Skip to content

[SIEM][Exceptions] - Cleaned up and updated exception list item comment structure#69532

Merged
yctercero merged 16 commits intoelastic:masterfrom
yctercero:exceptions_comments_2
Jun 26, 2020
Merged

[SIEM][Exceptions] - Cleaned up and updated exception list item comment structure#69532
yctercero merged 16 commits intoelastic:masterfrom
yctercero:exceptions_comments_2

Conversation

@yctercero
Copy link
Copy Markdown
Contributor

@yctercero yctercero commented Jun 18, 2020
edited
Loading

Summary

This PR is a follow up to #68864 . That PR used a partial to differentiate between new and existing comments, this meant that comments could be updated when they shouldn't. It was decided in our discussion of exception list schemas that comments should be append only. This PR assures that's the case, but also leaves it open to editing comments (via API). It checks to make sure that users can only update their own comments.

Created 3 different schemas for comments, during creation, should only accept comments of following schema:

{
  "comment": "This is a comment"
}

Saved comments must be of the following schema:

{
  "comment": "This is a comment",
  "created_at": "timestamp_here",
  "created_by": "user"
}

Much of the added logic deals with updating comments (PUT), the exception list item comments can include a mix of the two above schemas, but the added logic ensures that:

  • a user cannot rearrange order of comments
  • a user cannot delete comments
  • a user cannot update a comment that is not their own
  • when comment is updated, it adds updated_at and updated_by
  • if user tries to update a comment, they must pass the original created_at, and created_by
  • empty comments cannot be added

Looking over the tests is helpful in understanding the logic, and may help you help me find any logic I've missed. 😄

I chose to separate out the different schemas into their own files to maintain readability and maintainability. It looked a little icky when putting everything into one file.

Testing

I added unit tests to confirm the logic, but also used the existing scripts.

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

Use the scripts in x-pack/plugins/lists/server/scripts to create some sample exception lists and items. You can use the following:

  • Create exception list ./post_exception_list.sh
  • Create exception list items ./post_exception_list_item.sh
  • Use update script to add comments ./update_exception_list_item.sh

You can update the scripts to try different edge cases (deleting comments, updating different user comments, etc).

If you want to view the comments in the UI:

  • Run ./find_exception_lists.sh to get the id of the two lists you created
  • Update the ExceptionsViewer component in x-pack/plugins/security_solution/public/alerts/pages/detection_engine/rules/details/index.tsx to something like the following:
 <ExceptionsViewer
    ruleId={ruleId ?? ''}
    availableListTypes={[
      ExceptionListType.DETECTION_ENGINE,
      ExceptionListType.ENDPOINT,
    ]}
    commentsAccordionId={'ruleDetailsTabExceptions'}
    exceptionListsMeta ={[
       {
         id: [ENDPOINT_LIST_ID],  // `id` not `list_id`
         type: 'endpoint',
         namespaceType: 'single',
       },
    ]}  />

Navigate to the rules details page and click on the 'Exceptions' tab. Voila!

Checklist

Delete any items that are not applicable to this PR.

For maintainers

  • This was checked for breaking API changes and was labeled appropriately
    (It is a breaking change, however this API is not yet public and behind feature flag, only devs working on this feature would be affected)

yctercero
yctercero commented Jun 18, 2020
View reviewed changes
x-pack/plugins/lists/common/schemas/types/default_comments_array.ts
t.array(commentPartial).is,
(input, context): Either<t.Errors, CommentsPartialArray> =>
input == null ? t.success([]) : t.array(commentPartial).validate(input, context),
t.array(comments).is,
Copy link
Copy Markdown
Contributor Author

@yctercero yctercero Jun 18, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NOTE: Previously had the different comment schemas all in one doc, but started to feel really messy. Broke out into their own docs, tests, and mocks.

@yctercero yctercero self-assigned this Jun 18, 2020
@yctercero yctercero marked this pull request as ready for review June 18, 2020 18:23
@yctercero yctercero requested review from a team as code owners June 18, 2020 18:23
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jun 18, 2020

Pinging @elastic/siem (Team:SIEM)

peluja1012
peluja1012 reviewed Jun 24, 2020
View reviewed changes
x-pack/plugins/lists/public/exceptions/api.ts
if (validatedRequest != null) {
try {
const response = await http.fetch<ExceptionListItemSchema>(EXCEPTION_LIST_URL, {
const response = await http.fetch<ExceptionListItemSchema>(EXCEPTION_LIST_ITEM_URL, {
Copy link
Copy Markdown
Contributor

@peluja1012 peluja1012 Jun 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this fix!

@yctercero
Copy link
Copy Markdown
Contributor Author

yctercero commented Jun 25, 2020

@elasticmachine merge upstream

@yctercero
Copy link
Copy Markdown
Contributor Author

yctercero commented Jun 26, 2020

@elasticmachine merge upstream

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Jun 26, 2020

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

id value diff baseline
securitySolution 781 +4 777

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@yctercero yctercero merged commit e4043b7 into elastic:master Jun 26, 2020
yctercero added a commit to yctercero/kibana that referenced this pull request Jun 26, 2020
@yctercero
[SIEM][Exceptions] - Cleaned up and updated exception list item comme…
613465e 
…nt structure (elastic#69532)

### Summary

This PR is a follow up to elastic#68864 . That PR used a partial to differentiate between new and existing comments, this meant that comments could be updated when they shouldn't. It was decided in our discussion of exception list schemas that comments should be append only. This PR assures that's the case, but also leaves it open to editing comments (via API). It checks to make sure that users can only update their own comments.
@yctercero yctercero mentioned this pull request Jun 26, 2020
Merged
rylnd added a commit to rylnd/kibana that referenced this pull request Jun 26, 2020
@rylnd
Merge branch 'master' into value_lists_api
9364770 
* master:
  skip failing suite (elastic#70104) (elastic#70103)
  [ENDPOINT] Hide the Timeline Flyout while on the Management Pages (elastic#69998)
  [SIEM][CASE] Persist callout when dismissed (elastic#68372)
  [SIEM][Exceptions] - Cleaned up and updated exception list item comment structure (elastic#69532)
  [Maps] remove indexing state from redux (elastic#69765)
  Add API integration test for deleting data streams. (elastic#70020)
  renames SIEM to Security Solution (elastic#70070)
yctercero added a commit that referenced this pull request Jun 26, 2020
@yctercero
[SIEM][Exceptions] - Cleaned up and updated exception list item comme…
936af29 
…nt structure (#69532) (#70107)

### Summary

This PR is a follow up to #68864 . That PR used a partial to differentiate between new and existing comments, this meant that comments could be updated when they shouldn't. It was decided in our discussion of exception list schemas that comments should be append only. This PR assures that's the case, but also leaves it open to editing comments (via API). It checks to make sure that users can only update their own comments.
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jun 29, 2020
@gmmorris
Merge branch 'master' into alerting/fix-eslint
1dc23f4 
* master: (59 commits)
  [Lens] Fix broken test (elastic#70117)
  [SIEM] Import timeline fix (elastic#65448)
  [SECURITY SOLUTION][INGEST] UX update for ingest manager edit/create datasource for endpoint (elastic#70079)
  [Telemetry] Collector Schema (elastic#64942)
  [Endpoint] Add Endpoint empty states for onboarding (elastic#69626)
  Hide unused resolver buttons (elastic#70112)
  [Security] `Investigate in Resolver` Timeline Integration (elastic#70111)
  [Discover] Improve styling of graphs in sidebar (elastic#69440)
  [Metrics UI] Fix EuiTheme type issue (elastic#69735)
  skip failing suite (elastic#70104) (elastic#70103)
  [ENDPOINT] Hide the Timeline Flyout while on the Management Pages (elastic#69998)
  [SIEM][CASE] Persist callout when dismissed (elastic#68372)
  [SIEM][Exceptions] - Cleaned up and updated exception list item comment structure (elastic#69532)
  [Maps] remove indexing state from redux (elastic#69765)
  Add API integration test for deleting data streams. (elastic#70020)
  renames SIEM to Security Solution (elastic#70070)
  Adding saved_objects_page in OSS (elastic#69900)
  [Lens] Use accordion menus in field list for available and empty fields (elastic#68871)
  Dynamic uiActions & license support (elastic#68507)
  [SIEM] Update readme for timeline apis (elastic#67038)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jun 29, 2020
@gmmorris
Merge branch 'alerting/consumer-based-rbac' of github.com:gmmorris/ki…
970656d 
…bana into alerting/consumer-based-rbac

* 'alerting/consumer-based-rbac' of github.com:gmmorris/kibana: (25 commits)
  [Lens] Fix broken test (elastic#70117)
  [SIEM] Import timeline fix (elastic#65448)
  [SECURITY SOLUTION][INGEST] UX update for ingest manager edit/create datasource for endpoint (elastic#70079)
  [Telemetry] Collector Schema (elastic#64942)
  [Endpoint] Add Endpoint empty states for onboarding (elastic#69626)
  Hide unused resolver buttons (elastic#70112)
  [Security] `Investigate in Resolver` Timeline Integration (elastic#70111)
  [Discover] Improve styling of graphs in sidebar (elastic#69440)
  [Metrics UI] Fix EuiTheme type issue (elastic#69735)
  skip failing suite (elastic#70104) (elastic#70103)
  [ENDPOINT] Hide the Timeline Flyout while on the Management Pages (elastic#69998)
  [SIEM][CASE] Persist callout when dismissed (elastic#68372)
  [SIEM][Exceptions] - Cleaned up and updated exception list item comment structure (elastic#69532)
  [Maps] remove indexing state from redux (elastic#69765)
  Add API integration test for deleting data streams. (elastic#70020)
  renames SIEM to Security Solution (elastic#70070)
  Adding saved_objects_page in OSS (elastic#69900)
  [Lens] Use accordion menus in field list for available and empty fields (elastic#68871)
  Dynamic uiActions & license support (elastic#68507)
  [SIEM] Update readme for timeline apis (elastic#67038)
  ...
@yctercero yctercero deleted the exceptions_comments_2 branch October 14, 2020 12:00
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 23, 2021

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@peluja1012 peluja1012 peluja1012 approved these changes

Assignees

@yctercero yctercero

Labels

release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@yctercero @elasticmachine @kibanamachine @peluja1012 @MindyRS