[Security Solution] Add aliases, fix types, remove extra fields (#122880

) (#123319) * Add aliases, fix types, remove extra fields * Update aliases version and update tests * Update aliases version test * Remove dangling references to fields * Update test Co-authored-by: Kibana Machine <[email protected]> (cherry picked from commit 886ad6f) Co-authored-by: Marshall Main <[email protected]>
elastic · Jan 19, 2022 · 1939432 · 1939432
1 parent f83ef8d
commit 1939432
Show file tree

Hide file tree

Showing 16 changed files with 50 additions and 496 deletions.
diff --git a/x-pack/plugins/security_solution/common/field_maps/alerts.ts b/x-pack/plugins/security_solution/common/field_maps/alerts.ts
@@ -54,7 +54,7 @@ export const alertsFieldMap: FieldMap = {
     required: false,
   },
   'kibana.alert.group.index': {
-    type: 'keyword',
+    type: 'integer',
     array: false,
     required: false,
   },

diff --git a/x-pack/plugins/security_solution/common/field_maps/rules.ts b/x-pack/plugins/security_solution/common/field_maps/rules.ts
@@ -26,31 +26,11 @@ export const rulesFieldMap = {
     array: true,
     required: false,
   },
-  'kibana.alert.rule.index': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
-  'kibana.alert.rule.language': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
   'kibana.alert.rule.max_signals': {
     type: 'long',
     array: true,
     required: true,
   },
-  'kibana.alert.rule.query': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
-  'kibana.alert.rule.saved_id': {
-    type: 'keyword',
-    array: true,
-    required: true,
-  },
   'kibana.alert.rule.threat.framework': {
     type: 'keyword',
     array: false,
@@ -101,91 +81,21 @@ export const rulesFieldMap = {
     array: false,
     required: true,
   },
-  'kibana.alert.rule.threat_filters': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_index': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_indicator_path': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_language': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping.entries.field': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threat_mapping.entries.value': {
+  'kibana.alert.rule.timeline_id': {
     type: 'keyword',
     array: true,
     required: false,
   },
-  'kibana.alert.rule.threat_mapping.entries.type': {
+  'kibana.alert.rule.timeline_title': {
     type: 'keyword',
     array: true,
     required: false,
   },
-  'kibana.alert.rule.threat_query': {
+  'kibana.alert.rule.timestamp_override': {
     type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.field': {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.value': {
-    type: 'float',
     array: false,
     required: false,
   },
-  'kibana.alert.rule.threshold.cardinality': {
-    type: 'object',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.cardinality.field': {
-    type: 'keyword',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.threshold.cardinality.value': {
-    type: 'long',
-    array: false,
-    required: false,
-  },
-  'kibana.alert.rule.timeline_id': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
-  'kibana.alert.rule.timeline_title': {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
 } as const;
 
 export type RulesFieldMap = typeof rulesFieldMap;
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -139,31 +139,20 @@ export const allowTopN = ({
     'kibana.alert.original_event.timezone',
     'kibana.alert.original_event.type',
     'kibana.alert.original_time',
-    'kibana.alert.parent.depth',
-    'kibana.alert.parent.id',
-    'kibana.alert.parent.index',
-    'kibana.alert.parent.rule',
-    'kibana.alert.parent.type',
     'kibana.alert.rule.created_by',
     'kibana.alert.rule.description',
     'kibana.alert.rule.enabled',
     'kibana.alert.rule.false_positives',
-    'kibana.alert.rule.filters',
     'kibana.alert.rule.from',
     'kibana.alert.rule.uuid',
     'kibana.alert.rule.immutable',
-    'kibana.alert.rule.index',
     'kibana.alert.rule.interval',
-    'kibana.alert.rule.language',
     'kibana.alert.rule.max_signals',
     'kibana.alert.rule.name',
     'kibana.alert.rule.note',
-    'kibana.alert.rule.output_index',
-    'kibana.alert.rule.query',
     'kibana.alert.rule.references',
     'kibana.alert.risk_score',
     'kibana.alert.rule.rule_id',
-    'kibana.alert.rule.saved_id',
     'kibana.alert.severity',
     'kibana.alert.rule.size',
     'kibana.alert.rule.tags',

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
@@ -332,22 +332,6 @@ export const mockAlertDetailsData = [
     originalValue: 'administrator',
   },
   { category: 'user', field: 'user.id', values: ['S-1-0-0'], originalValue: 'S-1-0-0' },
-  // TODO: The `parents` field no longer exists... use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parents',
-    values: [
-      '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}',
-    ],
-    originalValue: [
-      {
-        id: '688MAHYB7WTwW_Glsi_d',
-        type: 'event',
-        index: 'winlogbeat-7.10.0-2020.11.12-000001',
-        depth: 0,
-      },
-    ],
-  },
   {
     category: 'kibana',
     field: 'kibana.alert.ancestors',
@@ -399,12 +383,6 @@ export const mockAlertDetailsData = [
     values: [],
     originalValue: [],
   },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.output_index',
-    values: ['.siem-signals-angelachuang-default'],
-    originalValue: '.siem-signals-angelachuang-default',
-  },
   {
     category: 'kibana',
     field: 'kibana.alert.rule.description',
@@ -417,45 +395,9 @@ export const mockAlertDetailsData = [
     values: ['now-360s'],
     originalValue: 'now-360s',
   },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.index',
-    values: [
-      'apm-*-transaction*',
-      'traces-apm*',
-      'auditbeat-*',
-      'endgame-*',
-      'filebeat-*',
-      'logs-*',
-      'packetbeat-*',
-      'winlogbeat-*',
-    ],
-    originalValue: [
-      'apm-*-transaction*',
-      'traces-apm*',
-      'auditbeat-*',
-      'endgame-*',
-      'filebeat-*',
-      'logs-*',
-      'packetbeat-*',
-      'winlogbeat-*',
-    ],
-  },
   { category: 'kibana', field: 'kibana.alert.rule.interval', values: ['5m'], originalValue: '5m' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.language',
-    values: ['kuery'],
-    originalValue: 'kuery',
-  },
   { category: 'kibana', field: 'kibana.alert.rule.license', values: [''], originalValue: '' },
   { category: 'kibana', field: 'kibana.alert.rule.name', values: ['xxx'], originalValue: 'xxx' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.query',
-    values: ['@timestamp : * '],
-    originalValue: '@timestamp : * ',
-  },
   { category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
   {
     category: 'kibana',
@@ -477,27 +419,6 @@ export const mockAlertDetailsData = [
     originalValue: 'query',
   },
   { category: 'kibana', field: 'kibana.alert.rule.to', values: ['now'], originalValue: 'now' },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.filters',
-    values: [
-      '{"meta":{"alias":null,"negate":false,"disabled":false,"type":"exists","key":"message","value":"exists"},"exists":{"field":"message"},"$state":{"store":"appState"}}',
-    ],
-    originalValue: [
-      {
-        meta: {
-          alias: null,
-          negate: false,
-          disabled: false,
-          type: 'exists',
-          key: 'message',
-          value: 'exists',
-        },
-        exists: { field: 'message' },
-        $state: { store: 'appState' },
-      },
-    ],
-  },
   {
     category: 'kibana',
     field: 'kibana.alert.rule.created_by',
@@ -526,28 +447,6 @@ export const mockAlertDetailsData = [
   },
   { category: 'kibana', field: 'kibana.alert.rule.exceptions_list', values: [], originalValue: [] },
   { category: 'kibana', field: 'kibana.alert.depth', values: [1], originalValue: 1 },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.id',
-    values: ['688MAHYB7WTwW_Glsi_d'],
-    originalValue: '688MAHYB7WTwW_Glsi_d',
-  },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.type',
-    values: ['event'],
-    originalValue: 'event',
-  },
-  // TODO: The `parent` no longer exists. Use `ancestors` and `depth`
-  {
-    category: 'kibana',
-    field: 'kibana.alert.parent.index',
-    values: ['winlogbeat-7.10.0-2020.11.12-000001'],
-    originalValue: 'winlogbeat-7.10.0-2020.11.12-000001',
-  },
-  { category: 'kibana', field: 'kibana.alert.parent.depth', values: [0], originalValue: 0 },
   {
     category: 'kibana',
     field: 'kibana.alert.original_time',

diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/helpers.test.tsx
@@ -115,17 +115,12 @@ const ruleNameFilter: Filter = {
 const threatMappingFilter: Filter = {
   meta: {
     alias: null,
-    negate: true,
     disabled: false,
-    type: 'exists',
-    key: 'kibana.alert.rule.threat_mapping',
-    value: 'exists',
-  },
-  query: {
-    exists: {
-      field: 'kibana.alert.rule.threat_mapping',
-    },
+    negate: false,
+    key: 'kibana.alert.rule.type',
+    type: 'term',
   },
+  query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
 };
 
 const workflowStatusFilter: Filter = {

diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/helpers.ts b/x-pack/plugins/security_solution/public/common/components/top_n/helpers.ts
@@ -158,7 +158,6 @@ export const IGNORED_ALERT_FILTERS = [
   ALERT_RULE_RULE_ID, // filters alerts to a single rule on the Security > Rules > details pages
   ALERT_RULE_RULE_NAME_OVERRIDE,
   ALERT_RULE_TAGS,
-  'kibana.alert.rule.threat_mapping', // an "Additional filters" option on the alerts table
   ALERT_RULE_TO,
   ALERT_RULE_TYPE,
   ALERT_RULE_TYPE_ID,

diff --git a/...ck/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/...ck/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -162,14 +162,10 @@ export const requiredFieldsForActions = [
   'kibana.alert.group.id',
   'kibana.alert.original_time',
   'kibana.alert.building_block_type',
-  'kibana.alert.rule.filters',
   'kibana.alert.rule.from',
-  'kibana.alert.rule.language',
-  'kibana.alert.rule.query',
   'kibana.alert.rule.name',
   'kibana.alert.rule.to',
   'kibana.alert.rule.uuid',
-  'kibana.alert.rule.index',
   'kibana.alert.rule.type',
   'kibana.alert.original_event.kind',
   'kibana.alert.original_event.module',

diff --git a/...plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/...plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
@@ -59,7 +59,8 @@ export const EventDetailsFooterComponent = React.memo(
     const ruleIndex = useMemo(
       () =>
         find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values ??
-        find({ category: 'kibana', field: 'kibana.alert.rule.index' }, detailsData)?.values,
+        find({ category: 'kibana', field: 'kibana.alert.rule.parameters.index' }, detailsData)
+          ?.values,
       [detailsData]
     );