[SIEM] Use ECS categorisation for Authentication widgets (#60734) (#6…

…0890) * Update the Authentication histogram to use categorization fields * linting * Use categorization fields for the Authentications table * Use event.outcome for authentications KPIs * Adjust mock to fix unit test Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Elastic Machine <[email protected]>
elastic · Mar 24, 2020 · a524c00 · a524c00
1 parent 4f18236
commit a524c00
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 17 deletions.
diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx
@@ -25,15 +25,15 @@ const AuthenticationTableManage = manageQuery(AuthenticationTable);
 const ID = 'authenticationsOverTimeQuery';
 const authStackByOptions: MatrixHistogramOption[] = [
   {
-    text: 'event.type',
-    value: 'event.type',
+    text: 'event.outcome',
+    value: 'event.outcome',
   },
 ];
-const DEFAULT_STACK_BY = 'event.type';
+const DEFAULT_STACK_BY = 'event.outcome';
 
 enum AuthMatrixDataGroup {
-  authSuccess = 'authentication_success',
-  authFailure = 'authentication_failure',
+  authSuccess = 'success',
+  authFailure = 'failure',
 }
 
 export const authMatrixDataMappingFields: MatrixHistogramMappingTypes = {

diff --git a/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts
@@ -70,7 +70,7 @@ export const buildQuery = ({
             failures: {
               filter: {
                 term: {
-                  'event.type': 'authentication_failure',
+                  'event.outcome': 'failure',
                 },
               },
               aggs: {
@@ -86,7 +86,7 @@ export const buildQuery = ({
             successes: {
               filter: {
                 term: {
-                  'event.type': 'authentication_success',
+                  'event.outcome': 'success',
                 },
               },
               aggs: {

diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts
@@ -356,15 +356,15 @@ export const mockKpiHostDetailsUniqueIpsQuery = [
 ];
 
 const mockAuthAggs = {
-  authentication_success: { filter: { term: { 'event.type': 'authentication_success' } } },
+  authentication_success: { filter: { term: { 'event.outcome': 'success' } } },
   authentication_success_histogram: {
     auto_date_histogram: { field: '@timestamp', buckets: '6' },
-    aggs: { count: { filter: { term: { 'event.type': 'authentication_success' } } } },
+    aggs: { count: { filter: { term: { 'event.outcome': 'success' } } } },
   },
-  authentication_failure: { filter: { term: { 'event.type': 'authentication_failure' } } },
+  authentication_failure: { filter: { term: { 'event.outcome': 'failure' } } },
   authentication_failure_histogram: {
     auto_date_histogram: { field: '@timestamp', buckets: '6' },
-    aggs: { count: { filter: { term: { 'event.type': 'authentication_failure' } } } },
+    aggs: { count: { filter: { term: { 'event.outcome': 'failure' } } } },
   },
 };
 

diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts
@@ -49,7 +49,7 @@ export const buildAuthQuery = ({
         authentication_success: {
           filter: {
             term: {
-              'event.type': 'authentication_success',
+              'event.outcome': 'success',
             },
           },
         },
@@ -62,7 +62,7 @@ export const buildAuthQuery = ({
             count: {
               filter: {
                 term: {
-                  'event.type': 'authentication_success',
+                  'event.outcome': 'success',
                 },
               },
             },
@@ -71,7 +71,7 @@ export const buildAuthQuery = ({
         authentication_failure: {
           filter: {
             term: {
-              'event.type': 'authentication_failure',
+              'event.outcome': 'failure',
             },
           },
         },
@@ -84,7 +84,7 @@ export const buildAuthQuery = ({
             count: {
               filter: {
                 term: {
-                  'event.type': 'authentication_failure',
+                  'event.outcome': 'failure',
                 },
               },
             },

diff --git a/...ck/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts b/...ck/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts
@@ -13,10 +13,21 @@ export const buildAuthenticationsOverTimeQuery = ({
   sourceConfiguration: {
     fields: { timestamp },
   },
-  stackByField = 'event.type',
+  stackByField = 'event.outcome',
 }: MatrixHistogramRequestOptions) => {
   const filter = [
     ...createQueryFilterClauses(filterQuery),
+    {
+      bool: {
+        must: [
+          {
+            term: {
+              'event.category': 'authentication',
+            },
+          },
+        ],
+      },
+    },
     {
       range: {
         [timestamp]: {
@@ -45,7 +56,7 @@ export const buildAuthenticationsOverTimeQuery = ({
       eventActionGroup: {
         terms: {
           field: stackByField,
-          include: ['authentication_success', 'authentication_failure'],
+          include: ['success', 'failure'],
           order: {
             _count: 'desc',
           },