Ref updates

elastic · Sep 27, 2021 · 4d1473d · 4d1473d
1 parent 98c6bcb
commit 4d1473d
Show file tree

Hide file tree

Showing 122 changed files with 1,449 additions and 1,400 deletions.
diff --git a/packages/kbn-securitysolution-rules/BUILD.bazel b/packages/kbn-securitysolution-rules/BUILD.bazel
@@ -29,15 +29,19 @@ NPM_MODULE_EXTRA_FILES = [
 ]
 
 RUNTIME_DEPS = [
+  "@npm//lodash",
   "@npm//tslib",
   "@npm//uuid",
+  "//packages/kbn-rule-data-utils"
 ]
 
 TYPES_DEPS = [
+  "@npm//lodash",
   "@npm//tslib",
   "@npm//@types/jest",
   "@npm//@types/node",
-  "@npm//@types/uuid"
+  "@npm//@types/uuid",
+  "//packages/kbn-rule-data-utils"
 ]
 
 jsts_transpiler(

diff --git a/...gine/rule_types/field_maps/field_names.ts → ...n-securitysolution-rules/src/constants.ts b/...gine/rule_types/field_maps/field_names.ts → ...n-securitysolution-rules/src/constants.ts
@@ -1,8 +1,9 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
 
 import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils';

diff --git a/packages/kbn-securitysolution-rules/src/index.ts b/packages/kbn-securitysolution-rules/src/index.ts
@@ -6,6 +6,7 @@
  * Side Public License, v 1.
  */
 
+export * from './constants';
 export * from './rule_type_constants';
 export * from './rule_type_mappings';
 export * from './utils';
diff --git a/packages/kbn-securitysolution-rules/src/types.ts b/packages/kbn-securitysolution-rules/src/types.ts
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+/**
+ * Copied from security_solution:
+ *
+ * Defines the search types you can have from Elasticsearch within a
+ * doc._source. It uses recursive types of "| SearchTypes[]" to designate
+ * anything can also be of a type array, and it uses the recursive type of
+ * "| { [property: string]: SearchTypes }" to designate you can can sub-objects
+ * or sub-sub-objects, etc...
+ */
+export type SearchTypes = string | number | boolean | object | SearchTypes[] | undefined;
diff --git a/packages/kbn-securitysolution-rules/src/utils.ts b/packages/kbn-securitysolution-rules/src/utils.ts
@@ -6,7 +6,10 @@
  * Side Public License, v 1.
  */
 
+import { isPlainObject } from 'lodash';
+
 import { RuleType, RuleTypeId, ruleTypeMappings } from './rule_type_mappings';
+import { SearchTypes } from './types';
 
 export const isRuleType = (ruleType: unknown): ruleType is RuleType => {
   return Object.keys(ruleTypeMappings).includes(ruleType as string);
@@ -15,3 +18,24 @@ export const isRuleType = (ruleType: unknown): ruleType is RuleType => {
 export const isRuleTypeId = (ruleTypeId: unknown): ruleTypeId is RuleTypeId => {
   return Object.values(ruleTypeMappings).includes(ruleTypeId as RuleTypeId);
 };
+
+export const flattenWithPrefix = (
+  prefix: string,
+  maybeObj: unknown
+): Record<string, SearchTypes> => {
+  if (maybeObj != null && isPlainObject(maybeObj)) {
+    return Object.keys(maybeObj as Record<string, SearchTypes>).reduce(
+      (acc: Record<string, SearchTypes>, key) => {
+        return {
+          ...acc,
+          ...flattenWithPrefix(`${prefix}.${key}`, (maybeObj as Record<string, SearchTypes>)[key]),
+        };
+      },
+      {}
+    );
+  } else {
+    return {
+      [prefix]: maybeObj as SearchTypes,
+    };
+  }
+};
diff --git a/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx b/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx
@@ -30,7 +30,7 @@ const Container = styled.div`
 
 const defaultAlertComment = {
   type: CommentType.generatedAlert,
-  alerts: `[{{#context.alerts}}{"_id": "{{_id}}", "_index": "{{_index}}", "ruleId": "{{signal.rule.id}}", "ruleName": "{{signal.rule.name}}"}__SEPARATOR__{{/context.alerts}}]`,
+  alerts: `[{{#context.alerts}}{"_id": "{{_id}}", "_index": "{{_index}}", "ruleId": "{{kibana.alert.rule.uuid}}", "ruleName": "{{kibana.alert.rule.name}}"}__SEPARATOR__{{/context.alerts}}]`,
 };
 
 const CaseParamsFields: React.FunctionComponent<ActionParamsProps<CaseActionParams>> = ({

diff --git a/x-pack/plugins/cases/server/services/alerts/index.test.ts b/x-pack/plugins/cases/server/services/alerts/index.test.ts
@@ -39,8 +39,8 @@ describe('updateAlertsStatus', () => {
             source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
               ctx._source['${ALERT_WORKFLOW_STATUS}'] = 'closed'
             }
-            if (ctx._source.signal != null && ctx._source.signal.status != null) {
-              ctx._source.signal.status = 'closed'
+            if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+              ctx._source.kibana.alert.workflow_status = 'closed'
             }`,
             lang: 'painless',
           },
@@ -75,8 +75,8 @@ describe('updateAlertsStatus', () => {
             source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
               ctx._source['${ALERT_WORKFLOW_STATUS}'] = 'closed'
             }
-            if (ctx._source.signal != null && ctx._source.signal.status != null) {
-              ctx._source.signal.status = 'closed'
+            if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+              ctx._source.kibana.alert.workflow_status = 'closed'
             }`,
             lang: 'painless',
           },
@@ -116,8 +116,8 @@ describe('updateAlertsStatus', () => {
                 "source": "if (ctx._source['kibana.alert.workflow_status'] != null) {
                       ctx._source['kibana.alert.workflow_status'] = 'acknowledged'
                     }
-                    if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                      ctx._source.signal.status = 'acknowledged'
+                    if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                      ctx._source.kibana.alert.workflow_status = 'acknowledged'
                     }",
               },
             },
@@ -159,8 +159,8 @@ describe('updateAlertsStatus', () => {
                 "source": "if (ctx._source['kibana.alert.workflow_status'] != null) {
                       ctx._source['kibana.alert.workflow_status'] = 'closed'
                     }
-                    if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                      ctx._source.signal.status = 'closed'
+                    if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                      ctx._source.kibana.alert.workflow_status = 'closed'
                     }",
               },
             },
@@ -188,8 +188,8 @@ describe('updateAlertsStatus', () => {
                 "source": "if (ctx._source['kibana.alert.workflow_status'] != null) {
                       ctx._source['kibana.alert.workflow_status'] = 'open'
                     }
-                    if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                      ctx._source.signal.status = 'open'
+                    if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                      ctx._source.kibana.alert.workflow_status = 'open'
                     }",
               },
             },
@@ -231,8 +231,8 @@ describe('updateAlertsStatus', () => {
                 "source": "if (ctx._source['kibana.alert.workflow_status'] != null) {
                       ctx._source['kibana.alert.workflow_status'] = 'closed'
                     }
-                    if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                      ctx._source.signal.status = 'closed'
+                    if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                      ctx._source.kibana.alert.workflow_status = 'closed'
                     }",
               },
             },
@@ -260,8 +260,8 @@ describe('updateAlertsStatus', () => {
                 "source": "if (ctx._source['kibana.alert.workflow_status'] != null) {
                       ctx._source['kibana.alert.workflow_status'] = 'open'
                     }
-                    if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                      ctx._source.signal.status = 'open'
+                    if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                      ctx._source.kibana.alert.workflow_status = 'open'
                     }",
               },
             },

diff --git a/x-pack/plugins/cases/server/services/alerts/index.ts b/x-pack/plugins/cases/server/services/alerts/index.ts
@@ -196,8 +196,8 @@ async function updateByQuery(
             source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
               ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
             }
-            if (ctx._source.signal != null && ctx._source.signal.status != null) {
-              ctx._source.signal.status = '${status}'
+            if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+              ctx._source.kibana.alert.workflow_status = '${status}'
             }`,
             lang: 'painless',
           },

diff --git a/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts b/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts
@@ -291,40 +291,40 @@ export const systemFieldsMap: Readonly<Record<string, string>> = {
 };
 
 export const signalFieldsMap: Readonly<Record<string, string>> = {
-  'signal.original_time': 'signal.original_time',
-  'signal.rule.id': 'signal.rule.id',
-  'signal.rule.saved_id': 'signal.rule.saved_id',
-  'signal.rule.timeline_id': 'signal.rule.timeline_id',
-  'signal.rule.timeline_title': 'signal.rule.timeline_title',
-  'signal.rule.output_index': 'signal.rule.output_index',
-  'signal.rule.from': 'signal.rule.from',
-  'signal.rule.index': 'signal.rule.index',
-  'signal.rule.language': 'signal.rule.language',
-  'signal.rule.query': 'signal.rule.query',
-  'signal.rule.to': 'signal.rule.to',
-  'signal.rule.filters': 'signal.rule.filters',
-  'signal.rule.rule_id': 'signal.rule.rule_id',
-  'signal.rule.false_positives': 'signal.rule.false_positives',
-  'signal.rule.max_signals': 'signal.rule.max_signals',
-  'signal.rule.risk_score': 'signal.rule.risk_score',
-  'signal.rule.description': 'signal.rule.description',
-  'signal.rule.name': 'signal.rule.name',
-  'signal.rule.immutable': 'signal.rule.immutable',
-  'signal.rule.references': 'signal.rule.references',
-  'signal.rule.severity': 'signal.rule.severity',
-  'signal.rule.tags': 'signal.rule.tags',
-  'signal.rule.threat': 'signal.rule.threat',
-  'signal.rule.type': 'signal.rule.type',
-  'signal.rule.size': 'signal.rule.size',
-  'signal.rule.enabled': 'signal.rule.enabled',
-  'signal.rule.created_at': 'signal.rule.created_at',
-  'signal.rule.updated_at': 'signal.rule.updated_at',
-  'signal.rule.created_by': 'signal.rule.created_by',
-  'signal.rule.updated_by': 'signal.rule.updated_by',
-  'signal.rule.version': 'signal.rule.version',
-  'signal.rule.note': 'signal.rule.note',
-  'signal.rule.threshold': 'signal.rule.threshold',
-  'signal.rule.exceptions_list': 'signal.rule.exceptions_list',
+  'kibana.alert.original_time': 'kibana.alert.original_time',
+  'kibana.alert.rule.uuid': 'kibana.alert.rule.uuid',
+  'kibana.alert.rule.saved_id': 'kibana.alert.rule.saved_id',
+  'kibana.alert.rule.timeline_id': 'kibana.alert.rule.timeline_id',
+  'kibana.alert.rule.timeline_title': 'kibana.alert.rule.timeline_title',
+  'kibana.alert.rule.output_index': 'kibana.alert.rule.output_index',
+  'kibana.alert.rule.from': 'kibana.alert.rule.from',
+  'kibana.alert.rule.index': 'kibana.alert.rule.index',
+  'kibana.alert.rule.language': 'kibana.alert.rule.language',
+  'kibana.alert.rule.query': 'kibana.alert.rule.query',
+  'kibana.alert.rule.to': 'kibana.alert.rule.to',
+  'kibana.alert.rule.filters': 'kibana.alert.rule.filters',
+  'kibana.alert.rule.rule_id': 'kibana.alert.rule.rule_id',
+  'kibana.alert.rule.false_positives': 'kibana.alert.rule.false_positives',
+  'kibana.alert.rule.max_signals': 'kibana.alert.rule.max_signals',
+  'kibana.alert.rule.risk_score': 'kibana.alert.rule.risk_score',
+  'kibana.alert.rule.description': 'kibana.alert.rule.description',
+  'kibana.alert.rule.name': 'kibana.alert.rule.name',
+  'kibana.alert.rule.immutable': 'kibana.alert.rule.immutable',
+  'kibana.alert.rule.references': 'kibana.alert.rule.references',
+  'kibana.alert.rule.severity': 'kibana.alert.rule.severity',
+  'kibana.alert.rule.tags': 'kibana.alert.rule.tags',
+  'kibana.alert.rule.threat': 'kibana.alert.rule.threat',
+  'kibana.alert.rule.type': 'kibana.alert.rule.type',
+  'kibana.alert.rule.size': 'kibana.alert.rule.size',
+  'kibana.alert.rule.enabled': 'kibana.alert.rule.enabled',
+  'kibana.alert.rule.created_at': 'kibana.alert.rule.created_at',
+  'kibana.alert.rule.updated_at': 'kibana.alert.rule.updated_at',
+  'kibana.alert.rule.created_by': 'kibana.alert.rule.created_by',
+  'kibana.alert.rule.updated_by': 'kibana.alert.rule.updated_by',
+  'kibana.alert.rule.version': 'kibana.alert.rule.version',
+  'kibana.alert.rule.note': 'kibana.alert.rule.note',
+  'kibana.alert.rule.threshold': 'kibana.alert.rule.threshold',
+  'kibana.alert.rule.exceptions_list': 'kibana.alert.rule.exceptions_list',
 };
 
 export const ruleFieldsMap: Readonly<Record<string, string>> = {

diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts
@@ -592,8 +592,8 @@ export class AlertsClient {
               source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
                 ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
               }
-              if (ctx._source.signal != null && ctx._source.signal.status != null) {
-                ctx._source.signal.status = '${status}'
+              if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+                ctx._source.kibana.alert.workflow_status = '${status}'
               }`,
               lang: 'painless',
             } as InlineScript,

diff --git a/.../plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/.../plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh
@@ -9,7 +9,7 @@
 
 set -e
 
-QUERY=${1:-"signal.status: open"}
+QUERY=${1:-"kibana.alert.workflow_status: open"}
 STATUS=${2}
 
 echo $IDS

diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
@@ -291,7 +291,7 @@ export const showAllOthersBucket: string[] = [
   'event.category',
   'event.dataset',
   'event.module',
-  'signal.rule.threat.tactic.name',
+  'kibana.alert.rule.threat.tactic.name',
   'source.ip',
   'destination.ip',
   'user.name',

diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
@@ -291,40 +291,40 @@ export const systemFieldsMap: Readonly<Record<string, string>> = {
 };
 
 export const signalFieldsMap: Readonly<Record<string, string>> = {
-  'signal.original_time': 'signal.original_time',
-  'signal.rule.id': 'signal.rule.id',
-  'signal.rule.saved_id': 'signal.rule.saved_id',
-  'signal.rule.timeline_id': 'signal.rule.timeline_id',
-  'signal.rule.timeline_title': 'signal.rule.timeline_title',
-  'signal.rule.output_index': 'signal.rule.output_index',
-  'signal.rule.from': 'signal.rule.from',
-  'signal.rule.index': 'signal.rule.index',
-  'signal.rule.language': 'signal.rule.language',
-  'signal.rule.query': 'signal.rule.query',
-  'signal.rule.to': 'signal.rule.to',
-  'signal.rule.filters': 'signal.rule.filters',
-  'signal.rule.rule_id': 'signal.rule.rule_id',
-  'signal.rule.false_positives': 'signal.rule.false_positives',
-  'signal.rule.max_signals': 'signal.rule.max_signals',
-  'signal.rule.risk_score': 'signal.rule.risk_score',
-  'signal.rule.description': 'signal.rule.description',
-  'signal.rule.name': 'signal.rule.name',
-  'signal.rule.immutable': 'signal.rule.immutable',
-  'signal.rule.references': 'signal.rule.references',
-  'signal.rule.severity': 'signal.rule.severity',
-  'signal.rule.tags': 'signal.rule.tags',
-  'signal.rule.threat': 'signal.rule.threat',
-  'signal.rule.type': 'signal.rule.type',
-  'signal.rule.size': 'signal.rule.size',
-  'signal.rule.enabled': 'signal.rule.enabled',
-  'signal.rule.created_at': 'signal.rule.created_at',
-  'signal.rule.updated_at': 'signal.rule.updated_at',
-  'signal.rule.created_by': 'signal.rule.created_by',
-  'signal.rule.updated_by': 'signal.rule.updated_by',
-  'signal.rule.version': 'signal.rule.version',
-  'signal.rule.note': 'signal.rule.note',
-  'signal.rule.threshold': 'signal.rule.threshold',
-  'signal.rule.exceptions_list': 'signal.rule.exceptions_list',
+  'kibana.alert.original_time': 'kibana.alert.original_time',
+  'kibana.alert.rule.uuid': 'kibana.alert.rule.uuid',
+  'kibana.alert.rule.saved_id': 'kibana.alert.rule.saved_id',
+  'kibana.alert.rule.timeline_id': 'kibana.alert.rule.timeline_id',
+  'kibana.alert.rule.timeline_title': 'kibana.alert.rule.timeline_title',
+  'kibana.alert.rule.output_index': 'kibana.alert.rule.output_index',
+  'kibana.alert.rule.from': 'kibana.alert.rule.from',
+  'kibana.alert.rule.index': 'kibana.alert.rule.index',
+  'kibana.alert.rule.language': 'kibana.alert.rule.language',
+  'kibana.alert.rule.query': 'kibana.alert.rule.query',
+  'kibana.alert.rule.to': 'kibana.alert.rule.to',
+  'kibana.alert.rule.filters': 'kibana.alert.rule.filters',
+  'kibana.alert.rule.rule_id': 'kibana.alert.rule.rule_id',
+  'kibana.alert.rule.false_positives': 'kibana.alert.rule.false_positives',
+  'kibana.alert.rule.max_signals': 'kibana.alert.rule.max_signals',
+  'kibana.alert.rule.risk_score': 'kibana.alert.rule.risk_score',
+  'kibana.alert.rule.description': 'kibana.alert.rule.description',
+  'kibana.alert.rule.name': 'kibana.alert.rule.name',
+  'kibana.alert.rule.immutable': 'kibana.alert.rule.immutable',
+  'kibana.alert.rule.references': 'kibana.alert.rule.references',
+  'kibana.alert.rule.severity': 'kibana.alert.rule.severity',
+  'kibana.alert.rule.tags': 'kibana.alert.rule.tags',
+  'kibana.alert.rule.threat': 'kibana.alert.rule.threat',
+  'kibana.alert.rule.type': 'kibana.alert.rule.type',
+  'kibana.alert.rule.size': 'kibana.alert.rule.size',
+  'kibana.alert.rule.enabled': 'kibana.alert.rule.enabled',
+  'kibana.alert.rule.created_at': 'kibana.alert.rule.created_at',
+  'kibana.alert.rule.updated_at': 'kibana.alert.rule.updated_at',
+  'kibana.alert.rule.created_by': 'kibana.alert.rule.created_by',
+  'kibana.alert.rule.updated_by': 'kibana.alert.rule.updated_by',
+  'kibana.alert.rule.version': 'kibana.alert.rule.version',
+  'kibana.alert.rule.note': 'kibana.alert.rule.note',
+  'kibana.alert.rule.threshold': 'kibana.alert.rule.threshold',
+  'kibana.alert.rule.exceptions_list': 'kibana.alert.rule.exceptions_list',
 };
 
 export const ruleFieldsMap: Readonly<Record<string, string>> = {

diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts
@@ -17,8 +17,6 @@ import { GeoEcs } from './geo';
 import { HostEcs } from './host';
 import { NetworkEcs } from './network';
 import { RegistryEcs } from './registry';
-import { RuleEcs } from './rule';
-import { SignalEcs } from './signal';
 import { SourceEcs } from './source';
 import { SuricataEcs } from './suricata';
 import { TlsEcs } from './tls';
@@ -47,8 +45,6 @@ export interface Ecs {
   host?: HostEcs;
   network?: NetworkEcs;
   registry?: RegistryEcs;
-  rule?: RuleEcs;
-  signal?: SignalEcs;
   source?: SourceEcs;
   suricata?: SuricataEcs;
   tls?: TlsEcs;