[Security Solution][Detections] Fixes Rule Details when viewing delet…

…ed Rule from Alert with flattened structure (#122619) (#122893) ## Summary Resolves #122013 by transforming flattened `alertHit` back to a `Rule` using the existing `expandDottedObject` utility (which was moved to `security_solution/common/utils` for global use). Also fixed margins on deleted badge (and ensured no overlap when title overflows). <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/148868172-f8af8340-f49c-46e3-8cd6-4ebb38d7d76f.png" /> </p> ## Test Instructions: * Create Rule with all available fields filled out * Generate alerts for Rule * Delete Rule and navigate to Rule Details from Alert Details * Verify `Deleted` badge is present and Rule Details are filled out again Test with 7.x and 8.x alerts (as backwards compatibility was kept) (cherry picked from commit 6392a05) Co-authored-by: Garrett Spong <[email protected]>
elastic · Jan 12, 2022 · d7155d4 · d7155d4
1 parent 9a83d49
commit d7155d4
Show file tree

Hide file tree

Showing 9 changed files with 476 additions and 19 deletions.
diff --git a/...ne/rule_types/utils/expand_dotted.test.ts → ...lution/common/utils/expand_dotted.test.ts b/...ne/rule_types/utils/expand_dotted.test.ts → ...lution/common/utils/expand_dotted.test.ts
diff --git a/..._engine/rule_types/utils/expand_dotted.ts → ...ty_solution/common/utils/expand_dotted.ts b/..._engine/rule_types/utils/expand_dotted.ts → ...ty_solution/common/utils/expand_dotted.ts
diff --git a/x-pack/plugins/security_solution/public/common/components/header_page/index.tsx b/x-pack/plugins/security_solution/public/common/components/header_page/index.tsx
@@ -5,13 +5,7 @@
  * 2.0.
  */
 
-import {
-  EuiBadge,
-  EuiProgress,
-  EuiPageHeader,
-  EuiPageHeaderSection,
-  EuiSpacer,
-} from '@elastic/eui';
+import { EuiProgress, EuiPageHeader, EuiPageHeaderSection, EuiSpacer } from '@elastic/eui';
 import React from 'react';
 import styled, { css } from 'styled-components';
 
@@ -47,11 +41,6 @@ const LinkBack = styled.div.attrs({
 `;
 LinkBack.displayName = 'LinkBack';
 
-const Badge = styled(EuiBadge)`
-  letter-spacing: 0;
-` as unknown as typeof EuiBadge;
-Badge.displayName = 'Badge';
-
 const HeaderSection = styled(EuiPageHeaderSection)`
   // Without  min-width: 0, as a flex child, it wouldn't shrink properly
   // and could overflow its parent.

diff --git a/x-pack/plugins/security_solution/public/common/components/header_page/title.tsx b/x-pack/plugins/security_solution/public/common/components/header_page/title.tsx
@@ -21,6 +21,7 @@ StyledEuiBetaBadge.displayName = 'StyledEuiBetaBadge';
 
 const Badge = styled(EuiBadge)`
   letter-spacing: 0;
+  margin-left: 10px;
 ` as unknown as typeof EuiBadge;
 Badge.displayName = 'Badge';
 

diff --git a/...ck/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts b/...ck/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
@@ -945,6 +945,289 @@ export const alertsMock: AlertSearchResponse<unknown, unknown> = {
   },
 };
 
+export const alertsMock8x: AlertSearchResponse<unknown, unknown> = {
+  took: 3,
+  timeout: false,
+  _shards: {
+    total: 1,
+    successful: 1,
+    skipped: 1,
+    failed: 0,
+  },
+  hits: {
+    total: {
+      value: 10000,
+      relation: 'gte',
+    },
+    hits: [
+      {
+        _index: '.internal.alerts-security.alerts-default-000001',
+        _id: 'f8946a2cb00640d079dcf3d1007f792a794974674cedfd7a42c047ba029f311d',
+        _score: null,
+        _source: {
+          'kibana.alert.severity': 'low',
+          'kibana.alert.rule.updated_by': 'elastic',
+          'kibana.alert.rule.references': ['http://www.example.com/1'],
+          'kibana.alert.rule.threat': [
+            {
+              framework: 'MITRE ATT&CK',
+              technique: [
+                {
+                  reference: 'https://attack.mitre.org/techniques/T1217',
+                  name: 'Browser Bookmark Discovery',
+                  subtechnique: [],
+                  id: 'T1217',
+                },
+                {
+                  reference: 'https://attack.mitre.org/techniques/T1580',
+                  name: 'Cloud Infrastructure Discovery',
+                  subtechnique: [],
+                  id: 'T1580',
+                },
+                {
+                  reference: 'https://attack.mitre.org/techniques/T1033',
+                  name: 'System Owner/User Discovery',
+                  subtechnique: [],
+                  id: 'T1033',
+                },
+              ],
+              tactic: {
+                reference: 'https://attack.mitre.org/tactics/TA0007',
+                name: 'Discovery',
+                id: 'TA0007',
+              },
+            },
+            {
+              framework: 'MITRE ATT&CK',
+              technique: [],
+              tactic: {
+                reference: 'https://attack.mitre.org/tactics/TA0007',
+                name: 'Discovery',
+                id: 'TA0007',
+              },
+            },
+          ],
+          'kibana.alert.rule.rule_name_override': 'host.id',
+          'kibana.alert.rule.description': '8.1: To Be Deleted',
+          'kibana.alert.rule.tags': ['8.0-tag'],
+          'kibana.alert.rule.producer': 'siem',
+          'kibana.alert.rule.to': 'now',
+          'kibana.alert.rule.created_by': 'elastic',
+          'kibana.alert.original_event.ingested': '2022-01-11T22:43:03Z',
+          'kibana.alert.risk_score': 37,
+          'kibana.alert.rule.name': '944edf04-ea2d-44f9-b89a-574e9a9301da',
+          'kibana.alert.original_event.id': '751afb02-94ee-46b7-9aea-1a7529374df9',
+          'kibana.alert.workflow_status': 'open',
+          'kibana.alert.rule.uuid': '63136880-7335-11ec-9f1b-9db9315083e9',
+          'kibana.alert.original_event.category': 'driver',
+          'kibana.alert.rule.risk_score_mapping': [
+            {
+              field: 'Responses.process.pid',
+              value: '',
+              operator: 'equals',
+            },
+          ],
+          'kibana.alert.rule.interval': '5m',
+          'kibana.alert.reason':
+            'driver event with process powershell.exe, by 6nmm77jt8p on Host-7luvv0bmdn created low alert 944edf04-ea2d-44f9-b89a-574e9a9301da.',
+          'kibana.alert.rule.type': 'query',
+          'kibana.alert.rule.immutable': false,
+          'kibana.alert.original_event.type': 'start',
+          'kibana.alert.depth': 1,
+          'kibana.alert.rule.enabled': true,
+          'kibana.alert.rule.version': 1,
+          'kibana.alert.rule.from': 'now-360s',
+          'kibana.alert.rule.parameters': {
+            note: 'Investigation guuuide',
+            severity_mapping: [
+              {
+                severity: 'low',
+                field: 'host.name',
+                value: '',
+                operator: 'equals',
+              },
+            ],
+            references: ['http://www.example.com/1'],
+            description: '8.1: To Be Deleted',
+            language: 'kuery',
+            type: 'query',
+            rule_name_override: 'host.id',
+            exceptions_list: [],
+            from: 'now-360s',
+            severity: 'low',
+            max_signals: 100,
+            risk_score: 37,
+            risk_score_mapping: [
+              {
+                field: 'Responses.process.pid',
+                value: '',
+                operator: 'equals',
+              },
+            ],
+            author: ['author'],
+            query: 'host.name:*',
+            index: [
+              'apm-*-transaction*',
+              'traces-apm*',
+              'auditbeat-*',
+              'endgame-*',
+              'filebeat-*',
+              'logs-*',
+              'packetbeat-*',
+              'winlogbeat-*',
+            ],
+            filters: [],
+            version: 1,
+            rule_id: 'a2490dbb-33f6-4b03-88d8-b7d009ef58db',
+            license: 'license',
+            immutable: false,
+            meta: {
+              from: '1m',
+              kibana_siem_app_url: 'http://localhost:5601/kbn/app/security',
+            },
+            false_positives: ['fp'],
+            threat: [
+              {
+                framework: 'MITRE ATT&CK',
+                technique: [
+                  {
+                    reference: 'https://attack.mitre.org/techniques/T1217',
+                    name: 'Browser Bookmark Discovery',
+                    subtechnique: [],
+                    id: 'T1217',
+                  },
+                  {
+                    reference: 'https://attack.mitre.org/techniques/T1580',
+                    name: 'Cloud Infrastructure Discovery',
+                    subtechnique: [],
+                    id: 'T1580',
+                  },
+                  {
+                    reference: 'https://attack.mitre.org/techniques/T1033',
+                    name: 'System Owner/User Discovery',
+                    subtechnique: [],
+                    id: 'T1033',
+                  },
+                ],
+                tactic: {
+                  reference: 'https://attack.mitre.org/tactics/TA0007',
+                  name: 'Discovery',
+                  id: 'TA0007',
+                },
+              },
+              {
+                framework: 'MITRE ATT&CK',
+                technique: [],
+                tactic: {
+                  reference: 'https://attack.mitre.org/tactics/TA0007',
+                  name: 'Discovery',
+                  id: 'TA0007',
+                },
+              },
+            ],
+            to: 'now',
+          },
+          'kibana.alert.status': 'active',
+          'kibana.alert.ancestors': [
+            {
+              depth: 0,
+              index: '.ds-logs-endpoint.events.process-default-2022.01.11-000001',
+              id: 'VWxPS34B7OkM56GXH627',
+              type: 'event',
+            },
+          ],
+          'kibana.alert.rule.exceptions_list': [],
+          'kibana.alert.rule.actions': [],
+          'kibana.alert.rule.rule_type_id': 'siem.queryRule',
+          'kibana.alert.rule.license': 'license',
+          'kibana.alert.original_event.kind': 'event',
+          'kibana.alert.rule.note': 'Investigation guuuide',
+          'kibana.alert.rule.severity_mapping': [
+            {
+              severity: 'low',
+              field: 'host.name',
+              value: '',
+              operator: 'equals',
+            },
+          ],
+          'kibana.alert.rule.max_signals': 100,
+          'kibana.alert.rule.updated_at': '2022-01-11T23:22:47.678Z',
+          'kibana.alert.rule.risk_score': 37,
+          'kibana.alert.rule.author': ['author'],
+          'kibana.alert.rule.false_positives': ['fp'],
+          'kibana.alert.rule.consumer': 'siem',
+          'kibana.alert.rule.category': 'Custom Query Rule',
+          'kibana.alert.original_event.sequence': 20,
+          'kibana.alert.rule.created_at': '2022-01-11T23:22:47.678Z',
+          'kibana.alert.rule.severity': 'low',
+          'kibana.alert.original_event.agent_id_status': 'auth_metadata_missing',
+          'kibana.alert.rule.meta.kibana_siem_app_url': 'http://localhost:5601/kbn/app/security',
+          'kibana.alert.uuid': 'f8946a2cb00640d079dcf3d1007f792a794974674cedfd7a42c047ba029f311d',
+          'kibana.alert.rule.meta.from': '1m',
+          'kibana.alert.rule.rule_id': 'a2490dbb-33f6-4b03-88d8-b7d009ef58db',
+          'kibana.alert.original_time': '2022-01-11T23:18:39.714Z',
+        },
+        fields: {
+          'kibana.alert.severity': ['low'],
+          'process.hash.md5': ['33d3568e-cf11-42fb-b36e-08aec99570e9'],
+          'event.category': ['driver'],
+          'user.name': ['6nmm77jt8p'],
+          'process.parent.pid': [1975],
+          'process.pid': [2121],
+          'kibana.alert.rule.producer': ['siem'],
+          'kibana.alert.rule.to': ['now'],
+          'process.entity_id': ['3fadfesdk0'],
+          'host.ip': ['10.248.183.44'],
+          'agent.type': ['endpoint'],
+          'kibana.alert.risk_score': [37],
+          'kibana.alert.rule.name': ['944edf04-ea2d-44f9-b89a-574e9a9301da'],
+          'host.name': ['Host-7luvv0bmdn'],
+          'user.domain': ['epjr8uvmrj'],
+          'event.kind': ['signal'],
+          'kibana.alert.original_event.kind': ['event'],
+          'host.id': ['944edf04-ea2d-44f9-b89a-574e9a9301da'],
+          'process.executable': ['C:\\powershell.exe'],
+          'kibana.alert.rule.note': ['Investigation guuuide'],
+          'kibana.alert.workflow_status': ['open'],
+          'kibana.alert.rule.uuid': ['63136880-7335-11ec-9f1b-9db9315083e9'],
+          'kibana.alert.rule.risk_score': [37],
+          'process.args': ['"C:\\powershell.exe" \\fzw'],
+          'kibana.alert.reason': [
+            'driver event with process powershell.exe, by 6nmm77jt8p on Host-7luvv0bmdn created low alert 944edf04-ea2d-44f9-b89a-574e9a9301da.',
+          ],
+          'kibana.alert.rule.type': ['query'],
+          'kibana.alert.rule.consumer': ['siem'],
+          'kibana.alert.rule.category': ['Custom Query Rule'],
+          'process.name': ['powershell.exe'],
+          '@timestamp': ['2022-01-11T23:22:52.034Z'],
+          'kibana.alert.rule.severity': ['low'],
+          'event.type': ['start'],
+          'kibana.alert.uuid': ['f8946a2cb00640d079dcf3d1007f792a794974674cedfd7a42c047ba029f311d'],
+          'kibana.alert.rule.version': ['1'],
+          'event.id': ['751afb02-94ee-46b7-9aea-1a7529374df9'],
+          'host.os.family': ['windows'],
+          'kibana.alert.rule.from': ['now-360s'],
+          'kibana.alert.rule.rule_id': ['a2490dbb-33f6-4b03-88d8-b7d009ef58db'],
+          'kibana.alert.original_time': ['2022-01-11T23:18:39.714Z'],
+        },
+        sort: [1641943372034],
+      },
+    ],
+  },
+  aggregations: {
+    producers: {
+      doc_count_error_upper_bound: 0,
+      sum_other_doc_count: 0,
+      buckets: [
+        {
+          key: 'siem',
+          doc_count: 3,
+        },
+      ],
+    },
+  },
+};
+
 export const mockAlertsQuery: object = {
   aggs: {
     alertsByGrouping: {