From 774a4751ac01406acc534af76f6003086a8253bf Mon Sep 17 00:00:00 2001 
From: Michael Olorunnisola Date: Wed, 4 Aug 2021 12:56:53 -0400 Subject: [PATCH 01/26] Replace signals indices with constants --- .../src/technical_field_names.ts | 4 +- .../common/alert_constants.ts | 139 ++++++++++++ .../security_solution/common/constants.ts | 3 +- .../common/ecs/ecs_fields/index.ts | 110 ++++++---- .../security_solution/common/ecs/index.ts | 4 +- .../common/ecs/kibana/index.ts | 20 ++ .../common/experimental_features.ts | 2 +- .../common/utils/field_formatters.test.ts | 11 +- .../detection_rules/override.spec.ts | 2 +- .../cypress/screens/alerts.ts | 15 +- .../components/drag_and_drop/helpers.test.ts | 3 +- .../components/drag_and_drop/helpers.ts | 200 ++++++++++++------ .../event_details/__mocks__/index.ts | 164 ++++++++------ .../event_details/alert_summary_view.tsx | 35 +-- .../table/use_action_cell_data_provider.ts | 7 +- .../components/exceptions/helpers.test.tsx | 8 +- .../common/components/exceptions/helpers.tsx | 5 +- .../common/components/hover_actions/utils.ts | 200 ++++++++++++------ .../common/mock/mock_detection_alerts.ts | 84 ++++---- .../common/utils/endpoint_alert_check.test.ts | 5 +- .../common/utils/endpoint_alert_check.ts | 3 +- .../components/alerts_info/query.dsl.ts | 6 +- .../alerts_histogram_panel/index.test.tsx | 3 +- .../components/alerts_kpis/common/config.ts | 19 +- .../components/alerts_kpis/common/types.ts | 18 +- .../components/alerts_table/actions.test.tsx | 59 +++--- .../components/alerts_table/actions.tsx | 72 ++++--- .../alerts_table/default_config.test.tsx | 5 +- .../alerts_table/default_config.tsx | 55 +++-- .../timeline_actions/alert_context_menu.tsx | 16 +- .../rules/description_step/helpers.tsx | 3 +- .../rules/risk_score_mapping/translations.tsx | 3 +- .../components/take_action_dropdown/index.tsx | 7 +- .../examples/observablity_alerts/columns.ts | 11 +- .../render_cell_value.test.tsx | 13 +- .../observablity_alerts/render_cell_value.tsx | 11 +- .../examples/security_solution_rac/columns.ts | 14 +- 
.../render_cell_value.test.tsx | 5 +- .../render_cell_value.tsx | 5 +- .../security_solution_detections/columns.ts | 20 +- .../open_timeline/__mocks__/index.ts | 3 +- .../side_panel/event_details/footer.tsx | 10 +- .../side_panel/event_details/index.tsx | 5 +- .../components/timeline/body/helpers.tsx | 4 +- .../timeline/body/renderers/constants.tsx | 2 - .../body/renderers/formatted_field.tsx | 7 +- .../default_cell_renderer.test.tsx | 3 +- .../components/host_rules_table/columns.tsx | 7 +- .../components/host_tactics_table/columns.tsx | 11 +- .../rule_types/field_maps/alerts.ts | 182 ++++++++++------ .../find_previous_threshold_signals.ts | 3 +- .../timeline/__mocks__/create_timelines.ts | 4 +- .../timeline/__mocks__/import_timelines.ts | 13 +- .../helpers.test.ts | 3 +- .../ueba/host_rules/query.host_rules.dsl.ts | 11 +- .../host_tactics/query.host_tactics.dsl.ts | 17 +- .../ueba/user_rules/query.user_rules.dsl.ts | 11 +- .../apis/security_solution/utils.ts | 12 +- 58 files changed, 1123 insertions(+), 554 deletions(-) create mode 100644 x-pack/plugins/security_solution/common/alert_constants.ts create mode 100644 x-pack/plugins/security_solution/common/ecs/kibana/index.ts diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts index a29c1023caf67..a3f42d350229e 100644 --- a/packages/kbn-rule-data-utils/src/technical_field_names.ts +++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts @@ -10,8 +10,8 @@ import { ValuesType } from 'utility-types'; const KIBANA_NAMESPACE = 'kibana' as const; -const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; -const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; +export const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const; +export const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const; const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const; const ECS_VERSION = 'ecs.version' as const; 
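Review bot: ALERT_NAMESPACE and ALERT_RULE_NAMESPACE become public exports of @kbn/rule-data-utils without a doc comment saying what they are for. Downstream plugins will now compose their own `kibana.alert.*` field names from them (alert_constants.ts in this same patch does), so a TSDoc line such as `/** Prefix of every alert field; derive plugin-specific field names from this instead of hard-coding the string. */` on each would make the intended use explicit.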
diff --git a/x-pack/plugins/security_solution/common/alert_constants.ts b/x-pack/plugins/security_solution/common/alert_constants.ts
new file mode 100644
index 0000000000000..ec3c2cba1a7ef
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/alert_constants.ts
@@ -0,0 +1,139 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; + +// could prefix these with SECURITY or similar, but matching the existing naming pattern with +// technical names could provide the advantage of preventing duplicates when attempting to import + +// TODO: DO NOT ADD RULE_TYPE_ID or CONSUMERS: will be in rule-data-utils +// @ts-ignore +const ALERT_RULE_TYPE_ID = 'do not do. Is in Marshalls PR'; +// @ts-ignore +const ALERT_RULE_CONSUMERS = 'do not do. Is in Marshalls PR'; + +// Cast to `as const` to preserve the exact string value when using as a type rather than a value +export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; +export const ALERT_ANCESTORS_DEPTH = `${ALERT_ANCESTORS}.depth` as const; +export const ALERT_ANCESTORS_ID = `${ALERT_ANCESTORS}.id` as const; +export const ALERT_ANCESTORS_INDEX = `${ALERT_ANCESTORS}.index` as const; +export const ALERT_ANCESTORS_RULE = `${ALERT_ANCESTORS}.rule` as const; +export const ALERT_ANCESTORS_TYPE = `${ALERT_ANCESTORS}.type` as const; + +export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; + +export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const; +export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const; +export const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS = `${ALERT_ORIGINAL_EVENT}.agent_id_status` as const; +export const ALERT_ORIGINAL_EVENT_CATEGORY = `${ALERT_ORIGINAL_EVENT}.category` as const; +export const ALERT_ORIGINAL_EVENT_CODE = `${ALERT_ORIGINAL_EVENT}.code` as const; +export const ALERT_ORIGINAL_EVENT_CREATED = `${ALERT_ORIGINAL_EVENT}.created` as const; +export const ALERT_ORIGINAL_EVENT_DATASET = 
`${ALERT_ORIGINAL_EVENT}.dataset` as const; +export const ALERT_ORIGINAL_EVENT_DURATION = `${ALERT_ORIGINAL_EVENT}.duration` as const; +export const ALERT_ORIGINAL_EVENT_END = `${ALERT_ORIGINAL_EVENT}.end` as const; +export const ALERT_ORIGINAL_EVENT_HASH = `${ALERT_ORIGINAL_EVENT}.hash` as const; +export const ALERT_ORIGINAL_EVENT_ID = `${ALERT_ORIGINAL_EVENT}.id` as const; +export const ALERT_ORIGINAL_EVENT_INGESTED = `${ALERT_ORIGINAL_EVENT}.ingested` as const; +export const ALERT_ORIGINAL_EVENT_KIND = `${ALERT_ORIGINAL_EVENT}.kind` as const; +export const ALERT_ORIGINAL_EVENT_MODULE = `${ALERT_ORIGINAL_EVENT}.module` as const; +export const ALERT_ORIGINAL_EVENT_ORIGINAL = `${ALERT_ORIGINAL_EVENT}.original` as const; +export const ALERT_ORIGINAL_EVENT_OUTCOME = `${ALERT_ORIGINAL_EVENT}.outcome` as const; +export const ALERT_ORIGINAL_EVENT_PROVIDER = `${ALERT_ORIGINAL_EVENT}.provider` as const; +export const ALERT_ORIGINAL_EVENT_REASON = `${ALERT_ORIGINAL_EVENT}.reason` as const; +export const ALERT_ORIGINAL_EVENT_REFERENCE = `${ALERT_ORIGINAL_EVENT}.reference` as const; +export const ALERT_ORIGINAL_EVENT_RISK_SCORE = `${ALERT_ORIGINAL_EVENT}.risk_score` as const; +export const ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM = `${ALERT_ORIGINAL_EVENT}.risk_score_norm` as const; +export const ALERT_ORIGINAL_EVENT_SEQUENCE = `${ALERT_ORIGINAL_EVENT}.sequence` as const; +export const ALERT_ORIGINAL_EVENT_SEVERITY = `${ALERT_ORIGINAL_EVENT}.severity` as const; +export const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT}.start` as const; +export const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT}.timezone` as const; +export const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT}.type` as const; +export const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT}.url` as const; + +export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; + +export const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const; +export const ALERT_GROUP_ID = 
`${ALERT_GROUP}.id` as const; +export const ALERT_GROUP_INDEX = `${ALERT_GROUP}.index` as const; + +export const ALERT_THREAT = `${ALERT_NAMESPACE}.threat` as const; +export const ALERT_THREAT_FRAMEWORK = `${ALERT_THREAT}.framework` as const; +export const ALERT_THREAT_TACTIC = `${ALERT_THREAT}.tactic` as const; +export const ALERT_THREAT_TACTIC_ID = `${ALERT_THREAT_TACTIC}.id` as const; +export const ALERT_THREAT_TACTIC_NAME = `${ALERT_THREAT_TACTIC}.name` as const; +export const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_THREAT_TACTIC}.reference` as const; + +export const ALERT_THREAT_TECHNIQUE = `${ALERT_THREAT}.technique` as const; + +export const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE}.id` as const; +export const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE}.name` as const; +export const ALERT_THREAT_TECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE}.reference` as const; + +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE = `${ALERT_THREAT_TECHNIQUE}.subtechnique` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.id` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.name` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.reference` as const; + +export const ALERT_THRESHOLD_RESULT = `${ALERT_NAMESPACE}.threshold_result` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY = `${ALERT_THRESHOLD_RESULT}.cardinality` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.field` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.value` as const; + +export const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT}.count` as const; +export const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT}.from` as const; +export const ALERT_THRESHOLD_RESULT_TERMS = 
`${ALERT_THRESHOLD_RESULT}.terms` as const; +export const ALERT_THRESHOLD_RESULT_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT_TERMS}.field` as const; +export const ALERT_THRESHOLD_RESULT_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT_TERMS}.value` as const; + +export const ALERT_RULE_BUILDING_BLOCK_TYPE = `${ALERT_RULE_NAMESPACE}.building_block_type` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; +export const ALERT_RULE_FALSE_POSITIVES = `${ALERT_RULE_NAMESPACE}.false_positives` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_FILTERS = `${ALERT_RULE_NAMESPACE}.filters` as const; +export const ALERT_RULE_IMMUTABLE = `${ALERT_RULE_NAMESPACE}.immutable` as const; +export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const; +export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const; +export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const; +// TODO: Not supported in new RAC implementation. 
Can be removed +export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.ouput_index` as const; +export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const; +// TODO: Could be depracated +export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_SIZE = `${ALERT_RULE_NAMESPACE}.size` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_THRESHOLD = `${ALERT_RULE_NAMESPACE}.threshold` as const; +export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as const; +export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const; + +export const ALERT_RULE_THREAT = `${ALERT_RULE_NAMESPACE}.threat` as const; +export const ALERT_RULE_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT}.framework` as const; +export const ALERT_RULE_THREAT_TACTIC = `${ALERT_RULE_THREAT}.tactic` as const; +export const ALERT_RULE_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_TACTIC}.id` as const; +export const ALERT_RULE_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_TACTIC}.name` as const; +export const ALERT_RULE_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_TACTIC}.reference` as const; + +export const ALERT_RULE_THREAT_TECHNIQUE = `${ALERT_RULE_THREAT}.technique` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_TECHNIQUE}.id` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_TECHNIQUE}.name` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_REFERENCE = `${ALERT_RULE_THREAT_TECHNIQUE}.reference` as const; + +/** + * TODO: OTHER signal.* not mentioned: + * signal.name + * signal.rule.actions? + * signal.rule.meta.* + * signal.original_event.lag.* + * signal.rule.id.keyword + * signal.rule.threat_mapping + */ + +/** + * TODO: + * DONE: Removed signal.parent.* references / replaced with signal.ancestors.* where not already existing + */ 
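Review bot: `ALERT_RULE_OUTPUT_INDEX` is built from `ouput_index`, so it resolves to `kibana.alert.rule.ouput_index` while the field it replaces was `signal.rule.output_index`; the same constant is used as a key in alertFieldsMap, in the allowTopN allowlist and in the event-details mock further down this patch, so the misspelling will silently match nothing in indexed data. It should read `export const ALERT_RULE_OUTPUT_INDEX = \`${ALERT_RULE_NAMESPACE}.output_index\` as const;`. The two `// @ts-ignore` placeholders `ALERT_RULE_TYPE_ID` and `ALERT_RULE_CONSUMERS` are unused string literals committed as code; the TODO above them already carries the intent, so both declarations and their ts-ignores can be dropped. The `depracated` comment and the two trailing TODO blocks would read better as one short list of open items in the file header.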
diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
index 47e3b5b3ea364..97f5a58e8204c 100644
--- a/x-pack/plugins/security_solution/common/constants.ts
+++ b/x-pack/plugins/security_solution/common/constants.ts
@@ -8,6 +8,7 @@ import type { TransformConfigSchema } from './transforms/types';
 import { ENABLE_CASE_CONNECTOR } from '../../cases/common';
 import { metadataTransformPattern } from './endpoint/constants';
+import { ALERT_RULE_THREAT_TACTIC_NAME } from './alert_constants';
 export const APP_ID = 'securitySolution';
 export const SERVER_APP_ID = 'siem';
@@ -299,7 +300,7 @@ export const showAllOthersBucket: string[] = [
   'event.category',
   'event.dataset',
   'event.module',
-  'signal.rule.threat.tactic.name',
+  ALERT_RULE_THREAT_TACTIC_NAME,
   'source.ip',
   'destination.ip',
   'user.name',
diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
index 292822019fc9c..270c02234a82c 100644
--- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
@@ -5,6 +5,44 @@ * 2.0. */ +import { + ALERT_RULE_CREATED_AT, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_TAGS, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_AT, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, +} from '@kbn/rule-data-utils'; +import { + ALERT_ORIGINAL_TIME, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_SAVED_ID, + ALERT_RULE_SIZE, + ALERT_RULE_THREAT, + ALERT_RULE_THRESHOLD, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, +} from '../../alert_constants'; import { extendMap } from './extend_map'; export const auditdMap: Readonly> = { 
@@ -290,41 +328,41 @@ export const systemFieldsMap: Readonly> = { 'system.auth.ssh.method': 'system.auth.ssh.method', }; -export const signalFieldsMap: Readonly> = { - 'signal.original_time': 'signal.original_time', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', +export const alertFieldsMap: Readonly> = { + [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME, + [ALERT_RULE_ID]: ALERT_RULE_ID, + 
[ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, + [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, + [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE, + [ALERT_RULE_OUTPUT_INDEX]: ALERT_RULE_OUTPUT_INDEX, + [ALERT_RULE_FROM]: ALERT_RULE_FROM, + [ALERT_RULE_INDEX]: ALERT_RULE_INDEX, + [ALERT_RULE_LANGUAGE]: ALERT_RULE_LANGUAGE, + [ALERT_RULE_QUERY]: ALERT_RULE_QUERY, + [ALERT_RULE_TO]: ALERT_RULE_TO, + [ALERT_RULE_FILTERS]: ALERT_RULE_FILTERS, + [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID, + [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES, + [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS, + [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE, + [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION, + [ALERT_RULE_NAME]: ALERT_RULE_NAME, + [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE, + [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES, + [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY, + [ALERT_RULE_TAGS]: ALERT_RULE_TAGS, + [ALERT_RULE_THREAT]: ALERT_RULE_THREAT, + [ALERT_RULE_TYPE]: ALERT_RULE_TYPE, + [ALERT_RULE_SIZE]: ALERT_RULE_SIZE, + [ALERT_RULE_ENABLED]: ALERT_RULE_ENABLED, + [ALERT_RULE_CREATED_AT]: ALERT_RULE_CREATED_AT, + [ALERT_RULE_UPDATED_AT]: ALERT_RULE_UPDATED_AT, + [ALERT_RULE_CREATED_BY]: ALERT_RULE_CREATED_BY, + [ALERT_RULE_UPDATED_BY]: ALERT_RULE_UPDATED_BY, + [ALERT_RULE_VERSION]: ALERT_RULE_VERSION, + [ALERT_RULE_NOTE]: ALERT_RULE_NOTE, + [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD, + [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST, }; export const ruleFieldsMap: Readonly> = { @@ -336,6 +374,7 @@ export const eventFieldsMap: Readonly> = { '@timestamp': '@timestamp', message: 'message', ...{ ...agentFieldsMap }, + ...{ ...alertFieldsMap }, ...{ ...auditdMap }, ...{ ...destinationFieldsMap }, ...{ ...dnsFieldsMap }, 
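Review bot: Replacing signalFieldsMap with alertFieldsMap removes every `signal.*` key from eventFieldsMap, yet the Ecs interface in this same patch keeps `signal?: SignalEcs`; documents already written to the legacy `.siem-signals-*` indices still carry `signal.*` fields, so if eventFieldsMap is what resolves those fields for display, pre-existing alerts will stop resolving them (I cannot see the consumers from here). Keeping the old map alongside the new one until the migration cutoff, or stating in the commit description that pre-RAC alerts are out of scope, would make the compatibility story explicit. A one-line comment above alertFieldsMap, `// Field names of alerts written by the rule registry (kibana.alert.*); legacy signal.* documents are not mapped here`, would document the decision either way.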
@@ -346,7 +385,6 @@ export const eventFieldsMap: Readonly> = {
   ...{ ...hostFieldsMap },
   ...{ ...networkFieldsMap },
   ...{ ...ruleFieldsMap },
-  ...{ ...signalFieldsMap },
   ...{ ...sourceFieldsMap },
   ...{ ...suricataFieldsMap },
   ...{ ...systemFieldsMap },
diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts
index 610a2fd1f6e9e..a5bb556f65d96 100644
--- a/x-pack/plugins/security_solution/common/ecs/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/index.ts
@@ -14,6 +14,7 @@ import { EventEcs } from './event';
 import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
+import { KibanaEcs } from './kibana';
 import { NetworkEcs } from './network';
 import { RegistryEcs } from './registry';
 import { RuleEcs } from './rule';
@@ -44,10 +45,11 @@ export interface Ecs {
   event?: EventEcs;
   geo?: GeoEcs;
   host?: HostEcs;
+  kibana?: KibanaEcs;
   network?: NetworkEcs;
   registry?: RegistryEcs;
   rule?: RuleEcs;
-  signal?: SignalEcs;
+  signal?: SignalEcs; // TODO: Should remove?
   source?: SourceEcs;
   suricata?: SuricataEcs;
   tls?: TlsEcs;
diff --git a/x-pack/plugins/security_solution/common/ecs/kibana/index.ts b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts
new file mode 100644
index 0000000000000..a582000631d24
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { RuleEcs } from '../rule';
+
+export interface KibanaEcs {
+  alert?: {
+    rule?: RuleEcs;
+    original_time?: string[];
+    status?: string[];
+    group?: {
+      id?: string[];
+    };
+    threshold_result?: unknown;
+  };
+}
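Review bot: `threshold_result?: unknown` in KibanaEcs discards the structure that alert_constants.ts spells out (`cardinality.field`/`cardinality.value`, `count`, `from`, `terms.field`/`terms.value`), so every consumer will have to cast; declaring it as an object with those optional members — element types to be confirmed against rule_types/field_maps/alerts.ts, e.g. `terms?: { field?: string[]; value?: string[] }` like the array-valued siblings here — keeps it type-checked. The shape also omits `ancestors`, `depth`, `original_event` and `threat`, which the new constants and the allowTopN allowlist reference; if that is deliberate for now, a comment on the interface saying so would stop the next reader from adding them piecemeal. `signal?: SignalEcs; // TODO: Should remove?` leaves an open question inside the type; it should either name the follow-up or be answered in this patch, since the field map in the same commit already drops every `signal.*` key.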
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index 0ae42d4baaec4..a474ae602fab2 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -14,7 +14,7 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues;
 export const allowedExperimentalValues = Object.freeze({
   metricsEntitiesEnabled: false,
   ruleRegistryEnabled: false,
-  tGridEnabled: false,
+  tGridEnabled: true,
   trustedAppsByPolicyEnabled: false,
   excludePoliciesInFilterEnabled: false,
   uebaEnabled: false,
diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
index 64d4f2986903a..b9e0d7639ef6c 100644
--- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
@@ -5,9 +5,10 @@
  * 2.0.
  */
+import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
+import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { EventHit, EventSource } from '../search_strategy';
 import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters';
-import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
 describe('Events Details Helpers', () => {
   const fields: EventHit['fields'] = eventHit.fields;
@@ -135,8 +136,8 @@ describe('Events Details Helpers', () => {
   it('#getDataFromSourceHits', () => {
     const _source: EventSource = {
       '@timestamp': '2021-02-24T00:41:06.527Z',
-      'signal.status': 'open',
-      'signal.rule.name': 'Rawr',
+      [ALERT_STATUS]: 'open',
+      [ALERT_RULE_NAME]: 'Rawr',
       'threat.indicator': [
         {
           provider: 'yourself',
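Review bot: `tGridEnabled: false` → `true` flips the default of an experimental feature flag for every deployment, which is unrelated to the subject (replacing `signal.*` strings with constants) and is not mentioned anywhere in the patch. If the new field names only work once the alerts table runs on t-grid, say so in the commit description; otherwise this one-line change belongs in its own commit so that it can be reviewed and reverted independently of the rename.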
@@ -162,14 +163,14 @@ describe('Events Details Helpers', () => {
         },
         {
           category: 'signal',
-          field: 'signal.status',
+          field: ALERT_STATUS,
           values: ['open'],
           originalValue: ['open'],
           isObjectArray: false,
         },
         {
           category: 'signal',
-          field: 'signal.rule.name',
+          field: ALERT_RULE_NAME,
           values: ['Rawr'],
           originalValue: ['Rawr'],
           isObjectArray: false,
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 24a56dd563e17..34788211d3f32 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -147,7 +147,7 @@ describe('Detection rules, override', () => {
       getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
       getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
         'have.text',
-        `${this.rule.riskOverride}signal.rule.risk_score`
+        `${this.rule.riskOverride}${ALERT_RULE_RISK_SCORE}`
       );
       getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {
diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
index e0430fb402769..b9435e8c2f767 100644
--- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
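Review bot: Both expected entries keep `category: 'signal'` while `field` becomes `ALERT_STATUS` and `ALERT_RULE_NAME` (`kibana.alert.status`, `kibana.alert.rule.name`); if getDataFromSourceHits derives the category from the first path segment, the expected value should now be `'kibana'` and this test will fail, and if it does not, the fixture asserts a category no real document would carry. Either way `category: 'signal'` here deserves a second look, and the same mismatch recurs in the event-details mock later in the patch.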
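Review bot: `${ALERT_RULE_RISK_SCORE}` is referenced in the template literal but no import is added to override.spec.ts, and the diffstat lists the file as `2 +-`, i.e. this one-line replacement is the only change; unless the constant is already imported above the hunk, the spec will not compile. Add `import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';` at the top of the file. The enclosing test body starts and ends outside the hunk.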
@@ -16,17 +16,20 @@ export const ALERT_CHECKBOX = '[data-test-subj="select-event-container"] .euiChe
 export const ALERT_ID = '[data-test-subj="draggable-content-_id"]';
-export const ALERT_RISK_SCORE_HEADER = '[data-test-subj="header-text-signal.rule.risk_score"]';
+export const ALERT_RISK_SCORE_HEADER =
+  '[data-test-subj="header-text-kibana.alert.rule.risk_score"]';
-export const ALERT_RULE_METHOD = '[data-test-subj="draggable-content-signal.rule.type"]';
+export const ALERT_RULE_METHOD = '[data-test-subj="draggable-content-kibana.alert.rule.type"]';
-export const ALERT_RULE_NAME = '[data-test-subj="draggable-content-signal.rule.name"]';
+export const ALERT_RULE_NAME = '[data-test-subj="draggable-content-kibana.alert.rule.name"]';
-export const ALERT_RULE_RISK_SCORE = '[data-test-subj="draggable-content-signal.rule.risk_score"]';
+export const ALERT_RULE_RISK_SCORE =
+  '[data-test-subj="draggable-content-kibana.alert.rule.risk_score"]';
-export const ALERT_RULE_SEVERITY = '[data-test-subj="draggable-content-signal.rule.severity"]';
+export const ALERT_RULE_SEVERITY =
+  '[data-test-subj="draggable-content-kibana.alert.rule.severity"]';
-export const ALERT_RULE_VERSION = '[data-test-subj="draggable-content-signal.rule.version"]';
+export const ALERT_RULE_VERSION = '[data-test-subj="draggable-content-kibana.alert.rule.version"]';
 export const CLOSE_ALERT_BTN = '[data-test-subj="close-alert-status"]';
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts
index a14a44cd9a68b..6f45b4a72ebaf 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.test.ts
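Review bot: The selectors hard-code `kibana.alert.rule.risk_score`, `kibana.alert.rule.type` and the rest as string literals, which is exactly the pattern the rest of the patch removes; building them from the shared constants, e.g. `import { ALERT_RULE_RISK_SCORE as RISK_SCORE_FIELD } from '@kbn/rule-data-utils';` and `export const ALERT_RULE_RISK_SCORE = \`[data-test-subj="draggable-content-${RISK_SCORE_FIELD}"]\`;`, keeps the Cypress selectors in sync the next time a field is renamed. Note also that the local names `ALERT_RULE_NAME`, `ALERT_RULE_RISK_SCORE`, `ALERT_RULE_SEVERITY` and `ALERT_RULE_VERSION` are identical to exports of @kbn/rule-data-utils, so any spec importing both must alias one side; a `_SELECTOR` suffix on these would avoid the collision.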
@@ -5,6 +5,7 @@
  * 2.0.
  */
+import { ALERT_RULE_NAME } from '@kbn/rule-data-utils';
 import { omit } from 'lodash/fp';
 import { DropResult } from 'react-beautiful-dnd';
 import { getTimelineIdFromColumnDroppableId } from '../../../../../timelines/public';
@@ -663,7 +664,7 @@ describe('helpers', () => {
       expect(
         allowTopN({
           browserField: undefined,
-          fieldName: 'signal.rule.name',
+          fieldName: ALERT_RULE_NAME,
         })
       ).toBe(true);
     });
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
index 9717e1e1eda91..ce409c0aaecc3 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -9,11 +9,79 @@ import { Dispatch } from 'redux'; import { ActionCreator } from 'typescript-fsa'; import { getProviderIdFromDraggable } from '@kbn/securitysolution-t-grid'; +import { + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_INTERVAL, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_TAGS, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; import { BrowserField } from '../../containers/source'; import { dragAndDropActions } from '../../store/actions'; import { IdToDataProvider } from '../../store/drag_and_drop/model'; import { addContentToTimeline } from '../../../timelines/components/timeline/data_providers/helpers'; import { DataProvider } from '../../../timelines/components/timeline/data_providers/data_provider'; +import { + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + 
ALERT_RULE_SAVED_ID, + ALERT_RULE_SIZE, + ALERT_RULE_THREAT, + ALERT_RULE_THREAT_TACTIC_ID, + ALERT_RULE_THREAT_TACTIC_NAME, + ALERT_RULE_THREAT_TACTIC_REFERENCE, + ALERT_RULE_THREAT_TECHNIQUE_ID, + ALERT_RULE_THREAT_TECHNIQUE_NAME, + ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, +} from './../../../../common/alert_constants'; export { draggableIdPrefix, 
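Review bot: The new import path `'./../../../../common/alert_constants'` carries a redundant `./` prefix; the neighbouring relative imports in this file use the plain `'../../../../common/...'` form, so this one should read `} from '../../../../common/alert_constants';`. The same spelling appears in the event-details mock import later in the patch.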
@@ -111,74 +179,70 @@ export const allowTopN = ({ // TODO: remove this explicit allowlist when the ECS documentation includes alerts const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 
'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', - 'signal.status', + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_INTERVAL, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SAVED_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_SIZE, + ALERT_RULE_TAGS, + ALERT_RULE_THREAT, + ALERT_RULE_THREAT_TACTIC_ID, + ALERT_RULE_THREAT_TACTIC_NAME, + ALERT_RULE_THREAT_TACTIC_REFERENCE, + ALERT_RULE_THREAT_TECHNIQUE_ID, + ALERT_RULE_THREAT_TECHNIQUE_NAME, + ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, ].includes(fieldName); return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType); 
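Review bot: The allowlist array is allocated and scanned linearly on every allowTopN call; hoisting it to module scope as `const ALLOWLISTED_NON_BROWSER_FIELDS: ReadonlySet<string> = new Set([ /* same constants */ ]);` and testing `ALLOWLISTED_NON_BROWSER_FIELDS.has(fieldName)` removes the per-call allocation and gives tests a single value to reference. The `// TODO: remove this explicit allowlist when the ECS documentation includes alerts` comment above the array predates the move to `kibana.alert.*` and should say whether these fields are now expected to arrive via BrowserFields, which would make the list obsolete. allowTopN starts outside the hunk.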
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index 620c3991b0ad9..bcaab83985882 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -5,6 +5,59 @@ * 2.0. */ +import { + ALERT_RULE_AUTHOR, + ALERT_RULE_CREATED_AT, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_INTERVAL, + ALERT_RULE_LICENSE, + ALERT_RULE_NAME, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RISK_SCORE_MAPPING, + ALERT_RULE_RULE_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_SEVERITY_MAPPING, + ALERT_RULE_TAGS, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_AT, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; +import { + ALERT_ANCESTORS, + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_TYPE, + ALERT_DEPTH, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_INGESTED, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_THREAT, +} from './../../../../../common/alert_constants'; + export const mockAlertDetailsData = [ { category: 'process', field: 'process.name', values: ['-'], originalValue: '-' }, { category: 'process', field: 'process.pid', values: [0], originalValue: 0 }, 
@@ -334,22 +387,7 @@ export const mockAlertDetailsData = [ { category: 'user', field: 'user.id', values: ['S-1-0-0'], originalValue: 'S-1-0-0' }, { category: 'signal', - field: 'signal.parents', - values: [ - '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}', - ], - originalValue: [ - { - id: '688MAHYB7WTwW_Glsi_d', - type: 'event', - index: 'winlogbeat-7.10.0-2020.11.12-000001', - depth: 0, - }, - ], - }, - { - category: 'signal', - field: 'signal.ancestors', + field: ALERT_ANCESTORS, values: [ '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}', ], @@ -362,22 +400,22 @@ export const mockAlertDetailsData = [ }, ], }, - { category: 'signal', field: 'signal.status', values: ['open'], originalValue: 'open' }, + { category: 'signal', field: ALERT_STATUS, values: ['open'], originalValue: 'open' }, { category: 'signal', - field: 'signal.rule.id', + field: ALERT_RULE_ID, values: ['b69d086c-325a-4f46-b17b-fb6d227006ba'], originalValue: 'b69d086c-325a-4f46-b17b-fb6d227006ba', }, { category: 'signal', - field: 'signal.rule.rule_id', + field: ALERT_RULE_RULE_ID, values: ['e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5'], originalValue: 'e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5', }, { category: 'signal', field: 'signal.rule.actions', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.author', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.false_positives', values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_AUTHOR, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_FALSE_POSITIVES, values: [], originalValue: [] }, { category: 'signal', field: 'signal.rule.meta.from', values: ['1m'], originalValue: '1m' }, { category: 'signal', 
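Review bot: The rewritten mock entries in `@@ -362,22 +400,22 @@` keep `category: 'signal'` while their `field` now comes from `ALERT_STATUS`, `ALERT_RULE_ID` and the other `kibana.alert.*` constants, whereas every other entry in this fixture uses the field's first path segment as its category (`process.name` → `process`, `user.id` → `user`). If the real event-details items follow that convention, the renamed alert fields will be categorized under their new top-level segment and this fixture no longer represents what the code under test receives; I cannot tell from the diff which way it is. The endpoint_alert_check.test.ts fixture in hunk `@@ -21,7 +22,7 @@` further down has the same shape. Deriving the category from the constant, e.g. `category: ALERT_STATUS.split('.')[0]`, would keep the fixture honest either way; otherwise a one-line comment stating that `signal` is intentionally retained for alert fields would do.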
@@ -385,25 +423,25 @@ export const mockAlertDetailsData = [ values: ['http://localhost:5601/app/security'], originalValue: 'http://localhost:5601/app/security', }, - { category: 'signal', field: 'signal.rule.max_signals', values: [100], originalValue: 100 }, - { category: 'signal', field: 'signal.rule.risk_score', values: [21], originalValue: 21 }, - { category: 'signal', field: 'signal.rule.risk_score_mapping', values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 }, + { category: 'signal', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 }, + { category: 'signal', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] }, { category: 'signal', - field: 'signal.rule.output_index', + field: ALERT_RULE_OUTPUT_INDEX, values: ['.siem-signals-angelachuang-default'], originalValue: '.siem-signals-angelachuang-default', }, - { category: 'signal', field: 'signal.rule.description', values: ['xxx'], originalValue: 'xxx' }, + { category: 'signal', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' }, { category: 'signal', - field: 'signal.rule.from', + field: ALERT_RULE_FROM, values: ['now-360s'], originalValue: 'now-360s', }, { category: 'signal', - field: 'signal.rule.index', + field: ALERT_RULE_INDEX, values: [ 'apm-*-transaction*', 'traces-apm*', 
@@ -425,25 +463,25 @@ export const mockAlertDetailsData = [ 'winlogbeat-*', ], }, - { category: 'signal', field: 'signal.rule.interval', values: ['5m'], originalValue: '5m' }, - { category: 'signal', field: 'signal.rule.language', values: ['kuery'], originalValue: 'kuery' }, - { category: 'signal', field: 'signal.rule.license', values: [''], originalValue: '' }, - { category: 'signal', field: 'signal.rule.name', values: ['xxx'], originalValue: 'xxx' }, + { category: 'signal', field: ALERT_RULE_INTERVAL, values: ['5m'], originalValue: '5m' }, + { category: 'signal', field: ALERT_RULE_LANGUAGE, values: ['kuery'], originalValue: 'kuery' }, + { category: 'signal', field: ALERT_RULE_LICENSE, values: [''], originalValue: '' }, + { category: 'signal', field: ALERT_RULE_NAME, values: ['xxx'], originalValue: 'xxx' }, { category: 'signal', - field: 'signal.rule.query', + field: ALERT_RULE_QUERY, values: ['@timestamp : * '], originalValue: '@timestamp : * ', }, - { category: 'signal', field: 'signal.rule.references', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.severity', values: ['low'], originalValue: 'low' }, - { category: 'signal', field: 'signal.rule.severity_mapping', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.tags', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.type', values: ['query'], originalValue: 'query' }, - { category: 'signal', field: 'signal.rule.to', values: ['now'], originalValue: 'now' }, + { category: 'signal', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' }, + { category: 'signal', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_TAGS, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' }, + { category: 'signal', field: 
ALERT_RULE_TO, values: ['now'], originalValue: 'now' }, { category: 'signal', - field: 'signal.rule.filters', + field: ALERT_RULE_FILTERS, values: [ '{"meta":{"alias":null,"negate":false,"disabled":false,"type":"exists","key":"message","value":"exists"},"exists":{"field":"message"},"$state":{"store":"appState"}}', ], 
@@ -464,59 +502,59 @@ export const mockAlertDetailsData = [ }, { category: 'signal', - field: 'signal.rule.created_by', + field: ALERT_RULE_CREATED_BY, values: ['angela'], originalValue: 'angela', }, { category: 'signal', - field: 'signal.rule.updated_by', + field: ALERT_RULE_UPDATED_BY, values: ['angela'], originalValue: 'angela', }, - { category: 'signal', field: 'signal.rule.threat', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.rule.version', values: [2], originalValue: 2 }, + { category: 'signal', field: ALERT_RULE_THREAT, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_RULE_VERSION, values: [2], originalValue: 2 }, { category: 'signal', - field: 'signal.rule.created_at', + field: ALERT_RULE_CREATED_AT, values: ['2020-11-24T10:30:33.660Z'], originalValue: '2020-11-24T10:30:33.660Z', }, { category: 'signal', - field: 'signal.rule.updated_at', + field: ALERT_RULE_UPDATED_AT, values: ['2020-11-25T15:37:40.939Z'], originalValue: '2020-11-25T15:37:40.939Z', }, - { category: 'signal', field: 'signal.rule.exceptions_list', values: [], originalValue: [] }, - { category: 'signal', field: 'signal.depth', values: [1], originalValue: 1 }, + { category: 'signal', field: ALERT_RULE_EXCEPTIONS_LIST, values: [], originalValue: [] }, + { category: 'signal', field: ALERT_DEPTH, values: [1], originalValue: 1 }, { category: 'signal', - field: 'signal.parent.id', + field: ALERT_ANCESTORS_ID, values: ['688MAHYB7WTwW_Glsi_d'], originalValue: '688MAHYB7WTwW_Glsi_d', }, - { category: 'signal', field: 'signal.parent.type', values: ['event'], originalValue: 'event' }, + { category: 'signal', field: ALERT_ANCESTORS_TYPE, values: ['event'], originalValue: 'event' }, { category: 'signal', - field: 'signal.parent.index', + field: ALERT_ANCESTORS_INDEX, values: ['winlogbeat-7.10.0-2020.11.12-000001'], originalValue: 'winlogbeat-7.10.0-2020.11.12-000001', }, - { category: 'signal', field: 'signal.parent.depth', values: [0], originalValue: 0 }, + 
{ category: 'signal', field: ALERT_ANCESTORS_DEPTH, values: [0], originalValue: 0 }, { category: 'signal', - field: 'signal.original_time', + field: ALERT_ORIGINAL_TIME, values: ['2020-11-25T15:36:38.847Z'], originalValue: '2020-11-25T15:36:38.847Z', }, { category: 'signal', - field: 'signal.original_event.ingested', + field: ALERT_ORIGINAL_EVENT_INGESTED, values: ['2020-11-25T15:36:40.924914552Z'], originalValue: '2020-11-25T15:36:40.924914552Z', }, - { category: 'signal', field: 'signal.original_event.code', values: [4625], originalValue: 4625 }, + { category: 'signal', field: ALERT_ORIGINAL_EVENT_CODE, values: [4625], originalValue: 4625 }, { category: 'signal', field: 'signal.original_event.lag.total', 
@@ -537,49 +575,49 @@ export const mockAlertDetailsData = [ }, { category: 'signal', - field: 'signal.original_event.provider', + field: ALERT_ORIGINAL_EVENT_PROVIDER, values: ['Microsoft-Windows-Security-Auditing'], originalValue: 'Microsoft-Windows-Security-Auditing', }, { category: 'signal', - field: 'signal.original_event.created', + field: ALERT_ORIGINAL_EVENT_CREATED, values: ['2020-11-25T15:36:39.922Z'], originalValue: '2020-11-25T15:36:39.922Z', }, { category: 'signal', - field: 'signal.original_event.kind', + field: ALERT_ORIGINAL_EVENT_KIND, values: ['event'], originalValue: 'event', }, { category: 'signal', - field: 'signal.original_event.module', + field: ALERT_ORIGINAL_EVENT_MODULE, values: ['security'], originalValue: 'security', }, { category: 'signal', - field: 'signal.original_event.action', + field: ALERT_ORIGINAL_EVENT_ACTION, values: ['logon-failed'], originalValue: 'logon-failed', }, { category: 'signal', - field: 'signal.original_event.type', + field: ALERT_ORIGINAL_EVENT_TYPE, values: ['start'], originalValue: 'start', }, { category: 'signal', - field: 'signal.original_event.category', + field: ALERT_ORIGINAL_EVENT_CATEGORY, values: ['authentication'], originalValue: 'authentication', }, { category: 'signal', - field: 'signal.original_event.outcome', + field: ALERT_ORIGINAL_EVENT_OUTCOME, values: ['failure'], originalValue: 'failure', }, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx index 500f14aaa5317..571efee9d535a 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx 
@@ -10,6 +10,13 @@ import { get, getOr, find, isEmpty } from 'lodash/fp'; import React, { useMemo } from 'react'; import styled from 'styled-components'; +import { + ALERT_RULE_ID, + ALERT_RULE_NAME, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_SEVERITY, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; import * as i18n from './translations'; import { BrowserFields } from '../../../../common/search_strategy/index_fields'; import { @@ -25,7 +32,6 @@ import { import { AGENT_STATUS_FIELD_NAME, IP_FIELD_TYPE, - SIGNAL_RULE_NAME_FIELD_NAME, } from '../../../timelines/components/timeline/body/renderers/constants'; import { DESTINATION_IP_FIELD_NAME, SOURCE_IP_FIELD_NAME } from '../../../network/components/ip'; import { SummaryView } from './summary_view'; @@ -38,6 +44,11 @@ import { getEmptyValue } from '../empty_value'; import { ActionCell } from './table/action_cell'; import { FieldValueCell } from './table/field_value_cell'; import { TimelineEventsDetailsItem } from '../../../../common'; +import { + ALERT_THRESHOLD_RESULT_COUNT, + ALERT_THRESHOLD_RESULT_TERMS, + ALERT_THRESHOLD_RESULT_CARDINALITY, +} from '../../../../common/alert_constants'; export const Indent = styled.div` padding: 0 8px; 
@@ -49,23 +60,23 @@ const StyledEmptyComponent = styled.div` `; const fields = [ - { id: 'signal.status', label: SIGNAL_STATUS }, + { id: ALERT_STATUS, label: SIGNAL_STATUS }, { id: '@timestamp', label: TIMESTAMP }, { - id: SIGNAL_RULE_NAME_FIELD_NAME, - linkField: 'signal.rule.id', + id: ALERT_RULE_NAME, + linkField: ALERT_RULE_ID, label: ALERTS_HEADERS_RULE, }, - { id: 'signal.rule.severity', label: ALERTS_HEADERS_SEVERITY }, - { id: 'signal.rule.risk_score', label: ALERTS_HEADERS_RISK_SCORE }, + { id: ALERT_RULE_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, + { id: ALERT_RULE_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE }, { id: 'host.name' }, { id: 'agent.id', overrideField: AGENT_STATUS_FIELD_NAME, label: i18n.AGENT_STATUS }, { id: 'user.name' }, { id: SOURCE_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE }, { id: DESTINATION_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE }, - { id: 'signal.threshold_result.count', label: ALERTS_HEADERS_THRESHOLD_COUNT }, - { id: 'signal.threshold_result.terms', label: ALERTS_HEADERS_THRESHOLD_TERMS }, - { id: 'signal.threshold_result.cardinality', label: ALERTS_HEADERS_THRESHOLD_CARDINALITY }, + { id: ALERT_THRESHOLD_RESULT_COUNT, label: ALERTS_HEADERS_THRESHOLD_COUNT }, + { id: ALERT_THRESHOLD_RESULT_TERMS, label: ALERTS_HEADERS_THRESHOLD_TERMS }, + { id: ALERT_THRESHOLD_RESULT_CARDINALITY, label: ALERTS_HEADERS_THRESHOLD_CARDINALITY }, ]; const processFields = [ @@ -189,7 +200,7 @@ const getSummaryRows = ({ return acc; } - if (item.id === 'signal.threshold_result.terms') { + if (item.id === ALERT_THRESHOLD_RESULT_TERMS) { try { const terms = getOr(null, 'originalValue', field); const parsedValue = terms.map((term: string) => JSON.parse(term)); @@ -210,7 +221,7 @@ const getSummaryRows = ({ } } - if (item.id === 'signal.threshold_result.cardinality') { + if (item.id === ALERT_THRESHOLD_RESULT_CARDINALITY) { try { const parsedValue = JSON.parse(value); return [ 
@@ -256,7 +267,7 @@ const AlertSummaryViewComponent: React.FC<{ ]); const ruleId = useMemo(() => { - const item = data.find((d) => d.field === 'signal.rule.id'); + const item = data.find((d) => d.field === ALERT_RULE_ID); return Array.isArray(item?.originalValue) ? item?.originalValue[0] : item?.originalValue ?? null; diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts b/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts index 76ca5dfe53f4e..558c436bc69c8 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts @@ -10,6 +10,7 @@ import { escapeDataProviderId } from '@kbn/securitysolution-t-grid'; import { isArray, isEmpty, isString } from 'lodash/fp'; import { useMemo } from 'react'; +import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; import { AGENT_STATUS_FIELD_NAME, EVENT_MODULE_FIELD_NAME, @@ -20,8 +21,6 @@ import { MESSAGE_FIELD_NAME, REFERENCE_URL_FIELD_NAME, RULE_REFERENCE_FIELD_NAME, - SIGNAL_RULE_NAME_FIELD_NAME, - SIGNAL_STATUS_FIELD_NAME, } from '../../../../timelines/components/timeline/body/renderers/constants'; import { BYTES_FORMAT } from '../../../../timelines/components/timeline/body/renderers/bytes'; import { EVENT_DURATION_FIELD_NAME } from '../../../../timelines/components/duration'; 
@@ -112,11 +111,11 @@ export const useActionCellDataProvider = ({ id = `event-details-value-default-draggable-${appendedUniqueId}`; } else if (fieldFormat === BYTES_FORMAT) { id = `bytes-default-draggable-${appendedUniqueId}`; - } else if (field === SIGNAL_RULE_NAME_FIELD_NAME) { + } else if (field === ALERT_RULE_NAME) { id = `event-details-value-default-draggable-${appendedUniqueId}-${linkValue}`; } else if (field === EVENT_MODULE_FIELD_NAME) { id = `event-details-value-default-draggable-${appendedUniqueId}-${value}`; - } else if (field === SIGNAL_STATUS_FIELD_NAME) { + } else if (field === ALERT_STATUS) { id = `alert-details-value-default-draggable-${appendedUniqueId}`; } else if (field === AGENT_STATUS_FIELD_NAME) { const valueToUse = typeof value === 'string' ? value : ''; diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx index 83006f09a14be..fa4ad24551cd4 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx @@ -43,6 +43,10 @@ import { fields } from '../../../../../../../src/plugins/data/common/index_patte import { ENTRIES, OLD_DATE_RELATIVE_TO_DATE_NOW } from '../../../../../lists/common/constants.mock'; import { CodeSignature } from '../../../../common/ecs/file'; import { IndexPatternBase } from '@kbn/es-query'; +import { + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, +} from '../../../../common/alert_constants'; jest.mock('uuid', () => ({ v4: jest.fn().mockReturnValue('123'), @@ -432,7 +436,7 @@ describe('Exception helpers', () => { entries: [ { ...getEntryMatchMock(), - field: 'signal.original_event.kind', + field: ALERT_ORIGINAL_EVENT_KIND, }, getEntryMatchMock(), ], 
@@ -442,7 +446,7 @@ describe('Exception helpers', () => { entries: [ { ...getEntryMatchMock(), - field: 'signal.original_event.module', + field: ALERT_ORIGINAL_EVENT_MODULE, }, ], }, diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 62250a0933ffb..ccb23658725ba 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -44,6 +44,7 @@ import exceptionableLinuxFields from './exceptionable_linux_fields.json'; import exceptionableWindowsMacFields from './exceptionable_windows_mac_fields.json'; import exceptionableEndpointFields from './exceptionable_endpoint_fields.json'; import exceptionableEndpointEventFields from './exceptionable_endpoint_event_fields.json'; +import { ALERT_ORIGINAL_EVENT } from '../../../../common/alert_constants'; export const filterIndexPatterns = ( patterns: IndexPatternBase, @@ -131,7 +132,7 @@ export const formatExceptionItemForUpdate = ( }; /** - * Maps "event." fields to "signal.original_event.". This is because when a rule is created + * Maps "event." fields to "kibana.alert.original_event.". This is because when a rule is created * the "event" field is copied over to "original_event". When the user creates an exception, * they expect it to match against the original_event's fields, not the signal event's. * @param exceptionItems new or existing ExceptionItem[] @@ -145,7 +146,7 @@ export const prepareExceptionItemsForBulkClose = ( return { ...itemEntry, field: itemEntry.field.startsWith('event.') - ? itemEntry.field.replace(/^event./, 'signal.original_event.') + ? itemEntry.field.replace(/^event./, `${ALERT_ORIGINAL_EVENT}.`) : itemEntry.field, }; }); 
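Review bot: The replacement in `prepareExceptionItemsForBulkClose` still uses the regex `/^event./` with an unescaped dot, so it matches `event` followed by any character and is only correct because the `startsWith('event.')` guard on the previous line runs first. Since this mapping determines which alerts a bulk close will match, I would make the rewrite explicit rather than regex-based: `` ? `${ALERT_ORIGINAL_EVENT}.${itemEntry.field.slice('event.'.length)}` ``. The doc comment changed in `@@ -131,7 +132,7 @@` hard-codes the string `kibana.alert.original_event.`; referring to `ALERT_ORIGINAL_EVENT` there instead keeps it from drifting the next time the prefix changes. `prepareExceptionItemsForBulkClose` starts outside this hunk.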
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
index 9a6b0838c6685..34bcc2555803a 100644
--- a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
@@ -5,7 +5,75 @@
  * 2.0.
  */
 
+import {
+  ALERT_RULE_CREATED_BY,
+  ALERT_RULE_DESCRIPTION,
+  ALERT_RULE_ENABLED,
+  ALERT_RULE_FROM,
+  ALERT_RULE_ID,
+  ALERT_RULE_INTERVAL,
+  ALERT_RULE_NAME,
+  ALERT_RULE_NOTE,
+  ALERT_RULE_REFERENCES,
+  ALERT_RULE_RISK_SCORE,
+  ALERT_RULE_RULE_ID,
+  ALERT_RULE_SEVERITY,
+  ALERT_RULE_TAGS,
+  ALERT_RULE_TO,
+  ALERT_RULE_TYPE,
+  ALERT_RULE_UPDATED_BY,
+  ALERT_RULE_VERSION,
+  ALERT_STATUS,
+} from '@kbn/rule-data-utils';
 import { BrowserField } from '../../containers/source';
+import {
+  ALERT_ANCESTORS_DEPTH,
+  ALERT_ANCESTORS_ID,
+  ALERT_ANCESTORS_INDEX,
+  ALERT_ANCESTORS_RULE,
+  ALERT_ANCESTORS_TYPE,
+  ALERT_ORIGINAL_EVENT_ACTION,
+  ALERT_ORIGINAL_EVENT_CATEGORY,
+  ALERT_ORIGINAL_EVENT_CODE,
+  ALERT_ORIGINAL_EVENT_CREATED,
+  ALERT_ORIGINAL_EVENT_DATASET,
+  ALERT_ORIGINAL_EVENT_DURATION,
+  ALERT_ORIGINAL_EVENT_END,
+  ALERT_ORIGINAL_EVENT_HASH,
+  ALERT_ORIGINAL_EVENT_ID,
+  ALERT_ORIGINAL_EVENT_KIND,
+  ALERT_ORIGINAL_EVENT_MODULE,
+  ALERT_ORIGINAL_EVENT_ORIGINAL,
+  ALERT_ORIGINAL_EVENT_OUTCOME,
+  ALERT_ORIGINAL_EVENT_PROVIDER,
+  ALERT_ORIGINAL_EVENT_RISK_SCORE,
+  ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM,
+  ALERT_ORIGINAL_EVENT_SEQUENCE,
+  ALERT_ORIGINAL_EVENT_SEVERITY,
+  ALERT_ORIGINAL_EVENT_START,
+  ALERT_ORIGINAL_EVENT_TIMEZONE,
+  ALERT_ORIGINAL_EVENT_TYPE,
+  ALERT_ORIGINAL_TIME,
+  ALERT_RULE_FALSE_POSITIVES,
+  ALERT_RULE_FILTERS,
+  ALERT_RULE_IMMUTABLE,
+  ALERT_RULE_INDEX,
+  ALERT_RULE_LANGUAGE,
+  ALERT_RULE_MAX_SIGNALS,
+  ALERT_RULE_OUTPUT_INDEX,
+  ALERT_RULE_QUERY,
+  ALERT_RULE_SAVED_ID,
+  ALERT_RULE_SIZE,
+  ALERT_RULE_THREAT,
+  ALERT_RULE_THREAT_TACTIC_ID,
+  ALERT_RULE_THREAT_TACTIC_NAME,
+  ALERT_RULE_THREAT_TACTIC_REFERENCE,
+  ALERT_RULE_THREAT_TECHNIQUE_ID,
+  ALERT_RULE_THREAT_TECHNIQUE_NAME,
+  ALERT_RULE_THREAT_TECHNIQUE_REFERENCE,
+  ALERT_RULE_TIMELINE_ID,
+  ALERT_RULE_TIMELINE_TITLE,
+} from './../../../../common/alert_constants';
 
 export const getAdditionalScreenReaderOnlyContext = ({
   field,
@@ -43,74 +111,70 @@ export const allowTopN = ({ // TODO: remove this explicit allowlist when the ECS documentation includes alerts const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 
'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', - 'signal.status', + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_INTERVAL, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SAVED_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_SIZE, + ALERT_RULE_TAGS, + ALERT_RULE_THREAT, + ALERT_RULE_THREAT_TACTIC_ID, + ALERT_RULE_THREAT_TACTIC_NAME, + ALERT_RULE_THREAT_TACTIC_REFERENCE, + ALERT_RULE_THREAT_TECHNIQUE_ID, + ALERT_RULE_THREAT_TECHNIQUE_NAME, + ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, ].includes(fieldName); return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType); 
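Review bot: The allowlist in `allowTopN` is rebuilt as a 64-element array literal on every call and scanned with `.includes(fieldName)`, and what appears to be the identical list is rewritten in the drag_and_drop helpers hunk at the top of this chunk, so the two copies can drift apart unnoticed. I would move it to `common/alert_constants`, next to the constants it is built from, as one exported `ReadonlySet<string>` and have both call sites test `.has(fieldName)`; the literal here then collapses to a single line and the `TODO` above it can name that shared set as the thing to delete once ECS documents alert fields. Because this list is what decides which alert fields the Top N and hover actions may aggregate on, keeping one copy also makes future additions easier to review. `allowTopN` begins before this hunk.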
diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts
index 2d93e7e0dc3a7..f0b32d61d76e6 100644
--- a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts
+++ b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { Ecs } from '../../../common/ecs';
 import { TimelineNonEcsData } from '../../../common/search_strategy';
 
@@ -38,38 +39,40 @@ export const mockEcsDataWithAlert: Ecs = { region_name: ['xx'], country_iso_code: ['xx'], }, - signal: { - rule: { - created_at: ['2020-01-10T21:11:45.839Z'], - updated_at: ['2020-01-10T21:11:45.839Z'], - created_by: ['elastic'], - description: ['24/7'], - enabled: [true], - false_positives: ['test-1'], - filters: [], - from: ['now-300s'], - id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], - immutable: [false], - index: ['auditbeat-*'], - interval: ['5m'], - rule_id: ['rule-id-1'], - language: ['kuery'], - output_index: ['.siem-signals-default'], - max_signals: [100], - risk_score: ['21'], - query: ['user.name: root or user.name: admin'], - references: ['www.test.co'], - saved_id: ["Garrett's IP"], - timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'], - timeline_title: ['Untitled timeline'], - severity: ['low'], - updated_by: ['elastic'], - tags: [], - to: ['now'], - type: ['saved_query'], - threat: [], - note: ['# this is some markdown documentation'], - version: ['1'], + kibana: { + alert: { + rule: { + created_at: ['2020-01-10T21:11:45.839Z'], + updated_at: ['2020-01-10T21:11:45.839Z'], + created_by: ['elastic'], + description: ['24/7'], + enabled: [true], + false_positives: ['test-1'], + filters: [], + from: ['now-300s'], + id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], + immutable: [false], + index: ['auditbeat-*'], + interval: ['5m'], + rule_id: ['rule-id-1'], + language: ['kuery'], + output_index: ['.siem-signals-default'], + max_signals: [100], + risk_score: ['21'], + query: ['user.name: root or user.name: admin'], + references: ['www.test.co'], + saved_id: ["Garrett's IP"], + timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'], + timeline_title: ['Untitled timeline'], + severity: ['low'], + updated_by: ['elastic'], + tags: [], + to: ['now'], + type: ['saved_query'], + threat: [], + note: ['# this is some markdown documentation'], + version: ['1'], + }, }, }, }; 
@@ -81,12 +84,15 @@ export const getDetectionAlertMock = (overrides: Partial = {}): Ecs => ({ export const getThreatMatchDetectionAlert = (overrides: Partial = {}): Ecs => ({ ...mockEcsDataWithAlert, - signal: { - ...mockEcsDataWithAlert.signal, - rule: { - ...mockEcsDataWithAlert.rule, - name: ['mock threat_match rule'], - type: ['threat_match'], + kibana: { + ...mockEcsDataWithAlert.kibana, + alert: { + ...mockEcsDataWithAlert.kibana?.alert, + rule: { + ...mockEcsDataWithAlert.kibana?.alert?.rule, + name: ['mock threat_match rule'], + type: ['threat_match'], + }, }, }, threat: { @@ -107,6 +113,6 @@ export const getDetectionAlertFieldsMock = ( fields: TimelineNonEcsData[] = [] ): TimelineNonEcsData[] => [ { field: '@timestamp', value: ['2021-03-27T06:28:47.292Z'] }, - { field: 'signal.rule.type', value: ['threat_match'] }, + { field: ALERT_RULE_TYPE, value: ['threat_match'] }, ...fields, ]; diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts index e95f5c15d4ecb..b234b08b1fba1 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_RULE_ID } from '@kbn/rule-data-utils'; import _ from 'lodash'; import { generateMockDetailItemData } from '../mock'; import { endpointAlertCheck } from './endpoint_alert_check'; @@ -21,7 +22,7 @@ describe('Endpoint Alert Check Utility', () => { mockDetailItemData.push( // Must be an Alert { - field: 'signal.rule.id', + field: ALERT_RULE_ID, category: 'signal', originalValue: 'endpoint', values: ['endpoint'], 
@@ -42,7 +43,7 @@ describe('Endpoint Alert Check Utility', () => {
   });
 
   it('should return false if it is not an Alert (ex. maybe an event)', () => {
-    _.remove(mockDetailItemData, { field: 'signal.rule.id' });
+    _.remove(mockDetailItemData, { field: ALERT_RULE_ID });
 
     expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy();
   });
diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
index 30c6e3fdeb672..86067c9b04ada 100644
--- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
+++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { ALERT_RULE_ID } from '@kbn/rule-data-utils';
 import { find, some } from 'lodash/fp';
 import { TimelineEventsDetailsItem } from '../../../../timelines/common';
 
@@ -14,7 +15,7 @@ import { TimelineEventsDetailsItem } from '../../../../timelines/common';
  * @param data
  */
 export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => {
-  const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, data);
+  const isAlert = some({ category: 'signal', field: ALERT_RULE_ID }, data);
 
   if (!isAlert) {
     return false;
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts
index 4b8a911bf1cd8..9b01c1f854867 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts
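Review bot: `endpointAlertCheck` still requires `category: 'signal'` together with the renamed `field: ALERT_RULE_ID`; if the details-item category is derived from the field's first path segment, as the other fixture entries in this patch suggest (`process.name` → `process`, `user.id` → `user`), a `kibana.alert.rule.id` item would carry category `kibana`, `isAlert` would be false for every alert, and the function would report nothing as an endpoint alert. The test updated in `@@ -21,7 +22,7 @@` cannot catch that because its fixture also hard-codes `category: 'signal'`. Matching on the field alone, `const isAlert = some({ field: ALERT_RULE_ID }, data);`, removes the dependency on how the category is produced; if `signal` really is retained as the category for alert fields, a comment saying so would help the next reader. The body of `endpointAlertCheck` continues past this hunk.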
@@ -5,10 +5,12 @@
  * 2.0.
  */
 
+import { ALERT_RULE_ID, ALERT_STATUS } from '@kbn/rule-data-utils';
+
 export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
   const queryFilter = [
     {
-      bool: { should: [{ match: { 'signal.status': 'open' } }], minimum_should_match: 1 },
+      bool: { should: [{ match: { [ALERT_STATUS]: 'open' } }], minimum_should_match: 1 },
     },
   ];
 
@@ -24,7 +26,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
       ...queryFilter,
       {
         bool: {
-          should: [{ match: { 'signal.rule.id': ruleId } }],
+          should: [{ match: { [ALERT_RULE_ID]: ruleId } }],
           minimum_should_match: 1,
         },
       },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
index 0d6793eb2b886..94ea422418475 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
@@ -9,6 +9,7 @@ import React from 'react';
 import { waitFor, act } from '@testing-library/react';
 import { mount } from 'enzyme';
 
+import { ALERT_RULE_NAME } from '@kbn/rule-data-utils';
 import { esQuery } from '../../../../../../../../src/plugins/data/public';
 import { TestProviders } from '../../../../common/mock';
 import { SecurityPageName } from '../../../../app/types';
@@ -165,7 +166,7 @@ describe('AlertsHistogramPanel', () => {
 
       await waitFor(() => {
         expect(mockGetAlertsHistogramQuery.mock.calls[0]).toEqual([
-          'signal.rule.name',
+          ALERT_RULE_NAME,
           '2020-07-07T08:20:18.966Z',
           '2020-07-08T08:20:18.966Z',
           [
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
index cb5a23e711974..a3fc98c9d446e 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
@@ -5,23 +5,30 @@
  * 2.0.
  */
 
+import {
+  ALERT_RULE_NAME,
+  ALERT_RULE_RISK_SCORE,
+  ALERT_RULE_SEVERITY,
+  ALERT_RULE_TYPE,
+} from '@kbn/rule-data-utils';
 import type { AlertsStackByOption } from './types';
+import { ALERT_RULE_THREAT_TACTIC_NAME } from './../../../../../common/alert_constants';
 
 export const alertsStackByOptions: AlertsStackByOption[] = [
-  { text: 'signal.rule.risk_score', value: 'signal.rule.risk_score' },
-  { text: 'signal.rule.severity', value: 'signal.rule.severity' },
-  { text: 'signal.rule.threat.tactic.name', value: 'signal.rule.threat.tactic.name' },
+  { text: ALERT_RULE_RISK_SCORE, value: ALERT_RULE_RISK_SCORE },
+  { text: ALERT_RULE_SEVERITY, value: ALERT_RULE_SEVERITY },
+  { text: ALERT_RULE_THREAT_TACTIC_NAME, value: ALERT_RULE_THREAT_TACTIC_NAME },
   { text: 'destination.ip', value: 'destination.ip' },
   { text: 'event.action', value: 'event.action' },
   { text: 'event.category', value: 'event.category' },
   { text: 'host.name', value: 'host.name' },
-  { text: 'signal.rule.type', value: 'signal.rule.type' },
-  { text: 'signal.rule.name', value: 'signal.rule.name' },
+  { text: ALERT_RULE_TYPE, value: ALERT_RULE_TYPE },
+  { text: ALERT_RULE_NAME, value: ALERT_RULE_NAME },
   { text: 'source.ip', value: 'source.ip' },
   { text: 'user.name', value: 'user.name' },
 ];
 
-export const DEFAULT_STACK_BY_FIELD = 'signal.rule.name';
+export const DEFAULT_STACK_BY_FIELD = ALERT_RULE_NAME;
 
 export const PANEL_HEIGHT = 300;
 export const MOBILE_PANEL_HEIGHT = 500;
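Review bot: The new import `from './../../../../../common/alert_constants'` carries a redundant leading `./` and differs from the `'../../../../common/alert_constants'` form the other files in this patch use; write it as `import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../common/alert_constants';`. The same path appears in the sibling types.ts hunk that follows.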
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
index 833c05bfc7a79..9ca2fbf3744b2 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
@@ -5,20 +5,28 @@
  * 2.0.
  */
 
+import {
+  ALERT_RULE_NAME,
+  ALERT_RULE_RISK_SCORE,
+  ALERT_RULE_SEVERITY,
+  ALERT_RULE_TYPE,
+} from '@kbn/rule-data-utils';
+import { ALERT_RULE_THREAT_TACTIC_NAME } from './../../../../../common/alert_constants';
+
 export interface AlertsStackByOption {
   text: AlertsStackByField;
   value: AlertsStackByField;
 }
 
 export type AlertsStackByField =
-  | 'signal.rule.risk_score'
-  | 'signal.rule.severity'
-  | 'signal.rule.threat.tactic.name'
+  | typeof ALERT_RULE_RISK_SCORE
+  | typeof ALERT_RULE_SEVERITY
+  | typeof ALERT_RULE_THREAT_TACTIC_NAME
   | 'destination.ip'
   | 'event.action'
   | 'event.category'
   | 'host.name'
-  | 'signal.rule.type'
-  | 'signal.rule.name'
+  | typeof ALERT_RULE_TYPE
+  | typeof ALERT_RULE_NAME
   | 'source.ip'
   | 'user.name';
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
index 69160d90a011e..22763d7e50960 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
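Review bot: `AlertsStackByField` is now built from `typeof ALERT_RULE_RISK_SCORE` and the other constants, which only keeps the union narrow if those constants are exported with a literal type (`as const`); if `@kbn/rule-data-utils` or `alert_constants.ts` declares them as plain `string`, the whole union collapses to `string` and the `text`/`value` fields of `AlertsStackByOption` lose the typo protection the old literal list gave. Please confirm the declarations, or pin it with a negative check such as `// @ts-expect-error not a stack-by field` above `const check: AlertsStackByField = 'not.a.field';` in the tests. The `key: '_id' | typeof ALERT_GROUP_ID` parameter of `buildAlertsKqlFilter` in actions.tsx later in this patch has the same dependency.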
@@ -27,6 +27,7 @@ import { ISearchStart } from '../../../../../../../src/plugins/data/public';
 import { dataPluginMock } from '../../../../../../../src/plugins/data/public/mocks';
 import { getTimelineTemplate } from '../../../timelines/containers/api';
 import { defaultHeaders } from '../../../timelines/components/timeline/body/column_headers/default_headers';
+import { ALERT_GROUP_ID } from '../../../../common/alert_constants';
 
 jest.mock('../../../timelines/containers/api', () => ({
   getTimelineTemplate: jest.fn(),
@@ -285,11 +286,13 @@ describe('alert actions', () => {
     test('it invokes createTimeline with timelineDefaults', async () => {
       const ecsDataMock: Ecs = {
         ...mockEcsDataWithAlert,
-        signal: {
-          rule: {
-            ...mockEcsDataWithAlert.signal?.rule!,
-            // @ts-expect-error
-            timeline_id: null,
+        kibana: {
+          alert: {
+            rule: {
+              ...mockEcsDataWithAlert.kibana?.alert?.rule!,
+              // @ts-expect-error
+              timeline_id: null,
+            },
           },
         },
       };
@@ -312,10 +315,12 @@ describe('alert actions', () => {
     test('it invokes createTimeline with timelineDefaults', async () => {
       const ecsDataMock: Ecs = {
         ...mockEcsDataWithAlert,
-        signal: {
-          rule: {
-            ...mockEcsDataWithAlert.signal?.rule!,
-            timeline_id: [''],
+        kibana: {
+          alert: {
+            rule: {
+              ...mockEcsDataWithAlert.kibana?.alert?.rule!,
+              timeline_id: [''],
+            },
           },
         },
       };
@@ -335,17 +340,19 @@ describe('alert actions', () => {
     });
 
     describe('Eql', () => {
-      test(' with signal.group.id', async () => {
+      test(' with kibana.alert.group.id', async () => {
         const ecsDataMock: Ecs = {
           ...mockEcsDataWithAlert,
-          signal: {
-            rule: {
-              ...mockEcsDataWithAlert.signal?.rule!,
-              type: ['eql'],
-              timeline_id: [''],
-            },
-            group: {
-              id: ['my-group-id'],
+          kibana: {
+            alert: {
+              rule: {
+                ...mockEcsDataWithAlert.kibana?.alert?.rule!,
+                type: ['eql'],
+                timeline_id: [''],
+              },
+              group: {
+                id: ['my-group-id'],
+              },
             },
           },
         };
@@ -373,21 +380,23 @@ describe('alert actions', () => {
                 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-alert-id-my-group-id',
               kqlQuery: '',
               name: '1',
-              queryMatch: { field: 'signal.group.id', operator: ':', value: 'my-group-id' },
+              queryMatch: { field: ALERT_GROUP_ID, operator: ':', value: 'my-group-id' },
             },
           ],
         },
       });
     });
 
-    test(' with NO signal.group.id', async () => {
+    test(`with NO ${ALERT_GROUP_ID}`, async () => {
       const ecsDataMock: Ecs = {
         ...mockEcsDataWithAlert,
-        signal: {
-          rule: {
-            ...mockEcsDataWithAlert.signal?.rule!,
-            type: ['eql'],
-            timeline_id: [''],
+        kibana: {
+          alert: {
+            rule: {
+              ...mockEcsDataWithAlert.kibana?.alert?.rule!,
+              type: ['eql'],
+              timeline_id: [''],
+            },
           },
         },
       };
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
index d48bc95f5d480..0b7db2e8a6547 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
@@ -50,6 +50,11 @@ import {
   QueryOperator,
 } from '../../../timelines/components/timeline/data_providers/data_provider';
 import { getTimelineTemplate } from '../../../timelines/containers/api';
+import {
+  ALERT_GROUP_ID,
+  ALERT_ORIGINAL_TIME,
+  ALERT_RULE_FILTERS,
+} from '../../../../common/alert_constants';
 
 export const getUpdateAlertsQuery = (eventIds: Readonly) => {
   return {
@@ -68,10 +73,10 @@ export const getUpdateAlertsQuery = (eventIds: Readonly) => { export const getFilterAndRuleBounds = ( data: TimelineNonEcsData[][] ): [string[], number, number] => { - const stringFilter = data?.[0].filter((d) => d.field === 'signal.rule.filters')?.[0]?.value ?? []; + const stringFilter = data?.[0].filter((d) => d.field === ALERT_RULE_FILTERS)?.[0]?.value ?? []; const eventTimes = data - .flatMap((alert) => alert.filter((d) => d.field === 'signal.original_time')?.[0]?.value ?? []) + .flatMap((alert) => alert.filter((d) => d.field === ALERT_ORIGINAL_TIME)?.[0]?.value ?? []) .map((d) => moment(d)); return [stringFilter, moment.min(eventTimes).valueOf(), moment.max(eventTimes).valueOf()]; @@ -136,7 +141,9 @@ export const determineToAndFrom = ({ ecs }: { ecs: Ecs[] | Ecs }) => { const ecsData = ecs as Ecs; const elapsedTimeRule = moment.duration( moment().diff( - dateMath.parse(ecsData?.signal?.rule?.from != null ? ecsData.signal?.rule?.from[0] : 'now-0s') + dateMath.parse( + ecsData?.kibana?.alert?.rule?.from != null ? ecsData.kibana?.alert?.rule?.from[0] : 'now-0s' + ) ) ); const from = moment(ecsData?.timestamp ?? new Date()) @@ -164,7 +171,7 @@ export const getThresholdAggregationData = ( const thresholdEcsData: Ecs[] = Array.isArray(ecsData) ? ecsData : [ecsData]; return thresholdEcsData.reduce( (outerAcc, thresholdData) => { - const threshold = thresholdData.signal?.rule?.threshold as string[]; + const threshold = thresholdData.kibana?.alert?.rule?.threshold as string[]; let aggField: string[] = []; let thresholdResult: { 
@@ -177,24 +184,26 @@ export const getThresholdAggregationData = ( }; try { - thresholdResult = JSON.parse((thresholdData.signal?.threshold_result as string[])[0]); + thresholdResult = JSON.parse( + (thresholdData.kibana?.alert?.threshold_result as string[])[0] + ); aggField = JSON.parse(threshold[0]).field; } catch (err) { thresholdResult = { terms: [ { field: (thresholdData.rule?.threshold as { field: string }).field, - value: (thresholdData.signal?.threshold_result as { value: string }).value, + value: (thresholdData.kibana?.alert?.threshold_result as { value: string }).value, }, ], - count: (thresholdData.signal?.threshold_result as { count: number }).count, - from: (thresholdData.signal?.threshold_result as { from: string }).from, + count: (thresholdData.kibana?.alert?.threshold_result as { count: number }).count, + from: (thresholdData.kibana?.alert?.threshold_result as { from: string }).from, }; } - const originalTime = moment(thresholdData.signal?.original_time![0]); + const originalTime = moment(thresholdData.kibana?.alert?.original_time![0]); const now = moment(); - const ruleFrom = dateMath.parse(thresholdData.signal?.rule?.from![0]!); + const ruleFrom = dateMath.parse(thresholdData.kibana?.alert?.rule?.from![0]!); const ruleInterval = moment.duration(now.diff(ruleFrom)); const fromOriginalTime = originalTime.clone().subtract(ruleInterval); // This is the default... can overshoot const aggregationFields = Array.isArray(aggField) ? aggField : [aggField]; 
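Review bot: The fallback in the `catch` still reads `thresholdData.rule?.threshold` (top-level `rule`) while the `try` path and the `threshold` local above it read `thresholdData.kibana?.alert?.rule?.threshold`; with the cast-then-`.field` access, an undefined `thresholdData.rule` throws inside the `catch` and escapes the handler that was meant to absorb a malformed `threshold_result`. Unless top-level `rule` is intentionally a different source, use the same path: `field: (thresholdData.kibana?.alert?.rule?.threshold as { field: string }).field,`. `getThresholdAggregationData` starts and ends outside this hunk.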
@@ -254,15 +263,15 @@ export const getThresholdAggregationData = (
 };
 
 export const isEqlRuleWithGroupId = (ecsData: Ecs) =>
-  ecsData.signal?.rule?.type?.length &&
-  ecsData.signal?.rule?.type[0] === 'eql' &&
-  ecsData.signal?.group?.id?.length;
+  ecsData.kibana?.alert?.rule?.type?.length &&
+  ecsData.kibana?.alert?.rule?.type[0] === 'eql' &&
+  ecsData.kibana?.alert?.group?.id?.length;
 
 export const isThresholdRule = (ecsData: Ecs) =>
-  ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'threshold';
+  ecsData.kibana?.alert?.rule?.type?.length && ecsData.kibana?.alert?.rule?.type[0] === 'threshold';
 
 export const buildAlertsKqlFilter = (
-  key: '_id' | 'signal.group.id',
+  key: '_id' | typeof ALERT_GROUP_ID,
   alertIds: string[]
 ): Filter[] => {
   return [
@@ -330,10 +339,10 @@ export const buildEqlDataProviderOrFilter = (
     return {
       dataProviders: [],
       filters: buildAlertsKqlFilter(
-        'signal.group.id',
+        ALERT_GROUP_ID,
         ecs.reduce((acc, ecsData) => {
-          const signalGroupId = ecsData.signal?.group?.id?.length
-            ? ecsData.signal?.group?.id[0]
+          const signalGroupId = ecsData.kibana?.alert?.group?.id?.length
+            ? ecsData.kibana?.alert?.group?.id[0]
             : 'unknown-signal-group-id';
           if (!acc.includes(signalGroupId)) {
             return [...acc, signalGroupId];
@@ -343,8 +352,8 @@ export const buildEqlDataProviderOrFilter = (
       ),
     };
   } else if (!Array.isArray(ecs)) {
-    const signalGroupId = ecs.signal?.group?.id?.length
-      ? ecs.signal?.group?.id[0]
+    const signalGroupId = ecs.kibana?.alert?.group?.id?.length
+      ? ecs.kibana?.alert?.group?.id[0]
       : 'unknown-signal-group-id';
     return {
       dataProviders: [
@@ -356,7 +365,7 @@ export const buildEqlDataProviderOrFilter = (
           excluded: false,
           kqlQuery: '',
           queryMatch: {
-            field: 'signal.group.id',
+            field: ALERT_GROUP_ID,
             value: signalGroupId,
             operator: ':' as const,
           },
@@ -381,9 +390,12 @@ export const sendAlertToTimelineAction = async ({
    */
   const ecsData: Ecs = Array.isArray(ecs) && ecs.length > 0 ? ecs[0] : (ecs as Ecs);
   const alertIds = Array.isArray(ecs) ? ecs.map((d) => d._id) : [];
-  const noteContent = ecsData.signal?.rule?.note != null ? ecsData.signal?.rule?.note[0] : '';
+  const noteContent =
+    ecsData.kibana?.alert?.rule?.note != null ? ecsData.kibana?.alert?.rule?.note[0] : '';
   const timelineId =
-    ecsData.signal?.rule?.timeline_id != null ? ecsData.signal?.rule?.timeline_id[0] : '';
+    ecsData.kibana?.alert?.rule?.timeline_id != null
+      ? ecsData.kibana?.alert?.rule?.timeline_id[0]
+      : '';
   const { to, from } = determineToAndFrom({ ecs });
 
   // For now we do not want to populate the template timeline if we have alertIds
@@ -477,7 +489,7 @@ export const sendAlertToTimelineAction = async ({
         timeline: {
           ...timelineDefaults,
           description: `_id: ${ecsData._id}`,
-          filters: getFiltersFromRule(ecsData.signal?.rule?.filters as string[]),
+          filters: getFiltersFromRule(ecsData.kibana?.alert?.rule?.filters as string[]),
           dataProviders,
           id: TimelineId.active,
           indexNames: [],
@@ -489,13 +501,15 @@ export const sendAlertToTimelineAction = async ({
           kqlQuery: {
             filterQuery: {
               kuery: {
-                kind: ecsData.signal?.rule?.language?.length
-                  ? (ecsData.signal?.rule?.language[0] as KueryFilterQueryKind)
+                kind: ecsData.kibana?.alert?.rule?.language?.length
+                  ? (ecsData.kibana?.alert?.rule?.language[0] as KueryFilterQueryKind)
                   : 'kuery',
-                expression: ecsData.signal?.rule?.query?.length ? ecsData.signal?.rule?.query[0] : '',
+                expression: ecsData.kibana?.alert?.rule?.query?.length
+                  ? ecsData.kibana?.alert?.rule?.query[0]
+                  : '',
               },
-              serializedQuery: ecsData.signal?.rule?.query?.length
-                ? ecsData.signal?.rule?.query[0]
+              serializedQuery: ecsData.kibana?.alert?.rule?.query?.length
+                ? ecsData.kibana?.alert?.rule?.query[0]
                 : '',
             },
           },
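Review bot: `noteContent` and `timelineId` are rewritten in the `x != null ? x[0] : ''` shape, which still yields `undefined` when the rule array is present but empty; optional chaining with `??` covers that case and reads shorter: `const noteContent = ecsData.kibana?.alert?.rule?.note?.[0] ?? '';` and `const timelineId = ecsData.kibana?.alert?.rule?.timeline_id?.[0] ?? '';`. In the last hunk `expression` and `serializedQuery` evaluate the identical `rule?.query` ternary twice; one `const ruleQuery = ecsData.kibana?.alert?.rule?.query?.[0] ?? '';` next to `noteContent` would serve both. `sendAlertToTimelineAction` starts and ends outside these hunks.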
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
index 79c2a45273c33..3d3c490095e3a 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { ALERT_RULE_ID } from '@kbn/rule-data-utils';
 import { Filter } from '../../../../../../../src/plugins/data/common/es_query';
 import { buildAlertsRuleIdFilter, buildThreatMatchFilter } from './default_config';
 
@@ -20,14 +21,14 @@ describe('alerts default_config', () => {
         negate: false,
         disabled: false,
         type: 'phrase',
-        key: 'signal.rule.id',
+        key: ALERT_RULE_ID,
         params: {
           query: 'rule-id-1',
         },
       },
       query: {
         match_phrase: {
-          'signal.rule.id': 'rule-id-1',
+          [ALERT_RULE_ID]: 'rule-id-1',
         },
       },
     };
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index 7ff6f82d40bdc..a78e5a8b649f7 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -9,19 +9,29 @@ import {
   ALERT_DURATION,
   ALERT_ID,
   ALERT_PRODUCER,
+  ALERT_RULE_ID,
+  ALERT_RULE_NAME,
+  ALERT_RULE_TO,
+  ALERT_RULE_TYPE,
   ALERT_START,
   ALERT_STATUS,
   ALERT_UUID,
 } from '@kbn/rule-data-utils';
-
 import { defaultColumnHeaderType } from '../../../timelines/components/timeline/body/column_headers/default_headers';
 import { ColumnHeaderOptions, RowRendererId } from '../../../../common/types/timeline';
 import { Status } from '../../../../common/detection_engine/schemas/common/schemas';
 import { Filter } from '../../../../../../../src/plugins/data/common/es_query';
-
 import { SubsetTimelineModel } from '../../../timelines/store/timeline/model';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import { columns } from '../../configurations/security_solution_detections/columns';
+import {
+  ALERT_ORIGINAL_TIME,
+  ALERT_RULE_BUILDING_BLOCK_TYPE,
+  ALERT_RULE_FILTERS,
+  ALERT_RULE_INDEX,
+  ALERT_RULE_LANGUAGE,
+  ALERT_RULE_QUERY,
+} from '../../../../common/alert_constants';
 
 export const buildAlertStatusFilter = (status: Status): Filter[] => [
   {
@@ -30,14 +40,14 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => [
       negate: false,
       disabled: false,
       type: 'phrase',
-      key: 'signal.status',
+      key: ALERT_STATUS,
       params: {
         query: status,
       },
     },
     query: {
       term: {
-        'signal.status': status,
+        [ALERT_STATUS]: status,
       },
     },
   },
@@ -52,14 +62,14 @@ export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] =>
       negate: false,
       disabled: false,
       type: 'phrase',
-      key: 'signal.rule.id',
+      key: ALERT_RULE_ID,
       params: {
         query: ruleId,
       },
     },
     query: {
       match_phrase: {
-        'signal.rule.id': ruleId,
+        [ALERT_RULE_ID]: ruleId,
       },
     },
   },
@@ -76,11 +86,11 @@ export const buildShowBuildingBlockFilter = (showBuildingBlockAlerts: boolean):
       negate: true,
       disabled: false,
       type: 'exists',
-      key: 'signal.rule.building_block_type',
+      key: ALERT_RULE_BUILDING_BLOCK_TYPE,
       value: 'exists',
     },
     // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[]
-    exists: { field: 'signal.rule.building_block_type' },
+    exists: { field: ALERT_RULE_BUILDING_BLOCK_TYPE },
   },
 ];
 
@@ -111,21 +121,20 @@ export const alertsDefaultModel: SubsetTimelineModel = {
 
 export const requiredFieldsForActions = [
   '@timestamp',
-  'signal.status',
-  'signal.group.id',
-  'signal.original_time',
-  'signal.rule.building_block_type',
-  'signal.rule.filters',
-  'signal.rule.from',
-  'signal.rule.language',
-  'signal.rule.query',
-  'signal.rule.name',
-  'signal.rule.to',
-  'signal.rule.id',
-  'signal.rule.index',
-  'signal.rule.type',
-  'signal.original_event.kind',
-  'signal.original_event.module',
+  ALERT_STATUS,
+  ALERT_GROUP_ID,
+  ALERT_ORIGINAL_TIME,
+  ALERT_RULE_BUILDING_BLOCK_TYPE,
+  ALERT_RULE_FILTERS,
+  ALERT_RULE_LANGUAGE,
+  ALERT_RULE_QUERY,
+  ALERT_RULE_NAME,
+  ALERT_RULE_TO,
+  ALERT_RULE_ID,
+  ALERT_RULE_INDEX,
+  ALERT_RULE_TYPE,
+  ALERT_ORIGINAL_EVENT_KIND,
+  ALERT_ORIGINAL_EVENT_MODULE,
   // Endpoint exception fields
   'file.path',
   'file.Ext.code_signature.subject_name',
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
index 3a9a4e875369e..3014e5711c177 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx
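Review bot: The new `requiredFieldsForActions` list references `ALERT_GROUP_ID`, `ALERT_ORIGINAL_EVENT_KIND` and `ALERT_ORIGINAL_EVENT_MODULE`, none of which is in either import block the first hunk adds to default_config.tsx, so unless they are imported somewhere outside the visible hunks the file does not compile. The old list also carried `'signal.rule.from'` and the replacement has no `kibana.alert.rule.from` entry (21 old lines become 20); actions.tsx in this same patch reads `kibana.alert.rule.from` in `determineToAndFrom` and `getThresholdAggregationData`, so dropping it from the fetched fields leaves the former falling back to `'now-0s'` and the latter dereferencing `rule?.from![0]!` on an undefined value. Add the three missing imports and restore the `from` entry with the matching constant (define one in alert_constants.ts if `@kbn/rule-data-utils` does not export it).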
@@ -33,6 +33,10 @@ import { useExceptionActions } from './use_add_exception_actions';
 import { useEventFilterModal } from './use_event_filter_modal';
 import { useEventFilterAction } from './use_event_filter_action';
 import { Status } from '../../../../../common/detection_engine/schemas/common/schemas';
+import {
+  ALERT_ORIGINAL_EVENT_MODULE,
+  ALERT_ORIGINAL_EVENT_KIND,
+} from '../../../../../common/alert_constants';
 
 interface AlertContextMenuProps {
   ariaLabel?: string;
@@ -53,10 +57,10 @@ const AlertContextMenuComponent: React.FC = ({
 }) => {
   const [isPopoverOpen, setPopover] = useState(false);
 
-  const ruleId = get(0, ecsRowData?.signal?.rule?.id);
-  const ruleName = get(0, ecsRowData?.signal?.rule?.name);
+  const ruleId = get(0, ecsRowData?.kibana?.alert?.rule?.id);
+  const ruleName = get(0, ecsRowData?.kibana?.alert?.rule?.name);
 
-  const alertStatus = get(0, ecsRowData?.signal?.status) as Status;
+  const alertStatus = get(0, ecsRowData?.kibana?.alert?.status) as Status;
 
   const isEvent = useMemo(() => indexOf(ecsRowData.event?.kind, 'event') !== -1, [ecsRowData]);
 
@@ -65,8 +69,8 @@ const AlertContextMenuComponent: React.FC = ({
       return false;
     }
 
-    const eventModules = getOr([], 'signal.original_event.module', ecsRowData);
-    const kinds = getOr([], 'signal.original_event.kind', ecsRowData);
+    const eventModules = getOr([], ALERT_ORIGINAL_EVENT_MODULE, ecsRowData);
+    const kinds = getOr([], ALERT_ORIGINAL_EVENT_KIND, ecsRowData);
     return eventModules.includes('endpoint') && kinds.includes('alert');
   }, [ecsRowData]);
 
@@ -101,7 +105,7 @@ const AlertContextMenuComponent: React.FC = ({
     onAddExceptionTypeClick,
     ruleIndices,
   } = useExceptionModal({
-    ruleIndex: ecsRowData?.signal?.rule?.index,
+    ruleIndex: ecsRowData?.kibana?.alert?.rule?.index,
     refetch,
     timelineId,
   });
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx index 17162a2206fc3..e53b78b8c482a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx @@ -23,6 +23,7 @@ import React from 'react'; import styled from 'styled-components'; import { ThreatMapping, Type } from '@kbn/securitysolution-io-ts-alerting-types'; +import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; import { MATCHES, AND, OR } from '../../../../common/components/threat_match/translations'; import { assertUnreachable } from '../../../../../common/utility_types'; import * as i18nSeverity from '../severity_mapping/translations'; @@ -350,7 +351,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt - {'signal.rule.risk_score'} + {`${ALERT_RULE_RISK_SCORE}`} ), }; diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx index 5e88b44b9e192..022658080cd3d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx @@ -6,6 +6,7 @@ */ import { i18n } from '@kbn/i18n'; +import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; export const RISK_SCORE = i18n.translate( 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreTitle', 
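Review bot: `{`${ALERT_RULE_RISK_SCORE}`}` wraps a string constant in a template literal for no effect; `{ALERT_RULE_RISK_SCORE}` renders the same text and is what the other hunks in this patch do with these constants. The enclosing `buildRiskScoreDescription` starts outside the hunk, and the JSX around this line was not preserved in the rendering, so the surrounding markup could not be checked.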
@@ -24,7 +25,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate( export const RISK_SCORE_FIELD = i18n.translate( 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle', { - defaultMessage: 'signal.rule.risk_score', + defaultMessage: ALERT_RULE_RISK_SCORE, } ); diff --git a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx index d0f26894bf7d2..b4e561578bd87 100644 --- a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx @@ -9,6 +9,7 @@ import React, { useState, useCallback, useMemo } from 'react'; import { EuiContextMenu, EuiButton, EuiPopover } from '@elastic/eui'; import type { ExceptionListType } from '@kbn/securitysolution-io-ts-list-types'; +import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; import { TAKE_ACTION } from '../alerts_table/alerts_utility_bar/translations'; import { TimelineEventsDetailsItem, TimelineNonEcsData } from '../../../../common'; @@ -74,9 +75,9 @@ export const TakeActionDropdown = React.memo( const actionsData = useMemo( () => [ - { category: 'signal', field: 'signal.rule.id', name: 'ruleId' }, - { category: 'signal', field: 'signal.rule.name', name: 'ruleName' }, - { category: 'signal', field: 'signal.status', name: 'alertStatus' }, + { category: 'signal', field: ALERT_RULE_ID, name: 'ruleId' }, + { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' }, + { category: 'signal', field: ALERT_STATUS, name: 'alertStatus' }, { category: 'event', field: 'event.kind', name: 'eventKind' }, { category: '_id', field: '_id', name: 'eventId' }, ].reduce( 
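Review bot: `defaultMessage: ALERT_RULE_RISK_SCORE` passes a constant where `i18n.translate` previously received a literal; if the i18n extraction tooling resolves `defaultMessage` statically from the source rather than at runtime, the message for `riskScoreFieldTitle` is dropped or the i18n check fails. A field name is not translatable text in any case, so the simpler option is to stop routing it through `i18n.translate` and export the constant directly: `export const RISK_SCORE_FIELD = ALERT_RULE_RISK_SCORE;`. The callers of `RISK_SCORE_FIELD` are outside this hunk, so check that none of them relies on the i18n id.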
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts index ae9285f85501b..32060df813dcb 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts @@ -6,7 +6,12 @@ */ import { EuiDataGridColumn } from '@elastic/eui'; -import { ALERT_DURATION, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { + ALERT_DURATION, + ALERT_REASON, + ALERT_RULE_SEVERITY, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../../common'; import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers'; @@ -42,12 +47,12 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, - id: 'signal.rule.severity', + id: ALERT_RULE_SEVERITY, initialWidth: 102, }, { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_REASON, - id: 'signal.reason', + id: ALERT_REASON, }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx index a4826445b23cf..a66e2b32758b6 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx 
@@ -8,9 +8,12 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; - -import { ALERT_DURATION, ALERT_STATUS } from '@kbn/rule-data-utils'; - +import { + ALERT_DURATION, + ALERT_REASON, + ALERT_RULE_SEVERITY, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock'; @@ -81,7 +84,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); @@ -93,7 +96,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx index 684680ea2e852..caf0d63c7fe05 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx @@ -9,7 +9,12 @@ import moment from 'moment'; import React from 'react'; import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui'; -import { ALERT_DURATION, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { + ALERT_DURATION, + ALERT_REASON, + ALERT_RULE_SEVERITY, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity'; 
@@ -55,9 +60,9 @@ export const RenderCellValue: React.FC< ); case ALERT_DURATION: return {moment().fromNow(true)}; - case 'signal.rule.severity': + case ALERT_RULE_SEVERITY: return ; - case 'signal.reason': + case ALERT_REASON: return ( {reason} diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts index bf0801f276bdf..420543acc953e 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts @@ -6,6 +6,12 @@ */ import { EuiDataGridColumn } from '@elastic/eui'; +import { + ALERT_REASON, + ALERT_RULE_ID, + ALERT_RULE_NAME, + ALERT_RULE_SEVERITY, +} from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../../common'; import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers'; import { DEFAULT_DATE_COLUMN_MIN_WIDTH } from '../../../../timelines/components/timeline/body/constants'; @@ -26,20 +32,20 @@ export const columns: Array< }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.name', + id: ALERT_RULE_NAME, displayAsText: i18n.ALERTS_HEADERS_RULE_NAME, - linkField: 'signal.rule.id', + linkField: ALERT_RULE_ID, initialWidth: 212, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.rule.severity', + id: ALERT_RULE_SEVERITY, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, initialWidth: 104, }, { columnHeaderType: defaultColumnHeaderType, - id: 'signal.reason', + id: ALERT_REASON, displayAsText: i18n.ALERTS_HEADERS_REASON, }, ]; 
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx index ccd71404a2216..8af2c06ae942a 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx @@ -9,6 +9,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; +import { ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock'; @@ -55,7 +56,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); @@ -67,7 +68,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx index 879712c85327e..0d255eb95c754 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx 
@@ -8,6 +8,7 @@ import { EuiDataGridCellValueElementProps } from '@elastic/eui'; import React from 'react'; +import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; import { DefaultDraggable } from '../../../../common/components/draggables'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity'; @@ -46,7 +47,7 @@ export const RenderCellValue: React.FC< const draggableId = `${timelineId}-${eventId}-${columnId}-${value}`; switch (columnId) { - case 'signal.rule.severity': + case ALERT_RULE_SEVERITY: return ( ); - case 'signal.reason': + case ALERT_REASON: return {reason}; default: return ( diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts index d6d3d829d3be5..ba91a169e6fdc 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts @@ -6,6 +6,14 @@ */ import { EuiDataGridColumn } from '@elastic/eui'; +import { + ALERT_RULE_ID, + ALERT_RULE_NAME, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_SEVERITY, + ALERT_RULE_TYPE, + ALERT_RULE_VERSION, +} from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../common'; import { defaultColumnHeaderType } from '../../../timelines/components/timeline/body/column_headers/default_headers'; 
@@ -31,32 +39,32 @@ export const columns: Array<
 {
 columnHeaderType: defaultColumnHeaderType,
 displayAsText: i18n.ALERTS_HEADERS_RULE,
- id: 'signal.rule.name',
+ id: ALERT_RULE_NAME,
 initialWidth: DEFAULT_COLUMN_MIN_WIDTH,
- linkField: 'signal.rule.id',
+ linkField: ALERT_RULE_ID,
 },
 {
 columnHeaderType: defaultColumnHeaderType,
 displayAsText: i18n.ALERTS_HEADERS_VERSION,
- id: 'signal.rule.version',
+ id: ALERT_RULE_VERSION,
 initialWidth: 95,
 },
 {
 columnHeaderType: defaultColumnHeaderType,
 displayAsText: i18n.ALERTS_HEADERS_METHOD,
- id: 'signal.rule.type',
+ id: ALERT_RULE_TYPE,
 initialWidth: 100,
 },
 {
 columnHeaderType: defaultColumnHeaderType,
 displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
- id: 'signal.rule.severity',
+ id: ALERT_RULE_SEVERITY,
 initialWidth: 105,
 },
 {
 columnHeaderType: defaultColumnHeaderType,
 displayAsText: i18n.ALERTS_HEADERS_RISK_SCORE,
- id: 'signal.rule.risk_score',
+ id: ALERT_RULE_RISK_SCORE,
 initialWidth: 115,
 },
 {
diff --git a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts
index f1e1c42539eff..3290ba0d8347e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/public/timelines/components/open_timeline/__mocks__/index.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
 import { TimelineStatus, TimelineType } from '../../../../../common/types/timeline';
 export const mockTimeline = {
@@ -194,7 +195,7 @@ export const mockTemplate = {
 description: null,
 example: null,
 indexes: null,
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 name: null,
 searchable: null,
 type: null,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
index cb8ed537543a0..db8d70afe86ee 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
@@ -8,6 +8,7 @@
 import React, { useMemo } from 'react';
 import { EuiFlyoutFooter, EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
 import { find, get } from 'lodash/fp';
+import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { TakeActionDropdown } from '../../../../detections/components/take_action_dropdown';
 import type { TimelineEventsDetailsItem } from '../../../../../common';
 import { useExceptionModal } from '../../../../detections/components/alerts_table/timeline_actions/use_add_exception_modal';
@@ -17,6 +18,7 @@ import { useEventFilterModal } from '../../../../detections/components/alerts_ta
 import { getFieldValue } from '../../../../detections/components/host_isolation/helpers';
 import { Status } from '../../../../../common/detection_engine/schemas/common/schemas';
 import { useFetchEcsAlertsData } from '../../../../detections/containers/detection_engine/alerts/use_fetch_ecs_alerts_data';
+import { ALERT_RULE_INDEX } from '../../../../../common/alert_constants';
 interface EventDetailsFooterProps {
 detailsData: TimelineEventsDetailsItem[] | null;
@@ -50,16 +52,16 @@ export const EventDetailsFooter = React.memo(
 timelineId,
 }: EventDetailsFooterProps) => {
 const ruleIndex = useMemo(
- () => find({ category: 'signal', field: 'signal.rule.index' }, detailsData)?.values,
+ () => find({ category: 'signal', field: ALERT_RULE_INDEX }, detailsData)?.values,
 [detailsData]
 );
 const addExceptionModalWrapperData = useMemo(
 () => [
- { category: 'signal', field: 'signal.rule.id', name: 'ruleId' },
- { category: 'signal', field: 'signal.rule.name', name: 'ruleName' },
- { category: 'signal', field: 'signal.status', name: 'alertStatus' },
+ { category: 'signal', field: ALERT_RULE_ID, name: 'ruleId' },
+ { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' },
+ { category: 'signal', field: ALERT_STATUS, name: 'alertStatus' },
 { category: '_id', field: '_id', name: 'eventId' },
 ].reduce(
 (acc, curr) => ({
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
index 82e994802c650..9ab66024d110e 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@@ -17,6 +17,7 @@ import {
 import React, { useState, useCallback, useMemo } from 'react';
 import styled from 'styled-components';
 import deepEqual from 'fast-deep-equal';
+import { ALERT_RULE_ID, ALERT_RULE_NAME } from '@kbn/rule-data-utils';
 import { BrowserFields, DocValueFields } from '../../../../common/containers/source';
 import { ExpandableEvent, ExpandableEventTitle } from './expandable_event';
 import { useTimelineEventsDetails } from '../../../containers/details';
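Review bot: The `category` in `find({ category: 'signal', field: ALERT_RULE_INDEX }, detailsData)` and in the three `addExceptionModalWrapperData` entries still says `'signal'` while the `field` now comes from a constant. Judging by the sibling entry `{ category: '_id', field: '_id', name: 'eventId' }`, `category` appears to be the top-level segment of the field path, so if `ALERT_RULE_INDEX`, `ALERT_RULE_ID`, `ALERT_RULE_NAME` and `ALERT_STATUS` resolve to `kibana.alert.*` paths (as the `event.kibana?.alert?.rule?.id` change in timeline/body/helpers.tsx suggests), these lookups never match and `ruleIndex`, `ruleId`, `ruleName` and `alertStatus` stay undefined, which would silently disable the exception and rule-index driven actions in the footer. The same `category: 'signal'` pairing is in the `isAlert` / `ruleName` hunk of side_panel/event_details/index.tsx. Deriving the category from the constant, e.g. `category: ALERT_RULE_INDEX.split('.')[0]`, keeps the two halves of each lookup in sync. EventDetailsFooter's body continues outside the hunk.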
@@ -102,10 +103,10 @@ const EventDetailsPanelComponent: React.FC = ({
 }
 }, []);
- const isAlert = some({ category: 'signal', field: 'signal.rule.id' }, detailsData);
+ const isAlert = some({ category: 'signal', field: ALERT_RULE_ID }, detailsData);
 const ruleName = useMemo(
- () => getFieldValue({ category: 'signal', field: 'signal.rule.name' }, detailsData),
+ () => getFieldValue({ category: 'signal', field: ALERT_RULE_NAME }, detailsData),
 [detailsData]
 );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
index dd701aa284997..930e95e33a5c2 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
@@ -106,7 +106,7 @@ export const getEventIdToDataMapping = (
 }, {});
 export const isEventBuildingBlockType = (event: Ecs): boolean =>
- !isEmpty(event.signal?.rule?.building_block_type);
+ !isEmpty(event.kibana?.alert?.rule?.building_block_type);
 export const isEvenEqlSequence = (event: Ecs): boolean => {
 if (!isEmpty(event.eql?.sequenceNumber)) {
@@ -121,7 +121,7 @@ export const isEvenEqlSequence = (event: Ecs): boolean => {
 };
 /** Return eventType raw or signal or eql */
 export const getEventType = (event: Ecs): Omit => {
- if (!isEmpty(event.signal?.rule?.id)) {
+ if (!isEmpty(event.kibana?.alert?.rule?.id)) {
 return 'signal';
 } else if (!isEmpty(event.eql?.parentId)) {
 return 'eql';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
index aeb40bed26c8e..f2316010debf6 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
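Review bot: `getEventType` and `isEventBuildingBlockType` now read only `event.kibana?.alert?.rule?.*`, so an alert document that is still indexed with the legacy `signal.rule.*` fields is classified as `'raw'` and loses the alert-specific row treatment and building-block handling in the timeline. Unless every existing alert is rewritten in the same release, a transitional fallback is safer, e.g. `if (!isEmpty(event.kibana?.alert?.rule?.id) || !isEmpty(event.signal?.rule?.id)) {` in `getEventType` and the matching `building_block_type` pair in `isEventBuildingBlockType` — this assumes `Ecs` still declares `signal`, which this diff does not show. Both functions continue past the hunk boundary.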
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx
@@ -14,6 +14,4 @@ export const EVENT_MODULE_FIELD_NAME = 'event.module';
 export const RULE_REFERENCE_FIELD_NAME = 'rule.reference';
 export const REFERENCE_URL_FIELD_NAME = 'reference.url';
 export const EVENT_URL_FIELD_NAME = 'event.url';
-export const SIGNAL_RULE_NAME_FIELD_NAME = 'signal.rule.name';
-export const SIGNAL_STATUS_FIELD_NAME = 'signal.status';
 export const AGENT_STATUS_FIELD_NAME = 'agent.status';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx
index 06ed901110962..744f45846e24d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx
@@ -11,6 +11,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiToolTip } from '@elastic/eui';
 import { isNumber, isEmpty } from 'lodash/fp';
 import React from 'react';
+import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { INDICATOR_REFERENCE } from '../../../../../../common/cti/constants';
 import { DefaultDraggable } from '../../../../../common/components/draggables';
 import { Bytes, BYTES_FORMAT } from './bytes';
@@ -28,10 +29,8 @@ import {
 MESSAGE_FIELD_NAME,
 EVENT_MODULE_FIELD_NAME,
 RULE_REFERENCE_FIELD_NAME,
- SIGNAL_RULE_NAME_FIELD_NAME,
 REFERENCE_URL_FIELD_NAME,
 EVENT_URL_FIELD_NAME,
- SIGNAL_STATUS_FIELD_NAME,
 AGENT_STATUS_FIELD_NAME,
 GEO_FIELD_TYPE,
 } from './constants';
@@ -135,7 +134,7 @@ const FormattedFieldValueComponent: React.FC<{ value={`${value}`} /> ); - } else if (fieldName === SIGNAL_RULE_NAME_FIELD_NAME) { + } else if (fieldName === ALERT_RULE_NAME) { return ( { - const columnId = 'signal.rule.risk_score'; + const columnId = ALERT_RULE_RISK_SCORE; const eventId = '_id-123'; const isDetails = true; const isExpandable = true; diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx index 4289b7d2c62da..7f3033ec4b14e 100644 --- a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx +++ b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx @@ -6,6 +6,7 @@ */ import React from 'react'; +import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; import { DragEffects, DraggableWrapper, @@ -38,7 +39,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [ id, name: ruleName, kqlQuery: '', - queryMatch: { field: 'signal.rule.name', value: ruleName, operator: IS_OPERATOR }, + queryMatch: { field: ALERT_RULE_NAME, value: ruleName, operator: IS_OPERATOR }, }} render={(dataProvider, _, snapshot) => snapshot.isDragging ? ( @@ -73,7 +74,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [ id, name: ruleType, kqlQuery: '', - queryMatch: { field: 'signal.rule.type', value: ruleType, operator: IS_OPERATOR }, + queryMatch: { field: ALERT_RULE_TYPE, value: ruleType, operator: IS_OPERATOR }, }} render={(dataProvider, _, snapshot) => snapshot.isDragging ? ( @@ -109,7 +110,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [ name: `${riskScore}`, kqlQuery: '', queryMatch: { - field: 'signal.rule.risk_score', + field: ALERT_RULE_RISK_SCORE, value: riskScore, operator: IS_OPERATOR, }, 
diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
index 19516ad6fcafa..3534e932ee7cc 100644
--- a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
@@ -6,6 +6,7 @@
 */
 import React from 'react';
+import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 import {
 DragEffects,
 DraggableWrapper,
@@ -18,6 +19,10 @@ import { HostTacticsColumns } from './';
 import * as i18n from './translations';
 import { HostTacticsFields } from '../../../../common';
+import {
+ ALERT_RULE_THREAT_TACTIC_NAME,
+ ALERT_RULE_THREAT_TECHNIQUE_NAME,
+} from '../../../../common/alert_constants';
 export const getHostTacticsColumns = (): HostTacticsColumns => [
 {
@@ -39,7 +44,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: tactic,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.threat.tactic.name',
+ field: ALERT_RULE_THREAT_TACTIC_NAME,
 value: tactic,
 operator: IS_OPERATOR,
 },
@@ -78,7 +83,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: technique,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.threat.technique.name',
+ field: ALERT_RULE_THREAT_TECHNIQUE_NAME,
 value: technique,
 operator: IS_OPERATOR,
 },
@@ -117,7 +122,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
index 7ab998fe16074..8fc3b6bb82c09 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts
@@ -6,304 +6,366 @@ */ import { FieldMap } from '../../../../../../rule_registry/common/field_map'; +import { + ALERT_ANCESTORS, + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_DEPTH, + ALERT_GROUP, + ALERT_GROUP_ID, + ALERT_GROUP_INDEX, + ALERT_ORIGINAL_EVENT, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_INGESTED, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_REASON, + ALERT_ORIGINAL_EVENT_REFERENCE, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_EVENT_URL, + ALERT_ORIGINAL_TIME, + ALERT_THREAT, + ALERT_THREAT_FRAMEWORK, + ALERT_THREAT_TACTIC, + ALERT_THREAT_TACTIC_ID, + ALERT_THREAT_TACTIC_NAME, + ALERT_THREAT_TACTIC_REFERENCE, + ALERT_THREAT_TECHNIQUE, + ALERT_THREAT_TECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_REFERENCE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME, + ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE, + ALERT_THRESHOLD_RESULT, + ALERT_THRESHOLD_RESULT_CARDINALITY, + ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD, + ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE, + ALERT_THRESHOLD_RESULT_COUNT, + ALERT_THRESHOLD_RESULT_FROM, + ALERT_THRESHOLD_RESULT_TERMS, + ALERT_THRESHOLD_RESULT_TERMS_FIELD, + ALERT_THRESHOLD_RESULT_TERMS_VALUE, +} from './../../../../../common/alert_constants'; export const 
alertsFieldMap: FieldMap = { - 'kibana.alert.ancestors': { + [ALERT_ANCESTORS]: { type: 'object', array: true, required: true, }, - 'kibana.alert.ancestors.depth': { + [ALERT_ANCESTORS_DEPTH]: { type: 'long', array: false, required: true, }, - 'kibana.alert.ancestors.id': { + [ALERT_ANCESTORS_ID]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.ancestors.index': { + [ALERT_ANCESTORS_INDEX]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.ancestors.rule': { + [ALERT_ANCESTORS_RULE]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.ancestors.type': { + [ALERT_ANCESTORS_TYPE]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.depth': { + [ALERT_DEPTH]: { type: 'long', array: false, required: true, }, - 'kibana.alert.group': { + [ALERT_GROUP]: { type: 'object', array: false, required: false, }, - 'kibana.alert.group.id': { + [ALERT_GROUP_ID]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.group.index': { + [ALERT_GROUP_INDEX]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event': { + [ALERT_ORIGINAL_EVENT]: { type: 'object', array: false, required: false, }, - 'kibana.alert.original_event.action': { + [ALERT_ORIGINAL_EVENT_ACTION]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.agent_id_status': { + [ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.category': { + [ALERT_ORIGINAL_EVENT_CATEGORY]: { type: 'keyword', array: true, required: true, }, - 'kibana.alert.original_event.code': { + [ALERT_ORIGINAL_EVENT_CODE]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.created': { + [ALERT_ORIGINAL_EVENT_CREATED]: { type: 'date', array: false, required: true, }, - 'kibana.alert.original_event.dataset': { + [ALERT_ORIGINAL_EVENT_DATASET]: { type: 'keyword', array: false, required: true, }, - 
'kibana.alert.original_event.duration': { + [ALERT_ORIGINAL_EVENT_DURATION]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.end': { + [ALERT_ORIGINAL_EVENT_END]: { type: 'date', array: false, required: false, }, - 'kibana.alert.original_event.hash': { + [ALERT_ORIGINAL_EVENT_HASH]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.id': { + [ALERT_ORIGINAL_EVENT_ID]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.ingested': { + [ALERT_ORIGINAL_EVENT_INGESTED]: { type: 'date', array: false, required: true, }, - 'kibana.alert.original_event.kind': { + [ALERT_ORIGINAL_EVENT_KIND]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.module': { + [ALERT_ORIGINAL_EVENT_MODULE]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.original': { + [ALERT_ORIGINAL_EVENT_ORIGINAL]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.outcome': { + [ALERT_ORIGINAL_EVENT_OUTCOME]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.provider': { + [ALERT_ORIGINAL_EVENT_PROVIDER]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.original_event.reason': { + [ALERT_ORIGINAL_EVENT_REASON]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.reference': { + [ALERT_ORIGINAL_EVENT_REFERENCE]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.risk_score': { + [ALERT_ORIGINAL_EVENT_RISK_SCORE]: { type: 'float', array: false, required: false, }, - 'kibana.alert.original_event.risk_score_norm': { + [ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM]: { type: 'float', array: false, required: false, }, - 'kibana.alert.original_event.sequence': { + [ALERT_ORIGINAL_EVENT_SEQUENCE]: { type: 'long', array: false, required: true, }, - 'kibana.alert.original_event.start': { + 
[ALERT_ORIGINAL_EVENT_START]: { type: 'date', array: false, required: false, }, - 'kibana.alert.original_event.timezone': { + [ALERT_ORIGINAL_EVENT_TIMEZONE]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_event.type': { + [ALERT_ORIGINAL_EVENT_TYPE]: { type: 'keyword', array: true, required: true, }, - 'kibana.alert.original_event.url': { + [ALERT_ORIGINAL_EVENT_URL]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.original_time': { + [ALERT_ORIGINAL_TIME]: { type: 'date', array: false, required: true, }, - 'kibana.alert.threat': { + [ALERT_THREAT]: { type: 'object', array: false, required: false, }, - 'kibana.alert.threat.framework': { + [ALERT_THREAT_FRAMEWORK]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.tactic': { + [ALERT_THREAT_TACTIC]: { type: 'object', array: false, required: true, }, - 'kibana.alert.threat.tactic.id': { + [ALERT_THREAT_TACTIC_ID]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.tactic.name': { + [ALERT_THREAT_TACTIC_NAME]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.tactic.reference': { + [ALERT_THREAT_TACTIC_REFERENCE]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique': { + [ALERT_THREAT_TECHNIQUE]: { type: 'object', array: false, required: true, }, - 'kibana.alert.threat.technique.id': { + [ALERT_THREAT_TECHNIQUE_ID]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique.name': { + [ALERT_THREAT_TECHNIQUE_NAME]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique.reference': { + [ALERT_THREAT_TECHNIQUE_REFERENCE]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique.subtechnique': { + [ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE]: { type: 'object', array: false, required: true, }, - 'kibana.alert.threat.technique.subtechnique.id': { + [ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID]: 
{ type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique.subtechnique.name': { + [ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threat.technique.subtechnique.reference': { + [ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE]: { type: 'keyword', array: false, required: true, }, - 'kibana.alert.threshold_result': { + [ALERT_THRESHOLD_RESULT]: { type: 'object', array: false, required: false, }, - 'kibana.alert.threshold_result.cardinality': { + [ALERT_THRESHOLD_RESULT_CARDINALITY]: { type: 'object', array: false, required: false, }, - 'kibana.alert.threshold_result.cardinality.field': { + [ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.threshold_result.cardinality.value': { + [ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE]: { type: 'long', array: false, required: false, }, - 'kibana.alert.threshold_result.count': { + [ALERT_THRESHOLD_RESULT_COUNT]: { type: 'long', array: false, required: false, }, - 'kibana.alert.threshold_result.from': { + [ALERT_THRESHOLD_RESULT_FROM]: { type: 'date', array: false, required: false, }, - 'kibana.alert.threshold_result.terms': { + [ALERT_THRESHOLD_RESULT_TERMS]: { type: 'object', array: false, required: false, }, - 'kibana.alert.threshold_result.terms.field': { + [ALERT_THRESHOLD_RESULT_TERMS_FIELD]: { type: 'keyword', array: false, required: false, }, - 'kibana.alert.threshold_result.terms.value': { + [ALERT_THRESHOLD_RESULT_TERMS_VALUE]: { type: 'keyword', array: false, required: false, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts index 1a2bfbf3a962d..573bcddddd9d1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts 
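Review bot: The new import path `'./../../../../../common/alert_constants'` carries a redundant `./` prefix, unlike the sibling `'../../../../../../rule_registry/common/field_map'` import directly above it; `'../../../../../common/alert_constants'` keeps both relative imports in the file in the same form. The entries themselves are a mechanical key rename from string literals such as `'kibana.alert.ancestors'` to computed keys like `[ALERT_ANCESTORS]`, so the `type`/`array`/`required` values are unchanged. A one-line comment above `alertsFieldMap` noting that its keys are the `kibana.alert.*` constants from `common/alert_constants` and must be added there first would help the next person extending the mapping.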
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts
@@ -6,6 +6,7 @@
 */
 import { TimestampOverrideOrUndefined } from '../../../../../common/detection_engine/schemas/common/schemas';
+import { ALERT_ORIGINAL_TIME } from '../../../../../common/alert_constants';
 import {
 AlertInstanceContext,
 AlertInstanceState,
@@ -54,7 +55,7 @@ export const findPreviousThresholdSignals = async ({
 // We might find a signal that was generated on the interval for old data... make sure to exclude those.
 {
 range: {
- 'signal.original_time': {
+ [ALERT_ORIGINAL_TIME]: {
 gte: from,
 },
 },
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
index d03b445da26d0..cff1bd6c600d4 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
@@ -5,6 +5,8 @@
 * 2.0.
 */
+import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
+
 export const mockTemplate = {
 columns: [
 {
@@ -17,7 +19,7 @@ export const mockTemplate = {
 {
 columnHeaderType: 'not-filtered',
 indexes: null,
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 name: null,
 searchable: null,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
index d7098556c9c3a..a799feea049f2 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
 import { omit } from 'lodash/fp';
 import { TimelineId, TimelineType, TimelineStatus } from '../../../../common/types/timeline';
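Review bot: The exclusion clause in `findPreviousThresholdSignals` now ranges on `[ALERT_ORIGINAL_TIME]` only; threshold alerts that were written to the signals index under the previous `signal.original_time` key are no longer matched by it, so after an upgrade the rule can re-emit alerts it already produced for the same interval until those documents are migrated. If no index migration accompanies this change, the clause should accept either name during the transition, e.g. a `bool` with `should: [{ range: { [ALERT_ORIGINAL_TIME]: { gte: from } } }, { range: { 'signal.original_time': { gte: from } } }]` and `minimum_should_match: 1`. The same single-name assumption applies to the UEBA aggregations in query.host_rules.dsl.ts, query.host_tactics.dsl.ts and query.user_rules.dsl.ts, which sum and bucket on the new field names only and would report zero risk for legacy documents. The function body continues outside the hunk.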
@@ -271,7 +272,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
@@ -387,7 +388,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
@@ -550,7 +551,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
@@ -738,7 +739,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
@@ -906,7 +907,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
@@ -1089,7 +1090,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
index f30f80a4cf14c..3bbcb863171ac 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
@@ -25,6 +25,7 @@ import * as lib from './helpers';
 import { importTimelines } from '../../timelines/import_timelines';
 import { buildFrameworkRequest } from '../../../utils/common';
 import { ImportTimelineResultSchema } from '../../../../../../common/types/timeline';
+import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
 jest.mock('../../timelines/import_timelines');
@@ -105,7 +106,7 @@ describe('installPrepackagedTimelines', () => {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: 'signal.rule.description',
+ id: ALERT_RULE_DESCRIPTION,
 searchable: null,
 },
 {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
index 4c116104b3e14..e9fa0acda988d 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -39,12 +40,12 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 },
 },
 rule_name: {
 terms: {
- field: 'signal.rule.name',
+ field: ALERT_RULE_NAME,
 order: {
 risk_score: Direction.desc,
 },
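Review bot: In helpers.test.ts the new `import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';` is appended after the relative imports, whereas every other file in this patch places the `@kbn/rule-data-utils` import with the package imports ahead of the relative ones (see import_timelines.ts and query.host_rules.dsl.ts in the same region); moving it up keeps the import grouping consistent across the change.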
@@ -52,19 +53,19 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 },
 },
 rule_type: {
 terms: {
- field: 'signal.rule.type',
+ field: ALERT_RULE_TYPE,
 },
 },
 },
 },
 rule_count: {
 cardinality: {
- field: 'signal.rule.name',
+ field: ALERT_RULE_NAME,
 },
 },
 },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
index ec1afe247011b..4f57187f5bbee 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
@@ -5,7 +5,12 @@
 * 2.0.
 */
+import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
+import {
+ ALERT_RULE_THREAT_TACTIC_NAME,
+ ALERT_RULE_THREAT_TECHNIQUE_NAME,
+} from '../../../../../../common/alert_constants';
 import { HostTacticsRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -39,22 +44,22 @@ export const buildHostTacticsQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 },
 },
 tactic: {
 terms: {
- field: 'signal.rule.threat.tactic.name',
+ field: ALERT_RULE_THREAT_TACTIC_NAME,
 },
 aggs: {
 technique: {
 terms: {
- field: 'signal.rule.threat.technique.name',
+ field: ALERT_RULE_THREAT_TECHNIQUE_NAME,
 },
 aggs: {
 risk_score: {
 sum: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 },
 },
 },
@@ -63,12 +68,12 @@ export const buildHostTacticsQuery = ({ }, tactic_count: { cardinality: { - field: 'signal.rule.threat.tactic.name', + field: ALERT_RULE_THREAT_TACTIC_NAME, }, }, technique_count: { cardinality: { - field: 'signal.rule.threat.technique.name', + field: ALERT_RULE_THREAT_TECHNIQUE_NAME, }, }, }, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts index c2242ff00a6c1..62da0a7c6ec26 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; import { isEmpty } from 'lodash/fp'; import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy'; import { createQueryFilterClauses } from '../../../../../utils/build_query'; @@ -48,12 +49,12 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: ALERT_RULE_RISK_SCORE, }, }, rule_name: { terms: { - field: 'signal.rule.name', + field: ALERT_RULE_NAME, order: { risk_score: Direction.desc, }, @@ -61,19 +62,19 @@ export const buildUserRulesQuery = ({ aggs: { risk_score: { sum: { - field: 'signal.rule.risk_score', + field: ALERT_RULE_RISK_SCORE, }, }, rule_type: { terms: { - field: 'signal.rule.type', + field: ALERT_RULE_TYPE, }, }, }, }, rule_count: { cardinality: { - field: 'signal.rule.name', + field: ALERT_RULE_NAME, }, }, }, diff --git a/x-pack/test/api_integration/apis/security_solution/utils.ts b/x-pack/test/api_integration/apis/security_solution/utils.ts index 9265a0066d208..78b260ee32520 100644 
--- a/x-pack/test/api_integration/apis/security_solution/utils.ts +++ b/x-pack/test/api_integration/apis/security_solution/utils.ts @@ -5,6 +5,11 @@ * 2.0. */ import { JsonObject, JsonArray } from '@kbn/common-utils'; +import { + ALERT_ORIGINAL_TIME, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, +} from './../../../../plugins/security_solution/common/alert_constants'; export const getFilterValue = (hostName: string, from: string, to: string): JsonObject => ({ bool: { @@ -37,6 +42,7 @@ export const getFilterValue = (hostName: string, from: string, to: string): Json }, }); +// TODO: Revert these to pure strings to avoid pulling in logic from other plugins export const getFieldsToRequest = (): string[] => [ '@timestamp', 'message', @@ -49,16 +55,16 @@ export const getFieldsToRequest = (): string[] => [ '@timestamp', 'signal.status', 'signal.group.id', - 'signal.original_time', + ALERT_ORIGINAL_TIME, 'signal.rule.building_block_type', 'signal.rule.filters', 'signal.rule.from', - 'signal.rule.language', + ALERT_RULE_LANGUAGE, 'signal.rule.query', 'signal.rule.name', 'signal.rule.to', 'signal.rule.id', - 'signal.rule.index', + ALERT_RULE_INDEX, 'signal.rule.type', 'signal.original_event.kind', 'signal.original_event.module', From c3710c0c2b3346492d29e053b69ac62e0e3e7661 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Thu, 5 Aug 2021 01:01:48 -0400 Subject: [PATCH 02/26] remove notes --- .../common/alert_constants.ts | 45 +++---------------- 1 file changed, 6 insertions(+), 39 deletions(-) diff --git a/x-pack/plugins/security_solution/common/alert_constants.ts b/x-pack/plugins/security_solution/common/alert_constants.ts index ec3c2cba1a7ef..9323df388c749 100644 --- a/x-pack/plugins/security_solution/common/alert_constants.ts +++ b/x-pack/plugins/security_solution/common/alert_constants.ts 
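Review bot: `getFieldsToRequest` now mixes three `kibana.alert.*` constants (`ALERT_ORIGINAL_TIME`, `ALERT_RULE_LANGUAGE`, `ALERT_RULE_INDEX`) with the remaining `signal.*` literals (`signal.status`, `signal.rule.name`, `signal.rule.id`, …), so the integration test requests fields from two different namespaces and whichever one the indexed documents do not use simply comes back empty without failing anything. Migrate the whole list or none of it, and if the added `// TODO: Revert these to pure strings to avoid pulling in logic from other plugins` is the intent, land the literals now (`'kibana.alert.original_time'`, `'kibana.alert.rule.language'`, `'kibana.alert.rule.index'`) instead of the cross-plugin import the TODO says to remove. The field list continues past the end of the hunk.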
@@ -7,14 +7,9 @@ import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; -// could prefix these with SECURITY or similar, but matching the existing naming pattern with -// technical names could provide the advantage of preventing duplicates when attempting to import - -// TODO: DO NOT ADD RULE_TYPE_ID or CONSUMERS: will be in rule-data-utils -// @ts-ignore -const ALERT_RULE_TYPE_ID = 'do not do. Is in Marshalls PR'; -// @ts-ignore -const ALERT_RULE_CONSUMERS = 'do not do. Is in Marshalls PR'; +/** + * This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package + */ // Cast to `as const` to preserve the exact string value when using as a type rather than a value export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; @@ -23,9 +18,10 @@ export const ALERT_ANCESTORS_ID = `${ALERT_ANCESTORS}.id` as const; export const ALERT_ANCESTORS_INDEX = `${ALERT_ANCESTORS}.index` as const; export const ALERT_ANCESTORS_RULE = `${ALERT_ANCESTORS}.rule` as const; export const ALERT_ANCESTORS_TYPE = `${ALERT_ANCESTORS}.type` as const; - export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; - +export const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const; +export const ALERT_GROUP_ID = `${ALERT_GROUP}.id` as const; +export const ALERT_GROUP_INDEX = `${ALERT_GROUP}.index` as const; export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const; export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const; export const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS = `${ALERT_ORIGINAL_EVENT}.agent_id_status` as const; 
@@ -53,42 +49,30 @@ export const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT}.start` as con export const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT}.timezone` as const; export const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT}.type` as const; export const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT}.url` as const; - export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; - -export const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const; -export const ALERT_GROUP_ID = `${ALERT_GROUP}.id` as const; -export const ALERT_GROUP_INDEX = `${ALERT_GROUP}.index` as const; - export const ALERT_THREAT = `${ALERT_NAMESPACE}.threat` as const; export const ALERT_THREAT_FRAMEWORK = `${ALERT_THREAT}.framework` as const; export const ALERT_THREAT_TACTIC = `${ALERT_THREAT}.tactic` as const; export const ALERT_THREAT_TACTIC_ID = `${ALERT_THREAT_TACTIC}.id` as const; export const ALERT_THREAT_TACTIC_NAME = `${ALERT_THREAT_TACTIC}.name` as const; export const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_THREAT_TACTIC}.reference` as const; - export const ALERT_THREAT_TECHNIQUE = `${ALERT_THREAT}.technique` as const; - export const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE}.id` as const; export const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE}.name` as const; export const ALERT_THREAT_TECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE}.reference` as const; - export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE = `${ALERT_THREAT_TECHNIQUE}.subtechnique` as const; export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.id` as const; export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.name` as const; export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.reference` as const; - export const ALERT_THRESHOLD_RESULT = `${ALERT_NAMESPACE}.threshold_result` as const; export const 
ALERT_THRESHOLD_RESULT_CARDINALITY = `${ALERT_THRESHOLD_RESULT}.cardinality` as const; export const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.field` as const; export const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.value` as const; - export const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT}.count` as const; export const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT}.from` as const; export const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT}.terms` as const; export const ALERT_THRESHOLD_RESULT_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT_TERMS}.field` as const; export const ALERT_THRESHOLD_RESULT_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT_TERMS}.value` as const; - export const ALERT_RULE_BUILDING_BLOCK_TYPE = `${ALERT_RULE_NAMESPACE}.building_block_type` as const; // TODO: not accounted for in the excel doc export const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; 
@@ -110,30 +94,13 @@ export const ALERT_RULE_SIZE = `${ALERT_RULE_NAMESPACE}.size` as const; export const ALERT_RULE_THRESHOLD = `${ALERT_RULE_NAMESPACE}.threshold` as const; export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as const; export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const; - export const ALERT_RULE_THREAT = `${ALERT_RULE_NAMESPACE}.threat` as const; export const ALERT_RULE_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT}.framework` as const; export const ALERT_RULE_THREAT_TACTIC = `${ALERT_RULE_THREAT}.tactic` as const; export const ALERT_RULE_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_TACTIC}.id` as const; export const ALERT_RULE_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_TACTIC}.name` as const; export const ALERT_RULE_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_TACTIC}.reference` as const; - export const ALERT_RULE_THREAT_TECHNIQUE = `${ALERT_RULE_THREAT}.technique` as const; export const ALERT_RULE_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_TECHNIQUE}.id` as const; export const ALERT_RULE_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_TECHNIQUE}.name` as const; export const ALERT_RULE_THREAT_TECHNIQUE_REFERENCE = `${ALERT_RULE_THREAT_TECHNIQUE}.reference` as const; - -/** - * TODO: OTHER signal.* not mentioned: - * signal.name - * signal.rule.actions? - * signal.rule.meta.* - * signal.original_event.lag.* - * signal.rule.id.keyword - * signal.rule.threat_mapping - */ - -/** - * TODO: - * DONE: Removed signal.parent.* references / replaced with signal.ancestors.* where not already existing - */ From d2f8e25d51f108f9abad5b335ce8e2346b30a820 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Thu, 5 Aug 2021 01:13:28 -0400 Subject: [PATCH 03/26] fix imports --- .../detections/components/alerts_table/default_config.tsx | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index a78e5a8b649f7..b11acee94102f 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -25,6 +25,9 @@ import { SubsetTimelineModel } from '../../../timelines/store/timeline/model';
 import { timelineDefaults } from '../../../timelines/store/timeline/defaults';
 import { columns } from '../../configurations/security_solution_detections/columns';
 import {
+ ALERT_GROUP_ID,
+ ALERT_ORIGINAL_EVENT_KIND,
+ ALERT_ORIGINAL_EVENT_MODULE,
 ALERT_ORIGINAL_TIME,
 ALERT_RULE_BUILDING_BLOCK_TYPE,
 ALERT_RULE_FILTERS,
From 02123b2a2befe5fa3fdd8df05ba86cec7825583f Mon Sep 17 00:00:00 2001
From: Michael Olorunnisola
Date: Thu, 5 Aug 2021 01:18:27 -0400
Subject: [PATCH 04/26] fix type error
---
 .../plugins/security_solution/common/experimental_features.ts | 2 +-
 .../components/rules/risk_score_mapping/translations.tsx | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index a474ae602fab2..3a8cdcbc94824 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -13,7 +13,7 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues;
 */
 export const allowedExperimentalValues = Object.freeze({
 metricsEntitiesEnabled: false,
- ruleRegistryEnabled: false,
+ ruleRegistryEnabled: true,
 tGridEnabled: true,
 trustedAppsByPolicyEnabled: false,
 excludePoliciesInFilterEnabled: false,
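Review bot: `ruleRegistryEnabled: true` in experimental_features.ts is a runtime default change carried by a commit titled "fix type error", and nothing in the diff explains it; a feature-flag flip that presumably moves the security solution onto the rule-registry alert indices is not a type fix and deserves its own commit, or at minimum a note beside the value. If it has to stay in this commit, annotate it: `ruleRegistryEnabled: true, // enabled alongside the signal.* -> kibana.alert.* field migration in this series`. The preceding hunk in default_config.tsx is only an import addition and needs nothing.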
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
index 022658080cd3d..6d8ea92861df9 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
@@ -6,7 +6,6 @@
 */
 import { i18n } from '@kbn/i18n';
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 export const RISK_SCORE = i18n.translate(
 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreTitle',
@@ -25,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate(
 export const RISK_SCORE_FIELD = i18n.translate(
 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle',
 {
- defaultMessage: ALERT_RULE_RISK_SCORE,
+ defaultMessage: 'kibana.alert.rule.risk_score',
 }
 );
From bf0bcb46365337e41996c5ce0e428983edccd5a4 Mon Sep 17 00:00:00 2001
From: Michael Olorunnisola
Date: Thu, 5 Aug 2021 08:20:18 -0400
Subject: [PATCH 05/26] fix errors
---
 .../public/common/components/drag_and_drop/helpers.ts | 1 +
 .../public/common/components/hover_actions/utils.ts | 1 +
 .../examples/security_solution_rac/render_cell_value.test.tsx | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
index ce409c0aaecc3..db581faafff60 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
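Review bot: `defaultMessage: 'kibana.alert.rule.risk_score'` re-introduces a literal copy of the `ALERT_RULE_RISK_SCORE` value that the first hunk in this file just stopped importing, so the string can now silently drift from the constant; presumably the i18n message extraction requires a literal, but that constraint is not recorded anywhere. Add it next to the value, `// must be a string literal for i18n extraction; keep in sync with ALERT_RULE_RISK_SCORE from @kbn/rule-data-utils`. Better still, question whether a field path belongs in a translatable message at all, since translators should not be offered a field name to localise.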
@@ -243,6 +243,7 @@ export const allowTopN = ({
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
 ALERT_STATUS,
+ // @ts-expect-error fieldName does not need to match the string literals above
 ].includes(fieldName);
 return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType);
diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
index 34bcc2555803a..a3ecb125af8af 100644
--- a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
+++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts
@@ -175,6 +175,7 @@ export const allowTopN = ({
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
 ALERT_STATUS,
+ // @ts-expect-error fieldName does not need to match the string literals above
 ].includes(fieldName);
 return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType);
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
index 8af2c06ae942a..26f4f4b919aff 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
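Review bot: `// @ts-expect-error fieldName does not need to match the string literals above` suppresses the checker instead of fixing the type, in both `allowTopN` copies (drag_and_drop/helpers.ts here and hover_actions/utils.ts in the next hunk): the array literal is inferred as an array of the `as const` literal types, so `.includes(fieldName)` with a `string` argument is rejected. Widen the list by declaration rather than suppression, `const allowedNonBrowserFields: readonly string[] = [ … ];` followed by `allowedNonBrowserFields.includes(fieldName)`, which also avoids the build breaking the day the upstream types change and the `@ts-expect-error` becomes unused. The array starts above both hunks, outside the visible lines, and the two functions appear to be identical copies that could share one helper.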
@@ -9,7 +9,7 @@ import { mount } from 'enzyme';
 import { cloneDeep } from 'lodash/fp';
 import React from 'react';
-import { ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils';
+import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils';
 import { mockBrowserFields } from '../../../../common/containers/source/mock';
 import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock';
From bf0bcb46365337e41996c5ce0e428983edccd5a4 Mon Sep 17 00:00:00 2001
From: Michael Olorunnisola
Date: Thu, 5 Aug 2021 08:27:07 -0400
Subject: [PATCH 06/26] fix merge errors
---
 packages/kbn-rule-data-utils/src/technical_field_names.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index a3f42d350229e..a29c1023caf67 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -10,8 +10,8 @@ import { ValuesType } from 'utility-types';
 const KIBANA_NAMESPACE = 'kibana' as const;
-export const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const;
-export const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const;
+const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const;
+const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const;
 const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const;
 const ECS_VERSION = 'ecs.version' as const;
From 8358664ca9f38b85d14930db53c2ae7d81449348 Mon Sep 17 00:00:00 2001
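Review bot: Dropping `export` from `ALERT_NAMESPACE` and `ALERT_RULE_NAMESPACE` in technical_field_names.ts breaks both `alert_constants.ts` files in this series, which import exactly those two names from `@kbn/rule-data-utils` (security_solution in patch 02 and the timelines copy in patch 07), unless the package re-exports them further down the file, outside this hunk. Keep `export const ALERT_NAMESPACE = \`${KIBANA_NAMESPACE}.alert\` as const;` and `export const ALERT_RULE_NAMESPACE = \`${ALERT_NAMESPACE}.rule\` as const;` or add them to the package's export list, so that consumers derive `kibana.alert.*` names from one source rather than re-spelling the prefix. The render_cell_value.test.tsx hunk above is an import-only change and needs nothing.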
From: Michael Olorunnisola Date: Fri, 6 Aug 2021 09:24:49 -0400 Subject: [PATCH 07/26] update indices in timelines --- .../detection_engine/alerts/api.test.ts | 4 +- .../detection_engine/alerts/mock.ts | 3 +- .../rules/use_rule_with_fallback.tsx | 4 +- .../timelines/common/alert_constants.ts | 106 +++++++++ .../timelines/common/ecs/ecs_fields/index.ts | 106 ++++++--- .../common/utils/field_formatters.test.ts | 5 +- .../components/drag_and_drop/helpers.ts | 3 +- .../components/t_grid/body/helpers.test.tsx | 3 +- .../public/components/t_grid/body/helpers.tsx | 202 ++++++++++++------ .../fields_browser/field_items.test.tsx | 10 +- .../timeline/factory/events/all/constants.ts | 59 +++-- .../factory/events/all/helpers.test.ts | 46 ++-- 12 files changed, 404 insertions(+), 147 deletions(-) create mode 100644 x-pack/plugins/timelines/common/alert_constants.ts diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts index b944cb640b719..d4c0498ccbe7a 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; import { KibanaServices } from '../../../../common/lib/kibana'; import { alertsMock, 
@@ -42,8 +43,7 @@ describe('Detections Alerts API', () => {
 test('check parameter url, body', async () => {
 await fetchQueryAlerts({ query: mockAlertsQuery, signal: abortCtrl.signal });
 expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/signals/search', {
- body:
- '{"aggs":{"alertsByGrouping":{"terms":{"field":"signal.rule.risk_score","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}',
+ body: `{"aggs":{"alertsByGrouping":{"terms":{"field":${ALERT_RULE_RISK_SCORE},"missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`,
 method: 'POST',
 signal: abortCtrl.signal,
 });
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
index 7aba8fa4ac10f..0d4a88e5e472b 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
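Review bot: The interpolation `"field":${ALERT_RULE_RISK_SCORE}` in the new expected body drops the quotes the removed literal had (`"field":"signal.rule.risk_score"`), so the template produces `"field":kibana.alert.rule.risk_score`, which is not the JSON a serialised `mockAlertsQuery` would contain and cannot equal what `fetchQueryAlerts` sends; the assertion will fail, or if it passes, the test is no longer comparing the real request body. Restore the quotes: `"field":"${ALERT_RULE_RISK_SCORE}"`. A more robust expectation would serialise the same object the call site uses, e.g. `body: JSON.stringify(expectedQuery)`, instead of hand-maintaining a 600-character string that has to be re-edited for every field rename.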
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 import { HostIsolationResponse } from '../../../../../common/endpoint/types/actions';
 import { AlertSearchResponse, AlertsIndex, Privilege, CasesFromAlertsResponse } from './types';
@@ -949,7 +950,7 @@ export const mockAlertsQuery: object = {
 aggs: {
 alertsByGrouping: {
 terms: {
- field: 'signal.rule.risk_score',
+ field: ALERT_RULE_RISK_SCORE,
 missing: 'All others',
 order: { _count: 'desc' },
 size: 10,
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
index da56275280f65..7931da5d9f5e6 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
@@ -8,6 +8,7 @@ import { useCallback, useEffect, useMemo } from 'react';
 import { isNotFoundError } from '@kbn/securitysolution-t-grid';
 import { useAsync, withOptionalSignal } from '@kbn/securitysolution-hook-utils';
+import { ALERT_RULE_ID } from '@kbn/rule-data-utils';
 import { useAppToasts } from '../../../../common/hooks/use_app_toasts';
 import { useQueryAlerts } from '../alerts/use_query';
 import { fetchRuleById } from './api';
@@ -41,7 +42,7 @@ const useFetchRule = () => useAsync(fetchWithOptionslSignal);
 const buildLastAlertQuery = (ruleId: string) => ({
 query: {
 bool: {
- filter: [{ match: { 'signal.rule.id': ruleId } }],
+ filter: [{ match: { [ALERT_RULE_ID]: ruleId } }],
 },
 },
 size: 1,
@@ -77,6 +78,7 @@ export const useRuleWithFallback = (ruleId: string): UseRuleWithFallback => {
 }, [addError, error]);
 const rule = useMemo(() => {
+ // TODO: Is this access still kosher?
 const result = isExistingRule ? ruleData : alertsData?.hits.hits[0]?._source.signal.rule;
 if (result) {
 return transformInput(result);
diff --git a/x-pack/plugins/timelines/common/alert_constants.ts b/x-pack/plugins/timelines/common/alert_constants.ts
new file mode 100644
index 0000000000000..9323df388c749
--- /dev/null
+++ b/x-pack/plugins/timelines/common/alert_constants.ts
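Review bot: `buildLastAlertQuery` (previous hunk in this file) now filters on `[ALERT_RULE_ID]`, i.e. the `kibana.alert.rule.id` field, but the fallback on the line below the added TODO still reads the hit as `alertsData?.hits.hits[0]?._source.signal.rule`; for an alert document written under the new namespace `_source.signal` is undefined and `.rule` throws a TypeError inside `useMemo`, which is exactly what `// TODO: Is this access still kosher?` is circling without resolving. Read the rule from the same namespace the query targets (whether that is a nested `kibana.alert.rule` object or a dotted key depends on how the document is indexed, so check an actual hit) and guard the whole path with optional chaining so a missing field yields `undefined` rather than a crash. The `useMemo` callback and `useRuleWithFallback` itself continue outside the hunk.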
@@ -0,0 +1,106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; + +/** + * This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package + */ + +// Cast to `as const` to preserve the exact string value when using as a type rather than a value +export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; +export const ALERT_ANCESTORS_DEPTH = `${ALERT_ANCESTORS}.depth` as const; +export const ALERT_ANCESTORS_ID = `${ALERT_ANCESTORS}.id` as const; +export const ALERT_ANCESTORS_INDEX = `${ALERT_ANCESTORS}.index` as const; +export const ALERT_ANCESTORS_RULE = `${ALERT_ANCESTORS}.rule` as const; +export const ALERT_ANCESTORS_TYPE = `${ALERT_ANCESTORS}.type` as const; +export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; +export const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const; +export const ALERT_GROUP_ID = `${ALERT_GROUP}.id` as const; +export const ALERT_GROUP_INDEX = `${ALERT_GROUP}.index` as const; +export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const; +export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const; +export const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS = `${ALERT_ORIGINAL_EVENT}.agent_id_status` as const; +export const ALERT_ORIGINAL_EVENT_CATEGORY = `${ALERT_ORIGINAL_EVENT}.category` as const; +export const ALERT_ORIGINAL_EVENT_CODE = `${ALERT_ORIGINAL_EVENT}.code` as const; +export const ALERT_ORIGINAL_EVENT_CREATED = `${ALERT_ORIGINAL_EVENT}.created` as const; +export const ALERT_ORIGINAL_EVENT_DATASET = `${ALERT_ORIGINAL_EVENT}.dataset` as const; +export const ALERT_ORIGINAL_EVENT_DURATION = `${ALERT_ORIGINAL_EVENT}.duration` as 
const; +export const ALERT_ORIGINAL_EVENT_END = `${ALERT_ORIGINAL_EVENT}.end` as const; +export const ALERT_ORIGINAL_EVENT_HASH = `${ALERT_ORIGINAL_EVENT}.hash` as const; +export const ALERT_ORIGINAL_EVENT_ID = `${ALERT_ORIGINAL_EVENT}.id` as const; +export const ALERT_ORIGINAL_EVENT_INGESTED = `${ALERT_ORIGINAL_EVENT}.ingested` as const; +export const ALERT_ORIGINAL_EVENT_KIND = `${ALERT_ORIGINAL_EVENT}.kind` as const; +export const ALERT_ORIGINAL_EVENT_MODULE = `${ALERT_ORIGINAL_EVENT}.module` as const; +export const ALERT_ORIGINAL_EVENT_ORIGINAL = `${ALERT_ORIGINAL_EVENT}.original` as const; +export const ALERT_ORIGINAL_EVENT_OUTCOME = `${ALERT_ORIGINAL_EVENT}.outcome` as const; +export const ALERT_ORIGINAL_EVENT_PROVIDER = `${ALERT_ORIGINAL_EVENT}.provider` as const; +export const ALERT_ORIGINAL_EVENT_REASON = `${ALERT_ORIGINAL_EVENT}.reason` as const; +export const ALERT_ORIGINAL_EVENT_REFERENCE = `${ALERT_ORIGINAL_EVENT}.reference` as const; +export const ALERT_ORIGINAL_EVENT_RISK_SCORE = `${ALERT_ORIGINAL_EVENT}.risk_score` as const; +export const ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM = `${ALERT_ORIGINAL_EVENT}.risk_score_norm` as const; +export const ALERT_ORIGINAL_EVENT_SEQUENCE = `${ALERT_ORIGINAL_EVENT}.sequence` as const; +export const ALERT_ORIGINAL_EVENT_SEVERITY = `${ALERT_ORIGINAL_EVENT}.severity` as const; +export const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT}.start` as const; +export const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT}.timezone` as const; +export const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT}.type` as const; +export const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT}.url` as const; +export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; +export const ALERT_THREAT = `${ALERT_NAMESPACE}.threat` as const; +export const ALERT_THREAT_FRAMEWORK = `${ALERT_THREAT}.framework` as const; +export const ALERT_THREAT_TACTIC = `${ALERT_THREAT}.tactic` as const; +export const 
ALERT_THREAT_TACTIC_ID = `${ALERT_THREAT_TACTIC}.id` as const; +export const ALERT_THREAT_TACTIC_NAME = `${ALERT_THREAT_TACTIC}.name` as const; +export const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_THREAT_TACTIC}.reference` as const; +export const ALERT_THREAT_TECHNIQUE = `${ALERT_THREAT}.technique` as const; +export const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE}.id` as const; +export const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE}.name` as const; +export const ALERT_THREAT_TECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE}.reference` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE = `${ALERT_THREAT_TECHNIQUE}.subtechnique` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.id` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.name` as const; +export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.reference` as const; +export const ALERT_THRESHOLD_RESULT = `${ALERT_NAMESPACE}.threshold_result` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY = `${ALERT_THRESHOLD_RESULT}.cardinality` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.field` as const; +export const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.value` as const; +export const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT}.count` as const; +export const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT}.from` as const; +export const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT}.terms` as const; +export const ALERT_THRESHOLD_RESULT_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT_TERMS}.field` as const; +export const ALERT_THRESHOLD_RESULT_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT_TERMS}.value` as const; +export const ALERT_RULE_BUILDING_BLOCK_TYPE = 
`${ALERT_RULE_NAMESPACE}.building_block_type` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; +export const ALERT_RULE_FALSE_POSITIVES = `${ALERT_RULE_NAMESPACE}.false_positives` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_FILTERS = `${ALERT_RULE_NAMESPACE}.filters` as const; +export const ALERT_RULE_IMMUTABLE = `${ALERT_RULE_NAMESPACE}.immutable` as const; +export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const; +export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const; +export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const; +// TODO: Not supported in new RAC implementation. Can be removed +export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.ouput_index` as const; +export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const; +// TODO: Could be depracated +export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_SIZE = `${ALERT_RULE_NAMESPACE}.size` as const; +// TODO: not accounted for in the excel doc +export const ALERT_RULE_THRESHOLD = `${ALERT_RULE_NAMESPACE}.threshold` as const; +export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as const; +export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const; +export const ALERT_RULE_THREAT = `${ALERT_RULE_NAMESPACE}.threat` as const; +export const ALERT_RULE_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT}.framework` as const; +export const ALERT_RULE_THREAT_TACTIC = `${ALERT_RULE_THREAT}.tactic` as const; +export const ALERT_RULE_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_TACTIC}.id` as const; +export const ALERT_RULE_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_TACTIC}.name` as const; +export const ALERT_RULE_THREAT_TACTIC_REFERENCE = 
`${ALERT_RULE_THREAT_TACTIC}.reference` as const; +export const ALERT_RULE_THREAT_TECHNIQUE = `${ALERT_RULE_THREAT}.technique` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_TECHNIQUE}.id` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_TECHNIQUE}.name` as const; +export const ALERT_RULE_THREAT_TECHNIQUE_REFERENCE = `${ALERT_RULE_THREAT_TECHNIQUE}.reference` as const; diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts index 292822019fc9c..585516f85a304 100644 --- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts @@ -5,6 +5,44 @@ * 2.0. */ +import { + ALERT_RULE_ID, + ALERT_RULE_FROM, + ALERT_RULE_TO, + ALERT_RULE_RULE_ID, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_NAME, + ALERT_RULE_REFERENCES, + ALERT_RULE_SEVERITY, + ALERT_RULE_TAGS, + ALERT_RULE_TYPE, + ALERT_RULE_ENABLED, + ALERT_RULE_CREATED_AT, + ALERT_RULE_UPDATED_AT, + ALERT_RULE_CREATED_BY, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_RULE_NOTE, +} from '@kbn/rule-data-utils'; +import { + ALERT_ORIGINAL_TIME, + ALERT_RULE_SAVED_ID, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_QUERY, + ALERT_RULE_FILTERS, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_THREAT, + ALERT_RULE_SIZE, + ALERT_RULE_THRESHOLD, + ALERT_RULE_EXCEPTIONS_LIST, +} from '../../alert_constants'; import { extendMap } from './extend_map'; export const auditdMap: Readonly> = { 
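Review bot: `x-pack/plugins/timelines/common/alert_constants.ts` is a byte-for-byte copy of the security_solution file (both `index` lines end in the same blob id `9323df388c749`), so the alert field names now have two independent sources of truth that will drift the first time one side is edited. The copy also carries the same defects: `ALERT_RULE_OUTPUT_INDEX` spells the field `ouput_index` while the mapping it replaces in ecs_fields/index.ts named `signal.rule.output_index`, so every use of that constant, including the `signalFieldsMap` rewrite in timelines/common/ecs/ecs_fields/index.ts, now points at a field that does not exist; the comment above `ALERT_RULE_SAVED_ID` misspells `deprecated`; and the header still reads "security solution specific" inside the timelines plugin. Fix the value to `` `${ALERT_RULE_NAMESPACE}.output_index` `` and export these constants from one place (the timelines plugin or `@kbn/rule-data-utils`) that security_solution imports, instead of duplicating the file. The `// TODO: not accounted for in the excel doc` markers should also be resolved or turned into an issue reference before this ships.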
@@ -291,40 +329,40 @@ export const systemFieldsMap: Readonly> = { }; export const signalFieldsMap: Readonly> = { - 'signal.original_time': 'signal.original_time', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', + [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME, + [ALERT_RULE_ID]: ALERT_RULE_ID, + [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, + [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, + 
[ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE, + [ALERT_RULE_OUTPUT_INDEX]: ALERT_RULE_OUTPUT_INDEX, + [ALERT_RULE_FROM]: ALERT_RULE_FROM, + [ALERT_RULE_INDEX]: ALERT_RULE_INDEX, + [ALERT_RULE_LANGUAGE]: ALERT_RULE_LANGUAGE, + [ALERT_RULE_QUERY]: ALERT_RULE_QUERY, + [ALERT_RULE_TO]: ALERT_RULE_TO, + [ALERT_RULE_FILTERS]: ALERT_RULE_FILTERS, + [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID, + [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES, + [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS, + [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE, + [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION, + [ALERT_RULE_NAME]: ALERT_RULE_NAME, + [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE, + [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES, + [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY, + [ALERT_RULE_TAGS]: ALERT_RULE_TAGS, + [ALERT_RULE_THREAT]: ALERT_RULE_THREAT, + [ALERT_RULE_TYPE]: ALERT_RULE_TYPE, + [ALERT_RULE_SIZE]: ALERT_RULE_SIZE, + [ALERT_RULE_ENABLED]: ALERT_RULE_ENABLED, + [ALERT_RULE_CREATED_AT]: ALERT_RULE_CREATED_AT, + [ALERT_RULE_UPDATED_AT]: ALERT_RULE_UPDATED_AT, + [ALERT_RULE_CREATED_BY]: ALERT_RULE_CREATED_BY, + [ALERT_RULE_UPDATED_BY]: ALERT_RULE_UPDATED_BY, + [ALERT_RULE_VERSION]: ALERT_RULE_VERSION, + [ALERT_RULE_NOTE]: ALERT_RULE_NOTE, + [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD, + [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST, }; export const ruleFieldsMap: Readonly> = { diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts index 50a3117e53b9b..c47cfcceae544 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts 
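Review bot: The new `[ALERT_RULE_OUTPUT_INDEX]` entry inherits a spelling error from the constant's definition earlier in this patch, which is built as `${ALERT_RULE_NAMESPACE}.ouput_index` (missing the `t`), so the key this map now carries will never match the field written to alert documents, while the old `signal.rule.output_index` entry is removed in the same hunk. Either correct the constant to `.output_index` or, since the TODO beside its definition says it is unsupported in the RAC implementation, leave it out of the map rather than carry a dead key. Every remaining entry is an identity pair, which reads as intentional but is unexplained; a one-line comment above the map such as `// alert fields map onto themselves: the key is already the indexed field name` would save the next reader a double take.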
@@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_STATUS, ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid'; import { EventHit, EventSource } from '../search_strategy'; import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters'; @@ -135,8 +136,8 @@ describe('Events Details Helpers', () => { it('#getDataFromSourceHits', () => { const _source: EventSource = { '@timestamp': '2021-02-24T00:41:06.527Z', - 'signal.status': 'open', - 'signal.rule.name': 'Rawr', + [ALERT_STATUS]: 'open', + [ALERT_RULE_NAME]: 'Rawr', 'threat.indicator': [ { provider: 'yourself', diff --git a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts index 5d0c8b6fbd000..cad8486fac7f3 100644 --- a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts @@ -10,6 +10,7 @@ import { KEYBOARD_DRAG_OFFSET, getFieldIdFromDraggable } from '@kbn/securitysolu import { Dispatch } from 'redux'; import { isString, keyBy } from 'lodash/fp'; +import { ALERT_RULE_ID, ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { stopPropagationAndPreventDefault, TimelineId } from '../../../common'; import type { BrowserField, BrowserFields, ColumnHeaderOptions } from '../../../common'; import { tGridActions } from '../../store/t_grid'; @@ -144,7 +145,7 @@ const getAllFieldsByName = ( keyBy('name', getAllBrowserFields(browserFields)); const linkFields: Record = { - 'signal.rule.name': 'signal.rule.id', + [ALERT_RULE_NAME]: ALERT_RULE_ID, 'event.module': 'rule.reference', }; diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx index fe9c5ea2bc332..d71e565eff58e 100644 
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx @@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { omit } from 'lodash/fp'; import { ColumnHeaderOptions } from '../../../../common'; @@ -349,7 +350,7 @@ describe('helpers', () => { expect( allowSorting({ browserField: undefined, // no BrowserField metadata for this field - fieldName: 'signal.rule.name', // an allow-listed field name + fieldName: ALERT_RULE_NAME, // an allow-listed field name }) ).toBe(true); }); diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx index fb50d5ebabb8c..61d911c1295cd 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx 
@@ -5,7 +5,75 @@ * 2.0. */ -import { isEmpty } from 'lodash/fp'; +import { + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_INTERVAL, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_TAGS, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, +} from '@kbn/rule-data-utils'; +import { includes, isEmpty } from 'lodash/fp'; +import { + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_SAVED_ID, + ALERT_RULE_SIZE, + ALERT_RULE_THREAT, + ALERT_RULE_THREAT_TACTIC_ID, + ALERT_RULE_THREAT_TACTIC_NAME, + ALERT_RULE_THREAT_TACTIC_REFERENCE, + ALERT_RULE_THREAT_TECHNIQUE_ID, + ALERT_RULE_THREAT_TECHNIQUE_NAME, + ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, +} from '../../../../common/alert_constants'; import type { Ecs } from '../../../../common/ecs'; import type { 
@@ -113,74 +181,70 @@ export const allowSorting = ({ const isAggregatable = browserField?.aggregatable ?? false; const isAllowlistedNonBrowserField = [ - 'signal.ancestors.depth', - 'signal.ancestors.id', - 'signal.ancestors.rule', - 'signal.ancestors.type', - 'signal.original_event.action', - 'signal.original_event.category', - 'signal.original_event.code', - 'signal.original_event.created', - 'signal.original_event.dataset', - 'signal.original_event.duration', - 'signal.original_event.end', - 'signal.original_event.hash', - 'signal.original_event.id', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.original_event.original', - 'signal.original_event.outcome', - 'signal.original_event.provider', - 'signal.original_event.risk_score', - 'signal.original_event.risk_score_norm', - 'signal.original_event.sequence', - 'signal.original_event.severity', - 'signal.original_event.start', - 'signal.original_event.timezone', - 'signal.original_event.type', - 'signal.original_time', - 'signal.parent.depth', - 'signal.parent.id', - 'signal.parent.index', - 'signal.parent.rule', - 'signal.parent.type', - 'signal.rule.created_by', - 'signal.rule.description', - 'signal.rule.enabled', - 'signal.rule.false_positives', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.id', - 'signal.rule.immutable', - 'signal.rule.index', - 'signal.rule.interval', - 'signal.rule.language', - 'signal.rule.max_signals', - 'signal.rule.name', - 'signal.rule.note', - 'signal.rule.output_index', - 'signal.rule.query', - 'signal.rule.references', - 'signal.rule.risk_score', - 'signal.rule.rule_id', - 'signal.rule.saved_id', - 'signal.rule.severity', - 'signal.rule.size', - 'signal.rule.tags', - 'signal.rule.threat', - 'signal.rule.threat.tactic.id', - 'signal.rule.threat.tactic.name', - 'signal.rule.threat.tactic.reference', - 'signal.rule.threat.technique.id', - 'signal.rule.threat.technique.name', - 'signal.rule.threat.technique.reference', - 
'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.to', - 'signal.rule.type', - 'signal.rule.updated_by', - 'signal.rule.version', - 'signal.status', + ALERT_ANCESTORS_DEPTH, + ALERT_ANCESTORS_ID, + ALERT_ANCESTORS_INDEX, + ALERT_ANCESTORS_RULE, + ALERT_ANCESTORS_TYPE, + ALERT_ORIGINAL_EVENT_ACTION, + ALERT_ORIGINAL_EVENT_CATEGORY, + ALERT_ORIGINAL_EVENT_CODE, + ALERT_ORIGINAL_EVENT_CREATED, + ALERT_ORIGINAL_EVENT_DATASET, + ALERT_ORIGINAL_EVENT_DURATION, + ALERT_ORIGINAL_EVENT_END, + ALERT_ORIGINAL_EVENT_HASH, + ALERT_ORIGINAL_EVENT_ID, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_ORIGINAL_EVENT_ORIGINAL, + ALERT_ORIGINAL_EVENT_OUTCOME, + ALERT_ORIGINAL_EVENT_PROVIDER, + ALERT_ORIGINAL_EVENT_RISK_SCORE, + ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM, + ALERT_ORIGINAL_EVENT_SEQUENCE, + ALERT_ORIGINAL_EVENT_SEVERITY, + ALERT_ORIGINAL_EVENT_START, + ALERT_ORIGINAL_EVENT_TIMEZONE, + ALERT_ORIGINAL_EVENT_TYPE, + ALERT_ORIGINAL_TIME, + ALERT_RULE_CREATED_BY, + ALERT_RULE_DESCRIPTION, + ALERT_RULE_ENABLED, + ALERT_RULE_FALSE_POSITIVES, + ALERT_RULE_FILTERS, + ALERT_RULE_FROM, + ALERT_RULE_ID, + ALERT_RULE_IMMUTABLE, + ALERT_RULE_INDEX, + ALERT_RULE_INTERVAL, + ALERT_RULE_LANGUAGE, + ALERT_RULE_MAX_SIGNALS, + ALERT_RULE_NAME, + ALERT_RULE_NOTE, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_QUERY, + ALERT_RULE_REFERENCES, + ALERT_RULE_RISK_SCORE, + ALERT_RULE_RULE_ID, + ALERT_RULE_SAVED_ID, + ALERT_RULE_SEVERITY, + ALERT_RULE_SIZE, + ALERT_RULE_TAGS, + ALERT_RULE_THREAT, + ALERT_RULE_THREAT_TACTIC_ID, + ALERT_RULE_THREAT_TACTIC_NAME, + ALERT_RULE_THREAT_TACTIC_REFERENCE, + ALERT_RULE_THREAT_TECHNIQUE_ID, + ALERT_RULE_THREAT_TECHNIQUE_NAME, + ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_TO, + ALERT_RULE_TYPE, + ALERT_RULE_UPDATED_BY, + ALERT_RULE_VERSION, + ALERT_STATUS, ].includes(fieldName); return isAllowlistedNonBrowserField || isAggregatable; 
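Review bot: The five `signal.parent.*` entries (`depth`, `id`, `index`, `rule`, `type`) are removed from the allowlist without an `ALERT_PARENT_*` counterpart, while the ancestors group gains `ALERT_ANCESTORS_INDEX`; if `parent` is deliberately folded into `ancestors`, a comment saying so would prevent the removal being read as accidental, otherwise sorting on those columns silently becomes disallowed. The array literal is also rebuilt and linearly scanned on every `allowSorting` call; hoisting it to a module-level `const ALLOWLISTED_NON_BROWSER_FIELDS = new Set([...])` and testing `ALLOWLISTED_NON_BROWSER_FIELDS.has(fieldName)` keeps the list in one place and makes the lookup constant time. `allowSorting` opens before this hunk and closes after it.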
diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx index 789aeeeb187fd..16e419ad439f4 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx @@ -8,6 +8,7 @@ import { omit } from 'lodash/fp'; import React from 'react'; import { waitFor } from '@testing-library/react'; +import { ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { mockBrowserFields, TestProviders } from '../../../../mock'; import { defaultColumnHeaderType } from '../../body/column_headers/default_headers'; import { DEFAULT_DATE_COLUMN_MIN_WIDTH } from '../../body/constants'; @@ -17,6 +18,7 @@ import { getFieldColumns, getFieldItems } from './field_items'; import { FIELDS_PANE_WIDTH } from './helpers'; import { useMountAppended } from '../../../utils/use_mount_appended'; import { ColumnHeaderOptions } from '../../../../../common'; +import { ALERT_RULE_THREAT_TECHNIQUE_NAME } from '../../../../../common/alert_constants'; const selectedCategoryId = 'base'; const selectedCategoryFields = mockBrowserFields[selectedCategoryId].fields; @@ -199,14 +201,14 @@ describe('field_items', () => { ...mockBrowserFields, signal: { fields: { - 'signal.rule.name': { + [ALERT_RULE_NAME]: { aggregatable: true, category: 'signal', description: 'rule name', example: '', format: '', indexes: ['auditbeat', 'filebeat', 'packetbeat'], - name: 'signal.rule.name', + name: ALERT_RULE_THREAT_TECHNIQUE_NAME, searchable: true, type: 'string', }, @@ -235,7 +237,7 @@ describe('field_items', () => { ); wrapper - .find(`[data-test-subj="field-signal.rule.name-checkbox"]`) + .find(`[data-test-subj="field-${ALERT_RULE_NAME}-checkbox"]`) .last() .simulate('change', { target: { checked: true }, 
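Review bot: In the `@@ -199,14` hunk the mock field keyed by `[ALERT_RULE_NAME]` is given `name: ALERT_RULE_THREAT_TECHNIQUE_NAME`, and the `@@ -244,7` hunk on the following line expects `toggleColumn` to be called with `id: ALERT_RULE_THREAT_TECHNIQUE_NAME`, while the checkbox lookup between them uses `field-${ALERT_RULE_NAME}-checkbox`; all three were `signal.rule.name` before, so the technique-name constant looks like a stray substitution rather than a deliberate key/name mismatch. Unless a mismatch is what the test is meant to exercise, `name: ALERT_RULE_NAME` and `id: ALERT_RULE_NAME` restore the original meaning and make the added import from `../../../../../common/alert_constants` unnecessary.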
@@ -244,7 +246,7 @@ describe('field_items', () => { await waitFor(() => { expect(toggleColumn).toBeCalledWith({ columnHeaderType: 'not-filtered', - id: 'signal.rule.name', + id: ALERT_RULE_THREAT_TECHNIQUE_NAME, initialWidth: 180, }); }); diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts index aae68dbcf86d1..97ee857778f79 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts @@ -5,6 +5,29 @@ * 2.0. */ +import { + ALERT_STATUS, + ALERT_RULE_FROM, + ALERT_RULE_NAME, + ALERT_RULE_TO, + ALERT_RULE_ID, + ALERT_RULE_TYPE, + ALERT_RULE_VERSION, + ALERT_RULE_SEVERITY, + ALERT_RULE_RISK_SCORE, +} from '@kbn/rule-data-utils'; +import { + ALERT_GROUP_ID, + ALERT_ORIGINAL_TIME, + ALERT_RULE_FILTERS, + ALERT_RULE_LANGUAGE, + ALERT_RULE_QUERY, + ALERT_RULE_INDEX, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_THRESHOLD_RESULT, +} from '../../../../../../common/alert_constants'; + // import { CTI_ROW_RENDERER_FIELDS } from '../../../../../../common/cti/constants'; // TODO: share with security_solution/common/cti/constants.ts 
@@ -42,24 +65,24 @@ export const CTI_ROW_RENDERER_FIELDS = [ export const TIMELINE_EVENTS_FIELDS = [ '@timestamp', - 'signal.status', - 'signal.group.id', - 'signal.original_time', - 'signal.rule.filters', - 'signal.rule.from', - 'signal.rule.language', - 'signal.rule.query', - 'signal.rule.name', - 'signal.rule.to', - 'signal.rule.id', - 'signal.rule.index', - 'signal.rule.type', - 'signal.original_event.kind', - 'signal.original_event.module', - 'signal.rule.version', - 'signal.rule.severity', - 'signal.rule.risk_score', - 'signal.threshold_result', + ALERT_STATUS, + ALERT_GROUP_ID, + ALERT_ORIGINAL_TIME, + ALERT_RULE_FILTERS, + ALERT_RULE_FROM, + ALERT_RULE_LANGUAGE, + ALERT_RULE_QUERY, + ALERT_RULE_NAME, + ALERT_RULE_TO, + ALERT_RULE_ID, + ALERT_RULE_INDEX, + ALERT_RULE_TYPE, + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, + ALERT_RULE_VERSION, + ALERT_RULE_SEVERITY, + ALERT_RULE_RISK_SCORE, + ALERT_THRESHOLD_RESULT, 'event.code', 'event.module', 'event.action', diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index c9be6582015f1..e38108557c628 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts 
@@ -5,7 +5,25 @@ * 2.0. */ +import { + ALERT_RULE_FROM, + ALERT_RULE_TYPE, + ALERT_RULE_ID, + ALERT_RULE_RISK_SCORE, + ALERT_STATUS, + ALERT_RULE_SEVERITY, + ALERT_RULE_VERSION, + ALERT_RULE_NAME, + ALERT_RULE_TO, +} from '@kbn/rule-data-utils'; import { eventHit } from '@kbn/securitysolution-t-grid'; +import { + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_LANGUAGE, + ALERT_RULE_QUERY, + ALERT_RULE_INDEX, + ALERT_ORIGINAL_TIME, +} from '../../../../../../common/alert_constants'; import { EventHit } from '../../../../../../common/search_strategy'; import { TIMELINE_EVENTS_FIELDS } from './constants'; import { buildObjectForFieldPath, formatTimelineData } from './helpers'; @@ -265,20 +283,20 @@ describe('#formatTimelineData', () => { }, }, fields: { - 'signal.rule.output_index': ['.siem-signals-patrykkopycinski-default'], - 'signal.rule.from': ['now-360s'], - 'signal.rule.language': ['kuery'], + [ALERT_RULE_OUTPUT_INDEX]: ['.siem-signals-patrykkopycinski-default'], + [ALERT_RULE_FROM]: ['now-360s'], + [ALERT_RULE_LANGUAGE]: ['kuery'], '@timestamp': ['2021-01-09T13:41:40.517Z'], - 'signal.rule.query': ['_id :*'], - 'signal.rule.type': ['threshold'], - 'signal.rule.id': ['696c24e0-526d-11eb-836c-e1620268b945'], - 'signal.rule.risk_score': [21], - 'signal.status': ['open'], + [ALERT_RULE_QUERY]: ['_id :*'], + [ALERT_RULE_TYPE]: ['threshold'], + [ALERT_RULE_ID]: ['696c24e0-526d-11eb-836c-e1620268b945'], + [ALERT_RULE_RISK_SCORE]: [21], + [ALERT_STATUS]: ['open'], 'event.kind': ['signal'], - 'signal.original_time': ['2021-01-09T13:39:32.595Z'], - 'signal.rule.severity': ['low'], - 'signal.rule.version': ['1'], - 'signal.rule.index': [ + [ALERT_ORIGINAL_TIME]: ['2021-01-09T13:39:32.595Z'], + [ALERT_RULE_SEVERITY]: ['low'], + [ALERT_RULE_VERSION]: ['1'], + [ALERT_RULE_INDEX]: [ 'apm-*-transaction*', 'traces-apm*', 'auditbeat-*', 
@@ -288,8 +306,8 @@ describe('#formatTimelineData', () => { 'packetbeat-*', 'winlogbeat-*', ], - 'signal.rule.name': ['Threshold test'], - 'signal.rule.to': ['now'], + [ALERT_RULE_NAME]: ['Threshold test'], + [ALERT_RULE_TO]: ['now'], }, _type: '', sort: ['1610199700517'], From ece0e16fe4b20dd309555889de3653e3c6ed0014 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Fri, 6 Aug 2021 10:10:42 -0400 Subject: [PATCH 08/26] make additional changes --- .../common/utils/field_formatters.test.ts | 4 ++-- .../public/components/t_grid/body/helpers.tsx | 2 +- .../timeline/factory/events/all/constants.ts | 24 ++++++++++++------- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts index c47cfcceae544..59ec043ea73be 100644 --- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts @@ -163,14 +163,14 @@ describe('Events Details Helpers', () => { }, { category: 'signal', - field: 'signal.status', + field: ALERT_STATUS, values: ['open'], originalValue: ['open'], isObjectArray: false, }, { category: 'signal', - field: 'signal.rule.name', + field: ALERT_RULE_NAME, values: ['Rawr'], originalValue: ['Rawr'], isObjectArray: false, diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx index 61d911c1295cd..6efbfe05ef141 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx @@ -25,7 +25,7 @@ import { ALERT_RULE_VERSION, ALERT_STATUS, } from '@kbn/rule-data-utils'; -import { includes, isEmpty } from 'lodash/fp'; +import { isEmpty } from 'lodash/fp'; import { ALERT_ANCESTORS_DEPTH, ALERT_ANCESTORS_ID, 
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts index 97ee857778f79..57bbdf79f6adc 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts @@ -15,6 +15,7 @@ import { ALERT_RULE_VERSION, ALERT_RULE_SEVERITY, ALERT_RULE_RISK_SCORE, + ALERT_RULE_NOTE, } from '@kbn/rule-data-utils'; import { ALERT_GROUP_ID, @@ -26,6 +27,13 @@ import { ALERT_ORIGINAL_EVENT_KIND, ALERT_ORIGINAL_EVENT_MODULE, ALERT_THRESHOLD_RESULT, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_SAVED_ID, + ALERT_RULE_THRESHOLD, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_BUILDING_BLOCK_TYPE, } from '../../../../../../common/alert_constants'; // import { CTI_ROW_RENDERER_FIELDS } from '../../../../../../common/cti/constants'; @@ -193,14 +201,14 @@ export const TIMELINE_EVENTS_FIELDS = [ 'endgame.target_domain_name', 'endgame.target_logon_id', 'endgame.target_user_name', - 'signal.rule.saved_id', - 'signal.rule.timeline_id', - 'signal.rule.timeline_title', - 'signal.rule.output_index', - 'signal.rule.note', - 'signal.rule.threshold', - 'signal.rule.exceptions_list', - 'signal.rule.building_block_type', + ALERT_RULE_SAVED_ID, + ALERT_RULE_TIMELINE_ID, + ALERT_RULE_TIMELINE_TITLE, + ALERT_RULE_OUTPUT_INDEX, + ALERT_RULE_NOTE, + ALERT_RULE_THRESHOLD, + ALERT_RULE_EXCEPTIONS_LIST, + ALERT_RULE_BUILDING_BLOCK_TYPE, 'suricata.eve.proto', 'suricata.eve.flow_id', 'suricata.eve.alert.signature', From 3c3850a5ee39278cc9ab7de23c60c96fd81109c9 Mon Sep 17 00:00:00 2001 
From: Michael Olorunnisola Date: Fri, 6 Aug 2021 11:03:02 -0400 Subject: [PATCH 09/26] disable rule-registry in experimental features --- .../plugins/security_solution/common/experimental_features.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts index 3a8cdcbc94824..a474ae602fab2 100644 --- a/x-pack/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/plugins/security_solution/common/experimental_features.ts @@ -13,7 +13,7 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues; */ export const allowedExperimentalValues = Object.freeze({ metricsEntitiesEnabled: false, - ruleRegistryEnabled: true, + ruleRegistryEnabled: false, tGridEnabled: true, trustedAppsByPolicyEnabled: false, excludePoliciesInFilterEnabled: false, From ec9773a28003197f5392282198e6e03b4285ee3a Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Mon, 16 Aug 2021 22:07:41 -0400 Subject: [PATCH 10/26] alerts visible --- .../components/alerts_info/query.dsl.ts | 4 +- .../alerts_table/default_config.tsx | 5 +- .../timelines/common/alert_constants.ts | 7 + .../timelines/common/ecs/ecs_fields/index.ts | 41 +-- x-pack/plugins/timelines/common/ecs/index.ts | 2 + .../timelines/common/ecs/kibana/index.ts | 20 ++ .../cases/add_to_case_action.test.tsx | 6 +- .../components/t_grid/body/helpers.test.tsx | 2 +- .../public/components/t_grid/body/helpers.tsx | 80 +----- .../public/components/t_grid/helpers.tsx | 22 +- .../timeline/factory/events/all/constants.ts | 21 +- .../factory/events/all/helpers.test.ts | 246 +++++++++--------- 12 files changed, 180 insertions(+), 276 deletions(-) create mode 100644 x-pack/plugins/timelines/common/ecs/kibana/index.ts 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts index 9b01c1f854867..94d0107ff7463 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts @@ -5,12 +5,12 @@ * 2.0. */ -import { ALERT_RULE_ID, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_ID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; export const buildLastAlertsQuery = (ruleId: string | undefined | null) => { const queryFilter = [ { - bool: { should: [{ match: { [ALERT_STATUS]: 'open' } }], minimum_should_match: 1 }, + bool: { should: [{ match: { [ALERT_WORKFLOW_STATUS]: 'open' } }], minimum_should_match: 1 }, }, ]; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index e2314cf1438a0..21e8695ba85dd 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -18,6 +18,7 @@ import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_RULE_CATEGORY, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { defaultColumnHeaderType } from '../../../timelines/components/timeline/body/column_headers/default_headers'; import { ColumnHeaderOptions, RowRendererId } from '../../../../common/types/timeline'; @@ -45,14 +46,14 @@ export const buildAlertStatusFilter = (status: Status): Filter[] => [ negate: false, disabled: false, type: 'phrase', - key: ALERT_STATUS, + key: ALERT_WORKFLOW_STATUS, params: { query: status, }, }, query: { term: { - [ALERT_STATUS]: status, + [ALERT_WORKFLOW_STATUS]: status, }, }, }, 
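Review bot: The open/closed state is now addressed by two different constants across this series: `ALERT_WORKFLOW_STATUS` here in `buildLastAlertsQuery` and `buildAlertStatusFilter`, but still `ALERT_STATUS` in the timelines `allowSorting` allowlist, in `TIMELINE_EVENTS_FIELDS`, and in the `field_formatters.test.ts` fixture `[ALERT_STATUS]: 'open'`. If the two constants resolve to different fields in `@kbn/rule-data-utils`, as the rename here suggests, the table will request and sort on a field other than the one the status filter matches, and alerts the filter selects may render without the status value. A single shared constant for the user-facing workflow state, used by both plugins, would keep them aligned. `buildLastAlertsQuery` ends outside its hunk and `buildAlertStatusFilter` starts before its hunk.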
diff --git a/x-pack/plugins/timelines/common/alert_constants.ts b/x-pack/plugins/timelines/common/alert_constants.ts index 9323df388c749..3c6c1abc77f1c 100644 --- a/x-pack/plugins/timelines/common/alert_constants.ts +++ b/x-pack/plugins/timelines/common/alert_constants.ts @@ -7,6 +7,13 @@ import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; +// TODO: Replace the below located in: x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts + +// export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors`; +// export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth`; +// export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event`; +// export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time`; + /** * This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package */ diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts index 78a7833161793..72c4e2ecb049b 100644 --- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts @@ -24,6 +24,7 @@ import { ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, ALERT_RULE_NOTE, + ALERT_REASON, } from '@kbn/rule-data-utils'; import { ALERT_ORIGINAL_TIME, @@ -328,8 +329,9 @@ export const systemFieldsMap: Readonly> = { 'system.auth.ssh.method': 'system.auth.ssh.method', }; -export const signalFieldsMap: Readonly> = { +export const alertFieldsMap: Readonly> = { [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME, + [ALERT_REASON]: ALERT_REASON, [ALERT_RULE_ID]: ALERT_RULE_ID, [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, 
@@ -363,41 +365,6 @@ export const signalFieldsMap: Readonly> = { [ALERT_RULE_NOTE]: ALERT_RULE_NOTE, [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD, [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST, - 'signal.original_time': 'signal.original_time', - 'signal.reason': 'signal.reason', - 'signal.rule.id': 'signal.rule.id', - 'signal.rule.saved_id': 'signal.rule.saved_id', - 'signal.rule.timeline_id': 'signal.rule.timeline_id', - 'signal.rule.timeline_title': 'signal.rule.timeline_title', - 'signal.rule.output_index': 'signal.rule.output_index', - 'signal.rule.from': 'signal.rule.from', - 'signal.rule.index': 'signal.rule.index', - 'signal.rule.language': 'signal.rule.language', - 'signal.rule.query': 'signal.rule.query', - 'signal.rule.to': 'signal.rule.to', - 'signal.rule.filters': 'signal.rule.filters', - 'signal.rule.rule_id': 'signal.rule.rule_id', - 'signal.rule.false_positives': 'signal.rule.false_positives', - 'signal.rule.max_signals': 'signal.rule.max_signals', - 'signal.rule.risk_score': 'signal.rule.risk_score', - 'signal.rule.description': 'signal.rule.description', - 'signal.rule.name': 'signal.rule.name', - 'signal.rule.immutable': 'signal.rule.immutable', - 'signal.rule.references': 'signal.rule.references', - 'signal.rule.severity': 'signal.rule.severity', - 'signal.rule.tags': 'signal.rule.tags', - 'signal.rule.threat': 'signal.rule.threat', - 'signal.rule.type': 'signal.rule.type', - 'signal.rule.size': 'signal.rule.size', - 'signal.rule.enabled': 'signal.rule.enabled', - 'signal.rule.created_at': 'signal.rule.created_at', - 'signal.rule.updated_at': 'signal.rule.updated_at', - 'signal.rule.created_by': 'signal.rule.created_by', - 'signal.rule.updated_by': 'signal.rule.updated_by', - 'signal.rule.version': 'signal.rule.version', - 'signal.rule.note': 'signal.rule.note', - 'signal.rule.threshold': 'signal.rule.threshold', - 'signal.rule.exceptions_list': 'signal.rule.exceptions_list', }; export const ruleFieldsMap: Readonly> = { 
@@ -409,6 +376,7 @@ export const eventFieldsMap: Readonly> = {
 '@timestamp': '@timestamp',
 message: 'message',
 ...{ ...agentFieldsMap },
+ ...{ ...alertFieldsMap },
 ...{ ...auditdMap },
 ...{ ...destinationFieldsMap },
 ...{ ...dnsFieldsMap },
@@ -419,7 +387,6 @@ export const eventFieldsMap: Readonly> = {
 ...{ ...hostFieldsMap },
 ...{ ...networkFieldsMap },
 ...{ ...ruleFieldsMap },
- ...{ ...signalFieldsMap },
 ...{ ...sourceFieldsMap },
 ...{ ...suricataFieldsMap },
 ...{ ...systemFieldsMap },
diff --git a/x-pack/plugins/timelines/common/ecs/index.ts b/x-pack/plugins/timelines/common/ecs/index.ts
index 8054b3c8521db..427ed18a0c1ee 100644
--- a/x-pack/plugins/timelines/common/ecs/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/index.ts
@@ -14,6 +14,7 @@ import { EventEcs } from './event';
 import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
+import { KibanaEcs } from './kibana';
 import { NetworkEcs } from './network';
 import { RegistryEcs } from './registry';
 import { RuleEcs } from './rule';
@@ -42,6 +43,7 @@ export interface Ecs {
 event?: EventEcs;
 geo?: GeoEcs;
 host?: HostEcs;
+ kibana?: KibanaEcs;
 network?: NetworkEcs;
 registry?: RegistryEcs;
 rule?: RuleEcs;
diff --git a/x-pack/plugins/timelines/common/ecs/kibana/index.ts b/x-pack/plugins/timelines/common/ecs/kibana/index.ts
new file mode 100644
index 0000000000000..a582000631d24
--- /dev/null
+++ b/x-pack/plugins/timelines/common/ecs/kibana/index.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { RuleEcs } from '../rule';
+
+export interface KibanaEcs {
+ alert?: {
+ rule?: RuleEcs;
+ original_time?: string[];
+ status?: string[];
+ group?: {
+ id?: string[];
+ };
+ threshold_result?: unknown;
+ };
+}
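Review bot: The new `KibanaEcs` interface declares `alert.status` but nothing for `alert.reason`, even though this same commit adds ALERT_REASON to `alertFieldsMap` and to TIMELINE_EVENTS_FIELDS, so a consumer reading `event.kibana?.alert?.reason` through the `Ecs` type has no typed path. Later commits in this series also filter on ALERT_WORKFLOW_STATUS, which this interface cannot represent either. Consider adding `reason?: string[];` and `workflow_status?: string[];` beside `status`, and narrowing `threshold_result?: unknown` to the `string[]` shape the helpers.test.ts fixture later in the series serialises it as, if that is the only consumer (I cannot see other readers from here).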
diff --git a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
index 338d7d1809074..143712dadaf38 100644
--- a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
+++ b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
@@ -27,7 +27,7 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- signal: { rule: { id: ['rule-id'], name: ['rule-name'], false_positives: [] } },
+ kibana: { alert: { rule: { id: ['rule-id'], name: ['rule-name'], false_positives: [] } } },
 },
 },
 casePermissions: {
@@ -104,7 +104,7 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- signal: { rule: { id: ['rule-id'], false_positives: [] } },
+ kibana: { alert: { rule: { id: ['rule-id'], false_positives: [] } } },
 },
 }}
 />
@@ -116,7 +116,7 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- signal: { rule: { id: ['rule-id'], false_positives: [] } },
+ kibana: { alert: { rule: { id: ['rule-id'], false_positives: [] } } },
 },
 }}
 />
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx
index ca654dd969fc8..1f47805a9e937 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.test.tsx
@@ -401,7 +401,7 @@ describe('helpers', () => {
 const mockedSetCellProps = jest.fn();
 const ecs = {
 ...mockDnsEvent,
- ...{ signal: { rule: { building_block_type: ['default'] } } },
+ ...{ kibana: { alert: { rule: { building_block_type: ['default'] } } } },
 };
 addBuildingBlockStyle(ecs, THEME, mockedSetCellProps);
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index d7761a96ce022..fe6b3d9992348 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -6,6 +6,7 @@
 */
 import {
+ ALERT_REASON,
 ALERT_RULE_CREATED_BY,
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_ENABLED,
@@ -120,7 +121,7 @@ export const getEventIdToDataMapping = (
 }, {});
 export const isEventBuildingBlockType = (event: Ecs): boolean =>
- !isEmpty(event.signal?.rule?.building_block_type);
+ !isEmpty(event.kibana?.alert?.rule?.building_block_type);
 export const isEvenEqlSequence = (event: Ecs): boolean => {
 if (!isEmpty(event.eql?.sequenceNumber)) {
@@ -133,10 +134,10 @@ export const isEvenEqlSequence = (event: Ecs): boolean => {
 }
 return false;
 };
-/** Return eventType raw or signal or eql */
+/** Return eventType raw or kibana or eql */
 export const getEventType = (event: Ecs): Omit => {
- if (!isEmpty(event.signal?.rule?.id)) {
- return 'signal';
+ if (!isEmpty(event.kibana?.alert?.rule?.id)) {
+ return 'kibana';
 } else if (!isEmpty(event.eql?.parentId)) {
 return 'eql';
 }
@@ -211,6 +212,7 @@ export const allowSorting = ({
 ALERT_ORIGINAL_EVENT_TIMEZONE,
 ALERT_ORIGINAL_EVENT_TYPE,
 ALERT_ORIGINAL_TIME,
+ ALERT_REASON,
 ALERT_RULE_CREATED_BY,
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_ENABLED,
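Review bot: `getEventType` now returns the literal 'kibana' where it returned 'signal', but 'kibana' is a field-path prefix rather than an event type — the fixtures later in this series still carry `event.kind: ['signal']`, and every consumer that compares the result with 'signal' (row styling, the `EventType` union this `Omit<…>` is built from) has to change in step. Unless that union was widened elsewhere in the series, keep the value and move only the lookup: `if (!isEmpty(event.kibana?.alert?.rule?.id)) {` followed by `return 'signal';`, and leave the doc comment as `/** Return eventType raw or signal or eql */`. The return type's generic arguments are truncated in this view, so I cannot confirm the union's members.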
@@ -248,75 +250,7 @@ export const allowSorting = ({
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
 ALERT_STATUS,
- 'signal.ancestors.depth',
- 'signal.ancestors.id',
- 'signal.ancestors.rule',
- 'signal.ancestors.type',
- 'signal.original_event.action',
- 'signal.original_event.category',
- 'signal.original_event.code',
- 'signal.original_event.created',
- 'signal.original_event.dataset',
- 'signal.original_event.duration',
- 'signal.original_event.end',
- 'signal.original_event.hash',
- 'signal.original_event.id',
- 'signal.original_event.kind',
- 'signal.original_event.module',
- 'signal.original_event.original',
- 'signal.original_event.outcome',
- 'signal.original_event.provider',
- 'signal.original_event.risk_score',
- 'signal.original_event.risk_score_norm',
- 'signal.original_event.sequence',
- 'signal.original_event.severity',
- 'signal.original_event.start',
- 'signal.original_event.timezone',
- 'signal.original_event.type',
- 'signal.original_time',
- 'signal.parent.depth',
- 'signal.parent.id',
- 'signal.parent.index',
- 'signal.parent.rule',
- 'signal.parent.type',
- 'signal.reason',
- 'signal.rule.created_by',
- 'signal.rule.description',
- 'signal.rule.enabled',
- 'signal.rule.false_positives',
- 'signal.rule.filters',
- 'signal.rule.from',
- 'signal.rule.id',
- 'signal.rule.immutable',
- 'signal.rule.index',
- 'signal.rule.interval',
- 'signal.rule.language',
- 'signal.rule.max_signals',
- 'signal.rule.name',
- 'signal.rule.note',
- 'signal.rule.output_index',
- 'signal.rule.query',
- 'signal.rule.references',
- 'signal.rule.risk_score',
- 'signal.rule.rule_id',
- 'signal.rule.saved_id',
- 'signal.rule.severity',
- 'signal.rule.size',
- 'signal.rule.tags',
- 'signal.rule.threat',
- 'signal.rule.threat.tactic.id',
- 'signal.rule.threat.tactic.name',
- 'signal.rule.threat.tactic.reference',
- 'signal.rule.threat.technique.id',
- 'signal.rule.threat.technique.name',
- 'signal.rule.threat.technique.reference',
- 'signal.rule.timeline_id',
- 'signal.rule.timeline_title',
- 'signal.rule.to',
- 'signal.rule.type',
- 'signal.rule.updated_by',
- 'signal.rule.version',
- 'signal.status',
+ // @ts-expect-error
 ].includes(fieldName);
 return isAllowlistedNonBrowserField || isAggregatable;
diff --git a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
index 5fe766077a74c..512ba1f5af25f 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/helpers.tsx
@@ -9,7 +9,6 @@ import type { Filter, EsQueryConfig, Query } from '@kbn/es-query';
 import { FilterStateStore } from '@kbn/es-query';
 import { isEmpty, get } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
-import { ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import {
 elementOrChildrenHasFocus,
 getFocusedAriaColindexCell,
@@ -192,7 +191,7 @@ export const buildCombinedQuery = (combineQueriesParams: CombineQueries) => {
 const combinedQuery = combineQueries(combineQueriesParams);
 return combinedQuery
 ? {
- filterQuery: replaceStatusField(combinedQuery!.filterQuery),
+ filterQuery: combinedQuery!.filterQuery,
 }
 : null;
 };
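Review bot: The bare `// @ts-expect-error` added just before `].includes(fieldName)` suppresses a type error without saying what it is; presumably, once the plain string literals are gone the array is inferred as a union of the `as const` field-name literal types, so `includes(fieldName: string)` no longer type-checks. Widen the list instead of hiding the error, e.g. `] as readonly string[]).includes(fieldName);` with a matching `(` placed before the `[` that opens the list, and drop the directive. If it has to stay, give it a reason in the form `// @ts-expect-error <why>` so the next maintainer can tell when it is safe to remove. The `allowSorting` body begins before this hunk.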
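Review bot: In `buildCombinedQuery` the non-null assertion in `filterQuery: combinedQuery!.filterQuery,` is now redundant — the property access sits inside the `combinedQuery ? … : null` branch, where `combinedQuery` is already narrowed, so `filterQuery: combinedQuery.filterQuery,` reads the same without the `!`. Dropping it keeps the `!` count in this file to the places where the compiler genuinely cannot see the check.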
@@ -229,23 +228,12 @@ export const getCombinedFilterQuery = ({
 filters,
 ...combineQueriesParams
 }: CombineQueries & { from: string; to: string }): string => {
- return replaceStatusField(
- combineQueries({
- ...combineQueriesParams,
- filters: [...filters, buildTimeRangeFilter(from, to)],
- })!.filterQuery
- );
+ return combineQueries({
+ ...combineQueriesParams,
+ filters: [...filters, buildTimeRangeFilter(from, to)],
+ })!.filterQuery;
 };
-/**
- * This function is a temporary patch to prevent queries using old `signal.status` field.
- * @todo The `signal.status` field should not be queried anymore and
- * must be replaced by `ALERT_WORKFLOW_STATUS` field name constant
- * @deprecated
- */
-const replaceStatusField = (query: string): string =>
- query.replaceAll('signal.status', ALERT_WORKFLOW_STATUS);
-
 /**
 * The CSS class name of a "stateful event", which appears in both
 * the `Timeline` and the `Events Viewer` widget
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
index 0aa3c6d9bbe50..0b4ae86565d5c 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -16,6 +16,7 @@ import {
 ALERT_RULE_SEVERITY,
 ALERT_RULE_RISK_SCORE,
 ALERT_RULE_NOTE,
+ ALERT_REASON,
 } from '@kbn/rule-data-utils';
 import {
 ALERT_GROUP_ID,
@@ -75,6 +76,7 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_STATUS,
 ALERT_GROUP_ID,
 ALERT_ORIGINAL_TIME,
+ ALERT_REASON,
 ALERT_RULE_FILTERS,
 ALERT_RULE_FROM,
 ALERT_RULE_LANGUAGE,
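Review bot: Deleting `replaceStatusField` removes the only rewrite of `signal.status` to ALERT_WORKFLOW_STATUS, so any persisted query that still carries the legacy field name — saved timelines, timeline templates, URL state — now goes to Elasticsearch unchanged and silently matches nothing in the new alert index. Later commits in this series revert the prepackaged-timeline mocks to `signal.rule.description` column ids, which suggests shipped artifacts still use `signal.*` paths. Either keep the shim until those artifacts are migrated, or add a migration for stored filter state, and record the decision in a short comment on `getCombinedFilterQuery` so the removal is not mistaken for an oversight.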
@@ -90,25 +92,6 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_RULE_SEVERITY,
 ALERT_RULE_RISK_SCORE,
 ALERT_THRESHOLD_RESULT,
- 'signal.status',
- 'signal.group.id',
- 'signal.original_time',
- 'signal.reason',
- 'signal.rule.filters',
- 'signal.rule.from',
- 'signal.rule.language',
- 'signal.rule.query',
- 'signal.rule.name',
- 'signal.rule.to',
- 'signal.rule.id',
- 'signal.rule.index',
- 'signal.rule.type',
- 'signal.original_event.kind',
- 'signal.original_event.module',
- 'signal.rule.version',
- 'signal.rule.severity',
- 'signal.rule.risk_score',
- 'signal.threshold_result',
 'event.code',
 'event.module',
 'event.action',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
index 3521b8ff4d5ce..0955226519a8c 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
@@ -143,141 +143,143 @@ describe('#formatTimelineData', () => { }); }); - it('rule signal results', async () => { + it('rule alert results', async () => { const response: EventHit = { _index: '.siem-signals-patrykkopycinski-default-000007', _id: 'a77040f198355793c35bf22b900902371309be615381f0a2ec92c208b6132562', _score: 0, _source: { - signal: { - threshold_result: { - count: 10000, - value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - }, - parent: { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', - }, - depth: 1, - _meta: { - version: 14, - }, - rule: { - note: null, - throttle: null, - references: [], - severity_mapping: [], - description: 'asdasd', - created_at: '2021-01-09T11:25:45.046Z', - language: 'kuery', - threshold: { - field: '', - value: 200, - }, - building_block_type: null, - output_index: '.siem-signals-patrykkopycinski-default', - type: 'threshold', - rule_name_override: null, - enabled: true, - exceptions_list: [], - updated_at: '2021-01-09T13:36:39.204Z', - timestamp_override: null, - from: 'now-360s', - id: '696c24e0-526d-11eb-836c-e1620268b945', - timeline_id: null, - max_signals: 100, - severity: 'low', - risk_score: 21, - risk_score_mapping: [], - author: [], - query: '_id :*', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - ], - filters: [ - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: null, - disabled: false, - type: 'exists', - value: 'exists', - key: '_index', - }, - exists: { - field: '_index', - }, - }, - { - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: 'id_exists', - disabled: false, - type: 'exists', - value: 'exists', - key: '_id', - }, - exists: { - field: '_id', - }, - }, - ], - created_by: 'patryk_test_user', - version: 1, - saved_id: null, - 
tags: [], - rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', - license: '', - immutable: false, - timeline_title: null, - meta: { - from: '1m', - kibana_siem_app_url: 'http://localhost:5601/app/security', + kibana: { + alert: { + threshold_result: { + count: 10000, + value: '2a990c11-f61b-4c8e-b210-da2574e9f9db', }, - name: 'Threshold test', - updated_by: 'patryk_test_user', - interval: '5m', - false_positives: [], - to: 'now', - threat: [], - actions: [], - }, - original_time: '2021-01-09T13:39:32.595Z', - ancestors: [ - { + parent: { depth: 0, index: 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', id: '0268af90-d8da-576a-9747-2a191519416a', type: 'event', }, - ], - parents: [ - { - depth: 0, - index: - 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', - id: '0268af90-d8da-576a-9747-2a191519416a', - type: 'event', + depth: 1, + _meta: { + version: 14, }, - ], - status: 'open', + rule: { + note: null, + throttle: null, + references: [], + severity_mapping: [], + description: 'asdasd', + created_at: '2021-01-09T11:25:45.046Z', + language: 'kuery', + threshold: { + field: '', + value: 200, + }, + building_block_type: null, + output_index: '.siem-signals-patrykkopycinski-default', + type: 'threshold', + rule_name_override: null, + enabled: true, + exceptions_list: [], + updated_at: '2021-01-09T13:36:39.204Z', + timestamp_override: null, + from: 'now-360s', + id: '696c24e0-526d-11eb-836c-e1620268b945', + timeline_id: null, + max_signals: 100, + severity: 'low', + risk_score: 21, + risk_score_mapping: [], + author: [], + query: '_id :*', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + filters: [ + { + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: null, + disabled: false, + type: 'exists', + value: 'exists', + key: '_index', + }, + exists: 
{ + field: '_index', + }, + }, + { + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: 'id_exists', + disabled: false, + type: 'exists', + value: 'exists', + key: '_id', + }, + exists: { + field: '_id', + }, + }, + ], + created_by: 'patryk_test_user', + version: 1, + saved_id: null, + tags: [], + rule_id: '2a990c11-f61b-4c8e-b210-da2574e9f9db', + license: '', + immutable: false, + timeline_title: null, + meta: { + from: '1m', + kibana_siem_app_url: 'http://localhost:5601/app/security', + }, + name: 'Threshold test', + updated_by: 'patryk_test_user', + interval: '5m', + false_positives: [], + to: 'now', + threat: [], + actions: [], + }, + original_time: '2021-01-09T13:39:32.595Z', + ancestors: [ + { + depth: 0, + index: + 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', + id: '0268af90-d8da-576a-9747-2a191519416a', + type: 'event', + }, + ], + parents: [ + { + depth: 0, + index: + 'apm-*-transaction*,traces-apm*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,winlogbeat-*', + id: '0268af90-d8da-576a-9747-2a191519416a', + type: 'event', + }, + ], + status: 'open', + }, }, }, fields: { From 3050f823e8654c4e49cdf2c169b2f261144fcd5d Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 17 Aug 2021 01:02:42 -0400 Subject: [PATCH 11/26] fix jest tests --- .../common/utils/field_formatters.test.ts | 4 ++-- .../alerts_histogram_panel/index.test.tsx | 10 +++++----- .../components/alerts_table/default_config.tsx | 10 +++++----- .../containers/detection_engine/alerts/api.test.ts | 2 +- .../lib/timeline/__mocks__/create_timelines.ts | 4 +--- .../lib/timeline/__mocks__/import_timelines.ts | 13 ++++++------- .../install_prepackaged_timelines/helpers.test.ts | 3 +-- 7 files changed, 21 insertions(+), 25 deletions(-) 
diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
index b9e0d7639ef6c..ff839e983bbc8 100644
--- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts
@@ -162,14 +162,14 @@ describe('Events Details Helpers', () => {
 isObjectArray: false,
 },
 {
- category: 'signal',
+ category: 'kibana',
 field: ALERT_STATUS,
 values: ['open'],
 originalValue: ['open'],
 isObjectArray: false,
 },
 {
- category: 'signal',
+ category: 'kibana',
 field: ALERT_RULE_NAME,
 values: ['Rawr'],
 originalValue: ['Rawr'],
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
index 9fdf90a73f605..c3ea4586e233c 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/alerts_histogram_panel/index.test.tsx
@@ -9,7 +9,7 @@ import React from 'react';
 import { waitFor, act } from '@testing-library/react';
 import { mount } from 'enzyme';
-import { ALERT_RULE_NAME } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import { esQuery, Filter } from '../../../../../../../../src/plugins/data/public';
 import { TestProviders } from '../../../../common/mock';
 import { SecurityPageName } from '../../../../app/types';
@@ -197,7 +197,7 @@ describe('AlertsHistogramPanel', () => {
 meta: {
 alias: null,
 disabled: false,
- key: 'signal.status',
+ key: ALERT_WORKFLOW_STATUS,
 negate: false,
 params: {
 query: 'open',
@@ -206,7 +206,7 @@ describe('AlertsHistogramPanel', () => {
 },
 query: {
 term: {
- 'signal.status': 'open',
+ [ALERT_WORKFLOW_STATUS]: 'open',
 },
 },
 };
@@ -224,13 +224,13 @@ describe('AlertsHistogramPanel', () => {
 await waitFor(() => {
 expect(mockGetAlertsHistogramQuery.mock.calls[1]).toEqual([
- 'signal.rule.name',
+ ALERT_RULE_NAME,
 '2020-07-07T08:20:18.966Z',
 '2020-07-08T08:20:18.966Z',
 [
 {
 bool: {
- filter: [{ term: { 'signal.status': 'open' } }],
+ filter: [{ term: { [ALERT_WORKFLOW_STATUS]: 'open' } }],
 must: [],
 must_not: [],
 should: [],
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index 21e8695ba85dd..e4e16167d2053 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -108,7 +108,7 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean):
 alias: null,
 disabled: false,
 negate: false,
- key: 'signal.rule.threat_mapping',
+ key: 'signal.rule.threat_mapping', // TODO: These need to be updated
 type: 'exists',
 value: 'exists',
 },
@@ -158,14 +158,14 @@ export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] =>
 negate: false,
 disabled: false,
 type: 'phrase',
- key: ALERT_STATUS,
+ key: ALERT_WORKFLOW_STATUS,
 params: {
 query: status,
 },
 },
 query: {
 term: {
- [ALERT_STATUS]: status,
+ [ALERT_WORKFLOW_STATUS]: status,
 },
 },
 },
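Review bot: `buildThreatMatchFilter` still keys its exists filter on the legacy `signal.rule.threat_mapping` while this same commit moves the status and building-block filters to `kibana.alert.*` names, so once alerts are written under the new namespace the "show only threat indicator alerts" toggle presumably excludes everything; the `// TODO: These need to be updated` records the gap but ships it. Build the key from `ALERT_RULE_NAMESPACE` the way alert_constants.ts builds `ALERT_RULE_QUERY` (a template literal ending in `.threat_mapping`), ideally as a named constant, and apply the same name to this filter's `exists.field`, which lies outside the hunk. If the old index must keep working during the transition, say so in the TODO rather than leaving the reader to guess which namespace is live.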
@@ -183,11 +183,11 @@ export const buildShowBuildingBlockFilterRuleRegistry = (
 negate: true,
 disabled: false,
 type: 'exists',
- key: 'kibana.rule.building_block_type',
+ key: ALERT_RULE_BUILDING_BLOCK_TYPE,
 value: 'exists',
 },
 // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[]
- exists: { field: 'kibana.rule.building_block_type' },
+ exists: { field: ALERT_RULE_BUILDING_BLOCK_TYPE },
 },
 ];
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts
index d4c0498ccbe7a..8d50d062ecbe5 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/api.test.ts
@@ -43,7 +43,7 @@ describe('Detections Alerts API', () => {
 test('check parameter url, body', async () => {
 await fetchQueryAlerts({ query: mockAlertsQuery, signal: abortCtrl.signal });
 expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/signals/search', {
- body: `{"aggs":{"alertsByGrouping":{"terms":{"field":${ALERT_RULE_RISK_SCORE},"missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`,
+ body: `{"aggs":{"alertsByGrouping":{"terms":{"field":"${ALERT_RULE_RISK_SCORE}","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`,
 method: 'POST',
 signal: abortCtrl.signal,
 });
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
index cff1bd6c600d4..d03b445da26d0 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/create_timelines.ts
@@ -5,8 +5,6 @@
 * 2.0.
 */
-import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
-
 export const mockTemplate = {
 columns: [
 {
@@ -19,7 +17,7 @@ export const mockTemplate = {
 {
 columnHeaderType: 'not-filtered',
 indexes: null,
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 name: null,
 searchable: null,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
index a799feea049f2..d7098556c9c3a 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/__mocks__/import_timelines.ts
@@ -5,7 +5,6 @@
 * 2.0.
 */
-import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
 import { omit } from 'lodash/fp';
 import { TimelineId, TimelineType, TimelineStatus } from '../../../../common/types/timeline';
@@ -272,7 +271,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
@@ -388,7 +387,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
@@ -551,7 +550,7 @@ export const mockCheckTimelinesStatusBeforeInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
@@ -739,7 +738,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
@@ -907,7 +906,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
@@ -1090,7 +1089,7 @@ export const mockCheckTimelinesStatusAfterInstallResult = {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
diff --git a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
index 3bbcb863171ac..f30f80a4cf14c 100644
--- a/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/timeline/routes/prepackaged_timelines/install_prepackaged_timelines/helpers.test.ts
@@ -25,7 +25,6 @@ import * as lib from './helpers';
 import { importTimelines } from '../../timelines/import_timelines';
 import { buildFrameworkRequest } from '../../../utils/common';
 import { ImportTimelineResultSchema } from '../../../../../../common/types/timeline';
-import { ALERT_RULE_DESCRIPTION } from '@kbn/rule-data-utils';
 jest.mock('../../timelines/import_timelines');
@@ -106,7 +105,7 @@ describe('installPrepackagedTimelines', () => {
 indexes: null,
 name: null,
 columnHeaderType: 'not-filtered',
- id: ALERT_RULE_DESCRIPTION,
+ id: 'signal.rule.description',
 searchable: null,
 },
 {
From bfa882b63d5315064b16e7917040adb51a447bec Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 17 Aug 2021 01:47:27 -0400 Subject: [PATCH 12/26] fix types --- .../cypress/integration/detection_rules/override.spec.ts | 1 + x-pack/test/api_integration/apis/security_solution/utils.ts | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 9fb838acbccc1..5b14fe9579911 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import {
 getIndexPatterns,
diff --git a/x-pack/test/api_integration/apis/security_solution/utils.ts b/x-pack/test/api_integration/apis/security_solution/utils.ts
index 78b260ee32520..cce197441b5ca 100644
--- a/x-pack/test/api_integration/apis/security_solution/utils.ts
+++ b/x-pack/test/api_integration/apis/security_solution/utils.ts
@@ -4,7 +4,7 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import { JsonObject, JsonArray } from '@kbn/common-utils';
+import { JsonObject, JsonArray } from '@kbn/utility-types';
 import {
 ALERT_ORIGINAL_TIME,
 ALERT_RULE_INDEX,
From 251f9e477defb31b15036b12a0e796ada4e0e6b3 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 17 Aug 2021 16:25:37 -0400 Subject: [PATCH 13/26] fixed tests --- .../common/alert_constants.ts | 2 +- .../side_panel/event_details/index.tsx | 4 +- .../timelines/common/alert_constants.ts | 2 +- .../common/utils/field_formatters.test.ts | 4 +- .../fields_browser/field_items.test.tsx | 4 +- .../factory/events/all/helpers.test.ts | 146 +++++++++--------- 6 files changed, 82 insertions(+), 80 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/alert_constants.ts b/x-pack/plugins/security_solution/common/alert_constants.ts
index 9323df388c749..714abd12171c2 100644
--- a/x-pack/plugins/security_solution/common/alert_constants.ts
+++ b/x-pack/plugins/security_solution/common/alert_constants.ts
@@ -84,7 +84,7 @@ export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const;
 export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const;
 export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const;
 // TODO: Not supported in new RAC implementation. Can be removed
-export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.ouput_index` as const;
+export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.output_index` as const;
 export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const;
 // TODO: Could be depracated
 export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const;
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
index 1bbcf8d57939a..3442e40cdd9ac 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@@ -110,10 +110,10 @@ const EventDetailsPanelComponent: React.FC = ({
 }
 }, []);
- const isAlert = some({ category: 'signal', field: ALERT_RULE_ID }, detailsData);
+ const isAlert = some({ category: 'kibana', field: ALERT_RULE_ID }, detailsData);
 const ruleName = useMemo(
- () => getFieldValue({ category: 'signal', field: ALERT_RULE_NAME }, detailsData),
+ () => getFieldValue({ category: 'kibana', field: ALERT_RULE_NAME }, detailsData),
 [detailsData]
 );
diff --git a/x-pack/plugins/timelines/common/alert_constants.ts b/x-pack/plugins/timelines/common/alert_constants.ts
index 3c6c1abc77f1c..849f5eb27b904 100644
--- a/x-pack/plugins/timelines/common/alert_constants.ts
+++ b/x-pack/plugins/timelines/common/alert_constants.ts
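Review bot: The `ouput_index` → `output_index` fix has to be applied twice because alert_constants.ts is duplicated between security_solution/common and timelines/common (the identical hunk for the timelines copy follows this one, already at a different line offset), and a field-name typo that is fixed in one copy but not the other silently changes which index path each plugin queries. Consider keeping a single definition — for instance alongside the constants both files already import from @kbn/rule-data-utils — and re-exporting it from the other location, so the two plugins cannot drift. While here, the context line `// TODO: Could be depracated` carries its own typo (`deprecated`), worth fixing in the same pass.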
@@ -91,7 +91,7 @@ export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const;
 export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const;
 export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const;
 // TODO: Not supported in new RAC implementation. Can be removed
-export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.ouput_index` as const;
+export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.output_index` as const;
 export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const;
 // TODO: Could be depracated
 export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const;
diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
index 59ec043ea73be..25b711dd226ce 100644
--- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
@@ -162,14 +162,14 @@ describe('Events Details Helpers', () => {
 isObjectArray: false,
 },
 {
- category: 'signal',
+ category: 'kibana',
 field: ALERT_STATUS,
 values: ['open'],
 originalValue: ['open'],
 isObjectArray: false,
 },
 {
- category: 'signal',
+ category: 'kibana',
 field: ALERT_RULE_NAME,
 values: ['Rawr'],
 originalValue: ['Rawr'],
diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx
index 16e419ad439f4..ec1f43fdcc70c 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx
@@ -199,11 +199,11 @@ describe('field_items', () => { const mockSelectedCategoryId = 'signal'; const mockBrowserFieldsWithSignal = { ...mockBrowserFields, - signal: { + kibana: { fields: { [ALERT_RULE_NAME]: { aggregatable: true, - category: 'signal', + category: 'kibana', description: 'rule name', example: '', format: '', diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index 0955226519a8c..74c2b7ef90b42 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts 
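Review bot: `mockSelectedCategoryId` is still `'signal'` on the context line while the fabricated browser-fields key and its `category` become `'kibana'`, so the selected category no longer points at the fields this test creates. Whether the assertions further down still pass cannot be seen here (they are outside the hunk), but the fixture is internally inconsistent either way; change it to `const mockSelectedCategoryId = 'kibana';` so the test exercises the renamed category rather than an empty one.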
@@ -341,78 +341,80 @@ describe('#formatTimelineData', () => { event: { kind: ['signal'], }, - signal: { - original_time: ['2021-01-09T13:39:32.595Z'], - status: ['open'], - threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'], - rule: { - building_block_type: [], - exceptions_list: [], - from: ['now-360s'], - id: ['696c24e0-526d-11eb-836c-e1620268b945'], - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - ], - language: ['kuery'], - name: ['Threshold test'], - output_index: ['.siem-signals-patrykkopycinski-default'], - risk_score: ['21'], - query: ['_id :*'], - severity: ['low'], - to: ['now'], - type: ['threshold'], - version: ['1'], - timeline_id: [], - timeline_title: [], - saved_id: [], - note: [], - threshold: [ - JSON.stringify({ - field: '', - value: 200, - }), - ], - filters: [ - JSON.stringify({ - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: null, - disabled: false, - type: 'exists', - value: 'exists', - key: '_index', - }, - exists: { - field: '_index', - }, - }), - JSON.stringify({ - $state: { - store: 'appState', - }, - meta: { - negate: false, - alias: 'id_exists', - disabled: false, - type: 'exists', - value: 'exists', - key: '_id', - }, - exists: { - field: '_id', - }, - }), - ], + kibana: { + alert: { + original_time: ['2021-01-09T13:39:32.595Z'], + status: ['open'], + threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'], + rule: { + building_block_type: [], + exceptions_list: [], + from: ['now-360s'], + id: ['696c24e0-526d-11eb-836c-e1620268b945'], + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + ], + language: ['kuery'], + name: ['Threshold test'], + output_index: ['.siem-signals-patrykkopycinski-default'], + risk_score: ['21'], + query: ['_id :*'], + severity: 
['low'], + to: ['now'], + type: ['threshold'], + version: ['1'], + timeline_id: [], + timeline_title: [], + saved_id: [], + note: [], + threshold: [ + JSON.stringify({ + field: '', + value: 200, + }), + ], + filters: [ + JSON.stringify({ + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: null, + disabled: false, + type: 'exists', + value: 'exists', + key: '_index', + }, + exists: { + field: '_index', + }, + }), + JSON.stringify({ + $state: { + store: 'appState', + }, + meta: { + negate: false, + alias: 'id_exists', + disabled: false, + type: 'exists', + value: 'exists', + key: '_id', + }, + exists: { + field: '_id', + }, + }), + ], + }, }, }, }, From 90358f311f66593acd10a7a3ae60dd53a0f885f0 Mon Sep 17 00:00:00 2001 
From: Michael Olorunnisola Date: Thu, 19 Aug 2021 14:30:32 -0400 Subject: [PATCH 14/26] fix type errors --- .../common/alert_constants.ts | 106 ------------------ .../security_solution/common/constants.ts | 2 +- .../common/ecs/ecs_fields/index.ts | 6 +- .../components/drag_and_drop/helpers.ts | 15 ++- .../event_details/__mocks__/index.ts | 6 +- .../event_details/alert_summary_view.tsx | 8 +- .../components/event_details/reason.tsx | 10 +- .../components/exceptions/helpers.test.tsx | 2 +- .../common/components/exceptions/helpers.tsx | 2 +- .../common/components/hover_actions/utils.ts | 11 +- .../common/utils/endpoint_alert_check.test.ts | 6 +- .../common/utils/endpoint_alert_check.ts | 4 +- .../components/alerts_info/query.dsl.ts | 4 +- .../components/alerts_kpis/common/config.ts | 2 +- .../components/alerts_kpis/common/types.ts | 2 +- .../components/alerts_table/actions.test.tsx | 2 +- .../components/alerts_table/actions.tsx | 2 +- .../alerts_table/default_config.test.tsx | 6 +- .../alerts_table/default_config.tsx | 8 +- .../timeline_actions/alert_context_menu.tsx | 2 +- .../components/take_action_dropdown/index.tsx | 4 +- .../examples/security_solution_rac/columns.ts | 4 +- .../security_solution_detections/columns.ts | 4 +- .../rules/use_rule_with_fallback.tsx | 4 +- .../side_panel/event_details/footer.tsx | 6 +- .../side_panel/event_details/index.tsx | 4 +- .../components/host_tactics_table/columns.tsx | 2 +- .../rule_types/field_maps/alerts.ts | 2 +- .../find_previous_threshold_signals.ts | 2 +- .../host_tactics/query.host_tactics.dsl.ts | 2 +- .../constants.ts} | 100 ++++++++++++++++- .../plugins/timelines/common/alerts/index.ts | 8 ++ .../timelines/common/ecs/ecs_fields/index.ts | 6 +- x-pack/plugins/timelines/common/index.ts | 1 + x-pack/plugins/timelines/kibana.json | 2 +- .../components/drag_and_drop/helpers.ts | 4 +- .../public/components/t_grid/body/helpers.tsx | 15 ++- .../t_grid/event_rendered_view/index.tsx | 11 +- 
.../fields_browser/field_items.test.tsx | 6 +- .../timelines/public/container/index.tsx | 2 +- .../timeline/factory/events/all/constants.ts | 6 +- .../factory/events/all/helpers.test.ts | 6 +- .../server/search_strategy/timeline/index.ts | 1 + .../apis/security_solution/utils.ts | 2 +- 44 files changed, 203 insertions(+), 207 deletions(-) delete mode 100644 x-pack/plugins/security_solution/common/alert_constants.ts rename x-pack/plugins/timelines/common/{alert_constants.ts => alerts/constants.ts} (74%) create mode 100644 x-pack/plugins/timelines/common/alerts/index.ts diff --git a/x-pack/plugins/security_solution/common/alert_constants.ts b/x-pack/plugins/security_solution/common/alert_constants.ts deleted file mode 100644 index 714abd12171c2..0000000000000 --- a/x-pack/plugins/security_solution/common/alert_constants.ts +++ /dev/null 
@@ -1,106 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; - -/** - * This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package - */ - -// Cast to `as const` to preserve the exact string value when using as a type rather than a value -export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const; -export const ALERT_ANCESTORS_DEPTH = `${ALERT_ANCESTORS}.depth` as const; -export const ALERT_ANCESTORS_ID = `${ALERT_ANCESTORS}.id` as const; -export const ALERT_ANCESTORS_INDEX = `${ALERT_ANCESTORS}.index` as const; -export const ALERT_ANCESTORS_RULE = `${ALERT_ANCESTORS}.rule` as const; -export const ALERT_ANCESTORS_TYPE = `${ALERT_ANCESTORS}.type` as const; -export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth` as const; -export const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const; -export const ALERT_GROUP_ID = `${ALERT_GROUP}.id` as const; -export const ALERT_GROUP_INDEX = `${ALERT_GROUP}.index` as const; -export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const; -export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const; -export const ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS = `${ALERT_ORIGINAL_EVENT}.agent_id_status` as const; -export const ALERT_ORIGINAL_EVENT_CATEGORY = `${ALERT_ORIGINAL_EVENT}.category` as const; -export const ALERT_ORIGINAL_EVENT_CODE = `${ALERT_ORIGINAL_EVENT}.code` as const; -export const ALERT_ORIGINAL_EVENT_CREATED = `${ALERT_ORIGINAL_EVENT}.created` as const; -export const ALERT_ORIGINAL_EVENT_DATASET = `${ALERT_ORIGINAL_EVENT}.dataset` as const; -export const ALERT_ORIGINAL_EVENT_DURATION = `${ALERT_ORIGINAL_EVENT}.duration` as 
const; -export const ALERT_ORIGINAL_EVENT_END = `${ALERT_ORIGINAL_EVENT}.end` as const; -export const ALERT_ORIGINAL_EVENT_HASH = `${ALERT_ORIGINAL_EVENT}.hash` as const; -export const ALERT_ORIGINAL_EVENT_ID = `${ALERT_ORIGINAL_EVENT}.id` as const; -export const ALERT_ORIGINAL_EVENT_INGESTED = `${ALERT_ORIGINAL_EVENT}.ingested` as const; -export const ALERT_ORIGINAL_EVENT_KIND = `${ALERT_ORIGINAL_EVENT}.kind` as const; -export const ALERT_ORIGINAL_EVENT_MODULE = `${ALERT_ORIGINAL_EVENT}.module` as const; -export const ALERT_ORIGINAL_EVENT_ORIGINAL = `${ALERT_ORIGINAL_EVENT}.original` as const; -export const ALERT_ORIGINAL_EVENT_OUTCOME = `${ALERT_ORIGINAL_EVENT}.outcome` as const; -export const ALERT_ORIGINAL_EVENT_PROVIDER = `${ALERT_ORIGINAL_EVENT}.provider` as const; -export const ALERT_ORIGINAL_EVENT_REASON = `${ALERT_ORIGINAL_EVENT}.reason` as const; -export const ALERT_ORIGINAL_EVENT_REFERENCE = `${ALERT_ORIGINAL_EVENT}.reference` as const; -export const ALERT_ORIGINAL_EVENT_RISK_SCORE = `${ALERT_ORIGINAL_EVENT}.risk_score` as const; -export const ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM = `${ALERT_ORIGINAL_EVENT}.risk_score_norm` as const; -export const ALERT_ORIGINAL_EVENT_SEQUENCE = `${ALERT_ORIGINAL_EVENT}.sequence` as const; -export const ALERT_ORIGINAL_EVENT_SEVERITY = `${ALERT_ORIGINAL_EVENT}.severity` as const; -export const ALERT_ORIGINAL_EVENT_START = `${ALERT_ORIGINAL_EVENT}.start` as const; -export const ALERT_ORIGINAL_EVENT_TIMEZONE = `${ALERT_ORIGINAL_EVENT}.timezone` as const; -export const ALERT_ORIGINAL_EVENT_TYPE = `${ALERT_ORIGINAL_EVENT}.type` as const; -export const ALERT_ORIGINAL_EVENT_URL = `${ALERT_ORIGINAL_EVENT}.url` as const; -export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time` as const; -export const ALERT_THREAT = `${ALERT_NAMESPACE}.threat` as const; -export const ALERT_THREAT_FRAMEWORK = `${ALERT_THREAT}.framework` as const; -export const ALERT_THREAT_TACTIC = `${ALERT_THREAT}.tactic` as const; -export const 
ALERT_THREAT_TACTIC_ID = `${ALERT_THREAT_TACTIC}.id` as const; -export const ALERT_THREAT_TACTIC_NAME = `${ALERT_THREAT_TACTIC}.name` as const; -export const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_THREAT_TACTIC}.reference` as const; -export const ALERT_THREAT_TECHNIQUE = `${ALERT_THREAT}.technique` as const; -export const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE}.id` as const; -export const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE}.name` as const; -export const ALERT_THREAT_TECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE}.reference` as const; -export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE = `${ALERT_THREAT_TECHNIQUE}.subtechnique` as const; -export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.id` as const; -export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.name` as const; -export const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE = `${ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE}.reference` as const; -export const ALERT_THRESHOLD_RESULT = `${ALERT_NAMESPACE}.threshold_result` as const; -export const ALERT_THRESHOLD_RESULT_CARDINALITY = `${ALERT_THRESHOLD_RESULT}.cardinality` as const; -export const ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.field` as const; -export const ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE = `${ALERT_THRESHOLD_RESULT_CARDINALITY}.value` as const; -export const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT}.count` as const; -export const ALERT_THRESHOLD_RESULT_FROM = `${ALERT_THRESHOLD_RESULT}.from` as const; -export const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT}.terms` as const; -export const ALERT_THRESHOLD_RESULT_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT_TERMS}.field` as const; -export const ALERT_THRESHOLD_RESULT_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT_TERMS}.value` as const; -export const ALERT_RULE_BUILDING_BLOCK_TYPE = 
`${ALERT_RULE_NAMESPACE}.building_block_type` as const; -// TODO: not accounted for in the excel doc -export const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const; -export const ALERT_RULE_FALSE_POSITIVES = `${ALERT_RULE_NAMESPACE}.false_positives` as const; -// TODO: not accounted for in the excel doc -export const ALERT_RULE_FILTERS = `${ALERT_RULE_NAMESPACE}.filters` as const; -export const ALERT_RULE_IMMUTABLE = `${ALERT_RULE_NAMESPACE}.immutable` as const; -export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const; -export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const; -export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const; -// TODO: Not supported in new RAC implementation. Can be removed -export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.output_index` as const; -export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const; -// TODO: Could be depracated -export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const; -// TODO: not accounted for in the excel doc -export const ALERT_RULE_SIZE = `${ALERT_RULE_NAMESPACE}.size` as const; -// TODO: not accounted for in the excel doc -export const ALERT_RULE_THRESHOLD = `${ALERT_RULE_NAMESPACE}.threshold` as const; -export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as const; -export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const; -export const ALERT_RULE_THREAT = `${ALERT_RULE_NAMESPACE}.threat` as const; -export const ALERT_RULE_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT}.framework` as const; -export const ALERT_RULE_THREAT_TACTIC = `${ALERT_RULE_THREAT}.tactic` as const; -export const ALERT_RULE_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_TACTIC}.id` as const; -export const ALERT_RULE_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_TACTIC}.name` as const; -export const ALERT_RULE_THREAT_TACTIC_REFERENCE = 
`${ALERT_RULE_THREAT_TACTIC}.reference` as const; -export const ALERT_RULE_THREAT_TECHNIQUE = `${ALERT_RULE_THREAT}.technique` as const; -export const ALERT_RULE_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_TECHNIQUE}.id` as const; -export const ALERT_RULE_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_TECHNIQUE}.name` as const; -export const ALERT_RULE_THREAT_TECHNIQUE_REFERENCE = `${ALERT_RULE_THREAT_TECHNIQUE}.reference` as const; diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts index e1be1fc070ee7..0c488e8a3dec3 100644 --- a/x-pack/plugins/security_solution/common/constants.ts +++ b/x-pack/plugins/security_solution/common/constants.ts @@ -8,7 +8,7 @@ import type { TransformConfigSchema } from './transforms/types'; import { ENABLE_CASE_CONNECTOR } from '../../cases/common'; import { metadataTransformPattern } from './endpoint/constants'; -import { ALERT_RULE_THREAT_TACTIC_NAME } from './alert_constants'; +import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../timelines/common/alerts'; export const APP_ID = 'securitySolution'; export const SERVER_APP_ID = 'siem'; diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts index 270c02234a82c..ca90da517fb7c 100644 --- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts @@ -11,7 +11,7 @@ import { ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, @@ -42,7 +42,7 @@ import { ALERT_RULE_THRESHOLD, ALERT_RULE_TIMELINE_ID, ALERT_RULE_TIMELINE_TITLE, -} from '../../alert_constants'; +} from '../../../../timelines/common/alerts'; import { extendMap } from './extend_map'; export const auditdMap: Readonly> = { 
@@ -330,7 +330,7 @@ export const systemFieldsMap: Readonly> = { export const alertFieldsMap: Readonly> = { [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME, - [ALERT_RULE_ID]: ALERT_RULE_ID, + [ALERT_RULE_UUID]: ALERT_RULE_UUID, [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE, diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts index db581faafff60..0c049a6ab76e9 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts @@ -14,7 +14,7 @@ import { ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INTERVAL, ALERT_RULE_NAME, ALERT_RULE_NOTE, @@ -27,7 +27,7 @@ import { ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { BrowserField } from '../../containers/source'; import { dragAndDropActions } from '../../store/actions'; @@ -81,7 +81,7 @@ import { ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, ALERT_RULE_TIMELINE_ID, ALERT_RULE_TIMELINE_TITLE, -} from './../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; export { draggableIdPrefix, @@ -178,7 +178,7 @@ export const allowTopN = ({ ].includes(fieldType); // TODO: remove this explicit allowlist when the ECS documentation includes alerts - const isAllowlistedNonBrowserField = [ + const isAllowlistedNonBrowserField = ([ ALERT_ANCESTORS_DEPTH, ALERT_ANCESTORS_ID, ALERT_ANCESTORS_INDEX, @@ -212,7 +212,7 @@ export const allowTopN = ({ ALERT_RULE_FALSE_POSITIVES, ALERT_RULE_FILTERS, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_IMMUTABLE, ALERT_RULE_INDEX, ALERT_RULE_INTERVAL, 
@@ -242,9 +242,8 @@ export const allowTopN = ({ ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, - // @ts-expect-error fieldName does not need to match the string literals above - ].includes(fieldName); + ALERT_WORKFLOW_STATUS, + ] as string[]).includes(fieldName); return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType); }; diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index cf419a7f0142a..6d560d82655d8 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -11,7 +11,7 @@ import { ALERT_RULE_CREATED_BY, ALERT_RULE_DESCRIPTION, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INTERVAL, ALERT_RULE_LICENSE, ALERT_RULE_NAME, @@ -56,7 +56,7 @@ import { ALERT_RULE_OUTPUT_INDEX, ALERT_RULE_QUERY, ALERT_RULE_THREAT, -} from './../../../../../common/alert_constants'; +} from '../../../../../../timelines/common/alerts'; export const mockAlertDetailsData = [ { category: 'process', field: 'process.name', values: ['-'], originalValue: '-' }, @@ -403,7 +403,7 @@ export const mockAlertDetailsData = [ { category: 'signal', field: ALERT_STATUS, values: ['open'], originalValue: 'open' }, { category: 'signal', - field: ALERT_RULE_ID, + field: ALERT_RULE_UUID, values: ['b69d086c-325a-4f46-b17b-fb6d227006ba'], originalValue: 'b69d086c-325a-4f46-b17b-fb6d227006ba', }, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx index ce07cb4c873f3..2faac84cb182c 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx 
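Review bot: The mock detail items keep `category: 'signal'` while their `field` values are now the kibana-namespaced constants, and consumers in this same patch (`endpoint_alert_check.ts`) match on `category: 'kibana'` together with `ALERT_RULE_UUID`, so any test feeding `mockAlertDetailsData` to such a predicate will treat the alert as a plain event. Update the two shown entries to `{ category: 'kibana', field: ALERT_STATUS, values: ['open'], originalValue: 'open' }` and `category: 'kibana',` for the `ALERT_RULE_UUID` item; the rest of `mockAlertDetailsData` lies outside the hunk and presumably needs the same sweep.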
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx @@ -11,7 +11,7 @@ import React, { useMemo } from 'react'; import styled from 'styled-components'; import { - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_SEVERITY, @@ -50,7 +50,7 @@ import { ALERT_THRESHOLD_RESULT_COUNT, ALERT_THRESHOLD_RESULT_TERMS, ALERT_THRESHOLD_RESULT_CARDINALITY, -} from '../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; import { EventCode } from '../../../../common/ecs/event'; export const Indent = styled.div` @@ -75,7 +75,7 @@ const defaultDisplayFields: EventSummaryField[] = [ { id: '@timestamp', label: TIMESTAMP }, { id: ALERT_RULE_NAME, - linkField: ALERT_RULE_ID, + linkField: ALERT_RULE_UUID, label: ALERTS_HEADERS_RULE, }, { id: ALERT_RULE_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, @@ -318,7 +318,7 @@ const AlertSummaryViewComponent: React.FC<{ ]); const ruleId = useMemo(() => { - const item = data.find((d) => d.field === ALERT_RULE_ID); + const item = data.find((d) => d.field === ALERT_RULE_UUID); return Array.isArray(item?.originalValue) ? item?.originalValue[0] : item?.originalValue ?? null; diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx index aab0e86681783..ec6a729641976 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx 
@@ -9,6 +9,7 @@ import { EuiTextColor, EuiFlexItem, EuiSpacer, EuiHorizontalRule, EuiTitle } fro import React, { useMemo } from 'react'; import styled from 'styled-components'; +import { ALERT_REASON } from '@kbn/rule-data-utils'; import { getRuleDetailsUrl, useFormatUrl } from '../link_to'; import * as i18n from './translations'; import { TimelineEventsDetailsItem } from '../../../../common'; @@ -33,13 +34,12 @@ export const ReasonComponent: React.FC = ({ eventId, data }) => { const { navigateToApp } = useKibana().services.application; const { formatUrl } = useFormatUrl(SecurityPageName.rules); - const reason = useMemo( - () => getFieldValue({ category: 'signal', field: 'signal.reason' }, data), - [data] - ); + const reason = useMemo(() => getFieldValue({ category: 'kibana', field: ALERT_REASON }, data), [ + data, + ]); const ruleId = useMemo( - () => getFieldValue({ category: 'signal', field: 'signal.rule.id' }, data), + () => getFieldValue({ category: 'kibana', field: 'signal.rule.id' }, data), [data] ); diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx index 39e2a4d10527e..c780be736d37a 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx @@ -46,7 +46,7 @@ import { IndexPatternBase } from '@kbn/es-query'; import { ALERT_ORIGINAL_EVENT_KIND, ALERT_ORIGINAL_EVENT_MODULE, -} from '../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; jest.mock('uuid', () => ({ v4: jest.fn().mockReturnValue('123'), diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index d06b7e287ba97..1f1ad1fc1a6b4 100644 
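Review bot: The `ruleId` lookup still uses the literal `'signal.rule.id'` while its `category` was switched to `'kibana'`, so the lookup can never match a kibana-namespaced item and the rule-details link built from `getRuleDetailsUrl` will lack its id. The sibling `alert_summary_view.tsx` hunk in this patch resolves the same value with `ALERT_RULE_UUID`; do the same here, `() => getFieldValue({ category: 'kibana', field: ALERT_RULE_UUID }, data),` and widen the new import to `import { ALERT_REASON, ALERT_RULE_UUID } from '@kbn/rule-data-utils';`. The `ReasonComponent` body continues outside the hunk.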
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -44,7 +44,7 @@ import exceptionableLinuxFields from './exceptionable_linux_fields.json'; import exceptionableWindowsMacFields from './exceptionable_windows_mac_fields.json'; import exceptionableEndpointFields from './exceptionable_endpoint_fields.json'; import exceptionableEndpointEventFields from './exceptionable_endpoint_event_fields.json'; -import { ALERT_ORIGINAL_EVENT } from '../../../../common/alert_constants'; +import { ALERT_ORIGINAL_EVENT } from '../../../../../timelines/common/alerts'; export const filterIndexPatterns = ( patterns: IndexPatternBase, diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts index a3ecb125af8af..3f4f3988491ef 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts @@ -10,7 +10,7 @@ import { ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INTERVAL, ALERT_RULE_NAME, ALERT_RULE_NOTE, @@ -73,7 +73,7 @@ import { ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, ALERT_RULE_TIMELINE_ID, ALERT_RULE_TIMELINE_TITLE, -} from './../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; export const getAdditionalScreenReaderOnlyContext = ({ field, @@ -110,7 +110,7 @@ export const allowTopN = ({ ].includes(fieldType); // TODO: remove this explicit allowlist when the ECS documentation includes alerts - const isAllowlistedNonBrowserField = [ + const isAllowlistedNonBrowserField = ([ ALERT_ANCESTORS_DEPTH, ALERT_ANCESTORS_ID, ALERT_ANCESTORS_INDEX, 
@@ -144,7 +144,7 @@ export const allowTopN = ({ ALERT_RULE_FALSE_POSITIVES, ALERT_RULE_FILTERS, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_IMMUTABLE, ALERT_RULE_INDEX, ALERT_RULE_INTERVAL, @@ -175,8 +175,7 @@ export const allowTopN = ({ ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, ALERT_STATUS, - // @ts-expect-error fieldName does not need to match the string literals above - ].includes(fieldName); + ] as string[]).includes(fieldName); return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType); }; diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts index b234b08b1fba1..bea8b510ddbdb 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_ID } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import _ from 'lodash'; import { generateMockDetailItemData } from '../mock'; import { endpointAlertCheck } from './endpoint_alert_check'; @@ -22,7 +22,7 @@ describe('Endpoint Alert Check Utility', () => { mockDetailItemData.push( // Must be an Alert { - field: ALERT_RULE_ID, + field: ALERT_RULE_UUID, category: 'signal', originalValue: 'endpoint', values: ['endpoint'], @@ -43,7 +43,7 @@ describe('Endpoint Alert Check Utility', () => { }); it('should return false if it is not an Alert (ex. maybe an event)', () => { - _.remove(mockDetailItemData, { field: ALERT_RULE_ID }); + _.remove(mockDetailItemData, { field: ALERT_RULE_UUID }); expect(endpointAlertCheck({ data: mockDetailItemData })).toBeFalsy(); }); diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts index 86067c9b04ada..5f06fa31c62a8 100644 
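Review bot: This `allowTopN` allowlist keeps `ALERT_STATUS` while the identical allowlist in `drag_and_drop/helpers.ts` (earlier in this patch) was changed to `ALERT_WORKFLOW_STATUS`, so the two entry points now offer Top-N on different status fields. Either change this line to `ALERT_WORKFLOW_STATUS,` (and its import) to match, or, better, move the list into one exported `readonly string[]` constant that both files consume so the next rename cannot diverge again. The `as string[]` cast is an improvement over the removed `@ts-expect-error`, but a shared constant typed as `readonly string[]` would remove the cast altogether.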
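Review bot: The "Must be an Alert" fixture still pushes `category: 'signal'` alongside `ALERT_RULE_UUID`, but the implementation in the following hunk now requires `some({ category: 'kibana', field: ALERT_RULE_UUID }, data)`, so the positive `endpointAlertCheck` case will evaluate to false and the test asserting an endpoint alert will fail (or, if it passes, is no longer checking what its name says). Change the fixture to `category: 'kibana',`; the negative case that removes the item is unaffected.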
--- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_ID } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import { find, some } from 'lodash/fp'; import { TimelineEventsDetailsItem } from '../../../../timelines/common'; @@ -15,7 +15,7 @@ import { TimelineEventsDetailsItem } from '../../../../timelines/common'; * @param data */ export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => { - const isAlert = some({ category: 'signal', field: ALERT_RULE_ID }, data); + const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, data); if (!isAlert) { return false; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts index 94d0107ff7463..41a3af7e6bef7 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_info/query.dsl.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_ID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; export const buildLastAlertsQuery = (ruleId: string | undefined | null) => { const queryFilter = [ @@ -26,7 +26,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => { ...queryFilter, { bool: { - should: [{ match: { [ALERT_RULE_ID]: ruleId } }], + should: [{ match: { [ALERT_RULE_UUID]: ruleId } }], minimum_should_match: 1, }, }, 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts index a3fc98c9d446e..5e3ecda7ab181 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts @@ -12,7 +12,7 @@ import { ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; import type { AlertsStackByOption } from './types'; -import { ALERT_RULE_THREAT_TACTIC_NAME } from './../../../../../common/alert_constants'; +import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts'; export const alertsStackByOptions: AlertsStackByOption[] = [ { text: ALERT_RULE_RISK_SCORE, value: ALERT_RULE_RISK_SCORE }, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts index 9ca2fbf3744b2..0081bd1cf3f4d 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts @@ -11,7 +11,7 @@ import { ALERT_RULE_SEVERITY, ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; -import { ALERT_RULE_THREAT_TACTIC_NAME } from './../../../../../common/alert_constants'; +import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts'; export interface AlertsStackByOption { text: AlertsStackByField; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx index 22763d7e50960..10d0376ca3ac4 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx 
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx @@ -27,7 +27,7 @@ import { ISearchStart } from '../../../../../../../src/plugins/data/public'; import { dataPluginMock } from '../../../../../../../src/plugins/data/public/mocks'; import { getTimelineTemplate } from '../../../timelines/containers/api'; import { defaultHeaders } from '../../../timelines/components/timeline/body/column_headers/default_headers'; -import { ALERT_GROUP_ID } from '../../../../common/alert_constants'; +import { ALERT_GROUP_ID } from '../../../../../timelines/common/alerts'; jest.mock('../../../timelines/containers/api', () => ({ getTimelineTemplate: jest.fn(), diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx index 0b7db2e8a6547..8a90ae7dfb12e 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx @@ -54,7 +54,7 @@ import { ALERT_GROUP_ID, ALERT_ORIGINAL_TIME, ALERT_RULE_FILTERS, -} from '../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; export const getUpdateAlertsQuery = (eventIds: Readonly) => { return { diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx index 65527fec08725..4440c85a29b09 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx 
@@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_ID } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import { ExistsFilter, Filter } from '@kbn/es-query'; import { buildAlertsRuleIdFilter, buildThreatMatchFilter } from './default_config'; @@ -21,14 +21,14 @@ describe('alerts default_config', () => { negate: false, disabled: false, type: 'phrase', - key: ALERT_RULE_ID, + key: ALERT_RULE_UUID, params: { query: 'rule-id-1', }, }, query: { match_phrase: { - [ALERT_RULE_ID]: 'rule-id-1', + [ALERT_RULE_UUID]: 'rule-id-1', }, }, }; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index e3994dfee964e..74a5b0b9d0fcf 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -36,7 +36,7 @@ import { ALERT_RULE_INDEX, ALERT_RULE_LANGUAGE, ALERT_RULE_QUERY, -} from '../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; export const buildAlertStatusFilter = (status: Status): Filter[] => [ { @@ -67,14 +67,14 @@ export const buildAlertsRuleIdFilter = (ruleId: string | null): Filter[] => negate: false, disabled: false, type: 'phrase', - key: ALERT_RULE_ID, + key: ALERT_RULE_UUID, params: { query: ruleId, }, }, query: { match_phrase: { - [ALERT_RULE_ID]: ruleId, + [ALERT_RULE_UUID]: ruleId, }, }, }, @@ -135,7 +135,7 @@ export const requiredFieldsForActions = [ ALERT_RULE_QUERY, ALERT_RULE_NAME, ALERT_RULE_TO, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INDEX, ALERT_RULE_TYPE, ALERT_ORIGINAL_EVENT_KIND, 
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx index 422c01f4fa787..7edf9fd564d77 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx @@ -39,7 +39,7 @@ import { Status } from '../../../../../common/detection_engine/schemas/common/sc import { ALERT_ORIGINAL_EVENT_MODULE, ALERT_ORIGINAL_EVENT_KIND, -} from '../../../../../common/alert_constants'; +} from '../../../../../../timelines/common/alerts'; import { useInsertTimeline } from '../../../../cases/components/use_insert_timeline'; import { useGetUserCasesPermissions, useKibana } from '../../../../common/lib/kibana'; import { useInvestigateInResolverContextItem } from './investigate_in_resolver'; diff --git a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx index a01f9b8d24615..8b577b3604f2a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx 
@@ -9,7 +9,7 @@ import React, { useState, useCallback, useMemo } from 'react'; import { EuiContextMenu, EuiContextMenuPanel, EuiButton, EuiPopover } from '@elastic/eui'; import type { ExceptionListType } from '@kbn/securitysolution-io-ts-list-types'; -import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; import { TAKE_ACTION } from '../alerts_table/alerts_utility_bar/translations'; import { TimelineEventsDetailsItem, TimelineNonEcsData } from '../../../../common'; @@ -76,7 +76,7 @@ export const TakeActionDropdown = React.memo( const actionsData = useMemo( () => [ - { category: 'signal', field: ALERT_RULE_ID, name: 'ruleId' }, + { category: 'signal', field: ALERT_RULE_UUID, name: 'ruleId' }, { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' }, { category: 'signal', field: ALERT_STATUS, name: 'alertStatus' }, { category: 'event', field: 'event.kind', name: 'eventKind' }, diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts index 420543acc953e..9c1e09dc90562 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts @@ -8,7 +8,7 @@ import { EuiDataGridColumn } from '@elastic/eui'; import { ALERT_REASON, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_RULE_SEVERITY, } from '@kbn/rule-data-utils'; @@ -34,7 +34,7 @@ export const columns: Array< columnHeaderType: defaultColumnHeaderType, id: ALERT_RULE_NAME, displayAsText: i18n.ALERTS_HEADERS_RULE_NAME, - linkField: ALERT_RULE_ID, + linkField: ALERT_RULE_UUID, initialWidth: 212, }, { 
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts index c514f46ac3ad5..28158471f4622 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts @@ -7,7 +7,7 @@ import { EuiDataGridColumn } from '@elastic/eui'; import { - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_SEVERITY, @@ -41,7 +41,7 @@ export const columns: Array< displayAsText: i18n.ALERTS_HEADERS_RULE, id: ALERT_RULE_NAME, initialWidth: DEFAULT_COLUMN_MIN_WIDTH, - linkField: ALERT_RULE_ID, + linkField: ALERT_RULE_UUID, }, { columnHeaderType: defaultColumnHeaderType, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx index 7931da5d9f5e6..fcdde8c552a63 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx @@ -8,7 +8,7 @@ import { useCallback, useEffect, useMemo } from 'react'; import { isNotFoundError } from '@kbn/securitysolution-t-grid'; import { useAsync, withOptionalSignal } from '@kbn/securitysolution-hook-utils'; -import { ALERT_RULE_ID } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import { useAppToasts } from '../../../../common/hooks/use_app_toasts'; import { useQueryAlerts } from '../alerts/use_query'; import { fetchRuleById } from './api'; 
@@ -42,7 +42,7 @@ const useFetchRule = () => useAsync(fetchWithOptionslSignal); const buildLastAlertQuery = (ruleId: string) => ({ query: { bool: { - filter: [{ match: { [ALERT_RULE_ID]: ruleId } }], + filter: [{ match: { [ALERT_RULE_UUID]: ruleId } }], }, }, size: 1, diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx index 4d2d1eb21f6c9..f82272c38f294 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx @@ -8,7 +8,7 @@ import React, { useMemo } from 'react'; import { EuiFlyoutFooter, EuiFlexGroup, EuiFlexItem } from '@elastic/eui'; import { find, get } from 'lodash/fp'; -import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; import { TakeActionDropdown } from '../../../../detections/components/take_action_dropdown'; import type { TimelineEventsDetailsItem } from '../../../../../common'; import { useExceptionModal } from '../../../../detections/components/alerts_table/timeline_actions/use_add_exception_modal'; 
@@ -18,7 +18,7 @@ import { useEventFilterModal } from '../../../../detections/components/alerts_ta import { getFieldValue } from '../../../../detections/components/host_isolation/helpers'; import { Status } from '../../../../../common/detection_engine/schemas/common/schemas'; import { useFetchEcsAlertsData } from '../../../../detections/containers/detection_engine/alerts/use_fetch_ecs_alerts_data'; -import { ALERT_RULE_INDEX } from '../../../../../common/alert_constants'; +import { ALERT_RULE_INDEX } from '../../../../../../timelines/common/alerts'; import { Ecs } from '../../../../../common/ecs'; interface EventDetailsFooterProps { @@ -61,7 +61,7 @@ export const EventDetailsFooter = React.memo( const addExceptionModalWrapperData = useMemo( () => [ - { category: 'signal', field: ALERT_RULE_ID, name: 'ruleId' }, + { category: 'signal', field: ALERT_RULE_UUID, name: 'ruleId' }, { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' }, { category: 'signal', field: ALERT_STATUS, name: 'alertStatus' }, { category: '_id', field: '_id', name: 'eventId' }, diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index f9f40ce40769d..8d930046a1ceb 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx 
@@ -17,7 +17,7 @@ import { import React, { useState, useCallback, useMemo } from 'react'; import styled from 'styled-components'; import deepEqual from 'fast-deep-equal'; -import { ALERT_RULE_ID, ALERT_RULE_NAME, AlertConsumers } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_RULE_NAME, AlertConsumers } from '@kbn/rule-data-utils'; import { BrowserFields, DocValueFields } from '../../../../common/containers/source'; import { ExpandableEvent, ExpandableEventTitle } from './expandable_event'; import { useTimelineEventsDetails } from '../../../containers/details'; @@ -112,7 +112,7 @@ const EventDetailsPanelComponent: React.FC = ({ } }, []); - const isAlert = some({ category: 'kibana', field: ALERT_RULE_ID }, detailsData); + const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, detailsData); const ruleName = useMemo( () => getFieldValue({ category: 'kibana', field: ALERT_RULE_NAME }, detailsData), diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx index 3534e932ee7cc..10178389370f4 100644 --- a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx +++ b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx @@ -22,7 +22,7 @@ import { HostTacticsFields } from '../../../../common'; import { ALERT_RULE_THREAT_TACTIC_NAME, ALERT_RULE_THREAT_TECHNIQUE_NAME, -} from '../../../../common/alert_constants'; +} from '../../../../../timelines/common/alerts'; export const getHostTacticsColumns = (): HostTacticsColumns => [ { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts index 747f26ee8b01f..857121735a21a 100644 
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/alerts.ts @@ -68,7 +68,7 @@ import { ALERT_THRESHOLD_RESULT_TERMS, ALERT_THRESHOLD_RESULT_TERMS_FIELD, ALERT_THRESHOLD_RESULT_TERMS_VALUE, -} from './../../../../../common/alert_constants'; +} from './../../../../../../timelines/common/alerts'; export const alertsFieldMap: FieldMap = { [ALERT_ANCESTORS]: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts index 573bcddddd9d1..2d9d32cfdd510 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts @@ -6,7 +6,7 @@ */ import { TimestampOverrideOrUndefined } from '../../../../../common/detection_engine/schemas/common/schemas'; -import { ALERT_ORIGINAL_TIME } from '../../../../../common/alert_constants'; +import { ALERT_ORIGINAL_TIME } from '../../../../../../timelines/common/alerts'; import { AlertInstanceContext, AlertInstanceState, diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts index 4f57187f5bbee..270ac25780749 100644 --- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts +++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts 
@@ -10,7 +10,7 @@ import { isEmpty } from 'lodash/fp'; import { ALERT_RULE_THREAT_TACTIC_NAME, ALERT_RULE_THREAT_TECHNIQUE_NAME, -} from '../../../../../../common/alert_constants'; +} from '../../../../../../../timelines/common/alerts'; import { HostTacticsRequestOptions } from '../../../../../../common/search_strategy'; import { createQueryFilterClauses } from '../../../../../utils/build_query'; diff --git a/x-pack/plugins/timelines/common/alert_constants.ts b/x-pack/plugins/timelines/common/alerts/constants.ts similarity index 74% rename from x-pack/plugins/timelines/common/alert_constants.ts rename to x-pack/plugins/timelines/common/alerts/constants.ts index 849f5eb27b904..c5665d05854db 100644 --- a/x-pack/plugins/timelines/common/alert_constants.ts +++ b/x-pack/plugins/timelines/common/alerts/constants.ts @@ -5,7 +5,12 @@ * 2.0. */ -import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from '@kbn/rule-data-utils'; +import { + ALERT_NAMESPACE, + ALERT_RULE_NAMESPACE, + TechnicalRuleDataFieldName, +} from '@kbn/rule-data-utils'; +import { ValuesType } from 'utility-types'; // TODO: Replace the below located in: x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts 
@@ -111,3 +116,96 @@ export const ALERT_RULE_THREAT_TECHNIQUE = `${ALERT_RULE_THREAT}.technique` as c
 export const ALERT_RULE_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_TECHNIQUE}.id` as const;
 export const ALERT_RULE_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_TECHNIQUE}.name` as const;
 export const ALERT_RULE_THREAT_TECHNIQUE_REFERENCE = `${ALERT_RULE_THREAT_TECHNIQUE}.reference` as const;
+
+const securityFields = {
+ ALERT_ANCESTORS,
+ ALERT_ANCESTORS_DEPTH,
+ ALERT_ANCESTORS_ID,
+ ALERT_ANCESTORS_INDEX,
+ ALERT_ANCESTORS_RULE,
+ ALERT_ANCESTORS_TYPE,
+ ALERT_DEPTH,
+ ALERT_GROUP,
+ ALERT_GROUP_ID,
+ ALERT_GROUP_INDEX,
+ ALERT_ORIGINAL_EVENT,
+ ALERT_ORIGINAL_EVENT_ACTION,
+ ALERT_ORIGINAL_EVENT_AGENT_ID_STATUS,
+ ALERT_ORIGINAL_EVENT_CATEGORY,
+ ALERT_ORIGINAL_EVENT_CODE,
+ ALERT_ORIGINAL_EVENT_CREATED,
+ ALERT_ORIGINAL_EVENT_DATASET,
+ ALERT_ORIGINAL_EVENT_DURATION,
+ ALERT_ORIGINAL_EVENT_END,
+ ALERT_ORIGINAL_EVENT_HASH,
+ ALERT_ORIGINAL_EVENT_ID,
+ ALERT_ORIGINAL_EVENT_INGESTED,
+ ALERT_ORIGINAL_EVENT_KIND,
+ ALERT_ORIGINAL_EVENT_MODULE,
+ ALERT_ORIGINAL_EVENT_ORIGINAL,
+ ALERT_ORIGINAL_EVENT_OUTCOME,
+ ALERT_ORIGINAL_EVENT_PROVIDER,
+ ALERT_ORIGINAL_EVENT_REASON,
+ ALERT_ORIGINAL_EVENT_REFERENCE,
+ ALERT_ORIGINAL_EVENT_RISK_SCORE,
+ ALERT_ORIGINAL_EVENT_RISK_SCORE_NORM,
+ ALERT_ORIGINAL_EVENT_SEQUENCE,
+ ALERT_ORIGINAL_EVENT_SEVERITY,
+ ALERT_ORIGINAL_EVENT_START,
+ ALERT_ORIGINAL_EVENT_TIMEZONE,
+ ALERT_ORIGINAL_EVENT_TYPE,
+ ALERT_ORIGINAL_EVENT_URL,
+ ALERT_ORIGINAL_TIME,
+ ALERT_THREAT,
+ ALERT_THREAT_FRAMEWORK,
+ ALERT_THREAT_TACTIC,
+ ALERT_THREAT_TACTIC_ID,
+ ALERT_THREAT_TACTIC_NAME,
+ ALERT_THREAT_TACTIC_REFERENCE,
+ ALERT_THREAT_TECHNIQUE,
+ ALERT_THREAT_TECHNIQUE_ID,
+ ALERT_THREAT_TECHNIQUE_NAME,
+ ALERT_THREAT_TECHNIQUE_REFERENCE,
+ ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE,
+ ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
+ ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
+ ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+ ALERT_THRESHOLD_RESULT,
+ ALERT_THRESHOLD_RESULT_CARDINALITY,
+ ALERT_THRESHOLD_RESULT_CARDINALITY_FIELD,
+ ALERT_THRESHOLD_RESULT_CARDINALITY_VALUE,
+ ALERT_THRESHOLD_RESULT_COUNT,
+ ALERT_THRESHOLD_RESULT_FROM,
+ ALERT_THRESHOLD_RESULT_TERMS,
+ ALERT_THRESHOLD_RESULT_TERMS_FIELD,
+ ALERT_THRESHOLD_RESULT_TERMS_VALUE,
+ ALERT_RULE_BUILDING_BLOCK_TYPE,
+ ALERT_RULE_EXCEPTIONS_LIST,
+ ALERT_RULE_FALSE_POSITIVES,
+ ALERT_RULE_FILTERS,
+ ALERT_RULE_IMMUTABLE,
+ ALERT_RULE_INDEX,
+ ALERT_RULE_LANGUAGE,
+ ALERT_RULE_MAX_SIGNALS,
+ ALERT_RULE_OUTPUT_INDEX,
+ ALERT_RULE_QUERY,
+ ALERT_RULE_SAVED_ID,
+ ALERT_RULE_SIZE,
+ ALERT_RULE_THRESHOLD,
+ ALERT_RULE_TIMELINE_ID,
+ ALERT_RULE_TIMELINE_TITLE,
+ ALERT_RULE_THREAT,
+ ALERT_RULE_THREAT_FRAMEWORK,
+ ALERT_RULE_THREAT_TACTIC,
+ ALERT_RULE_THREAT_TACTIC_ID,
+ ALERT_RULE_THREAT_TACTIC_NAME,
+ ALERT_RULE_THREAT_TACTIC_REFERENCE,
+ ALERT_RULE_THREAT_TECHNIQUE,
+ ALERT_RULE_THREAT_TECHNIQUE_ID,
+ ALERT_RULE_THREAT_TECHNIQUE_NAME,
+ ALERT_RULE_THREAT_TECHNIQUE_REFERENCE,
+};
+
+export type SecurityAlertRuleDataFieldName =
+ | ValuesType
+ | TechnicalRuleDataFieldName;
diff --git a/x-pack/plugins/timelines/common/alerts/index.ts b/x-pack/plugins/timelines/common/alerts/index.ts
new file mode 100644
index 0000000000000..63661f0d5a996
--- /dev/null
+++ b/x-pack/plugins/timelines/common/alerts/index.ts
@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './constants';
diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
index 72c4e2ecb049b..19d2660aec3f4 100644
--- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
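Review bot: `securityFields` is an unexported object whose only visible purpose is to feed `ValuesType` for the new `SecurityAlertRuleDataFieldName` type, but nothing says so, and any constant exported above that is left out of this hand-maintained list silently drops out of the union with no compiler error. Add a TSDoc block on `SecurityAlertRuleDataFieldName` stating that it is the union of the security-specific field names declared in this module plus the shared `TechnicalRuleDataFieldName` values, and a comment on the object such as `// Only used to derive SecurityAlertRuleDataFieldName — keep in sync with the exported constants above.`. The `ValuesType` import from `utility-types` is new to this file; worth confirming the package is already a declared dependency of the timelines plugin rather than resolving through hoisting.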
@@ -6,7 +6,7 @@ */ import { - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_FROM, ALERT_RULE_TO, ALERT_RULE_RULE_ID, @@ -43,7 +43,7 @@ import { ALERT_RULE_SIZE, ALERT_RULE_THRESHOLD, ALERT_RULE_EXCEPTIONS_LIST, -} from '../../alert_constants'; +} from '../../alerts'; import { extendMap } from './extend_map'; export const auditdMap: Readonly> = { @@ -332,7 +332,7 @@ export const systemFieldsMap: Readonly> = { export const alertFieldsMap: Readonly> = { [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME, [ALERT_REASON]: ALERT_REASON, - [ALERT_RULE_ID]: ALERT_RULE_ID, + [ALERT_RULE_UUID]: ALERT_RULE_UUID, [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE, diff --git a/x-pack/plugins/timelines/common/index.ts b/x-pack/plugins/timelines/common/index.ts index 05174235c20db..242d167ee37da 100644 --- a/x-pack/plugins/timelines/common/index.ts +++ b/x-pack/plugins/timelines/common/index.ts @@ -8,6 +8,7 @@ export * from './types'; export * from './search_strategy'; export * from './utils/accessibility'; +export * from './alerts'; export const PLUGIN_ID = 'timelines'; export const PLUGIN_NAME = 'timelines'; diff --git a/x-pack/plugins/timelines/kibana.json b/x-pack/plugins/timelines/kibana.json index 0239dcdd8f166..2c9ca1cc4d266 100644 --- a/x-pack/plugins/timelines/kibana.json +++ b/x-pack/plugins/timelines/kibana.json @@ -7,7 +7,7 @@ "version": "1.0.0", "kibanaVersion": "kibana", "configPath": ["xpack", "timelines"], - "extraPublicDirs": ["common"], + "extraPublicDirs": ["common", "common/alerts"], "server": true, "ui": true, "requiredPlugins": ["alerting", "cases", "data", "dataEnhanced", "kibanaReact", "kibanaUtils"], diff --git a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts index cad8486fac7f3..41fd1bdb10a91 100644 --- a/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts 
+++ b/x-pack/plugins/timelines/public/components/drag_and_drop/helpers.ts @@ -10,7 +10,7 @@ import { KEYBOARD_DRAG_OFFSET, getFieldIdFromDraggable } from '@kbn/securitysolu import { Dispatch } from 'redux'; import { isString, keyBy } from 'lodash/fp'; -import { ALERT_RULE_ID, ALERT_RULE_NAME } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { stopPropagationAndPreventDefault, TimelineId } from '../../../common'; import type { BrowserField, BrowserFields, ColumnHeaderOptions } from '../../../common'; import { tGridActions } from '../../store/t_grid'; @@ -145,7 +145,7 @@ const getAllFieldsByName = ( keyBy('name', getAllBrowserFields(browserFields)); const linkFields: Record = { - [ALERT_RULE_NAME]: ALERT_RULE_ID, + [ALERT_RULE_NAME]: ALERT_RULE_NAME, 'event.module': 'rule.reference', }; diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx index fe6b3d9992348..3707091e126df 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx @@ -11,7 +11,7 @@ import { ALERT_RULE_DESCRIPTION, ALERT_RULE_ENABLED, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INTERVAL, ALERT_RULE_NAME, ALERT_RULE_NOTE, @@ -24,7 +24,7 @@ import { ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { isEmpty } from 'lodash/fp'; import { EuiDataGridCellValueElementProps } from '@elastic/eui'; @@ -75,7 +75,7 @@ import { ALERT_RULE_THREAT_TECHNIQUE_REFERENCE, ALERT_RULE_TIMELINE_ID, ALERT_RULE_TIMELINE_TITLE, -} from '../../../../common/alert_constants'; +} from '../../../../common/alerts'; import type { Ecs } from '../../../../common/ecs'; import type { 
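Review bot: `[ALERT_RULE_NAME]: ALERT_RULE_NAME,` in `linkFields` maps the rule-name field to itself as its link field, whereas the other entry in the same record (`'event.module': 'rule.reference'`) and the security_solution column definitions touched by this same patch (`linkField: ALERT_RULE_UUID` in security_solution_rac/columns.ts and security_solution_detections/columns.ts) point the rule name at a distinct identifier field. If this was meant to be the mechanical `ALERT_RULE_ID` → `ALERT_RULE_UUID` replacement applied everywhere else, the import and entry should read `import { ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';` and `[ALERT_RULE_NAME]: ALERT_RULE_UUID,`; if the self-mapping is deliberate, a one-line comment saying why would stop the next reader from "fixing" it. The code that consumes `linkFields` is outside the hunk, so I cannot confirm which field the link target is expected to be.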
@@ -184,7 +184,7 @@ export const allowSorting = ({ }): boolean => { const isAggregatable = browserField?.aggregatable ?? false; - const isAllowlistedNonBrowserField = [ + const isAllowlistedNonBrowserField = ([ ALERT_ANCESTORS_DEPTH, ALERT_ANCESTORS_ID, ALERT_ANCESTORS_INDEX, @@ -219,7 +219,7 @@ export const allowSorting = ({ ALERT_RULE_FALSE_POSITIVES, ALERT_RULE_FILTERS, ALERT_RULE_FROM, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_IMMUTABLE, ALERT_RULE_INDEX, ALERT_RULE_INTERVAL, @@ -249,9 +249,8 @@ export const allowSorting = ({ ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, - // @ts-expect-error - ].includes(fieldName); + ALERT_WORKFLOW_STATUS, + ] as string[]).includes(fieldName); return isAllowlistedNonBrowserField || isAggregatable; }; diff --git a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx index c52924d481aa0..ce761b1d4af67 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx @@ -15,10 +15,7 @@ import { EuiHorizontalRule, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { - /* ALERT_REASON, ALERT_RULE_ID, */ ALERT_RULE_NAME, - TIMESTAMP, -} from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_RULE_NAME, ALERT_RULE_UUID, TIMESTAMP } from '@kbn/rule-data-utils'; import { get } from 'lodash'; import moment from 'moment'; import React, { ComponentType, useCallback, useMemo } from 'react'; 
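Review bot: `] as string[]).includes(fieldName);` in `allowSorting` trades the removed `@ts-expect-error` for a type assertion and still rebuilds a roughly seventy-element array literal on every call. Hoisting the list to module scope as `const ALLOWLISTED_NON_BROWSER_FIELDS: ReadonlySet<string> = new Set([ /* existing list */ ]);` and replacing the expression with `const isAllowlistedNonBrowserField = ALLOWLISTED_NON_BROWSER_FIELDS.has(fieldName);` needs no assertion (the `ReadonlySet<string>` annotation widens the literal element types) and makes the lookup constant-time. `allowSorting`'s signature and the first part of the list are in the `@@ -184` and `@@ -219` hunks rather than this one.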
@@ -169,8 +166,8 @@ const EventRenderedViewComponent = ({ hideForMobile: false, // eslint-disable-next-line react/display-name render: (name: unknown, item: TimelineItem) => { - const ruleName = get(item, `ecs.signal.rule.name`); /* `ecs.${ALERT_RULE_NAME}`*/ - const ruleId = get(item, `ecs.signal.rule.id}`); /* `ecs.${ALERT_RULE_ID}`*/ + const ruleName = get(item, `ecs.${ALERT_RULE_NAME}`); + const ruleId = get(item, `ecs.${ALERT_RULE_UUID}`); return ; }, }, @@ -184,7 +181,7 @@ const EventRenderedViewComponent = ({ // eslint-disable-next-line react/display-name render: (name: unknown, item: TimelineItem) => { const ecsData = get(item, 'ecs'); - const reason = get(item, `ecs.signal.reason`); /* `ecs.${ALERT_REASON}`*/ + const reason = get(item, `ecs.${ALERT_REASON}`); const rowRenderersValid = rowRenderers.filter((rowRenderer) => rowRenderer.isInstance(ecsData) ); diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx index ec1f43fdcc70c..94ab8f292636c 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx @@ -18,7 +18,7 @@ import { getFieldColumns, getFieldItems } from './field_items'; import { FIELDS_PANE_WIDTH } from './helpers'; import { useMountAppended } from '../../../utils/use_mount_appended'; import { ColumnHeaderOptions } from '../../../../../common'; -import { ALERT_RULE_THREAT_TECHNIQUE_NAME } from '../../../../../common/alert_constants'; +import { ALERT_RULE_THREAT_TECHNIQUE_NAME } from '../../../../../common/alerts'; const selectedCategoryId = 'base'; const selectedCategoryFields = mockBrowserFields[selectedCategoryId].fields; 
@@ -195,8 +195,8 @@ describe('field_items', () => { }); }); - test('it returns the expected signal column settings', async () => { - const mockSelectedCategoryId = 'signal'; + test('it returns the expected kibana column settings', async () => { + const mockSelectedCategoryId = 'kibana'; const mockBrowserFieldsWithSignal = { ...mockBrowserFields, kibana: { diff --git a/x-pack/plugins/timelines/public/container/index.tsx b/x-pack/plugins/timelines/public/container/index.tsx index 81578a001f6a4..1f9fcb8ee98b5 100644 --- a/x-pack/plugins/timelines/public/container/index.tsx +++ b/x-pack/plugins/timelines/public/container/index.tsx @@ -192,7 +192,7 @@ export const useTimelineEvents = ({ if (request == null || skip) { return; } - + console.log('REQUEST: ', request); // eslint-disable-line const asyncSearch = async () => { prevTimelineRequest.current = request; abortCtrl.current = new AbortController(); diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts index 0b4ae86565d5c..6f750b5c35442 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts @@ -10,7 +10,7 @@ import { ALERT_RULE_FROM, ALERT_RULE_NAME, ALERT_RULE_TO, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_TYPE, ALERT_RULE_VERSION, ALERT_RULE_SEVERITY, @@ -35,7 +35,7 @@ import { ALERT_RULE_TIMELINE_ID, ALERT_RULE_TIMELINE_TITLE, ALERT_RULE_BUILDING_BLOCK_TYPE, -} from '../../../../../../common/alert_constants'; +} from '../../../../../../common/alerts'; // import { CTI_ROW_RENDERER_FIELDS } from '../../../../../../common/cti/constants'; 
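Review bot: `console.log('REQUEST: ', request); // eslint-disable-line` in `useTimelineEvents` writes the complete search request — which, judging by the surrounding code, carries the user's query, filters and index list — to the browser console whenever a request is issued, and the inline disable hides it from the lint rule that exists to catch exactly this; it reads as a leftover debug statement and should be deleted, restoring the blank line it replaced. The server-side `console.log('ERROR!!!:', err); // eslint-disable-line` added in x-pack/plugins/timelines/server/search_strategy/timeline/index.ts has the same problem and additionally bypasses the plugin's structured logging, so the error (including any request detail attached to it) lands on stdout unredacted and without context; drop it, or route it through the plugin logger if one is in scope there. `useTimelineEvents` begins and ends outside this hunk.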
@@ -83,7 +83,7 @@ export const TIMELINE_EVENTS_FIELDS = [ ALERT_RULE_QUERY, ALERT_RULE_NAME, ALERT_RULE_TO, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_INDEX, ALERT_RULE_TYPE, ALERT_ORIGINAL_EVENT_KIND, diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index 74c2b7ef90b42..87cc85f95bf63 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts @@ -8,7 +8,7 @@ import { ALERT_RULE_FROM, ALERT_RULE_TYPE, - ALERT_RULE_ID, + ALERT_RULE_UUID, ALERT_RULE_RISK_SCORE, ALERT_STATUS, ALERT_RULE_SEVERITY, @@ -23,7 +23,7 @@ import { ALERT_RULE_QUERY, ALERT_RULE_INDEX, ALERT_ORIGINAL_TIME, -} from '../../../../../../common/alert_constants'; +} from '../../../../../../common/alerts'; import { EventHit } from '../../../../../../common/search_strategy'; import { TIMELINE_EVENTS_FIELDS } from './constants'; import { buildObjectForFieldPath, formatTimelineData } from './helpers'; @@ -289,7 +289,7 @@ describe('#formatTimelineData', () => { '@timestamp': ['2021-01-09T13:41:40.517Z'], [ALERT_RULE_QUERY]: ['_id :*'], [ALERT_RULE_TYPE]: ['threshold'], - [ALERT_RULE_ID]: ['696c24e0-526d-11eb-836c-e1620268b945'], + [ALERT_RULE_UUID]: ['696c24e0-526d-11eb-836c-e1620268b945'], [ALERT_RULE_RISK_SCORE]: [21], [ALERT_STATUS]: ['open'], 'event.kind': ['signal'], diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts index bd70d989d97dd..ff1f059e3e728 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts 
@@ -179,6 +179,7 @@ const timelineAlertsSearchStrategy = ({ }), mergeMap((esSearchRes) => queryFactory.parse(requestWithAlertsIndices, esSearchRes)), catchError((err) => { + console.log('ERROR!!!:', err); // eslint-disable-line throw err; }) ); diff --git a/x-pack/test/api_integration/apis/security_solution/utils.ts b/x-pack/test/api_integration/apis/security_solution/utils.ts index cce197441b5ca..d7799cc592fb5 100644 --- a/x-pack/test/api_integration/apis/security_solution/utils.ts +++ b/x-pack/test/api_integration/apis/security_solution/utils.ts @@ -9,7 +9,7 @@ import { ALERT_ORIGINAL_TIME, ALERT_RULE_INDEX, ALERT_RULE_LANGUAGE, -} from './../../../../plugins/security_solution/common/alert_constants'; +} from './../../../../plugins/timelines/common/alerts'; export const getFilterValue = (hostName: string, from: string, to: string): JsonObject => ({ bool: { From a603a57e42ef913feb5648e42cb1d7519ff2601e Mon Sep 17 00:00:00 2001 
From: Michael Olorunnisola Date: Thu, 19 Aug 2021 15:18:24 -0400 Subject: [PATCH 15/26] additional signal changes --- x-pack/plugins/security_solution/common/ecs/index.ts | 2 +- .../common/utils/field_formatters.test.ts | 10 +++++----- .../common/components/event_details/__mocks__/index.ts | 4 ++-- .../public/common/components/event_details/reason.tsx | 6 +++--- .../table/use_action_cell_data_provider.ts | 4 ++-- .../exceptions/add_exception_modal/index.tsx | 4 ++-- .../public/common/components/hover_actions/utils.ts | 4 ++-- .../security_solution/public/common/translations.ts | 4 ++-- .../public/common/utils/endpoint_alert_check.ts | 2 +- .../components/alerts_table/default_config.tsx | 9 ++++----- .../detections/components/alerts_table/index.tsx | 4 ++-- .../examples/observablity_alerts/columns.ts | 4 ++-- .../observablity_alerts/render_cell_value.test.tsx | 4 ++-- .../security_solution_detections/columns.ts | 3 ++- x-pack/plugins/security_solution/public/plugin.tsx | 8 ++++---- .../components/side_panel/event_details/footer.tsx | 4 ++-- .../components/side_panel/event_details/index.tsx | 4 ++-- .../components/timeline/body/renderers/constants.tsx | 1 - .../timeline/body/renderers/formatted_field.tsx | 4 ++-- .../body/renderers/reason_column_renderer.test.tsx | 9 +++++---- .../timeline/body/renderers/reason_column_renderer.tsx | 4 ++-- .../notifications/build_signals_query.test.ts | 3 ++- .../notifications/build_signals_query.ts | 4 +++- .../t_grid/toolbar/fields_browser/field_items.test.tsx | 6 +++--- x-pack/plugins/timelines/public/container/index.tsx | 6 +++--- .../plugins/timelines/public/hooks/use_add_to_case.ts | 2 +- .../events/details/query.events_details.dsl.test.ts | 4 ++-- 27 files changed, 63 insertions(+), 60 deletions(-) diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts index eb07073b088df..4bcdeebd2fcb6 100644 --- a/x-pack/plugins/security_solution/common/ecs/index.ts 
+++ b/x-pack/plugins/security_solution/common/ecs/index.ts @@ -50,7 +50,7 @@ export interface Ecs { network?: NetworkEcs; registry?: RegistryEcs; rule?: RuleEcs; - signal?: SignalEcs; // TODO: Should remove? + signal?: SignalEcs; source?: SourceEcs; suricata?: SuricataEcs; tls?: TlsEcs; diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts index ff839e983bbc8..81e26a901f38d 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts @@ -6,7 +6,7 @@ */ import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid'; -import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { EventHit, EventSource } from '../search_strategy'; import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters'; @@ -136,7 +136,7 @@ describe('Events Details Helpers', () => { it('#getDataFromSourceHits', () => { const _source: EventSource = { '@timestamp': '2021-02-24T00:41:06.527Z', - [ALERT_STATUS]: 'open', + [ALERT_WORKFLOW_STATUS]: 'open', [ALERT_RULE_NAME]: 'Rawr', 'threat.indicator': [ { @@ -162,14 +162,14 @@ describe('Events Details Helpers', () => { isObjectArray: false, }, { - category: 'kibana', - field: ALERT_STATUS, + category: 'signal', + field: ALERT_WORKFLOW_STATUS, values: ['open'], originalValue: ['open'], isObjectArray: false, }, { - category: 'kibana', + category: 'signal', field: ALERT_RULE_NAME, values: ['Rawr'], originalValue: ['Rawr'], diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index 6d560d82655d8..c39d526de193a 100644 
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -27,7 +27,7 @@ import { ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { ALERT_ANCESTORS, @@ -400,7 +400,7 @@ export const mockAlertDetailsData = [ }, ], }, - { category: 'signal', field: ALERT_STATUS, values: ['open'], originalValue: 'open' }, + { category: 'signal', field: ALERT_WORKFLOW_STATUS, values: ['open'], originalValue: 'open' }, { category: 'signal', field: ALERT_RULE_UUID, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx index ec6a729641976..0691ddd1ab873 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx @@ -9,7 +9,7 @@ import { EuiTextColor, EuiFlexItem, EuiSpacer, EuiHorizontalRule, EuiTitle } fro import React, { useMemo } from 'react'; import styled from 'styled-components'; -import { ALERT_REASON } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import { getRuleDetailsUrl, useFormatUrl } from '../link_to'; import * as i18n from './translations'; import { TimelineEventsDetailsItem } from '../../../../common'; 
@@ -34,12 +34,12 @@ export const ReasonComponent: React.FC = ({ eventId, data }) => { const { navigateToApp } = useKibana().services.application; const { formatUrl } = useFormatUrl(SecurityPageName.rules); - const reason = useMemo(() => getFieldValue({ category: 'kibana', field: ALERT_REASON }, data), [ + const reason = useMemo(() => getFieldValue({ category: 'signal', field: ALERT_REASON }, data), [ data, ]); const ruleId = useMemo( - () => getFieldValue({ category: 'kibana', field: 'signal.rule.id' }, data), + () => getFieldValue({ category: 'signal', field: ALERT_RULE_UUID }, data), [data] ); diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts b/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts index 558c436bc69c8..705641b8fd6ec 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts @@ -10,7 +10,7 @@ import { escapeDataProviderId } from '@kbn/securitysolution-t-grid'; import { isArray, isEmpty, isString } from 'lodash/fp'; import { useMemo } from 'react'; -import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { AGENT_STATUS_FIELD_NAME, EVENT_MODULE_FIELD_NAME, 
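Review bot: The category passed to getFieldValue for ALERT_REASON and ALERT_RULE_UUID in ReasonComponent is switched from 'kibana' to 'signal', while the field constants themselves now resolve to kibana.alert.* names (the snapshot updates in patch 16 show kibana.alert.workflow_status and kibana.alert.rule.name for these constants), so category and field no longer come from the same namespace; if the details items are categorised by the field's first path segment this lookup returns undefined and the rule link is lost. endpointAlertCheck in public/common/utils/endpoint_alert_check.ts and EventDetailsPanelComponent in side_panel/event_details/index.tsx make the same 'kibana' → 'signal' change, and there a miss is worse because `isAlert` silently becomes false and the alert-specific handling is skipped. Patch 16 later flips field_formatters.test.ts back to `category: 'kibana'` for the same fields, which suggests 'signal' is the wrong side of this. Suggest `getFieldValue({ category: 'kibana', field: ALERT_REASON }, data)` and `getFieldValue({ category: 'kibana', field: ALERT_RULE_UUID }, data)`, or a comment explaining why the category is deliberately 'signal' while the field is kibana.alert.*. ReasonComponent begins outside this hunk.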
@@ -115,7 +115,7 @@ export const useActionCellDataProvider = ({ id = `event-details-value-default-draggable-${appendedUniqueId}-${linkValue}`; } else if (field === EVENT_MODULE_FIELD_NAME) { id = `event-details-value-default-draggable-${appendedUniqueId}-${value}`; - } else if (field === ALERT_STATUS) { + } else if (field === ALERT_WORKFLOW_STATUS) { id = `alert-details-value-default-draggable-${appendedUniqueId}`; } else if (field === AGENT_STATUS_FIELD_NAME) { const valueToUse = typeof value === 'string' ? value : ''; diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx index 9d4626fba313f..72a0b999e6cee 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx @@ -171,8 +171,8 @@ export const AddExceptionModal = memo(function AddExceptionModal({ onConfirm(shouldCloseAlert, shouldBulkCloseAlert); if (conflicts > 0) { addWarning({ - title: i18nCommon.UPDATE_ALERT_STATUS_FAILED(conflicts), - text: i18nCommon.UPDATE_ALERT_STATUS_FAILED_DETAILED(updated, conflicts), + title: i18nCommon.UPDATE_ALERT_WORKFLOW_STATUS_FAILED(conflicts), + text: i18nCommon.UPDATE_ALERT_WORKFLOW_STATUS_FAILED_DETAILED(updated, conflicts), }); } }, diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts index 3f4f3988491ef..c552e36d7ada7 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/utils.ts 
@@ -23,7 +23,7 @@ import { ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { BrowserField } from '../../containers/source'; import { @@ -174,7 +174,7 @@ export const allowTopN = ({ ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, ] as string[]).includes(fieldName); return isAllowlistedNonBrowserField || (isAggregatable && isAllowedType); diff --git a/x-pack/plugins/security_solution/public/common/translations.ts b/x-pack/plugins/security_solution/public/common/translations.ts index 1eefd69d57eb7..066e19dfd69a3 100644 --- a/x-pack/plugins/security_solution/public/common/translations.ts +++ b/x-pack/plugins/security_solution/public/common/translations.ts @@ -63,14 +63,14 @@ export const EMPTY_ACTION_ENDPOINT_DESCRIPTION = i18n.translate( } ); -export const UPDATE_ALERT_STATUS_FAILED = (conflicts: number) => +export const UPDATE_ALERT_WORKFLOW_STATUS_FAILED = (conflicts: number) => i18n.translate('xpack.securitySolution.pages.common.updateAlertStatusFailed', { values: { conflicts }, defaultMessage: 'Failed to update { conflicts } {conflicts, plural, =1 {alert} other {alerts}}.', }); -export const UPDATE_ALERT_STATUS_FAILED_DETAILED = (updated: number, conflicts: number) => +export const UPDATE_ALERT_WORKFLOW_STATUS_FAILED_DETAILED = (updated: number, conflicts: number) => i18n.translate('xpack.securitySolution.pages.common.updateAlertStatusFailedDetailed', { values: { updated, conflicts }, defaultMessage: `{ updated } {updated, plural, =1 {alert was} other {alerts were}} updated successfully, but { conflicts } failed to update diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts index 5f06fa31c62a8..023839c3743e2 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts 
+++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts @@ -15,7 +15,7 @@ import { TimelineEventsDetailsItem } from '../../../../timelines/common'; * @param data */ export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => { - const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, data); + const isAlert = some({ category: 'signal', field: ALERT_RULE_UUID }, data); if (!isAlert) { return false; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index 74a5b0b9d0fcf..3abf2a6e0010a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -12,7 +12,6 @@ import { ALERT_RULE_TYPE, ALERT_RULE_PRODUCER, ALERT_START, - ALERT_STATUS, ALERT_UUID, ALERT_RULE_UUID, ALERT_RULE_NAME, @@ -107,12 +106,12 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean): alias: null, disabled: false, negate: false, - key: 'signal.rule.threat_mapping', // TODO: These need to be updated + key: 'signal.rule.threat_mapping', // TODO: This needs to be updated to kibana.alert? type: 'exists', value: 'exists', }, // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[] - exists: { field: 'signal.rule.threat_mapping' }, + exists: { field: 'signal.rule.threat_mapping' }, // TODO: This needs to be updated to kibana.alert? }, ] : []; @@ -126,7 +125,7 @@ export const alertsDefaultModel: SubsetTimelineModel = { export const requiredFieldsForActions = [ '@timestamp', - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, ALERT_GROUP_ID, ALERT_ORIGINAL_TIME, ALERT_RULE_BUILDING_BLOCK_TYPE, 
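Review bot: `ALERT_WORKFLOW_STATUS` is used in requiredFieldsForActions (and in requiredFieldMappingsForActionsRuleRegistry in the next hunk) of default_config.tsx, but the import hunk at the top of that file only removes ALERT_STATUS, and the diffstat for the file (4 additions, 5 deletions) is fully accounted for by the hunks shown, so unless ALERT_WORKFLOW_STATUS was already imported by an earlier patch this file will not compile. Separately, buildThreatMatchFilter still filters on the literal `'signal.rule.threat_mapping'` — this hunk only rewords its TODO — so the threat-indicator-only toggle will match nothing once the table reads documents indexed under kibana.alert.*; if the migration is intentionally deferred, the TODO should say which index this filter is expected to run against so the gap is not mistaken for "no threat-match alerts".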
@@ -197,7 +196,7 @@ export const requiredFieldMappingsForActionsRuleRegistry = { 'alert.start': ALERT_START, 'alert.uuid': ALERT_UUID, 'event.action': 'event.action', - 'alert.status': ALERT_STATUS, + 'alert.status': ALERT_WORKFLOW_STATUS, 'alert.duration.us': ALERT_DURATION, 'rule.uuid': ALERT_RULE_UUID, 'rule.name': ALERT_RULE_NAME, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx index fc3e1e7f2d69b..464b3a9ba816f 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx @@ -161,8 +161,8 @@ export const AlertsTableComponent: React.FC = ({ if (conflicts > 0) { // Partial failure addWarning({ - title: i18nCommon.UPDATE_ALERT_STATUS_FAILED(conflicts), - text: i18nCommon.UPDATE_ALERT_STATUS_FAILED_DETAILED(updated, conflicts), + title: i18nCommon.UPDATE_ALERT_WORKFLOW_STATUS_FAILED(conflicts), + text: i18nCommon.UPDATE_ALERT_WORKFLOW_STATUS_FAILED_DETAILED(updated, conflicts), }); } else { let title: string; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts index 32060df813dcb..9623100ac16c2 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts @@ -10,7 +10,7 @@ import { ALERT_DURATION, ALERT_REASON, ALERT_RULE_SEVERITY, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../../common'; 
@@ -29,7 +29,7 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.STATUS, - id: ALERT_STATUS, + id: ALERT_WORKFLOW_STATUS, initialWidth: 74, }, { diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx index a66e2b32758b6..8b3d22c90e01b 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx @@ -12,7 +12,7 @@ import { ALERT_DURATION, ALERT_REASON, ALERT_RULE_SEVERITY, - ALERT_STATUS, + ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; @@ -60,7 +60,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts index 28158471f4622..19fa98d8ed542 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts @@ -13,6 +13,7 @@ import { ALERT_RULE_SEVERITY, ALERT_RULE_TYPE, ALERT_RULE_VERSION, + ALERT_REASON, } from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../common'; 
@@ -70,7 +71,7 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_REASON, - id: 'signal.reason', + id: ALERT_REASON, initialWidth: 450, }, { diff --git a/x-pack/plugins/security_solution/public/plugin.tsx b/x-pack/plugins/security_solution/public/plugin.tsx index 4a951dfff45d7..25c5f0186cec1 100644 --- a/x-pack/plugins/security_solution/public/plugin.tsx +++ b/x-pack/plugins/security_solution/public/plugin.tsx @@ -352,7 +352,7 @@ export class Plugin implements IPlugin( (acc, curr) => ({ diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx index 8d930046a1ceb..6531cebfb58fe 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx @@ -112,10 +112,10 @@ const EventDetailsPanelComponent: React.FC = ({ } }, []); - const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, detailsData); + const isAlert = some({ category: 'signal', field: ALERT_RULE_UUID }, detailsData); const ruleName = useMemo( - () => getFieldValue({ category: 'kibana', field: ALERT_RULE_NAME }, detailsData), + () => getFieldValue({ category: 'signal', field: ALERT_RULE_NAME }, detailsData), [detailsData] ); diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx index ca5ab9e5b01a0..f2316010debf6 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/constants.tsx 
@@ -15,4 +15,3 @@ export const RULE_REFERENCE_FIELD_NAME = 'rule.reference'; export const REFERENCE_URL_FIELD_NAME = 'reference.url'; export const EVENT_URL_FIELD_NAME = 'event.url'; export const AGENT_STATUS_FIELD_NAME = 'agent.status'; -export const REASON_FIELD_NAME = 'signal.reason'; diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx index f27b3ef6a5e55..a7b209b071433 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/formatted_field.tsx @@ -11,7 +11,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiToolTip } from '@elastic/eui'; import { isNumber, isEmpty } from 'lodash/fp'; import React from 'react'; -import { ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { INDICATOR_REFERENCE } from '../../../../../../common/cti/constants'; import { DefaultDraggable } from '../../../../../common/components/draggables'; import { Bytes, BYTES_FORMAT } from './bytes'; @@ -156,7 +156,7 @@ const FormattedFieldValueComponent: React.FC<{ truncate, value, }); - } else if (fieldName === ALERT_STATUS) { + } else if (fieldName === ALERT_WORKFLOW_STATUS) { return ( { @@ -68,7 +69,7 @@ const rowRenderers: RowRenderer[] = [ const browserFields: BrowserFields = {}; const defaultProps = { - columnName: REASON_FIELD_NAME, + columnName: ALERT_REASON, eventId: 'test-event-id', field, timelineId: 'test-timeline-id', 
@@ -81,8 +82,8 @@ describe('reasonColumnRenderer', () => { }); describe('isIntance', () => { - it('returns true when columnName is `signal.reason`', () => { - expect(reasonColumnRenderer.isInstance(REASON_FIELD_NAME, [])).toBeTruthy(); + it(`returns true when columnName is ${ALERT_REASON}`, () => { + expect(reasonColumnRenderer.isInstance(ALERT_REASON, [])).toBeTruthy(); }); }); diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx index 0914c861d00ed..33ac64be5c299 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx @@ -6,6 +6,7 @@ */ import { EuiButtonEmpty, EuiPopover, EuiPopoverTitle } from '@elastic/eui'; +import { ALERT_REASON } from '@kbn/rule-data-utils'; import { isEqual } from 'lodash/fp'; import React, { useCallback, useMemo, useState } from 'react'; @@ -15,13 +16,12 @@ import { Ecs } from '../../../../../../common/ecs'; import { DefaultDraggable } from '../../../../../common/components/draggables'; import { eventRendererNames } from '../../../row_renderers_browser/catalog'; import { ColumnRenderer } from './column_renderer'; -import { REASON_FIELD_NAME } from './constants'; import { getRowRenderer } from './get_row_renderer'; import { plainColumnRenderer } from './plain_column_renderer'; import * as i18n from './translations'; export const reasonColumnRenderer: ColumnRenderer = { - isInstance: isEqual(REASON_FIELD_NAME), + isInstance: isEqual(ALERT_REASON), renderColumn: ({ columnName, 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts index 6feae924c6381..a1609327b7ff6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { ALERT_RULE_RULE_ID } from '@kbn/rule-data-utils'; import { buildSignalsSearchQuery } from './build_signals_query'; describe('buildSignalsSearchQuery', () => { @@ -31,7 +32,7 @@ describe('buildSignalsSearchQuery', () => { bool: { should: { match: { - 'signal.rule.rule_id': ruleId, + [ALERT_RULE_RULE_ID]: ruleId, }, }, minimum_should_match: 1, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts index ac9a6b73c71fd..6a9ba6837db8f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts @@ -5,6 +5,8 @@ * 2.0. */ +import { ALERT_RULE_RULE_ID } from '@kbn/rule-data-utils'; + interface BuildSignalsSearchQuery { ruleId: string; index: string; @@ -30,7 +32,7 @@ export const buildSignalsSearchQuery = ({ bool: { should: { match: { - 'signal.rule.rule_id': ruleId, + [ALERT_RULE_RULE_ID]: ruleId, }, }, minimum_should_match: 1, diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx index 94ab8f292636c..32d776ae12c46 100644 
--- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx @@ -197,7 +197,7 @@ describe('field_items', () => { test('it returns the expected kibana column settings', async () => { const mockSelectedCategoryId = 'kibana'; - const mockBrowserFieldsWithSignal = { + const mockBrowserFieldsWithAlert = { ...mockBrowserFields, kibana: { fields: { @@ -221,9 +221,9 @@ describe('field_items', () => { | null>(null); - const clearSignalsState = useCallback(() => { + const clearAlertsState = useCallback(() => { if (id != null && detectionsTimelineIds.some((timelineId) => timelineId === id)) { dispatch(tGridActions.clearEventsLoading({ id })); dispatch(tGridActions.clearEventsDeleted({ id })); @@ -149,10 +149,10 @@ export const useTimelineEvents = ({ const wrappedLoadPage = useCallback( (newActivePage: number) => { - clearSignalsState(); + clearAlertsState(); setActivePage(newActivePage); }, - [clearSignalsState] + [clearAlertsState] ); const refetchGrid = useCallback(() => { diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts index f5bb27b3a5614..b16b56cc811ff 100644 --- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts +++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts @@ -126,7 +126,7 @@ export const useAddToCase = ({ } }, [event]); const isSecurityAlert = useMemo(() => { - return !isEmpty(event?.ecs.signal?.rule?.id); + return !isEmpty(event?.ecs.kibana?.alert?.rule?.id); }, [event]); const isEventSupported = isSecurityAlert || isAlert; const userCanCrud = casePermissions?.crud ?? false; 
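Review bot: `event?.ecs.kibana?.alert?.rule?.id` in useAddToCase reads `rule.id`, but elsewhere in this series the legacy `signal.rule.id` is mapped to ALERT_RULE_UUID (reason.tsx replaces `field: 'signal.rule.id'` with `field: ALERT_RULE_UUID`), i.e. to the rule's uuid rather than an `id` property; if the Ecs kibana typing follows that same mapping, `isSecurityAlert` is false for every alert and the add-to-case action is gated off for exactly the events it is meant for. Suggest `return !isEmpty(event?.ecs.kibana?.alert?.rule?.uuid);` if that property exists on the Ecs type, or otherwise a comment stating which rule identifier the alert document carries under this path. The enclosing useAddToCase starts outside this hunk.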
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts index 3572a2b9c497e..ed4b1d82e7c13 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.test.ts @@ -9,7 +9,7 @@ import { buildTimelineDetailsQuery } from './query.events_details.dsl'; describe('buildTimelineDetailsQuery', () => { it('returns the expected query', () => { - const indexName = '.siem-signals-default'; + const indexName = '.alerts-security.alerts-default'; const eventId = 'f0a936d50b5b3a5a193d415459c14587fe633f7e519df7b5dc151d56142680e3'; const docValueFields = [ { field: '@timestamp' }, @@ -54,7 +54,7 @@ describe('buildTimelineDetailsQuery', () => { }, }, "ignoreUnavailable": true, - "index": ".siem-signals-default", + "index": ".alerts-security.alerts-default", "size": 1, } `); From 53a94397765a22ae038e6ab4ea72adde59d79bd3 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Thu, 19 Aug 2021 15:44:23 -0400 Subject: [PATCH 16/26] snapshot updates --- .../common/utils/field_formatters.test.ts | 4 ++-- .../alert_summary_view.test.tsx.snap | 24 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts index 81e26a901f38d..f72bab0440514 100644 --- a/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts +++ b/x-pack/plugins/security_solution/common/utils/field_formatters.test.ts 
@@ -162,14 +162,14 @@ describe('Events Details Helpers', () => { isObjectArray: false, }, { - category: 'signal', + category: 'kibana', field: ALERT_WORKFLOW_STATUS, values: ['open'], originalValue: ['open'], isObjectArray: false, }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_NAME, values: ['Rawr'], originalValue: ['Rawr'], diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap index b71121b995c08..0ce9518470973 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap @@ -157,7 +157,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.status. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.workflow_status. Press tab to navigate options. Press escape to exit.

@@ -289,7 +289,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.name. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.rule.name. Press tab to navigate options. Press escape to exit.

@@ -353,7 +353,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.severity. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.

@@ -417,7 +417,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field signal.rule.risk_score. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.

From e4b539740155cdace5f259bdcf8aaa4e1036f8a5 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Thu, 19 Aug 2021 16:17:22 -0400 Subject: [PATCH 17/26] revert some changes --- .../notifications/build_signals_query.test.ts | 3 +-- .../lib/detection_engine/notifications/build_signals_query.ts | 4 +--- .../signals/threshold/find_previous_threshold_signals.ts | 3 +-- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts index a1609327b7ff6..6feae924c6381 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.test.ts @@ -5,7 +5,6 @@ * 2.0. */ -import { ALERT_RULE_RULE_ID } from '@kbn/rule-data-utils'; import { buildSignalsSearchQuery } from './build_signals_query'; describe('buildSignalsSearchQuery', () => { @@ -32,7 +31,7 @@ describe('buildSignalsSearchQuery', () => { bool: { should: { match: { - [ALERT_RULE_RULE_ID]: ruleId, + 'signal.rule.rule_id': ruleId, }, }, minimum_should_match: 1, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts index 6a9ba6837db8f..ac9a6b73c71fd 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/notifications/build_signals_query.ts @@ -5,8 +5,6 @@ * 2.0. */ -import { ALERT_RULE_RULE_ID } from '@kbn/rule-data-utils'; - interface BuildSignalsSearchQuery { ruleId: string; index: string; 
@@ -32,7 +30,7 @@ export const buildSignalsSearchQuery = ({ bool: { should: { match: { - [ALERT_RULE_RULE_ID]: ruleId, + 'signal.rule.rule_id': ruleId, }, }, minimum_should_match: 1, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts index 2d9d32cfdd510..1a2bfbf3a962d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts @@ -6,7 +6,6 @@ */ import { TimestampOverrideOrUndefined } from '../../../../../common/detection_engine/schemas/common/schemas'; -import { ALERT_ORIGINAL_TIME } from '../../../../../../timelines/common/alerts'; import { AlertInstanceContext, AlertInstanceState, @@ -55,7 +54,7 @@ export const findPreviousThresholdSignals = async ({ // We might find a signal that was generated on the interval for old data... make sure to exclude those. { range: { - [ALERT_ORIGINAL_TIME]: { + 'signal.original_time': { gte: from, }, }, From 36de6551b200441dc25facc643b8aac4f72df422 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Mon, 23 Aug 2021 09:23:40 -0400 Subject: [PATCH 18/26] update tests --- .../examples/observablity_alerts/render_cell_value.test.tsx | 4 ++-- .../t_grid/toolbar/fields_browser/field_items.test.tsx | 5 ++--- .../timeline/factory/events/all/helpers.test.ts | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx index 8b3d22c90e01b..a66e2b32758b6 100644 
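Review bot: The revert to the literal `'signal.original_time'` in findPreviousThresholdSignals' range clause (and to `'signal.rule.rule_id'` in buildSignalsSearchQuery above it) leaves no record of why the server-side queries keep the legacy field names while the client-side filters elsewhere in this series move to `kibana.alert.*`. If the legacy name is not present in the index this query targets, the range filter never matches, the dedup intent stated in the comment just above it (`// We might find a signal that was generated on the interval for old data...`) silently fails, and threshold signals could be re-emitted. A one-line comment on the field would spare the next reader from re-deriving this, e.g. `// Intentionally the legacy signal.* name: this query runs against the .siem-signals index, not the alerts-as-data index`, adjusted to whatever actually motivated the "revert some changes" commit. The rest of findPreviousThresholdSignals lies outside the hunk.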
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx @@ -12,7 +12,7 @@ import { ALERT_DURATION, ALERT_REASON, ALERT_RULE_SEVERITY, - ALERT_WORKFLOW_STATUS, + ALERT_STATUS, } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; @@ -60,7 +60,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx index 32d776ae12c46..f7c870a8592a0 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/toolbar/fields_browser/field_items.test.tsx @@ -18,7 +18,6 @@ import { getFieldColumns, getFieldItems } from './field_items'; import { FIELDS_PANE_WIDTH } from './helpers'; import { useMountAppended } from '../../../utils/use_mount_appended'; import { ColumnHeaderOptions } from '../../../../../common'; -import { ALERT_RULE_THREAT_TECHNIQUE_NAME } from '../../../../../common/alerts'; const selectedCategoryId = 'base'; const selectedCategoryFields = mockBrowserFields[selectedCategoryId].fields; @@ -208,7 +207,7 @@ describe('field_items', () => { example: '', format: '', indexes: ['auditbeat', 'filebeat', 'packetbeat'], - name: ALERT_RULE_THREAT_TECHNIQUE_NAME, + name: ALERT_RULE_NAME, searchable: true, type: 'string', }, 
@@ -246,7 +245,7 @@ describe('field_items', () => { await waitFor(() => { expect(toggleColumn).toBeCalledWith({ columnHeaderType: 'not-filtered', - id: ALERT_RULE_THREAT_TECHNIQUE_NAME, + id: ALERT_RULE_NAME, initialWidth: 180, }); }); diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts index 87cc85f95bf63..11809d4c03cb5 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts @@ -350,7 +350,7 @@ describe('#formatTimelineData', () => { building_block_type: [], exceptions_list: [], from: ['now-360s'], - id: ['696c24e0-526d-11eb-836c-e1620268b945'], + uuid: ['696c24e0-526d-11eb-836c-e1620268b945'], index: [ 'apm-*-transaction*', 'traces-apm*', From b54b767502ed0cea6c3b36e794937627e958e5e3 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 24 Aug 2021 07:32:16 -0400 Subject: [PATCH 19/26] fix tests --- .../common/components/drag_and_drop/helpers.ts | 1 + .../hover_actions/use_hover_action_items.test.tsx | 5 +++-- .../components/alerts_table/default_config.test.tsx | 12 ++++++------ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts index 5a3d60caf5caa..e0920b9ce7c41 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts 
@@ -178,6 +178,7 @@ export const allowTopN = ({ 'numeric', 'string', ].includes(fieldType); + console.log('FIELDS: ', browserField, fieldName, hideTopN); // eslint-disable-line // TODO: remove this explicit allowlist when the ECS documentation includes alerts const isAllowlistedNonBrowserField = ([ diff --git a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx index 3a9217ce05c51..3b08dec78366b 100644 --- a/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/hover_actions/use_hover_action_items.test.tsx @@ -6,6 +6,7 @@ */ import { useRef } from 'react'; import { renderHook, act } from '@testing-library/react-hooks'; +import { ALERT_RULE_NAME } from '@kbn/rule-data-utils'; import { useHoverActionItems, UseHoverActionItemsProps } from './use_hover_action_items'; import { useDeepEqualSelector } from '../../hooks/use_selector'; import { DataProvider } from '../../../../common/types/timeline'; @@ -20,7 +21,7 @@ describe('useHoverActionItems', () => { const defaultProps: UseHoverActionItemsProps = ({ dataProvider: [{} as DataProvider], defaultFocusedButtonRef: null, - field: 'signal.rule.name', + field: ALERT_RULE_NAME, handleHoverActionClicked: jest.fn(), hideTopN: false, isObjectArray: false, @@ -96,7 +97,7 @@ describe('useHoverActionItems', () => { 'hover-actions-filter-out' ); expect(result.current.overflowActionItems[2].props['data-test-subj']).toEqual( - 'more-actions-signal.rule.name' + `more-actions-${ALERT_RULE_NAME}` ); expect(result.current.overflowActionItems[2].props.items[0].props['data-test-subj']).toEqual( 'hover-actions-toggle-column' 
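Review bot: The added `console.log('FIELDS: ', browserField, fieldName, hideTopN); // eslint-disable-line` in allowTopN is debug output committed to production code, with the lint rule that would have flagged it disabled on the same line. allowTopN is evaluated per hover-action field, so this dumps full browserField objects into the browser console on every render that reaches it. It should simply be deleted (the later "fixing update indices" patch in this series does remove it, so only the intermediate commit is affected); a breakpoint or a unit-test assertion is the right tool here. allowTopN's body continues beyond the hunk.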
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx index a51b3f8365f11..9831b92f2d412 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { ExistsFilter, Filter } from '@kbn/es-query'; import { buildAlertsRuleIdFilter, @@ -73,7 +73,7 @@ describe('alerts default_config', () => { meta: { alias: null, disabled: false, - key: 'signal.status', + key: ALERT_WORKFLOW_STATUS, negate: false, params: { query: 'acknowledged', @@ -85,12 +85,12 @@ describe('alerts default_config', () => { should: [ { term: { - 'signal.status': 'acknowledged', + [ALERT_WORKFLOW_STATUS]: 'acknowledged', }, }, { term: { - 'signal.status': 'in-progress', + [ALERT_WORKFLOW_STATUS]: 'in-progress', }, }, ], @@ -107,7 +107,7 @@ describe('alerts default_config', () => { meta: { alias: null, disabled: false, - key: 'signal.status', + key: ALERT_WORKFLOW_STATUS, negate: false, params: { query: 'open', @@ -116,7 +116,7 @@ describe('alerts default_config', () => { }, query: { term: { - 'signal.status': 'open', + [ALERT_WORKFLOW_STATUS]: 'open', }, }, }; From 12b7f179063b38a9a79493c7659a39fcfb9245c7 Mon Sep 17 00:00:00 2001 
From: Michael Olorunnisola Date: Tue, 24 Aug 2021 11:08:20 -0400 Subject: [PATCH 20/26] fixing update indices --- .../common/ecs/ecs_fields/index.ts | 2 - .../common/ecs/kibana/index.ts | 1 + .../common/ecs/rule/index.ts | 1 + .../components/drag_and_drop/helpers.ts | 3 - .../event_details/__mocks__/index.ts | 101 ++++++++---------- .../components/event_details/reason.tsx | 4 +- .../common/utils/endpoint_alert_check.test.ts | 2 +- .../common/utils/endpoint_alert_check.ts | 2 +- .../components/alerts_table/actions.test.tsx | 2 +- .../alerts_table/default_config.tsx | 6 +- .../timeline_actions/alert_context_menu.tsx | 4 +- .../components/take_action_dropdown/index.tsx | 8 +- .../security_solution_detections/columns.ts | 2 +- .../rules/use_rule_with_fallback.tsx | 14 ++- .../side_panel/event_details/footer.tsx | 8 +- .../side_panel/event_details/index.tsx | 4 +- .../timeline/body/actions/index.tsx | 4 +- .../components/timeline/body/helpers.tsx | 4 +- .../timelines/common/alerts/constants.ts | 11 +- .../timelines/common/ecs/ecs_fields/index.ts | 2 - .../timelines/common/ecs/kibana/index.ts | 1 + .../timelines/common/ecs/rule/index.ts | 1 + .../common/utils/field_formatters.test.ts | 6 +- .../cases/add_to_case_action.test.tsx | 8 +- .../public/components/t_grid/body/helpers.tsx | 6 +- .../timelines/public/container/index.tsx | 1 - .../timelines/public/hooks/use_add_to_case.ts | 2 +- .../timeline/factory/events/all/constants.ts | 6 +- .../factory/events/all/helpers.test.ts | 12 +-- .../server/search_strategy/timeline/index.ts | 1 - .../apis/security_solution/utils.ts | 43 +++++--- 31 files changed, 136 insertions(+), 136 deletions(-) diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts index ca90da517fb7c..61c8ed2d8b276 100644 --- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts 
@@ -34,7 +34,6 @@ import { ALERT_RULE_INDEX, ALERT_RULE_LANGUAGE, ALERT_RULE_MAX_SIGNALS, - ALERT_RULE_OUTPUT_INDEX, ALERT_RULE_QUERY, ALERT_RULE_SAVED_ID, ALERT_RULE_SIZE, @@ -334,7 +333,6 @@ export const alertFieldsMap: Readonly> = { [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID, [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID, [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE, - [ALERT_RULE_OUTPUT_INDEX]: ALERT_RULE_OUTPUT_INDEX, [ALERT_RULE_FROM]: ALERT_RULE_FROM, [ALERT_RULE_INDEX]: ALERT_RULE_INDEX, [ALERT_RULE_LANGUAGE]: ALERT_RULE_LANGUAGE, diff --git a/x-pack/plugins/security_solution/common/ecs/kibana/index.ts b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts index a582000631d24..5e36da400ccaf 100644 --- a/x-pack/plugins/security_solution/common/ecs/kibana/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts @@ -16,5 +16,6 @@ export interface KibanaEcs { id?: string[]; }; threshold_result?: unknown; + workflow_status?: string[]; }; } diff --git a/x-pack/plugins/security_solution/common/ecs/rule/index.ts b/x-pack/plugins/security_solution/common/ecs/rule/index.ts index ae7e5064a8ece..bb12596c765b4 100644 --- a/x-pack/plugins/security_solution/common/ecs/rule/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/rule/index.ts @@ -8,6 +8,7 @@ export interface RuleEcs { id?: string[]; rule_id?: string[]; + uuid?: string[]; name?: string[]; false_positives?: string[]; saved_id?: string[]; diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts index e0920b9ce7c41..e24bd7517ce45 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts 
@@ -68,7 +68,6 @@ import { ALERT_RULE_INDEX, ALERT_RULE_LANGUAGE, ALERT_RULE_MAX_SIGNALS, - ALERT_RULE_OUTPUT_INDEX, ALERT_RULE_QUERY, ALERT_RULE_SAVED_ID, ALERT_RULE_SIZE, @@ -178,7 +177,6 @@ export const allowTopN = ({ 'numeric', 'string', ].includes(fieldType); - console.log('FIELDS: ', browserField, fieldName, hideTopN); // eslint-disable-line // TODO: remove this explicit allowlist when the ECS documentation includes alerts const isAllowlistedNonBrowserField = ([ @@ -223,7 +221,6 @@ export const allowTopN = ({ ALERT_RULE_MAX_SIGNALS, ALERT_RULE_NAME, ALERT_RULE_NOTE, - ALERT_RULE_OUTPUT_INDEX, ALERT_RULE_QUERY, ALERT_RULE_REFERENCES, ALERT_RULE_RISK_SCORE, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index c39d526de193a..3e1e44c0b6d3f 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -53,7 +53,6 @@ import { ALERT_RULE_INDEX, ALERT_RULE_LANGUAGE, ALERT_RULE_MAX_SIGNALS, - ALERT_RULE_OUTPUT_INDEX, ALERT_RULE_QUERY, ALERT_RULE_THREAT, } from '../../../../../../timelines/common/alerts'; @@ -386,7 +385,7 @@ export const mockAlertDetailsData = [ }, { category: 'user', field: 'user.id', values: ['S-1-0-0'], originalValue: 'S-1-0-0' }, { - category: 'signal', + category: 'kibana', field: ALERT_ANCESTORS, values: [ '{"id":"688MAHYB7WTwW_Glsi_d","type":"event","index":"winlogbeat-7.10.0-2020.11.12-000001","depth":0}', 
@@ -400,22 +399,22 @@ export const mockAlertDetailsData = [ }, ], }, - { category: 'signal', field: ALERT_WORKFLOW_STATUS, values: ['open'], originalValue: 'open' }, + { category: 'kibana', field: ALERT_WORKFLOW_STATUS, values: ['open'], originalValue: 'open' }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_UUID, values: ['b69d086c-325a-4f46-b17b-fb6d227006ba'], originalValue: 'b69d086c-325a-4f46-b17b-fb6d227006ba', }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_RULE_ID, values: ['e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5'], originalValue: 'e7cd9a53-ac62-44b5-bdec-9c94d85bb1a5', }, { category: 'signal', field: 'signal.rule.actions', values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_AUTHOR, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_FALSE_POSITIVES, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_AUTHOR, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_FALSE_POSITIVES, values: [], originalValue: [] }, { category: 'signal', field: 'signal.rule.meta.from', values: ['1m'], originalValue: '1m' }, { category: 'signal', 
@@ -423,24 +422,18 @@ export const mockAlertDetailsData = [ values: ['http://localhost:5601/app/security'], originalValue: 'http://localhost:5601/app/security', }, - { category: 'signal', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 }, - { category: 'signal', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 }, - { category: 'signal', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 }, + { category: 'kibana', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 }, + { category: 'kibana', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' }, { - category: 'signal', - field: ALERT_RULE_OUTPUT_INDEX, - values: ['.siem-signals-angelachuang-default'], - originalValue: '.siem-signals-angelachuang-default', - }, - { category: 'signal', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' }, - { - category: 'signal', + category: 'kibana', field: ALERT_RULE_FROM, values: ['now-360s'], originalValue: 'now-360s', }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_INDEX, values: [ 'apm-*-transaction*', 
@@ -463,24 +456,24 @@ export const mockAlertDetailsData = [ 'winlogbeat-*', ], }, - { category: 'signal', field: ALERT_RULE_INTERVAL, values: ['5m'], originalValue: '5m' }, - { category: 'signal', field: ALERT_RULE_LANGUAGE, values: ['kuery'], originalValue: 'kuery' }, - { category: 'signal', field: ALERT_RULE_LICENSE, values: [''], originalValue: '' }, - { category: 'signal', field: ALERT_RULE_NAME, values: ['xxx'], originalValue: 'xxx' }, + { category: 'kibana', field: ALERT_RULE_INTERVAL, values: ['5m'], originalValue: '5m' }, + { category: 'kibana', field: ALERT_RULE_LANGUAGE, values: ['kuery'], originalValue: 'kuery' }, + { category: 'kibana', field: ALERT_RULE_LICENSE, values: [''], originalValue: '' }, + { category: 'kibana', field: ALERT_RULE_NAME, values: ['xxx'], originalValue: 'xxx' }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_QUERY, values: ['@timestamp : * '], originalValue: '@timestamp : * ', }, - { category: 'signal', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' }, - { category: 'signal', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_TAGS, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' }, - { category: 'signal', field: ALERT_RULE_TO, values: ['now'], originalValue: 'now' }, + { category: 'kibana', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' }, + { category: 'kibana', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_TAGS, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' }, + { category: 'kibana', field: ALERT_RULE_TO, values: ['now'], 
originalValue: 'now' }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_FILTERS, values: [ '{"meta":{"alias":null,"negate":false,"disabled":false,"type":"exists","key":"message","value":"exists"},"exists":{"field":"message"},"$state":{"store":"appState"}}', 
@@ -501,60 +494,60 @@ export const mockAlertDetailsData = [ ], }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_CREATED_BY, values: ['angela'], originalValue: 'angela', }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_UPDATED_BY, values: ['angela'], originalValue: 'angela', }, - { category: 'signal', field: ALERT_RULE_THREAT, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_RULE_VERSION, values: [2], originalValue: 2 }, + { category: 'kibana', field: ALERT_RULE_THREAT, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_RULE_VERSION, values: [2], originalValue: 2 }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_CREATED_AT, values: ['2020-11-24T10:30:33.660Z'], originalValue: '2020-11-24T10:30:33.660Z', }, { - category: 'signal', + category: 'kibana', field: ALERT_RULE_UPDATED_AT, values: ['2020-11-25T15:37:40.939Z'], originalValue: '2020-11-25T15:37:40.939Z', }, - { category: 'signal', field: ALERT_RULE_EXCEPTIONS_LIST, values: [], originalValue: [] }, - { category: 'signal', field: ALERT_DEPTH, values: [1], originalValue: 1 }, + { category: 'kibana', field: ALERT_RULE_EXCEPTIONS_LIST, values: [], originalValue: [] }, + { category: 'kibana', field: ALERT_DEPTH, values: [1], originalValue: 1 }, { - category: 'signal', + category: 'kibana', field: ALERT_ANCESTORS_ID, values: ['688MAHYB7WTwW_Glsi_d'], originalValue: '688MAHYB7WTwW_Glsi_d', }, - { category: 'signal', field: ALERT_ANCESTORS_TYPE, values: ['event'], originalValue: 'event' }, + { category: 'kibana', field: ALERT_ANCESTORS_TYPE, values: ['event'], originalValue: 'event' }, { - category: 'signal', + category: 'kibana', field: ALERT_ANCESTORS_INDEX, values: ['winlogbeat-7.10.0-2020.11.12-000001'], originalValue: 'winlogbeat-7.10.0-2020.11.12-000001', }, - { category: 'signal', field: ALERT_ANCESTORS_DEPTH, values: [0], originalValue: 0 }, + { category: 'kibana', field: ALERT_ANCESTORS_DEPTH, values: [0], 
originalValue: 0 }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_TIME, values: ['2020-11-25T15:36:38.847Z'], originalValue: '2020-11-25T15:36:38.847Z', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_INGESTED, values: ['2020-11-25T15:36:40.924914552Z'], originalValue: '2020-11-25T15:36:40.924914552Z', }, - { category: 'signal', field: ALERT_ORIGINAL_EVENT_CODE, values: [4625], originalValue: 4625 }, + { category: 'kibana', field: ALERT_ORIGINAL_EVENT_CODE, values: [4625], originalValue: 4625 }, { category: 'signal', field: 'signal.original_event.lag.total', @@ -574,49 +567,49 @@ export const mockAlertDetailsData = [ originalValue: 1002, }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_PROVIDER, values: ['Microsoft-Windows-Security-Auditing'], originalValue: 'Microsoft-Windows-Security-Auditing', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_CREATED, values: ['2020-11-25T15:36:39.922Z'], originalValue: '2020-11-25T15:36:39.922Z', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_KIND, values: ['event'], originalValue: 'event', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_MODULE, values: ['security'], originalValue: 'security', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_ACTION, values: ['logon-failed'], originalValue: 'logon-failed', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_TYPE, values: ['start'], originalValue: 'start', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_CATEGORY, values: ['authentication'], originalValue: 'authentication', }, { - category: 'signal', + category: 'kibana', field: ALERT_ORIGINAL_EVENT_OUTCOME, values: ['failure'], originalValue: 'failure', 
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx index 0691ddd1ab873..6502d7709f37a 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/reason.tsx @@ -34,12 +34,12 @@ export const ReasonComponent: React.FC = ({ eventId, data }) => { const { navigateToApp } = useKibana().services.application; const { formatUrl } = useFormatUrl(SecurityPageName.rules); - const reason = useMemo(() => getFieldValue({ category: 'signal', field: ALERT_REASON }, data), [ + const reason = useMemo(() => getFieldValue({ category: 'kibana', field: ALERT_REASON }, data), [ data, ]); const ruleId = useMemo( - () => getFieldValue({ category: 'signal', field: ALERT_RULE_UUID }, data), + () => getFieldValue({ category: 'kibana', field: ALERT_RULE_UUID }, data), [data] ); diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts index bea8b510ddbdb..2ea5fd6914265 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts @@ -23,7 +23,7 @@ describe('Endpoint Alert Check Utility', () => { // Must be an Alert { field: ALERT_RULE_UUID, - category: 'signal', + category: 'kibana', originalValue: 'endpoint', values: ['endpoint'], isObjectArray: false, diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts index 023839c3743e2..5f06fa31c62a8 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts 
+++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.ts @@ -15,7 +15,7 @@ import { TimelineEventsDetailsItem } from '../../../../timelines/common'; * @param data */ export const endpointAlertCheck = ({ data }: { data: TimelineEventsDetailsItem[] }): boolean => { - const isAlert = some({ category: 'signal', field: ALERT_RULE_UUID }, data); + const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, data); if (!isAlert) { return false; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx index 10d0376ca3ac4..a9b0fd919b88c 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx @@ -340,7 +340,7 @@ describe('alert actions', () => { }); describe('Eql', () => { - test(' with kibana.alert.group.id', async () => { + test(`with ${ALERT_GROUP_ID}`, async () => { const ecsDataMock: Ecs = { ...mockEcsDataWithAlert, kibana: { diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index bad103733423b..d49a6e990e17f 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -37,7 +37,6 @@ import { ALERT_RULE_QUERY, } from '../../../../../timelines/common/alerts'; -// TODO: Confirm changes with @dplumlee export const buildAlertStatusFilter = (status: Status): Filter[] => { const combinedQuery = status === 'acknowledged' 
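Review bot: After this change endpointAlertCheck only recognises a document as an alert when ALERT_RULE_UUID is reported under `category: 'kibana'`; a legacy document whose rule id is still under the `signal` category and field name (a shape useRuleWithFallback in this same patch still handles) now falls through `if (!isAlert) return false;` and loses the endpoint-specific handling. If both document shapes can reach this path during the migration, the check should also accept the legacy field, otherwise a short comment stating that only kibana.alert-shaped documents are expected here would make the assumption explicit, e.g. `// Only alerts-as-data documents (kibana.alert.*) are expected; legacy signal.* documents are not recognised`. The rest of endpointAlertCheck is outside the hunk.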
@@ -129,12 +128,12 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean): alias: null, disabled: false, negate: false, - key: 'signal.rule.threat_mapping', // TODO: This needs to be updated to kibana.alert? + key: 'signal.rule.threat_mapping', // TODO: Not updating to kibana.alert per: https://github.com/elastic/kibana/pull/107713/files#r692438231 type: 'exists', value: 'exists', }, // @ts-expect-error TODO: Rework parent typings to support ExistsFilter[] - exists: { field: 'signal.rule.threat_mapping' }, // TODO: This needs to be updated to kibana.alert? + exists: { field: 'signal.rule.threat_mapping' }, // TODO: Not updating to kibana.alert per: https://github.com/elastic/kibana/pull/107713/files#r692438231 }, ] : []; @@ -172,7 +171,6 @@ export const requiredFieldsForActions = [ ]; // TODO: Once we are past experimental phase this code should be removed -// TODO: Confirm changes with @dplumlee export const buildAlertStatusFilterRuleRegistry = (status: Status): Filter[] => { const combinedQuery = status === 'acknowledged' diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx index c102a269b0def..1d60256f184f4 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx 
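Review bot: The new inline comment on the `key` and `exists` entries of buildThreatMatchFilter only links to a review thread, so a reader of the file cannot tell why `signal.rule.threat_mapping` stays on the legacy name while buildAlertStatusFilter in the same file now uses ALERT_WORKFLOW_STATUS. This matters because an `exists` filter on a field absent from the new alert documents would hide every alert whenever "show only threat indicator alerts" is enabled. State the reason in the comment itself and put it once above the filter instead of duplicating it on both lines, e.g. `// Deliberately the legacy field: threat_mapping has no kibana.alert.* equivalent yet (see #107713)`, adjusted to the actual reason from that thread. buildThreatMatchFilter starts above the hunk.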
@@ -69,7 +69,7 @@ const AlertContextMenuComponent: React.FC = ({ const afterItemSelection = useCallback(() => { setPopover(false); }, []); - const ruleId = get(0, ecsRowData?.kibana?.alert?.rule?.id); + const ruleId = get(0, ecsRowData?.kibana?.alert?.rule?.uuid); const ruleName = get(0, ecsRowData?.kibana?.alert?.rule?.name); const { timelines: timelinesUi } = useKibana().services; const casePermissions = useGetUserCasesPermissions(); @@ -108,7 +108,7 @@ const AlertContextMenuComponent: React.FC = ({ [addToCaseActionProps, hasWritePermissions, timelineId, timelinesUi] ); - const alertStatus = get(0, ecsRowData?.kibana?.alert?.status) as Status; + const alertStatus = get(0, ecsRowData?.kibana?.alert?.workflow_status) as Status; const isEvent = useMemo(() => indexOf(ecsRowData.event?.kind, 'event') !== -1, [ecsRowData]); diff --git a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx index d82e7693a9e54..6277327c95a31 100644 --- a/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/take_action_dropdown/index.tsx @@ -9,7 +9,7 @@ import React, { useState, useCallback, useMemo } from 'react'; import { EuiContextMenuPanel, EuiButton, EuiPopover } from '@elastic/eui'; import type { ExceptionListType } from '@kbn/securitysolution-io-ts-list-types'; -import { ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_STATUS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_UUID, ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils'; import { TAKE_ACTION } from '../alerts_table/alerts_utility_bar/translations'; import { TimelineEventsDetailsItem, TimelineNonEcsData } from '../../../../common'; 
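Review bot: `const alertStatus = get(0, ecsRowData?.kibana?.alert?.workflow_status) as Status;` asserts an arbitrary string (or `undefined`, when the field is missing) into the `Status` union without checking it; `workflow_status` is declared as `string[]` in KibanaEcs in this same patch, so the cast is the only thing standing between an unexpected value and the status-transition actions that consume it. The cast pattern predates this change, but since the line is being rewritten anyway it is a good moment to narrow instead, e.g. `const raw = get(0, ecsRowData?.kibana?.alert?.workflow_status);` followed by `const alertStatus = isStatus(raw) ? raw : undefined;` with a small predicate over the known status values, or to declare the field as `Status[]` in KibanaEcs if that type can be imported there. The surrounding component continues outside the hunk.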
@@ -73,9 +73,9 @@ export const TakeActionDropdown = React.memo( const actionsData = useMemo( () => [ - { category: 'signal', field: ALERT_RULE_UUID, name: 'ruleId' }, - { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' }, - { category: 'signal', field: ALERT_STATUS, name: 'alertStatus' }, + { category: 'kibana', field: ALERT_RULE_UUID, name: 'ruleId' }, + { category: 'kibana', field: ALERT_RULE_NAME, name: 'ruleName' }, + { category: 'kibana', field: ALERT_WORKFLOW_STATUS, name: 'alertStatus' }, { category: 'event', field: 'event.kind', name: 'eventKind' }, { category: '_id', field: '_id', name: 'eventId' }, ].reduce( diff --git a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts index 0ba60da97c77b..df3de90f2ca24 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts @@ -66,7 +66,7 @@ export const columns: Array< columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_RISK_SCORE, id: ALERT_RULE_RISK_SCORE, - initialWidth: 115, + initialWidth: 100, }, { columnHeaderType: defaultColumnHeaderType, diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx index fcdde8c552a63..2d44ff05d711e 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx 
@@ -32,6 +32,11 @@ interface AlertHit {
 signal: {
 rule: Rule;
 };
+ kibana: {
+ alert: {
+ rule: Rule;
+ };
+ };
 };
 }
@@ -55,7 +60,6 @@ const buildLastAlertQuery = (ruleId: string) => ({
 export const useRuleWithFallback = (ruleId: string): UseRuleWithFallback => {
 const { start, loading: ruleLoading, result: ruleData, error } = useFetchRule();
 const { addError } = useAppToasts();
-
 const fetch = useCallback(() => {
 start({ id: ruleId });
 }, [ruleId, start]);
@@ -78,8 +82,12 @@ export const useRuleWithFallback = (ruleId: string): UseRuleWithFallback => {
 }, [addError, error]);
 const rule = useMemo(() => {
- // TODO: Is this access still kosher?
- const result = isExistingRule ? ruleData : alertsData?.hits.hits[0]?._source.signal.rule;
+ let result = isExistingRule ? ruleData : null;
+ if (result === null) {
+ result = alertsData?.hits.hits[0]?._source.signal
+ ? alertsData?.hits.hits[0]?._source.signal.rule
+ : alertsData?.hits.hits[0]?._source.kibana.alert.rule;
+ }
 if (result) {
 return transformInput(result);
 }
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
index 9bd079d4ecbf2..0c2f718062f67 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx
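Review bot: The fallback branch dereferences `_source.kibana.alert.rule` without optional chaining, so a hit whose `_source` has neither `signal` nor `kibana.alert` throws a TypeError inside `useMemo` instead of yielding no rule, and `_source` itself is not guarded after `hits[0]?`. The two-step `signal ? … : …` collapses to one guarded expression: `result = alertsData?.hits.hits[0]?._source?.signal?.rule ?? alertsData?.hits.hits[0]?._source?.kibana?.alert?.rule;`. The `AlertHit` interface in the first hunk declares both `signal` and `kibana` as required while this code treats `signal` as optional; marking both `signal?:` and `kibana?:` would make the type agree with the runtime check. The `useMemo` body continues outside the hunk.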
@@ -54,16 +54,16 @@ export const EventDetailsFooter = React.memo(
 timelineId,
 }: EventDetailsFooterProps) => {
 const ruleIndex = useMemo(
- () => find({ category: 'signal', field: ALERT_RULE_INDEX }, detailsData)?.values,
+ () => find({ category: 'kibana', field: ALERT_RULE_INDEX }, detailsData)?.values,
 [detailsData]
 );
 const addExceptionModalWrapperData = useMemo(
 () => [
- { category: 'signal', field: ALERT_RULE_UUID, name: 'ruleId' },
- { category: 'signal', field: ALERT_RULE_NAME, name: 'ruleName' },
- { category: 'signal', field: ALERT_WORKFLOW_STATUS, name: 'alertStatus' },
+ { category: 'kibana', field: ALERT_RULE_UUID, name: 'ruleId' },
+ { category: 'kibana', field: ALERT_RULE_NAME, name: 'ruleName' },
+ { category: 'kibana', field: ALERT_WORKFLOW_STATUS, name: 'alertStatus' },
 { category: '_id', field: '_id', name: 'eventId' },
 ].reduce(
 (acc, curr) => ({
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
index cdd5251585a17..3ed9f39d06ee4 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/index.tsx
@@ -107,10 +107,10 @@ const EventDetailsPanelComponent: React.FC = ({
 }
 }, []);
- const isAlert = some({ category: 'signal', field: ALERT_RULE_UUID }, detailsData);
+ const isAlert = some({ category: 'kibana', field: ALERT_RULE_UUID }, detailsData);
 const ruleName = useMemo(
- () => getFieldValue({ category: 'signal', field: ALERT_RULE_NAME }, detailsData),
+ () => getFieldValue({ category: 'kibana', field: ALERT_RULE_NAME }, detailsData),
 [detailsData]
 );
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx
index c14973f91d8c3..12ada8a9ae1da 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx
@@ -128,7 +128,7 @@ const ActionsComponent: React.FC = ({
<>
- {timelineId !== TimelineId.active && eventType === 'signal' && (
+ {timelineId !== TimelineId.active && eventType === 'kibana.alert' && (
= ({
 key="alert-context-menu"
 ecsRowData={ecsData}
 timelineId={timelineId}
- disabled={eventType !== 'signal' && !isEventContextMenuEnabledForEndpoint}
+ disabled={eventType !== 'kibana.alert' && !isEventContextMenuEnabledForEndpoint}
 refetch={refetch ?? noop}
 onRuleChange={onRuleChange}
 />
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
index fcbb476ce9ae6..4dc5a78324d6d 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/helpers.tsx
@@ -115,8 +115,8 @@ export const isEvenEqlSequence = (event: Ecs): boolean => {
 };
 /** Return eventType raw or signal or eql */
 export const getEventType = (event: Ecs): Omit => {
- if (!isEmpty(event.kibana?.alert?.rule?.id)) {
- return 'signal';
+ if (!isEmpty(event.kibana?.alert?.rule?.uuid)) {
+ return 'kibana.alert';
 } else if (!isEmpty(event.eql?.parentId)) {
 return 'eql';
 }
diff --git a/x-pack/plugins/timelines/common/alerts/constants.ts b/x-pack/plugins/timelines/common/alerts/constants.ts
index c5665d05854db..4e5dda1441056 100644
--- a/x-pack/plugins/timelines/common/alerts/constants.ts
+++ b/x-pack/plugins/timelines/common/alerts/constants.ts
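Review bot: The doc comment `/** Return eventType raw or signal or eql */` above `getEventType` is now stale, since the function returns `'kibana.alert'` where it used to return `'signal'`; the t_grid copy of the function later in this patch (`/** Return eventType raw or kibana or eql */`) has the same problem. I would change both to `/** Return eventType: raw, 'kibana.alert' (a detection alert, identified by kibana.alert.rule.uuid) or eql */`. The `'kibana.alert'` literal is also compared twice in actions/index.tsx, so a single exported constant (or a literal-union type shared by the producer and its consumers) would let the compiler catch a later drift between them instead of the comparisons silently going false.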
@@ -86,23 +86,21 @@ export const ALERT_THRESHOLD_RESULT_TERMS = `${ALERT_THRESHOLD_RESULT}.terms` as
 export const ALERT_THRESHOLD_RESULT_TERMS_FIELD = `${ALERT_THRESHOLD_RESULT_TERMS}.field` as const;
 export const ALERT_THRESHOLD_RESULT_TERMS_VALUE = `${ALERT_THRESHOLD_RESULT_TERMS}.value` as const;
 export const ALERT_RULE_BUILDING_BLOCK_TYPE = `${ALERT_RULE_NAMESPACE}.building_block_type` as const;
-// TODO: not accounted for in the excel doc
 export const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
 export const ALERT_RULE_FALSE_POSITIVES = `${ALERT_RULE_NAMESPACE}.false_positives` as const;
-// TODO: not accounted for in the excel doc
 export const ALERT_RULE_FILTERS = `${ALERT_RULE_NAMESPACE}.filters` as const;
 export const ALERT_RULE_IMMUTABLE = `${ALERT_RULE_NAMESPACE}.immutable` as const;
 export const ALERT_RULE_INDEX = `${ALERT_RULE_NAMESPACE}.index` as const;
 export const ALERT_RULE_LANGUAGE = `${ALERT_RULE_NAMESPACE}.language` as const;
 export const ALERT_RULE_MAX_SIGNALS = `${ALERT_RULE_NAMESPACE}.max_signals` as const;
-// TODO: Not supported in new RAC implementation. Can be removed
-export const ALERT_RULE_OUTPUT_INDEX = `${ALERT_RULE_NAMESPACE}.output_index` as const;
 export const ALERT_RULE_QUERY = `${ALERT_RULE_NAMESPACE}.query` as const;
-// TODO: Could be depracated
+// TODO: Could be deprecated
 export const ALERT_RULE_SAVED_ID = `${ALERT_RULE_NAMESPACE}.saved_id` as const;
 // TODO: not accounted for in the excel doc
 export const ALERT_RULE_SIZE = `${ALERT_RULE_NAMESPACE}.size` as const;
-// TODO: not accounted for in the excel doc
+export const ALERT_RULE_THREAT_MAPPING_ENTRIES_FIELD = `${ALERT_RULE_NAMESPACE}.threat_mapping.entries.field` as const;
+export const ALERT_RULE_THREAT_MAPPING_ENTRIES_VALUE = `${ALERT_RULE_NAMESPACE}.threat_mapping.entries.value` as const;
+export const ALERT_RULE_THREAT_MAPPING_ENTRIES_TYPE = `${ALERT_RULE_NAMESPACE}.threat_mapping.entries.type` as const;
 export const ALERT_RULE_THRESHOLD = `${ALERT_RULE_NAMESPACE}.threshold` as const;
 export const ALERT_RULE_TIMELINE_ID = `${ALERT_RULE_NAMESPACE}.timeline_id` as const;
 export const ALERT_RULE_TIMELINE_TITLE = `${ALERT_RULE_NAMESPACE}.timeline_title` as const;
@@ -187,7 +185,6 @@ const securityFields = {
 ALERT_RULE_INDEX,
 ALERT_RULE_LANGUAGE,
 ALERT_RULE_MAX_SIGNALS,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_QUERY,
 ALERT_RULE_SAVED_ID,
 ALERT_RULE_SIZE,
diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
index 19d2660aec3f4..130e0ae1abd6a 100644
--- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
@@ -31,7 +31,6 @@ import {
 ALERT_RULE_SAVED_ID,
 ALERT_RULE_TIMELINE_ID,
 ALERT_RULE_TIMELINE_TITLE,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_INDEX,
 ALERT_RULE_LANGUAGE,
 ALERT_RULE_QUERY,
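Review bot: The `// TODO: not accounted for in the excel doc` above `ALERT_RULE_SIZE` survives while the identical comments on `ALERT_RULE_EXCEPTIONS_LIST`, `ALERT_RULE_FILTERS` and the one replaced by the new threat-mapping constants are removed, so either `size` is still genuinely unaccounted for and the comment should say why it differs, or it should go with the others. The three new `ALERT_RULE_THREAT_MAPPING_ENTRIES_*` constants are also not added to the `securityFields` list in the next hunk, at least not in the slice shown; if they are meant to be requested with the other rule fields that is worth confirming.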
@@ -336,7 +335,6 @@ export const alertFieldsMap: Readonly> = {
 [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID,
 [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID,
 [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE,
- [ALERT_RULE_OUTPUT_INDEX]: ALERT_RULE_OUTPUT_INDEX,
 [ALERT_RULE_FROM]: ALERT_RULE_FROM,
 [ALERT_RULE_INDEX]: ALERT_RULE_INDEX,
 [ALERT_RULE_LANGUAGE]: ALERT_RULE_LANGUAGE,
diff --git a/x-pack/plugins/timelines/common/ecs/kibana/index.ts b/x-pack/plugins/timelines/common/ecs/kibana/index.ts
index a582000631d24..5e36da400ccaf 100644
--- a/x-pack/plugins/timelines/common/ecs/kibana/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/kibana/index.ts
@@ -16,5 +16,6 @@ export interface KibanaEcs {
 id?: string[];
 };
 threshold_result?: unknown;
+ workflow_status?: string[];
 };
 }
diff --git a/x-pack/plugins/timelines/common/ecs/rule/index.ts b/x-pack/plugins/timelines/common/ecs/rule/index.ts
index ae7e5064a8ece..bb12596c765b4 100644
--- a/x-pack/plugins/timelines/common/ecs/rule/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/rule/index.ts
@@ -8,6 +8,7 @@ export interface RuleEcs {
 id?: string[];
 rule_id?: string[];
+ uuid?: string[];
 name?: string[];
 false_positives?: string[];
 saved_id?: string[];
diff --git a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
index 25b711dd226ce..f00269f219984 100644
--- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_STATUS, ALERT_RULE_NAME } from '@kbn/rule-data-utils';
+import { ALERT_WORKFLOW_STATUS, ALERT_RULE_NAME } from '@kbn/rule-data-utils';
 import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
 import { EventHit, EventSource } from '../search_strategy';
 import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters';
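Review bot: `uuid?: string[]` is added to `RuleEcs` while `id?: string[]` stays, and every consumer touched by this patch (`getEventType`, `useAddToCase`, the alert context menu) now reads `uuid` only, so nothing tells the next reader which of the two identifies the rule or whether `id` is still populated. A one-line comment on each would settle it, e.g. `uuid?: string[]; // kibana.alert.rule.uuid; presence marks the event as a detection alert` and, on `id`, a note on what still writes it (I cannot tell from the hunk whether it is now legacy-only). The same applies to the new `workflow_status?: string[]` on `KibanaEcs`, which is the field the alert status cast in the security_solution context menu now depends on.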
@@ -136,7 +136,7 @@ describe('Events Details Helpers', () => {
 it('#getDataFromSourceHits', () => {
 const _source: EventSource = {
 '@timestamp': '2021-02-24T00:41:06.527Z',
- [ALERT_STATUS]: 'open',
+ [ALERT_WORKFLOW_STATUS]: 'open',
 [ALERT_RULE_NAME]: 'Rawr',
 'threat.indicator': [
 {
@@ -163,7 +163,7 @@ describe('Events Details Helpers', () => {
 },
 {
 category: 'kibana',
- field: ALERT_STATUS,
+ field: ALERT_WORKFLOW_STATUS,
 values: ['open'],
 originalValue: ['open'],
 isObjectArray: false,
diff --git a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
index 108eb74ac57ec..0764f4fe37e49 100644
--- a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
+++ b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
@@ -28,7 +28,9 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- kibana: { alert: { rule: { id: ['rule-id'], name: ['rule-name'], false_positives: [] } } },
+ kibana: {
+ alert: { rule: { uuid: ['rule-id'], name: ['rule-name'], false_positives: [] } },
+ },
 },
 },
 casePermissions: {
@@ -105,7 +107,7 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- kibana: { alert: { rule: { id: ['rule-id'], false_positives: [] } } },
+ kibana: { alert: { rule: { uuid: ['rule-id'], false_positives: [] } } },
 },
 }}
 />
@@ -117,7 +119,7 @@ describe('AddToCaseAction', () => {
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
- kibana: { alert: { rule: { id: ['rule-id'], false_positives: [] } } },
+ kibana: { alert: { rule: { uuid: ['rule-id'], false_positives: [] } } },
 },
 }}
 />
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index 3707091e126df..5f25f4dfcfb0b 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -62,7 +62,6 @@ import {
 ALERT_RULE_INDEX,
 ALERT_RULE_LANGUAGE,
 ALERT_RULE_MAX_SIGNALS,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_QUERY,
 ALERT_RULE_SAVED_ID,
 ALERT_RULE_SIZE,
@@ -136,8 +135,8 @@ export const isEvenEqlSequence = (event: Ecs): boolean => {
 };
 /** Return eventType raw or kibana or eql */
 export const getEventType = (event: Ecs): Omit => {
- if (!isEmpty(event.kibana?.alert?.rule?.id)) {
- return 'kibana';
+ if (!isEmpty(event.kibana?.alert?.rule?.uuid)) {
+ return 'kibana.alert';
 } else if (!isEmpty(event.eql?.parentId)) {
 return 'eql';
 }
@@ -227,7 +226,6 @@ export const allowSorting = ({
 ALERT_RULE_MAX_SIGNALS,
 ALERT_RULE_NAME,
 ALERT_RULE_NOTE,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_QUERY,
 ALERT_RULE_REFERENCES,
 ALERT_RULE_RISK_SCORE,
diff --git a/x-pack/plugins/timelines/public/container/index.tsx b/x-pack/plugins/timelines/public/container/index.tsx
index de0ef5a27b5bb..78e501fcc5988 100644
--- a/x-pack/plugins/timelines/public/container/index.tsx
+++ b/x-pack/plugins/timelines/public/container/index.tsx
@@ -192,7 +192,6 @@ export const useTimelineEvents = ({
 if (request == null || skip) {
 return;
 }
- console.log('REQUEST: ', request); // eslint-disable-line
 const asyncSearch = async () => {
 prevTimelineRequest.current = request;
 abortCtrl.current = new AbortController();
diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
index b16b56cc811ff..4d621fb418994 100644
--- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
+++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
@@ -126,7 +126,7 @@ export const useAddToCase = ({
 }
 }, [event]);
 const isSecurityAlert = useMemo(() => {
- return !isEmpty(event?.ecs.kibana?.alert?.rule?.id);
+ return !isEmpty(event?.ecs.kibana?.alert?.rule?.uuid);
 }, [event]);
 const isEventSupported = isSecurityAlert || isAlert;
 const userCanCrud = casePermissions?.crud ?? false;
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
index 6f750b5c35442..73435cf9b3199 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -6,7 +6,6 @@
 */
 import {
- ALERT_STATUS,
 ALERT_RULE_FROM,
 ALERT_RULE_NAME,
 ALERT_RULE_TO,
@@ -17,6 +16,7 @@ import {
 ALERT_RULE_RISK_SCORE,
 ALERT_RULE_NOTE,
 ALERT_REASON,
+ ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-data-utils';
 import {
 ALERT_GROUP_ID,
@@ -29,7 +29,6 @@ import {
 ALERT_ORIGINAL_EVENT_MODULE,
 ALERT_THRESHOLD_RESULT,
 ALERT_RULE_EXCEPTIONS_LIST,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_SAVED_ID,
 ALERT_RULE_THRESHOLD,
 ALERT_RULE_TIMELINE_ID,
@@ -73,7 +72,6 @@ export const CTI_ROW_RENDERER_FIELDS = [
 export const TIMELINE_EVENTS_FIELDS = [
 '@timestamp',
- ALERT_STATUS,
 ALERT_GROUP_ID,
 ALERT_ORIGINAL_TIME,
 ALERT_REASON,
@@ -92,6 +90,7 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_RULE_SEVERITY,
 ALERT_RULE_RISK_SCORE,
 ALERT_THRESHOLD_RESULT,
+ ALERT_WORKFLOW_STATUS,
 'event.code',
 'event.module',
 'event.action',
@@ -205,7 +204,6 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_RULE_SAVED_ID,
 ALERT_RULE_TIMELINE_ID,
 ALERT_RULE_TIMELINE_TITLE,
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_NOTE,
 ALERT_RULE_THRESHOLD,
 ALERT_RULE_EXCEPTIONS_LIST,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
index 11809d4c03cb5..0e1123512eb36 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
@@ -10,7 +10,7 @@ import {
 ALERT_RULE_TYPE,
 ALERT_RULE_UUID,
 ALERT_RULE_RISK_SCORE,
- ALERT_STATUS,
+ ALERT_WORKFLOW_STATUS,
 ALERT_RULE_SEVERITY,
 ALERT_RULE_VERSION,
 ALERT_RULE_NAME,
@@ -18,7 +18,6 @@ import {
 } from '@kbn/rule-data-utils';
 import { eventHit } from '@kbn/securitysolution-t-grid';
 import {
- ALERT_RULE_OUTPUT_INDEX,
 ALERT_RULE_LANGUAGE,
 ALERT_RULE_QUERY,
 ALERT_RULE_INDEX,
@@ -179,7 +178,6 @@ describe('#formatTimelineData', () => {
 value: 200,
 },
 building_block_type: null,
- output_index: '.siem-signals-patrykkopycinski-default',
 type: 'threshold',
 rule_name_override: null,
 enabled: true,
@@ -278,12 +276,11 @@ describe('#formatTimelineData', () => {
 type: 'event',
 },
 ],
- status: 'open',
+ workflow_status: 'open',
 },
 },
 },
 fields: {
- [ALERT_RULE_OUTPUT_INDEX]: ['.siem-signals-patrykkopycinski-default'],
 [ALERT_RULE_FROM]: ['now-360s'],
 [ALERT_RULE_LANGUAGE]: ['kuery'],
 '@timestamp': ['2021-01-09T13:41:40.517Z'],
@@ -291,7 +288,7 @@ describe('#formatTimelineData', () => {
 [ALERT_RULE_TYPE]: ['threshold'],
 [ALERT_RULE_UUID]: ['696c24e0-526d-11eb-836c-e1620268b945'],
 [ALERT_RULE_RISK_SCORE]: [21],
- [ALERT_STATUS]: ['open'],
+ [ALERT_WORKFLOW_STATUS]: ['open'],
 'event.kind': ['signal'],
 [ALERT_ORIGINAL_TIME]: ['2021-01-09T13:39:32.595Z'],
 [ALERT_RULE_SEVERITY]: ['low'],
@@ -344,7 +341,7 @@ describe('#formatTimelineData', () => {
 kibana: {
 alert: {
 original_time: ['2021-01-09T13:39:32.595Z'],
- status: ['open'],
+ workflow_status: ['open'],
 threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
 rule: {
 building_block_type: [],
@@ -363,7 +360,6 @@ describe('#formatTimelineData', () => {
 ],
 language: ['kuery'],
 name: ['Threshold test'],
- output_index: ['.siem-signals-patrykkopycinski-default'],
 risk_score: ['21'],
 query: ['_id :*'],
 severity: ['low'],
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
index 659b847a6a27d..b2e073d3ecf59 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
@@ -144,7 +144,6 @@ const timelineAlertsSearchStrategy = ({
 }),
 mergeMap((esSearchRes) => queryFactory.parse(requestWithAlertsIndices, esSearchRes)),
 catchError((err) => {
- console.log('ERROR!!!:', err); // eslint-disable-line
 throw err;
 })
 );
diff --git a/x-pack/test/api_integration/apis/security_solution/utils.ts b/x-pack/test/api_integration/apis/security_solution/utils.ts
index d7799cc592fb5..7e23322eaf97e 100644
--- a/x-pack/test/api_integration/apis/security_solution/utils.ts
+++ b/x-pack/test/api_integration/apis/security_solution/utils.ts
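Review bot: With the `console.log` gone, `catchError((err) => { throw err; })` is a no-op that re-raises the same error unchanged, so the operator can be dropped from the pipe it sits in (the `pipe(...)` starts outside the hunk). If the intent is to keep an error hook at this point, it should add context through the plugin logger rather than rethrow as-is; dumping the raw request or error object to the console, as the removed lines here and in container/index.tsx did, is the wrong channel because those objects carry query bodies and index names.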
@@ -4,12 +4,27 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
+import {
+ ALERT_RULE_FROM,
+ ALERT_RULE_NAME,
+ ALERT_RULE_TO,
+ ALERT_RULE_TYPE,
+ ALERT_RULE_UUID,
+ ALERT_WORKFLOW_STATUS,
+} from '@kbn/rule-data-utils';
 import { JsonObject, JsonArray } from '@kbn/utility-types';
+
 import {
+ ALERT_GROUP_ID,
 ALERT_ORIGINAL_TIME,
- ALERT_RULE_INDEX,
+ ALERT_RULE_BUILDING_BLOCK_TYPE,
+ ALERT_RULE_FILTERS,
 ALERT_RULE_LANGUAGE,
-} from './../../../../plugins/timelines/common/alerts';
+ ALERT_RULE_QUERY,
+ ALERT_RULE_INDEX,
+ ALERT_ORIGINAL_EVENT_KIND,
+ ALERT_ORIGINAL_EVENT_MODULE,
+} from '../../../../plugins/timelines/common';
 export const getFilterValue = (hostName: string, from: string, to: string): JsonObject => ({
 bool: {
@@ -53,21 +68,21 @@ export const getFieldsToRequest = (): string[] => [
 'destination.ip',
 'user.name',
 '@timestamp',
- 'signal.status',
- 'signal.group.id',
+ ALERT_WORKFLOW_STATUS,
+ ALERT_GROUP_ID,
 ALERT_ORIGINAL_TIME,
- 'signal.rule.building_block_type',
- 'signal.rule.filters',
- 'signal.rule.from',
+ ALERT_RULE_BUILDING_BLOCK_TYPE,
+ ALERT_RULE_FILTERS,
+ ALERT_RULE_FROM,
 ALERT_RULE_LANGUAGE,
- 'signal.rule.query',
- 'signal.rule.name',
- 'signal.rule.to',
- 'signal.rule.id',
+ ALERT_RULE_QUERY,
+ ALERT_RULE_NAME,
+ ALERT_RULE_TO,
+ ALERT_RULE_UUID,
 ALERT_RULE_INDEX,
- 'signal.rule.type',
- 'signal.original_event.kind',
- 'signal.original_event.module',
+ ALERT_RULE_TYPE,
+ ALERT_ORIGINAL_EVENT_KIND,
+ ALERT_ORIGINAL_EVENT_MODULE,
 'file.path',
 'file.Ext.code_signature.subject_name',
 'file.Ext.code_signature.trusted',
From d572a2eeadf960ec6fab7713ab0c84438c74fa25 Mon Sep 17 00:00:00 2001
From: Michael Olorunnisola
Date: Tue, 24 Aug 2021 11:29:26 -0400
Subject: [PATCH 21/26] update aad mapping
---
 .../detection_engine/routes/index/signal_aad_mapping.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 8391d490162df..c1db4b3f730d7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -27,6 +27,7 @@
 "signal.original_event.type": "kibana.alert.original_event.type",
 "signal.original_time": "kibana.alert.original_time",
 "signal.reason": "kibana.alert.reason",
+ "signal.risk_score": "kibana.alert.risk_score",
 "signal.rule.author": "kibana.alert.rule.author",
 "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
 "signal.rule.created_at": "kibana.alert.rule.created_at",
@@ -46,14 +47,14 @@
 "signal.rule.note": "kibana.alert.rule.note",
 "signal.rule.query": "kibana.alert.rule.query",
 "signal.rule.references": "kibana.alert.rule.references",
- "signal.rule.risk_score": "kibana.alert.risk_score",
+ "signal.rule.risk_score": "kibana.alert.rule.risk_score",
 "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
 "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
 "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
 "signal.rule.rule_id": "kibana.alert.rule.rule_id",
 "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
 "signal.rule.saved_id": "kibana.alert.rule.saved_id",
- "signal.rule.severity": "kibana.alert.severity",
+ "signal.rule.severity": "kibana.alert.rule.severity",
 "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
 "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
 "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
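Review bot: The remap moves `signal.rule.risk_score` from `kibana.alert.risk_score` to `kibana.alert.rule.risk_score` and adds `signal.risk_score` → `kibana.alert.risk_score` (the next hunk does the same for `signal.severity` → `kibana.alert.severity`), so a legacy signal document that carries only `signal.rule.risk_score` / `signal.rule.severity` no longer populates the alert-level fields that the UI in this series switches its columns and selectors to. If older signal indices can lack `signal.risk_score` / `signal.severity`, those alerts would show an empty severity and risk score after migration, and those are the columns analysts sort and triage on. Worth confirming every source document has the alert-level fields, or giving the migration a fallback from the rule-level values; this is a data file, so the caveat belongs in the migration code or its README rather than here.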
@@ -85,6 +86,7 @@
 "signal.rule.updated_at": "kibana.alert.rule.updated_at",
 "signal.rule.updated_by": "kibana.alert.rule.updated_by",
 "signal.rule.version": "kibana.alert.rule.version",
+ "signal.severity": "kibana.alert.severity",
 "signal.status": "kibana.alert.workflow_status",
 "signal.threshold_result.from": "kibana.alert.threshold_result.from",
 "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
From 68f30858ecc016b05ed5d307da1d240d21306ad2 Mon Sep 17 00:00:00 2001
From: Michael Olorunnisola
Date: Tue, 24 Aug 2021 12:36:56 -0400
Subject: [PATCH 22/26] fix severity and risk score
---
 .../field_maps/technical_rule_field_map.ts | 5 +
 .../server/routes/get_alert_by_id.test.ts | 4 +-
 .../common/ecs/ecs_fields/index.ts | 8 +-
 .../indicator_match_rule.spec.ts | 10 +-
 .../detection_rules/override.spec.ts | 4 +-
 .../cypress/screens/alerts.ts | 4 +
 .../components/drag_and_drop/helpers.ts | 8 +-
 .../event_details/__mocks__/index.ts | 8 +-
 .../alert_summary_view.test.tsx.snap | 12 +-
 .../event_details/alert_summary_view.tsx | 8 +-
 .../components/alerts_kpis/common/config.ts | 8 +-
 .../components/alerts_kpis/common/types.ts | 8 +-
 .../rules/description_step/helpers.tsx | 4 +-
 .../examples/observablity_alerts/columns.ts | 4 +-
 .../render_cell_value.test.tsx | 9 +-
 .../observablity_alerts/render_cell_value.tsx | 9 +-
 .../examples/security_solution_rac/columns.ts | 4 +-
 .../render_cell_value.test.tsx | 4 +-
 .../render_cell_value.tsx | 4 +-
 .../security_solution_detections/columns.ts | 8 +-
 .../detection_engine/alerts/api.test.ts | 4 +-
 .../detection_engine/alerts/mock.ts | 4 +-
 .../__snapshots__/index.test.tsx.snap | 2020 +++++++++--------
 .../default_cell_renderer.test.tsx | 4 +-
 .../components/host_rules_table/columns.tsx | 4 +-
 .../components/host_tactics_table/columns.tsx | 4 +-
 .../routes/index/signal_aad_mapping.json | 6 +-
 .../ueba/host_rules/query.host_rules.dsl.ts | 6 +-
 .../host_tactics/query.host_tactics.dsl.ts | 6 +-
 .../ueba/user_rules/query.user_rules.dsl.ts | 6 +-
 .../timelines/common/ecs/ecs_fields/index.ts | 8 +-
 .../public/components/t_grid/body/helpers.tsx | 8 +-
 .../timeline/factory/events/all/constants.ts | 8 +-
 .../factory/events/all/helpers.test.ts | 12 +-
 34 files changed, 1124 insertions(+), 1109 deletions(-)
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index b4ae89b7694f7..37a3a3b9fffbc 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -49,6 +49,11 @@ export const technicalRuleFieldMap = {
 array: false,
 required: false,
 },
+ [Fields.ALERT_RISK_SCORE]: {
+ type: 'float',
+ array: false,
+ required: false,
+ },
 [Fields.ALERT_WORKFLOW_STATUS]: {
 type: 'keyword',
 array: false,
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
index 372fb09661259..a605d9a4d5075 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@@ -7,7 +7,7 @@
 import {
 ALERT_RULE_CONSUMER,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_STATUS,
 ECS_VERSION,
 ALERT_RULE_TYPE_ID,
@@ -30,7 +30,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
 [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
 [ALERT_RULE_CONSUMER]: 'apm',
 [ALERT_STATUS]: 'open',
- [ALERT_RULE_RISK_SCORE]: 20,
+ [ALERT_RISK_SCORE]: 20,
 [SPACE_IDS]: ['fake-space-id'],
 });
diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
index 61c8ed2d8b276..7557b0393f367 100644
--- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts
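Review bot: The hunk adds `Fields.ALERT_RISK_SCORE` as a `float` but no entry for the alert-level severity is visible, even though the `signal_aad_mapping.json` change in the previous commit now writes `kibana.alert.severity`; if the map does not already declare it above line 49 (and `Fields` exposes `ALERT_SEVERITY`, which `@kbn/rule-data-utils` exports elsewhere in this series), that field would rely on dynamic mapping or stay unmapped in the alerts-as-data index, which makes severity unsortable and unfilterable in the alerts table. If it is declared elsewhere in the map, a short comment beside the new entry, e.g. `// alert-level score; the rule-level default lives under kibana.alert.rule.risk_score`, would save the next reader the same check. The `technicalRuleFieldMap` object continues outside the hunk.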
@@ -15,15 +15,15 @@ import {
 ALERT_RULE_NAME,
 ALERT_RULE_NOTE,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
 ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
 ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
 ALERT_RULE_UPDATED_AT,
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
 } from '@kbn/rule-data-utils';
 import {
 ALERT_ORIGINAL_TIME,
@@ -342,12 +342,10 @@ export const alertFieldsMap: Readonly> = {
 [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID,
 [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES,
 [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS,
- [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE,
 [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION,
 [ALERT_RULE_NAME]: ALERT_RULE_NAME,
 [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE,
 [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES,
- [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY,
 [ALERT_RULE_TAGS]: ALERT_RULE_TAGS,
 [ALERT_RULE_THREAT]: ALERT_RULE_THREAT,
 [ALERT_RULE_TYPE]: ALERT_RULE_TYPE,
@@ -361,6 +359,8 @@ export const alertFieldsMap: Readonly> = {
 [ALERT_RULE_NOTE]: ALERT_RULE_NOTE,
 [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD,
 [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST,
+ [ALERT_SEVERITY]: ALERT_SEVERITY,
+ [ALERT_RISK_SCORE]: ALERT_RISK_SCORE,
 };
 export const ruleFieldsMap: Readonly> = {
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-p
ack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
index f8b3b426580b2..3aebf87aa3faf 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -14,8 +14,8 @@ import {
 import {
 ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
 NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -480,12 +480,10 @@ describe('indicator match', () => { cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts); cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name); - cy.get(ALERT_RULE_SEVERITY) + cy.get(ALERT_SEVERITY) .first() .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase()); - cy.get(ALERT_RULE_RISK_SCORE) - .first() - .should('have.text', getNewThreatIndicatorRule().riskScore); + cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore); }); it('Investigate alert in timeline', () => {
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 5b14fe9579911..540d5da61dae2 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { formatMitreAttackDescription } from '../../helpers/rules'; import { getIndexPatterns,
@@ -140,7 +140,7 @@ describe('Detection rules, override', () => { getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore); getDetails(RISK_SCORE_OVERRIDE_DETAILS).should( 'have.text', - `${this.rule.riskOverride}${ALERT_RULE_RISK_SCORE}` + `${this.rule.riskOverride}${ALERT_RISK_SCORE}` ); getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride); getDetails(REFERENCE_URLS_DETAILS).should((details) => {
diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
index 637658c57ca5e..7820c7340896e 100644
--- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
@@ -28,6 +28,10 @@ export const ALERT_RULE_RISK_SCORE = export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]'; +export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]'; + +export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]'; + export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]'; export const CLOSE_ALERT_BTN = '[data-test-subj="close-alert-status"]';
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
index e24bd7517ce45..a4d34299875f3 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -19,14 +19,14 @@ import { ALERT_RULE_NAME, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, ALERT_RULE_RULE_ID, - ALERT_RULE_SEVERITY, ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { BrowserField } from '../../containers/source';
@@ -223,10 +223,8 @@ export const allowTopN = ({ ALERT_RULE_NOTE, ALERT_RULE_QUERY, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, ALERT_RULE_RULE_ID, ALERT_RULE_SAVED_ID, - ALERT_RULE_SEVERITY, ALERT_RULE_SIZE, ALERT_RULE_TAGS, ALERT_RULE_THREAT,
@@ -242,6 +240,8 @@ export const allowTopN = ({ ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, ] as string[]).includes(fieldName);
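Review bot: `allowTopN` now allowlists only the alert-level `kibana.alert.risk_score` / `kibana.alert.severity` and drops the rule-level `kibana.alert.rule.risk_score` / `kibana.alert.rule.severity`, so analysts can no longer open Top N on the rule's baseline values — which differ from the alert-level ones whenever a risk-score or severity override mapping applies, and the mapping fields (`ALERT_RULE_RISK_SCORE_MAPPING`, `ALERT_RULE_SEVERITY_MAPPING`) still appear in `mockAlertDetailsData` later in this patch, so the rule-level namespace presumably still exists. If dropping them is intended, say so next to the new entries, e.g. `// Top N is offered on the effective alert-level score/severity, not the rule defaults`; otherwise keep both pairs in the list. The allowlist appears to be an array literal built inside the function and searched with `includes`; a module-level `Set<string>` would avoid re-allocating it per call, though that is pre-existing. `allowTopN` starts and ends outside the hunk.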
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
index 3e1e44c0b6d3f..e8809cdeb848b 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
@@ -16,10 +16,10 @@ import { ALERT_RULE_LICENSE, ALERT_RULE_NAME, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, + ALERT_RISK_SCORE, ALERT_RULE_RISK_SCORE_MAPPING, ALERT_RULE_RULE_ID, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, ALERT_RULE_SEVERITY_MAPPING, ALERT_RULE_TAGS, ALERT_RULE_TO,
@@ -423,7 +423,7 @@ export const mockAlertDetailsData = [ originalValue: 'http://localhost:5601/app/security', }, { category: 'kibana', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 }, - { category: 'kibana', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 }, + { category: 'kibana', field: ALERT_RISK_SCORE, values: [21], originalValue: 21 }, { category: 'kibana', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' }, {
@@ -467,7 +467,7 @@ export const mockAlertDetailsData = [ originalValue: '@timestamp : * ', }, { category: 'kibana', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] }, - { category: 'kibana', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' }, + { category: 'kibana', field: ALERT_SEVERITY, values: ['low'], originalValue: 'low' }, { category: 'kibana', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_TAGS, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' },
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap index 0ce9518470973..3ad8b6c80b5e8 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap @@ -353,7 +353,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.

@@ -417,7 +417,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
index 2faac84cb182c..00afdb839cd83 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
@@ -13,8 +13,8 @@ import styled from 'styled-components'; import { ALERT_RULE_UUID, ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import * as i18n from './translations';
@@ -78,8 +78,8 @@ const defaultDisplayFields: EventSummaryField[] = [ linkField: ALERT_RULE_UUID, label: ALERTS_HEADERS_RULE, }, - { id: ALERT_RULE_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, - { id: ALERT_RULE_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE }, + { id: ALERT_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, + { id: ALERT_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE }, { id: 'host.name' }, { id: 'agent.id', overrideField: AGENT_STATUS_FIELD_NAME, label: i18n.AGENT_STATUS }, { id: 'user.name' },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
index 5e3ecda7ab181..0f3062d5fec20 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
@@ -7,16 +7,16 @@ import { ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; import type { AlertsStackByOption } from './types'; import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts'; export const alertsStackByOptions: AlertsStackByOption[] = [ - { text: ALERT_RULE_RISK_SCORE, value: ALERT_RULE_RISK_SCORE }, - { text: ALERT_RULE_SEVERITY, value: ALERT_RULE_SEVERITY }, + { text: ALERT_RISK_SCORE, value: ALERT_RISK_SCORE }, + { text: ALERT_SEVERITY, value: ALERT_SEVERITY }, { text: ALERT_RULE_THREAT_TACTIC_NAME, value: ALERT_RULE_THREAT_TACTIC_NAME }, { text: 'destination.ip', value: 'destination.ip' }, { text: 'event.action', value: 'event.action' },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
index 0081bd1cf3f4d..615fc53a8dfc3 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
@@ -7,8 +7,8 @@ import { ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts';
@@ -19,8 +19,8 @@ export interface AlertsStackByOption { } export type AlertsStackByField = - | typeof ALERT_RULE_RISK_SCORE - | typeof ALERT_RULE_SEVERITY + | typeof ALERT_RISK_SCORE + | typeof ALERT_SEVERITY | typeof ALERT_RULE_THREAT_TACTIC_NAME | 'destination.ip' | 'event.action'
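Review bot: The rename had to be made in two parallel places — the `alertsStackByOptions` values in config.ts and the hand-written `typeof …` members of `AlertsStackByField` in types.ts — because the union duplicates the option list instead of being derived from it, so the next added or renamed stack-by field can drift between the two without a compile error. One `as const` tuple of field names in types.ts can be the single source: `AlertsStackByField` becomes `typeof ALERTS_STACK_BY_FIELDS[number]` and config.ts maps the tuple to options. This assumes every option's `text` equals its `value`, as all entries visible in the hunk do; if a later entry carries a different label, keep the array literal but type it against the tuple instead. Both `alertsStackByOptions` and the `AlertsStackByField` union continue past their hunks.
```typescript
// types.ts
export const ALERTS_STACK_BY_FIELDS = [
  ALERT_RISK_SCORE,
  ALERT_SEVERITY,
  ALERT_RULE_THREAT_TACTIC_NAME,
  'destination.ip',
  'event.action',
  // … unchanged: remaining stack-by field names …
] as const;

export type AlertsStackByField = typeof ALERTS_STACK_BY_FIELDS[number];

// config.ts
export const alertsStackByOptions: AlertsStackByOption[] = ALERTS_STACK_BY_FIELDS.map(
  (field) => ({ text: field, value: field })
);
```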
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
index e53b78b8c482a..1a4a4642d0825 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
@@ -23,7 +23,7 @@ import React from 'react'; import styled from 'styled-components'; import { ThreatMapping, Type } from '@kbn/securitysolution-io-ts-alerting-types'; -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { MATCHES, AND, OR } from '../../../../common/components/threat_match/translations'; import { assertUnreachable } from '../../../../../common/utility_types'; import * as i18nSeverity from '../severity_mapping/translations';
@@ -351,7 +351,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt - {`${ALERT_RULE_RISK_SCORE}`} + {`${ALERT_RISK_SCORE}`} ), };
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts
index 9623100ac16c2..e491423320927 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts
@@ -9,7 +9,7 @@ import { EuiDataGridColumn } from '@elastic/eui'; import { ALERT_DURATION, ALERT_REASON, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils';
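Review bot: In `buildRiskScoreDescription` the rewritten line still wraps a string constant in a template literal, `{`${ALERT_RISK_SCORE}`}`, which is a no-op conversion of a string to itself; since the rename touches the line anyway, `{ALERT_RISK_SCORE}` reads more directly and makes it obvious the rendered text is the exact field name that the override spec in this patch asserts on. Worth a one-line comment on the surrounding JSX as well, because the description shows the destination field rather than the source field of the override, e.g. `// shows the alert-level field the overridden score is written to`. `buildRiskScoreDescription` starts before and ends after the hunk.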
@@ -47,7 +47,7 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, - id: ALERT_RULE_SEVERITY, + id: ALERT_SEVERITY, initialWidth: 102, }, {
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx
index a66e2b32758b6..dddb7108f607e 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx
@@ -8,12 +8,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { - ALERT_DURATION, - ALERT_REASON, - ALERT_RULE_SEVERITY, - ALERT_STATUS, -} from '@kbn/rule-data-utils'; +import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock';
@@ -84,7 +79,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + );
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
index caf0d63c7fe05..07581e4c94d3b 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
@@ -9,12 +9,7 @@ import moment from 'moment'; import React from 'react'; import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui'; -import { - ALERT_DURATION, - ALERT_REASON, - ALERT_RULE_SEVERITY, - ALERT_STATUS, -} from '@kbn/rule-data-utils'; +import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity';
@@ -60,7 +55,7 @@ export const RenderCellValue: React.FC< ); case ALERT_DURATION: return {moment().fromNow(true)}; - case ALERT_RULE_SEVERITY: + case ALERT_SEVERITY: return ; case ALERT_REASON: return (
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
index 9c1e09dc90562..e238d73e3aff5 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
@@ -10,7 +10,7 @@ import { ALERT_REASON, ALERT_RULE_UUID, ALERT_RULE_NAME, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, } from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../../common'; import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers';
@@ -39,7 +39,7 @@ export const columns: Array< }, { columnHeaderType: defaultColumnHeaderType, - id: ALERT_RULE_SEVERITY, + id: ALERT_SEVERITY, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, initialWidth: 104, },
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
index 26f4f4b919aff..542883796eb0f 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx
@@ -9,7 +9,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_SEVERITY } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock';
@@ -56,7 +56,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + );
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
index 0d255eb95c754..db83eda337a1f 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
@@ -8,7 +8,7 @@ import { EuiDataGridCellValueElementProps } from '@elastic/eui'; import React from 'react'; -import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_SEVERITY } from '@kbn/rule-data-utils'; import { DefaultDraggable } from '../../../../common/components/draggables'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity'; @@ -47,7 +47,7 @@ export const RenderCellValue: React.FC< const draggableId = `${timelineId}-${eventId}-${columnId}-${value}`; switch (columnId) { - case ALERT_RULE_SEVERITY: + case ALERT_SEVERITY: return ( { test('check parameter url, body', async () => { await fetchQueryAlerts({ query: mockAlertsQuery, signal: abortCtrl.signal }); expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/signals/search', { - body: `{"aggs":{"alertsByGrouping":{"terms":{"field":"${ALERT_RULE_RISK_SCORE}","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`, + body: `{"aggs":{"alertsByGrouping":{"terms":{"field":"${ALERT_RISK_SCORE}","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`, method: 'POST', signal: abortCtrl.signal, }); 
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
index 0d4a88e5e472b..aaff381aa3c9e 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts
@@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { HostIsolationResponse } from '../../../../../common/endpoint/types/actions'; import { AlertSearchResponse, AlertsIndex, Privilege, CasesFromAlertsResponse } from './types';
@@ -950,7 +950,7 @@ export const mockAlertsQuery: object = { aggs: { alertsByGrouping: { terms: { - field: ALERT_RULE_RISK_SCORE, + field: ALERT_RISK_SCORE, missing: 'All others', order: { _count: 'desc' }, size: 10,
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
index e3cf7fed14abd..4b650271bdf4a 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
@@ -86,92 +86,94 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + 
"kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -324,147 +326,149 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], - }, - }, - "source": Object { - "ip": Array [ - "192.168.0.1", - ], - "port": Array [ - 80, - ], - }, - "timestamp": "2018-11-05T19:03:25.937Z", - "user": Object { - "id": Array [ - "1", - ], - "name": Array [ - "john.dee", - ], - }, - }, - "eventId": "my-id", - "indexName": "my-index", - } - } - isAlert={false} - loading={true} - timelineId="test" - timelineTabType="query" - > - - - - - - - - - + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ 
+ "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, + }, + }, + "source": Object { + "ip": Array [ + "192.168.0.1", + ], + "port": Array [ + 80, + ], + }, + "timestamp": "2018-11-05T19:03:25.937Z", + "user": Object { + "id": Array [ + "1", + ], + "name": Array [ + "john.dee", + ], + }, + }, + "eventId": "my-id", + "indexName": "my-index", + } + } + isAlert={false} + loading={true} + timelineId="test" + timelineTabType="query" + > + + + + + + + + + 
@@ -626,122 +630,124 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], - }, - }, - "source": Object { - "ip": Array [ - "192.168.0.1", - ], - "port": Array [ - 80, - ], - }, - "timestamp": "2018-11-05T19:03:25.937Z", - "user": Object { - "id": Array [ - "1", - ], - "name": Array [ - "john.dee", - ], - }, - }, - "eventId": "my-id", - "indexName": "my-index", - } - } - handleOnEventClosed={[Function]} - isFlyoutView={true} - tabType="query" - timelineId="test" - > - +
- - - - - - - - - + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, + }, + }, + "source": Object { + "ip": Array [ + "192.168.0.1", + ], + "port": Array [ + 80, + ], + }, + "timestamp": "2018-11-05T19:03:25.937Z", + "user": Object { + "id": Array [ + "1", + ], + "name": Array [ + "john.dee", + ], + }, + }, + "eventId": "my-id", + "indexName": "my-index", + } + } + isAlert={false} + loading={true} + timelineId="test" + timelineTabType="flyout" + > + + + + + + + + + 
@@ -1097,92 +1105,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1275,92 +1285,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1485,92 +1497,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1700,92 +1714,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1956,92 +1972,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -2134,92 +2152,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx index add2cdc6c1b25..d0366affa9a2f 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx @@ -9,7 +9,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { columnRenderers } from '../body/renderers'; import { getColumnRenderer } from '../body/renderers/get_column_renderer'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; 
@@ -27,7 +27,7 @@ const mockImplementation = { }; describe('DefaultCellRenderer', () => { - const columnId = ALERT_RULE_RISK_SCORE; + const columnId = ALERT_RISK_SCORE; const eventId = '_id-123'; const isDetails = true; const isExpandable = true; diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx index 7f3033ec4b14e..e7bbe86f90d37 100644 --- a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx +++ b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; import { DragEffects, DraggableWrapper, @@ -110,7 +110,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [ name: `${riskScore}`, kqlQuery: '', queryMatch: { - field: ALERT_RULE_RISK_SCORE, + field: ALERT_RISK_SCORE, value: riskScore, operator: IS_OPERATOR, }, diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx index 10178389370f4..eeba41c04cf53 100644 --- a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx +++ b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { DragEffects, DraggableWrapper, 
@@ -122,7 +122,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index c1db4b3f730d7..8391d490162df 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -27,7 +27,6 @@
 "signal.original_event.type": "kibana.alert.original_event.type",
 "signal.original_time": "kibana.alert.original_time",
 "signal.reason": "kibana.alert.reason",
- "signal.risk_score": "kibana.alert.risk_score",
 "signal.rule.author": "kibana.alert.rule.author",
 "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
 "signal.rule.created_at": "kibana.alert.rule.created_at",
@@ -47,14 +46,14 @@
 "signal.rule.note": "kibana.alert.rule.note",
 "signal.rule.query": "kibana.alert.rule.query",
 "signal.rule.references": "kibana.alert.rule.references",
- "signal.rule.risk_score": "kibana.alert.rule.risk_score",
+ "signal.rule.risk_score": "kibana.alert.risk_score",
 "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
 "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
 "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
 "signal.rule.rule_id": "kibana.alert.rule.rule_id",
 "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
 "signal.rule.saved_id": "kibana.alert.rule.saved_id",
- "signal.rule.severity": "kibana.alert.rule.severity",
+ "signal.rule.severity": "kibana.alert.severity",
 "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
 "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
 "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
@@ -86,7 +85,6 @@
 "signal.rule.updated_at": "kibana.alert.rule.updated_at",
 "signal.rule.updated_by": "kibana.alert.rule.updated_by",
 "signal.rule.version": "kibana.alert.rule.version",
- "signal.severity": "kibana.alert.severity",
 "signal.status": "kibana.alert.workflow_status",
 "signal.threshold_result.from": "kibana.alert.threshold_result.from",
 "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
index e9fa0acda988d..0b70d7bc06d0a 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
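Review bot: The `@@ -47` hunk re-points `signal.rule.risk_score` and `signal.rule.severity` at `kibana.alert.risk_score` / `kibana.alert.severity`, while the surrounding hunks delete the `signal.risk_score` and `signal.severity` entries that used to map to those same targets, so two legacy fields that were distinct (the rule's configured value and, going by the neighbouring `risk_score_mapping` / `severity_mapping` entries, the per-alert override-applied value) now collapse onto one name and the per-alert legacy names lose their mapping altogether. If this table drives the legacy `signal.*` compatibility layer for alerts-as-data, any saved search, exception or timeline filter still written against `signal.risk_score` or `signal.severity` will match nothing, silently, rather than fail, which for detection content means alerts quietly escaping a filter. Unless the intent is to retire those names, keeping them as additional aliases to the same target is cheap: `"signal.risk_score": "kibana.alert.risk_score",` and `"signal.severity": "kibana.alert.severity",`. Either way the PR description should call out that a `signal.rule.risk_score` lookup now returns the override-applied value.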
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -40,7 +40,7 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
@@ -53,7 +53,7 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
index 270ac25780749..1f689dfdae255 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import {
 ALERT_RULE_THREAT_TACTIC_NAME,
@@ -44,7 +44,7 @@ export const buildHostTacticsQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 tactic: {
@@ -59,7 +59,7 @@ export const buildHostTacticsQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 },
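Review bot: The `sum` aggregations in `buildHostRulesQuery` and `buildHostTacticsQuery` now total `ALERT_RISK_SCORE`, which per the `signal_aad_mapping.json` hunk in this patch resolves to `kibana.alert.risk_score` rather than the rule-level `kibana.alert.rule.risk_score`, so the UEBA risk figures change meaning even though the diff reads like a rename. That is presumably intended, since it makes per-rule risk-score overrides count towards the entity total, but nothing in the query records it and the two constant names alone do not make the distinction obvious; a one-line comment above each aggregation would keep the next reader from "fixing" it back: `// sum the per-alert risk score (override-applied), not the rule's configured default`. The same applies to the two aggregations in `buildUserRulesQuery` in the following hunks. The bodies of these query builders start and end outside the hunks.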
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
index 62da0a7c6ec26..2f52f052889d9 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -49,7 +49,7 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
@@ -62,7 +62,7 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
index 130e0ae1abd6a..e13d34b71d89d 100644
--- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
@@ -10,11 +10,11 @@ import {
 ALERT_RULE_FROM,
 ALERT_RULE_TO,
 ALERT_RULE_RULE_ID,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_NAME,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_TAGS,
 ALERT_RULE_TYPE,
 ALERT_RULE_ENABLED,
@@ -344,12 +344,12 @@ export const alertFieldsMap: Readonly> = {
 [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID,
 [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES,
 [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS,
- [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE,
+ [ALERT_RISK_SCORE]: ALERT_RISK_SCORE,
 [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION,
 [ALERT_RULE_NAME]: ALERT_RULE_NAME,
 [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE,
 [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES,
- [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY,
+ [ALERT_SEVERITY]: ALERT_SEVERITY,
 [ALERT_RULE_TAGS]: ALERT_RULE_TAGS,
 [ALERT_RULE_THREAT]: ALERT_RULE_THREAT,
 [ALERT_RULE_TYPE]: ALERT_RULE_TYPE,
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index dc949861b4128..c937c803750b5 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -16,9 +16,9 @@ import {
 ALERT_RULE_NAME,
 ALERT_RULE_NOTE,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
@@ -228,10 +228,10 @@ export const allowSorting = ({
 ALERT_RULE_NOTE,
 ALERT_RULE_QUERY,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_SAVED_ID,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_SIZE,
 ALERT_RULE_TAGS,
 ALERT_RULE_THREAT,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
index 73435cf9b3199..6f1cae70f950e 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -12,8 +12,8 @@ import {
 ALERT_RULE_UUID,
 ALERT_RULE_TYPE,
 ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_RISK_SCORE,
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
 ALERT_RULE_NOTE,
 ALERT_REASON,
 ALERT_WORKFLOW_STATUS,
@@ -87,8 +87,8 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_ORIGINAL_EVENT_KIND,
 ALERT_ORIGINAL_EVENT_MODULE,
 ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_RISK_SCORE,
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
 ALERT_THRESHOLD_RESULT,
 ALERT_WORKFLOW_STATUS,
 'event.code',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
index 0e1123512eb36..f1d0ece6f8176 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
@@ -9,9 +9,9 @@ import {
 ALERT_RULE_FROM,
 ALERT_RULE_TYPE,
 ALERT_RULE_UUID,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_WORKFLOW_STATUS,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_VERSION,
 ALERT_RULE_NAME,
 ALERT_RULE_TO,
@@ -287,11 +287,11 @@ describe('#formatTimelineData', () => {
 [ALERT_RULE_QUERY]: ['_id :*'],
 [ALERT_RULE_TYPE]: ['threshold'],
 [ALERT_RULE_UUID]: ['696c24e0-526d-11eb-836c-e1620268b945'],
- [ALERT_RULE_RISK_SCORE]: [21],
+ [ALERT_RISK_SCORE]: [21],
 [ALERT_WORKFLOW_STATUS]: ['open'],
 'event.kind': ['signal'],
 [ALERT_ORIGINAL_TIME]: ['2021-01-09T13:39:32.595Z'],
- [ALERT_RULE_SEVERITY]: ['low'],
+ [ALERT_SEVERITY]: ['low'],
 [ALERT_RULE_VERSION]: ['1'],
 [ALERT_RULE_INDEX]: [
 'apm-*-transaction*',
@@ -341,7 +341,9 @@ describe('#formatTimelineData', () => {
 kibana: {
 alert: {
 original_time: ['2021-01-09T13:39:32.595Z'],
+ risk_score: ['21'],
 workflow_status: ['open'],
+ severity: ['low'],
 threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
 rule: {
 building_block_type: [],
@@ -360,9 +362,7 @@ describe('#formatTimelineData', () => { ], language: ['kuery'], name: ['Threshold test'], - risk_score: ['21'], query: ['_id :*'], - severity: ['low'], to: ['now'], type: ['threshold'], version: ['1'], From d1bdecfad947e1d253aa5a11fec84108ff14cc76 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 24 Aug 2021 16:48:20 -0400 Subject: [PATCH 23/26] fix cypress tests --- .../detection_rules/custom_query_rule.spec.ts | 14 ++++++++++---- .../detection_rules/override.spec.ts | 19 ++++++++++--------- .../detection_rules/threshold_rule.spec.ts | 14 ++++++++++---- .../factories/utils/build_alert.test.ts | 2 +- .../rule_types/factories/utils/build_alert.ts | 4 ++-- .../timelines/common/alerts/constants.ts | 11 ----------- .../timelines/public/hooks/use_add_to_case.ts | 4 ++-- .../timeline/factory/events/all/constants.ts | 1 + 8 files changed, 36 insertions(+), 33 deletions(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts index 9ee80636fab2e..6c5becdd7092d 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts @@ -13,7 +13,13 @@ import { getEditedRule, getNewOverrideRule, } from '../../objects/rule'; -import { ALERT_GRID_CELL, NUMBER_OF_ALERTS } from '../../screens/alerts'; +import { + ALERT_GRID_CELL, + ALERT_RISK_SCORE, + ALERT_RULE_NAME, + ALERT_SEVERITY, + NUMBER_OF_ALERTS, +} from '../../screens/alerts'; import { CUSTOM_RULES_BTN, 
@@ -215,9 +221,9 @@ describe('Custom detection rules creation', () => {
 waitForAlertsToPopulate();
 cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-cy.get(ALERT_GRID_CELL).eq(3).contains(this.rule.name);
-cy.get(ALERT_GRID_CELL).eq(4).contains(this.rule.severity.toLowerCase());
-cy.get(ALERT_GRID_CELL).eq(5).contains(this.rule.riskScore);
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains(this.rule.name);
+cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains(this.rule.severity.toLowerCase());
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains(this.rule.riskScore);
 });
 });
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 540d5da61dae2..a2a1cc520e5cd 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -5,7 +5,6 @@
 * 2.0.
 */
-import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import {
 getIndexPatterns,
@@ -14,7 +13,13 @@ import {
 OverrideRule,
 } from '../../objects/rule';
-import { NUMBER_OF_ALERTS, ALERT_GRID_CELL } from '../../screens/alerts';
+import {
+ NUMBER_OF_ALERTS,
+ ALERT_GRID_CELL,
+ ALERT_RISK_SCORE,
+ ALERT_RULE_NAME,
+ ALERT_SEVERITY,
+} from '../../screens/alerts';
 import {
 CUSTOM_RULES_BTN,
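Review bot: The rewritten assertions no longer tie the three values to one row: `cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains(this.rule.name)` matches that field in any rendered alert row, whereas the removed `.eq(3)`/`.eq(4)`/`.eq(5)` read three cells of the same first row. For this spec every alert comes from the single rule under test, so the weakening is probably harmless, but the same pattern in threshold_rule.spec.ts and override.spec.ts (later hunks of this patch), where severity and risk score are overridden per document, passes as long as some row shows 'critical' and some other row shows '80'. If row-level correlation is intended, scope the three `contains` calls inside one row with `.within()` or keep indexing `ALERT_GRID_CELL` as before. The enclosing `it` block starts outside the hunk.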
@@ -188,12 +193,8 @@ describe('Detection rules, override', () => {
 waitForAlertsToPopulate();
 cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-cy.get(ALERT_GRID_CELL).eq(3).contains('auditbeat');
-cy.get(ALERT_GRID_CELL).eq(4).contains('critical');
-
- // TODO: Is this necessary?
- // sortRiskScore();
-
- cy.get(ALERT_GRID_CELL).eq(5).contains('80');
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains('auditbeat');
+cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains('critical');
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains('80');
 });
 });
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts
index 7bfc9631f7269..1b991bfe4e2a3 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts
@@ -13,7 +13,13 @@ import {
 ThresholdRule,
 } from '../../objects/rule';
-import { ALERT_GRID_CELL, NUMBER_OF_ALERTS } from '../../screens/alerts';
+import {
+ ALERT_GRID_CELL,
+ ALERT_RISK_SCORE,
+ ALERT_RULE_NAME,
+ ALERT_SEVERITY,
+ NUMBER_OF_ALERTS,
+} from '../../screens/alerts';
 import {
 CUSTOM_RULES_BTN,
@@ -171,9 +177,9 @@ describe('Detection rules, threshold', () => {
 waitForAlertsToPopulate();
 cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.lt(100));
-cy.get(ALERT_GRID_CELL).eq(3).contains(rule.name);
-cy.get(ALERT_GRID_CELL).eq(4).contains(rule.severity.toLowerCase());
-cy.get(ALERT_GRID_CELL).eq(5).contains(rule.riskScore);
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains(rule.name);
+cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains(rule.severity.toLowerCase());
+cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains(rule.riskScore);
 });
 it('Preview results of keyword using "host.name"', () => {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
index 09f35e279a244..ed0ff92969e5e 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
@@ -33,7 +33,7 @@ import {
 ALERT_ANCESTORS,
 ALERT_ORIGINAL_EVENT,
 ALERT_ORIGINAL_TIME,
-} from '../../field_maps/field_names';
+} from '../../../../../../../timelines/common/alerts';
 import { SERVER_APP_ID } from '../../../../../../common/constants';
 type SignalDoc = SignalSourceHit & {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
index eea85ba26faf8..701d63bc35b75 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -25,13 +25,13 @@ import {
 import { invariant } from '../../../../../../common/utils/invariant';
 import { RACAlert } from '../../types';
 import { flattenWithPrefix } from './flatten_with_prefix';
+import { SERVER_APP_ID } from '../../../../../../common/constants';
 import {
 ALERT_ANCESTORS,
 ALERT_DEPTH,
 ALERT_ORIGINAL_EVENT,
 ALERT_ORIGINAL_TIME,
-} from '../../field_maps/field_names';
-import { SERVER_APP_ID } from '../../../../../../common/constants';
+} from '../../../../../../../timelines/common/alerts';
 /**
 * Takes an event document and extracts the information needed for the corresponding entry in the child
diff --git a/x-pack/plugins/timelines/common/alerts/constants.ts b/x-pack/plugins/timelines/common/alerts/constants.ts
index 4e5dda1441056..a95c8254aa446 100644
--- a/x-pack/plugins/timelines/common/alerts/constants.ts
+++ b/x-pack/plugins/timelines/common/alerts/constants.ts
@@ -12,17 +12,6 @@ import {
 } from '@kbn/rule-data-utils';
 import { ValuesType } from 'utility-types';
-// TODO: Replace the below located in: x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/field_maps/field_names.ts
-
-// export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors`;
-// export const ALERT_DEPTH = `${ALERT_NAMESPACE}.depth`;
-// export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event`;
-// export const ALERT_ORIGINAL_TIME = `${ALERT_NAMESPACE}.original_time`;
-
-/**
- * This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package
- */
-
 // Cast to `as const` to preserve the exact string value when using as a type rather than a value
 export const ALERT_ANCESTORS = `${ALERT_NAMESPACE}.ancestors` as const;
 export const ALERT_ANCESTORS_DEPTH = `${ALERT_ANCESTORS}.depth` as const;
diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
index 0313cd18b947b..0b77985be7170 100644
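Review bot: `'../../../../../../../timelines/common/alerts'` reaches across the plugin boundary with a seven-level relative path, and build_alert.test.ts in the preceding hunk does the same, while endpoint_alert_check.test.ts later in this series pulls the same constants from the timelines plugin's `common` index (`'../../../../timelines/common'`). Importing from one entry point, the plugin's `common` index or a `@kbn/*` package if these constants move there, keeps a single import surface and survives file moves inside the timelines plugin. A one-line comment above the import saying why these field names now live in timelines rather than in this plugin's field_maps would help the next reader, since the hunk otherwise only reorders imports.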
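Review bot: The removed block takes the file's only purpose comment (`/** This file contains the security solution specific Alert fields not contained in the @kbn/rule-data-utils package */`) along with the stale TODO; that header is still accurate for the `as const` exports that follow and should stay. Only the `// TODO: Replace the below located in: ...field_names.ts` line and the four commented-out exports are obsolete now that build_alert.ts imports from here. Since this patch makes both timelines and security_solution consume these constants, the retained comment could also state that this module is the shared owner of the `kibana.alert.*` ancestor/depth/original_* field names.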
--- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
+++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
@@ -8,7 +8,7 @@ import { get, isEmpty } from 'lodash/fp';
 import { useState, useCallback, useMemo, SyntheticEvent } from 'react';
 import { useLocation } from 'react-router-dom';
 import { useDispatch } from 'react-redux';
-import { ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RULE_UUID, ALERT_UUID } from '@kbn/rule-data-utils';
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { Case, SubCase } from '../../../cases/common';
 import { TimelinesStartServices } from '../types';
@@ -120,7 +120,7 @@ export const useAddToCase = ({
 const isAlert = useMemo(() => {
 if (event !== undefined) {
 const data = [...event.data];
- return data.some(({ field }) => field === 'kibana.alert.uuid');
+ return data.some(({ field }) => field === ALERT_UUID);
 } else {
 return false;
 }
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
index 6f1cae70f950e..6e61055f1582a 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -245,6 +245,7 @@ export const TIMELINE_EVENTS_FIELDS = [
 'process.executable',
 'process.title',
 'process.working_directory',
+ 'signal.rule.threshold',
 'zeek.session_id',
 'zeek.connection.local_resp',
 'zeek.connection.local_orig',
From 2d157fa5cbaa0943394aba41ad8917b7fad13e1c Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Wed, 25 Aug 2021 08:29:38 -0400 Subject: [PATCH 24/26] fix cypress test --- .../cypress/integration/detection_rules/override.spec.ts | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
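Review bot: `'signal.rule.threshold'` adds a legacy `signal.*` field to TIMELINE_EVENTS_FIELDS as a bare string literal, in a series whose other hunks replace `signal.*` strings with `ALERT_*` constants (the same array already lists `ALERT_THRESHOLD_RESULT` in an earlier patch). If the intent is to keep reading threshold settings from pre-migration signal documents, a comment such as `// legacy signal document field, kept while old signals are still queried` next to it would stop the next cleanup from dropping it, and the `kibana.alert.rule.*` equivalent, if one exists, should be listed beside it so both document generations return the same data. The array's start and end are outside the hunk.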
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index a2a1cc520e5cd..94e713e1af5d5 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import {
 getIndexPatterns,
@@ -16,7 +17,7 @@ import {
 import {
 NUMBER_OF_ALERTS,
 ALERT_GRID_CELL,
- ALERT_RISK_SCORE,
+ ALERT_RISK_SCORE as ALERT_RISK_SCORE_FIELD,
 ALERT_RULE_NAME,
 ALERT_SEVERITY,
 } from '../../screens/alerts';
@@ -195,6 +196,6 @@ describe('Detection rules, override', () => {
 cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
 cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains('auditbeat');
 cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains('critical');
- cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains('80');
+ cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE_FIELD}`).contains('80');
 });
 });
From 551629f9819f4e4c5c12fa1b538ca5b5ce16f6bb Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Wed, 25 Aug 2021 09:42:29 -0400 Subject: [PATCH 25/26] pr feedback --- .../common/ecs/kibana/index.ts | 2 + .../common/ecs/rule/index.ts | 1 - .../cypress/screens/alerts.ts | 2 +- .../components/exceptions/helpers.test.tsx | 4 +- .../common/components/exceptions/helpers.tsx | 2 +- .../common/mock/mock_detection_alerts.ts | 3 +- .../alerts_table/default_config.tsx | 2 +- .../timeline_actions/alert_context_menu.tsx | 5 +- .../rules/use_rule_with_fallback.tsx | 6 +- .../__snapshots__/index.test.tsx.snap | 90 ++++++++++++------- .../timelines/common/ecs/rule/index.ts | 1 - 11 files changed, 75 insertions(+), 43 deletions(-)
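Review bot: `ALERT_RISK_SCORE as ALERT_RISK_SCORE_FIELD` labels the DOM selector exported by screens/alerts as the "field", while the re-imported `ALERT_RISK_SCORE` from @kbn/rule-data-utils is the actual document field name, so the two identifiers read backwards. Aliasing the selector as `ALERT_RISK_SCORE_SELECTOR`, or renaming the export in screens/alerts.ts so it stops colliding with the rule-data-utils constant, would make `cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE_FIELD}`)` self-explanatory. The use of the rule-data-utils import is outside this hunk, so I assume it is still needed elsewhere in the file; if not, the first hunk of this patch simply reverts the removal made in the previous patch.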
diff --git a/x-pack/plugins/security_solution/common/ecs/kibana/index.ts b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts index 5e36da400ccaf..95fba085d43e6 100644 --- a/x-pack/plugins/security_solution/common/ecs/kibana/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/kibana/index.ts @@ -9,6 +9,8 @@ import { RuleEcs } from '../rule'; export interface KibanaEcs { alert?: { + risk_score?: string[]; + severity?: string[]; rule?: RuleEcs; original_time?: string[]; status?: string[]; diff --git a/x-pack/plugins/security_solution/common/ecs/rule/index.ts b/x-pack/plugins/security_solution/common/ecs/rule/index.ts index bb12596c765b4..d8003b7b0cc2b 100644 --- a/x-pack/plugins/security_solution/common/ecs/rule/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/rule/index.ts @@ -6,7 +6,6 @@ */ export interface RuleEcs { - id?: string[]; rule_id?: string[]; uuid?: string[]; name?: string[]; diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts index 7820c7340896e..d93b1e5e25a0f 100644 --- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts +++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts @@ -19,7 +19,7 @@ export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]'; export const ALERT_ID = '[data-test-subj="draggable-content-_id"]'; export const ALERT_RISK_SCORE_HEADER = - '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]'; + '[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]'; export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]'; diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx index c780be736d37a..42a8a7e4d0e03 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx 
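Review bot: The new `risk_score?: string[]` and `severity?: string[]` members on `KibanaEcs.alert` carry no comment, and their type is not self-evident: helpers.test.ts earlier in this series feeds `[ALERT_RISK_SCORE]: [21]` (a number) into the timeline formatter and expects `risk_score: ['21']` back, so `string[]` describes the formatted output rather than the indexed value. A short note such as `// formatted values: risk_score is numeric in the index but arrives stringified from the timeline formatter` would stop a consumer from comparing it numerically without `Number()`. The interface is declared inside the hunk but its body continues past it.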
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx @@ -1264,7 +1264,7 @@ describe('Exception helpers', () => { const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', { _id: '123', rule: { - id: '123', + uuid: '123', }, process: { command_line: 'command_line', @@ -1451,7 +1451,7 @@ describe('Exception helpers', () => { const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', { _id: '123', rule: { - id: '123', + uuid: '123', }, process: { // command_line: 'command_line', intentionally left commented diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 1f1ad1fc1a6b4..fb98fe694ecc9 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -675,7 +675,7 @@ export const getPrepopulatedBehaviorException = ({ field: 'rule.id', operator: 'included' as const, type: 'match' as const, - value: alertEcsData.rule?.id ?? '', + value: alertEcsData.rule?.uuid ?? '', }, { field: 'process.executable.caseless', diff --git a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts index 304c3b95589b4..ec9dbe894c322 100644 --- a/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts +++ b/x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts @@ -41,6 +41,8 @@ export const mockEcsDataWithAlert: Ecs = { }, kibana: { alert: { + risk_score: ['21'], + severity: ['low'], rule: { created_at: ['2020-01-10T21:11:45.839Z'], updated_at: ['2020-01-10T21:11:45.839Z'], 
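Review bot: `value: alertEcsData.rule?.uuid ?? ''` now fills an entry whose `field` is still `'rule.id'`, so the pairing reads like a mismatch to anyone who did not follow the `id` → `uuid` rename in RuleEcs in this patch. A comment on the entry, e.g. `// the endpoint's rule.id is the detection rule's uuid`, would record that the endpoint-side field name intentionally differs from the ECS property it is sourced from. Separately, an alert with no rule uuid still yields an `included`/`match` entry against the empty string; that is pre-existing behaviour, not introduced here, but a guard may be worth adding outside this hunk. The enclosing `getPrepopulatedBehaviorException` starts and ends outside the hunk.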
@@ -50,7 +52,6 @@ export const mockEcsDataWithAlert: Ecs = { false_positives: ['test-1'], filters: [], from: ['now-300s'], - id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], immutable: [false], index: ['auditbeat-*'], interval: ['5m'], diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index d49a6e990e17f..eab3e5f6d621c 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -240,7 +240,7 @@ export const requiredFieldMappingsForActionsRuleRegistry = { 'alert.start': ALERT_START, 'alert.uuid': ALERT_UUID, 'event.action': 'event.action', - 'alert.status': ALERT_WORKFLOW_STATUS, + 'alert.workflow_status': ALERT_WORKFLOW_STATUS, 'alert.duration.us': ALERT_DURATION, 'rule.uuid': ALERT_RULE_UUID, 'rule.name': ALERT_RULE_NAME, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx index c5fe010cbc5ce..7a8c366515afb 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.tsx 
@@ -12,6 +12,7 @@ import { indexOf } from 'lodash';
 import { ExceptionListType } from '@kbn/securitysolution-io-ts-list-types';
 import { get, getOr } from 'lodash/fp';
+import { ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 import { buildGetAlertByIdQuery } from '../../../../common/components/exceptions/helpers';
 import { EventsTdContent } from '../../../../timelines/components/timeline/styles';
 import { DEFAULT_ICON_BUTTON_WIDTH } from '../../../../timelines/components/timeline/helpers';
@@ -67,8 +68,8 @@ const AlertContextMenuComponent: React.FC = ({
 const afterItemSelection = useCallback(() => { setPopover(false); }, []);
- const ruleId = get(0, ecsRowData?.kibana?.alert?.rule?.uuid);
- const ruleName = get(0, ecsRowData?.kibana?.alert?.rule?.name);
+ const ruleId = getOr([], ALERT_RULE_UUID, ecsRowData);
+ const ruleName = getOr([], ALERT_RULE_NAME, ecsRowData);
 const { timelines: timelinesUi } = useKibana().services;
 const { addToCaseActionProps, addToCaseActionItems } = useAddToCaseActions({
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
index 2d44ff05d711e..8271fddd0b0ad 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_with_fallback.tsx
@@ -29,10 +29,10 @@ interface AlertHit {
 _index: string;
 _source: {
 '@timestamp': string;
- signal: {
+ signal?: {
 rule: Rule;
 };
- kibana: {
+ kibana?: {
 alert: {
 rule: Rule;
 };
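Review bot: `const ruleId = getOr([], ALERT_RULE_UUID, ecsRowData);` changes the value's shape: the removed `get(0, ecsRowData?.kibana?.alert?.rule?.uuid)` yielded the first string (or undefined), whereas `getOr` with the dotted path returns the whole `string[]` from the nested Ecs object, or `[]` when the path is absent, and the same applies to `ruleName` on the next line. Unless the consumers of `ruleId`/`ruleName` further down the component (outside the hunk) were updated to accept arrays, a rule id of `[]` or `['<uuid>']` now reaches them; keeping the first-element extraction, e.g. `const ruleId = get(0, getOr([], ALERT_RULE_UUID, ecsRowData));`, preserves the previous contract and the `[]` default could then become `undefined`. If `get` has no remaining use after this change, drop it from the `lodash/fp` import in the first hunk. The component body starts and ends outside the hunk.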
@@ -86,7 +86,7 @@ export const useRuleWithFallback = (ruleId: string): UseRuleWithFallback => { if (result === null) { result = alertsData?.hits.hits[0]?._source.signal ? alertsData?.hits.hits[0]?._source.signal.rule - : alertsData?.hits.hits[0]?._source.kibana.alert.rule; + : alertsData?.hits.hits[0]?._source.kibana?.alert.rule; } if (result) { return transformInput(result); diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap index 4b650271bdf4a..055e73f9f5dda 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap @@ -88,6 +88,9 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -108,9 +111,6 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -174,6 +174,9 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -328,6 +331,9 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -348,9 +354,6 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], 
@@ -414,6 +417,9 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -632,6 +638,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -652,9 +661,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -718,6 +724,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -849,6 +858,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -869,9 +881,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -935,6 +944,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -1107,6 +1119,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -1127,9 +1142,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -1193,6 +1205,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -1287,6 +1302,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -1307,9 +1325,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -1373,6 +1388,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { 
@@ -1499,6 +1517,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -1519,9 +1540,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -1585,6 +1603,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -1716,6 +1737,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -1736,9 +1760,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -1802,6 +1823,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -1974,6 +1998,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -1994,9 +2021,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -2060,6 +2084,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { @@ -2154,6 +2181,9 @@ Array [ }, "kibana": Object { "alert": Object { + "risk_score": Array [ + "21", + ], "rule": Object { "created_at": Array [ "2020-01-10T21:11:45.839Z", @@ -2174,9 +2204,6 @@ Array [ "from": Array [ "now-300s", ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], "immutable": Array [ false, ], @@ -2240,6 +2267,9 @@ Array [ "1", ], }, + "severity": Array [ + "low", + ], }, }, "source": Object { diff --git a/x-pack/plugins/timelines/common/ecs/rule/index.ts b/x-pack/plugins/timelines/common/ecs/rule/index.ts index bb12596c765b4..d8003b7b0cc2b 100644 --- a/x-pack/plugins/timelines/common/ecs/rule/index.ts +++ b/x-pack/plugins/timelines/common/ecs/rule/index.ts 
@@ -6,7 +6,6 @@ */ export interface RuleEcs { - id?: string[]; rule_id?: string[]; uuid?: string[]; name?: string[]; From 756470a7c08e2e48993ab2533b3aff83b4d9031a Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Thu, 9 Sep 2021 07:48:19 -0400 Subject: [PATCH 26/26] fix tests and types --- .../alert_summary_view.test.tsx.snap | 24 +++++++++---------- .../common/utils/endpoint_alert_check.test.ts | 12 ++++++---- .../t_grid/event_rendered_view/index.tsx | 2 +- 3 files changed, 21 insertions(+), 17 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap index 990f894504cc1..a045bf3f5163c 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap @@ -157,7 +157,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.status. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.workflow_status. Press tab to navigate options. Press escape to exit.

@@ -289,7 +289,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.name. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.rule.name. Press tab to navigate options. Press escape to exit.

@@ -353,7 +353,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.severity. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.

@@ -417,7 +417,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`

- You are in a dialog, containing options for field signal.rule.risk_score. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts index 97e78e62e6cd4..1ccc93c594a34 100644 --- a/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts +++ b/x-pack/plugins/security_solution/public/common/utils/endpoint_alert_check.test.ts @@ -7,6 +7,10 @@ import { ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import _ from 'lodash'; +import { + ALERT_ORIGINAL_EVENT_KIND, + ALERT_ORIGINAL_EVENT_MODULE, +} from '../../../../timelines/common'; import { Ecs } from '../../../common/ecs'; import { generateMockDetailItemData } from '../mock'; import { isAlertFromEndpointAlert, isAlertFromEndpointEvent } from './endpoint_alert_check'; @@ -58,8 +62,8 @@ describe('isAlertFromEndpointAlert', () => { it('should return true if detections data comes from an endpoint rule', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.module': ['endpoint'], - 'signal.original_event.kind': ['alert'], + [ALERT_ORIGINAL_EVENT_MODULE]: ['endpoint'], + [ALERT_ORIGINAL_EVENT_KIND]: ['alert'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBe(true); }); @@ -71,7 +75,7 @@ describe('isAlertFromEndpointAlert', () => { it('should return false if it is not an Alert', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.module': ['endpoint'], + [ALERT_ORIGINAL_EVENT_MODULE]: ['endpoint'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBeFalsy(); }); @@ -79,7 +83,7 @@ describe('isAlertFromEndpointAlert', () => { it('should return false if it is not an endpoint module', () => { const mockEcsData = { _id: 'mockId', - 'signal.original_event.kind': ['alert'], + [ALERT_ORIGINAL_EVENT_KIND]: ['alert'], } as Ecs; expect(isAlertFromEndpointAlert({ ecsData: mockEcsData })).toBeFalsy(); }); 
diff --git a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx index 7215c8007db9c..47179fb683e48 100644 --- a/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx +++ b/x-pack/plugins/timelines/public/components/t_grid/event_rendered_view/index.tsx @@ -15,7 +15,7 @@ import { EuiHorizontalRule, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { ALERT_REASON, ALERT_RULE_NAME, ALERT_RULE_UUID, TIMESTAMP } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils'; import { get } from 'lodash'; import moment from 'moment'; import React, { ComponentType, useCallback, useMemo } from 'react';