[Security Solution][Detections] Set default indicator path to reduce friction with new filebeat modules #92081
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We were previously conflating the path to retrieve indicator fields with the path to persist indicator fields, since they were the same value. To reduce friction in use with the new filebeat modules, we've decided to make the default source path threatintel.indicator. However, we still want to persist to threat.indicator, so we add a new constant, here.
rylnd
added
the
Team: SecuritySolution
These tests were assuming a default path of threat.indicator. Since that is the ECS standard, we're not going to rewrite the tests but instead just add this rule override. In the future if the default changes, this parameter might be unnecessary.
rylnd
added
v7.12.0
v8.0.0
release_note:skip
rylnd
changed the title
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
ecezalp
approved these changes
Feb 22, 2021
There was a problem hiding this comment.
as a part of this change, DEFAULT_INDICATOR_PATH has been renamed to INDICATOR_DESTINATION_PATH, and a new DEFAULT_INDICATOR_SOURCE_PATH has been introduced, and tests have been updated accordingly. There is a few instances where threat.indicator is hardcoded, which could be replaced with the const INDICATOR_DESTINATION_PATH. Approved
- Unit or functional tests were updated or added to match the most common scenarios
this doesn't exactly apply as there are no UI changes, it's safe to say that guidelines have not been violated
- Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
| @@ -52,7 +52,9 @@ export const buildThreatEnrichment = ({ | |||
| return threatResponse.hits.hits; | |||
| }; | |||
|
|
|||
| const defaultedIndicatorPath = threatIndicatorPath ? threatIndicatorPath : DEFAULT_INDICATOR_PATH; | |||
| const defaultedIndicatorPath = threatIndicatorPath | |||
There was a problem hiding this comment.
this could be simplified as threatIndicatorPath || DEFAULT_INDICATOR_SOURCE_PATH
| @@ -94,7 +94,7 @@ describe('buildMatchedIndicator', () => { | |||
| const indicators = buildMatchedIndicator({ | |||
| queries: [], | |||
| threats, | |||
| indicatorPath: DEFAULT_INDICATOR_PATH, | |||
| indicatorPath: 'threat.indicator', | |||
There was a problem hiding this comment.
if the intention is to keep this explicit, no need for modification - although it looks like we could declare an indicatorPath variable and assign it in thebeforeEach block with the value threat.indicator or INDICATOR_DESTINATION_PATH so that we can use shorthand. In the same vein, it looks like there are a couple of tests that build the matched indicators in the same manner, so maybe it could make sense to declare a new var called defaultIndicators in the same beforeEach block where the defaultIndicators would be buildMatchedIndicator({queries, threats, indicatorPath})
There was a problem hiding this comment.
Agreed on DRYing this up, I think I'll do that here 👍. The intention with hardcoding the path here here was to make the tests robust to default values changing; since defaulting happens outside of these functions I only want those integration/UI tests to change if those defaults do.
| @@ -92,7 +91,7 @@ export const enrichSignalThreatMatches = async ( | |||
| if (!isObject(threat)) { | |||
| throw new Error(`Expected threat field to be an object, but found: ${threat}`); | |||
| } | |||
| const existingIndicatorValue = get(signalHit._source, DEFAULT_INDICATOR_PATH) ?? []; | |||
| const existingIndicatorValue = get(signalHit._source, 'threat.indicator') ?? []; | |||
There was a problem hiding this comment.
we could use the previously declared INDICATOR_DESTINATION_PATH here instead of the hardcoded value, as this is not a test file
There was a problem hiding this comment.
I'm inclined to leave this hardcoded string for now, as the check above and the object generation below this line both make assumptions about this string in different ways.
There was a minor copy change here where part of the field's description was deleted. Trivial, but I left this in there to call that out. |
If/when that constant changes, I imagine this will be useful context.
💛 Build succeeded, but was flaky
Test FailuresKibana Pipeline / general / Deletes and recovers more than one rule.Deleting prebuilt rules Deletes and recovers more than one ruleStack TraceMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @rylnd |
rylnd
added a commit
to rylnd/kibana
that referenced
this pull request
Feb 25, 2021
…friction with new filebeat modules (elastic#92081) * Distinguish source and destination config for indicator matches We were previously conflating the path to retrieve indicator fields with the path to persist indicator fields, since they were the same value. To reduce friction in use with the new filebeat modules, we've decided to make the default source path threatintel.indicator. However, we still want to persist to threat.indicator, so we add a new constant, here. * Update our integration tests following change of default These tests were assuming a default path of threat.indicator. Since that is the ECS standard, we're not going to rewrite the tests but instead just add this rule override. In the future if the default changes, this parameter might be unnecessary. * DRY up unit tests a bit * Add a note for future devs If/when that constant changes, I imagine this will be useful context. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
rylnd
added a commit
to rylnd/kibana
that referenced
this pull request
Feb 25, 2021
…friction with new filebeat modules (elastic#92081) * Distinguish source and destination config for indicator matches We were previously conflating the path to retrieve indicator fields with the path to persist indicator fields, since they were the same value. To reduce friction in use with the new filebeat modules, we've decided to make the default source path threatintel.indicator. However, we still want to persist to threat.indicator, so we add a new constant, here. * Update our integration tests following change of default These tests were assuming a default path of threat.indicator. Since that is the ECS standard, we're not going to rewrite the tests but instead just add this rule override. In the future if the default changes, this parameter might be unnecessary. * DRY up unit tests a bit * Add a note for future devs If/when that constant changes, I imagine this will be useful context. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
rylnd
added a commit
that referenced
this pull request
Feb 25, 2021
…friction with new filebeat modules (#92081) (#92751) * Distinguish source and destination config for indicator matches We were previously conflating the path to retrieve indicator fields with the path to persist indicator fields, since they were the same value. To reduce friction in use with the new filebeat modules, we've decided to make the default source path threatintel.indicator. However, we still want to persist to threat.indicator, so we add a new constant, here. * Update our integration tests following change of default These tests were assuming a default path of threat.indicator. Since that is the ECS standard, we're not going to rewrite the tests but instead just add this rule override. In the future if the default changes, this parameter might be unnecessary. * DRY up unit tests a bit * Add a note for future devs If/when that constant changes, I imagine this will be useful context. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Feb 25, 2021
* master: (38 commits) Fixes Cypress flake by adding pipe, click, and should (elastic#92762) [Discover] Fix filtering selected sidebar fields (elastic#91828) [ML] Fixes positions of calendar arrow buttons in start datafeed modal (elastic#92625) [dev/build_ts_refs] check that commit in outDirs matches mergeBase (elastic#92513) add dep on `@kbn/config` so it is built first [Expressions] [Lens] Add id and copyMetaFrom arg to mapColumn fn + add configurable onError argument to math fn (elastic#90481) [Lens] Fix Workspace hidden when using Safari (elastic#92616) [Lens] Fixes vertical alignment validation messages (elastic#91878) forbid x-elastic-product-origin header in elasticsearch configuration (elastic#92359) [Security Solution][Detections] Set default indicator path to reduce friction with new filebeat modules (elastic#92081) [ILM][Accessibility] Added A11y test for ILM new policy form. (elastic#92570) [Security Solution][Exceptions] - Fixes exceptions builder UI where invalid values can cause overwrites of other values (elastic#90634) Automatically generated Api documentation (elastic#86232) Increase index pattern select limit to 1000 (elastic#92093) [core.logging] Add RewriteAppender for filtering LogMeta. (elastic#91492) [Security Solution][Detection Rules] Update prebuilt rule threats to match schema (elastic#92281) [Security Solutions][Detection Engine] Fixes bug with not being able to duplicate indicator matches (elastic#92565) [Dashboard] Export appropriate references from byValue panels (elastic#91567) [Upgrade Assistant] Align code between branches (elastic#91862) [Security Solution][Case] Fix alerts push (elastic#91638) ...
rylnd
added a commit
that referenced
this pull request
Feb 25, 2021
…friction with new filebeat modules (#92081) (#92752) * Distinguish source and destination config for indicator matches We were previously conflating the path to retrieve indicator fields with the path to persist indicator fields, since they were the same value. To reduce friction in use with the new filebeat modules, we've decided to make the default source path threatintel.indicator. However, we still want to persist to threat.indicator, so we add a new constant, here. * Update our integration tests following change of default These tests were assuming a default path of threat.indicator. Since that is the ECS standard, we're not going to rewrite the tests but instead just add this rule override. In the future if the default changes, this parameter might be unnecessary. * DRY up unit tests a bit * Add a note for future devs If/when that constant changes, I imagine this will be useful context. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
We were previously conflating the path to retrieve indicator fields with
the path to persist indicator fields, since they were the same value.
To reduce friction in use with the new filebeat modules, we've decided
to make the default source path
threatintel.indicator. However, we stillwant to persist to
threat.indicator, so we add a new constant, here.Checklist
Delete any items that are not applicable to this PR.
For maintainers