[SecuritySolution][siem migrations] Onboarding UI flyout macros input (…
…elastic#203483) ## Summary From: elastic/security-team#10667 This is the part 2 of the issue - The macros input Implementation of the Onboarding card to create migrations using the flyout. > [!NOTE] > This feature needs `siemMigrationsEnabled` experimental flag enabled to work. Otherwise only the default topic will be available and the topic selector won't be displayed. ### Screenshots <img width="1457" alt="Macros step" src="https://github.com/user-attachments/assets/48ec806e-1fcf-4dbb-998e-cb6a06d9ebaa"> <img width="1457" alt="loading" src="https://github.com/user-attachments/assets/a643de40-3d62-4dbf-a7aa-4f30839bc1b8"> <img width="1457" alt="done" src="https://github.com/user-attachments/assets/b384af03-6bdb-4b10-bd26-18d3b4715677"> #### To do in part 3: - Implement missing steps in the flyout: Lookups ### Test Enable experimental flag Rule file: [rules_test.json](https://github.com/user-attachments/files/18082165/rules_test.json) Macros file: [macros_test.json](https://github.com/user-attachments/files/18082169/macros_test.json) --------- Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: kibanamachine <[email protected]>
1 parent
7218d01
commit 8c7883f
Showing
61 changed files
with
2,102 additions
and
766 deletions.
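--- a/x-pack/plugins/security_solution/common/siem_migrations/rules/resources/splunk/index.ts
+++ b/x-pack/plugins/security_solution/common/siem_migrations/rules/resources/splunk/index.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ResourceIdentifiers } from '../types';
+import { splResourceIdentifier } from './splunk_identifier';
+
+export const splResourceIdentifiers: ResourceIdentifiers = {
+  fromOriginalRule: (originalRule) => splResourceIdentifier(originalRule.query),
+  fromResource: (resource) => {
+    if (resource.type === 'macro' && resource.content) {
+      return splResourceIdentifier(resource.content);
+    }
+    return [];
+  },
+};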
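Review bot: `splResourceIdentifiers` is exported with no doc comment, so the asymmetry in `fromResource` — only a `macro` resource that has `content` is re-scanned, every other resource type yields `[]` — is left unexplained at the definition. I would add a TSDoc block above the export such as `/** Collects the macro and lookup names an SPL rule query references. Only macro resources are descended into, because a macro body is itself SPL that may reference further macros or lookups; other resource types contribute no nested references. */`. The scanner lives in `./splunk_identifier`, which is not part of this hunk, so whether a missing or empty `originalRule.query` is tolerated cannot be confirmed here; a hedged one-line note on that assumption next to `fromOriginalRule` would help the next maintainer.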
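--- a/x-pack/plugins/security_solution/common/siem_migrations/rules/resources/splunk/splunk_identifier.test.ts
+++ b/x-pack/plugins/security_solution/common/siem_migrations/rules/resources/splunk/splunk_identifier.test.ts
@@ -0,0 +1,135 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { splResourceIdentifier } from './splunk_identifier';
+
+describe('splResourceIdentifier', () => {
+  it('should extract macros correctly', () => {
+    const query =
+      '`macro_zero`, `macro_one(arg1)`, some search command `macro_two(arg1, arg2)` another command `macro_three(arg1, arg2, arg3)`';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_zero' },
+      { type: 'macro', name: 'macro_one(1)' },
+      { type: 'macro', name: 'macro_two(2)' },
+      { type: 'macro', name: 'macro_three(3)' },
+    ]);
+  });
+
+  it('should extract macros with double quotes parameters correctly', () => {
+    const query = '| `macro_one("90","2")` | `macro_two("20")`';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one(2)' },
+      { type: 'macro', name: 'macro_two(1)' },
+    ]);
+  });
+
+  it('should extract macros with single quotes parameters correctly', () => {
+    const query = "| `macro_one('90','2')` | `macro_two('20')`";
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one(2)' },
+      { type: 'macro', name: 'macro_two(1)' },
+    ]);
+  });
+
+  it('should extract lookup tables correctly', () => {
+    const query =
+      'search ... | lookup my_lookup_table field AS alias OUTPUT new_field | lookup other_lookup_list | lookup third_lookup';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'list', name: 'my_lookup_table' },
+      { type: 'list', name: 'other_lookup_list' },
+      { type: 'list', name: 'third_lookup' },
+    ]);
+  });
+
+  it('should extract both macros and lookup tables correctly', () => {
+    const query =
+      '`macro_one` some search command | lookup my_lookup_table field AS alias OUTPUT new_field | lookup other_lookup_list | lookup third_lookup';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one' },
+      { type: 'list', name: 'my_lookup_table' },
+      { type: 'list', name: 'other_lookup_list' },
+      { type: 'list', name: 'third_lookup' },
+    ]);
+  });
+
+  it('should extract lookup correctly when there are modifiers', () => {
+    const query =
+      'lookup my_lookup_1 field AS alias OUTPUT new_field | lookup local=true my_lookup_2 | lookup update=true my_lookup_3 | lookup local=true update=true my_lookup_4 | lookup update=false local=true my_lookup_5';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'list', name: 'my_lookup_1' },
+      { type: 'list', name: 'my_lookup_2' },
+      { type: 'list', name: 'my_lookup_3' },
+      { type: 'list', name: 'my_lookup_4' },
+      { type: 'list', name: 'my_lookup_5' },
+    ]);
+  });
+
+  it('should return empty arrays if no macros or lookup tables are found', () => {
+    const query = 'search | stats count';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([]);
+  });
+
+  it('should handle queries with both macros and lookup tables mixed with other commands', () => {
+    const query =
+      'search `macro_one` | `my_lookup_table` field AS alias myfakelookup new_field | lookup real_lookup_list | `third_macro`';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one' },
+      { type: 'macro', name: 'my_lookup_table' },
+      { type: 'macro', name: 'third_macro' },
+      { type: 'list', name: 'real_lookup_list' },
+    ]);
+  });
+
+  it('should ignore macros or lookup tables inside string literals with double quotes', () => {
+    const query =
+      '`macro_one` | lookup my_lookup_table | search title="`macro_two` and lookup another_table"';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one' },
+      { type: 'list', name: 'my_lookup_table' },
+    ]);
+  });
+
+  it('should ignore macros or lookup tables inside string literals with single quotes', () => {
+    const query =
+      "`macro_one` | lookup my_lookup_table | search title='`macro_two` and lookup another_table'";
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one' },
+      { type: 'list', name: 'my_lookup_table' },
+    ]);
+  });
+
+  it('should ignore macros or lookup tables inside comments wrapped by ```', () => {
+    const query =
+      '`macro_one` ```this is a comment with `macro_two` and lookup another_table``` | lookup my_lookup_table ```this is another comment```';
+
+    const result = splResourceIdentifier(query);
+    expect(result).toEqual([
+      { type: 'macro', name: 'macro_one' },
+      { type: 'list', name: 'my_lookup_table' },
+    ]);
+  });
+});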
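Review bot: The suite has no malformed-input cases, which matters here because the SPL being scanned comes from a user-uploaded rules file rather than text the code controls. An unterminated string literal or an unclosed ``` comment is exactly where a literal-stripping scanner tends to either throw or silently drop every reference after the break, and an escaped quote inside a literal (`title="a \"quoted\" `macro_x`"`) is the usual way to confuse a naive quote matcher. I would add at least `it('should not throw on an unterminated string literal', () => { expect(() => splResourceIdentifier('`macro_one` | search title="unterminated')).not.toThrow(); });` plus a matching case for an unclosed ``` comment, each pinning whichever result is intended for the references that precede the break. Whether the implementation already copes cannot be told from this hunk, since `splunk_identifier.ts` itself is not shown.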