[RAM] Alert search strategy fields for security (#165040)

## Summary Fix => #164769 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
elastic · Aug 29, 2023 · 6b20ca9 · 6b20ca9
1 parent b39d642
commit 6b20ca9
Show file tree

Hide file tree

Showing 13 changed files with 424 additions and 357 deletions.
diff --git a/packages/kbn-alerts-as-data-utils/index.ts b/packages/kbn-alerts-as-data-utils/index.ts
@@ -8,3 +8,4 @@
 
 export * from './src/field_maps';
 export * from './src/schemas';
+export * from './src/search';
diff --git a/packages/kbn-alerts-as-data-utils/jest.config.js b/packages/kbn-alerts-as-data-utils/jest.config.js
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../..',
+  roots: ['<rootDir>/packages/kbn-alerts-as-data-utils'],
+};
diff --git a/packages/kbn-alerts-as-data-utils/src/search/index.ts b/packages/kbn-alerts-as-data-utils/src/search/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+export { buildAlertFieldsRequest, ALERT_EVENTS_FIELDS } from './security';
diff --git a/...tory/helpers/build_fields_request.test.ts → ...rch/security/build_fields_request.test.ts b/...tory/helpers/build_fields_request.test.ts → ...rch/security/build_fields_request.test.ts
@@ -1,34 +1,36 @@
 /*
  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
  * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
  */
-import { buildFieldsRequest } from './build_fields_request';
-import { TIMELINE_EVENTS_FIELDS } from './constants';
+
+import { buildAlertFieldsRequest } from './build_fields_request';
+import { ALERT_EVENTS_FIELDS } from './fields';
 
 describe('buildFieldsRequest', () => {
   it('should include ecs fields by default', () => {
     const fields: string[] = [];
-    const fieldsRequest = buildFieldsRequest(fields);
-    expect(fieldsRequest).toHaveLength(TIMELINE_EVENTS_FIELDS.length);
+    const fieldsRequest = buildAlertFieldsRequest(fields);
+    expect(fieldsRequest).toHaveLength(ALERT_EVENTS_FIELDS.length);
   });
 
   it('should not show ecs fields', () => {
     const fields: string[] = [];
-    const fieldsRequest = buildFieldsRequest(fields, true);
+    const fieldsRequest = buildAlertFieldsRequest(fields, true);
     expect(fieldsRequest).toHaveLength(0);
   });
 
   it('should map the expected (non underscore prefixed) fields', () => {
     const fields = ['_dontShow1', '_dontShow2', 'showsup'];
-    const fieldsRequest = buildFieldsRequest(fields, true);
+    const fieldsRequest = buildAlertFieldsRequest(fields, true);
     expect(fieldsRequest).toEqual([{ field: 'showsup', include_unmapped: true }]);
   });
 
   it('should map provided fields with ecs fields', () => {
     const fields = ['showsup'];
-    const fieldsRequest = buildFieldsRequest(fields);
-    expect(fieldsRequest).toHaveLength(TIMELINE_EVENTS_FIELDS.length + fields.length);
+    const fieldsRequest = buildAlertFieldsRequest(fields);
+    expect(fieldsRequest).toHaveLength(ALERT_EVENTS_FIELDS.length + fields.length);
   });
 });
diff --git a/packages/kbn-alerts-as-data-utils/src/search/security/build_fields_request.ts b/packages/kbn-alerts-as-data-utils/src/search/security/build_fields_request.ts
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { uniq } from 'lodash/fp';
+import { ALERT_EVENTS_FIELDS } from './fields';
+
+export const buildAlertFieldsRequest = (fields: string[], excludeEcsData?: boolean) =>
+  uniq([
+    ...fields.filter((field) => !field.startsWith('_')),
+    ...(excludeEcsData ? [] : ALERT_EVENTS_FIELDS),
+  ]).map((field) => ({
+    field,
+    include_unmapped: true,
+    ...(field === '@timestamp'
+      ? {
+          format: 'strict_date_optional_time',
+        }
+      : {}),
+  }));
diff --git a/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts b/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts
@@ -0,0 +1,289 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import {
+  ALERT_RULE_CONSUMER,
+  ALERT_RISK_SCORE,
+  ALERT_SEVERITY,
+  ALERT_RULE_PARAMETERS,
+  ALERT_WORKFLOW_TAGS,
+} from '@kbn/rule-data-utils';
+
+const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
+
+const MATCHED_ATOMIC = 'matched.atomic';
+const MATCHED_FIELD = 'matched.field';
+const MATCHED_TYPE = 'matched.type';
+
+const INDICATOR_MATCHED_ATOMIC = `${ENRICHMENT_DESTINATION_PATH}.${MATCHED_ATOMIC}`;
+const INDICATOR_MATCHED_FIELD = `${ENRICHMENT_DESTINATION_PATH}.${MATCHED_FIELD}`;
+const INDICATOR_MATCHED_TYPE = `${ENRICHMENT_DESTINATION_PATH}.${MATCHED_TYPE}`;
+
+const PROVIDER = 'indicator.provider';
+const REFERENCE = 'indicator.reference';
+const FEED_NAME = 'feed.name';
+
+const INDICATOR_PROVIDER = `${ENRICHMENT_DESTINATION_PATH}.${PROVIDER}`;
+const INDICATOR_REFERENCE = `${ENRICHMENT_DESTINATION_PATH}.${REFERENCE}`;
+const FEED_NAME_REFERENCE = `${ENRICHMENT_DESTINATION_PATH}.${FEED_NAME}`;
+
+const CTI_ROW_RENDERER_FIELDS = [
+  INDICATOR_MATCHED_ATOMIC,
+  INDICATOR_MATCHED_FIELD,
+  INDICATOR_MATCHED_TYPE,
+  INDICATOR_REFERENCE,
+  INDICATOR_PROVIDER,
+  FEED_NAME_REFERENCE,
+];
+
+// TODO: update all of these fields to use the constants from technical field names
+export const ALERT_EVENTS_FIELDS = [
+  ALERT_RULE_CONSUMER,
+  '@timestamp',
+  'kibana.alert.ancestors.index',
+  'kibana.alert.workflow_status',
+  ALERT_WORKFLOW_TAGS,
+  'kibana.alert.group.id',
+  'kibana.alert.original_time',
+  'kibana.alert.reason',
+  'kibana.alert.rule.from',
+  'kibana.alert.rule.name',
+  'kibana.alert.rule.to',
+  'kibana.alert.rule.uuid',
+  'kibana.alert.rule.rule_id',
+  'kibana.alert.rule.type',
+  'kibana.alert.original_event.kind',
+  'kibana.alert.original_event.module',
+  'kibana.alert.rule.version',
+  ALERT_SEVERITY,
+  ALERT_RISK_SCORE,
+  ALERT_RULE_PARAMETERS,
+  'kibana.alert.threshold_result',
+  'kibana.alert.building_block_type',
+  'kibana.alert.suppression.docs_count',
+  'event.code',
+  'event.module',
+  'event.action',
+  'event.category',
+  'host.name',
+  'user.name',
+  'source.ip',
+  'destination.ip',
+  'message',
+  'system.auth.ssh.signature',
+  'system.auth.ssh.method',
+  'system.audit.package.arch',
+  'system.audit.package.entity_id',
+  'system.audit.package.name',
+  'system.audit.package.size',
+  'system.audit.package.summary',
+  'system.audit.package.version',
+  'event.created',
+  'event.dataset',
+  'event.duration',
+  'event.end',
+  'event.hash',
+  'event.id',
+  'event.kind',
+  'event.original',
+  'event.outcome',
+  'event.risk_score',
+  'event.risk_score_norm',
+  'event.severity',
+  'event.start',
+  'event.timezone',
+  'event.type',
+  'agent.type',
+  'agent.id',
+  'auditd.result',
+  'auditd.session',
+  'auditd.data.acct',
+  'auditd.data.terminal',
+  'auditd.data.op',
+  'auditd.summary.actor.primary',
+  'auditd.summary.actor.secondary',
+  'auditd.summary.object.primary',
+  'auditd.summary.object.secondary',
+  'auditd.summary.object.type',
+  'auditd.summary.how',
+  'auditd.summary.message_type',
+  'auditd.summary.sequence',
+  'file.Ext.original.path',
+  'file.name',
+  'file.target_path',
+  'file.extension',
+  'file.type',
+  'file.device',
+  'file.inode',
+  'file.uid',
+  'file.owner',
+  'file.gid',
+  'file.group',
+  'file.mode',
+  'file.size',
+  'file.mtime',
+  'file.ctime',
+  'file.path',
+  // NOTE: 7.10+ file.Ext.code_signature populated
+  // as array of objects, prior to that populated as
+  // single object
+  'file.Ext.code_signature',
+  'file.Ext.code_signature.subject_name',
+  'file.Ext.code_signature.trusted',
+  'file.hash.sha256',
+  'host.os.family',
+  'host.os.name',
+  'host.id',
+  'host.ip',
+  'registry.key',
+  'registry.path',
+  'rule.reference',
+  'source.bytes',
+  'source.packets',
+  'source.port',
+  'source.geo.continent_name',
+  'source.geo.country_name',
+  'source.geo.country_iso_code',
+  'source.geo.city_name',
+  'source.geo.region_iso_code',
+  'source.geo.region_name',
+  'destination.bytes',
+  'destination.packets',
+  'destination.port',
+  'destination.geo.continent_name',
+  'destination.geo.country_name',
+  'destination.geo.country_iso_code',
+  'destination.geo.city_name',
+  'destination.geo.region_iso_code',
+  'destination.geo.region_name',
+  'dns.question.name',
+  'dns.question.type',
+  'dns.resolved_ip',
+  'dns.response_code',
+  'endgame.exit_code',
+  'endgame.file_name',
+  'endgame.file_path',
+  'endgame.logon_type',
+  'endgame.parent_process_name',
+  'endgame.pid',
+  'endgame.process_name',
+  'endgame.subject_domain_name',
+  'endgame.subject_logon_id',
+  'endgame.subject_user_name',
+  'endgame.target_domain_name',
+  'endgame.target_logon_id',
+  'endgame.target_user_name',
+  'kibana.alert.rule.timeline_id',
+  'kibana.alert.rule.timeline_title',
+  'kibana.alert.rule.note',
+  'kibana.alert.rule.exceptions_list',
+  'kibana.alert.rule.building_block_type',
+  'suricata.eve.proto',
+  'suricata.eve.flow_id',
+  'suricata.eve.alert.signature',
+  'suricata.eve.alert.signature_id',
+  'network.bytes',
+  'network.community_id',
+  'network.direction',
+  'network.packets',
+  'network.protocol',
+  'network.transport',
+  'http.version',
+  'http.request.method',
+  'http.request.body.bytes',
+  'http.request.body.content',
+  'http.request.referrer',
+  'http.response.status_code',
+  'http.response.body.bytes',
+  'http.response.body.content',
+  'tls.client_certificate.fingerprint.sha1',
+  'tls.fingerprints.ja3.hash',
+  'tls.server_certificate.fingerprint.sha1',
+  'user.domain',
+  'winlog.event_id',
+  'process.end',
+  'process.entry_leader.entry_meta.type',
+  'process.entry_leader.entry_meta.source.ip',
+  'process.exit_code',
+  'process.hash.md5',
+  'process.hash.sha1',
+  'process.hash.sha256',
+  'process.interactive',
+  'process.parent.name',
+  'process.parent.pid',
+  'process.pid',
+  'process.name',
+  'process.ppid',
+  'process.args',
+  'process.entity_id',
+  'process.executable',
+  'process.start',
+  'process.title',
+  'process.working_directory',
+  'process.entry_leader.entity_id',
+  'process.entry_leader.name',
+  'process.entry_leader.pid',
+  'process.entry_leader.start',
+  'process.session_leader.entity_id',
+  'process.session_leader.name',
+  'process.session_leader.pid',
+  'process.group_leader.entity_id',
+  'process.group_leader.name',
+  'process.group_leader.pid',
+  'zeek.session_id',
+  'zeek.connection.local_resp',
+  'zeek.connection.local_orig',
+  'zeek.connection.missed_bytes',
+  'zeek.connection.state',
+  'zeek.connection.history',
+  'zeek.notice.suppress_for',
+  'zeek.notice.msg',
+  'zeek.notice.note',
+  'zeek.notice.sub',
+  'zeek.notice.dst',
+  'zeek.notice.dropped',
+  'zeek.notice.peer_descr',
+  'zeek.dns.AA',
+  'zeek.dns.qclass_name',
+  'zeek.dns.RD',
+  'zeek.dns.qtype_name',
+  'zeek.dns.qtype',
+  'zeek.dns.query',
+  'zeek.dns.trans_id',
+  'zeek.dns.qclass',
+  'zeek.dns.RA',
+  'zeek.dns.TC',
+  'zeek.http.resp_mime_types',
+  'zeek.http.trans_depth',
+  'zeek.http.status_msg',
+  'zeek.http.resp_fuids',
+  'zeek.http.tags',
+  'zeek.files.session_ids',
+  'zeek.files.timedout',
+  'zeek.files.local_orig',
+  'zeek.files.tx_host',
+  'zeek.files.source',
+  'zeek.files.is_orig',
+  'zeek.files.overflow_bytes',
+  'zeek.files.sha1',
+  'zeek.files.duration',
+  'zeek.files.depth',
+  'zeek.files.analyzers',
+  'zeek.files.mime_type',
+  'zeek.files.rx_host',
+  'zeek.files.total_bytes',
+  'zeek.files.fuid',
+  'zeek.files.seen_bytes',
+  'zeek.files.missing_bytes',
+  'zeek.files.md5',
+  'zeek.ssl.cipher',
+  'zeek.ssl.established',
+  'zeek.ssl.resumed',
+  'zeek.ssl.version',
+  ...CTI_ROW_RENDERER_FIELDS,
+];
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8,3 +8,4 @@

		export * from './src/field_maps';
		export * from './src/schemas';
		export * from './src/search';