From b652c965e240f0edc90a5a90819d85698964fa68 Mon Sep 17 00:00:00 2001 From: "Devin W. Hurley" Date: Tue, 28 Jan 2020 19:20:23 -0500 Subject: [PATCH] [SIEM] [Detection Engine] Timestamps for rules (#56197) (#56224) * utilize createdAt and updatedAt from the alerting saved object * revert accidental change to test rule * updatedAt is not a part of savedObject attributes passed back from alerting, it's at the top level Co-authored-by: Elastic Machine --- .../routes/__mocks__/request_responses.ts | 2 -- .../routes/rules/create_rules_bulk_route.ts | 4 ---- .../routes/rules/create_rules_route.ts | 4 ---- .../routes/rules/import_rules_route.ts | 2 -- .../lib/detection_engine/routes/rules/utils.ts | 4 ++-- .../lib/detection_engine/rules/create_rules.ts | 2 -- .../rules/install_prepacked_rules.ts | 2 -- .../lib/detection_engine/rules/update_rules.ts | 1 - .../signals/__mocks__/es_results.ts | 2 -- .../signals/build_bulk_body.test.ts | 8 ++++++++ .../signals/build_bulk_body.ts | 6 ++++++ .../signals/build_rule.test.ts | 6 ++++++ .../lib/detection_engine/signals/build_rule.ts | 8 ++++++-- .../signals/search_after_bulk_create.test.ts | 16 ++++++++++++++++ .../signals/search_after_bulk_create.ts | 8 ++++++++ .../signals/signal_rule_alert_type.ts | 6 ++++-- .../signals/single_bulk_create.test.ts | 10 ++++++++++ .../signals/single_bulk_create.ts | 18 +++++++++++++++++- .../siem/server/lib/detection_engine/types.ts | 8 ++------ 19 files changed, 85 insertions(+), 32 deletions(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts index d950d89eb22a6..eea25a1e89cc8 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts 
@@ -269,8 +269,6 @@ export const getResult = (): RuleAlertType => ({ alertTypeId: 'siem.signals', consumer: 'siem', params: { - createdAt: '2019-12-13T16:40:33.400Z', - updatedAt: '2019-12-13T16:40:33.400Z', description: 'Detecting root and admin users', ruleId: 'rule-1', index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'], diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts index 68375043070f8..0ffa61e2e2bed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts @@ -51,7 +51,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou const rules = await Promise.all( request.payload.map(async payloadRule => { const { - created_at: createdAt, description, enabled, false_positives: falsePositives, @@ -73,7 +72,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou threat, to, type, - updated_at: updatedAt, references, timeline_id: timelineId, timeline_title: timelineTitle, @@ -104,7 +102,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou const createdRule = await createRules({ alertsClient, actionsClient, - createdAt, description, enabled, falsePositives, @@ -129,7 +126,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou to, type, threat, - updatedAt, references, version, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts index c631ed8f784ab..ec1df238f9483 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts 
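Review bot: The `@@ -51` hunk stops reading `created_at`/`updated_at` from `request.payload`, but nothing in this commit tightens the request schema — no schema file appears in the diffstat — so a client can presumably still send both and they are now silently ignored instead of rejected. If the payload schema still declares them, it should drop them or mark them forbidden so the accepted API surface matches what the handler consumes, and a one-line comment at the destructuring, `// created_at/updated_at are server-generated; never taken from the payload`, would record the intent for the next maintainer. The same applies to the `create_rules_route.ts` hunks that follow. The handler bodies continue outside these hunks.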
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts @@ -35,7 +35,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = }, async handler(request: RulesRequest, headers) { const { - created_at: createdAt, description, enabled, false_positives: falsePositives, @@ -59,7 +58,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = threat, to, type, - updated_at: updatedAt, references, } = request.payload; const alertsClient = isFunction(request.getAlertsClient) ? request.getAlertsClient() : null; @@ -91,7 +89,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = const createdRule = await createRules({ alertsClient, actionsClient, - createdAt, description, enabled, falsePositives, @@ -116,7 +113,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute = to, type, threat, - updatedAt, references, version: 1, }); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts index 88a31c36a87fc..71fdef3623bc7 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/import_rules_route.ts @@ -130,7 +130,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = const createdRule = await createRules({ alertsClient, actionsClient, - createdAt: new Date().toISOString(), description, enabled, falsePositives, @@ -155,7 +154,6 @@ export const createImportRulesRoute = (server: ServerFacade): Hapi.ServerRoute = to, type, threat, - updatedAt: new Date().toISOString(), references, version, }); 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
index 663ddf3a835a6..b45db53c13d88 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts
@@ -81,8 +81,8 @@ export const transformAlertToRule = (
 ruleStatus?: SavedObject
 ): Partial => {
 return pickBy((value: unknown) => value != null, {
- created_at: alert.params.createdAt,
- updated_at: alert.params.updatedAt,
+ created_at: alert.createdAt.toISOString(),
+ updated_at: alert.updatedAt.toISOString(),
 created_by: alert.createdBy,
 description: alert.params.description,
 enabled: alert.enabled,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
index 30e8c4dbf9d88..82fe16882882e 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/create_rules.ts
@@ -45,7 +45,6 @@ export const createRules = ({
 alertTypeId: SIGNALS_ID,
 consumer: APP_ID,
 params: {
- createdAt: new Date().toISOString(),
 description,
 ruleId,
 index,
@@ -66,7 +65,6 @@ export const createRules = ({
 threat,
 to,
 type,
- updatedAt: new Date().toISOString(),
 references,
 version,
 },
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts
index 7e8ed62baf1cf..07e8c6940e747 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts
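Review bot: `alert.createdAt.toISOString()` and `alert.updatedAt.toISOString()` in `transformAlertToRule` dereference both fields unconditionally, so an alert on which either is missing (the commit description itself notes `updatedAt` lives outside the attributes, and presumably saved objects written before it was tracked may lack it) throws a TypeError before `pickBy`'s `value != null` filter can drop the key, failing the whole response for one bad rule. Since the new code in `signal_rule_alert_type.ts` already uses `??`, optional chaining is available here: `created_at: alert.createdAt?.toISOString(),` and `updated_at: alert.updatedAt?.toISOString(),` preserve the existing null-dropping behavior instead of crashing. Whether the alert type guarantees both as `Date` is not visible in the hunk; if it does, this is only defensive. The function's body continues outside the hunk.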
@@ -75,8 +75,6 @@ export const installPrepackagedRules = ( threat, references, version, - createdAt: new Date().toISOString(), - updatedAt: new Date().toISOString(), }), ]; }, []); diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts index 8234b931ad89a..304cd1962afed 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_rules.ts @@ -164,7 +164,6 @@ export const updateRules = async ({ threat, to, type, - updatedAt: new Date().toISOString(), references, version: calculatedVersion, } diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts index 6507e6ca73ede..fded0696ff8bf 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/__mocks__/es_results.ts @@ -35,8 +35,6 @@ export const sampleRuleAlertParams = ( meta: undefined, threat: undefined, version: 1, - updatedAt: '2019-12-17T15:04:25.343Z', - createdAt: '2019-12-17T15:04:37.105Z', }); export const sampleDocNoSortId = (someUuid: string = sampleIdGuid): SignalSourceHit => ({ diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts index de11bf6fcc3c1..b71a7080f4147 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.test.ts 
@@ -25,6 +25,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -103,6 +105,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -189,6 +193,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -272,6 +278,8 @@ describe('buildBulkBody', () => { ruleParams: sampleParams, id: sampleRuleGuid, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts index 6d9f442515b2a..e77755073b374 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_bulk_body.ts @@ -15,7 +15,9 @@ interface BuildBulkBodyParams { ruleParams: RuleTypeParams; id: string; name: string; + createdAt: string; createdBy: string; + updatedAt: string; updatedBy: string; interval: string; enabled: boolean; @@ -28,7 +30,9 @@ export const buildBulkBody = ({ ruleParams, id, name, + createdAt, createdBy, + updatedAt, updatedBy, interval, enabled, @@ -39,7 +43,9 @@ export const buildBulkBody = ({ id, name, enabled, + createdAt, createdBy, + updatedAt, updatedBy, interval, tags, 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts index 451e493f3ed8a..af0883f4ce6b5 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.test.ts @@ -31,6 +31,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: false, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', @@ -85,6 +87,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: true, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', @@ -128,6 +132,8 @@ describe('buildRule', () => { name: 'some-name', id: sampleRuleGuid, enabled: true, + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: 'some interval', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts index ba1b2f695156b..70465bf1d9201 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/build_rule.ts @@ -12,7 +12,9 @@ interface BuildRuleParams { name: string; id: string; enabled: boolean; + createdAt: string; createdBy: string; + updatedAt: string; updatedBy: string; interval: string; tags: string[]; @@ -23,7 +25,9 @@ export const buildRule = ({ name, id, enabled, + createdAt, createdBy, + updatedAt, updatedBy, interval, tags, 
@@ -58,7 +62,7 @@ export const buildRule = ({ updated_by: updatedBy, threat: ruleParams.threat, version: ruleParams.version, - created_at: ruleParams.createdAt, - updated_at: ruleParams.updatedAt, + created_at: createdAt, + updated_at: updatedAt, }); }; diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts index 0644d5e467a5a..bf7a97a29aef3 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.test.ts @@ -40,6 +40,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -93,6 +95,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -117,6 +121,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -148,6 +154,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', 
@@ -179,6 +187,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -212,6 +222,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -245,6 +257,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -280,6 +294,8 @@ describe('searchAfterAndBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts index fb314e62ba943..8c8cef5dd3669 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/search_after_bulk_create.ts @@ -19,8 +19,10 @@ interface SearchAfterAndBulkCreateParams { id: string; signalsIndex: string; name: string; + createdAt: string; createdBy: string; updatedBy: string; + updatedAt: string; interval: string; enabled: boolean; pageSize: number; @@ -38,8 +40,10 @@ export const searchAfterAndBulkCreate = async ({ signalsIndex, filter, name, + createdAt, createdBy, updatedBy, + updatedAt, interval, enabled, pageSize, 
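Review bot: In `SearchAfterAndBulkCreateParams` and the `searchAfterAndBulkCreate` destructuring (`@@ -19` and `@@ -38` hunks) the new fields are ordered `createdBy, updatedBy, updatedAt`, whereas `BuildBulkBodyParams`, `BuildRuleParams` and `SingleBulkCreateParams` in this same commit place `createdAt` before `createdBy` and `updatedAt` before `updatedBy`, and the call site in `signal_rule_alert_type.ts` (`@@ -210` hunk) uses yet a third order, `createdBy, createdAt, updatedBy, updatedAt`. Using one order everywhere — `createdAt, createdBy, updatedAt, updatedBy` as the other interfaces do — keeps the parameter lists grep-able and future diffs clean. This is style only; the objects are keyed, so behavior is unaffected.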
@@ -58,7 +62,9 @@ export const searchAfterAndBulkCreate = async ({
 id,
 signalsIndex,
 name,
+ createdAt,
 createdBy,
+ updatedAt,
 updatedBy,
 interval,
 enabled,
@@ -118,7 +124,9 @@ export const searchAfterAndBulkCreate = async ({
 id,
 signalsIndex,
 name,
+ createdAt,
 createdBy,
+ updatedAt,
 updatedBy,
 interval,
 enabled,
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
index 370ed65280849..cd28f348a27c3 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -35,7 +35,6 @@ export const signalRulesAlertType = ({
 actionGroups: ['default'],
 validate: {
 params: schema.object({
- createdAt: schema.string(),
 description: schema.string(),
 falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }),
 from: schema.string(),
@@ -56,7 +55,6 @@ export const signalRulesAlertType = ({
 threat: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
 to: schema.string(),
 type: schema.string(),
- updatedAt: schema.string(),
 references: schema.arrayOf(schema.string(), { defaultValue: [] }),
 version: schema.number({ defaultValue: 1 }),
 }),
@@ -121,7 +119,9 @@ export const signalRulesAlertType = ({
 const tags: string[] = savedObject.attributes.tags;
 const createdBy: string = savedObject.attributes.createdBy;
+ const createdAt: string = savedObject.attributes.createdAt;
 const updatedBy: string = savedObject.attributes.updatedBy;
+ const updatedAt: string = savedObject.updated_at ?? '';
 const interval: string = savedObject.attributes.schedule.interval;
 const enabled: boolean = savedObject.attributes.enabled;
 const gap = getGapBetweenRuns({
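Review bot: `const updatedAt: string = savedObject.updated_at ?? '';` substitutes an empty string whenever the saved object carries no `updated_at`, and that value is then written into every generated signal's `rule.updated_at` via `buildRule`; if the signals index maps that field as a date (not visible here) the bulk request would reject those documents, and even as a keyword an empty string is a sentinel consumers cannot tell apart from real data. A rule that has never been updated is most naturally stamped with its creation time, so `const updatedAt: string = savedObject.updated_at ?? createdAt;` keeps the field a valid timestamp in both cases. Note also that the `: string` annotation on `savedObject.attributes.createdAt` two lines above is only a compile-time claim — if `attributes` is loosely typed it does not check the runtime value, and a missing `createdAt` would propagate as `undefined` the same way. The executor body continues outside the hunk.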
@@ -210,7 +210,9 @@ export const signalRulesAlertType = ({ filter: esFilter, name, createdBy, + createdAt, updatedBy, + updatedAt, interval, enabled, pageSize: searchAfterSize, diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts index d5f11c91a2b7c..09e2c6b4fd586 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.test.ts @@ -152,6 +152,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -180,6 +182,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -200,6 +204,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -221,6 +227,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', @@ -244,6 +252,8 @@ describe('singleBulkCreate', () => { id: sampleRuleGuid, signalsIndex: DEFAULT_SIGNALS_INDEX, name: 'rule-name', + createdAt: '2020-01-28T15:58:34.810Z', + updatedAt: '2020-01-28T15:59:14.004Z', createdBy: 'elastic', updatedBy: 'elastic', interval: '5m', 
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts
index cb5de4c974927..adc7919a09758 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/single_bulk_create.ts
@@ -21,7 +21,9 @@ interface SingleBulkCreateParams {
 id: string;
 signalsIndex: string;
 name: string;
+ createdAt: string;
 createdBy: string;
+ updatedAt: string;
 updatedBy: string;
 interval: string;
 enabled: boolean;
@@ -59,7 +61,9 @@ export const singleBulkCreate = async ({
 id,
 signalsIndex,
 name,
+ createdAt,
 createdBy,
+ updatedAt,
 updatedBy,
 interval,
 enabled,
@@ -91,7 +95,19 @@ export const singleBulkCreate = async ({
 ),
 },
 },
- buildBulkBody({ doc, ruleParams, id, name, createdBy, updatedBy, interval, enabled, tags }),
+ buildBulkBody({
+ doc,
+ ruleParams,
+ id,
+ name,
+ createdAt,
+ createdBy,
+ updatedAt,
+ updatedBy,
+ interval,
+ enabled,
+ tags,
+ }),
 ]);
 const start = performance.now();
 const response: BulkResponse = await services.callCluster('bulk', {
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
index d1c9845dbbcfc..e1069db98c8fc 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts
@@ -22,7 +22,6 @@ export interface ThreatParams {
 }
 export interface RuleAlertParams {
- createdAt: string;
 description: string;
 enabled: boolean;
 falsePositives: string[];
@@ -49,7 +48,6 @@ export interface RuleAlertParams {
 threat: ThreatParams[] | undefined | null;
 type: 'query' | 'saved_query';
 version: number;
- updatedAt: string;
 }
 export type RuleTypeParams = Omit;
@@ -65,8 +63,6 @@ export type RuleAlertParamsRest = Omit< | 'timelineId' | 'timelineTitle' | 'outputIndex' - | 'updatedAt' - | 'createdAt' > & Omit< IRuleStatusAttributes, @@ -86,8 +82,8 @@ export type RuleAlertParamsRest = Omit< max_signals: RuleAlertParams['maxSignals']; risk_score: RuleAlertParams['riskScore']; output_index: RuleAlertParams['outputIndex']; - created_at: RuleAlertParams['createdAt']; - updated_at: RuleAlertParams['updatedAt']; + created_at: string; + updated_at: string; status?: IRuleStatusAttributes['status'] | undefined; status_date?: IRuleStatusAttributes['statusDate'] | undefined; last_failure_at?: IRuleStatusAttributes['lastFailureAt'] | undefined;
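Review bot: `created_at: string; updated_at: string;` in the `@@ -86` hunk are now declared as plain required strings on `RuleAlertParamsRest`, detached from `RuleAlertParams`, but nothing records that they are produced by the server from the alert saved object rather than accepted from clients — the route hunks in this commit stop reading them from `request.payload`. If `RuleAlertParamsRest` also types incoming payloads (not visible here), requiring them is misleading; either way a comment above the two lines, `// Populated from the alert saved object's createdAt/updatedAt; never read from the request payload`, would keep a later change from wiring them back into the create/update handlers. The `RuleAlertParamsRest` definition begins before the hunk.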