[Cloud Security] [Alerts] Workflow enhancements for Alerts in Cloud S…

…ecurity (#164902) Co-authored-by: Maxim Kholod <[email protected]>
elastic · Sep 11, 2023 · 5e12611 · 5e12611
1 parent e72780a
commit 5e12611
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/x-pack/plugins/cloud_security_posture/public/common/types.ts b/x-pack/plugins/cloud_security_posture/public/common/types.ts
@@ -74,6 +74,10 @@ export interface RuleCreateProps {
   description: string;
   tags: string[];
   max_signals: number;
+  investigation_fields?: {
+    field_names: string[];
+  };
+  note?: string;
 }
 
 export interface RuleResponse extends RuleCreateProps {

diff --git a/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx b/x-pack/plugins/cloud_security_posture/public/components/detection_rule_counter.tsx
@@ -111,8 +111,8 @@ export const DetectionRuleCounter = ({ tags, createRuleFn }: DetectionRuleCounte
           />{' '}
           <EuiLink onClick={rulePageNavigation}>
             <FormattedMessage
-              id="xpack.csp.findingsFlyout.alerts.ruleCount"
-              defaultMessage="{ruleCount, plural, one {# rule} other {# rules}}"
+              id="xpack.csp.findingsFlyout.alerts.detectionRuleCount"
+              defaultMessage="{ruleCount, plural, one {# detection rule} other {# detection rules}}"
               values={{ ruleCount: rulesData?.total || 0 }}
             />
           </EuiLink>

diff --git a/..._security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/..._security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
@@ -21,6 +21,9 @@ const DEFAULT_RULE_LICENSE = 'Elastic License v2';
 const DEFAULT_MAX_ALERTS_PER_RULE = 100;
 const ALERT_SUPPRESSION_FIELD = 'resource.id';
 const ALERT_TIMESTAMP_FIELD = 'event.ingested';
+const DEFAULT_INVESTIGATION_FIELDS = {
+  field_names: ['resource.name', 'resource.id', 'resource.type', 'resource.sub_type'],
+};
 
 enum AlertSuppressionMissingFieldsStrategy {
   // per each document a separate alert will be created
@@ -126,6 +129,8 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C
       name: finding.rule.name,
       description: finding.rule.rationale,
       tags: generateFindingsTags(finding),
+      investigation_fields: DEFAULT_INVESTIGATION_FIELDS,
+      note: finding.rule.remediation,
     },
   });
 };
diff --git a/...ty_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/...ty_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
@@ -25,6 +25,9 @@ const DEFAULT_MAX_ALERTS_PER_RULE = 100;
 const ALERT_SUPPRESSION_FIELD = 'resource.id';
 const ALERT_TIMESTAMP_FIELD = 'event.ingested';
 const ALERT_SEVERITY_MAP_FIELD = 'vulnerability.severity';
+const DEFAULT_INVESTIGATION_FIELDS = {
+  field_names: ['resource.name', 'resource.id'],
+};
 
 enum RuleSeverityMapping {
   Low = 'low',
@@ -145,6 +148,7 @@ export const createDetectionRuleFromVulnerabilityFinding = async (
       name: getVulnerabilityRuleName(vulnerability),
       description: vulnerability.description,
       tags: generateVulnerabilitiesTags(vulnerability),
+      investigation_fields: DEFAULT_INVESTIGATION_FIELDS,
     },
   });
 };