @@ export const QueryBarDefineRule = ({ | |
onValidityChange, | ||
isDisabled, | ||
resetToSavedQuery, | ||
onOpenTimeline, | ||
onSavedQueryError, | ||
}: QueryBarDefineRuleProps) => { | ||
const { value: fieldValue, setValue: setFieldValue } = field as FieldHook<FieldValueQueryBar>; | ||
|
@@ -234,31 +233,12 @@ export const QueryBarDefineRule = ({ | |
onCloseTimelineSearch(); | ||
}, [onCloseTimelineSearch]); | ||
|
||
const onOpenTimeline = useCallback( | ||
const onOpenTimelineCb = useCallback( | ||
(timeline: TimelineModel) => { | ||
setLoadingTimeline(false); | ||
const newQuery = { | ||
this logic gets moved to a new hook
||
query: timeline.kqlQuery.filterQuery?.kuery?.expression ?? '', | ||
language: timeline.kqlQuery.filterQuery?.kuery?.kind ?? 'kuery', | ||
}; | ||
const dataProvidersDsl = | ||
timeline.dataProviders != null && timeline.dataProviders.length > 0 | ||
? convertKueryToElasticSearchQuery( | ||
buildGlobalQuery(timeline.dataProviders, browserFields), | ||
indexPattern | ||
) | ||
: ''; | ||
const newFilters = timeline.filters ?? []; | ||
setFieldValue({ | ||
filters: | ||
dataProvidersDsl !== '' | ||
? [...newFilters, getDataProviderFilter(dataProvidersDsl)] | ||
: newFilters, | ||
query: newQuery, | ||
saved_id: null, | ||
}); | ||
if (onOpenTimeline != null) onOpenTimeline(timeline); | ||
|
||
}, | ||
[browserFields, indexPattern, setFieldValue] | ||
[onOpenTimeline] | ||
); | ||
|
||
const onMutation = () => { | ||
|
@@ -324,7 +304,7 @@ export const QueryBarDefineRule = ({ | |
hideActions={actionTimelineToHide} | ||
modalTitle={i18n.IMPORT_TIMELINE_MODAL} | ||
onClose={onCloseTimelineModal} | ||
onOpen={onOpenTimeline} | ||
onOpen={onOpenTimelineCb} | ||
/> | ||
) : null} | ||
</> | ||
|
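Review bot: `onOpenTimeline` is declared optional on `QueryBarDefineRuleProps`, yet `onOpenTimelineCb` no longer updates the field value itself — it only clears the loading flag and forwards the timeline — so a consumer that omits the prop gets an import modal whose selection silently does nothing. Either make the prop required, or document the contract where it is declared, e.g. `/** Called when a timeline is chosen in the import modal. The parent must update the query/filters field value; this component no longer does so. */`. The `QueryBarDefineRule` component body starts and ends outside the visible hunks.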
The behavior of importing a rule from a saved timeline changed with this PR to match the index pattern of the timeline. Because the saved timeline used in tests has `dataViewId: null` and `indexNames: []`, we know it is a pre-sourcerer timeline from when we only used the default security data view, so we use that data view for this timeline. Depending on whether any alerts have been generated yet, this data view includes `auditbeat-*` and `.alerts-security.alerts-default`. We now need to check whether the alerts index exists and remove it if it does, or it will break tests.
Thanks for the explanation here. I worry that the information you shared can be forgotten in the future, so it won't be clear why the alerts index is cleared here. Is it possible to remove the alerts index inside `importSavedQuery()`? If not, I'd leave a short comment in the code.
Yes, it looks like this is the only place it's used; will do.