

[SIEM] Updates process and TLS tables to use ECS 1.5 fields (#60854) (#…
…61031)

* Added new process filter
* Use new ECS TLS fields
tsg authored Mar 24, 2020
1 parent 775280e commit 0dba353
Showing 17 changed files with 9,739 additions and 377 deletions.


Expand Up @@ -32,11 +32,11 @@ export const getTlsColumns = (tableId: string): TlsColumns => [
truncateText: false,
hideForMobile: false,
sortable: false,
render: ({ _id, issuerNames }) =>
render: ({ _id, issuers }) =>
getRowItemDraggables({
rowItems: issuerNames,
attrName: 'tls.server_certificate.issuer.common_name',
idPrefix: `${tableId}-${_id}-table-issuerNames`,
rowItems: issuers,
attrName: 'tls.server.issuer',
idPrefix: `${tableId}-${_id}-table-issuers`,
}),
},
{
Expand All @@ -45,18 +45,12 @@ export const getTlsColumns = (tableId: string): TlsColumns => [
truncateText: false,
hideForMobile: false,
sortable: false,
render: ({ _id, alternativeNames, commonNames }) =>
alternativeNames != null && alternativeNames.length > 0
? getRowItemDraggables({
rowItems: alternativeNames,
attrName: 'tls.server_certificate.alternative_names',
idPrefix: `${tableId}-${_id}-table-alternative-name`,
})
: getRowItemDraggables({
rowItems: commonNames,
attrName: 'tls.server_certificate.subject.common_name',
idPrefix: `${tableId}-${_id}-table-common-name`,
}),
render: ({ _id, subjects }) =>
getRowItemDraggables({
rowItems: subjects,
attrName: 'tls.server.subject',
idPrefix: `${tableId}-${_id}-table-subjects`,
}),
},
{
field: 'node._id',
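Review bot: The new `subjects` render passes `subjects` straight into `getRowItemDraggables`, whereas the branch it replaces first checked `alternativeNames != null && alternativeNames.length > 0`; the types.ts change in this same commit declares `subjects?: Maybe<string[]>`, so a null or empty list can now reach the helper. Whether `getRowItemDraggables` renders an acceptable empty cell for null is not visible here, so either confirm that it does or reinstate a guard such as `subjects != null && subjects.length > 0 ? getRowItemDraggables({ … }) : …` with whatever empty-cell value the rest of this table already uses. The `issuers` column in the first hunk has the same shape and should be treated the same way. The enclosing `getTlsColumns` array starts and ends outside these hunks.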
Expand Up @@ -12,10 +12,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '2fe3bdf168af35b9e0ce5dc583bab007c40d47de',
alternativeNames: ['*.elastic.co', 'elastic.co'],
commonNames: ['*.elastic.co'],
subjects: ['*.elastic.co'],
ja3: ['7851693188210d3b271aa1713d8c68c2', 'fb4726d465c5f28b84cd6d14cedd13a7'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
issuers: ['DigiCert SHA2 Secure Server CA'],
notAfter: ['2021-04-22T12:00:00.000Z'],
},
cursor: {
Expand All @@ -25,10 +24,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '61749734b3246f1584029deb4f5276c64da00ada',
alternativeNames: ['api.snapcraft.io'],
commonNames: ['api.snapcraft.io'],
subjects: ['api.snapcraft.io'],
ja3: ['839868ad711dc55bde0d37a87f14740d'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
issuers: ['DigiCert SHA2 Secure Server CA'],
notAfter: ['2019-05-22T12:00:00.000Z'],
},
cursor: {
Expand All @@ -38,10 +36,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '6560d3b7dd001c989b85962fa64beb778cdae47a',
alternativeNames: ['changelogs.ubuntu.com', 'manpages.ubuntu.com'],
commonNames: ['changelogs.ubuntu.com'],
subjects: ['changelogs.ubuntu.com'],
ja3: ['da12c94da8021bbaf502907ad086e7bc'],
issuerNames: ["Let's Encrypt Authority X3"],
issuers: ["Let's Encrypt Authority X3"],
notAfter: ['2019-06-27T01:09:59.000Z'],
},
cursor: {
Expand Up @@ -16,7 +16,7 @@ export const TRANSPORT_LAYER_SECURITY = i18n.translate(
export const UNIT = (totalCount: number) =>
i18n.translate('xpack.siem.network.ipDetails.tlsTable.unit', {
values: { totalCount },
defaultMessage: `{totalCount, plural, =1 {issuer} other {issuers}}`,
defaultMessage: `{totalCount, plural, =1 {server certificate} other {server certificates}}`,
});

// Columns
Expand Up @@ -33,10 +33,9 @@ export const tlsQuery = gql`
edges {
node {
_id
alternativeNames
commonNames
subjects
ja3
issuerNames
issuers
notAfter
}
cursor {
20 changes: 2 additions & 18 deletions x-pack/legacy/plugins/siem/public/graphql/introspection.json
Expand Up @@ -9213,22 +9213,6 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "alternativeNames",
"description": "",
"args": [],
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "String", "ofType": null }
}
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "notAfter",
"description": "",
Expand All @@ -9246,7 +9230,7 @@
"deprecationReason": null
},
{
"name": "commonNames",
"name": "subjects",
"description": "",
"args": [],
"type": {
Expand Down Expand Up @@ -9278,7 +9262,7 @@
"deprecationReason": null
},
{
"name": "issuerNames",
"name": "issuers",
"description": "",
"args": [],
"type": {
12 changes: 4 additions & 8 deletions x-pack/legacy/plugins/siem/public/graphql/types.ts
Expand Up @@ -1859,15 +1859,13 @@ export interface TlsNode {

timestamp?: Maybe<string>;

alternativeNames?: Maybe<string[]>;

notAfter?: Maybe<string[]>;

commonNames?: Maybe<string[]>;
subjects?: Maybe<string[]>;

ja3?: Maybe<string[]>;

issuerNames?: Maybe<string[]>;
issuers?: Maybe<string[]>;
}

export interface UncommonProcessesData {
Expand Down Expand Up @@ -5679,13 +5677,11 @@ export namespace GetTlsQuery {

_id: Maybe<string>;

alternativeNames: Maybe<string[]>;

commonNames: Maybe<string[]>;
subjects: Maybe<string[]>;

ja3: Maybe<string[]>;

issuerNames: Maybe<string[]>;
issuers: Maybe<string[]>;

notAfter: Maybe<string[]>;
};
5 changes: 2 additions & 3 deletions x-pack/legacy/plugins/siem/server/graphql/tls/schema.gql.ts
Expand Up @@ -13,11 +13,10 @@ export const tlsSchema = gql`
type TlsNode {
_id: String
timestamp: Date
alternativeNames: [String!]
notAfter: [String!]
commonNames: [String!]
subjects: [String!]
ja3: [String!]
issuerNames: [String!]
issuers: [String!]
}
input TlsSortField {
field: TlsFields!
21 changes: 6 additions & 15 deletions x-pack/legacy/plugins/siem/server/graphql/types.ts
Expand Up @@ -1861,15 +1861,13 @@ export interface TlsNode {

timestamp?: Maybe<string>;

alternativeNames?: Maybe<string[]>;

notAfter?: Maybe<string[]>;

commonNames?: Maybe<string[]>;
subjects?: Maybe<string[]>;

ja3?: Maybe<string[]>;

issuerNames?: Maybe<string[]>;
issuers?: Maybe<string[]>;
}

export interface UncommonProcessesData {
Expand Down Expand Up @@ -7824,15 +7822,13 @@ export namespace TlsNodeResolvers {

timestamp?: TimestampResolver<Maybe<string>, TypeParent, TContext>;

alternativeNames?: AlternativeNamesResolver<Maybe<string[]>, TypeParent, TContext>;

notAfter?: NotAfterResolver<Maybe<string[]>, TypeParent, TContext>;

commonNames?: CommonNamesResolver<Maybe<string[]>, TypeParent, TContext>;
subjects?: SubjectsResolver<Maybe<string[]>, TypeParent, TContext>;

ja3?: Ja3Resolver<Maybe<string[]>, TypeParent, TContext>;

issuerNames?: IssuerNamesResolver<Maybe<string[]>, TypeParent, TContext>;
issuers?: IssuersResolver<Maybe<string[]>, TypeParent, TContext>;
}

export type _IdResolver<R = Maybe<string>, Parent = TlsNode, TContext = SiemContext> = Resolver<
Expand All @@ -7845,17 +7841,12 @@ export namespace TlsNodeResolvers {
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type AlternativeNamesResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type NotAfterResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type CommonNamesResolver<
export type SubjectsResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
Expand All @@ -7865,7 +7856,7 @@ export namespace TlsNodeResolvers {
Parent,
TContext
>;
export type IssuerNamesResolver<
export type IssuersResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
Expand Up @@ -66,10 +66,9 @@ export const formatTlsEdges = (buckets: TlsBuckets[]): TlsEdges[] => {
const edge: TlsEdges = {
node: {
_id: bucket.key,
alternativeNames: bucket.alternative_names.buckets.map(({ key }) => key),
commonNames: bucket.common_names.buckets.map(({ key }) => key),
subjects: bucket.subjects.buckets.map(({ key }) => key),
ja3: bucket.ja3.buckets.map(({ key }) => key),
issuerNames: bucket.issuer_names.buckets.map(({ key }) => key),
issuers: bucket.issuers.buckets.map(({ key }) => key),
// eslint-disable-next-line @typescript-eslint/camelcase
notAfter: bucket.not_after.buckets.map(({ key_as_string }) => key_as_string),
},
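Review bot: The new lines read `bucket.subjects.buckets` and `bucket.issuers.buckets` unconditionally, so the `TlsBuckets` type and the terms sub-aggregations in the TLS query DSL must have been renamed from `common_names`/`issuer_names` to `subjects`/`issuers` in this same commit; neither file is rendered on this page, so that should be confirmed before merging. If an aggregation name does not match, the `.buckets` access throws a TypeError for every bucket and the whole table fails rather than one cell rendering empty. Dropping the `alternative_names` aggregation also means subject alternative names are no longer surfaced at all; if that is intentional, a one-line comment above `subjects:` noting that `tls.server.subject` appears to carry only the subject DN (the ECS 1.5 `tls.server.*` set does not seem to include a SAN field) would save the next reader a search. `formatTlsEdges` starts before and ends after this hunk.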
