[Detections][EQL] EQL rule execution in detection engine

[marshallmain]

Summary

Adds backend functionality for EQL rules in detection engine. Now updated to create a building block alert for each event within a sequence as well as an alert for the sequence as a whole. Non-sequence EQL queries work very similarly to KQL detection rules.

Chart of example sequence signal structure updated with building blocks

Work for follow up PRs:

• Enrich shell alert by finding common field values across all events in a sequence
• Add field for Detection Engine run instance (each time alert executor runs gets a unique id)
• Add a schema version check before rule execution and if there is a version mis-match we'll throw an error and not create alerts, and then have documentation that references this error so users can search to find out how to upgrade their signals index
• Add rule overrides for single event EQL queries

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[elasticmachine]

Pinging @elastic/endpoint-response (Team:Endpoint Response)

[andrew-goldstein]

Thanks for this enhancement @marshallmain! 🚀

Per the demo over zoom with @spong @peluja1012 and @XavierM, this PR LGTM WRT enabling the Investigate in timeline workflow, which should display (in Timeline) both the 🐢 "shell" detection, and the building block alerts representing the EQL sequences that triggered the shell detection.

More specifically, we validated that when a user clicks the Investigate in timeline action on a shell alert in Detections page, we can display both the shell and it's associated building blocks alerts in Timeline with the following (pseudo) query:

_id: id_of_the_shell_detection OR signal.group.id: id_of_the_shell_detection

[marshallmain]

@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[spong]

Testing the field overrides with both sequence and non-sequence queries and doesn't look like they're working. No need to fix in this PR, but just commenting for tracking purposes. Not sure what we want to do here with sequence queries as there's no single source event (unless we want to use the shell alert with the common fields?), but queries which result in an alert created from a single event should be able to work with the existing override logic we have.

edit: Ahh yeah, I see in code now where you worked around the overrides... 🙂 This seems good to me for sequences, but shouldn't we be able to use the overrides for non-sequence results where one event results in one alert?

[spong]

I believe this is the last guard in place to remove any extraneous null/undefined's before writing the rule to the signals. In testing everything looks 👌 without (and I believe we've got tests covering this as well), but just want to verify the intent here.

[marshallmain]

Yeah converting the entire rule to Partial makes it harder to deal with when building the rest of the signal document since we need signal.rule.id later to compute the doc id. My thought is that we should be able to rely on the elasticsearch js library not to convert undefined fields to null or anything else so ES should never see undefined fields. Explicit null fields I think we should handle (usually reject) at the schema level instead of stripping them out later on. Some nulls are making it into the signal document since they're explicit in the rule SO.

I did more testing on this to figure out where the explicit null fields are coming from and we have some mismatches in the types between signalSchema and RuleTypeParams. For example, timestampOverride is schema.nullable(schema.string()) (so string | null) in signalSchema, but string | undefined in RuleTypeParams. So what happens when we don't define timestampOverride when creating a rule is it starts as undefined in the request but then the alert plugin validates using signalSchema which coerces the undefined into null and stores it in the SO. Then, when we get the rule SO back later to use in the alert executor, timestampOverride is string | null but RuleTypeParams says it's string | undefined and we use it as such. When it's null (which is when we originally sent undefined as part of rule creation), we end up with signal.rule.timestamp_override: null in the signal document.

The UI isn't displaying the null fields which is probably good. I think the best solution is to resolve the schema mismatches so that our undefined values stay undefined instead of being coerced into null.

[spong]

Thanks for the extra sleuthing here! 🙂 And yeah, that was my worry with regards to the null's leaking into the signals. ++ to solving this via the schema mismatches to prevent that coercion in the first place.

[spong]

Checked out, tested locally and LGTM! Great clean code here @marshallmain, and tests to boot! 🙂

Congrats on all your hard work here to realize EQL within the Detection Engine, this is going to be an absolute game changer for our users! 🚀

[marshallmain]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 9a6e908

Metrics [docs]

async chunks size

id	value	diff	baseline
securitySolution	10.2MB	+4.3KB	10.2MB

page load bundle size

id	value	diff	baseline
securitySolution	581.0KB	+136.0B	580.9KB

distributable file count

id	value	diff	baseline
default	45631	+1	45630

History

• 💔 Build #77034 failed 45ecb42
• 💚 Build #76982 succeeded 22383a9
• 💚 Build #76762 succeeded 1942bf9
• 💚 Build #76745 succeeded b42cf73
• 💔 Build #76553 failed f445d87

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[marshallmain]

@spong yeah I was so focused on sequences the single event case was kind of an afterthought 😆 I'll add the overrides for those in the next PR if it's not a blocker here

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)