[Attack Discovery][Scheduling] Attack Discovery scheduling rule management (#12003) #216656
Conversation
e40pud
added
release_note:skip
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
| @@ -35,6 +43,10 @@ export const getAttackDiscoveryBaseKibanaFeature = (): BaseKibanaFeatureConfig = | |||
| all: [], | |||
| read: [], | |||
| }, | |||
| alerting: { | |||
There was a problem hiding this comment.
Same privileges as we have for the detection alerts https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts#L95
| expect(geoPointFieldStats.count).to.be(55); | ||
| expect(geoPointFieldStats.index_count).to.be(12); | ||
| expect(geoPointFieldStats.count).to.be(63); | ||
| expect(geoPointFieldStats.index_count).to.be(13); |
There was a problem hiding this comment.
Updated because we added a new attack discovery alerts aad index that maps the ecs fields. Similarly to this https://github.com/elastic/kibana/pull/194322/files#r1781620194 and this https://github.com/elastic/kibana/pull/184541/files#r1628183656.
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]Module Count
Public APIs missing comments
Unknown metric groupsAPI count
History
cc @e40pud |
| @@ -89,6 +90,13 @@ export class ElasticAssistantPlugin | |||
|
|
|||
| registerRoutes(router, this.logger, this.getElserId); | |||
|
|
|||
| // Register Attack Discovery Schedule type | |||
| plugins.alerting.registerType( | |||
There was a problem hiding this comment.
Consider migrating to the featureFlags service. It's available in the plugin setup lifecycle (with a little bit of 🪄 ):
public setup(
core: ElasticAssistantPluginCoreSetupDependencies,
plugins: ElasticAssistantPluginSetupDependencies
) {
this.logger.debug('elasticAssistant: Setup');
// The featureFlags service is not available in the core setup, so we need
// to wait for the start services to be available to read the feature flags.
// This can take a while, but the plugin setup phase cannot run for a long time.
// As a workaround, this promise does not block the setup phase.
core
.getStartServices()
.then(([{ featureFlags }]) => {
// read all feature flags:
void Promise.all([
featureFlags.getBooleanValue(SAVED_ATTACK_DISCOVERIES_ENABLED_FEATURE_FLAG, false),
// add more feature flags here
]).then(([savedAttackDiscoveriesFeatureFlag]) => {
this.logger.debug(`feature flags are:
- ${SAVED_ATTACK_DISCOVERIES_ENABLED_FEATURE_FLAG}: ${savedAttackDiscoveriesFeatureFlag}
`);
// ...| router: IRouter<ElasticAssistantRequestHandlerContext> | ||
| ): void => { | ||
| router.versioned | ||
| .put({ |
There was a problem hiding this comment.
Consider put -> post, because this route has side effects
| router: IRouter<ElasticAssistantRequestHandlerContext> | ||
| ): void => { | ||
| router.versioned | ||
| .put({ |
There was a problem hiding this comment.
Consider put -> post, because this route has side effects
| x-labels: [ess, serverless] | ||
| operationId: GetAttackDiscoverySchedules | ||
| description: Gets attack discovery schedule | ||
| summary: Gets attack discovery schedule via the Elastic Assistant |
There was a problem hiding this comment.
Gets attack discovery schedule via the Elastic Assistant
nit: I'm wondering if via the Elastic Assistant is applicable in this summary (and the others in this route)
| }); | ||
| }); | ||
|
|
||
| it('should handle `dataClient.createSchedule` error', async () => { |
There was a problem hiding this comment.
nit: Consider createSchedule -> findSchedules
| }); | ||
| }); | ||
|
|
||
| it('should handle `dataClient.createSchedule` error', async () => { |
There was a problem hiding this comment.
nit: Consider createSchedule -> updateSchedule
There was a problem hiding this comment.
Thanks @e40pud for the new scheduling APIs!
✅ Desk tested locally
LGTM 🚀
Summary
Main ticket (Internal link)
To allow users to schedule Attack Discovery generations, we will use either Alerting Framework. These changes add functionality to manage new alerts type - Attack Discovery Schedule.
Introduced endpoints
POST /internal/elastic_assistant/attack_discovery/schedulesGET /internal/elastic_assistant/attack_discovery/schedules/{id}PUT /internal/elastic_assistant/attack_discovery/schedules/{id}DELETE /internal/elastic_assistant/attack_discovery/schedules/{id}PUT /internal/elastic_assistant/attack_discovery/schedules/{id}/_enablePUT /internal/elastic_assistant/attack_discovery/schedules/{id}/_disableGET /internal/elastic_assistant/attack_discovery/schedules/_findNOTES
The feature is hidden behind the feature flag:
cURL examples
Create AD scheduling rule route
Read/Get AD scheduling rule by id route
Update AD scheduling rule by id route
Delete AD scheduling rule by id route
Enable AD scheduling rule by id route
Disable AD scheduling rule by id route
Find all existing AD scheduling rules route