Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Security Solution] Add Threat Match rule specific editable fie…
…lds (#200308) (#205681) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add Threat Match rule specific editable fields (#200308)](#200308) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-07T08:52:07Z","message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0"],"number":200308,"url":"https://github.com/elastic/kibana/pull/200308","mergeCommit":{"message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/200308","number":200308,"mergeCommit":{"message":"[Security Solution] Add Threat Match rule specific editable fields (#200308)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds the following editable components for Threat Match rule type\r\n\r\n- threat_index\r\n- threat_query\r\n- threat_mapping\r\n- threat_indicator_path\r\n- ~~threat_language~~ `threat_language` was merged with `threat_query`\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing Threat Match form fields easily reusable as editable components and type safe when used in forms. In particular the following was done\r\n\r\n- Fixes a bug blocking Threat Match rules upgrading\r\n- Existing functionality was refactored to have reusable self-contained editable components for `threat_index`, `threat_query`, `threat_mapping` and `threat_indicator_path` rule fields \r\n- `threat_language` was removed since query type is included in `threat_query` field and can be edited with Query Bar\r\n- threat mapping input was split into separate component for individual fields to be reused\r\n- `ThreatMatchComponent` was refactored to be a controlled component instead of uncontrolled\r\n `ThreatMatchComponent` has a feature preventing users removing the single last entry. Instead deleting the last entry the delete button clears inputs. That functionality didn't work properly in Prebuilt Rule Customization workflow and rule creation/editing forms after creating a reusable `ThreatMappingEdit` component. Instead of trying to find a tricky fix `ThreatMatchComponent` was refactored to remove internal state. The feature preventing users removing the single last entry was reimplemented in `ThreatMappingEdit` component.\r\n- Fixes a bug reproducible in `main` where validation errors duplicated described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869385209)\r\n- Fixes a bug reproducible in `main` allowing to save unknown source indices or indicator indices fields described in a [comment](https://github.com/elastic/kibana/pull/200308#discussion_r1869412952)\r\n\r\n## How to test\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml`\r\n- Clear Elasticsearch data\r\n- Run Elasticsearch and Kibana locally (do not open Kibana in a web browser)\r\n- Install an outdated version of the `security_detection_engine` Fleet package\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"force\":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1\r\n```\r\n\r\n- Install prebuilt rules\r\n```bash\r\ncurl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 1\" -d '{\"mode\":\"ALL_RULES\"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform\r\n```\r\n\r\n- Open a `threat_match` rule for editing. For example `Threat Intel Hash Indicator Match` with rule_id `aab184d3-72b3-4639-b242-6597c99d8bca`.\r\n\r\n- Edit `Indicator index patterns`, `Indicator index query` and/or `Indicator filters`, `Indicator mapping` and `Indicator prefix override` fields\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Threat Intel Hash Indicator Match` rule -> expand each Threat Match rule type specific field -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\nThreat Match Query edit component\r\n<img width=\"1720\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c7183ddf-8795-424c-90e4-b7eff14d9f69\">\r\n\r\nThreat Match Index edit component\r\n<img width=\"1727\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5e50cc98-6cc6-464d-a29d-89d31718482d\">\r\n\r\nThreat Match Mapping edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/aba6a723-0283-4b9e-80d2-376b1dea102e\">\r\n\r\nThreat Match Indicator Path edit component\r\n<img width=\"1725\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59aa12d9-377c-4c24-ab40-fef19e55e44e\">\r\n\r\nThreat Match Mapping unknown field names validation warnings\r\n<img width=\"979\" alt=\"Screenshot 2024-12-18 at 12 45 41\" src=\"https://github.com/user-attachments/assets/0cfd8ae3-4865-49f8-a4ac-bafe19e01671\" />\r\n\r\n<img width=\"1094\" alt=\"Screenshot 2024-12-18 at 12 45 53\" src=\"https://github.com/user-attachments/assets/7f204e12-fe65-4a64-a029-1bb44ea366a3\" />\r\n\r\n<img width=\"2552\" alt=\"Screenshot 2024-12-18 at 12 47 05\" src=\"https://github.com/user-attachments/assets/53ac4612-f443-4d89-9474-8693ab9ced2d\" />\r\n\r\n<img width=\"2550\" alt=\"Screenshot 2024-12-18 at 12 47 15\" src=\"https://github.com/user-attachments/assets/1e345c88-9427-44ba-bc25-0164c39d1700\" />","sha":"40f6628c220217fa5bebcc546d21730ccf754d90"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
- Loading branch information
