diff --git a/packages/kbn-securitysolution-rules/BUILD.bazel b/packages/kbn-securitysolution-rules/BUILD.bazel index d1f63022ed086..271c3e4d2fff4 100644 --- a/packages/kbn-securitysolution-rules/BUILD.bazel +++ b/packages/kbn-securitysolution-rules/BUILD.bazel @@ -29,15 +29,19 @@ NPM_MODULE_EXTRA_FILES = [ ] RUNTIME_DEPS = [ + "@npm//lodash", "@npm//tslib", "@npm//uuid", + "//packages/kbn-rule-data-utils" ] TYPES_DEPS = [ + "@npm//lodash", "@npm//tslib", "@npm//@types/jest", "@npm//@types/node", - "@npm//@types/uuid" + "@npm//@types/uuid", + "//packages/kbn-rule-data-utils" ] jsts_transpiler( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts b/packages/kbn-securitysolution-rules/src/constants.ts similarity index 88% rename from x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts rename to packages/kbn-securitysolution-rules/src/constants.ts index ec99666da474a..f8c4d135ae09b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts +++ b/packages/kbn-securitysolution-rules/src/constants.ts @@ -1,8 +1,9 @@ /* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. */ import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; diff --git a/packages/kbn-securitysolution-rules/src/index.ts b/packages/kbn-securitysolution-rules/src/index.ts index 1d59b9842c90d..37fa3efbe6197 100644 --- a/packages/kbn-securitysolution-rules/src/index.ts +++ b/packages/kbn-securitysolution-rules/src/index.ts 
@@ -6,6 +6,7 @@ * Side Public License, v 1. */ +export * from './constants'; export * from './rule_type_constants'; export * from './rule_type_mappings'; export * from './utils'; diff --git a/packages/kbn-securitysolution-rules/src/types.ts b/packages/kbn-securitysolution-rules/src/types.ts new file mode 100644 index 0000000000000..4f9fc622fe31c --- /dev/null +++ b/packages/kbn-securitysolution-rules/src/types.ts @@ -0,0 +1,18 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +/** + * Copied from security_solution: + * + * Defines the search types you can have from Elasticsearch within a + * doc._source. It uses recursive types of "| SearchTypes[]" to designate + * anything can also be of a type array, and it uses the recursive type of + * "| { [property: string]: SearchTypes }" to designate you can can sub-objects + * or sub-sub-objects, etc... + */ +export type SearchTypes = string | number | boolean | object | SearchTypes[] | undefined; diff --git a/packages/kbn-securitysolution-rules/src/utils.ts b/packages/kbn-securitysolution-rules/src/utils.ts index 40a3698ab0675..d8f5d594c28fb 100644 --- a/packages/kbn-securitysolution-rules/src/utils.ts +++ b/packages/kbn-securitysolution-rules/src/utils.ts @@ -6,7 +6,10 @@ * Side Public License, v 1. */ +import { isPlainObject } from 'lodash'; + import { RuleType, RuleTypeId, ruleTypeMappings } from './rule_type_mappings'; +import { SearchTypes } from './types'; export const isRuleType = (ruleType: unknown): ruleType is RuleType => { return Object.keys(ruleTypeMappings).includes(ruleType as string); 
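Review bot: The new `SearchTypes` union in types.ts includes `object`, and since arrays and nested objects are both assignable to `object` the `SearchTypes[]` arm adds no narrowing, while the TSDoc above it describes a `"| { [property: string]: SearchTypes }"` member the type does not actually contain. Either tighten the type to what the comment promises, `export type SearchTypes = string | number | boolean | SearchTypes[] | { [property: string]: SearchTypes } | undefined;`, or reword the comment to say nested objects are covered by `object`. The comment also has a typo, `you can can sub-objects`, and since it says the type is copied from security_solution, whichever form is chosen should stay in sync with the origin.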
@@ -15,3 +18,24 @@ export const isRuleType = (ruleType: unknown): ruleType is RuleType => {
 export const isRuleTypeId = (ruleTypeId: unknown): ruleTypeId is RuleTypeId => {
 return Object.values(ruleTypeMappings).includes(ruleTypeId as RuleTypeId);
 };
+
+export const flattenWithPrefix = (
+ prefix: string,
+ maybeObj: unknown
+): Record => {
+ if (maybeObj != null && isPlainObject(maybeObj)) {
+ return Object.keys(maybeObj as Record).reduce(
+ (acc: Record, key) => {
+ return {
+ ...acc,
+ ...flattenWithPrefix(`${prefix}.${key}`, (maybeObj as Record)[key]),
+ };
+ },
+ {}
+ );
+ } else {
+ return {
+ [prefix]: maybeObj as SearchTypes,
+ };
+ }
+};
diff --git a/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx b/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx
index 8fb34e0cdcbf5..7c3fab73576d4 100644
--- a/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx
+++ b/x-pack/plugins/cases/public/components/connectors/case/alert_fields.tsx
@@ -30,7 +30,7 @@ const Container = styled.div` const defaultAlertComment = { type: CommentType.generatedAlert,
- alerts: `[{{#context.alerts}}{"_id": "{{_id}}", "_index": "{{_index}}", "ruleId": "{{signal.rule.id}}", "ruleName": "{{signal.rule.name}}"}__SEPARATOR__{{/context.alerts}}]`,
+ alerts: `[{{#context.alerts}}{"_id": "{{_id}}", "_index": "{{_index}}", "ruleId": "{{kibana.alert.rule.uuid}}", "ruleName": "{{kibana.alert.rule.name}}"}__SEPARATOR__{{/context.alerts}}]`,
 }; const CaseParamsFields: React.FunctionComponent> = ({
diff --git a/x-pack/plugins/cases/server/services/alerts/index.test.ts b/x-pack/plugins/cases/server/services/alerts/index.test.ts
index d7dd44b33628b..97dd7b179c084 100644
--- a/x-pack/plugins/cases/server/services/alerts/index.test.ts
+++ b/x-pack/plugins/cases/server/services/alerts/index.test.ts
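Review bot: `flattenWithPrefix` builds its result with `{ ...acc, ...flattenWithPrefix(...) }` inside `reduce`, which copies the accumulator on every key and makes flattening a wide object quadratic in the number of leaves; a mutable accumulator with `Object.assign` gives the same output and key order. The `maybeObj != null &&` guard is redundant because lodash `isPlainObject` already returns false for null and undefined, and the generic arguments on `Record` appear to have been stripped in this rendering, so the rewrite below spells them out as `Record<string, SearchTypes>`. The function also has no TSDoc; a comment stating that nested plain objects are flattened into dotted keys, that arrays and other non-plain values are kept as leaf values, and that an empty nested object contributes no key at all would save callers a surprise.
```ts
export const flattenWithPrefix = (
  prefix: string,
  maybeObj: unknown
): Record<string, SearchTypes> => {
  // Anything that is not a plain object (arrays, primitives, null) is a leaf keyed by the prefix.
  if (!isPlainObject(maybeObj)) {
    return { [prefix]: maybeObj as SearchTypes };
  }
  const flattened: Record<string, SearchTypes> = {};
  for (const [key, value] of Object.entries(maybeObj as Record<string, unknown>)) {
    Object.assign(flattened, flattenWithPrefix(`${prefix}.${key}`, value));
  }
  return flattened;
};
```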
@@ -39,8 +39,8 @@ describe('updateAlertsStatus', () => { source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) { ctx._source['${ALERT_WORKFLOW_STATUS}'] = 'closed' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'closed' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'closed' }`, lang: 'painless', }, @@ -75,8 +75,8 @@ describe('updateAlertsStatus', () => { source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) { ctx._source['${ALERT_WORKFLOW_STATUS}'] = 'closed' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'closed' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'closed' }`, lang: 'painless', }, @@ -116,8 +116,8 @@ describe('updateAlertsStatus', () => { "source": "if (ctx._source['kibana.alert.workflow_status'] != null) { ctx._source['kibana.alert.workflow_status'] = 'acknowledged' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'acknowledged' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'acknowledged' }", }, }, @@ -159,8 +159,8 @@ describe('updateAlertsStatus', () => { "source": "if (ctx._source['kibana.alert.workflow_status'] != null) { ctx._source['kibana.alert.workflow_status'] = 'closed' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'closed' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'closed' }", }, }, 
@@ -188,8 +188,8 @@ describe('updateAlertsStatus', () => { "source": "if (ctx._source['kibana.alert.workflow_status'] != null) { ctx._source['kibana.alert.workflow_status'] = 'open' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'open' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'open' }", }, }, @@ -231,8 +231,8 @@ describe('updateAlertsStatus', () => { "source": "if (ctx._source['kibana.alert.workflow_status'] != null) { ctx._source['kibana.alert.workflow_status'] = 'closed' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'closed' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'closed' }", }, }, @@ -260,8 +260,8 @@ describe('updateAlertsStatus', () => { "source": "if (ctx._source['kibana.alert.workflow_status'] != null) { ctx._source['kibana.alert.workflow_status'] = 'open' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = 'open' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = 'open' }", }, }, diff --git a/x-pack/plugins/cases/server/services/alerts/index.ts b/x-pack/plugins/cases/server/services/alerts/index.ts index 6bb2fb3ee3c56..68df743912d92 100644 --- a/x-pack/plugins/cases/server/services/alerts/index.ts +++ b/x-pack/plugins/cases/server/services/alerts/index.ts 
@@ -196,8 +196,8 @@ async function updateByQuery( source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) { ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = '${status}' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = '${status}' }`, lang: 'painless', }, diff --git a/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts b/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts index 292822019fc9c..c7e3d58b3546c 100644 --- a/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/osquery/common/ecs/ecs_fields/index.ts 
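Review bot: In the painless script emitted by updateByQuery, the second guard still tests `ctx._source.signal != null` but then dereferences `ctx._source.kibana.alert.workflow_status`; for a legacy document that has a `signal` object but no nested `kibana` object, `ctx._source.kibana` is null and, as far as I can tell, the `.alert` access throws inside the script and fails the update for that document. It also means the legacy `signal.status` field is no longer updated at all, which may or may not be intended now that the first block sets the flattened `kibana.alert.workflow_status` key. Either restore the legacy branch, `if (ctx._source.signal != null && ctx._source.signal.status != null) { ctx._source.signal.status = '${status}' }`, or make the guard match what it dereferences, `if (ctx._source.kibana != null && ctx._source.kibana.alert != null && ctx._source.kibana.alert.workflow_status != null)`. The same script is emitted in the alerts_client.ts hunk further down and asserted verbatim in the index.test.ts expectations above; updateByQuery starts and ends outside this hunk.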
@@ -291,40 +291,40 @@ export const systemFieldsMap: Readonly> = { }; export const signalFieldsMap: Readonly> = { - 'signal.original_time': 'signal.original_time', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', + 'kibana.alert.original_time': 'kibana.alert.original_time', + 'kibana.alert.rule.uuid': 'kibana.alert.rule.uuid', + 'kibana.alert.rule.saved_id': 'kibana.alert.rule.saved_id', + 
'kibana.alert.rule.timeline_id': 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title': 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.output_index': 'kibana.alert.rule.output_index', + 'kibana.alert.rule.from': 'kibana.alert.rule.from', + 'kibana.alert.rule.index': 'kibana.alert.rule.index', + 'kibana.alert.rule.language': 'kibana.alert.rule.language', + 'kibana.alert.rule.query': 'kibana.alert.rule.query', + 'kibana.alert.rule.to': 'kibana.alert.rule.to', + 'kibana.alert.rule.filters': 'kibana.alert.rule.filters', + 'kibana.alert.rule.rule_id': 'kibana.alert.rule.rule_id', + 'kibana.alert.rule.false_positives': 'kibana.alert.rule.false_positives', + 'kibana.alert.rule.max_signals': 'kibana.alert.rule.max_signals', + 'kibana.alert.rule.risk_score': 'kibana.alert.rule.risk_score', + 'kibana.alert.rule.description': 'kibana.alert.rule.description', + 'kibana.alert.rule.name': 'kibana.alert.rule.name', + 'kibana.alert.rule.immutable': 'kibana.alert.rule.immutable', + 'kibana.alert.rule.references': 'kibana.alert.rule.references', + 'kibana.alert.rule.severity': 'kibana.alert.rule.severity', + 'kibana.alert.rule.tags': 'kibana.alert.rule.tags', + 'kibana.alert.rule.threat': 'kibana.alert.rule.threat', + 'kibana.alert.rule.type': 'kibana.alert.rule.type', + 'kibana.alert.rule.size': 'kibana.alert.rule.size', + 'kibana.alert.rule.enabled': 'kibana.alert.rule.enabled', + 'kibana.alert.rule.created_at': 'kibana.alert.rule.created_at', + 'kibana.alert.rule.updated_at': 'kibana.alert.rule.updated_at', + 'kibana.alert.rule.created_by': 'kibana.alert.rule.created_by', + 'kibana.alert.rule.updated_by': 'kibana.alert.rule.updated_by', + 'kibana.alert.rule.version': 'kibana.alert.rule.version', + 'kibana.alert.rule.note': 'kibana.alert.rule.note', + 'kibana.alert.rule.threshold': 'kibana.alert.rule.threshold', + 'kibana.alert.rule.exceptions_list': 'kibana.alert.rule.exceptions_list', }; export const ruleFieldsMap: Readonly> = { 
diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts index 5f65cda456a16..13d954171b69e 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts @@ -592,8 +592,8 @@ export class AlertsClient { source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) { ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}' } - if (ctx._source.signal != null && ctx._source.signal.status != null) { - ctx._source.signal.status = '${status}' + if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) { + ctx._source.kibana.alert.workflow_status = '${status}' }`, lang: 'painless', } as InlineScript, diff --git a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh index 8725e791d8efa..8fb2e54f92143 100755 --- a/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh +++ b/x-pack/plugins/rule_registry/server/scripts/bulk_update_old_security_solution_alert_by_query.sh @@ -9,7 +9,7 @@ set -e -QUERY=${1:-"signal.status: open"} +QUERY=${1:-"kibana.alert.workflow_status: open"} STATUS=${2} echo $IDS diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index 976d5b6869d48..d72f9cb5e7900 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts @@ -291,7 +291,7 @@ export const showAllOthersBucket: string[] = [ 'event.category', 'event.dataset', 'event.module', - 'signal.rule.threat.tactic.name', + 'kibana.alert.rule.threat.tactic.name', 'source.ip', 'destination.ip', 'user.name', 
diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts index 292822019fc9c..c7e3d58b3546c 100644 --- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts 
@@ -291,40 +291,40 @@ export const systemFieldsMap: Readonly> = { }; export const signalFieldsMap: Readonly> = { - 'signal.original_time': 'signal.original_time', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', + 'kibana.alert.original_time': 'kibana.alert.original_time', + 'kibana.alert.rule.uuid': 'kibana.alert.rule.uuid', + 'kibana.alert.rule.saved_id': 'kibana.alert.rule.saved_id', + 
'kibana.alert.rule.timeline_id': 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title': 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.output_index': 'kibana.alert.rule.output_index', + 'kibana.alert.rule.from': 'kibana.alert.rule.from', + 'kibana.alert.rule.index': 'kibana.alert.rule.index', + 'kibana.alert.rule.language': 'kibana.alert.rule.language', + 'kibana.alert.rule.query': 'kibana.alert.rule.query', + 'kibana.alert.rule.to': 'kibana.alert.rule.to', + 'kibana.alert.rule.filters': 'kibana.alert.rule.filters', + 'kibana.alert.rule.rule_id': 'kibana.alert.rule.rule_id', + 'kibana.alert.rule.false_positives': 'kibana.alert.rule.false_positives', + 'kibana.alert.rule.max_signals': 'kibana.alert.rule.max_signals', + 'kibana.alert.rule.risk_score': 'kibana.alert.rule.risk_score', + 'kibana.alert.rule.description': 'kibana.alert.rule.description', + 'kibana.alert.rule.name': 'kibana.alert.rule.name', + 'kibana.alert.rule.immutable': 'kibana.alert.rule.immutable', + 'kibana.alert.rule.references': 'kibana.alert.rule.references', + 'kibana.alert.rule.severity': 'kibana.alert.rule.severity', + 'kibana.alert.rule.tags': 'kibana.alert.rule.tags', + 'kibana.alert.rule.threat': 'kibana.alert.rule.threat', + 'kibana.alert.rule.type': 'kibana.alert.rule.type', + 'kibana.alert.rule.size': 'kibana.alert.rule.size', + 'kibana.alert.rule.enabled': 'kibana.alert.rule.enabled', + 'kibana.alert.rule.created_at': 'kibana.alert.rule.created_at', + 'kibana.alert.rule.updated_at': 'kibana.alert.rule.updated_at', + 'kibana.alert.rule.created_by': 'kibana.alert.rule.created_by', + 'kibana.alert.rule.updated_by': 'kibana.alert.rule.updated_by', + 'kibana.alert.rule.version': 'kibana.alert.rule.version', + 'kibana.alert.rule.note': 'kibana.alert.rule.note', + 'kibana.alert.rule.threshold': 'kibana.alert.rule.threshold', + 'kibana.alert.rule.exceptions_list': 'kibana.alert.rule.exceptions_list', }; export const ruleFieldsMap: Readonly> = { 
diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts index fbeb323157367..ab7929468c04d 100644 --- a/x-pack/plugins/security_solution/common/ecs/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/index.ts @@ -17,8 +17,6 @@ import { GeoEcs } from './geo'; import { HostEcs } from './host'; import { NetworkEcs } from './network'; import { RegistryEcs } from './registry'; -import { RuleEcs } from './rule'; -import { SignalEcs } from './signal'; import { SourceEcs } from './source'; import { SuricataEcs } from './suricata'; import { TlsEcs } from './tls'; @@ -47,8 +45,6 @@ export interface Ecs { host?: HostEcs; network?: NetworkEcs; registry?: RegistryEcs; - rule?: RuleEcs; - signal?: SignalEcs; source?: SourceEcs; suricata?: SuricataEcs; tls?: TlsEcs; diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts index 64d4f2986903a..bd94aee8bd3ca 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts @@ -135,8 +135,8 @@ describe('Events Details Helpers', () => { it('#getDataFromSourceHits', () => { const _source: EventSource = { '@timestamp': '2021-02-24T00:41:06.527Z', - 'signal.status': 'open', - 'signal.rule.name': 'Rawr', + 'kibana.alert.workflow_status': 'open', + 'kibana.alert.rule.name': 'Rawr', 'threat.indicator': [ { provider: 'yourself', @@ -162,14 +162,14 @@ describe('Events Details Helpers', () => { }, { category: 'signal', - field: 'signal.status', + field: 'kibana.alert.workflow_status', values: ['open'], originalValue: ['open'], isObjectArray: false, }, { category: 'signal', - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', values: ['Rawr'], originalValue: ['Rawr'], isObjectArray: false, 
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts index cd3f645a8f5ed..7e9c4e03c072f 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts @@ -139,7 +139,7 @@ describe('Detection rules, override', () => { getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore); getDetails(RISK_SCORE_OVERRIDE_DETAILS).should( 'have.text', - `${this.rule.riskOverride}signal.rule.risk_score` + `${this.rule.riskOverride}kibana.alert.rule.risk_score` ); getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride); getDetails(REFERENCE_URLS_DETAILS).should((details) => { diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts index 675a25641a2bd..6b1bf21132dfa 100644 --- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts +++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts 
@@ -19,13 +19,14 @@ export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]'; export const ALERT_ID = '[data-test-subj="draggable-content-_id"]'; export const ALERT_RISK_SCORE_HEADER = - '[data-test-subj="dataGridHeaderCell-signal.rule.risk_score"]'; + '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]'; -export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-signal.rule.name"]'; +export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]'; -export const ALERT_RULE_RISK_SCORE = '[data-test-subj="formatted-field-signal.rule.risk_score"]'; +export const ALERT_RULE_RISK_SCORE = + '[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]'; -export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-signal.rule.severity"]'; +export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]'; export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]'; diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts index ad83f2762c0f0..7dfb23c1f84b9 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts +++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts @@ -664,7 +664,7 @@ describe('helpers', () => { expect( allowTopN({ browserField: undefined, - fieldName: 'signal.rule.name', + fieldName: 'kibana.alert.rule.name', hideTopN: false, }) ).toBe(true); diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts index bca6c15d86140..9c8abc6d84ec3 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts 
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts 
@@ -113,74 +113,74 @@ export const allowTopN = ({ // TODO: remove this explicit allowlist when the ECS documentation includes alerts const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 
'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', - 'signal.status', + 'kibana.alert.ancestors.depth', + 'kibana.alert.ancestors.id', + 'kibana.alert.ancestors.rule', + 'kibana.alert.ancestors.type', + 'kibana.alert.original_event.action', + 'kibana.alert.original_event.category', + 'kibana.alert.original_event.code', + 'kibana.alert.original_event.created', + 'kibana.alert.original_event.dataset', + 'kibana.alert.original_event.duration', + 'kibana.alert.original_event.end', + 'kibana.alert.original_event.hash', + 'kibana.alert.original_event.id', + 'kibana.alert.original_event.kind', + 'kibana.alert.original_event.module', + 'kibana.alert.original_event.original', + 'kibana.alert.original_event.outcome', + 'kibana.alert.original_event.provider', + 'kibana.alert.original_event.risk_score', + 'kibana.alert.original_event.risk_score_norm', + 'kibana.alert.original_event.sequence', + 'kibana.alert.original_event.severity', + 'kibana.alert.original_event.start', + 'kibana.alert.original_event.timezone', + 'kibana.alert.original_event.type', + 'kibana.alert.original_time', + 'kibana.alert.parent.depth', + 'kibana.alert.ancestors.id', + 'kibana.alert.parent.index', + 'kibana.alert.parent.rule', + 'kibana.alert.parent.type', + 'kibana.alert.rule.created_by', + 'kibana.alert.rule.description', + 'kibana.alert.rule.enabled', + 'kibana.alert.rule.false_positives', + 'kibana.alert.rule.filters', + 'kibana.alert.rule.from', + 'kibana.alert.rule.uuid', + 'kibana.alert.rule.immutable', + 'kibana.alert.rule.index', + 'kibana.alert.rule.interval', + 'kibana.alert.rule.language', + 'kibana.alert.rule.max_signals', + 'kibana.alert.rule.name', + 'kibana.alert.rule.note', + 'kibana.alert.rule.output_index', + 'kibana.alert.rule.query', + 'kibana.alert.rule.references', + 'kibana.alert.rule.risk_score', + 'kibana.alert.rule.rule_id', + 'kibana.alert.rule.saved_id', + 
'kibana.alert.rule.severity', + 'kibana.alert.rule.size', + 'kibana.alert.rule.tags', + 'kibana.alert.rule.threat', + 'kibana.alert.rule.threat.tactic.id', + 'kibana.alert.rule.threat.tactic.name', + 'kibana.alert.rule.threat.tactic.reference', + 'kibana.alert.rule.threat.technique.id', + 'kibana.alert.rule.threat.technique.name', + 'kibana.alert.rule.threat.technique.reference', + 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.to', + 'kibana.alert.rule.type', + 'kibana.alert.rule.updated_by', + 'kibana.alert.rule.version', + 'kibana.alert.status', ].includes(fieldName); if (hideTopN) { diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index 9dd5a611352f4..f29536114b8b0 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -334,7 +334,7 @@ export const mockAlertDetailsData = [ { category: 'user', field: 'user.id', values: ['S-1-0-0'], originalValue: 'S-1-0-0' }, { category: 'signal', - field: 'signal.parents', + field: 'kibana.alert.ancestors', values: [ '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}', ], 
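Review bot: In the allowlist inside allowTopN, the entry that replaced `'signal.parent.id'` reads `'kibana.alert.ancestors.id'`, which duplicates the earlier entry and leaves `kibana.alert.parent.id` off the list even though the sibling `kibana.alert.parent.depth`, `.index`, `.rule` and `.type` entries are kept; it should read `'kibana.alert.parent.id',`. The final entry `'kibana.alert.status'` is also out of step with the rest of this change, which maps the old `signal.status` to `kibana.alert.workflow_status` (see the field_formatters test and the painless scripts), so top-N on the status column would be refused for alerts unless that field really exists; `'kibana.alert.workflow_status',` looks like the intended value. A smaller style point: the array literal and `.includes` are rebuilt on every call, and a module-level `Set` with `.has(fieldName)` would keep the list in one place. allowTopN begins before this hunk and the TODO above the list still applies.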
@@ -349,61 +349,61 @@ export const mockAlertDetailsData = [ }, { category: 'signal', - field: 'signal.ancestors', - values: [ - '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}', - ], - originalValue: [ - { - id: '688MAHYB7WTwW_Glsi_d', - type: 'event', - index: 'winlogbeat-7.10.0-2020.11.12-000001', - depth: 0, - }, - ], + field: 'kibana.alert.workflow_status', + values: ['open'], + originalValue: 'open', }, - { category: 'signal', field: 'signal.status', values: ['open'], originalValue: 'open' }, { category: 'signal', - field: 'signal.rule.id', + field: 'kibana.alert.rule.uuid', values: ['b69d086c-325a-4f46-b17b-fb6d227006ba'], originalValue: 'b69d086c-325a-4f46-b17b-fb6d227006ba', }, { category: 'signal', - field: 'signal.rule.rule_id', + field: 'kibana.alert.rule.rule_id', values: ['e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5'], originalValue: 'e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5', }, - { category: 'signal', field: 'signal.rule.actions', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.author', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.false_positives', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.meta.from', values: ['1m'], originalValue: '1m' }, + { category: 'signal', field: 'kibana.alert.rule.actions', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.rule.author', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.rule.false_positives', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.rule.meta.from', values: ['1m'], originalValue: '1m' }, { category: 'signal', - field: 'signal.rule.meta.kibana_siem_app_url', + field: 'kibana.alert.rule.meta.kibana_siem_app_url', values: ['http://localhost:5601/app/security'], originalValue: 'http://localhost:5601/app/security', }, - { category: 'signal', field: 'signal.rule.max_signals', values: 
[100], originalValue: 100 }, - { category: 'signal', field: 'signal.rule.risk_score', values: [21], originalValue: 21 }, - { category: 'signal', field: 'signal.rule.risk_score_mapping', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 }, + { category: 'signal', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 }, { category: 'signal', - field: 'signal.rule.output_index', + field: 'kibana.alert.rule.risk_score_mapping', + values: [], + originalValue: [], + }, + { + category: 'signal', + field: 'kibana.alert.rule.output_index', values: ['.siem-signals-angelachuang-default'], originalValue: '.siem-signals-angelachuang-default', }, - { category: 'signal', field: 'signal.rule.description', values: ['xxx'], originalValue: 'xxx' }, { category: 'signal', - field: 'signal.rule.from', + field: 'kibana.alert.rule.description', + values: ['xxx'], + originalValue: 'xxx', + }, + { + category: 'signal', + field: 'kibana.alert.rule.from', values: ['now-360s'], originalValue: 'now-360s', }, { category: 'signal', - field: 'signal.rule.index', + field: 'kibana.alert.rule.index', values: [ 'apm-*-transaction*', 'traces-apm*', 
@@ -425,25 +425,45 @@ export const mockAlertDetailsData = [ 'winlogbeat-*', ], }, - { category: 'signal', field: 'signal.rule.interval', values: ['5m'], originalValue: '5m' }, - { category: 'signal', field: 'signal.rule.language', values: ['kuery'], originalValue: 'kuery' }, - { category: 'signal', field: 'signal.rule.license', values: [''], originalValue: '' }, - { category: 'signal', field: 'signal.rule.name', values: ['xxx'], originalValue: 'xxx' }, + { category: 'signal', field: 'kibana.alert.rule.interval', values: ['5m'], originalValue: '5m' }, { category: 'signal', - field: 'signal.rule.query', + field: 'kibana.alert.rule.language', + values: ['kuery'], + originalValue: 'kuery', + }, + { category: 'signal', field: 'kibana.alert.rule.license', values: [''], originalValue: '' }, + { category: 'signal', field: 'kibana.alert.rule.name', values: ['xxx'], originalValue: 'xxx' }, + { + category: 'signal', + field: 'kibana.alert.rule.query', values: ['@timestamp : * '], originalValue: '@timestamp : * ', }, - { category: 'signal', field: 'signal.rule.references', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.severity', values: ['low'], originalValue: 'low' }, - { category: 'signal', field: 'signal.rule.severity_mapping', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.tags', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.type', values: ['query'], originalValue: 'query' }, - { category: 'signal', field: 'signal.rule.to', values: ['now'], originalValue: 'now' }, + { category: 'signal', field: 'kibana.alert.rule.references', values: [], originalValue: [] }, + { + category: 'signal', + field: 'kibana.alert.rule.severity', + values: ['low'], + originalValue: 'low', + }, + { + category: 'signal', + field: 'kibana.alert.rule.severity_mapping', + values: [], + originalValue: [], + }, + { category: 'signal', field: 'kibana.alert.rule.tags', values: [], originalValue: [] }, + { + 
category: 'signal', + field: 'kibana.alert.rule.type', + values: ['query'], + originalValue: 'query', + }, + { category: 'signal', field: 'kibana.alert.rule.to', values: ['now'], originalValue: 'now' }, { category: 'signal', - field: 'signal.rule.filters', + field: 'kibana.alert.rule.filters', values: [ '{"meta":{"alias":null,"negate":false,"disabled":false,"type":"exists","key":"message","value":"exists"},"exists":{"field":"message"},"$state":{"store":"appState"}}', ], 
@@ -464,122 +484,132 @@ export const mockAlertDetailsData = [ }, { category: 'signal', - field: 'signal.rule.created_by', + field: 'kibana.alert.rule.created_by', values: ['angela'], originalValue: 'angela', }, { category: 'signal', - field: 'signal.rule.updated_by', + field: 'kibana.alert.rule.updated_by', values: ['angela'], originalValue: 'angela', }, - { category: 'signal', field: 'signal.rule.threat', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.version', values: [2], originalValue: 2 }, + { category: 'signal', field: 'kibana.alert.rule.threat', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.rule.version', values: [2], originalValue: 2 }, { category: 'signal', - field: 'signal.rule.created_at', + field: 'kibana.alert.rule.created_at', values: ['2020-11-24T10:30:33.660Z'], originalValue: '2020-11-24T10:30:33.660Z', }, { category: 'signal', - field: 'signal.rule.updated_at', + field: 'kibana.alert.rule.updated_at', values: ['2020-11-25T15:37:40.939Z'], originalValue: '2020-11-25T15:37:40.939Z', }, - { category: 'signal', field: 'signal.rule.exceptions_list', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.depth', values: [1], originalValue: 1 }, + { category: 'signal', field: 'kibana.alert.rule.exceptions_list', values: [], originalValue: [] }, + { category: 'signal', field: 'kibana.alert.depth', values: [1], originalValue: 1 }, { category: 'signal', - field: 'signal.parent.id', + field: 'kibana.alert.ancestors.id', values: ['688MAHYB7WTwW_Glsi_d'], originalValue: '688MAHYB7WTwW_Glsi_d', }, - { category: 'signal', field: 'signal.parent.type', values: ['event'], originalValue: 'event' }, { category: 'signal', - field: 'signal.parent.index', + field: 'kibana.alert.parent.type', + values: ['event'], + originalValue: 'event', + }, + { + category: 'signal', + field: 'kibana.alert.parent.index', values: ['winlogbeat-7.10.0-2020.11.12-000001'], originalValue: 
'winlogbeat-7.10.0-2020.11.12-000001', }, - { category: 'signal', field: 'signal.parent.depth', values: [0], originalValue: 0 }, + { category: 'signal', field: 'kibana.alert.parent.depth', values: [0], originalValue: 0 }, { category: 'signal', - field: 'signal.original_time', + field: 'kibana.alert.original_time', values: ['2020-11-25T15:36:38.847Z'], originalValue: '2020-11-25T15:36:38.847Z', }, { category: 'signal', - field: 'signal.original_event.ingested', + field: 'kibana.alert.original_event.ingested', values: ['2020-11-25T15:36:40.924914552Z'], originalValue: '2020-11-25T15:36:40.924914552Z', }, - { category: 'signal', field: 'signal.original_event.code', values: [4625], originalValue: 4625 }, { category: 'signal', - field: 'signal.original_event.lag.total', + field: 'kibana.alert.original_event.code', + values: [4625], + originalValue: 4625, + }, + { + category: 'signal', + field: 'kibana.alert.original_event.lag.total', values: [2077], originalValue: 2077, }, { category: 'signal', - field: 'signal.original_event.lag.read', + field: 'kibana.alert.original_event.lag.read', values: [1075], originalValue: 1075, }, { category: 'signal', - field: 'signal.original_event.lag.ingest', + field: 'kibana.alert.original_event.lag.ingest', values: [1002], originalValue: 1002, }, { category: 'signal', - field: 'signal.original_event.provider', + field: 'kibana.alert.original_event.provider', values: ['Microsoft-Windows-Security-Auditing'], originalValue: 'Microsoft-Windows-Security-Auditing', }, { category: 'signal', - field: 'signal.original_event.created', + field: 'kibana.alert.original_event.created', values: ['2020-11-25T15:36:39.922Z'], originalValue: '2020-11-25T15:36:39.922Z', }, { category: 'signal', - field: 'signal.original_event.kind', + field: 'kibana.alert.original_event.kind', values: ['event'], originalValue: 'event', }, { category: 'signal', - field: 'signal.original_event.module', + field: 'kibana.alert.original_event.module', values: ['security'], 
originalValue: 'security', }, { category: 'signal', - field: 'signal.original_event.action', + field: 'kibana.alert.original_event.action', values: ['logon-failed'], originalValue: 'logon-failed', }, { category: 'signal', - field: 'signal.original_event.type', + field: 'kibana.alert.original_event.type', values: ['start'], originalValue: 'start', }, { category: 'signal', - field: 'signal.original_event.category', + field: 'kibana.alert.original_event.category', values: ['authentication'], originalValue: 'authentication', }, { category: 'signal', - field: 'signal.original_event.outcome', + field: 'kibana.alert.original_event.outcome', values: ['failure'], originalValue: 'failure', }, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap index f11150908375f..1e15e613f06b4 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap @@ -157,7 +157,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
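Review bot: In the `@@ -464,122` hunk the row that was `signal.parent.id` becomes `field: 'kibana.alert.ancestors.id'`, while its siblings `signal.parent.type`, `.index` and `.depth` become `kibana.alert.parent.*`, so the mock no longer has a `kibana.alert.parent.id` row at all. The same substitution is visible in the field list of the first hunk of this diff, where `'kibana.alert.ancestors.id'` now appears twice and `'kibana.alert.parent.id'` not once. If the parent id field still exists in the new schema, this line should read `field: 'kibana.alert.parent.id',`; if it was deliberately folded into the ancestors array, a one-line comment on the row saying so would stop the next reader from treating it as a typo.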

- You are in a dialog, containing options for field signal.status. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.workflow_status. Press tab to navigate options. Press escape to exit.

@@ -289,7 +289,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.name. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.name. Press tab to navigate options. Press escape to exit.

@@ -353,7 +353,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.

@@ -417,7 +417,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.

@@ -962,7 +962,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.status. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.workflow_status. Press tab to navigate options. Press escape to exit.

@@ -1094,7 +1094,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.name. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.name. Press tab to navigate options. Press escape to exit.

@@ -1158,7 +1158,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.

@@ -1222,7 +1222,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx index e7816fd1daaa8..20bd047e6dc8c 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx @@ -61,23 +61,23 @@ interface EventSummaryField { } const defaultDisplayFields: EventSummaryField[] = [ - { id: 'signal.status', label: SIGNAL_STATUS }, + { id: 'kibana.alert.workflow_status', label: SIGNAL_STATUS }, { id: '@timestamp', label: TIMESTAMP }, { id: SIGNAL_RULE_NAME_FIELD_NAME, - linkField: 'signal.rule.id', + linkField: 'kibana.alert.rule.uuid', label: ALERTS_HEADERS_RULE, }, - { id: 'signal.rule.severity', label: ALERTS_HEADERS_SEVERITY }, - { id: 'signal.rule.risk_score', label: ALERTS_HEADERS_RISK_SCORE }, + { id: 'kibana.alert.rule.severity', label: ALERTS_HEADERS_SEVERITY }, + { id: 'kibana.alert.rule.risk_score', label: ALERTS_HEADERS_RISK_SCORE }, { id: 'host.name' }, { id: 'agent.id', overrideField: AGENT_STATUS_FIELD_NAME, label: i18n.AGENT_STATUS }, { id: 'user.name' }, { id: SOURCE_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE }, { id: DESTINATION_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE }, - { id: 'signal.threshold_result.count', label: ALERTS_HEADERS_THRESHOLD_COUNT }, - { id: 'signal.threshold_result.terms', label: ALERTS_HEADERS_THRESHOLD_TERMS }, - { id: 'signal.threshold_result.cardinality', label: ALERTS_HEADERS_THRESHOLD_CARDINALITY }, + { id: 'kibana.alert.threshold_result.count', label: ALERTS_HEADERS_THRESHOLD_COUNT }, + { id: 'kibana.alert.threshold_result.terms', label: ALERTS_HEADERS_THRESHOLD_TERMS }, + { id: 'kibana.alert.threshold_result.cardinality', label: ALERTS_HEADERS_THRESHOLD_CARDINALITY }, ]; const processCategoryFields: EventSummaryField[] = [ 
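Review bot: The new ids in `defaultDisplayFields` are hand-typed literals (`'kibana.alert.workflow_status'`, `'kibana.alert.rule.uuid'`, `'kibana.alert.rule.severity'`, …) even though this same diff already imports `ALERT_RULE_UUID` from `@kbn/rule-data-utils` in helpers.test.tsx. Using the exported constants where one exists, e.g. `linkField: ALERT_RULE_UUID,`, turns the next field rename into a compile error instead of a silent lookup miss; the same applies to `alertsStackByOptions` and `DEFAULT_STACK_BY_FIELD` in the alerts_kpis/common/config.ts hunk. Where the package exports no constant for a field, keeping the literal is fine.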
@@ -253,7 +253,7 @@ export const getSummaryRows = ({ return acc; } - if (item.id === 'signal.threshold_result.terms') { + if (item.id === 'kibana.alert.threshold_result.terms') { try { const terms = getOr(null, 'originalValue', field); const parsedValue = terms.map((term: string) => JSON.parse(term)); @@ -274,7 +274,7 @@ export const getSummaryRows = ({ } } - if (item.id === 'signal.threshold_result.cardinality') { + if (item.id === 'kibana.alert.threshold_result.cardinality') { try { const parsedValue = JSON.parse(value); return [ @@ -319,7 +319,7 @@ const AlertSummaryViewComponent: React.FC<{ ); const ruleId = useMemo(() => { - const item = data.find((d) => d.field === 'signal.rule.id'); + const item = data.find((d) => d.field === 'kibana.alert.rule.uuid'); return Array.isArray(item?.originalValue) ? item?.originalValue[0] : item?.originalValue ?? null; diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx index aab0e86681783..8d783a84cfa12 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx @@ -34,12 +34,12 @@ export const ReasonComponent: React.FC = ({ eventId, data }) => { const { formatUrl } = useFormatUrl(SecurityPageName.rules); const reason = useMemo( - () => getFieldValue({ category: 'signal', field: 'signal.reason' }, data), + () => getFieldValue({ category: 'signal', field: 'kibana.alert.reason' }, data), [data] ); const ruleId = useMemo( - () => getFieldValue({ category: 'signal', field: 'signal.rule.id' }, data), + () => getFieldValue({ category: 'signal', field: 'kibana.alert.rule.uuid' }, data), [data] ); 
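Review bot: In the reason.tsx hunk, `getFieldValue({ category: 'signal', field: 'kibana.alert.reason' }, data)` and the `'kibana.alert.rule.uuid'` lookup below it keep `category: 'signal'` while the field now lives under `kibana.alert.*`; if the details item `category` is derived from the first segment of the field name, these lookups match nothing and `reason`/`ruleId` are empty for every alert. The same pairing is in the `isAlertFromEndpointEvent` hunk of endpoint_alert_check.ts (`some({ category: 'signal', field: 'kibana.alert.rule.uuid' }, data)`), where a miss makes the function return false for every alert. I cannot see from this diff how `category` is populated; the updated mocks still pair `'signal'` with `kibana.alert.*` fields, so if that is the real shape, a comment such as `// category stays 'signal' for kibana.alert.* fields (see field map)` at the first call site would keep a later reader from "fixing" it.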
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx index a90ec21f992f8..ca854e67ae7d9 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx @@ -9,6 +9,9 @@ import React from 'react'; import { mount } from 'enzyme'; import moment from 'moment-timezone'; +import { IndexPatternBase } from '@kbn/es-query'; +import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; + import { getFormattedComments, formatOperatingSystems, @@ -42,7 +45,6 @@ import { getCommentsArrayMock } from '../../../../../lists/common/schemas/types/ import { fields } from '../../../../../../../src/plugins/data/common/mocks'; import { ENTRIES, OLD_DATE_RELATIVE_TO_DATE_NOW } from '../../../../../lists/common/constants.mock'; import { CodeSignature } from '../../../../common/ecs/file'; -import { IndexPatternBase } from '@kbn/es-query'; jest.mock('uuid', () => ({ v4: jest.fn().mockReturnValue('123'), @@ -432,7 +434,7 @@ describe('Exception helpers', () => { entries: [ { ...getEntryMatchMock(), - field: 'signal.original_event.kind', + field: 'kibana.alert.original_event.kind', }, getEntryMatchMock(), ], @@ -442,7 +444,7 @@ describe('Exception helpers', () => { entries: [ { ...getEntryMatchMock(), - field: 'signal.original_event.module', + field: 'kibana.alert.original_event.module', }, ], }, @@ -1182,9 +1184,7 @@ describe('Exception helpers', () => { test('it should return pre-populated behavior protection items', () => { const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', { _id: '123', - rule: { - id: '123', - }, + [ALERT_RULE_UUID]: '123', process: { command_line: 'command_line', executable: 'some file path', 
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 58da977fcb8f0..d0ee756c50bd9 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -131,7 +131,7 @@ export const formatExceptionItemForUpdate = ( }; /** - * Maps "event." fields to "signal.original_event.". This is because when a rule is created + * Maps "event." fields to "kibana.alert.original_event.". This is because when a rule is created * the "event" field is copied over to "original_event". When the user creates an exception, * they expect it to match against the original_event's fields, not the signal event's. * @param exceptionItems new or existing ExceptionItem[] @@ -145,7 +145,7 @@ export const prepareExceptionItemsForBulkClose = ( return { ...itemEntry, field: itemEntry.field.startsWith('event.') - ? itemEntry.field.replace(/^event./, 'signal.original_event.') + ? itemEntry.field.replace(/^event./, 'kibana.alert.original_event.') : itemEntry.field, }; }); @@ -633,10 +633,10 @@ export const getPrepopulatedBehaviorException = ({ const { process } = alertEcsData; const entries = filterEmptyExceptionEntries([ { - field: 'rule.id', + field: 'kibana.alert.rule.uuid', operator: 'included' as const, type: 'match' as const, - value: alertEcsData.rule?.id ?? '', + value: alertEcsData['kibana.alert.rule.uuid'] ?? '', }, { field: 'process.executable.caseless', diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx index 06b90a129136b..dcc0e82acd48b 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx 
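Review bot: In the `@@ -145,7` hunk, `itemEntry.field.replace(/^event./, 'kibana.alert.original_event.')` carries over the unescaped dot from the old line, so the pattern matches `event` followed by any character and is only correct because of the `startsWith('event.')` guard two lines above. Since the line is being rewritten anyway, `/^event\./` states the intent and keeps the replacement safe if the guard is ever removed. The enclosing `prepareExceptionItemsForBulkClose` starts and ends outside the hunk.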
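Review bot: In the `@@ -633,10` hunk, `value: alertEcsData['kibana.alert.rule.uuid'] ?? ''` assumes the flattened key holds a scalar, but the Ecs mock in this same diff (mock_detection_alerts.ts) stores `kibana.alert.rule.*` values as arrays (`uuid: ['b5ba41ab-…']`), while helpers.test.tsx passes a plain `'123'`. If the Ecs type admits `string[]` for this key, the `match` entry's `value` becomes an array; normalising it the way alert_summary_view.tsx already does for the same field, `const ruleUuid = alertEcsData['kibana.alert.rule.uuid'];` then `value: (Array.isArray(ruleUuid) ? ruleUuid[0] : ruleUuid) ?? '',`, covers both shapes. The enclosing `getPrepopulatedBehaviorException` starts outside the hunk.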
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/actions/show_top_n.test.tsx @@ -12,7 +12,7 @@ import { ShowTopNButton } from './show_top_n'; describe('show topN button', () => { const defaultProps = { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', onClick: jest.fn(), ownFocus: false, showTopN: false, diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx index b961d700e8520..0abcbefc71954 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx @@ -20,7 +20,7 @@ describe('useHoverActionItems', () => { const defaultProps: UseHoverActionItemsProps = { dataProvider: [{} as DataProvider], defaultFocusedButtonRef: null, - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', handleHoverActionClicked: jest.fn(), hideTopN: false, isCaseView: false, @@ -97,7 +97,7 @@ describe('useHoverActionItems', () => { 'hover-actions-filter-out' ); expect(result.current.overflowActionItems[2].props['data-test-subj']).toEqual( - 'more-actions-signal.rule.name' + 'more-actions-kibana.alert.rule.name' ); expect(result.current.overflowActionItems[2].props.items[0].props['data-test-subj']).toEqual( 'hover-actions-toggle-column' diff --git a/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx index 6962ed03e81d4..78e4552e85156 100644 --- a/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/top_n/index.test.tsx 
@@ -169,14 +169,14 @@ describe('StatefulTopN', () => { negate: false, disabled: false, type: 'phrase', - key: 'signal.rule.id', + key: 'kibana.alert.rule.uuid', params: { query: 'd62249f0-1632-11ec-b035-19607969bc20', }, }, query: { match_phrase: { - 'signal.rule.id': 'd62249f0-1632-11ec-b035-19607969bc20', + 'kibana.alert.rule.uuid': 'd62249f0-1632-11ec-b035-19607969bc20', }, }, }, @@ -199,14 +199,14 @@ describe('StatefulTopN', () => { negate: false, disabled: false, type: 'phrase', - key: 'signal.rule.id', + key: 'kibana.alert.rule.uuid', params: { query: 'd62249f0-1632-11ec-b035-19607969bc20', }, }, query: { match_phrase: { - 'signal.rule.id': 'd62249f0-1632-11ec-b035-19607969bc20', + 'kibana.alert.rule.uuid': 'd62249f0-1632-11ec-b035-19607969bc20', }, }, }, diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts index cfa73da6368cd..0f4804d203517 100644 --- a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts +++ b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts @@ -5,6 +5,8 @@ * 2.0. */ +import { flattenWithPrefix } from '@kbn/securitysolution-rules'; + import { Ecs } from '../../../common/ecs'; import { TimelineNonEcsData } from '../../../common/search_strategy'; 
@@ -38,40 +40,38 @@ export const mockEcsDataWithAlert: Ecs = { region_name: ['xx'], country_iso_code: ['xx'], }, - signal: { - rule: { - created_at: ['2020-01-10T21:11:45.839Z'], - updated_at: ['2020-01-10T21:11:45.839Z'], - created_by: ['elastic'], - description: ['24/7'], - enabled: [true], - false_positives: ['test-1'], - filters: [], - from: ['now-300s'], - id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], - immutable: [false], - index: ['auditbeat-*'], - interval: ['5m'], - rule_id: ['rule-id-1'], - language: ['kuery'], - output_index: ['.siem-signals-default'], - max_signals: [100], - risk_score: ['21'], - query: ['user.name: root or user.name: admin'], - references: ['www.test.co'], - saved_id: ["Garrett's IP"], - timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'], - timeline_title: ['Untitled timeline'], - severity: ['low'], - updated_by: ['elastic'], - tags: [], - to: ['now'], - type: ['saved_query'], - threat: [], - note: ['# this is some markdown documentation'], - version: ['1'], - }, - }, + ...flattenWithPrefix('rule', { + created_at: ['2020-01-10T21:11:45.839Z'], + updated_at: ['2020-01-10T21:11:45.839Z'], + created_by: ['elastic'], + description: ['24/7'], + enabled: [true], + false_positives: ['test-1'], + filters: [], + from: ['now-300s'], + immutable: [false], + index: ['auditbeat-*'], + interval: ['5m'], + rule_id: ['rule-id-1'], + language: ['kuery'], + output_index: ['.siem-signals-default'], + max_signals: [100], + risk_score: ['21'], + query: ['user.name: root or user.name: admin'], + references: ['www.test.co'], + saved_id: ["Garrett's IP"], + timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'], + timeline_title: ['Untitled timeline'], + severity: ['low'], + updated_by: ['elastic'], + tags: [], + to: ['now'], + type: ['saved_query'], + threat: [], + note: ['# this is some markdown documentation'], + uuid: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], + version: ['1'], + }), }; export const getDetectionAlertMock = (overrides: Partial = {}): Ecs => ({ 
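Review bot: `...flattenWithPrefix('rule', { … })` yields keys of the form `rule.created_at` unless `flattenWithPrefix` itself prepends the alert namespace, yet the next hunk in this file sets `'kibana.alert.rule.name'` and `'kibana.alert.rule.type'` directly and `getDetectionAlertFieldsMock` uses `'kibana.alert.rule.type'`, so the base mock and its overrides would describe the rule under two different key families. If the helper takes the prefix literally, `...flattenWithPrefix(ALERT_RULE_NAMESPACE, {` (the constant this diff's constants.ts already imports from `@kbn/rule-data-utils`) keeps the mock aligned with the consumers. I cannot see the helper's body from here, so this is worth confirming against utils.ts before merging.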
@@ -81,14 +81,8 @@ export const getDetectionAlertMock = (overrides: Partial = {}): Ecs => ({ export const getThreatMatchDetectionAlert = (overrides: Partial = {}): Ecs => ({ ...mockEcsDataWithAlert, - signal: { - ...mockEcsDataWithAlert.signal, - rule: { - ...mockEcsDataWithAlert.rule, - name: ['mock threat_match rule'], - type: ['threat_match'], - }, - }, + 'kibana.alert.rule.name': ['mock_threat_match rule'], + 'kibana.alert.rule.type': ['threat_match'], threat: { enrichments: [ { @@ -107,6 +101,6 @@ export const getDetectionAlertFieldsMock = ( fields: TimelineNonEcsData[] = [] ): TimelineNonEcsData[] => [ { field: '@timestamp', value: ['2021-03-27T06:28:47.292Z'] }, - { field: 'signal.rule.type', value: ['threat_match'] }, + { field: 'kibana.alert.rule.type', value: ['threat_match'] }, ...fields, ]; diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts index d0a03d62a682b..02e6d21435d44 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts @@ -22,7 +22,7 @@ describe('isAlertFromEndpointEvent', () => { mockDetailItemData.push( // Must be an Alert { - field: 'signal.rule.id', + field: 'kibana.alert.rule.uuid', category: 'signal', originalValue: 'endpoint', values: ['endpoint'], @@ -43,7 +43,7 @@ describe('isAlertFromEndpointEvent', () => { }); it('should return false if it is not an Alert (ex. maybe an event)', () => { - _.remove(mockDetailItemData, { field: 'signal.rule.id' }); + _.remove(mockDetailItemData, { field: 'kibana.alert.rule.uuid' }); expect(isAlertFromEndpointEvent({ data: mockDetailItemData })).toBeFalsy(); }); 
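Review bot: In the `getThreatMatchDetectionAlert` hunk the replacement line changes the rule name from `'mock threat_match rule'` to `'mock_threat_match rule'`, which reads as an accidental edit rather than part of the field migration; any assertion on the old display string would now fail for an unrelated reason. Suggest `'kibana.alert.rule.name': ['mock threat_match rule'],` unless the new spelling is intended. The enclosing object literal continues past the hunk.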
@@ -57,8 +57,8 @@ describe('isAlertFromEndpointAlert', () => { it('should return true if detections data comes from an endpoint rule', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.module': ['endpoint'], - 'signal.original_event.kind': ['alert'], + 'kibana.alert.original_event.module': ['endpoint'], + 'kibana.alert.original_event.kind': ['alert'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBe(true); }); @@ -70,7 +70,7 @@ describe('isAlertFromEndpointAlert', () => { it('should return false if it is not an Alert', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.module': ['endpoint'], + 'kibana.alert.original_event.module': ['endpoint'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBeFalsy(); }); @@ -78,7 +78,7 @@ describe('isAlertFromEndpointAlert', () => { it('should return false if it is not an endpoint module', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.kind': ['alert'], + 'kibana.alert.original_event.kind': ['alert'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBeFalsy(); }); diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts index 7e7e7a6bcdd1f..de974fa10036c 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts @@ -19,7 +19,7 @@ export const isAlertFromEndpointEvent = ({ }: { data: TimelineEventsDetailsItem[]; }): boolean => { - const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, data); + const isAlert = some({ category: 'signal', field: 'kibana.alert.rule.uuid' }, data); if (!isAlert) { return false; 
@@ -38,8 +38,8 @@ export const isAlertFromEndpointAlert = ({ return false; } - const eventModules = getOr([], 'signal.original_event.module', ecsData); - const kinds = getOr([], 'signal.original_event.kind', ecsData); + const eventModules = getOr([], 'kibana.alert.original_event.module', ecsData); + const kinds = getOr([], 'kibana.alert.original_event.kind', ecsData); return eventModules.includes('endpoint') && kinds.includes('alert'); }; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts index 4b8a911bf1cd8..704afb5dc464c 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts @@ -8,7 +8,10 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => { const queryFilter = [ { - bool: { should: [{ match: { 'signal.status': 'open' } }], minimum_should_match: 1 }, + bool: { + should: [{ match: { 'kibana.alert.workflow_status': 'open' } }], + minimum_should_match: 1, + }, }, ]; @@ -24,7 +27,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => { ...queryFilter, { bool: { - should: [{ match: { 'signal.rule.id': ruleId } }], + should: [{ match: { 'kibana.alert.rule.uuid': ruleId } }], minimum_should_match: 1, }, }, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx index 484cd66575005..9a90253c2776d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx 
@@ -170,7 +170,7 @@ describe('AlertsHistogramPanel', () => { await waitFor(() => { expect(mockGetAlertsHistogramQuery.mock.calls[0]).toEqual([ - 'signal.rule.name', + 'kibana.alert.rule.name', '2020-07-07T08:20:18.966Z', '2020-07-08T08:20:18.966Z', [ @@ -196,7 +196,7 @@ describe('AlertsHistogramPanel', () => { meta: { alias: null, disabled: false, - key: 'signal.status', + key: 'kibana.alert.workflow_status', negate: false, params: { query: 'open', @@ -205,7 +205,7 @@ describe('AlertsHistogramPanel', () => { }, query: { term: { - 'signal.status': 'open', + 'kibana.alert.workflow_status': 'open', }, }, }; @@ -223,13 +223,13 @@ describe('AlertsHistogramPanel', () => { await waitFor(() => { expect(mockGetAlertsHistogramQuery.mock.calls[1]).toEqual([ - 'signal.rule.name', + 'kibana.alert.rule.name', '2020-07-07T08:20:18.966Z', '2020-07-08T08:20:18.966Z', [ { bool: { - filter: [{ term: { 'signal.status': 'open' } }], + filter: [{ term: { 'kibana.alert.workflow_status': 'open' } }], must: [], must_not: [], should: [], diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts index cb5a23e711974..ac316bee5dd76 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts 
@@ -8,20 +8,20 @@ import type { AlertsStackByOption } from './types'; export const alertsStackByOptions: AlertsStackByOption[] = [ - { text: 'signal.rule.risk_score', value: 'signal.rule.risk_score' }, - { text: 'signal.rule.severity', value: 'signal.rule.severity' }, - { text: 'signal.rule.threat.tactic.name', value: 'signal.rule.threat.tactic.name' }, + { text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' }, + { text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' }, + { text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' }, { text: 'destination.ip', value: 'destination.ip' }, { text: 'event.action', value: 'event.action' }, { text: 'event.category', value: 'event.category' }, { text: 'host.name', value: 'host.name' }, - { text: 'signal.rule.type', value: 'signal.rule.type' }, - { text: 'signal.rule.name', value: 'signal.rule.name' }, + { text: 'kibana.alert.rule.type', value: 'kibana.alert.rule.type' }, + { text: 'kibana.alert.rule.name', value: 'kibana.alert.rule.name' }, { text: 'source.ip', value: 'source.ip' }, { text: 'user.name', value: 'user.name' }, ]; -export const DEFAULT_STACK_BY_FIELD = 'signal.rule.name'; +export const DEFAULT_STACK_BY_FIELD = 'kibana.alert.rule.name'; export const PANEL_HEIGHT = 300; export const MOBILE_PANEL_HEIGHT = 500; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts index 833c05bfc7a79..e2d21f7742732 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts 
@@ -11,14 +11,14 @@ export interface AlertsStackByOption { } export type AlertsStackByField = - | 'signal.rule.risk_score' - | 'signal.rule.severity' - | 'signal.rule.threat.tactic.name' + | 'kibana.alert.rule.risk_score' + | 'kibana.alert.rule.severity' + | 'kibana.alert.rule.threat.tactic.name' | 'destination.ip' | 'event.action' | 'event.category' | 'host.name' - | 'signal.rule.type' - | 'signal.rule.name' + | 'kibana.alert.rule.type' + | 'kibana.alert.rule.name' | 'source.ip' | 'user.name'; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx index 261ac8cfee1a6..70a5d796007a4 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx @@ -8,6 +8,8 @@ import sinon from 'sinon'; import moment from 'moment'; +import { ALERT_GROUP_ID } from '@kbn/securitysolution-rules'; + import { sendAlertToTimelineAction, determineToAndFrom } from './actions'; import { mockEcsDataWithAlert, @@ -288,13 +290,7 @@ describe('alert actions', () => { test('it invokes createTimeline with timelineDefaults', async () => { const ecsDataMock: Ecs = { ...mockEcsDataWithAlert, - signal: { - rule: { - ...mockEcsDataWithAlert.signal?.rule!, - // @ts-expect-error - timeline_id: null, - }, - }, + 'kibana.alert.rule.timeline_id': null, }; await sendAlertToTimelineAction({ 
@@ -338,19 +334,12 @@ describe('alert actions', () => { }); describe('Eql', () => { - test(' with signal.group.id', async () => { + test(' with kibana.alert.group.id', async () => { const ecsDataMock: Ecs = { ...mockEcsDataWithAlert, - signal: { - rule: { - ...mockEcsDataWithAlert.signal?.rule!, - type: ['eql'], - timeline_id: [''], - }, - group: { - id: ['my-group-id'], - }, - }, + ['kibana.alert.rule.type']: ['eql'], + ['kibana.alert.rule.timeline_id']: [''], + [ALERT_GROUP_ID]: 'my-group-id', }; await sendAlertToTimelineAction({ @@ -375,23 +364,18 @@ describe('alert actions', () => { id: 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-alert-id-my-group-id', kqlQuery: '', name: '1', - queryMatch: { field: 'signal.group.id', operator: ':', value: 'my-group-id' }, + queryMatch: { field: 'kibana.alert.group.id', operator: ':', value: 'my-group-id' }, }, ], }, }); }); - test(' with NO signal.group.id', async () => { + test(' with NO kibana.alert.group.id', async () => { const ecsDataMock: Ecs = { ...mockEcsDataWithAlert, - signal: { - rule: { - ...mockEcsDataWithAlert.signal?.rule!, - type: ['eql'], - timeline_id: [''], - }, - }, + 'kibana.alert.rule.type': ['eql'], + 'kibana.alert.rule.timeline_id': [''], }; await sendAlertToTimelineAction({ diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx index d48bc95f5d480..7bd05d6ec296c 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx 
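Review bot: In the "with kibana.alert.group.id" mock the group id is set as a bare string, `[ALERT_GROUP_ID]: 'my-group-id'`, while every sibling field in the same literal is an array and the code under test indexes `ecs['kibana.alert.group.id'][0]`; on a string that yields `'m'`, not the `'my-group-id'` the assertion expects. Unless the `Ecs` type was changed to make this field scalar (not visible here), the mock should read `[ALERT_GROUP_ID]: ['my-group-id'],`. If the test passes as written, that itself is worth understanding, since it would mean the group-id path is not the one being exercised.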
@@ -68,10 +68,13 @@ export const getUpdateAlertsQuery = (eventIds: Readonly) => { export const getFilterAndRuleBounds = ( data: TimelineNonEcsData[][] ): [string[], number, number] => { - const stringFilter = data?.[0].filter((d) => d.field === 'signal.rule.filters')?.[0]?.value ?? []; + const stringFilter = + data?.[0].filter((d) => d.field === 'kibana.alert.rule.filters')?.[0]?.value ?? []; const eventTimes = data - .flatMap((alert) => alert.filter((d) => d.field === 'signal.original_time')?.[0]?.value ?? []) + .flatMap( + (alert) => alert.filter((d) => d.field === 'kibana.alert.original_time')?.[0]?.value ?? [] + ) .map((d) => moment(d)); return [stringFilter, moment.min(eventTimes).valueOf(), moment.max(eventTimes).valueOf()]; @@ -136,7 +139,9 @@ export const determineToAndFrom = ({ ecs }: { ecs: Ecs[] | Ecs }) => { const ecsData = ecs as Ecs; const elapsedTimeRule = moment.duration( moment().diff( - dateMath.parse(ecsData?.signal?.rule?.from != null ? ecsData.signal?.rule?.from[0] : 'now-0s') + dateMath.parse( + ecsData['kibana.alert.rule.from'] != null ? ecsData['kibana.alert.rule.from'][0] : 'now-0s' + ) ) ); const from = moment(ecsData?.timestamp ?? new Date()) @@ -164,7 +169,7 @@ export const getThresholdAggregationData = ( const thresholdEcsData: Ecs[] = Array.isArray(ecsData) ? ecsData : [ecsData]; return thresholdEcsData.reduce( (outerAcc, thresholdData) => { - const threshold = thresholdData.signal?.rule?.threshold as string[]; + const threshold = thresholdData['kibana.alert.rule.threshold'] as string[]; let aggField: string[] = []; let thresholdResult: { 
@@ -177,24 +182,26 @@ export const getThresholdAggregationData = ( }; try { - thresholdResult = JSON.parse((thresholdData.signal?.threshold_result as string[])[0]); + thresholdResult = JSON.parse( + (thresholdData['kibana.alert.threshold_result'] as string[])[0] + ); aggField = JSON.parse(threshold[0]).field; } catch (err) { thresholdResult = { terms: [ { - field: (thresholdData.rule?.threshold as { field: string }).field, - value: (thresholdData.signal?.threshold_result as { value: string }).value, + field: (thresholdData['kibana.alert.rule.threshold'] as { field: string }).field, + value: (thresholdData['kibana.alert.threshold_result'] as { value: string }).value, }, ], - count: (thresholdData.signal?.threshold_result as { count: number }).count, - from: (thresholdData.signal?.threshold_result as { from: string }).from, + count: (thresholdData['kibana.alert.threshold_result'] as { count: number }).count, + from: (thresholdData['kibana.alert.threshold_result'] as { from: string }).from, }; } - const originalTime = moment(thresholdData.signal?.original_time![0]); + const originalTime = moment(thresholdData['kibana.alert.original_time']![0]); const now = moment(); - const ruleFrom = dateMath.parse(thresholdData.signal?.rule?.from![0]!); + const ruleFrom = dateMath.parse(thresholdData['kibana.alert.rule.from']![0]!); const ruleInterval = moment.duration(now.diff(ruleFrom)); const fromOriginalTime = originalTime.clone().subtract(ruleInterval); // This is the default... can overshoot const aggregationFields = Array.isArray(aggField) ? aggField : [aggField]; 
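Review bot: The `catch` fallback dereferences `thresholdData['kibana.alert.threshold_result']` as `.value`, `.count` and `.from` without checking it exists; when the field is absent, `JSON.parse((undefined as string[])[0])` throws, control enters the catch, and the catch then throws a TypeError out of `getThresholdAggregationData`, so the "fallback" does not actually fall back. This is carried over from the `signal.*` version rather than introduced, but since these lines are rewritten here it is the cheap moment to hoist `const thresholdResultRaw = thresholdData['kibana.alert.threshold_result'];` and bail out (or skip the row) when it is nullish before either parse. The `!` assertions on `kibana.alert.original_time` and `kibana.alert.rule.from` would likewise be safer as explicit guards. The enclosing reducer starts and ends outside this hunk.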
@@ -254,15 +261,15 @@ export const getThresholdAggregationData = ( }; export const isEqlRuleWithGroupId = (ecsData: Ecs) => - ecsData.signal?.rule?.type?.length && - ecsData.signal?.rule?.type[0] === 'eql' && - ecsData.signal?.group?.id?.length; + ecsData['kibana.alert.rule.type'].length && + ecsData['kibana.alert.rule.type'][0] === 'eql' && + ecsData['kibana.alert.group.id'].length; export const isThresholdRule = (ecsData: Ecs) => - ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'threshold'; + ecsData['kibana.alert.rule.type'].length && ecsData['kibana.alert.rule.type'][0] === 'threshold'; export const buildAlertsKqlFilter = ( - key: '_id' | 'signal.group.id', + key: '_id' | 'kibana.alert.group.id', alertIds: string[] ): Filter[] => { return [ @@ -330,10 +337,10 @@ export const buildEqlDataProviderOrFilter = ( return { dataProviders: [], filters: buildAlertsKqlFilter( - 'signal.group.id', + 'kibana.alert.group.id', ecs.reduce((acc, ecsData) => { - const signalGroupId = ecsData.signal?.group?.id?.length - ? ecsData.signal?.group?.id[0] + const signalGroupId = ecsData['kibana.alert.group.id'].length + ? ecsData['kibana.alert.group.id'][0] : 'unknown-signal-group-id'; if (!acc.includes(signalGroupId)) { return [...acc, signalGroupId]; @@ -343,8 +350,8 @@ export const buildEqlDataProviderOrFilter = ( ), }; } else if (!Array.isArray(ecs)) { - const signalGroupId = ecs.signal?.group?.id?.length - ? ecs.signal?.group?.id[0] + const signalGroupId = ecs['kibana.alert.group.id'].length + ? ecs['kibana.alert.group.id'][0] : 'unknown-signal-group-id'; return { dataProviders: [ @@ -356,7 +363,7 @@ export const buildEqlDataProviderOrFilter = ( excluded: false, kqlQuery: '', queryMatch: { - field: 'signal.group.id', + field: 'kibana.alert.group.id', value: signalGroupId, operator: ':' as const, }, 
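Review bot: `isEqlRuleWithGroupId`, `isThresholdRule` and both branches of `buildEqlDataProviderOrFilter` drop the optional chaining the `signal.*` versions had: `ecsData['kibana.alert.rule.type'].length` and `ecsData['kibana.alert.group.id'].length` now throw a TypeError on any row where the field is absent, whereas `ecsData.signal?.rule?.type?.length` evaluated to undefined. Rows without a rule type or group id are plausible here (non-EQL alerts have no group id, and the `'unknown-signal-group-id'` fallback a few lines down exists precisely for that case), so the new code would crash before reaching that fallback. Restoring the null-safety is a one-character change per access, e.g. `ecsData['kibana.alert.rule.type']?.length && ecsData['kibana.alert.rule.type']?.[0] === 'eql' && ecsData['kibana.alert.group.id']?.length;`, and the same for the `group.id` reads in `buildEqlDataProviderOrFilter`.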
@@ -381,9 +388,12 @@ export const sendAlertToTimelineAction = async ({ */ const ecsData: Ecs = Array.isArray(ecs) && ecs.length > 0 ? ecs[0] : (ecs as Ecs); const alertIds = Array.isArray(ecs) ? ecs.map((d) => d._id) : []; - const noteContent = ecsData.signal?.rule?.note != null ? ecsData.signal?.rule?.note[0] : ''; + const noteContent = + ecsData['kibana.alert.rule.note'] != null ? ecsData['kibana.alert.rule.note'][0] : ''; const timelineId = - ecsData.signal?.rule?.timeline_id != null ? ecsData.signal?.rule?.timeline_id[0] : ''; + ecsData['kibana.alert.rule.timeline_id'] != null + ? ecsData['kibana.alert.rule.timeline_id'][0] + : ''; const { to, from } = determineToAndFrom({ ecs }); // For now we do not want to populate the template timeline if we have alertIds @@ -477,7 +487,7 @@ export const sendAlertToTimelineAction = async ({ timeline: { ...timelineDefaults, description: `_id: ${ecsData._id}`, - filters: getFiltersFromRule(ecsData.signal?.rule?.filters as string[]), + filters: getFiltersFromRule(ecsData['kibana.alert.rule.filters'] as string[]), dataProviders, id: TimelineId.active, indexNames: [], @@ -489,13 +499,15 @@ export const sendAlertToTimelineAction = async ({ kqlQuery: { filterQuery: { kuery: { - kind: ecsData.signal?.rule?.language?.length - ? (ecsData.signal?.rule?.language[0] as KueryFilterQueryKind) + kind: ecsData['kibana.alert.rule.language'].length + ? (ecsData['kibana.alert.rule.language'][0] as KueryFilterQueryKind) : 'kuery', - expression: ecsData.signal?.rule?.query?.length ? ecsData.signal?.rule?.query[0] : '', + expression: ecsData['kibana.alert.rule.query'].length + ? ecsData['kibana.alert.rule.query'][0] + : '', }, - serializedQuery: ecsData.signal?.rule?.query?.length - ? ecsData.signal?.rule?.query[0] + serializedQuery: ecsData['kibana.alert.rule.query'].length + ? ecsData['kibana.alert.rule.query'][0] : '', }, }, 
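Review bot: In the default-timeline branch of `sendAlertToTimelineAction`, `ecsData['kibana.alert.rule.language'].length` and `ecsData['kibana.alert.rule.query'].length` (used three times) replace `?.length` chains and will throw when the alert carries no `language` or `query` field, which the surrounding code clearly anticipates since it falls back to `'kuery'` and `''`. The sibling reads of `kibana.alert.rule.note` and `kibana.alert.rule.timeline_id` in the first hunk keep their `!= null` checks, so this looks like an oversight rather than a deliberate tightening. Use `ecsData['kibana.alert.rule.language']?.length` and `ecsData['kibana.alert.rule.query']?.length` so the existing fallbacks are reachable. The function continues past the end of this hunk.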
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx index 9c6954a6898a6..0b27816d6c197 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx @@ -25,14 +25,14 @@ describe('alerts default_config', () => { negate: false, disabled: false, type: 'phrase', - key: 'signal.rule.id', + key: 'kibana.alert.rule.uuid', params: { query: 'rule-id-1', }, }, query: { match_phrase: { - 'signal.rule.id': 'rule-id-1', + 'kibana.alert.rule.uuid': 'rule-id-1', }, }, }; @@ -48,12 +48,12 @@ describe('alerts default_config', () => { alias: null, disabled: false, negate: false, - key: 'signal.rule.threat_mapping', + key: 'kibana.alert.rule.threat_mapping', type: 'exists', value: 'exists', }, exists: { - field: 'signal.rule.threat_mapping', + field: 'kibana.alert.rule.threat_mapping', }, }; expect(filters).toHaveLength(1); @@ -73,7 +73,7 @@ describe('alerts default_config', () => { meta: { alias: null, disabled: false, - key: 'signal.status', + key: 'kibana.alert.workflow_status', negate: false, params: { query: 'acknowledged', @@ -85,12 +85,12 @@ describe('alerts default_config', () => { should: [ { term: { - 'signal.status': 'acknowledged', + 'kibana.alert.workflow_status': 'acknowledged', }, }, { term: { - 'signal.status': 'in-progress', + 'kibana.alert.workflow_status': 'in-progress', }, }, ], @@ -107,7 +107,7 @@ describe('alerts default_config', () => { meta: { alias: null, disabled: false, - key: 'signal.status', + key: 'kibana.alert.workflow_status', negate: false, params: { query: 'open', @@ -116,7 +116,7 @@ describe('alerts default_config', () => { }, query: { term: { - 'signal.status': 'open', + 'kibana.alert.workflow_status': 'open', }, }, }; 
@@ -139,17 +139,17 @@ describe('alerts default_config', () => { should: [ { term: { - 'signal.status': 'open', + 'kibana.alert.workflow_status': 'open', }, }, { term: { - 'signal.status': 'acknowledged', + 'kibana.alert.workflow_status': 'acknowledged', }, }, { term: { - 'signal.status': 'in-progress', + 'kibana.alert.workflow_status': 'in-progress', }, }, ], diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index 3bc229273bc83..cfd06b600aac3 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -34,12 +34,12 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => { should: [ { term: { - 'signal.status': status, + 'kibana.alert.status': status, }, }, { term: { - 'signal.status': 'in-progress', + 'kibana.alert.status': 'in-progress', }, }, ], @@ -47,7 +47,7 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => { } : { term: { - 'signal.status': status, + 'kibana.alert.status': status, }, }; @@ -58,7 +58,7 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => { negate: false, disabled: false, type: 'phrase', - key: 'signal.status', + key: 'kibana.alert.status', params: { query: status, }, @@ -76,7 +76,7 @@ export const buildAlertStatusesFilter = (statuses: Status[]): Filter[] => { bool: { should: statuses.map((status) => ({ term: { - 'signal.status': status, + 'kibana.alert.status': status, }, })), }, 
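Review bot: `buildAlertStatusFilter` and `buildAlertStatusesFilter` filter on `kibana.alert.status`, but the accompanying test hunk directly above expects `kibana.alert.workflow_status`, and elsewhere in this diff the open/acknowledged/in-progress value is read from `kibana.alert.workflow_status` (`query.dsl.ts`, `SIGNAL_STATUS_FIELD_NAME` in the timeline renderer constants, the histogram-panel test). If `kibana.alert.status` is the alert-lifecycle status rather than the analyst workflow status, as the `workflow_status` naming suggests, these filters would return an empty or wrong alert set for the Open / Acknowledged / Closed views, which is the primary triage surface. Unless the status field was intentionally split, change the `term`, `meta.key` and `should` entries in both builders to `'kibana.alert.workflow_status'` so they agree with the test and the rest of the diff.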
@@ -103,14 +103,14 @@ export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] => negate: false, disabled: false, type: 'phrase', - key: 'signal.rule.id', + key: 'kibana.alert.rule.uuid', params: { query: ruleId, }, }, query: { match_phrase: { - 'signal.rule.id': ruleId, + 'kibana.alert.rule.uuid': ruleId, }, }, }, @@ -127,11 +127,11 @@ export const buildShowBuildingBlockFilter = (showBuildingBlockAlerts: boolean): negate: true, disabled: false, type: 'exists', - key: 'signal.rule.building_block_type', + key: 'kibana.alert.rule.building_block_type', value: 'exists', }, // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[] - exists: { field: 'signal.rule.building_block_type' }, + exists: { field: 'kibana.alert.rule.building_block_type' }, }, ]; @@ -143,12 +143,12 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean): alias: null, disabled: false, negate: false, - key: 'signal.rule.threat_mapping', + key: 'kibana.alert.rule.threat_mapping', type: 'exists', value: 'exists', }, // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[] - exists: { field: 'signal.rule.threat_mapping' }, + exists: { field: 'kibana.alert.rule.threat_mapping' }, }, ] : []; 
@@ -162,21 +162,21 @@ export const alertsDefaultModel: SubsetTimelineModel = { export const requiredFieldsForActions = [ '@timestamp', - 'signal.status', - 'signal.group.id', - 'signal.original_time', - 'signal.rule.building_block_type', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.language', - 'signal.rule.query', - 'signal.rule.name', - 'signal.rule.to', - 'signal.rule.id', - 'signal.rule.index', - 'signal.rule.type', - 'signal.original_event.kind', - 'signal.original_event.module', + 'kibana.alert.status', + 'kibana.alert.group.id', + 'kibana.alert.original_time', + 'kibana.alert.rule.building_block_type', + 'kibana.alert.rule.filters', + 'kibana.alert.rule.from', + 'kibana.alert.rule.language', + 'kibana.alert.rule.query', + 'kibana.alert.rule.name', + 'kibana.alert.rule.to', + 'kibana.alert.rule.uuid', + 'kibana.alert.rule.index', + 'kibana.alert.rule.type', + 'kibana.alert.original_event.kind', + 'kibana.alert.original_event.module', // Endpoint exception fields 'file.path', 'file.Ext.code_signature.subject_name', diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx index 305e0fcd46ef8..e1c7cfe5bf023 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx @@ -350,7 +350,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt - {'signal.rule.risk_score'} + {'kibana.alert.rule.risk_score'} ), }; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx index 5e88b44b9e192..6d8ea92861df9 100644 
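Review bot: `requiredFieldsForActions` requests `'kibana.alert.status'` while the status the row actions and renderers read in this same diff comes from `SIGNAL_STATUS_FIELD_NAME = 'kibana.alert.workflow_status'`; if these are distinct fields in the alert document, the workflow status the actions depend on (for example to decide whether "close" or "acknowledge" applies) would not be fetched at all. Adding `'kibana.alert.workflow_status',` to the list (or replacing the `status` entry if `kibana.alert.status` is not used anywhere) keeps the fetched field set in step with the consumers. Which of the two fields is authoritative is not visible from this hunk and should be settled once for the whole change.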
--- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx @@ -24,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate( export const RISK_SCORE_FIELD = i18n.translate( 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle', { - defaultMessage: 'signal.rule.risk_score', + defaultMessage: 'kibana.alert.rule.risk_score', } ); diff --git a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx index 200b21bbecc4b..53b30e8b3521c 100644 --- a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx @@ -71,9 +71,9 @@ export const TakeActionDropdownComponent = React.memo( const actionsData = useMemo( () => [ - { category: 'signal', field: 'signal.rule.id', name: 'ruleId' }, - { category: 'signal', field: 'signal.rule.name', name: 'ruleName' }, - { category: 'signal', field: 'signal.status', name: 'alertStatus' }, + { category: 'signal', field: 'kibana.alert.rule.uuid', name: 'ruleId' }, + { category: 'signal', field: 'kibana.alert.rule.name', name: 'ruleName' }, + { category: 'signal', field: 'kibana.alert.status', name: 'alertStatus' }, { category: 'event', field: 'event.kind', name: 'eventKind' }, { category: '_id', field: '_id', name: 'eventId' }, ].reduce( diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts index ae9285f85501b..d33e1ca2a2e58 100644 
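Review bot: In the take-action dropdown, `alertStatus` is resolved from `kibana.alert.status` but the renderer constant introduced in this same diff maps the status column to `kibana.alert.workflow_status`; if those are different fields, `alertStatus` will be undefined or the lifecycle value instead of open/acknowledged/closed, and any action menu that branches on it will misbehave. The three entries also keep `category: 'signal'` while the fields moved to `kibana.alert.*`, so confirm the details-item category still matches or the reduce produces no values at all. A single source of truth such as `{ category: 'signal', field: SIGNAL_STATUS_FIELD_NAME, name: 'alertStatus' }` would prevent the two sites drifting again.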
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts @@ -42,12 +42,12 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, - id: 'signal.rule.severity', + id: 'kibana.alert.rule.severity', initialWidth: 102, }, { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_REASON, - id: 'signal.reason', + id: 'kibana.alert.reason', }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx index a4826445b23cf..57589f8fa0fad 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx @@ -81,7 +81,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); @@ -93,7 +93,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx index 12e0a5486b3a2..9adbbfb9b85d4 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx 
@@ -54,9 +54,9 @@ export const RenderCellValue: React.FC{moment().fromNow(true)}; - case 'signal.rule.severity': + case 'kibana.alert.rule.severity': return ; - case 'signal.reason': + case 'kibana.alert.reason': return ( {reason} diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts index bf0801f276bdf..45433a39d8b97 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts @@ -26,20 +26,20 @@ export const columns: Array< }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.name', + id: 'kibana.alert.rule.name', displayAsText: i18n.ALERTS_HEADERS_RULE_NAME, - linkField: 'signal.rule.id', + linkField: 'kibana.alert.rule.uuid', initialWidth: 212, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.severity', + id: 'kibana.alert.rule.severity', displayAsText: i18n.ALERTS_HEADERS_SEVERITY, initialWidth: 104, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.reason', + id: 'kibana.alert.reason', displayAsText: i18n.ALERTS_HEADERS_REASON, }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx index ccd71404a2216..4159a6aa76797 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx @@ -55,7 +55,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); 
@@ -67,7 +67,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx index 6475ef5bef970..4992b04781eb6 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx @@ -45,7 +45,7 @@ export const RenderCellValue: React.FC ); - case 'signal.reason': + case 'kibana.alert.reason': return {reason}; default: return ( diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts index beeed344c31ef..72aba6e186fcb 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts 
@@ -31,26 +31,26 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_RULE, - id: 'signal.rule.name', + id: 'kibana.alert.rule.name', initialWidth: DEFAULT_COLUMN_MIN_WIDTH, - linkField: 'signal.rule.id', + linkField: 'kibana.alert.rule.uuid', }, { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, - id: 'signal.rule.severity', + id: 'kibana.alert.rule.severity', initialWidth: 105, }, { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_RISK_SCORE, - id: 'signal.rule.risk_score', + id: 'kibana.alert.rule.risk_score', initialWidth: 100, }, { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_REASON, - id: 'signal.reason', + id: 'kibana.alert.reason', initialWidth: 450, }, { diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts index fa850ce6b36ea..4759eb00c8c85 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts 
@@ -42,7 +42,7 @@ describe('Detections Alerts API', () => { test('check parameter url, body', async () => { await fetchQueryAlerts({ query: mockAlertsQuery, signal: abortCtrl.signal }); expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/signals/search', { - body: '{"aggs":{"alertsByGrouping":{"terms":{"field":"signal.rule.risk_score","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}', + body: '{"aggs":{"alertsByGrouping":{"terms":{"field":"kibana.alert.rule.risk_score","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}', method: 'POST', signal: abortCtrl.signal, }); diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts index 7aba8fa4ac10f..da9f76bd28ade 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts @@ -949,7 +949,7 @@ export const mockAlertsQuery: object = { aggs: { alertsByGrouping: { terms: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', missing: 'All others', order: { _count: 'desc' }, size: 10, 
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx index da56275280f65..c8307c311bdbc 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx @@ -41,7 +41,7 @@ const useFetchRule = () => useAsync(fetchWithOptionslSignal); const buildLastAlertQuery = (ruleId: string) => ({ query: { bool: { - filter: [{ match: { 'signal.rule.id': ruleId } }], + filter: [{ match: { 'kibana.alert.rule.uuid': ruleId } }], }, }, size: 1, @@ -77,7 +77,9 @@ export const useRuleWithFallback = (ruleId: string): UseRuleWithFallback => { }, [addError, error]); const rule = useMemo(() => { - const result = isExistingRule ? ruleData : alertsData?.hits.hits[0]?._source.signal.rule; + const result = isExistingRule + ? ruleData + : alertsData?.hits.hits[0]?._source['kibana.alert.rule']; if (result) { return transformInput(result); } diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts index f1e1c42539eff..3c522eb8a39d6 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts @@ -194,7 +194,7 @@ export const mockTemplate = { description: null, example: null, indexes: null, - id: 'signal.rule.description', + id: 'kibana.alert.rule.description', name: null, searchable: null, type: null, 
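Review bot: The fallback reads the rule as `_source['kibana.alert.rule']`, which only works if the alert `_source` contains a literal `kibana.alert.rule` key holding a nested object; everywhere else in this diff the same data is addressed by fully flattened keys such as `kibana.alert.rule.type` and `kibana.alert.rule.uuid`, and a fully nested document would expose it as `_source.kibana.alert.rule`. If the index stores flattened dotted keys, `result` is undefined, the hook returns no rule for deleted rules, and the fallback UI silently shows nothing. It would help to state the expected `_source` shape in a comment on that line and, if the shape is flattened, rebuild the rule from the `kibana.alert.rule.*` keys (or use the `ALERT_RULE_NAMESPACE` constants the new package exports) instead of a single nested lookup. The hook body extends beyond this hunk.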
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx index 32c3f5a885346..62b54f032b480 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx @@ -52,16 +52,16 @@ export const EventDetailsFooter = React.memo( timelineId, }: EventDetailsFooterProps) => { const ruleIndex = useMemo( - () => find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values, + () => find({ category: 'signal', field: 'kibana.alert.rule.index' }, detailsData)?.values, [detailsData] ); const addExceptionModalWrapperData = useMemo( () => [ - { category: 'signal', field: 'signal.rule.id', name: 'ruleId' }, - { category: 'signal', field: 'signal.rule.name', name: 'ruleName' }, - { category: 'signal', field: 'signal.status', name: 'alertStatus' }, + { category: 'signal', field: 'kibana.alert.rule.uuid', name: 'ruleId' }, + { category: 'signal', field: 'kibana.alert.rule.name', name: 'ruleName' }, + { category: 'signal', field: 'kibana.alert.status', name: 'alertStatus' }, { category: '_id', field: '_id', name: 'eventId' }, ].reduce( (acc, curr) => ({ diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index ba58e8a084067..32fb2d185f6a6 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx 
@@ -107,10 +107,10 @@ const EventDetailsPanelComponent: React.FC = ({
 }
 }, []);
- const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData);
+ const isAlert = some({ category: 'signal', field: 'kibana.alert.rule.uuid' }, detailsData);
 const ruleName = useMemo(
- () => getFieldValue({ category: 'signal', field: 'signal.rule.name' }, detailsData),
+ () => getFieldValue({ category: 'signal', field: 'kibana.alert.rule.name' }, detailsData),
 [detailsData]
 );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
index 3a7a43da2aedc..03b894e8461ef 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
@@ -14,7 +14,7 @@ export const EVENT_MODULE_FIELD_NAME = 'event.module';
 export const RULE_REFERENCE_FIELD_NAME = 'rule.reference';
 export const REFERENCE_URL_FIELD_NAME = 'reference.url';
 export const EVENT_URL_FIELD_NAME = 'event.url';
-export const SIGNAL_RULE_NAME_FIELD_NAME = 'signal.rule.name';
-export const SIGNAL_STATUS_FIELD_NAME = 'signal.status';
+export const SIGNAL_RULE_NAME_FIELD_NAME = 'kibana.alert.rule.name';
+export const SIGNAL_STATUS_FIELD_NAME = 'kibana.alert.workflow_status';
 export const AGENT_STATUS_FIELD_NAME = 'agent.status';
-export const REASON_FIELD_NAME = 'signal.reason';
+export const REASON_FIELD_NAME = 'kibana.alert.reason';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx
index ee8a275279607..20c829cf6a58a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx
@@ -81,7 +81,7 @@ describe('reasonColumnRenderer', () => {
 });
 describe('isIntance', () => {
- it('returns true when columnName is `signal.reason`', () => {
+ it('returns true when columnName is `kibana.alert.reason`', () => {
 expect(reasonColumnRenderer.isInstance(REASON_FIELD_NAME, [])).toBeTruthy();
 });
 });
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx
index 5282276f8bb51..032b7b8a1a091 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx
@@ -26,7 +26,7 @@ const mockImplementation = {
 };
 describe('DefaultCellRenderer', () => {
- const columnId = 'signal.rule.risk_score';
+ const columnId = 'kibana.alert.rule.risk_score';
 const eventId = '_id-123';
 const isDetails = true;
 const isExpandable = true;
diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
index 4289b7d2c62da..2638635573aa6 100644
--- a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
@@ -38,7 +38,11 @@ export const getHostRulesColumns = (): HostRulesColumns => [
 id,
 name: ruleName,
 kqlQuery: '',
- queryMatch: { field: 'signal.rule.name', value: ruleName, operator: IS_OPERATOR },
+ queryMatch: {
+ field: 'kibana.alert.rule.name',
+ value: ruleName,
+ operator: IS_OPERATOR,
+ },
 }}
 render={(dataProvider, _, snapshot) =>
 snapshot.isDragging ? (
@@ -73,7 +77,11 @@ export const getHostRulesColumns = (): HostRulesColumns => [
 id,
 name: ruleType,
 kqlQuery: '',
- queryMatch: { field: 'signal.rule.type', value: ruleType, operator: IS_OPERATOR },
+ queryMatch: {
+ field: 'kibana.alert.rule.type',
+ value: ruleType,
+ operator: IS_OPERATOR,
+ },
 }}
 render={(dataProvider, _, snapshot) =>
 snapshot.isDragging ? (
@@ -109,7 +117,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.risk_score',
+ field: 'kibana.alert.rule.risk_score',
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
index 19516ad6fcafa..ab7d14b990ee4 100644
--- a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
@@ -39,7 +39,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: tactic,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.threat.tactic.name',
+ field: 'kibana.alert.rule.threat.tactic.name',
 value: tactic,
 operator: IS_OPERATOR,
 },
@@ -78,7 +78,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: technique,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.threat.technique.name',
+ field: 'kibana.alert.rule.threat.technique.name',
 value: technique,
 operator: IS_OPERATOR,
 },
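Review bot: The new `kibana.alert.rule.*` names are retyped as string literals in every `queryMatch` here and in `host_tactics_table/columns.tsx`, which is exactly how a split such as `kibana.alert.status` versus `kibana.alert.workflow_status` can appear elsewhere in the same change. `@kbn/rule-data-utils` already exports `ALERT_RULE_NAME` (it is imported in the threshold mock further down this diff), so the first hunk can use `field: ALERT_RULE_NAME`, and the remaining names are better sourced from one shared constants module than spelled out per column. The `getHostRulesColumns` array begins and ends outside the hunks.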
@@ -117,7 +117,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.risk_score',
+ field: 'kibana.alert.rule.risk_score',
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/create_migration.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/create_migration.ts
index f9693c87631b7..7487cef53430e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/create_migration.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/create_migration.ts
@@ -54,6 +54,7 @@ export const createMigration = async ({
 source: { index, size },
 script: {
 lang: 'painless',
+ // TODO: how to handle?
 source: `
 if (ctx._source.signal._meta == null) {
 ctx._source.signal._meta = [:];
@@ -78,7 +79,7 @@ export const createMigration = async ({
 // migrate status
 if(ctx._source.signal?.status == "in-progress") {
- ctx._source.signal.status = "acknowledged";
+ ctx._source.kibana.alert.workflow_status = "acknowledged";
 }
 `,
 params: {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/get_signal_versions_by_index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/get_signal_versions_by_index.ts
index decde16d77a38..607bda96f37e3 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/get_signal_versions_by_index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/migrations/get_signal_versions_by_index.ts
@@ -62,6 +62,7 @@ export const getSignalVersionsByIndex = async ({
 aggs: {
 signal_versions: {
 terms: {
+ // TODO: how to handle?
 field: 'signal._meta.version',
 missing: 0,
 },
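Review bot: The status migration still tests the legacy `ctx._source.signal?.status` but now assigns `ctx._source.kibana.alert.workflow_status`; a legacy signal document has no `kibana` object, so that dotted access is a null dereference in Painless and fails the reindex for the document, and even where it succeeds `signal.status` is left at `"in-progress"`. The two `// TODO: how to handle?` comments added here and in `get_signal_versions_by_index.ts` suggest this path is known to be unfinished; until the `_meta` handling is decided, the script should keep updating the legacy field and touch the new one only through the flat key the status route already uses (`ctx._source['kibana.alert.workflow_status']`), guarded by a null check as below. `createMigration` continues outside the hunk.
```typescript
      // migrate status
      if (ctx._source.signal?.status == "in-progress") {
        ctx._source.signal.status = "acknowledged";
      }
      if (ctx._source['kibana.alert.workflow_status'] == "in-progress") {
        ctx._source['kibana.alert.workflow_status'] = "acknowledged";
      }
      // … unchanged: closing backtick and params …
```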
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts
index 6feae924c6381..390a7ad094d6c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts
@@ -31,7 +31,7 @@ describe('buildSignalsSearchQuery', () => {
 bool: {
 should: {
 match: {
- 'signal.rule.rule_id': ruleId,
+ 'kibana.alert.rule.rule_id': ruleId,
 },
 },
 minimum_should_match: 1,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts
index ac9a6b73c71fd..b9ded36fb2c01 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts
@@ -30,7 +30,7 @@ export const buildSignalsSearchQuery = ({
 bool: {
 should: {
 match: {
- 'signal.rule.rule_id': ruleId,
+ 'kibana.alert.rule.rule_id': ruleId,
 },
 },
 minimum_should_match: 1,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts
index e54cc94b886f6..36a72ce0d57cb 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts
@@ -70,8 +70,8 @@ export const setSignalsStatusRoute = (router: SecuritySolutionPluginRouter) => {
 source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) {
 ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}'
 }
- if (ctx._source.signal != null && ctx._source.signal.status != null) {
- ctx._source.signal.status = '${status}'
+ if (ctx._source.signal != null && ctx._source.kibana.alert.workflow_status != null) {
+ ctx._source.kibana.alert.workflow_status = '${status}'
 }`,
 lang: 'painless',
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
index 554672806c12e..a1ba96aacd5e0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
@@ -21,18 +21,18 @@ import {
 ALERT_RULE_UUID,
 ALERT_RULE_NAME,
 } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_ORIGINAL_TIME,
+ ALERT_ORIGINAL_EVENT,
+ flattenWithPrefix,
+} from '@kbn/securitysolution-rules';
 import { TypeOfFieldMap } from '../../../../../../rule_registry/common/field_map';
 import { SERVER_APP_ID } from '../../../../../common/constants';
 import { ANCHOR_DATE } from '../../../../../common/detection_engine/schemas/response/rules_schema.mocks';
 import { getListArrayMock } from '../../../../../common/detection_engine/schemas/types/lists.mock';
 import { sampleDocNoSortId } from '../../signals/__mocks__/es_results';
-import { flattenWithPrefix } from '../factories/utils/flatten_with_prefix';
 import { RulesFieldMap } from '../field_maps';
-import {
- ALERT_ANCESTORS,
- ALERT_ORIGINAL_TIME,
- ALERT_ORIGINAL_EVENT,
-} from '../field_maps/field_names';
 import { WrappedRACAlert } from '../types';
 export const mockThresholdResults = {
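Review bot: The second branch is guarded on the legacy marker `ctx._source.signal != null` but then dereferences `ctx._source.kibana.alert.workflow_status`; on a legacy signal, which has `signal` but no `kibana` object, that is a null dereference in Painless, and on a new-style alert the first branch has already written `ctx._source['${ALERT_WORKFLOW_STATUS}']`, so the branch either throws or is redundant. Either restore `ctx._source.signal.status` in both lines so legacy signals keep having their status updated, or drop the branch if this route no longer updates legacy signals. While these lines are being rewritten, `'${status}'` is spliced into the script source as text; unless the route schema already restricts `status` to its fixed set of values, pass it as `params: { status }` and assign `params.status` so request data cannot change the script. `setSignalsStatusRoute` continues outside the hunk.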
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
index dcd08df2074d0..9aa674c606a4d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
@@ -20,9 +20,15 @@ import {
 SPACE_IDS,
 TIMESTAMP,
 } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_DEPTH,
+ flattenWithPrefix,
+ ALERT_ORIGINAL_TIME,
+ ALERT_ORIGINAL_EVENT,
+} from '@kbn/securitysolution-rules';
 import { sampleDocNoSortIdWithTimestamp } from '../../../signals/__mocks__/es_results';
-import { flattenWithPrefix } from './flatten_with_prefix';
 import { buildAlert, buildParent, buildAncestors, additionalAlertFields } from './build_alert';
 import { Ancestor, SignalSourceHit } from '../../../signals/types';
 import {
@@ -30,12 +36,6 @@ import {
 ANCHOR_DATE,
 } from '../../../../../../common/detection_engine/schemas/response/rules_schema.mocks';
 import { getListArrayMock } from '../../../../../../common/detection_engine/schemas/types/lists.mock';
-import {
- ALERT_ANCESTORS,
- ALERT_DEPTH,
- ALERT_ORIGINAL_EVENT,
- ALERT_ORIGINAL_TIME,
-} from '../../field_maps/field_names';
 import { SERVER_APP_ID } from '../../../../../../common/constants';
 import { EVENT_DATASET } from '../../../../../../common/cti/constants';
 import { v4 } from 'uuid';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
index 6f463f7dc02df..d57af1ddfd936 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -16,6 +16,13 @@ import {
 SPACE_IDS,
 TIMESTAMP,
 } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_DEPTH,
+ flattenWithPrefix,
+ ALERT_ORIGINAL_TIME,
+ ALERT_ORIGINAL_EVENT,
+} from '@kbn/securitysolution-rules';
 import { createHash } from 'crypto';
@@ -28,13 +35,6 @@ import {
 isWrappedSignalHit,
 } from '../../../signals/utils';
 import { RACAlert } from '../../types';
-import { flattenWithPrefix } from './flatten_with_prefix';
-import {
- ALERT_ANCESTORS,
- ALERT_DEPTH,
- ALERT_ORIGINAL_EVENT,
- ALERT_ORIGINAL_TIME,
-} from '../../field_maps/field_names';
 import { SERVER_APP_ID } from '../../../../../../common/constants';
 import { SearchTypes } from '../../../../telemetry/types';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts
index 6daafbfae40f2..4130dd4e78db7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.test.ts
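Review bot: In the new `@kbn/securitysolution-rules` import block the function `flattenWithPrefix` sits between `ALERT_DEPTH` and `ALERT_ORIGINAL_TIME`, so the constants are no longer in the alphabetical order the removed `field_names` import had; `build_alert.test.ts` above repeats the same order and `threshold.ts` uses yet another. Suggest `ALERT_ANCESTORS, ALERT_DEPTH, ALERT_ORIGINAL_EVENT, ALERT_ORIGINAL_TIME, flattenWithPrefix` in all three so the value import is visibly separate from the field-name constants.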
@@ -8,16 +8,16 @@
 import { Logger } from 'kibana/server';
 import { ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
-
-import { sampleDocNoSortId } from '../../../signals/__mocks__/es_results';
-import { buildAlertGroupFromSequence } from './build_alert_group_from_sequence';
-import { getRulesSchemaMock } from '../../../../../../common/detection_engine/schemas/response/rules_schema.mocks';
 import {
 ALERT_ANCESTORS,
 ALERT_BUILDING_BLOCK_TYPE,
 ALERT_DEPTH,
 ALERT_GROUP_ID,
-} from '../../field_maps/field_names';
+} from '@kbn/securitysolution-rules';
+
+import { sampleDocNoSortId } from '../../../signals/__mocks__/es_results';
+import { buildAlertGroupFromSequence } from './build_alert_group_from_sequence';
+import { getRulesSchemaMock } from '../../../../../../common/detection_engine/schemas/response/rules_schema.mocks';
 import { SERVER_APP_ID } from '../../../../../../common/constants';
 import { getQueryRuleParams } from '../../../schemas/rule_schemas.mock';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
index f95f747ff9403..1e4c9758f9745 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
@@ -6,6 +6,11 @@
 */
 import { ALERT_INSTANCE_ID } from '@kbn/rule-data-utils';
+import {
+ ALERT_BUILDING_BLOCK_TYPE,
+ ALERT_GROUP_ID,
+ ALERT_GROUP_INDEX,
+} from '@kbn/securitysolution-rules';
 import { Logger } from 'kibana/server';
@@ -20,16 +25,11 @@ import { EqlSequence } from '../../../../../../common/detection_engine/types';
 import { generateBuildingBlockIds } from './generate_building_block_ids';
 import { objectArrayIntersection } from '../../../signals/build_bulk_body';
 import { BuildReasonMessage } from '../../../signals/reason_formatters';
-import {
- ALERT_BUILDING_BLOCK_TYPE,
- ALERT_GROUP_ID,
- ALERT_GROUP_INDEX,
-} from '../../field_maps/field_names';
 /**
 * Takes N raw documents from ES that form a sequence and builds them into N+1 signals ready to be indexed
 * one signal for each event in the sequence, and a "shell" signal that ties them all together. All N+1 signals
- * share the same signal.group.id to make it easy to query them.
+ * share the same kibana.alert.group.id to make it easy to query them.
 * @param sequence The raw ES documents that make up the sequence
 * @param ruleSO SavedObject representing the rule that found the sequence
 */
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
index 965a16859b0df..09328b5170754 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
@@ -22,7 +22,6 @@ import {
 import { RACAlert } from '../../types';
 import { additionalAlertFields, buildAlert } from './build_alert';
 import { filterSource } from './filter_source';
-import { flattenWithPrefix } from './flatten_with_prefix';
 const isSourceDoc = (
 hit: SignalSourceHit
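Review bot: `flattenWithPrefix` is dropped from the imports of `build_bulk_body.ts` with no replacement import from `@kbn/securitysolution-rules` in this hunk, unlike `build_alert.ts` and the mocks in this same change. If the identifier is still referenced further down the file (not visible here) the file no longer compiles; if the import was simply unused, the removal is fine, but please confirm which. The `isSourceDoc` definition begins on the hunk's last lines and continues outside it.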
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix.ts
deleted file mode 100644
index 02f418a151888..0000000000000
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix.ts
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { isPlainObject } from 'lodash';
-import { SearchTypes } from '../../../../../../common/detection_engine/types';
-export const flattenWithPrefix = (
- prefix: string,
- maybeObj: unknown
-): Record => {
- if (maybeObj != null && isPlainObject(maybeObj)) {
- return Object.keys(maybeObj as Record).reduce(
- (acc: Record, key) => {
- return {
- ...acc,
- ...flattenWithPrefix(`${prefix}.${key}`, (maybeObj as Record)[key]),
- };
- },
- {}
- );
- } else {
- return {
- [prefix]: maybeObj as SearchTypes,
- };
- }
-};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/generate_building_block_ids.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/generate_building_block_ids.ts
index 84e7f9e3ecef2..17005ca75a7f7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/generate_building_block_ids.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/generate_building_block_ids.ts
@@ -6,9 +6,9 @@
 */
 import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { ALERT_ANCESTORS } from '@kbn/securitysolution-rules';
 import { createHash } from 'crypto';
 import { Ancestor } from '../../../signals/types';
-import { ALERT_ANCESTORS } from '../../field_maps/field_names';
 import { RACAlert } from '../../types';
 /**
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md
index 1b8516ee16012..113330c8ea542 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/README.md
@@ -29,7 +29,7 @@ - echo '{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","queryMatch":{"displayValue":null,"field":"_id","displayField":null,"value":"590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","operator":":"},"id":"send-signal-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-signal-id-590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1588162404153,"createdBy":"Elastic","updated":1588604767818,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"timelineType":"template","status":"immutable","templateTimelineId":"2c7e0663-5a91-0004-aa15-26bf756d2c40","templateTimelineVersion":1}' > my_new_template.json``` + echo 
'{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","queryMatch":{"displayValue":null,"field":"_id","displayField":null,"value":"590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","operator":":"},"id":"send-signal-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-signal-id-590eb946a7fdbacaa587ed0f6b1a16f5ad3d659ec47ef35ad0826c47af133bde","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1588162404153,"createdBy":"Elastic","updated":1588604767818,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"timelineType":"template","status":"immutable","templateTimelineId":"2c7e0663-5a91-0004-aa15-26bf756d2c40","templateTimelineVersion":1}' > my_new_template.json``` #### Note that the json has to be minified. #### Fields to hightlight for on boarding a new prepackaged timeline: 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/endpoint.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/endpoint.json
index acc5f69358798..71039b929d75a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/endpoint.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/endpoint.json
@@ -1 +1 @@ -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"","queryMatch":{"displayValue":"endpoint","field":"agent.type","displayField":"agent.type","value":"endpoint","operator":":"},"id":"timeline-1-4685da24-35c1-43f3-892d-1f926dbf5568","type":"default","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"db366523-f1c6-4c1f-8731-6ce5ed9e5717","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735857110,"createdBy":"Elastic","updated":1611609999115,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} 
+{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"","queryMatch":{"displayValue":"endpoint","field":"agent.type","displayField":"agent.type","value":"endpoint","operator":":"},"id":"timeline-1-4685da24-35c1-43f3-892d-1f926dbf5568","type":"default","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"db366523-f1c6-4c1f-8731-6ce5ed9e5717","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735857110,"createdBy":"Elastic","updated":1611609999115,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson index a02951e55580c..66c1406e4c292 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/index.ndjson 
@@ -8,7 +8,7 @@ // Auto generated file from scripts/regen_prepackage_timelines_index.sh // Do not hand edit. Run that script to regenerate package information instead -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"","queryMatch":{"displayValue":"endpoint","field":"agent.type","displayField":"agent.type","value":"endpoint","operator":":"},"id":"timeline-1-4685da24-35c1-43f3-892d-1f926dbf5568","type":"default","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"db366523-f1c6-4c1f-8731-6ce5ed9e5717","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735857110,"createdBy":"Elastic","updated":1611609999115,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the 
event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.port","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null}],"dataProviders":[{"and":[{"enabled":true,"excluded":false,"id":"timeline-1-e37e37c5-a6e7-4338-af30-47bfbc3c0e1e","kqlQuery":"","name":"{destination.ip}","queryMatch":{"displayField":"destination.ip","displayValue":"{destination.ip}","field":"destination.ip","operator":":","value":"{destination.ip}"},"type":"template"}],"enabled":true,"excluded":false,"id":"timeline-1-ec778f01-1802-40f0-9dfb-ed8de1f656cb","kqlQuery":"","name":"{source.ip}","queryMatch":{"displayField":"source.ip","displayValue":"{source.ip}","field":"source.ip","operator":":","value":"{source.ip}"},"type":"template"}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Network Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"91832785-286d-4ebe-b884-1a208d111a70","dateRange":{"start":1588255858373,"end":1588256218373},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735573866,"createdBy":"Elastic","updated":1611609960850,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the 
process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. 
The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"{process.name}","queryMatch":{"displayValue":null,"field":"process.name","displayField":null,"value":"{process.name}","operator":":"},"id":"timeline-1-8622010a-61fb-490d-b162-beac9c36a853","type":"template","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"76e52245-7519-4251-91ab-262fb1a1728c","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735629389,"createdBy":"Elastic","updated":1611609848602,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} -{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. 
The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match 
Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} +{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive 
information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"","queryMatch":{"displayValue":"endpoint","field":"agent.type","displayField":"agent.type","value":"endpoint","operator":":"},"id":"timeline-1-4685da24-35c1-43f3-892d-1f926dbf5568","type":"default","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"db366523-f1c6-4c1f-8731-6ce5ed9e5717","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735857110,"createdBy":"Elastic","updated":1611609999115,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} 
+{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.port","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null}],"dataProviders":[{"and":[{"enabled":true,"excluded":false,"id":"timeline-1-e37e37c5-a6e7-4338-af30-47bfbc3c0e1e","kqlQuery":"","name":"{destination.ip}","queryMatch":{"displayField":"destination.ip","displayValue":"{destination.ip}","field":"destination.ip","operator":":","value":"{destination.ip}"},"type":"template"}],"enabled":true,"excluded":false,"id":"timeline-1-ec778f01-1802-40f0-9dfb-ed8de1f656cb","kqlQuery":"","name":"{source.ip}","queryMatch":{"displayField":"source.ip","displayValue":"{source.ip}","field":"source.ip","operator":":","value":"{source.ip}"},"type":"template"}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Network Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"91832785-286d-4ebe-b884-1a208d111a70","dateRange":{"start":1588255858373,"end":1588256218373},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735573866,"createdBy":"Elastic","updated":1611609960850,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} +{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the 
process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. 
The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"{process.name}","queryMatch":{"displayValue":null,"field":"process.name","displayField":null,"value":"{process.name}","operator":":"},"id":"timeline-1-8622010a-61fb-490d-b162-beac9c36a853","type":"template","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"76e52245-7519-4251-91ab-262fb1a1728c","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735629389,"createdBy":"Elastic","updated":1611609848602,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} +{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. 
The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match 
Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/network.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/network.json
index 6e93387579d22..ef79a83853293 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/network.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/network.json
@@ -1 +1 @@ -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.port","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null}],"dataProviders":[{"and":[{"enabled":true,"excluded":false,"id":"timeline-1-e37e37c5-a6e7-4338-af30-47bfbc3c0e1e","kqlQuery":"","name":"{destination.ip}","queryMatch":{"displayField":"destination.ip","displayValue":"{destination.ip}","field":"destination.ip","operator":":","value":"{destination.ip}"},"type":"template"}],"enabled":true,"excluded":false,"id":"timeline-1-ec778f01-1802-40f0-9dfb-ed8de1f656cb","kqlQuery":"","name":"{source.ip}","queryMatch":{"displayField":"source.ip","displayValue":"{source.ip}","field":"source.ip","operator":":","value":"{source.ip}"},"type":"template"}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Network Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"91832785-286d-4ebe-b884-1a208d111a70","dateRange":{"start":1588255858373,"end":1588256218373},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735573866,"createdBy":"Elastic","updated":1611609960850,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} +{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. 
The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.port","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null}],"dataProviders":[{"and":[{"enabled":true,"excluded":false,"id":"timeline-1-e37e37c5-a6e7-4338-af30-47bfbc3c0e1e","kqlQuery":"","name":"{destination.ip}","queryMatch":{"displayField":"destination.ip","displayValue":"{destination.ip}","field":"destination.ip","operator":":","value":"{destination.ip}"},"type":"template"}],"enabled":true,"excluded":false,"id":"timeline-1-ec778f01-1802-40f0-9dfb-ed8de1f656cb","kqlQuery":"","name":"{source.ip}","queryMatch":{"displayField":"source.ip","displayValue":"{source.ip}","field":"source.ip","operator":":","value":"{source.ip}"},"type":"template"}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Network Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"91832785-286d-4ebe-b884-1a208d111a70","dateRange":{"start":1588255858373,"end":1588256218373},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735573866,"createdBy":"Elastic","updated":1611609960850,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/process.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/process.json index c25873746a9e9..b876ef16379ff 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/process.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/process.json 
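Review bot: The new side of this template changes a column id (`signal.rule.description` → `kibana.alert.rule.description`) but leaves `"templateTimelineVersion":2` and `"updated":1611609960850` untouched. If the prepackaged-timeline installer decides whether to refresh an already-installed immutable template by comparing `templateTimelineVersion` (the `mockCheckTimelinesStatusBeforeInstallResult`/`AfterInstallResult` fixtures further down this diff suggest such a status check exists), deployments that already hold version 2 will keep the stale column and render it empty for RAC alerts. Bumping to `"templateTimelineVersion":3` here, and likewise in the process and threat templates below, would force the update. This is a single-line JSON document, so the change cannot carry a comment — the rationale belongs in the commit message.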
@@ -1 +1 @@ -{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"{process.name}","queryMatch":{"displayValue":null,"field":"process.name","displayField":null,"value":"{process.name}","operator":":"},"id":"timeline-1-8622010a-61fb-490d-b162-beac9c36a853","type":"template","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"76e52245-7519-4251-91ab-262fb1a1728c","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735629389,"createdBy":"Elastic","updated":1611609848602,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} 
+{"savedObjectId":null,"version":null,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.name","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The working directory of the process.","columnHeaderType":"not-filtered","id":"process.working_directory","category":"process","type":"string","searchable":null,"example":"/home/alice"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","searchable":null,"example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"process.pid","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"Absolute path to the process executable.","columnHeaderType":"not-filtered","id":"process.parent.executable","category":"process","type":"string","searchable":null,"example":"/usr/bin/ssh"},{"indexes":null,"aggregatable":true,"name":null,"description":"Array of process arguments.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.parent.args","category":"process","type":"string","searchable":null,"example":"[\"ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"indexes":null,"aggregatable":true,"name":null,"description":"Process 
id.","columnHeaderType":"not-filtered","id":"process.parent.pid","category":"process","type":"number","searchable":null,"example":"4242"},{"indexes":null,"aggregatable":true,"name":null,"description":"Short name or login of the user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","searchable":null,"example":"albert"},{"indexes":null,"aggregatable":true,"name":null,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string","searchable":null}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"{process.name}","queryMatch":{"displayValue":null,"field":"process.name","displayField":null,"value":"{process.name}","operator":":"},"id":"timeline-1-8622010a-61fb-490d-b162-beac9c36a853","type":"template","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Process Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"76e52245-7519-4251-91ab-262fb1a1728c","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1594735629389,"createdBy":"Elastic","updated":1611609848602,"updatedBy":"Elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json index d777fdf17d657..169d04a23a118 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json 
@@ -1 +1 @@ -{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"signal.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match 
Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"} +{"savedObjectId":null,"version":null,"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description"},{"aggregatable":true,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","example":"user-password-change"},{"aggregatable":true,"description":"Array of process arguments, starting with the absolute path to\nthe executable.\n\nMay be filtered to protect sensitive information.","columnHeaderType":"not-filtered","id":"process.args","category":"process","type":"string","example":"[\"/usr/bin/ssh\",\"-l\",\"user\",\"10.0.0.16\"]"},{"columnHeaderType":"not-filtered","id":"process.pid"},{"aggregatable":true,"description":"IP address of the source (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"source.ip","category":"source","type":"ip"},{"aggregatable":true,"description":"Port of the source.","columnHeaderType":"not-filtered","id":"source.port","category":"source","type":"number"},{"aggregatable":true,"description":"IP address of the destination (IPv4 or IPv6).","columnHeaderType":"not-filtered","id":"destination.ip","category":"destination","type":"ip"},{"columnHeaderType":"not-filtered","id":"destination.port"},{"aggregatable":true,"description":"Short name or login of the 
user.","columnHeaderType":"not-filtered","id":"user.name","category":"user","type":"string","example":"albert"},{"columnHeaderType":"not-filtered","id":"host.name"}],"dataProviders":[{"excluded":false,"and":[{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.type}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.type","displayField":null,"value":"{threat.enrichments.matched.type}","operator":":"},"id":"timeline-1-ae18ef4b-f690-4122-a24d-e13b6818fba8","type":"template","enabled":true},{"excluded":false,"kqlQuery":"","name":"{threat.enrichments.matched.field}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.field","displayField":null,"value":"{threat.enrichments.matched.field}","operator":":"},"id":"timeline-1-7b4cf27e-6788-4d8e-9188-7687f0eba0f2","type":"template","enabled":true}],"kqlQuery":"","name":"{threat.enrichments.matched.atomic}","queryMatch":{"displayValue":null,"field":"threat.enrichments.matched.atomic","displayField":null,"value":"{threat.enrichments.matched.atomic}","operator":":"},"id":"timeline-1-7db7d278-a80a-4853-971a-904319c50777","type":"template","enabled":true}],"description":"This Timeline template is for alerts generated by Indicator Match detection rules.","eqlOptions":{"eventCategoryField":"event.category","tiebreakerField":"","timestampField":"@timestamp","query":"","size":100},"eventType":"alert","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"indexNames":[".siem-signals-default"],"title":"Generic Threat Match 
Timeline","timelineType":"template","templateTimelineVersion":2,"templateTimelineId":"495ad7a7-316e-4544-8a0f-9c098daee76e","dateRange":{"start":1588161020848,"end":1588162280848},"savedQueryId":null,"sort":[{"sortDirection":"desc","columnId":"@timestamp"}],"created":1616696609311,"createdBy":"elastic","updated":1616788372794,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"status":"immutable"}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
index 7cf7d11e4c1f8..e961a6a957817 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/README.md
@@ -22,7 +22,7 @@ which will write a single signal document into the signals index by searching fo
 signal_on_signal_depth_1.json
 ```
-which has this key part of its query: `"query": "signal.depth: 1 and _id: *"` which will only create signals
+which has this key part of its query: `"query": "kibana.alert.depth: 1 and _id: *"` which will only create signals
 from all signals that point directly to an event (signal -> event). Then a second rule called
@@ -34,7 +34,7 @@ signal_on_signal_depth_2.json
 which will only create signals from all signals that point directly to another signal (signal -> signal) with this query
 ```json
-"query": "signal.depth: 2 and _id: *"
+"query": "kibana.alert.depth: 2 and _id: *"
 ```
 ## Setup
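Review bot: `"indexNames":[".siem-signals-default"]` on the new side still pins this template to the legacy signals index while the column it displays is now `kibana.alert.rule.description` and `"eventType":"alert"`. Unless `.siem-signals-default` is an alias of the new alerts index, or carries `signal.*` → `kibana.alert.*` field aliases, that column resolves to nothing on the documents this template actually searches; I cannot confirm either from this diff. Either switch `indexNames` to the index the `kibana.alert.*` fields are written to, or state the alias dependency in the PR description. As with the network and process templates, `"templateTimelineVersion":2` is unchanged despite the content change, so already-installed copies may not be refreshed.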
@@ -56,7 +56,7 @@ Then get your current signal index:
 }
 ```
-And edit the `signal_on_signal.json` and add that index to the key of `index` so we are running that rule against the signals index:
+And edit the `signal_on_kibana.alert.json` and add that index to the key of `index` so we are running that rule against the signals index:
 ```json
 "index": ".siem-signals-default"
@@ -122,10 +122,10 @@ rule -> The id of the rule, if the parent was generated by a rule. You can view
 id -> The original _id of the document
 type -> The type of the document, it will be either event or signal
 index -> The original location of the index
-depth -> The depth of the parent event/signal. It will be 0 if the parent is an event, or 1+ if the parent is another signal.
+depth -> The depth of the parent event/kibana.alert. It will be 0 if the parent is an event, or 1+ if the parent is another kibana.alert.
 ```
-The ancestors structure has the same fields as parents, but is an array of all ancestors (parents, grandparents, etc) of the signal.
+The ancestors structure has the same fields as parents, but is an array of all ancestors (parents, grandparents, etc) of the kibana.alert.
 This is indicating that you have a single parent of an event from the signal (signal -> event) and this document has a single ancestor of that event. Each 30 seconds that goes it will use de-duplication technique to ensure that this signal is not re-inserted. If after
@@ -198,7 +198,7 @@ and the second document is a signal on top of a signal like so:
 }
 ```
-Notice that the depth indicates it is at level 2 and its parent is that of a signal. Also notice that the ancestors is an array of size 2
+Notice that the depth indicates it is at level 2 and its parent is that of a kibana.alert. Also notice that the ancestors is an array of size 2
 indicating that this signal terminates at an event. Each and every signal ancestors array should terminate at an event and should ONLY contain 1 event and NEVER 2 or more events for KQL query based rules. EQL query based rules that use sequences may have multiple parents at the same level. After 30+ seconds you should NOT see any new documents being created and you should be stable at 2. Otherwise we have AND/OR a de-duplication issue, signal on signal issue.
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_1.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_1.json
index c9132ddb0a590..29a6db19b3e8b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_1.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_1.json
@@ -7,7 +7,7 @@
 "from": "now-1d",
 "interval": "30s",
 "to": "now",
- "query": "signal.depth: 1 and _id: *",
+ "query": "kibana.alert.depth: 1 and _id: *",
 "enabled": true,
 "index": [".siem-signals-default"]
 }
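Review bot: The rule query now filters on `kibana.alert.depth: 1` but `"index": [".siem-signals-default"]` is unchanged, so this test case only works if that index exposes the `kibana.alert.*` names (through an index alias or field aliases) — otherwise the rule silently matches nothing and the depth test passes vacuously. If the RAC alerts index is the intended target, the `index` value should change together with the field; the same applies to `signal_on_signal_depth_2.json` in the next hunk. Relatedly, the README hunk ending on this same line now tells the reader to edit `signal_on_kibana.alert.json`, but no rename of `signal_on_signal.json` appears in this diff and the sibling rule files keep their `signal_on_signal_*` names, so that reference looks like an over-eager find-and-replace rather than a real path.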
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_2.json b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_2.json
index d1a2749792686..3c25c79a52de0 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_2.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/test_cases/signals_on_signals/depth_test/signal_on_signal_depth_2.json
@@ -7,7 +7,7 @@
 "from": "now-1d",
 "interval": "30s",
 "to": "now",
- "query": "signal.depth: 2 and _id: *",
+ "query": "kibana.alert.depth: 2 and _id: *",
 "enabled": true,
 "index": [".siem-signals-default"]
 }
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/signals/aggs_signals.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/signals/aggs_signals.sh
index de32ce74b7d9c..ea2515e9cc766 100755
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/signals/aggs_signals.sh
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/signals/aggs_signals.sh
@@ -16,5 +16,5 @@ set -e
 -H 'kbn-xsrf: 123' \
 -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
 -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/signals/search \
- -d '{"aggs": {"statuses": {"terms": {"field": "signal.status", "size": 10 }}}}' \
+ -d '{"aggs": {"statuses": {"terms": {"field": "kibana.alert.workflow_status", "size": 10 }}}}' \
 | jq .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.test.ts
index 8362942af15b9..618792c26289e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.test.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_ORIGINAL_TIME } from '../../rule_types/field_maps/field_names';
+import { ALERT_ORIGINAL_TIME } from '@kbn/securitysolution-rules';
 import { sampleThresholdAlert } from '../../rule_types/__mocks__/threshold';
 import { buildThresholdSignalHistory } from './build_signal_history';
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.ts
index 81b12d2d4f229..df91a8950acff 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/build_signal_history.ts
@@ -6,10 +6,7 @@
 */
 import { SearchHit } from '@elastic/elasticsearch/api/types';
-import {
- ALERT_ORIGINAL_TIME,
- ALERT_RULE_THRESHOLD_FIELD,
-} from '../../rule_types/field_maps/field_names';
+import { ALERT_ORIGINAL_TIME, ALERT_RULE_THRESHOLD_FIELD } from '@kbn/securitysolution-rules';
 import { SimpleHit, ThresholdSignalHistory } from '../types';
 import { getThresholdTermsHash, isWrappedRACAlert, isWrappedSignalHit } from '../utils';
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
index d03b445da26d0..153d906305530 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
@@ -17,7 +17,7 @@ export const mockTemplate = {
 {
 columnHeaderType: 'not-filtered',
 indexes: null,
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 name: null,
 searchable: null,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
index d7098556c9c3a..7b5a5454c850e 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
@@ -271,7 +271,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -387,7 +387,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -550,7 +550,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -738,7 +738,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -906,7 +906,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -1089,7 +1089,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: 'kibana.alert.rule.description',
 searchable: null,
 },
 {
@@ -1202,10 +1202,7 @@ export const mockSavedObject = {
 type: 'siem-ui-timeline',
 id: '79deb4c0-6bc1-11ea-a90b-f5341fb7a189',
 attributes: {
- savedQueryId: null,
- status: 'immutable',
- excludedRowRendererIds: [],
 ...mockGetTemplateTimelineValue,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/prepackaged_timelines.ndjson b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/prepackaged_timelines.ndjson
index f7113a4ac395e..dd64f9b0ec685 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/prepackaged_timelines.ndjson
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/prepackaged_timelines.ndjson
@@ -1 +1 @@ -{"savedObjectId":"mocked-timeline-id-1","version":"WzExNzEyLDFd","columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"signal.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"endgame.data.rule_name","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"rule.reference","searchable":null},{"aggregatable":true,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. 
The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string"},{"aggregatable":true,"description":"Operating system name, without the version.","columnHeaderType":"not-filtered","id":"host.os.name","category":"host","type":"string","example":"Mac OS X"}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","queryMatch":{"displayValue":null,"field":"_id","displayField":null,"value":"3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","operator":":"},"id":"send-signal-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-signal-id-3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","dateRange":{"start":1588257731065,"end":1588258391065},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1588258576517,"createdBy":"elastic","updated":1588261039030,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"timelineType":"template"} +{"savedObjectId":"mocked-timeline-id-1","version":"WzExNzEyLDFd","columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"kibana.alert.rule.description","searchable":null},{"indexes":null,"aggregatable":true,"name":null,"description":"The action captured by the event.\n\nThis describes the information in the event. It is more specific than `event.category`.\nExamples are `group-add`, `process-started`, `file-created`. 
The value is\nnormally defined by the implementer.","columnHeaderType":"not-filtered","id":"event.action","category":"event","type":"string","searchable":null,"example":"user-password-change"},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"endgame.data.rule_name","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"rule.reference","searchable":null},{"aggregatable":true,"description":"Name of the host.\n\nIt can contain what `hostname` returns on Unix systems, the fully qualified\ndomain name, or a name specified by the user. The sender decides which value\nto use.","columnHeaderType":"not-filtered","id":"host.name","category":"host","type":"string"},{"aggregatable":true,"description":"Operating system name, without the version.","columnHeaderType":"not-filtered","id":"host.os.name","category":"host","type":"string","example":"Mac OS X"}],"dataProviders":[{"excluded":false,"and":[],"kqlQuery":"","name":"3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","queryMatch":{"displayValue":null,"field":"_id","displayField":null,"value":"3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","operator":":"},"id":"send-signal-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-signal-id-3c322ed995865f642c1a269d54cbd177bd4b0e6efcf15a589f4f8582efbe7509","enabled":true}],"description":"","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":""},"serializedQuery":""}},"title":"Generic Endpoint Timeline","dateRange":{"start":1588257731065,"end":1588258391065},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"created":1588258576517,"createdBy":"elastic","updated":1588261039030,"updatedBy":"elastic","eventNotes":[],"globalNotes":[],"pinnedEventIds":[],"timelineType":"template"} 
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md b/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md index defbf8be8b7c3..23c87dda8215f 100644 --- a/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md +++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/README.md @@ -1119,7 +1119,7 @@ kbn-version: 8.0.0 }, { "columnHeaderType": "not-filtered", - "id": "signal.rule.description" + "id": "kibana.alert.rule.description" }, { "columnHeaderType": "not-filtered", diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts index 4e174f23d0746..d4425d17671a3 100644 --- a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts +++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts @@ -104,7 +104,7 @@ describe.each([ indexes: null, name: null, columnHeaderType: 'not-filtered', - id: 'signal.rule.description', + id: 'kibana.alert.rule.description', searchable: null, }, { diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts index 4c116104b3e14..1648dda8df9c9 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts 
@@ -39,12 +39,12 @@ export const buildHostRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_name: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { risk_score: Direction.desc, }, @@ -52,19 +52,19 @@ export const buildHostRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_type: { terms: { - field: 'signal.rule.type', + field: 'kibana.alert.rule.type', }, }, }, }, rule_count: { cardinality: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', }, }, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts index ec1afe247011b..78fc3825b9bd1 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts @@ -39,22 +39,22 @@ export const buildHostTacticsQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, tactic: { terms: { - field: 'signal.rule.threat.tactic.name', + field: 'kibana.alert.rule.threat.tactic.name', }, aggs: { technique: { terms: { - field: 'signal.rule.threat.technique.name', + field: 'kibana.alert.rule.threat.technique.name', }, aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, }, 
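Review bot: The renamed aggregation fields in buildHostRulesQuery (and in the buildHostTacticsQuery and buildUserRulesQuery hunks that follow) are hard-coded string literals — `'kibana.alert.rule.risk_score'`, `'kibana.alert.rule.name'`, `'kibana.alert.rule.type'` — repeated across three query builders, while the same commit derives these names from `ALERT_RULE_NAMESPACE` in t_grid/body/helpers.tsx. Building them the same way here, e.g. `field: \`${ALERT_RULE_NAMESPACE}.risk_score\`,` and `field: ALERT_RULE_NAME,`, keeps the server-side aggregations in lock-step with the alerts-as-data schema constants and removes the chance of a future rename missing one of these files. buildHostRulesQuery begins before this hunk, so the import would go in the file header outside the hunk.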
@@ -63,12 +63,12 @@ export const buildHostTacticsQuery = ({ }, tactic_count: { cardinality: { - field: 'signal.rule.threat.tactic.name', + field: 'kibana.alert.rule.threat.tactic.name', }, }, technique_count: { cardinality: { - field: 'signal.rule.threat.technique.name', + field: 'kibana.alert.rule.threat.technique.name', }, }, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts index c2242ff00a6c1..9d04d6c63154e 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts @@ -48,12 +48,12 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_name: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { risk_score: Direction.desc, }, @@ -61,19 +61,19 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_type: { terms: { - field: 'signal.rule.type', + field: 'kibana.alert.rule.type', }, }, }, }, rule_count: { cardinality: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', }, }, }, diff --git a/x-pack/plugins/security_solution/server/usage/detections/detection_rule_helpers.ts b/x-pack/plugins/security_solution/server/usage/detections/detection_rule_helpers.ts index a8e771893089d..6b45e973ee074 100644 --- a/x-pack/plugins/security_solution/server/usage/detections/detection_rule_helpers.ts +++ b/x-pack/plugins/security_solution/server/usage/detections/detection_rule_helpers.ts 
@@ -203,7 +203,7 @@ export const getDetectionRuleMetrics = async (
 body: {
 aggs: {
 detectionAlerts: {
- terms: { field: 'signal.rule.id.keyword' },
+ terms: { field: 'kibana.alert.rule.uuid.keyword' },
 },
 },
 query: {
diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
index 239e295a1f8b1..5ef9ad588e003 100644
--- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
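Review bot: The `.keyword` suffix carried over onto `kibana.alert.rule.uuid.keyword` needs checking against the alerts index mapping: the ueba queries elsewhere in this commit run `terms` and `cardinality` aggregations on `kibana.alert.rule.name` with no suffix, which suggests these alert fields are mapped as `keyword` directly rather than as `text` with a `.keyword` multi-field. If that is the case, the aggregation targets a field that does not exist and silently returns zero buckets, so the per-rule alert counts in the telemetry would read as zero without any error. Unless the mapping is confirmed to define the multi-field, this should be `terms: { field: 'kibana.alert.rule.uuid' },` (or `ALERT_RULE_UUID`). getDetectionRuleMetrics continues outside the hunk.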
@@ -291,41 +291,41 @@ export const systemFieldsMap: Readonly> = { }; export const signalFieldsMap: Readonly> = { - 'signal.original_time': 'signal.original_time', - 'signal.reason': 'signal.reason', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', + 'kibana.alert.original_time': 'kibana.alert.original_time', + 'kibana.alert.reason': 'kibana.alert.reason', + 'kibana.alert.rule.uuid': 
'kibana.alert.rule.uuid', + 'kibana.alert.rule.saved_id': 'kibana.alert.rule.saved_id', + 'kibana.alert.rule.timeline_id': 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title': 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.output_index': 'kibana.alert.rule.output_index', + 'kibana.alert.rule.from': 'kibana.alert.rule.from', + 'kibana.alert.rule.index': 'kibana.alert.rule.index', + 'kibana.alert.rule.language': 'kibana.alert.rule.language', + 'kibana.alert.rule.query': 'kibana.alert.rule.query', + 'kibana.alert.rule.to': 'kibana.alert.rule.to', + 'kibana.alert.rule.filters': 'kibana.alert.rule.filters', + 'kibana.alert.rule.rule_id': 'kibana.alert.rule.rule_id', + 'kibana.alert.rule.false_positives': 'kibana.alert.rule.false_positives', + 'kibana.alert.rule.max_signals': 'kibana.alert.rule.max_signals', + 'kibana.alert.rule.risk_score': 'kibana.alert.rule.risk_score', + 'kibana.alert.rule.description': 'kibana.alert.rule.description', + 'kibana.alert.rule.name': 'kibana.alert.rule.name', + 'kibana.alert.rule.immutable': 'kibana.alert.rule.immutable', + 'kibana.alert.rule.references': 'kibana.alert.rule.references', + 'kibana.alert.rule.severity': 'kibana.alert.rule.severity', + 'kibana.alert.rule.tags': 'kibana.alert.rule.tags', + 'kibana.alert.rule.threat': 'kibana.alert.rule.threat', + 'kibana.alert.rule.type': 'kibana.alert.rule.type', + 'kibana.alert.rule.size': 'kibana.alert.rule.size', + 'kibana.alert.rule.enabled': 'kibana.alert.rule.enabled', + 'kibana.alert.rule.created_at': 'kibana.alert.rule.created_at', + 'kibana.alert.rule.updated_at': 'kibana.alert.rule.updated_at', + 'kibana.alert.rule.created_by': 'kibana.alert.rule.created_by', + 'kibana.alert.rule.updated_by': 'kibana.alert.rule.updated_by', + 'kibana.alert.rule.version': 'kibana.alert.rule.version', + 'kibana.alert.rule.note': 'kibana.alert.rule.note', + 'kibana.alert.rule.threshold': 'kibana.alert.rule.threshold', + 'kibana.alert.rule.exceptions_list': 
'kibana.alert.rule.exceptions_list', }; export const ruleFieldsMap: Readonly> = { diff --git a/x-pack/plugins/timelines/common/ecs/index.ts b/x-pack/plugins/timelines/common/ecs/index.ts index 8054b3c8521db..55335a89120e1 100644 --- a/x-pack/plugins/timelines/common/ecs/index.ts +++ b/x-pack/plugins/timelines/common/ecs/index.ts @@ -16,8 +16,6 @@ import { GeoEcs } from './geo'; import { HostEcs } from './host'; import { NetworkEcs } from './network'; import { RegistryEcs } from './registry'; -import { RuleEcs } from './rule'; -import { SignalEcs } from './signal'; import { SourceEcs } from './source'; import { SuricataEcs } from './suricata'; import { TlsEcs } from './tls'; 
@@ -44,8 +42,44 @@ export interface Ecs { host?: HostEcs; network?: NetworkEcs; registry?: RegistryEcs; - rule?: RuleEcs; - signal?: SignalEcs; + 'kibana.alert.building_block_type'?: string[]; + 'kibana.alert.original_time'?: string[]; + 'kibana.alert.workflow_status'?: string[]; + 'kibana.alert.group.id'?: string[]; + 'kibana.alert.threshold_result'?: string[]; + 'kibana.alert.rule.rule_id'?: string[]; + 'kibana.alert.rule.name'?: string[]; + 'kibana.alert.rule.false_positives'?: string[]; + 'kibana.alert.rule.saved_id'?: string[]; + 'kibana.alert.rule.timeline_id'?: string[]; + 'kibana.alert.rule.timeline_title'?: string[]; + 'kibana.alert.rule.max_signals'?: number[]; + 'kibana.alert.rule.risk_score'?: string[]; + 'kibana.alert.rule.output_index'?: string[]; + 'kibana.alert.rule.description'?: string[]; + 'kibana.alert.rule.from'?: string[]; + 'kibana.alert.rule.immutable'?: boolean[]; + 'kibana.alert.rule.index'?: string[]; + 'kibana.alert.rule.interval'?: string[]; + 'kibana.alert.rule.language'?: string[]; + 'kibana.alert.rule.query'?: string[]; + 'kibana.alert.rule.references'?: string[]; + 'kibana.alert.rule.severity'?: string[]; + 'kibana.alert.rule.tags'?: string[]; + 'kibana.alert.rule.threat'?: unknown; + 'kibana.alert.rule.threshold'?: unknown; + 'kibana.alert.rule.type'?: string[]; + 'kibana.alert.rule.size'?: string[]; + 'kibana.alert.rule.to'?: string[]; + 'kibana.alert.rule.enabled'?: boolean[]; + 'kibana.alert.rule.filters'?: unknown; + 'kibana.alert.rule.created_at'?: string[]; + 'kibana.alert.rule.updated_at'?: string[]; + 'kibana.alert.rule.created_by'?: string[]; + 'kibana.alert.rule.updated_by'?: string[]; + 'kibana.alert.rule.uuid'?: string[]; + 'kibana.alert.rule.version'?: string[]; + 'kibana.alert.rule.note'?: string[]; source?: SourceEcs; suricata?: SuricataEcs; tls?: TlsEcs; 
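Review bot: The new members of the `Ecs` interface are spelled as string-literal keys (`'kibana.alert.rule.name'?: string[]`, etc.) even though the same commit reads them through constants such as `ALERT_BUILDING_BLOCK_TYPE` and `ALERT_RULE_RULE_ID` in t_grid/body/helpers.tsx; if those constants are declared with literal types, computed keys like `[ALERT_RULE_NAME]?: string[];` would keep the interface and the accessors from drifting apart. A second point, carried over from the deleted `RuleEcs`: `'kibana.alert.rule.risk_score'?: string[]` is typed as strings while the ueba query builders in this commit run `sum` aggregations on that field, so one of the two is presumably wrong — worth a comment or a `number[]` type once confirmed against the alert mapping. The `Ecs` interface begins before this hunk.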
diff --git a/x-pack/plugins/timelines/common/ecs/rule/index.ts b/x-pack/plugins/timelines/common/ecs/rule/index.ts deleted file mode 100644 index ae7e5064a8ece..0000000000000 --- a/x-pack/plugins/timelines/common/ecs/rule/index.ts +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -export interface RuleEcs { - id?: string[]; - rule_id?: string[]; - name?: string[]; - false_positives?: string[]; - saved_id?: string[]; - timeline_id?: string[]; - timeline_title?: string[]; - max_signals?: number[]; - risk_score?: string[]; - output_index?: string[]; - description?: string[]; - from?: string[]; - immutable?: boolean[]; - index?: string[]; - interval?: string[]; - language?: string[]; - query?: string[]; - references?: string[]; - severity?: string[]; - tags?: string[]; - threat?: unknown; - threshold?: unknown; - type?: string[]; - size?: string[]; - to?: string[]; - enabled?: boolean[]; - filters?: unknown; - created_at?: string[]; - updated_at?: string[]; - created_by?: string[]; - updated_by?: string[]; - version?: string[]; - note?: string[]; - building_block_type?: string[]; -} diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts index 50a3117e53b9b..7a7d99731d76c 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts 
@@ -135,8 +135,8 @@ describe('Events Details Helpers', () => { it('#getDataFromSourceHits', () => { const _source: EventSource = { '@timestamp': '2021-02-24T00:41:06.527Z', - 'signal.status': 'open', - 'signal.rule.name': 'Rawr', + 'kibana.alert.workflow_status': 'open', + 'kibana.alert.rule.name': 'Rawr', 'threat.indicator': [ { provider: 'yourself', @@ -162,14 +162,14 @@ describe('Events Details Helpers', () => { }, { category: 'signal', - field: 'signal.status', + field: 'kibana.alert.workflow_status', values: ['open'], originalValue: ['open'], isObjectArray: false, }, { category: 'signal', - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', values: ['Rawr'], originalValue: ['Rawr'], isObjectArray: false, diff --git a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts index 5d0c8b6fbd000..c32241cb876c4 100644 --- a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts @@ -144,7 +144,7 @@ const getAllFieldsByName = ( keyBy('name', getAllBrowserFields(browserFields)); const linkFields: Record = { - 'signal.rule.name': 'signal.rule.id', + 'kibana.alert.rule.name': 'kibana.alert.rule.uuid', 'event.module': 'rule.reference', }; diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx index eb185792c152f..d4a0fe393a37a 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx @@ -353,7 +353,7 @@ describe('helpers', () => { expect( allowSorting({ browserField: undefined, // no BrowserField metadata for this field - fieldName: 'signal.rule.name', // an allow-listed field name + fieldName: 'kibana.alert.rule.name', // an allow-listed field name }) ).toBe(true); }); 
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx index 8781a88c630df..c0a1965c88a80 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx @@ -5,7 +5,20 @@ * 2.0. */ -import { ALERT_RULE_CONSUMER, ALERT_RULE_PRODUCER } from '@kbn/rule-data-utils'; +import { + ALERT_REASON, + ALERT_RULE_CONSUMER, + ALERT_RULE_NAMESPACE, + ALERT_RULE_PRODUCER, + ALERT_RULE_RULE_ID, + ALERT_WORKFLOW_STATUS, +} from '@kbn/rule-data-utils'; +import { + ALERT_ANCESTORS, + ALERT_BUILDING_BLOCK_TYPE, + ALERT_ORIGINAL_EVENT, + ALERT_ORIGINAL_TIME, +} from '@kbn/securitysolution-rules'; import { isEmpty } from 'lodash/fp'; import { EuiDataGridCellValueElementProps } from '@elastic/eui'; @@ -75,7 +88,7 @@ export const getEventIdToDataMapping = ( }, {}); export const isEventBuildingBlockType = (event: Ecs): boolean => - !isEmpty(event.signal?.rule?.building_block_type); + !isEmpty(event[ALERT_BUILDING_BLOCK_TYPE]); export const isEvenEqlSequence = (event: Ecs): boolean => { if (!isEmpty(event.eql?.sequenceNumber)) { @@ -90,7 +103,7 @@ export const isEvenEqlSequence = (event: Ecs): boolean => { }; /** Return eventType raw or signal or eql */ export const getEventType = (event: Ecs): Omit => { - if (!isEmpty(event.signal?.rule?.id)) { + if (!isEmpty(event[ALERT_RULE_RULE_ID])) { return 'signal'; } else if (!isEmpty(event.eql?.parentId)) { return 'eql'; 
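Review bot: getEventType now decides "signal" from `event[ALERT_RULE_RULE_ID]` (the rule's `rule_id`), whereas everywhere else this commit maps the old `signal.rule.id` to `kibana.alert.rule.uuid` — the `signalFieldsMap`, the drag-and-drop `linkFields`, and `isSecurityAlert` in use_add_to_case.ts, which tests `event?.ecs[ALERT_RULE_UUID]`. A detection alert presumably carries both fields, so this likely works today, but two predicates for "is this a security alert" now key on different fields and can diverge for any document that has one without the other. Suggest `if (!isEmpty(event[ALERT_RULE_UUID])) {` with the import adjusted accordingly, so the same field identifies an alert on both paths.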
@@ -139,75 +152,71 @@ export const allowSorting = ({ const isAggregatable = browserField?.aggregatable ?? false; const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.reason', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 
'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', + ALERT_ORIGINAL_TIME, + ALERT_REASON, + `${ALERT_ANCESTORS}.depth`, + `${ALERT_ANCESTORS}.id`, + `${ALERT_ANCESTORS}.rule`, + `${ALERT_ANCESTORS}.type`, + `${ALERT_ORIGINAL_EVENT}.action`, + `${ALERT_ORIGINAL_EVENT}.category`, + `${ALERT_ORIGINAL_EVENT}.code`, + `${ALERT_ORIGINAL_EVENT}.created`, + `${ALERT_ORIGINAL_EVENT}.dataset`, + `${ALERT_ORIGINAL_EVENT}.duration`, + `${ALERT_ORIGINAL_EVENT}.end`, + `${ALERT_ORIGINAL_EVENT}.hash`, + `${ALERT_ORIGINAL_EVENT}.id`, + `${ALERT_ORIGINAL_EVENT}.kind`, + `${ALERT_ORIGINAL_EVENT}.module`, + `${ALERT_ORIGINAL_EVENT}.original`, + `${ALERT_ORIGINAL_EVENT}.outcome`, + `${ALERT_ORIGINAL_EVENT}.provider`, + `${ALERT_ORIGINAL_EVENT}.risk_score`, + `${ALERT_ORIGINAL_EVENT}.risk_score_norm`, + `${ALERT_ORIGINAL_EVENT}.sequence`, + `${ALERT_ORIGINAL_EVENT}.severity`, + `${ALERT_ORIGINAL_EVENT}.start`, + `${ALERT_ORIGINAL_EVENT}.timezone`, + `${ALERT_ORIGINAL_EVENT}.type`, + `${ALERT_RULE_NAMESPACE}.created_by`, + `${ALERT_RULE_NAMESPACE}.description`, + `${ALERT_RULE_NAMESPACE}.enabled`, + `${ALERT_RULE_NAMESPACE}.false_positives`, + `${ALERT_RULE_NAMESPACE}.filters`, + `${ALERT_RULE_NAMESPACE}.from`, + `${ALERT_RULE_NAMESPACE}.immutable`, + `${ALERT_RULE_NAMESPACE}.index`, + `${ALERT_RULE_NAMESPACE}.interval`, + `${ALERT_RULE_NAMESPACE}.language`, + `${ALERT_RULE_NAMESPACE}.max_signals`, + `${ALERT_RULE_NAMESPACE}.name`, + `${ALERT_RULE_NAMESPACE}.note`, + `${ALERT_RULE_NAMESPACE}.output_index`, + `${ALERT_RULE_NAMESPACE}.query`, + `${ALERT_RULE_NAMESPACE}.references`, + `${ALERT_RULE_NAMESPACE}.risk_score`, + `${ALERT_RULE_NAMESPACE}.rule_id`, + `${ALERT_RULE_NAMESPACE}.saved_id`, + `${ALERT_RULE_NAMESPACE}.severity`, + `${ALERT_RULE_NAMESPACE}.size`, + `${ALERT_RULE_NAMESPACE}.tags`, + `${ALERT_RULE_NAMESPACE}.threat`, + `${ALERT_RULE_NAMESPACE}.threat.tactic.id`, + 
`${ALERT_RULE_NAMESPACE}.threat.tactic.name`, + `${ALERT_RULE_NAMESPACE}.threat.tactic.reference`, + `${ALERT_RULE_NAMESPACE}.threat.technique.id`, + `${ALERT_RULE_NAMESPACE}.threat.technique.name`, + `${ALERT_RULE_NAMESPACE}.threat.technique.reference`, + `${ALERT_RULE_NAMESPACE}.timeline_id`, + `${ALERT_RULE_NAMESPACE}.timeline_title`, + `${ALERT_RULE_NAMESPACE}.to`, + `${ALERT_RULE_NAMESPACE}.type`, + `${ALERT_RULE_NAMESPACE}.updated_by`, + `${ALERT_RULE_NAMESPACE}.uuid`, + `${ALERT_RULE_NAMESPACE}.version`, 'signal.status', + ALERT_WORKFLOW_STATUS, ].includes(fieldName); return isAllowlistedNonBrowserField || isAggregatable; diff --git a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx index c04cc58f453c3..c21b06bee459f 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx @@ -164,8 +164,8 @@ const EventRenderedViewComponent = ({ hideForMobile: false, // eslint-disable-next-line react/display-name render: (name: unknown, item: TimelineItem) => { - const ruleName = get(item, `ecs.signal.rule.name`); /* `ecs.${ALERT_RULE_NAME}`*/ - const ruleId = get(item, `ecs.signal.rule.id`); /* `ecs.${ALERT_RULE_ID}`*/ + const ruleName = get(item, `ecs.kibana.alert.rule.name`); /* `ecs.${ALERT_RULE_NAME}`*/ + const ruleId = get(item, `ecs.kibana.alert.rule.uuid`); /* `ecs.${ALERT_RULE_UUID}`*/ return ; }, }, 
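Review bot: The allow-list in allowSorting is rebuilt as a fresh array of about seventy template literals on every call and then scanned linearly with `includes`; since all entries are constants, it belongs at module level as a `Set`. Hoisting it to `const ALLOWLISTED_NON_BROWSER_FIELDS = new Set<string>([ /* same entries */ ]);` and replacing the lookup with `const isAllowlistedNonBrowserField = ALLOWLISTED_NON_BROWSER_FIELDS.has(fieldName);` keeps behaviour identical and makes the list easier to diff. The literal `'signal.status'` that survives next to `ALERT_WORKFLOW_STATUS` reads as an intentional legacy entry, but it deserves a one-line comment saying so (`// legacy .siem-signals field, kept for pre-migration documents`). allowSorting's signature is outside the hunk.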
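Review bot: `get(item, \`ecs.kibana.alert.rule.name\`)` and `get(item, \`ecs.kibana.alert.rule.uuid\`)` hand lodash a dotted path, which it splits on the dots and walks as nested properties (`item.ecs.kibana.alert.rule.name`); the old `ecs.signal.rule.name` worked because `signal` was a nested object, but the `Ecs` interface in this commit declares these as flat keys (`'kibana.alert.rule.name'?: string[]`), and flat keys are not found by a dotted path. If the ecs object really is flat as the interface says, both lookups return undefined and the rendered rule link is empty; an array path avoids the split: `const ruleName = get(item, ['ecs', ALERT_RULE_NAME]);` and `const ruleId = get(item, ['ecs', ALERT_RULE_UUID]);`, importing the constants the existing comments already reference. The `ecs.kibana.alert.reason` lookup in the next hunk of this file has the same issue.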
@@ -179,7 +179,7 @@ const EventRenderedViewComponent = ({ // eslint-disable-next-line react/display-name render: (name: unknown, item: TimelineItem) => { const ecsData = get(item, 'ecs'); - const reason = get(item, `ecs.signal.reason`); /* `ecs.${ALERT_REASON}`*/ + const reason = get(item, `ecs.kibana.alert.reason`); /* `ecs.${ALERT_REASON}`*/ const rowRenderersValid = rowRenderers.filter((rowRenderer) => rowRenderer.isInstance(ecsData) ); diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx index 789aeeeb187fd..b2cc0e5cb409a 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx @@ -199,14 +199,14 @@ describe('field_items', () => { ...mockBrowserFields, signal: { fields: { - 'signal.rule.name': { + 'kibana.alert.rule.name': { aggregatable: true, category: 'signal', description: 'rule name', example: '', format: '', indexes: ['auditbeat', 'filebeat', 'packetbeat'], - name: 'signal.rule.name', + name: 'kibana.alert.rule.name', searchable: true, type: 'string', }, @@ -235,7 +235,7 @@ describe('field_items', () => { ); wrapper - .find(`[data-test-subj="field-signal.rule.name-checkbox"]`) + .find(`[data-test-subj="field-kibana.alert.rule.name-checkbox"]`) .last() .simulate('change', { target: { checked: true }, @@ -244,7 +244,7 @@ describe('field_items', () => { await waitFor(() => { expect(toggleColumn).toBeCalledWith({ columnHeaderType: 'not-filtered', - id: 'signal.rule.name', + id: 'kibana.alert.rule.name', initialWidth: 180, }); }); diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts index afeb2287da739..e48661eee43b7 100644 --- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts 
+++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts @@ -120,13 +120,13 @@ export const useAddToCase = ({ const isAlert = useMemo(() => { if (event !== undefined) { const data = [...event.data]; - return data.some(({ field }) => field === 'kibana.alert.uuid'); + return data.some(({ field }) => field === 'kibana.alert.instance.id'); } else { return false; } }, [event]); const isSecurityAlert = useMemo(() => { - return !isEmpty(event?.ecs.signal?.rule?.id); + return !isEmpty(event?.ecs[ALERT_RULE_UUID]); }, [event]); const isEventSupported = isSecurityAlert || isAlert; const userCanCrud = casePermissions?.crud ?? false; @@ -251,12 +251,12 @@ export function normalizedEventFields(event?: TimelineItem) { const ruleUuid = ruleUuidValueData ?? get(`ecs.${ALERT_RULE_UUID}[0]`, event) ?? - get(`ecs.signal.rule.id[0]`, event) ?? + get(`ecs.kibana.alert.rule.uuid[0]`, event) ?? null; const ruleName = ruleNameValueData ?? get(`ecs.${ALERT_RULE_NAME}[0]`, event) ?? - get(`ecs.signal.rule.name[0]`, event) ?? + get(`ecs.kibana.alert.rule.name[0]`, event) ?? null; return { diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts index 8e8798d89a64c..52dae4fd7c0e6 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts 
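Review bot: In normalizedEventFields the replaced fallback `get(\`ecs.kibana.alert.rule.uuid[0]\`, event)` is the same path as the lookup immediately above it, `get(\`ecs.${ALERT_RULE_UUID}[0]\`, event)`, given that the commit pairs `ALERT_RULE_UUID` with `kibana.alert.rule.uuid` elsewhere (the event_rendered_view comments); the same holds for the `ALERT_RULE_NAME` / `kibana.alert.rule.name` pair. The third arm of each `??` chain is therefore dead: either delete it, or, if pre-migration signal documents can still reach this hook, keep the original `ecs.signal.rule.id[0]` / `ecs.signal.rule.name[0]` fallbacks so the legacy shape is still normalised. normalizedEventFields begins before this hunk.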
@@ -43,25 +43,25 @@ export const CTI_ROW_RENDERER_FIELDS = [ export const TIMELINE_EVENTS_FIELDS = [ ALERT_RULE_CONSUMER, '@timestamp', - 'signal.status', - 'signal.group.id', - 'signal.original_time', - 'signal.reason', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.language', - 'signal.rule.query', - 'signal.rule.name', - 'signal.rule.to', - 'signal.rule.id', - 'signal.rule.index', - 'signal.rule.type', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.rule.version', - 'signal.rule.severity', - 'signal.rule.risk_score', - 'signal.threshold_result', + 'kibana.alert.status', + 'kibana.alert.group.id', + 'kibana.alert.original_time', + 'kibana.alert.reason', + 'kibana.alert.rule.filters', + 'kibana.alert.rule.from', + 'kibana.alert.rule.language', + 'kibana.alert.rule.query', + 'kibana.alert.rule.name', + 'kibana.alert.rule.to', + 'kibana.alert.rule.index', + 'kibana.alert.rule.type', + 'kibana.alert.rule.uuid', + 'kibana.alert.original_event.kind', + 'kibana.alert.original_event.module', + 'kibana.alert.rule.version', + 'kibana.alert.rule.severity', + 'kibana.alert.rule.risk_score', + 'kibana.alert.threshold_result', 'event.code', 'event.module', 'event.action', @@ -172,14 +172,14 @@ export const TIMELINE_EVENTS_FIELDS = [ 'endgame.target_domain_name', 'endgame.target_logon_id', 'endgame.target_user_name', - 'signal.rule.saved_id', - 'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.output_index', - 'signal.rule.note', - 'signal.rule.threshold', - 'signal.rule.exceptions_list', - 'signal.rule.building_block_type', + 'kibana.alert.rule.saved_id', + 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.output_index', + 'kibana.alert.rule.note', + 'kibana.alert.rule.threshold', + 'kibana.alert.rule.exceptions_list', + 'kibana.alert.rule.building_block_type', 'suricata.eve.proto', 'suricata.eve.flow_id', 'suricata.eve.alert.signature', 
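Review bot: `TIMELINE_EVENTS_FIELDS` now mixes one constant (`ALERT_RULE_CONSUMER`) with 27 hand-written `kibana.alert.*` literals, while the integration-test counterpart `getFieldsToRequest` in `x-pack/test/api_integration/apis/security_solution/utils.ts` (later in this diff) builds the same list from `ALERT_WORKFLOW_STATUS`, `ALERT_GROUP_ID`, `${ALERT_RULE_NAMESPACE}.…` and friends; deriving this list from the same constants would keep the server and the tests from drifting. The two lists already disagree on one entry: this file requests `'kibana.alert.rule.uuid'` where the test list and the `fields` fixture in `helpers.test.ts` use `${ALERT_RULE_NAMESPACE}.id`, which appears to be a mechanical rename of `signal.rule.id` rather than a field that exists in the new schema (the fixture's `_source.rule` carries `uuid`, not `id`). Please confirm which name the alerts index actually holds and align the three hunks. The second hunk of this file (`saved_id` … `building_block_type`) has the same literal-vs-constant issue.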
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index 4fb67cc3a7974..a49b3535df5e6 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts @@ -5,7 +5,19 @@ * 2.0. */ +import { + ALERT_RULE_NAMESPACE, + ALERT_WORKFLOW_STATUS, + EVENT_KIND, + TIMESTAMP, +} from '@kbn/rule-data-utils'; +import { + ALERT_ANCESTORS, + ALERT_ORIGINAL_TIME, + flattenWithPrefix, +} from '@kbn/securitysolution-rules'; import { eventHit } from '@kbn/securitysolution-t-grid'; + import { EventHit } from '../../../../../../common/search_strategy'; import { TIMELINE_EVENTS_FIELDS } from './constants'; import { buildObjectForFieldPath, formatTimelineData } from './helpers'; @@ -14,7 +26,7 @@ describe('#formatTimelineData', () => { it('happy path', async () => { const res = await formatTimelineData( [ - '@timestamp', + TIMESTAMP, 'host.name', 'destination.ip', 'source.ip', @@ -34,7 +46,7 @@ describe('#formatTimelineData', () => { _index: 'auditbeat-7.8.0-2020.11.05-000003', data: [ { - field: '@timestamp', + field: TIMESTAMP, value: ['2020-11-17T14:48:08.922Z'], }, { @@ -51,7 +63,7 @@ describe('#formatTimelineData', () => { }, ], ecs: { - '@timestamp': ['2020-11-17T14:48:08.922Z'], + [TIMESTAMP]: ['2020-11-17T14:48:08.922Z'], _id: 'tkCt1nUBaEgqnrVSZ8R_', _index: 'auditbeat-7.8.0-2020.11.05-000003', agent: { 
@@ -131,152 +143,131 @@ describe('#formatTimelineData', () => { _id: 'a77040f198355793c35bf22b900902371309be615381f0a2ec92c208b6132562', _score: 0, _source: { - signal: { - threshold_result: { - count: 10000, - value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - }, - parent: { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', - }, - depth: 1, - _meta: { - version: 14, + threshold_result: { + count: 10000, + value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', + }, + depth: 1, + rule: flattenWithPrefix(ALERT_RULE_NAMESPACE, { + note: null, + throttle: null, + references: [], + severity_mapping: [], + description: 'asdasd', + created_at: '2021-01-09T11:25:45.046Z', + language: 'kuery', + threshold: { + field: '', + value: 200, }, - rule: { - note: null, - throttle: null, - references: [], - severity_mapping: [], - description: 'asdasd', - created_at: '2021-01-09T11:25:45.046Z', - language: 'kuery', - threshold: { - field: '', - value: 200, - }, - building_block_type: null, - output_index: '.siem-signals-patrykkopycinski-default', - type: 'threshold', - rule_name_override: null, - enabled: true, - exceptions_list: [], - updated_at: '2021-01-09T13:36:39.204Z', - timestamp_override: null, - from: 'now-360s', - id: '696c24e0-526d-11eb-836c-e1620268b945', - timeline_id: null, - max_signals: 100, - severity: 'low', - risk_score: 21, - risk_score_mapping: [], - author: [], - query: '_id :*', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - ], - filters: [ - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: null, - disabled: false, - type: 'exists', - value: 'exists', - key: '_index', - }, - exists: { - field: '_index', - }, + building_block_type: null, + output_index: '.siem-signals-patrykkopycinski-default', + type: 
'threshold', + rule_name_override: null, + enabled: true, + exceptions_list: [], + updated_at: '2021-01-09T13:36:39.204Z', + timestamp_override: null, + from: 'now-360s', + uuid: '696c24e0-526d-11eb-836c-e1620268b945', + timeline_id: null, + max_signals: 100, + severity: 'low', + risk_score: 21, + risk_score_mapping: [], + author: [], + query: '_id :*', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filters: [ + { + $state: { + store: 'appState', }, - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: 'id_exists', - disabled: false, - type: 'exists', - value: 'exists', - key: '_id', - }, - exists: { - field: '_id', - }, + meta: { + negate: false, + alias: null, + disabled: false, + type: 'exists', + value: 'exists', + key: '_index', + }, + exists: { + field: '_index', }, - ], - created_by: 'patryk_test_user', - version: 1, - saved_id: null, - tags: [], - rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - license: '', - immutable: false, - timeline_title: null, - meta: { - from: '1m', - kibana_siem_app_url: 'http://localhost:5601/app/security', - }, - name: 'Threshold test', - updated_by: 'patryk_test_user', - interval: '5m', - false_positives: [], - to: 'now', - threat: [], - actions: [], - }, - original_time: '2021-01-09T13:39:32.595Z', - ancestors: [ - { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', }, - ], - parents: [ { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: 'id_exists', + disabled: false, + type: 'exists', + value: 'exists', + key: '_id', + }, + exists: { + field: '_id', + }, 
}, ], - status: 'open', - }, + created_by: 'patryk_test_user', + version: 1, + saved_id: null, + tags: [], + rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', + license: '', + immutable: false, + timeline_title: null, + meta: { + from: '1m', + kibana_siem_app_url: 'http://localhost:5601/app/security', + }, + name: 'Threshold test', + updated_by: 'patryk_test_user', + interval: '5m', + false_positives: [], + to: 'now', + threat: [], + actions: [], + }), + [ALERT_ORIGINAL_TIME]: '2021-01-09T13:39:32.595Z', + [ALERT_ANCESTORS]: [ + { + depth: 0, + index: + 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', + id: '0268af90-d8da-576a-9747-2a191519416a', + type: 'event', + }, + ], + [ALERT_WORKFLOW_STATUS]: 'open', }, fields: { - 'signal.rule.output_index': ['.siem-signals-patrykkopycinski-default'], - 'signal.rule.from': ['now-360s'], - 'signal.rule.language': ['kuery'], - '@timestamp': ['2021-01-09T13:41:40.517Z'], - 'signal.rule.query': ['_id :*'], - 'signal.rule.type': ['threshold'], - 'signal.rule.id': ['696c24e0-526d-11eb-836c-e1620268b945'], - 'signal.rule.risk_score': [21], - 'signal.status': ['open'], - 'event.kind': ['signal'], - 'signal.original_time': ['2021-01-09T13:39:32.595Z'], - 'signal.rule.severity': ['low'], - 'signal.rule.version': ['1'], - 'signal.rule.index': [ + [`${ALERT_RULE_NAMESPACE}.output_index`]: ['.siem-signals-patrykkopycinski-default'], + [`${ALERT_RULE_NAMESPACE}.from`]: ['now-360s'], + [`${ALERT_RULE_NAMESPACE}.language`]: ['kuery'], + [TIMESTAMP]: ['2021-01-09T13:41:40.517Z'], + [`${ALERT_RULE_NAMESPACE}.query`]: ['_id :*'], + [`${ALERT_RULE_NAMESPACE}.type`]: ['threshold'], + [`${ALERT_RULE_NAMESPACE}.id`]: ['696c24e0-526d-11eb-836c-e1620268b945'], + [`${ALERT_RULE_NAMESPACE}.risk_score`]: [21], + [ALERT_WORKFLOW_STATUS]: ['open'], + [EVENT_KIND]: ['signal'], + [ALERT_ORIGINAL_TIME]: ['2021-01-09T13:39:32.595Z'], + [`${ALERT_RULE_NAMESPACE}.severity`]: ['low'], + 
[`${ALERT_RULE_NAMESPACE}.version`]: ['1'], + [`${ALERT_RULE_NAMESPACE}.index`]: [ 'apm-*-transaction*', 'traces-apm*', 'auditbeat-*', @@ -286,8 +277,8 @@ describe('#formatTimelineData', () => { 'packetbeat-*', 'winlogbeat-*', ], - 'signal.rule.name': ['Threshold test'], - 'signal.rule.to': ['now'], + [`${ALERT_RULE_NAMESPACE}.name`]: ['Threshold test'], + [`${ALERT_RULE_NAMESPACE}.to`]: ['now'], }, _type: '', sort: ['1610199700517'], @@ -295,7 +286,7 @@ describe('#formatTimelineData', () => { expect( await formatTimelineData( - ['@timestamp', 'host.name', 'destination.ip', 'source.ip'], + [TIMESTAMP, 'host.name', 'destination.ip', 'source.ip'], TIMELINE_EVENTS_FIELDS, response ) @@ -309,12 +300,12 @@ describe('#formatTimelineData', () => { _index: '.siem-signals-patrykkopycinski-default-000007', data: [ { - field: '@timestamp', + field: TIMESTAMP, value: ['2021-01-09T13:41:40.517Z'], }, ], ecs: { - '@timestamp': ['2021-01-09T13:41:40.517Z'], + [TIMESTAMP]: ['2021-01-09T13:41:40.517Z'], timestamp: '2021-01-09T13:41:40.517Z', _id: 'a77040f198355793c35bf22b900902371309be615381f0a2ec92c208b6132562', _index: '.siem-signals-patrykkopycinski-default-000007', @@ -402,16 +393,16 @@ describe('#formatTimelineData', () => { describe('buildObjectForFieldPath', () => { it('builds an object from a single non-nested field', () => { - expect(buildObjectForFieldPath('@timestamp', eventHit)).toEqual({ - '@timestamp': ['2020-11-17T14:48:08.922Z'], + expect(buildObjectForFieldPath(TIMESTAMP, eventHit)).toEqual({ + [TIMESTAMP]: ['2020-11-17T14:48:08.922Z'], }); }); it('builds an object with no fields response', () => { const { fields, ...fieldLessHit } = eventHit; // @ts-expect-error fieldLessHit is intentionally missing fields - expect(buildObjectForFieldPath('@timestamp', fieldLessHit)).toEqual({ - '@timestamp': [], + expect(buildObjectForFieldPath(TIMESTAMP, fieldLessHit)).toEqual({ + [TIMESTAMP]: [], }); }); 
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts index 72a7d6e2692e8..3f964320a7169 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts @@ -83,7 +83,7 @@ export const buildTimelineEventsAllQuery = ({ track_total_hits: true, sort: getSortField(sort), fields, - _source: ['signal.*'], + _source: ['kibana.alert.*'], }, }; diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 990a42ffe7a5f..8962a242199d5 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -20610,7 +20610,7 @@ "xpack.securitySolution.alerts.riskScoreMapping.defaultRiskScoreTitle": "デフォルトリスクスコア", "xpack.securitySolution.alerts.riskScoreMapping.mappingDescriptionLabel": "ソースイベント値を使用して、デフォルトリスクスコアを上書きします。", "xpack.securitySolution.alerts.riskScoreMapping.mappingDetailsLabel": "値が境界外の場合、またはフィールドがない場合は、デフォルトリスクスコアが使用されます。", - "xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle": "signal.rule.risk_score", + "xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle": "kibana.alert.rule.risk_score", "xpack.securitySolution.alerts.riskScoreMapping.riskScoreMappingTitle": "リスクスコア無効化", "xpack.securitySolution.alerts.riskScoreMapping.riskScoreTitle": "リスクスコア", "xpack.securitySolution.alerts.riskScoreMapping.sourceFieldTitle": "ソースフィールド", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index e150b474be207..b943dc6880b19 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json 
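Review bot: The `_source` filter is the one place in this query that is written as a raw string, `'kibana.alert.*'`, while the field list it is paired with is built from `TIMELINE_EVENTS_FIELDS`; `ALERT_NAMESPACE` from `@kbn/rule-data-utils` (already used by the new `constants.ts` in this diff) gives `_source: [`${ALERT_NAMESPACE}.*`],` and ties the source filter to the same rename as everything else. `buildTimelineEventsAllQuery` starts outside the hunk.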
@@ -20917,7 +20917,7 @@ "xpack.securitySolution.alerts.riskScoreMapping.defaultRiskScoreTitle": "默认风险分数", "xpack.securitySolution.alerts.riskScoreMapping.mappingDescriptionLabel": "使用源事件值覆盖默认风险分数。", "xpack.securitySolution.alerts.riskScoreMapping.mappingDetailsLabel": "如果值超出范围,或字段不存在,将使用默认风险分数。", - "xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle": "signal.rule.risk_score", + "xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle": "kibana.alert.rule.risk_score", "xpack.securitySolution.alerts.riskScoreMapping.riskScoreMappingTitle": "风险分数覆盖", "xpack.securitySolution.alerts.riskScoreMapping.riskScoreTitle": "风险分数", "xpack.securitySolution.alerts.riskScoreMapping.sourceFieldTitle": "源字段", diff --git a/x-pack/test/api_integration/apis/security_solution/utils.ts b/x-pack/test/api_integration/apis/security_solution/utils.ts index 79d5ef499deb2..16efc1d08dc8c 100644 --- a/x-pack/test/api_integration/apis/security_solution/utils.ts +++ b/x-pack/test/api_integration/apis/security_solution/utils.ts @@ -7,6 +7,14 @@ import { ApiResponse, estypes } from '@elastic/elasticsearch'; import { KibanaClient } from '@elastic/elasticsearch/api/kibana'; +import { + ALERT_BUILDING_BLOCK_TYPE, + ALERT_GROUP_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_TIME, +} from '@kbn/securitysolution-rules'; +import { ALERT_RULE_NAMESPACE, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { JsonObject, JsonArray } from '@kbn/utility-types'; export async function getSavedObjectFromES( 
@@ -76,21 +84,21 @@ export const getFieldsToRequest = (): string[] => [ 'destination.ip', 'user.name', '@timestamp', - 'signal.status', - 'signal.group.id', - 'signal.original_time', - 'signal.rule.building_block_type', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.language', - 'signal.rule.query', - 'signal.rule.name', - 'signal.rule.to', - 'signal.rule.id', - 'signal.rule.index', - 'signal.rule.type', - 'signal.original_event.kind', - 'signal.original_event.module', + ALERT_WORKFLOW_STATUS, + ALERT_GROUP_ID, + ALERT_ORIGINAL_TIME, + ALERT_BUILDING_BLOCK_TYPE, + `${ALERT_RULE_NAMESPACE}.filters`, + `${ALERT_RULE_NAMESPACE}.from`, + `${ALERT_RULE_NAMESPACE}.language`, + `${ALERT_RULE_NAMESPACE}.query`, + `${ALERT_RULE_NAMESPACE}.name`, + `${ALERT_RULE_NAMESPACE}.to`, + `${ALERT_RULE_NAMESPACE}.id`, + `${ALERT_RULE_NAMESPACE}.index`, + `${ALERT_RULE_NAMESPACE}.type`, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, 'file.path', 'file.Ext.code_signature.subject_name', 'file.Ext.code_signature.trusted', diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts index 2b0efd84aa8f5..49ea1e3bde1ed 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/patch_cases.ts 
@@ -592,10 +592,10 @@ export default ({ getService }: FtrProviderContext): void => { }); // There should be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( CaseStatuses.open ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( CaseStatuses.open ); @@ -626,10 +626,10 @@ export default ({ getService }: FtrProviderContext): void => { }); // There should still be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( CaseStatuses.open ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( CaseStatuses.open ); @@ -655,10 +655,10 @@ export default ({ getService }: FtrProviderContext): void => { }); // alerts should be updated now that the - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( CaseStatuses.closed ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( + expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS]).to.be( 'acknowledged' ); }); 
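Review bot: The rewritten `expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS]).to.be(` lines are left on one line here while the identical statements in `update_alert_status.ts` and `patch_sub_cases.ts` later in this diff were re-wrapped as `expect(\n  …?._source?.[ALERT_WORKFLOW_STATUS]\n).to.be(CaseStatuses.open);`, so this file likely fails the Prettier check that the others pass; the same applies to the `-626` and `-655` hunks of this file. Separately, no hunk in this diff adds `import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';` to `patch_cases.ts`, unlike the other two test files — if the import is not already present above line 592, these assertions will not compile.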
@@ -727,10 +727,10 @@ export default ({ getService }: FtrProviderContext): void => { let signals = await getSignals(); // There should be no change in their status since syncing is disabled expect( - signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.signal.status + signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.open); expect( - signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.signal.status + signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.open); const updatedIndWithStatus: CasesResponse = (await setStatus({ @@ -751,10 +751,10 @@ export default ({ getService }: FtrProviderContext): void => { // There should still be no change in their status since syncing is disabled expect( - signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.signal.status + signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.open); expect( - signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.signal.status + signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.open); // turn on the sync settings 
@@ -776,15 +776,15 @@ export default ({ getService }: FtrProviderContext): void => { // alerts should be updated now that the expect( - signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.signal.status + signals.get(defaultSignalsIndex)?.get(signalIDInFirstIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.closed); expect( - signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.signal.status + signals.get(signalsIndex2)?.get(signalIDInSecondIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.closed); // the duplicate signal id in the other index should not be affect (so its status should be open) expect( - signals.get(defaultSignalsIndex)?.get(signalIDInSecondIndex)?._source?.signal.status + signals.get(defaultSignalsIndex)?.get(signalIDInSecondIndex)?._source?.[ALERT_WORKFLOW_STATUS] ).to.be(CaseStatuses.open); }); }); @@ -852,7 +852,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('acknowledged'); + expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql('acknowledged'); }); it('does NOT updates alert status when the status is updated and syncAlerts=false', async () => { @@ -905,7 +905,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('open'); + expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql('open'); }); it('it updates alert status when syncAlerts is turned on', async () => { 
@@ -976,7 +976,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source?.signal.status).eql('acknowledged'); + expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql('acknowledged'); }); it('it does NOT updates alert status when syncAlerts is turned off', async () => { @@ -1040,7 +1040,7 @@ export default ({ getService }: FtrProviderContext): void => { .send(getQuerySignalIds([alert._id])) .expect(200); - expect(updatedAlert.hits.hits[0]._source.signal.status).eql('open'); + expect(updatedAlert.hits.hits[0]._source.[ALERT_WORKFLOW_STATUS]).eql('open'); }); }); }); diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts index d2949c9728989..8f9a61305149c 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/client/update_alert_status.ts @@ -6,6 +6,7 @@ */ import expect from '@kbn/expect'; +import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { FtrProviderContext } from '../../../../common/ftr_provider_context'; import { postCaseReq } from '../../../../common/lib/mock'; 
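Review bot: The `-1040` hunk introduces a syntax error: `updatedAlert.hits.hits[0]._source.[ALERT_WORKFLOW_STATUS]` uses `.[` (a dot followed by a bracket), which is not valid member access — only `?.[` or plain `[` is. The other three hunks in this file (`-852`, `-905`, `-976`) use `_source?.[ALERT_WORKFLOW_STATUS]`, so this line should read `expect(updatedAlert.hits.hits[0]._source?.[ALERT_WORKFLOW_STATUS]).eql('open');` for consistency with them. A mechanical search-and-replace of `.signal.status` is the probable cause; a grep for `\.\[` across the diff would catch any other instance.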
@@ -86,12 +87,12 @@ export default ({ getService }: FtrProviderContext): void => { }); // There should be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); // does NOT updates alert status when the status is updated and syncAlerts=false // this performs the cases update through the test plugin that leverages the cases client instead @@ -124,12 +125,12 @@ export default ({ getService }: FtrProviderContext): void => { }); // There should still be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); // it updates alert status when syncAlerts is turned on // turn on the sync settings 
@@ -156,12 +157,12 @@ export default ({ getService }: FtrProviderContext): void => { }); // alerts should be updated now that the - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.closed - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - 'acknowledged' - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.closed); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be('acknowledged'); }); }); }; diff --git a/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts b/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts index 340fdfbf77de1..a0066b1c6b7c0 100644 --- a/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts +++ b/x-pack/test/case_api_integration/security_and_spaces/tests/common/sub_cases/patch_sub_cases.ts @@ -5,6 +5,7 @@ * 2.0. */ import expect from '@kbn/expect'; +import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { FtrProviderContext } from '../../../../../common/ftr_provider_context'; import { @@ -108,9 +109,9 @@ export default function ({ getService }: FtrProviderContext) { let signals = await getSignalsWithES({ es, indices: defaultSignalsIndex, ids: signalID }); - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); await setStatus({ supertest, 
@@ -128,9 +129,9 @@ export default function ({ getService }: FtrProviderContext) { signals = await getSignalsWithES({ es, indices: defaultSignalsIndex, ids: signalID }); - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - 'acknowledged' - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be('acknowledged'); }); it('should update the status of multiple alerts attached to a sub case', async () => { @@ -169,12 +170,12 @@ export default function ({ getService }: FtrProviderContext) { ids: [signalID, signalID2], }); - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); await setStatus({ supertest, @@ -196,12 +197,12 @@ export default function ({ getService }: FtrProviderContext) { ids: [signalID, signalID2], }); - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses['in-progress'] - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - 'acknowledged' - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses['in-progress']); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be('acknowledged'); }); it('should update the status of multiple alerts attached to multiple sub cases in one collection', async () => { 
@@ -259,12 +260,12 @@ export default function ({ getService }: FtrProviderContext) { }); // There should be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); await setStatus({ supertest, @@ -287,12 +288,12 @@ export default function ({ getService }: FtrProviderContext) { }); // There still should be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); // Turn sync alerts on await supertest 
@@ -317,12 +318,12 @@ export default function ({ getService }: FtrProviderContext) { ids: [signalID, signalID2], }); - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.closed - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - 'acknowledged' - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.closed); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be('acknowledged'); }); it('should update the status of alerts attached to a case and sub case when sync settings is turned on', async () => { @@ -382,12 +383,12 @@ export default function ({ getService }: FtrProviderContext) { }); // There should be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); await setStatus({ supertest, 
@@ -424,12 +425,12 @@ export default function ({ getService }: FtrProviderContext) { }); // There should still be no change in their status since syncing is disabled - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - CaseStatuses.open - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.open - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.open); // Turn sync alerts on await supertest @@ -469,12 +470,12 @@ export default function ({ getService }: FtrProviderContext) { }); // alerts should be updated now that the - expect(signals.get(defaultSignalsIndex)?.get(signalID)?._source?.signal.status).to.be( - 'acknowledged' - ); - expect(signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.signal.status).to.be( - CaseStatuses.closed - ); + expect( + signals.get(defaultSignalsIndex)?.get(signalID)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be('acknowledged'); + expect( + signals.get(defaultSignalsIndex)?.get(signalID2)?._source?.[ALERT_WORKFLOW_STATUS] + ).to.be(CaseStatuses.closed); }); it('404s when sub case id is invalid', async () => { diff --git a/x-pack/test/detection_engine_api_integration/basic/tests/query_signals.ts b/x-pack/test/detection_engine_api_integration/basic/tests/query_signals.ts index 53225e4ea2ce0..f571f2f7b8d0d 100644 --- a/x-pack/test/detection_engine_api_integration/basic/tests/query_signals.ts +++ b/x-pack/test/detection_engine_api_integration/basic/tests/query_signals.ts @@ -6,6 +6,8 @@ */ import expect from '@kbn/expect'; +import { ALERT_RULE_RULE_ID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_BUILDING_BLOCK_TYPE } from '@kbn/securitysolution-rules'; import { DETECTION_ENGINE_QUERY_SIGNALS_URL, 
@@ -92,7 +94,7 @@ export default ({ getService }: FtrProviderContext) => {
 const query = {
 query: {
 bool: {
- should: [{ match_phrase: { 'kibana.alert.workflow_status': 'open' } }],
+ should: [{ match_phrase: { [ALERT_WORKFLOW_STATUS]: 'open' } }],
 },
 },
 };
@@ -186,13 +188,13 @@ export default ({ getService }: FtrProviderContext) => {
 filter: [
 {
 match_phrase: {
- 'signal.rule.id': 'c76f1a10-ffb6-11eb-8914-9b237bf6808c',
+ [ALERT_RULE_RULE_ID]: 'c76f1a10-ffb6-11eb-8914-9b237bf6808c',
 },
 },
- { term: { 'signal.status': 'open' } },
+ { term: { [ALERT_WORKFLOW_STATUS]: 'open' } },
 ],
 should: [],
- must_not: [{ exists: { field: 'signal.rule.building_block_type' } }],
+ must_not: [{ exists: { field: ALERT_BUILDING_BLOCK_TYPE } }],
 },
 },
 {
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts
index 253a58c7ca867..337e5bced309c 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_ml.ts
@@ -12,6 +12,12 @@ import {
 ALERT_RULE_UPDATED_AT,
 ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_DEPTH,
+ ALERT_ORIGINAL_TIME,
+ flattenWithPrefix,
+} from '@kbn/securitysolution-rules';
 import { MachineLearningCreateSchema } from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
@@ -29,12 +35,6 @@ import {
 deleteListsIndex,
 importFile,
 } from '../../../lists_api_integration/utils';
-import { flattenWithPrefix } from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix';
-import {
- ALERT_ANCESTORS,
- ALERT_DEPTH,
- ALERT_ORIGINAL_TIME,
-} from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names';
 // eslint-disable-next-line import/no-default-export
 export default ({ getService }: FtrProviderContext) => {
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
index ad1e51a90a8e3..b55db50316a89 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/create_threat_matching.ts
@@ -8,6 +8,12 @@
 import { get, isEqual } from 'lodash';
 import expect from '@kbn/expect';
 import { ALERT_REASON, ALERT_RULE_UUID, ALERT_STATUS } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_DEPTH,
+ ALERT_ORIGINAL_EVENT,
+ ALERT_ORIGINAL_TIME,
+} from '@kbn/securitysolution-rules';
 import { CreateRulesSchema } from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
 import { DETECTION_ENGINE_RULES_STATUS_URL } from '../../../../plugins/security_solution/common/constants';
@@ -26,12 +32,6 @@ import {
 import { getCreateThreatMatchRulesSchemaMock } from '../../../../plugins/security_solution/common/detection_engine/schemas/request/rule_schemas.mock';
 import { getThreatMatchingSchemaPartialMock } from '../../../../plugins/security_solution/common/detection_engine/schemas/response/rules_schema.mocks';
 import { ENRICHMENT_TYPES } from '../../../../plugins/security_solution/common/cti/constants';
-import {
- ALERT_ANCESTORS,
- ALERT_DEPTH,
- ALERT_ORIGINAL_EVENT,
- ALERT_ORIGINAL_TIME,
-} from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names';
 import { Ancestor } from '../../../../plugins/security_solution/server/lib/detection_engine/signals/types';
 const format = (value: unknown): string => JSON.stringify(value, null, 2);
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
index 659d17e00dd06..9d1ae1c9106eb 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
@@ -20,6 +20,15 @@ import {
 EVENT_ACTION,
 EVENT_KIND,
 } from '@kbn/rule-data-utils';
+import {
+ ALERT_ANCESTORS,
+ ALERT_DEPTH,
+ ALERT_ORIGINAL_TIME,
+ flattenWithPrefix,
+ ALERT_ORIGINAL_EVENT,
+ ALERT_ORIGINAL_EVENT_CATEGORY,
+ ALERT_GROUP_ID,
+} from '@kbn/securitysolution-rules';
 import { orderBy, get } from 'lodash';
@@ -29,6 +38,7 @@ import {
 SavedQueryCreateSchema,
 ThresholdCreateSchema,
 } from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
+import { Ancestor } from '../../../../plugins/security_solution/server/lib/detection_engine/signals/types';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import {
 createRule,
@@ -45,16 +55,6 @@ import {
 waitForRuleSuccessOrStatus,
 waitForSignalsToBePresent,
 } from '../../utils';
-import {
- ALERT_ANCESTORS,
- ALERT_DEPTH,
- ALERT_GROUP_ID,
- ALERT_ORIGINAL_EVENT,
- ALERT_ORIGINAL_EVENT_CATEGORY,
- ALERT_ORIGINAL_TIME,
-} from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names';
-import { Ancestor } from '../../../../plugins/security_solution/server/lib/detection_engine/signals/types';
-import { flattenWithPrefix } from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/flatten_with_prefix';
 /**
 * Specific _id to use for some of the tests. If the archiver changes and you see errors
@@ -954,7 +954,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 4, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id]);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 return signalsOrderedByEventId;
 };
@@ -1117,7 +1117,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 1, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id], 1);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 const fullSignal = signalsOrderedByEventId[0];
 if (!fullSignal) {
 return expect(fullSignal).to.be.ok();
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/timestamps.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/timestamps.ts
index d83d61723ced6..7d591a079c558 100644
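Review bot: The new sort key `'kibana.alert.ancestors.id'` in the -954 and -1117 hunks most likely resolves to `undefined` for every hit, because lodash's `orderBy` path lookup does not descend into array elements and the `Ancestor` type imported at -29 suggests `kibana.alert.ancestors` is an array of ancestor objects rather than a single object like the old `signal.parent`. With every key undefined the order falls back to the Elasticsearch hit order, so `signalsOrderedByEventId[0]` at -1117 can pick a different alert from run to run. If the intent is to sort by the immediate parent, address the first ancestor explicitly and reuse the constant the file already imports, e.g. `` orderBy(signals, `${ALERT_ANCESTORS}[0].id`, 'asc') ``. The same string appears in timestamps.ts at the -172, -186, -202 and -240 hunks; the enclosing test callbacks start outside these hunks.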
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/timestamps.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/timestamps.ts
@@ -6,12 +6,12 @@
 */
 import expect from '@kbn/expect';
+import { ALERT_ORIGINAL_TIME } from '@kbn/securitysolution-rules';
 import { orderBy } from 'lodash';
 import {
 EqlCreateSchema,
 QueryCreateSchema,
 } from '../../../../plugins/security_solution/common/detection_engine/schemas/request';
-import { ALERT_ORIGINAL_TIME } from '../../../../plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names';
 import { FtrProviderContext } from '../../common/ftr_provider_context';
 import {
@@ -33,7 +33,7 @@ export default ({ getService }: FtrProviderContext) => {
 /**
 * Tests around timestamps within signals such as the copying of timestamps correctly into
- * the "signal.original_time" field, ensuring that timestamp overrides operate, and ensuring that
+ * the "kibana.alert.original_time" field, ensuring that timestamp overrides operate, and ensuring that
 * partial errors happen correctly
 */
 describe('timestamp tests', () => {
@@ -172,7 +172,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 3, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id], 3);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 expect(signalsOrderedByEventId.length).equal(3);
 });
@@ -186,7 +186,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 2, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id]);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 expect(signalsOrderedByEventId.length).equal(2);
 });
@@ -202,7 +202,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 2, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id, id]);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 expect(signalsOrderedByEventId.length).equal(2);
 });
@@ -240,7 +240,7 @@ export default ({ getService }: FtrProviderContext) => {
 await waitForSignalsToBePresent(supertest, 2, [id]);
 const signalsResponse = await getSignalsByIds(supertest, [id]);
 const signals = signalsResponse.hits.hits.map((hit) => hit._source);
- const signalsOrderedByEventId = orderBy(signals, 'signal.parent.id', 'asc');
+ const signalsOrderedByEventId = orderBy(signals, 'kibana.alert.ancestors.id', 'asc');
 expect(signalsOrderedByEventId.length).equal(2);
 });
diff --git a/x-pack/test/detection_engine_api_integration/utils.ts b/x-pack/test/detection_engine_api_integration/utils.ts
index 225d97dc45a07..fe79f92489892 100644
--- a/x-pack/test/detection_engine_api_integration/utils.ts
+++ b/x-pack/test/detection_engine_api_integration/utils.ts
@@ -10,7 +10,7 @@ import type { ApiResponse } from '@elastic/elasticsearch';
 import { Context } from '@elastic/elasticsearch/lib/Transport';
 import type { estypes } from '@elastic/elasticsearch';
 import type { KibanaClient } from '@elastic/elasticsearch/api/kibana';
-import { ALERT_RULE_RULE_ID, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { ALERT_RULE_RULE_ID, ALERT_RULE_UUID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import type SuperTest from 'supertest';
 import type {
@@ -241,7 +241,7 @@ export const getSimpleMlRuleUpdate = (ruleId = 'rule-1', enabled = false): Updat
 });
 export const getSignalStatus = () => ({
- aggs: { statuses: { terms: { field: 'signal.status', size: 10 } } },
+ aggs: { statuses: { terms: { field: ALERT_WORKFLOW_STATUS, size: 10 } } },
 });
 export const getQueryAllSignals = () => ({
diff --git a/x-pack/test/functional/es_archives/cases/signals/default/mappings.json b/x-pack/test/functional/es_archives/cases/signals/default/mappings.json
index 83d67d913f589..a0148deb4438f 100644
--- a/x-pack/test/functional/es_archives/cases/signals/default/mappings.json
+++ b/x-pack/test/functional/es_archives/cases/signals/default/mappings.json
@@ -1572,135 +1572,135 @@ "ancestors": { "properties": { "depth": { - "path": "signal.ancestors.depth", + "path": "kibana.alert.ancestors.depth", "type": "alias" }, "id": { - "path": "signal.ancestors.id", + "path": "kibana.alert.ancestors.id", "type": "alias" }, "index": { - "path": "signal.ancestors.index", + "path": "kibana.alert.ancestors.index", "type": "alias" }, "type": { - "path": "signal.ancestors.type", + "path": "kibana.alert.ancestors.type", "type": "alias" } } }, "depth": { - "path": "signal.depth", + "path": "kibana.alert.depth", "type": "alias" }, "original_event": { "properties": { "action": { - "path": "signal.original_event.action", + "path": "kibana.alert.original_event.action", "type": "alias" }, "category": { - "path": "signal.original_event.category", + "path": "kibana.alert.original_event.category", "type": "alias" }, "code": { - "path": "signal.original_event.code", + "path": "kibana.alert.original_event.code", "type": "alias" }, "created": { - "path": "signal.original_event.created", + "path": "kibana.alert.original_event.created", "type": "alias" }, "dataset": { - "path": "signal.original_event.dataset", + "path": "kibana.alert.original_event.dataset", "type": "alias" }, "duration": { - "path": "signal.original_event.duration", + "path": "kibana.alert.original_event.duration", "type": "alias" }, "end": { - "path": "signal.original_event.end", + "path": "kibana.alert.original_event.end", "type": "alias" }, "hash": { - "path": "signal.original_event.hash", + "path": "kibana.alert.original_event.hash", "type": "alias" }, "id": { - "path": "signal.original_event.id", + "path": "kibana.alert.original_event.id", "type": "alias" }, "kind": { - "path": "signal.original_event.kind", + "path": "kibana.alert.original_event.kind", "type": "alias" }, "module": { - "path": "signal.original_event.module", + "path": "kibana.alert.original_event.module", "type": "alias" }, "outcome": { - "path": "signal.original_event.outcome", + "path": 
"kibana.alert.original_event.outcome", "type": "alias" }, "provider": { - "path": "signal.original_event.provider", + "path": "kibana.alert.original_event.provider", "type": "alias" }, "reason": { - "path": "signal.original_event.reason", + "path": "kibana.alert.original_event.reason", "type": "alias" }, "risk_score": { - "path": "signal.original_event.risk_score", + "path": "kibana.alert.original_event.risk_score", "type": "alias" }, "risk_score_norm": { - "path": "signal.original_event.risk_score_norm", + "path": "kibana.alert.original_event.risk_score_norm", "type": "alias" }, "sequence": { - "path": "signal.original_event.sequence", + "path": "kibana.alert.original_event.sequence", "type": "alias" }, "severity": { - "path": "signal.original_event.severity", + "path": "kibana.alert.original_event.severity", "type": "alias" }, "start": { - "path": "signal.original_event.start", + "path": "kibana.alert.original_event.start", "type": "alias" }, "timezone": { - "path": "signal.original_event.timezone", + "path": "kibana.alert.original_event.timezone", "type": "alias" }, "type": { - "path": "signal.original_event.type", + "path": "kibana.alert.original_event.type", "type": "alias" } } }, "original_time": { - "path": "signal.original_time", + "path": "kibana.alert.original_time", "type": "alias" }, "reason": { - "path": "signal.reason", + "path": "kibana.alert.reason", "type": "alias" }, "risk_score": { - "path": "signal.rule.risk_score", + "path": "kibana.alert.rule.risk_score", "type": "alias" }, "rule": { "properties": { "author": { - "path": "signal.rule.author", + "path": "kibana.alert.rule.author", "type": "alias" }, "building_block_type": { - "path": "signal.rule.building_block_type", + "path": "kibana.alert.rule.building_block_type", "type": "alias" }, "consumer": { 
@@ -1708,63 +1708,63 @@ "value": "siem" }, "created_at": { - "path": "signal.rule.created_at", + "path": "kibana.alert.rule.created_at", "type": "alias" }, "created_by": { - "path": "signal.rule.created_by", + "path": "kibana.alert.rule.created_by", "type": "alias" }, "description": { - "path": "signal.rule.description", + "path": "kibana.alert.rule.description", "type": "alias" }, "enabled": { - "path": "signal.rule.enabled", + "path": "kibana.alert.rule.enabled", "type": "alias" }, "false_positives": { - "path": "signal.rule.false_positives", + "path": "kibana.alert.rule.false_positives", "type": "alias" }, "from": { - "path": "signal.rule.from", + "path": "kibana.alert.rule.from", "type": "alias" }, "id": { - "path": "signal.rule.id", + "path": "kibana.alert.rule.uuid", "type": "alias" }, "immutable": { - "path": "signal.rule.immutable", + "path": "kibana.alert.rule.immutable", "type": "alias" }, "index": { - "path": "signal.rule.index", + "path": "kibana.alert.rule.index", "type": "alias" }, "interval": { - "path": "signal.rule.interval", + "path": "kibana.alert.rule.interval", "type": "alias" }, "language": { - "path": "signal.rule.language", + "path": "kibana.alert.rule.language", "type": "alias" }, "license": { - "path": "signal.rule.license", + "path": "kibana.alert.rule.license", "type": "alias" }, "max_signals": { - "path": "signal.rule.max_signals", + "path": "kibana.alert.rule.max_signals", "type": "alias" }, "name": { - "path": "signal.rule.name", + "path": "kibana.alert.rule.name", "type": "alias" }, "note": { - "path": "signal.rule.note", + "path": "kibana.alert.rule.note", "type": "alias" }, "producer": { 
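Review bot: The `id` alias under `rule` in this hunk keeps its key name while retargeting the path to `kibana.alert.rule.uuid`, whereas the same hunk in duplicate_ids/mappings.json (-1708) renames the key itself to `uuid`; the two archives now expose different alias field names for the same target, so a test query written against one fixture can silently match nothing on the other. Pick one shape for both archives: if the alias exists to keep the legacy `signal.rule.id` name queryable, the duplicate_ids rename to `"uuid"` should be reverted to `"id"` so it matches this file. The parent object that gives these aliases their full name is outside both hunks, so which legacy name is meant to be preserved cannot be confirmed here.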
@@ -1772,35 +1772,35 @@ "value": "siem" }, "query": { - "path": "signal.rule.query", + "path": "kibana.alert.rule.query", "type": "alias" }, "references": { - "path": "signal.rule.references", + "path": "kibana.alert.rule.references", "type": "alias" }, "risk_score_mapping": { "properties": { "field": { - "path": "signal.rule.risk_score_mapping.field", + "path": "kibana.alert.rule.risk_score_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.risk_score_mapping.operator", + "path": "kibana.alert.rule.risk_score_mapping.operator", "type": "alias" }, "value": { - "path": "signal.rule.risk_score_mapping.value", + "path": "kibana.alert.rule.risk_score_mapping.value", "type": "alias" } } }, "rule_id": { - "path": "signal.rule.rule_id", + "path": "kibana.alert.rule.rule_id", "type": "alias" }, "rule_name_override": { - "path": "signal.rule.rule_name_override", + "path": "kibana.alert.rule.rule_name_override", "type": "alias" }, "rule_type_id": { 
@@ -1808,51 +1808,51 @@ "value": "siem.signals" }, "saved_id": { - "path": "signal.rule.saved_id", + "path": "kibana.alert.rule.saved_id", "type": "alias" }, "severity_mapping": { "properties": { "field": { - "path": "signal.rule.severity_mapping.field", + "path": "kibana.alert.rule.severity_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.severity_mapping.operator", + "path": "kibana.alert.rule.severity_mapping.operator", "type": "alias" }, "severity": { - "path": "signal.rule.severity_mapping.severity", + "path": "kibana.alert.rule.severity_mapping.severity", "type": "alias" }, "value": { - "path": "signal.rule.severity_mapping.value", + "path": "kibana.alert.rule.severity_mapping.value", "type": "alias" } } }, "tags": { - "path": "signal.rule.tags", + "path": "kibana.alert.rule.tags", "type": "alias" }, "threat": { "properties": { "framework": { - "path": "signal.rule.threat.framework", + "path": "kibana.alert.rule.threat.framework", "type": "alias" }, "tactic": { "properties": { "id": { - "path": "signal.rule.threat.tactic.id", + "path": "kibana.alert.rule.threat.tactic.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.tactic.name", + "path": "kibana.alert.rule.threat.tactic.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.tactic.reference", + "path": "kibana.alert.rule.threat.tactic.reference", "type": "alias" } } 
@@ -1860,29 +1860,29 @@ "technique": { "properties": { "id": { - "path": "signal.rule.threat.technique.id", + "path": "kibana.alert.rule.threat.technique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.name", + "path": "kibana.alert.rule.threat.technique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.reference", + "path": "kibana.alert.rule.threat.technique.reference", "type": "alias" }, "subtechnique": { "properties": { "id": { - "path": "signal.rule.threat.technique.subtechnique.id", + "path": "kibana.alert.rule.threat.technique.subtechnique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.subtechnique.name", + "path": "kibana.alert.rule.threat.technique.subtechnique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.subtechnique.reference", + "path": "kibana.alert.rule.threat.technique.subtechnique.reference", "type": "alias" } } @@ -1892,15 +1892,15 @@ } }, "threat_index": { - "path": "signal.rule.threat_index", + "path": "kibana.alert.rule.threat_index", "type": "alias" }, "threat_indicator_path": { - "path": "signal.rule.threat_indicator_path", + "path": "kibana.alert.rule.threat_indicator_path", "type": "alias" }, "threat_language": { - "path": "signal.rule.threat_language", + "path": "kibana.alert.rule.threat_language", "type": "alias" }, "threat_mapping": { @@ -1908,15 +1908,15 @@ "entries": { "properties": { "field": { - "path": "signal.rule.threat_mapping.entries.field", + "path": "kibana.alert.rule.threat_mapping.entries.field", "type": "alias" }, "type": { - "path": "signal.rule.threat_mapping.entries.type", + "path": "kibana.alert.rule.threat_mapping.entries.type", "type": "alias" }, "value": { - "path": "signal.rule.threat_mapping.entries.value", + "path": "kibana.alert.rule.threat_mapping.entries.value", "type": "alias" } } 
@@ -1924,53 +1924,53 @@ } }, "threat_query": { - "path": "signal.rule.threat_query", + "path": "kibana.alert.rule.threat_query", "type": "alias" }, "threshold": { "properties": { "field": { - "path": "signal.rule.threshold.field", + "path": "kibana.alert.rule.threshold.field", "type": "alias" }, "value": { - "path": "signal.rule.threshold.value", + "path": "kibana.alert.rule.threshold.value", "type": "alias" } } }, "timeline_id": { - "path": "signal.rule.timeline_id", + "path": "kibana.alert.rule.timeline_id", "type": "alias" }, "timeline_title": { - "path": "signal.rule.timeline_title", + "path": "kibana.alert.rule.timeline_title", "type": "alias" }, "to": { - "path": "signal.rule.to", + "path": "kibana.alert.rule.to", "type": "alias" }, "type": { - "path": "signal.rule.type", + "path": "kibana.alert.rule.type", "type": "alias" }, "updated_at": { - "path": "signal.rule.updated_at", + "path": "kibana.alert.rule.updated_at", "type": "alias" }, "updated_by": { - "path": "signal.rule.updated_by", + "path": "kibana.alert.rule.updated_by", "type": "alias" }, "version": { - "path": "signal.rule.version", + "path": "kibana.alert.rule.version", "type": "alias" } } }, "severity": { - "path": "signal.rule.severity", + "path": "kibana.alert.rule.severity", "type": "alias" }, "threshold_result": { 
@@ -1978,31 +1978,31 @@ "cardinality": { "properties": { "field": { - "path": "signal.threshold_result.cardinality.field", + "path": "kibana.alert.threshold_result.cardinality.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.cardinality.value", + "path": "kibana.alert.threshold_result.cardinality.value", "type": "alias" } } }, "count": { - "path": "signal.threshold_result.count", + "path": "kibana.alert.threshold_result.count", "type": "alias" }, "from": { - "path": "signal.threshold_result.from", + "path": "kibana.alert.threshold_result.from", "type": "alias" }, "terms": { "properties": { "field": { - "path": "signal.threshold_result.terms.field", + "path": "kibana.alert.threshold_result.terms.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.terms.value", + "path": "kibana.alert.threshold_result.terms.value", "type": "alias" } } @@ -2010,7 +2010,7 @@ } }, "workflow_status": { - "path": "signal.status", + "path": "kibana.alert.status", "type": "alias" } } diff --git a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json index 6ec0622bfce71..2d1ff00a4c119 100644 --- a/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json +++ b/x-pack/test/functional/es_archives/cases/signals/duplicate_ids/mappings.json 
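Review bot: The `workflow_status` alias in the -2010 hunk now targets `kibana.alert.status`, but the TypeScript side of this same commit reads the open/closed/acknowledged value through `ALERT_WORKFLOW_STATUS`, whose literal `'kibana.alert.workflow_status'` is visible in the query_signals.ts hunk at -92, and `kibana.alert.status` is the distinct `ALERT_STATUS` field imported in create_threat_matching.ts. Since the old path was `signal.status`, which held that workflow value, the retargeted alias should presumably read `"path": "kibana.alert.workflow_status"` so queries through the legacy name keep returning the case workflow state rather than a different field. The same retargeting appears in duplicate_ids/mappings.json at -2010. The alias parent object is outside the hunk, so the exact legacy name being preserved cannot be confirmed from here.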
@@ -1572,135 +1572,135 @@ "ancestors": { "properties": { "depth": { - "path": "signal.ancestors.depth", + "path": "kibana.alert.ancestors.depth", "type": "alias" }, "id": { - "path": "signal.ancestors.id", + "path": "kibana.alert.ancestors.id", "type": "alias" }, "index": { - "path": "signal.ancestors.index", + "path": "kibana.alert.ancestors.index", "type": "alias" }, "type": { - "path": "signal.ancestors.type", + "path": "kibana.alert.ancestors.type", "type": "alias" } } }, "depth": { - "path": "signal.depth", + "path": "kibana.alert.depth", "type": "alias" }, "original_event": { "properties": { "action": { - "path": "signal.original_event.action", + "path": "kibana.alert.original_event.action", "type": "alias" }, "category": { - "path": "signal.original_event.category", + "path": "kibana.alert.original_event.category", "type": "alias" }, "code": { - "path": "signal.original_event.code", + "path": "kibana.alert.original_event.code", "type": "alias" }, "created": { - "path": "signal.original_event.created", + "path": "kibana.alert.original_event.created", "type": "alias" }, "dataset": { - "path": "signal.original_event.dataset", + "path": "kibana.alert.original_event.dataset", "type": "alias" }, "duration": { - "path": "signal.original_event.duration", + "path": "kibana.alert.original_event.duration", "type": "alias" }, "end": { - "path": "signal.original_event.end", + "path": "kibana.alert.original_event.end", "type": "alias" }, "hash": { - "path": "signal.original_event.hash", + "path": "kibana.alert.original_event.hash", "type": "alias" }, "id": { - "path": "signal.original_event.id", + "path": "kibana.alert.original_event.id", "type": "alias" }, "kind": { - "path": "signal.original_event.kind", + "path": "kibana.alert.original_event.kind", "type": "alias" }, "module": { - "path": "signal.original_event.module", + "path": "kibana.alert.original_event.module", "type": "alias" }, "outcome": { - "path": "signal.original_event.outcome", + "path": 
"kibana.alert.original_event.outcome", "type": "alias" }, "provider": { - "path": "signal.original_event.provider", + "path": "kibana.alert.original_event.provider", "type": "alias" }, "reason": { - "path": "signal.original_event.reason", + "path": "kibana.alert.original_event.reason", "type": "alias" }, "risk_score": { - "path": "signal.original_event.risk_score", + "path": "kibana.alert.original_event.risk_score", "type": "alias" }, "risk_score_norm": { - "path": "signal.original_event.risk_score_norm", + "path": "kibana.alert.original_event.risk_score_norm", "type": "alias" }, "sequence": { - "path": "signal.original_event.sequence", + "path": "kibana.alert.original_event.sequence", "type": "alias" }, "severity": { - "path": "signal.original_event.severity", + "path": "kibana.alert.original_event.severity", "type": "alias" }, "start": { - "path": "signal.original_event.start", + "path": "kibana.alert.original_event.start", "type": "alias" }, "timezone": { - "path": "signal.original_event.timezone", + "path": "kibana.alert.original_event.timezone", "type": "alias" }, "type": { - "path": "signal.original_event.type", + "path": "kibana.alert.original_event.type", "type": "alias" } } }, "original_time": { - "path": "signal.original_time", + "path": "kibana.alert.original_time", "type": "alias" }, "reason": { - "path": "signal.reason", + "path": "kibana.alert.reason", "type": "alias" }, "risk_score": { - "path": "signal.rule.risk_score", + "path": "kibana.alert.rule.risk_score", "type": "alias" }, "rule": { "properties": { "author": { - "path": "signal.rule.author", + "path": "kibana.alert.rule.author", "type": "alias" }, "building_block_type": { - "path": "signal.rule.building_block_type", + "path": "kibana.alert.rule.building_block_type", "type": "alias" }, "consumer": { 
@@ -1708,63 +1708,63 @@ "value": "siem" }, "created_at": { - "path": "signal.rule.created_at", + "path": "kibana.alert.rule.created_at", "type": "alias" }, "created_by": { - "path": "signal.rule.created_by", + "path": "kibana.alert.rule.created_by", "type": "alias" }, "description": { - "path": "signal.rule.description", + "path": "kibana.alert.rule.description", "type": "alias" }, "enabled": { - "path": "signal.rule.enabled", + "path": "kibana.alert.rule.enabled", "type": "alias" }, "false_positives": { - "path": "signal.rule.false_positives", + "path": "kibana.alert.rule.false_positives", "type": "alias" }, "from": { - "path": "signal.rule.from", + "path": "kibana.alert.rule.from", "type": "alias" }, - "id": { - "path": "signal.rule.id", + "uuid": { + "path": "kibana.alert.rule.uuid", "type": "alias" }, "immutable": { - "path": "signal.rule.immutable", + "path": "kibana.alert.rule.immutable", "type": "alias" }, "index": { - "path": "signal.rule.index", + "path": "kibana.alert.rule.index", "type": "alias" }, "interval": { - "path": "signal.rule.interval", + "path": "kibana.alert.rule.interval", "type": "alias" }, "language": { - "path": "signal.rule.language", + "path": "kibana.alert.rule.language", "type": "alias" }, "license": { - "path": "signal.rule.license", + "path": "kibana.alert.rule.license", "type": "alias" }, "max_signals": { - "path": "signal.rule.max_signals", + "path": "kibana.alert.rule.max_signals", "type": "alias" }, "name": { - "path": "signal.rule.name", + "path": "kibana.alert.rule.name", "type": "alias" }, "note": { - "path": "signal.rule.note", + "path": "kibana.alert.rule.note", "type": "alias" }, "producer": { 
@@ -1772,35 +1772,35 @@ "value": "siem" }, "query": { - "path": "signal.rule.query", + "path": "kibana.alert.rule.query", "type": "alias" }, "references": { - "path": "signal.rule.references", + "path": "kibana.alert.rule.references", "type": "alias" }, "risk_score_mapping": { "properties": { "field": { - "path": "signal.rule.risk_score_mapping.field", + "path": "kibana.alert.rule.risk_score_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.risk_score_mapping.operator", + "path": "kibana.alert.rule.risk_score_mapping.operator", "type": "alias" }, "value": { - "path": "signal.rule.risk_score_mapping.value", + "path": "kibana.alert.rule.risk_score_mapping.value", "type": "alias" } } }, "rule_id": { - "path": "signal.rule.rule_id", + "path": "kibana.alert.rule.rule_id", "type": "alias" }, "rule_name_override": { - "path": "signal.rule.rule_name_override", + "path": "kibana.alert.rule.rule_name_override", "type": "alias" }, "rule_type_id": { 
@@ -1808,51 +1808,51 @@ "value": "siem.signals" }, "saved_id": { - "path": "signal.rule.saved_id", + "path": "kibana.alert.rule.saved_id", "type": "alias" }, "severity_mapping": { "properties": { "field": { - "path": "signal.rule.severity_mapping.field", + "path": "kibana.alert.rule.severity_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.severity_mapping.operator", + "path": "kibana.alert.rule.severity_mapping.operator", "type": "alias" }, "severity": { - "path": "signal.rule.severity_mapping.severity", + "path": "kibana.alert.rule.severity_mapping.severity", "type": "alias" }, "value": { - "path": "signal.rule.severity_mapping.value", + "path": "kibana.alert.rule.severity_mapping.value", "type": "alias" } } }, "tags": { - "path": "signal.rule.tags", + "path": "kibana.alert.rule.tags", "type": "alias" }, "threat": { "properties": { "framework": { - "path": "signal.rule.threat.framework", + "path": "kibana.alert.rule.threat.framework", "type": "alias" }, "tactic": { "properties": { "id": { - "path": "signal.rule.threat.tactic.id", + "path": "kibana.alert.rule.threat.tactic.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.tactic.name", + "path": "kibana.alert.rule.threat.tactic.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.tactic.reference", + "path": "kibana.alert.rule.threat.tactic.reference", "type": "alias" } } 
@@ -1860,29 +1860,29 @@ "technique": { "properties": { "id": { - "path": "signal.rule.threat.technique.id", + "path": "kibana.alert.rule.threat.technique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.name", + "path": "kibana.alert.rule.threat.technique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.reference", + "path": "kibana.alert.rule.threat.technique.reference", "type": "alias" }, "subtechnique": { "properties": { "id": { - "path": "signal.rule.threat.technique.subtechnique.id", + "path": "kibana.alert.rule.threat.technique.subtechnique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.subtechnique.name", + "path": "kibana.alert.rule.threat.technique.subtechnique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.subtechnique.reference", + "path": "kibana.alert.rule.threat.technique.subtechnique.reference", "type": "alias" } } @@ -1892,15 +1892,15 @@ } }, "threat_index": { - "path": "signal.rule.threat_index", + "path": "kibana.alert.rule.threat_index", "type": "alias" }, "threat_indicator_path": { - "path": "signal.rule.threat_indicator_path", + "path": "kibana.alert.rule.threat_indicator_path", "type": "alias" }, "threat_language": { - "path": "signal.rule.threat_language", + "path": "kibana.alert.rule.threat_language", "type": "alias" }, "threat_mapping": { @@ -1908,15 +1908,15 @@ "entries": { "properties": { "field": { - "path": "signal.rule.threat_mapping.entries.field", + "path": "kibana.alert.rule.threat_mapping.entries.field", "type": "alias" }, "type": { - "path": "signal.rule.threat_mapping.entries.type", + "path": "kibana.alert.rule.threat_mapping.entries.type", "type": "alias" }, "value": { - "path": "signal.rule.threat_mapping.entries.value", + "path": "kibana.alert.rule.threat_mapping.entries.value", "type": "alias" } } 
@@ -1924,53 +1924,53 @@ } }, "threat_query": { - "path": "signal.rule.threat_query", + "path": "kibana.alert.rule.threat_query", "type": "alias" }, "threshold": { "properties": { "field": { - "path": "signal.rule.threshold.field", + "path": "kibana.alert.rule.threshold.field", "type": "alias" }, "value": { - "path": "signal.rule.threshold.value", + "path": "kibana.alert.rule.threshold.value", "type": "alias" } } }, "timeline_id": { - "path": "signal.rule.timeline_id", + "path": "kibana.alert.rule.timeline_id", "type": "alias" }, "timeline_title": { - "path": "signal.rule.timeline_title", + "path": "kibana.alert.rule.timeline_title", "type": "alias" }, "to": { - "path": "signal.rule.to", + "path": "kibana.alert.rule.to", "type": "alias" }, "type": { - "path": "signal.rule.type", + "path": "kibana.alert.rule.type", "type": "alias" }, "updated_at": { - "path": "signal.rule.updated_at", + "path": "kibana.alert.rule.updated_at", "type": "alias" }, "updated_by": { - "path": "signal.rule.updated_by", + "path": "kibana.alert.rule.updated_by", "type": "alias" }, "version": { - "path": "signal.rule.version", + "path": "kibana.alert.rule.version", "type": "alias" } } }, "severity": { - "path": "signal.rule.severity", + "path": "kibana.alert.rule.severity", "type": "alias" }, "threshold_result": { 
@@ -1978,31 +1978,31 @@ "cardinality": { "properties": { "field": { - "path": "signal.threshold_result.cardinality.field", + "path": "kibana.alert.threshold_result.cardinality.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.cardinality.value", + "path": "kibana.alert.threshold_result.cardinality.value", "type": "alias" } } }, "count": { - "path": "signal.threshold_result.count", + "path": "kibana.alert.threshold_result.count", "type": "alias" }, "from": { - "path": "signal.threshold_result.from", + "path": "kibana.alert.threshold_result.from", "type": "alias" }, "terms": { "properties": { "field": { - "path": "signal.threshold_result.terms.field", + "path": "kibana.alert.threshold_result.terms.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.terms.value", + "path": "kibana.alert.threshold_result.terms.value", "type": "alias" } } @@ -2010,7 +2010,7 @@ } }, "workflow_status": { - "path": "signal.status", + "path": "kibana.alert.status", "type": "alias" } } 
@@ -6564,135 +6564,135 @@ "ancestors": { "properties": { "depth": { - "path": "signal.ancestors.depth", + "path": "kibana.alert.ancestors.depth", "type": "alias" }, "id": { - "path": "signal.ancestors.id", + "path": "kibana.alert.ancestors.id", "type": "alias" }, "index": { - "path": "signal.ancestors.index", + "path": "kibana.alert.ancestors.index", "type": "alias" }, "type": { - "path": "signal.ancestors.type", + "path": "kibana.alert.ancestors.type", "type": "alias" } } }, "depth": { - "path": "signal.depth", + "path": "kibana.alert.depth", "type": "alias" }, "original_event": { "properties": { "action": { - "path": "signal.original_event.action", + "path": "kibana.alert.original_event.action", "type": "alias" }, "category": { - "path": "signal.original_event.category", + "path": "kibana.alert.original_event.category", "type": "alias" }, "code": { - "path": "signal.original_event.code", + "path": "kibana.alert.original_event.code", "type": "alias" }, "created": { - "path": "signal.original_event.created", + "path": "kibana.alert.original_event.created", "type": "alias" }, "dataset": { - "path": "signal.original_event.dataset", + "path": "kibana.alert.original_event.dataset", "type": "alias" }, "duration": { - "path": "signal.original_event.duration", + "path": "kibana.alert.original_event.duration", "type": "alias" }, "end": { - "path": "signal.original_event.end", + "path": "kibana.alert.original_event.end", "type": "alias" }, "hash": { - "path": "signal.original_event.hash", + "path": "kibana.alert.original_event.hash", "type": "alias" }, "id": { - "path": "signal.original_event.id", + "path": "kibana.alert.original_event.id", "type": "alias" }, "kind": { - "path": "signal.original_event.kind", + "path": "kibana.alert.original_event.kind", "type": "alias" }, "module": { - "path": "signal.original_event.module", + "path": "kibana.alert.original_event.module", "type": "alias" }, "outcome": { - "path": "signal.original_event.outcome", + "path": 
"kibana.alert.original_event.outcome", "type": "alias" }, "provider": { - "path": "signal.original_event.provider", + "path": "kibana.alert.original_event.provider", "type": "alias" }, "reason": { - "path": "signal.original_event.reason", + "path": "kibana.alert.original_event.reason", "type": "alias" }, "risk_score": { - "path": "signal.original_event.risk_score", + "path": "kibana.alert.original_event.risk_score", "type": "alias" }, "risk_score_norm": { - "path": "signal.original_event.risk_score_norm", + "path": "kibana.alert.original_event.risk_score_norm", "type": "alias" }, "sequence": { - "path": "signal.original_event.sequence", + "path": "kibana.alert.original_event.sequence", "type": "alias" }, "severity": { - "path": "signal.original_event.severity", + "path": "kibana.alert.original_event.severity", "type": "alias" }, "start": { - "path": "signal.original_event.start", + "path": "kibana.alert.original_event.start", "type": "alias" }, "timezone": { - "path": "signal.original_event.timezone", + "path": "kibana.alert.original_event.timezone", "type": "alias" }, "type": { - "path": "signal.original_event.type", + "path": "kibana.alert.original_event.type", "type": "alias" } } }, "original_time": { - "path": "signal.original_time", + "path": "kibana.alert.original_time", "type": "alias" }, "reason": { - "path": "signal.reason", + "path": "kibana.alert.reason", "type": "alias" }, "risk_score": { - "path": "signal.rule.risk_score", + "path": "kibana.alert.rule.risk_score", "type": "alias" }, "rule": { "properties": { "author": { - "path": "signal.rule.author", + "path": "kibana.alert.rule.author", "type": "alias" }, "building_block_type": { - "path": "signal.rule.building_block_type", + "path": "kibana.alert.rule.building_block_type", "type": "alias" }, "consumer": { 
@@ -6700,63 +6700,63 @@ "value": "siem" }, "created_at": { - "path": "signal.rule.created_at", + "path": "kibana.alert.rule.created_at", "type": "alias" }, "created_by": { - "path": "signal.rule.created_by", + "path": "kibana.alert.rule.created_by", "type": "alias" }, "description": { - "path": "signal.rule.description", + "path": "kibana.alert.rule.description", "type": "alias" }, "enabled": { - "path": "signal.rule.enabled", + "path": "kibana.alert.rule.enabled", "type": "alias" }, "false_positives": { - "path": "signal.rule.false_positives", + "path": "kibana.alert.rule.false_positives", "type": "alias" }, "from": { - "path": "signal.rule.from", + "path": "kibana.alert.rule.from", "type": "alias" }, - "id": { - "path": "signal.rule.id", + "uuid": { + "path": "kibana.alert.rule.uuid", "type": "alias" }, "immutable": { - "path": "signal.rule.immutable", + "path": "kibana.alert.rule.immutable", "type": "alias" }, "index": { - "path": "signal.rule.index", + "path": "kibana.alert.rule.index", "type": "alias" }, "interval": { - "path": "signal.rule.interval", + "path": "kibana.alert.rule.interval", "type": "alias" }, "language": { - "path": "signal.rule.language", + "path": "kibana.alert.rule.language", "type": "alias" }, "license": { - "path": "signal.rule.license", + "path": "kibana.alert.rule.license", "type": "alias" }, "max_signals": { - "path": "signal.rule.max_signals", + "path": "kibana.alert.rule.max_signals", "type": "alias" }, "name": { - "path": "signal.rule.name", + "path": "kibana.alert.rule.name", "type": "alias" }, "note": { - "path": "signal.rule.note", + "path": "kibana.alert.rule.note", "type": "alias" }, "producer": { 
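Review bot: The `"id"` → `"uuid"` change in this hunk is the one edit that is not a pure path rewrite: it renames the alias field itself, so the old alias name disappears from the mapping while every other entry keeps its key and only gets a new `path`. Elasticsearch treats a query on an unmapped field as matching nothing rather than as an error, so any saved query, exception item or fixture that still addresses the old `…rule.id` alias would silently return no hits after this mapping is loaded. The parent object of this `rule` properties block is outside the hunk, so I cannot tell from here which legacy field name is affected; if the old name is meant to stay readable, keeping `"id": { "path": "kibana.alert.rule.uuid", "type": "alias" }` next to the new `uuid` entry would preserve it, otherwise the rename deserves a mention in the change description.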
@@ -6764,35 +6764,35 @@ "value": "siem" }, "query": { - "path": "signal.rule.query", + "path": "kibana.alert.rule.query", "type": "alias" }, "references": { - "path": "signal.rule.references", + "path": "kibana.alert.rule.references", "type": "alias" }, "risk_score_mapping": { "properties": { "field": { - "path": "signal.rule.risk_score_mapping.field", + "path": "kibana.alert.rule.risk_score_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.risk_score_mapping.operator", + "path": "kibana.alert.rule.risk_score_mapping.operator", "type": "alias" }, "value": { - "path": "signal.rule.risk_score_mapping.value", + "path": "kibana.alert.rule.risk_score_mapping.value", "type": "alias" } } }, "rule_id": { - "path": "signal.rule.rule_id", + "path": "kibana.alert.rule.rule_id", "type": "alias" }, "rule_name_override": { - "path": "signal.rule.rule_name_override", + "path": "kibana.alert.rule.rule_name_override", "type": "alias" }, "rule_type_id": { 
@@ -6800,51 +6800,51 @@ "value": "siem.signals" }, "saved_id": { - "path": "signal.rule.saved_id", + "path": "kibana.alert.rule.saved_id", "type": "alias" }, "severity_mapping": { "properties": { "field": { - "path": "signal.rule.severity_mapping.field", + "path": "kibana.alert.rule.severity_mapping.field", "type": "alias" }, "operator": { - "path": "signal.rule.severity_mapping.operator", + "path": "kibana.alert.rule.severity_mapping.operator", "type": "alias" }, "severity": { - "path": "signal.rule.severity_mapping.severity", + "path": "kibana.alert.rule.severity_mapping.severity", "type": "alias" }, "value": { - "path": "signal.rule.severity_mapping.value", + "path": "kibana.alert.rule.severity_mapping.value", "type": "alias" } } }, "tags": { - "path": "signal.rule.tags", + "path": "kibana.alert.rule.tags", "type": "alias" }, "threat": { "properties": { "framework": { - "path": "signal.rule.threat.framework", + "path": "kibana.alert.rule.threat.framework", "type": "alias" }, "tactic": { "properties": { "id": { - "path": "signal.rule.threat.tactic.id", + "path": "kibana.alert.rule.threat.tactic.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.tactic.name", + "path": "kibana.alert.rule.threat.tactic.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.tactic.reference", + "path": "kibana.alert.rule.threat.tactic.reference", "type": "alias" } } 
@@ -6852,29 +6852,29 @@ "technique": { "properties": { "id": { - "path": "signal.rule.threat.technique.id", + "path": "kibana.alert.rule.threat.technique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.name", + "path": "kibana.alert.rule.threat.technique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.reference", + "path": "kibana.alert.rule.threat.technique.reference", "type": "alias" }, "subtechnique": { "properties": { "id": { - "path": "signal.rule.threat.technique.subtechnique.id", + "path": "kibana.alert.rule.threat.technique.subtechnique.id", "type": "alias" }, "name": { - "path": "signal.rule.threat.technique.subtechnique.name", + "path": "kibana.alert.rule.threat.technique.subtechnique.name", "type": "alias" }, "reference": { - "path": "signal.rule.threat.technique.subtechnique.reference", + "path": "kibana.alert.rule.threat.technique.subtechnique.reference", "type": "alias" } } @@ -6884,15 +6884,15 @@ } }, "threat_index": { - "path": "signal.rule.threat_index", + "path": "kibana.alert.rule.threat_index", "type": "alias" }, "threat_indicator_path": { - "path": "signal.rule.threat_indicator_path", + "path": "kibana.alert.rule.threat_indicator_path", "type": "alias" }, "threat_language": { - "path": "signal.rule.threat_language", + "path": "kibana.alert.rule.threat_language", "type": "alias" }, "threat_mapping": { @@ -6900,15 +6900,15 @@ "entries": { "properties": { "field": { - "path": "signal.rule.threat_mapping.entries.field", + "path": "kibana.alert.rule.threat_mapping.entries.field", "type": "alias" }, "type": { - "path": "signal.rule.threat_mapping.entries.type", + "path": "kibana.alert.rule.threat_mapping.entries.type", "type": "alias" }, "value": { - "path": "signal.rule.threat_mapping.entries.value", + "path": "kibana.alert.rule.threat_mapping.entries.value", "type": "alias" } } 
@@ -6916,53 +6916,53 @@ } }, "threat_query": { - "path": "signal.rule.threat_query", + "path": "kibana.alert.rule.threat_query", "type": "alias" }, "threshold": { "properties": { "field": { - "path": "signal.rule.threshold.field", + "path": "kibana.alert.rule.threshold.field", "type": "alias" }, "value": { - "path": "signal.rule.threshold.value", + "path": "kibana.alert.rule.threshold.value", "type": "alias" } } }, "timeline_id": { - "path": "signal.rule.timeline_id", + "path": "kibana.alert.rule.timeline_id", "type": "alias" }, "timeline_title": { - "path": "signal.rule.timeline_title", + "path": "kibana.alert.rule.timeline_title", "type": "alias" }, "to": { - "path": "signal.rule.to", + "path": "kibana.alert.rule.to", "type": "alias" }, "type": { - "path": "signal.rule.type", + "path": "kibana.alert.rule.type", "type": "alias" }, "updated_at": { - "path": "signal.rule.updated_at", + "path": "kibana.alert.rule.updated_at", "type": "alias" }, "updated_by": { - "path": "signal.rule.updated_by", + "path": "kibana.alert.rule.updated_by", "type": "alias" }, "version": { - "path": "signal.rule.version", + "path": "kibana.alert.rule.version", "type": "alias" } } }, "severity": { - "path": "signal.rule.severity", + "path": "kibana.alert.rule.severity", "type": "alias" }, "threshold_result": { 
@@ -6970,31 +6970,31 @@ "cardinality": { "properties": { "field": { - "path": "signal.threshold_result.cardinality.field", + "path": "kibana.alert.threshold_result.cardinality.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.cardinality.value", + "path": "kibana.alert.threshold_result.cardinality.value", "type": "alias" } } }, "count": { - "path": "signal.threshold_result.count", + "path": "kibana.alert.threshold_result.count", "type": "alias" }, "from": { - "path": "signal.threshold_result.from", + "path": "kibana.alert.threshold_result.from", "type": "alias" }, "terms": { "properties": { "field": { - "path": "signal.threshold_result.terms.field", + "path": "kibana.alert.threshold_result.terms.field", "type": "alias" }, "value": { - "path": "signal.threshold_result.terms.value", + "path": "kibana.alert.threshold_result.terms.value", "type": "alias" } } @@ -7002,7 +7002,7 @@ } }, "workflow_status": { - "path": "signal.status", + "path": "kibana.alert.status", "type": "alias" } } diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts index d328044b1c96b..14415155f409a 100644 --- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts +++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts @@ -6,7 +6,10 @@ */ import expect from '@kbn/expect'; -import { ALERT_WORKFLOW_STATUS } from '../../../../../plugins/rule_registry/common/technical_rule_data_field_names'; +import { + ALERT_RULE_NAME, + ALERT_WORKFLOW_STATUS, +} from '../../../../../plugins/rule_registry/common/technical_rule_data_field_names'; import { superUser, globalRead, @@ -108,7 +111,7 @@ export default ({ getService }: FtrProviderContext) => { aggs: { alertsByGroupingCount: { terms: { - field: 'signal.rule.name', + field: ALERT_RULE_NAME, order: { _count: 'desc', }, 
@@ -117,7 +120,7 @@ export default ({ getService }: FtrProviderContext) => {
 aggs: {
 test: {
 terms: {
- field: 'signal.rule.name',
+ field: ALERT_RULE_NAME,
 size: 10,
 script: {
 source: 'SCRIPT',
@@ -142,7 +145,7 @@ export default ({ getService }: FtrProviderContext) => {
 aggs: {
 alertsByGroupingCount: {
 terms: {
- field: 'signal.rule.name',
+ field: ALERT_RULE_NAME,
 order: {
 _count: 'desc',
 },
@@ -151,7 +154,7 @@ export default ({ getService }: FtrProviderContext) => {
 aggs: {
 test: {
 terms: {
- field: 'signal.rule.name',
+ field: ALERT_RULE_NAME,
 size: 10,
 },
 },