diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx index b961d700e8520..0abcbefc71954 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx @@ -20,7 +20,7 @@ describe('useHoverActionItems', () => { const defaultProps: UseHoverActionItemsProps = { dataProvider: [{} as DataProvider], defaultFocusedButtonRef: null, - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', handleHoverActionClicked: jest.fn(), hideTopN: false, isCaseView: false, @@ -97,7 +97,7 @@ describe('useHoverActionItems', () => { 'hover-actions-filter-out' ); expect(result.current.overflowActionItems[2].props['data-test-subj']).toEqual( - 'more-actions-signal.rule.name' + 'more-actions-kibana.alert.rule.name' ); expect(result.current.overflowActionItems[2].props.items[0].props['data-test-subj']).toEqual( 'hover-actions-toggle-column' diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts index 7e7e7a6bcdd1f..1bbe0e9caa11a 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts @@ -19,7 +19,7 @@ export const isAlertFromEndpointEvent = ({ }: { data: TimelineEventsDetailsItem[]; }): boolean => { - const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, data); + const isAlert = some({ category: 'kibana', field: 'kibana.alert.rule.uuid' }, data); if (!isAlert) { return false; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts index a835628fae6cf..ff8dbc5d6ff9b 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts @@ -8,15 +8,15 @@ import type { AlertsStackByOption } from './types'; export const alertsStackByOptions: AlertsStackByOption[] = [ - { text: 'signal.rule.risk_score', value: 'signal.rule.risk_score' }, - { text: 'signal.rule.severity', value: 'signal.rule.severity' }, - { text: 'signal.rule.threat.tactic.name', value: 'signal.rule.threat.tactic.name' }, + { text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' }, + { text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' }, + { text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' }, { text: 'destination.ip', value: 'destination.ip' }, { text: 'event.action', value: 'event.action' }, { text: 'event.category', value: 'event.category' }, { text: 'host.name', value: 'host.name' }, - { text: 'signal.rule.type', value: 'signal.rule.type' }, - { text: 'signal.rule.name', value: 'signal.rule.name' }, + { text: 'kibana.alert.rule.type', value: 'kibana.alert.rule.type' }, + { text: 'kibana.alert.rule.name', value: 'kibana.alert.rule.name' }, { text: 'source.ip', value: 'source.ip' }, { text: 'user.name', value: 'user.name' }, { text: 'process.name', value: 'process.name' }, @@ -24,7 +24,7 @@ export const alertsStackByOptions: AlertsStackByOption[] = [ { text: 'hash.sha256', value: 'hash.sha256' }, ]; -export const DEFAULT_STACK_BY_FIELD = 'signal.rule.name'; +export const DEFAULT_STACK_BY_FIELD = 'kibana.alert.rule.name'; export const PANEL_HEIGHT = 300; export const MOBILE_PANEL_HEIGHT = 500; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts index f561c3f6faa21..10b76410b8a46 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts @@ -11,15 +11,15 @@ export interface AlertsStackByOption { } export type AlertsStackByField = - | 'signal.rule.risk_score' - | 'signal.rule.severity' - | 'signal.rule.threat.tactic.name' + | 'kibana.alert.rule.risk_score' + | 'kibana.alert.rule.severity' + | 'kibana.alert.rule.threat.tactic.name' | 'destination.ip' | 'event.action' | 'event.category' | 'host.name' - | 'signal.rule.type' - | 'signal.rule.name' + | 'kibana.alert.rule.type' + | 'kibana.alert.rule.name' | 'source.ip' | 'user.name' | 'process.name' diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index fc2ba6641adcf..b2265cf00bc87 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -263,10 +263,10 @@ export const buildShowBuildingBlockFilterRuleRegistry = ( negate: true, disabled: false, type: 'exists', - key: 'kibana.rule.building_block_type', + key: 'kibana.alert.rule.building_block_type', value: 'exists', }, - query: { exists: { field: 'kibana.rule.building_block_type' } }, + query: { exists: { field: 'kibana.alert.rule.building_block_type' } }, }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts index bf0801f276bdf..45433a39d8b97 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts @@ -26,20 +26,20 @@ export const columns: Array< }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.name', + id: 'kibana.alert.rule.name', displayAsText: i18n.ALERTS_HEADERS_RULE_NAME, - linkField: 'signal.rule.id', + linkField: 'kibana.alert.rule.uuid', initialWidth: 212, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.severity', + id: 'kibana.alert.rule.severity', displayAsText: i18n.ALERTS_HEADERS_SEVERITY, initialWidth: 104, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.reason', + id: 'kibana.alert.reason', displayAsText: i18n.ALERTS_HEADERS_REASON, }, ]; diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index b9d7e0a8c024f..07a0aeabcb998 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx @@ -108,10 +108,10 @@ const EventDetailsPanelComponent: React.FC = ({ } }, []); - const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData); + const isAlert = some({ category: 'kibana', field: 'kibana.alert.rule.uuid' }, detailsData); const ruleName = useMemo( - () => getFieldValue({ category: 'signal', field: 'signal.rule.name' }, detailsData), + () => getFieldValue({ category: 'kibana', field: 'kibana.alert.rule.name' }, detailsData), [detailsData] ); diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx index 4289b7d2c62da..2638635573aa6 100644 --- a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx +++ b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx @@ -38,7 +38,11 @@ export const getHostRulesColumns = (): HostRulesColumns => [ id, name: ruleName, kqlQuery: '', - queryMatch: { field: 'signal.rule.name', value: ruleName, operator: IS_OPERATOR }, + queryMatch: { + field: 'kibana.alert.rule.name', + value: ruleName, + operator: IS_OPERATOR, + }, }} render={(dataProvider, _, snapshot) => snapshot.isDragging ? ( @@ -73,7 +77,11 @@ export const getHostRulesColumns = (): HostRulesColumns => [ id, name: ruleType, kqlQuery: '', - queryMatch: { field: 'signal.rule.type', value: ruleType, operator: IS_OPERATOR }, + queryMatch: { + field: 'kibana.alert.rule.type', + value: ruleType, + operator: IS_OPERATOR, + }, }} render={(dataProvider, _, snapshot) => snapshot.isDragging ? ( @@ -109,7 +117,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [ name: `${riskScore}`, kqlQuery: '', queryMatch: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', value: riskScore, operator: IS_OPERATOR, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts index 5ea588e233018..a4a8806fca36d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/open_close_signals_route.ts @@ -40,7 +40,7 @@ export const setSignalsStatusRoute = (router: SecuritySolutionPluginRouter) => { const siemClient = context.securitySolution?.getAppClient(); const siemResponse = buildSiemResponse(response); const validationErrors = setSignalStatusValidateTypeDependents(request.body); - const spaceId = context.securitySolution.getSpaceId(); + const spaceId = context.securitySolution?.getSpaceId() ?? 'default'; if (validationErrors.length) { return siemResponse.error({ statusCode: 400, body: validationErrors }); diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts index d2aeb63b743f5..2c9aabb3c2c92 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts @@ -39,12 +39,12 @@ export const buildHostRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_name: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { risk_score: Direction.desc, }, @@ -52,19 +52,19 @@ export const buildHostRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_type: { terms: { - field: 'signal.rule.type', + field: 'kibana.alert.rule.type', }, }, }, }, rule_count: { cardinality: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', }, }, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts index d3111eed4aef8..6b12e3f329945 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts @@ -48,12 +48,12 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_name: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { risk_score: Direction.desc, }, @@ -61,19 +61,19 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: 'kibana.alert.rule.risk_score', }, }, rule_type: { terms: { - field: 'signal.rule.type', + field: 'kibana.alert.rule.type', }, }, }, }, rule_count: { cardinality: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', }, }, }, diff --git a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts index 5d0c8b6fbd000..c32241cb876c4 100644 --- a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts @@ -144,7 +144,7 @@ const getAllFieldsByName = ( keyBy('name', getAllBrowserFields(browserFields)); const linkFields: Record = { - 'signal.rule.name': 'signal.rule.id', + 'kibana.alert.rule.name': 'kibana.alert.rule.uuid', 'event.module': 'rule.reference', }; diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx index 30bb074807b0c..6ce093cf0761f 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx @@ -139,74 +139,74 @@ export const allowSorting = ({ const isAggregatable = browserField?.aggregatable ?? false; const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.reason', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', + 'kibana.alert.ancestors.depth', + 'kibana.alert.ancestors.id', + 'kibana.alert.ancestors.rule', + 'kibana.alert.ancestors.type', + 'kibana.alert.original_event.action', + 'kibana.alert.original_event.category', + 'kibana.alert.original_event.code', + 'kibana.alert.original_event.created', + 'kibana.alert.original_event.dataset', + 'kibana.alert.original_event.duration', + 'kibana.alert.original_event.end', + 'kibana.alert.original_event.hash', + 'kibana.alert.original_event.id', + 'kibana.alert.original_event.kind', + 'kibana.alert.original_event.module', + 'kibana.alert.original_event.original', + 'kibana.alert.original_event.outcome', + 'kibana.alert.original_event.provider', + 'kibana.alert.original_event.risk_score', + 'kibana.alert.original_event.risk_score_norm', + 'kibana.alert.original_event.sequence', + 'kibana.alert.original_event.severity', + 'kibana.alert.original_event.start', + 'kibana.alert.original_event.timezone', + 'kibana.alert.original_event.type', + 'kibana.alert.original_time', + 'kibana.alert.parent.depth', + 'kibana.alert.parent.id', + 'kibana.alert.parent.index', + 'kibana.alert.parent.rule', + 'kibana.alert.parent.type', + 'kibana.alert.reason', + 'kibana.alert.rule.created_by', + 'kibana.alert.rule.description', + 'kibana.alert.rule.enabled', + 'kibana.alert.rule.false_positives', + 'kibana.alert.rule.filters', + 'kibana.alert.rule.from', + 'kibana.alert.rule.uuid', + 'kibana.alert.rule.immutable', + 'kibana.alert.rule.index', + 'kibana.alert.rule.interval', + 'kibana.alert.rule.language', + 'kibana.alert.rule.max_signals', + 'kibana.alert.rule.name', + 'kibana.alert.rule.note', + 'kibana.alert.rule.output_index', + 'kibana.alert.rule.query', + 'kibana.alert.rule.references', + 'kibana.alert.rule.risk_score', + 'kibana.alert.rule.rule_id', + 'kibana.alert.rule.saved_id', + 'kibana.alert.rule.severity', + 'kibana.alert.rule.size', + 'kibana.alert.rule.tags', + 'kibana.alert.rule.threat', + 'kibana.alert.rule.threat.tactic.id', + 'kibana.alert.rule.threat.tactic.name', + 'kibana.alert.rule.threat.tactic.reference', + 'kibana.alert.rule.threat.technique.id', + 'kibana.alert.rule.threat.technique.name', + 'kibana.alert.rule.threat.technique.reference', + 'kibana.alert.rule.timeline_id', + 'kibana.alert.rule.timeline_title', + 'kibana.alert.rule.to', + 'kibana.alert.rule.type', + 'kibana.alert.rule.updated_by', + 'kibana.alert.rule.version', 'kibana.alert.workflow_status', ].includes(fieldName); diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts index afeb2287da739..d15b4e6980767 100644 --- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts +++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts @@ -120,7 +120,7 @@ export const useAddToCase = ({ const isAlert = useMemo(() => { if (event !== undefined) { const data = [...event.data]; - return data.some(({ field }) => field === 'kibana.alert.uuid'); + return data.some(({ field }) => field === 'kibana.alert.rule.uuid'); } else { return false; } diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index 4fb67cc3a7974..4c8f339d25c51 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts @@ -131,152 +131,154 @@ describe('#formatTimelineData', () => { _id: 'a77040f198355793c35bf22b900902371309be615381f0a2ec92c208b6132562', _score: 0, _source: { - signal: { - threshold_result: { - count: 10000, - value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - }, - parent: { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', - }, - depth: 1, - _meta: { - version: 14, - }, - rule: { - note: null, - throttle: null, - references: [], - severity_mapping: [], - description: 'asdasd', - created_at: '2021-01-09T11:25:45.046Z', - language: 'kuery', - threshold: { - field: '', - value: 200, - }, - building_block_type: null, - output_index: '.siem-signals-patrykkopycinski-default', - type: 'threshold', - rule_name_override: null, - enabled: true, - exceptions_list: [], - updated_at: '2021-01-09T13:36:39.204Z', - timestamp_override: null, - from: 'now-360s', - id: '696c24e0-526d-11eb-836c-e1620268b945', - timeline_id: null, - max_signals: 100, - severity: 'low', - risk_score: 21, - risk_score_mapping: [], - author: [], - query: '_id :*', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - ], - filters: [ - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: null, - disabled: false, - type: 'exists', - value: 'exists', - key: '_index', - }, - exists: { - field: '_index', - }, - }, - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: 'id_exists', - disabled: false, - type: 'exists', - value: 'exists', - key: '_id', - }, - exists: { - field: '_id', - }, - }, - ], - created_by: 'patryk_test_user', - version: 1, - saved_id: null, - tags: [], - rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - license: '', - immutable: false, - timeline_title: null, - meta: { - from: '1m', - kibana_siem_app_url: 'http://localhost:5601/app/security', + kibana: { + alert: { + threshold_result: { + count: 10000, + value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', }, - name: 'Threshold test', - updated_by: 'patryk_test_user', - interval: '5m', - false_positives: [], - to: 'now', - threat: [], - actions: [], - }, - original_time: '2021-01-09T13:39:32.595Z', - ancestors: [ - { + parent: { depth: 0, index: 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', id: '0268af90-d8da-576a-9747-2a191519416a', type: 'event', }, - ], - parents: [ - { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', + depth: 1, + _meta: { + version: 14, }, - ], - status: 'open', + rule: { + note: null, + throttle: null, + references: [], + severity_mapping: [], + description: 'asdasd', + created_at: '2021-01-09T11:25:45.046Z', + language: 'kuery', + threshold: { + field: '', + value: 200, + }, + building_block_type: null, + output_index: '.siem-signals-patrykkopycinski-default', + type: 'threshold', + rule_name_override: null, + enabled: true, + exceptions_list: [], + updated_at: '2021-01-09T13:36:39.204Z', + timestamp_override: null, + from: 'now-360s', + uuid: '696c24e0-526d-11eb-836c-e1620268b945', + timeline_id: null, + max_signals: 100, + severity: 'low', + risk_score: 21, + risk_score_mapping: [], + author: [], + query: '_id :*', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filters: [ + { + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: null, + disabled: false, + type: 'exists', + value: 'exists', + key: '_index', + }, + exists: { + field: '_index', + }, + }, + { + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: 'id_exists', + disabled: false, + type: 'exists', + value: 'exists', + key: '_id', + }, + exists: { + field: '_id', + }, + }, + ], + created_by: 'patryk_test_user', + version: 1, + saved_id: null, + tags: [], + rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', + license: '', + immutable: false, + timeline_title: null, + meta: { + from: '1m', + kibana_siem_app_url: 'http://localhost:5601/app/security', + }, + name: 'Threshold test', + updated_by: 'patryk_test_user', + interval: '5m', + false_positives: [], + to: 'now', + threat: [], + actions: [], + }, + original_time: '2021-01-09T13:39:32.595Z', + ancestors: [ + { + depth: 0, + index: + 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', + id: '0268af90-d8da-576a-9747-2a191519416a', + type: 'event', + }, + ], + parents: [ + { + depth: 0, + index: + 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', + id: '0268af90-d8da-576a-9747-2a191519416a', + type: 'event', + }, + ], + workflow_status: 'open', + }, }, }, fields: { - 'signal.rule.output_index': ['.siem-signals-patrykkopycinski-default'], - 'signal.rule.from': ['now-360s'], - 'signal.rule.language': ['kuery'], + 'kibana.alert.rule.output_index': ['.siem-signals-patrykkopycinski-default'], + 'kibana.alert.rule.from': ['now-360s'], + 'kibana.alert.rule.language': ['kuery'], '@timestamp': ['2021-01-09T13:41:40.517Z'], - 'signal.rule.query': ['_id :*'], - 'signal.rule.type': ['threshold'], - 'signal.rule.id': ['696c24e0-526d-11eb-836c-e1620268b945'], - 'signal.rule.risk_score': [21], - 'signal.status': ['open'], + 'kibana.alert.rule.query': ['_id :*'], + 'kibana.alert.rule.type': ['threshold'], + 'kibana.alert.rule.uuid': ['696c24e0-526d-11eb-836c-e1620268b945'], + 'kibana.alert.rule.risk_score': [21], + 'kibana.alert.workflow_status': ['open'], 'event.kind': ['signal'], - 'signal.original_time': ['2021-01-09T13:39:32.595Z'], - 'signal.rule.severity': ['low'], - 'signal.rule.version': ['1'], - 'signal.rule.index': [ + 'kibana.alert.original_time': ['2021-01-09T13:39:32.595Z'], + 'kibana.alert.rule.severity': ['low'], + 'kibana.alert.rule.version': ['1'], + 'kibana.alert.rule.index': [ 'apm-*-transaction*', 'traces-apm*', 'auditbeat-*', @@ -286,8 +288,8 @@ describe('#formatTimelineData', () => { 'packetbeat-*', 'winlogbeat-*', ], - 'signal.rule.name': ['Threshold test'], - 'signal.rule.to': ['now'], + 'kibana.alert.rule.name': ['Threshold test'], + 'kibana.alert.rule.to': ['now'], }, _type: '', sort: ['1610199700517'], @@ -321,78 +323,80 @@ describe('#formatTimelineData', () => { event: { kind: ['signal'], }, - signal: { - original_time: ['2021-01-09T13:39:32.595Z'], - status: ['open'], - threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'], - rule: { - building_block_type: [], - exceptions_list: [], - from: ['now-360s'], - id: ['696c24e0-526d-11eb-836c-e1620268b945'], - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - ], - language: ['kuery'], - name: ['Threshold test'], - output_index: ['.siem-signals-patrykkopycinski-default'], - risk_score: ['21'], - query: ['_id :*'], - severity: ['low'], - to: ['now'], - type: ['threshold'], - version: ['1'], - timeline_id: [], - timeline_title: [], - saved_id: [], - note: [], - threshold: [ - JSON.stringify({ - field: '', - value: 200, - }), - ], - filters: [ - JSON.stringify({ - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: null, - disabled: false, - type: 'exists', - value: 'exists', - key: '_index', - }, - exists: { - field: '_index', - }, - }), - JSON.stringify({ - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: 'id_exists', - disabled: false, - type: 'exists', - value: 'exists', - key: '_id', - }, - exists: { - field: '_id', - }, - }), - ], + kibana: { + alert: { + original_time: ['2021-01-09T13:39:32.595Z'], + workflow_status: ['open'], + threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'], + rule: { + building_block_type: [], + exceptions_list: [], + from: ['now-360s'], + uuid: ['696c24e0-526d-11eb-836c-e1620268b945'], + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + language: ['kuery'], + name: ['Threshold test'], + output_index: ['.siem-signals-patrykkopycinski-default'], + risk_score: ['21'], + query: ['_id :*'], + severity: ['low'], + to: ['now'], + type: ['threshold'], + version: ['1'], + timeline_id: [], + timeline_title: [], + saved_id: [], + note: [], + threshold: [ + JSON.stringify({ + field: '', + value: 200, + }), + ], + filters: [ + JSON.stringify({ + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: null, + disabled: false, + type: 'exists', + value: 'exists', + key: '_index', + }, + exists: { + field: '_index', + }, + }), + JSON.stringify({ + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: 'id_exists', + disabled: false, + type: 'exists', + value: 'exists', + key: '_id', + }, + exists: { + field: '_id', + }, + }), + ], + }, }, }, }, diff --git a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts index d328044b1c96b..e94257f5f9fb6 100644 --- a/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts +++ b/x-pack/test/rule_registry/security_and_spaces/tests/basic/find_alerts.ts @@ -108,7 +108,7 @@ export default ({ getService }: FtrProviderContext) => { aggs: { alertsByGroupingCount: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { _count: 'desc', }, @@ -117,7 +117,7 @@ export default ({ getService }: FtrProviderContext) => { aggs: { test: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', size: 10, script: { source: 'SCRIPT', @@ -142,7 +142,7 @@ export default ({ getService }: FtrProviderContext) => { aggs: { alertsByGroupingCount: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', order: { _count: 'desc', }, @@ -151,7 +151,7 @@ export default ({ getService }: FtrProviderContext) => { aggs: { test: { terms: { - field: 'signal.rule.name', + field: 'kibana.alert.rule.name', size: 10, }, },