diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index 16b9ba91b96f2..c6edd30549a76 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -55,12 +55,8 @@ const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
-const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
-const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
-const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
@@ -114,12 +110,8 @@ const fields = {
ALERT_RULE_NOTE,
ALERT_RULE_PARAMETERS,
ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
@@ -171,11 +163,8 @@ export {
ALERT_RULE_NOTE,
ALERT_RULE_PARAMETERS,
ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
@@ -183,7 +172,6 @@ export {
ALERT_RULE_UPDATED_AT,
ALERT_RULE_UPDATED_BY,
ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
ALERT_SEVERITY,
ALERT_START,
ALERT_SYSTEM_STATUS,
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index 412b69210b04d..08840b1862dbb 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -40,16 +40,6 @@ export const technicalRuleFieldMap = {
array: false,
required: false,
},
- [Fields.ALERT_RULE_SEVERITY]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [Fields.ALERT_RULE_RISK_SCORE]: {
- type: 'float',
- array: false,
- required: false,
- },
[Fields.ALERT_RISK_SCORE]: {
type: 'float',
array: false,
@@ -150,26 +140,6 @@ export const technicalRuleFieldMap = {
array: true,
required: false,
},
- [Fields.ALERT_RULE_RISK_SCORE_MAPPING]: {
- type: 'object',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.field`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.operator`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.value`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
[Fields.ALERT_RULE_RULE_ID]: {
type: 'keyword',
array: false,
@@ -180,31 +150,6 @@ export const technicalRuleFieldMap = {
array: false,
required: false,
},
- [Fields.ALERT_RULE_SEVERITY_MAPPING]: {
- type: 'object',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.field`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.operator`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.value`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.severity`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
[Fields.ALERT_RULE_TAGS]: {
type: 'keyword',
array: true,
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
index 2ed92232c0db1..d787b13800718 100644
--- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
@@ -57,7 +57,7 @@ const esFieldTypeMap = {
float: t.union([t.number, NumberFromString]),
scaled_float: t.union([t.number, NumberFromString]),
unsigned_long: t.union([t.number, NumberFromString]),
- flattened: t.record(t.string, t.array(t.string)),
+ flattened: t.UnknownRecord,
};
type EsFieldTypeMap = typeof esFieldTypeMap;
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
index cdc39a7597386..b142555d8a3d7 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@@ -11,7 +11,7 @@ import {
ALERT_RULE_CONSUMER,
ALERT_RULE_NAME,
ALERT_RULE_PRODUCER,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
ALERT_RULE_TYPE_ID,
ALERT_RULE_UUID,
ALERT_STATUS,
@@ -35,7 +35,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_RULE_NAME]: 'Check error rate',
[ALERT_RULE_PRODUCER]: 'apm',
- [ALERT_RULE_RISK_SCORE]: 20,
+ [ALERT_RISK_SCORE]: 20,
[ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
[ALERT_RULE_UUID]: 'fake-rule-uuid',
[ALERT_STATUS]: ALERT_STATUS_ACTIVE,
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
index 92e501e5a2bd3..c4709d857d5d0 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -14,8 +14,8 @@ import {
import {
ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
NUMBER_OF_ALERTS,
} from '../../screens/alerts';
import {
@@ -505,12 +505,10 @@ describe('indicator match', () => {
cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
- cy.get(ALERT_RULE_SEVERITY)
+ cy.get(ALERT_SEVERITY)
.first()
.should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
- cy.get(ALERT_RULE_RISK_SCORE)
- .first()
- .should('have.text', getNewThreatIndicatorRule().riskScore);
+ cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
});
it.skip('Investigate alert in timeline', () => {
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 92c6216f44847..8b67fb198495a 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
'have.text',
- `${this.rule.riskOverride}kibana.alert.rule.risk_score`
+ `${this.rule.riskOverride}kibana.alert.risk_score`
);
getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
getDetails(REFERENCE_URLS_DETAILS).should((details) => {
diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
index 6177234575ec3..0adfea65cfa9b 100644
--- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
@@ -15,14 +15,13 @@ export const ALERT_CHECKBOX = '[data-test-subj~="select-event"].euiCheckbox__inp
export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]';
export const ALERT_RISK_SCORE_HEADER =
- '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]';
+ '[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]';
export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]';
-export const ALERT_RULE_RISK_SCORE =
- '[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]';
+export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
-export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
+export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
index 8208595a1cb4d..1334ab6acd467 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -161,10 +161,10 @@ export const allowTopN = ({
'kibana.alert.rule.output_index',
'kibana.alert.rule.query',
'kibana.alert.rule.references',
- 'kibana.alert.rule.risk_score',
+ 'kibana.alert.risk_score',
'kibana.alert.rule.rule_id',
'kibana.alert.rule.saved_id',
- 'kibana.alert.rule.severity',
+ 'kibana.alert.severity',
'kibana.alert.rule.size',
'kibana.alert.rule.tags',
'kibana.alert.rule.threat',
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
index 8ce108d202310..e06cd379e5131 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
@@ -392,7 +392,7 @@ export const mockAlertDetailsData = [
originalValue: 'http://localhost:5601/app/security',
},
{ category: 'kibana', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 },
- { category: 'kibana', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 },
+ { category: 'kibana', field: 'kibana.alert.risk_score', values: [21], originalValue: 21 },
{
category: 'kibana',
field: 'kibana.alert.rule.risk_score_mapping',
@@ -459,7 +459,7 @@ export const mockAlertDetailsData = [
{ category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
{
category: 'kibana',
- field: 'kibana.alert.rule.severity',
+ field: 'kibana.alert.severity',
values: ['low'],
originalValue: 'low',
},
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
index 40784270e6c60..8772def686122 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
@@ -350,7 +350,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
>
- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.
@@ -421,7 +421,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
>
- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.
@@ -1042,7 +1042,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
>
- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.
@@ -1113,7 +1113,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
>
- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
index 4e62766fc1477..5e4a17dcb030b 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
@@ -207,7 +207,7 @@ exports[`Event Details Overview Cards renders rows and spacers correctly 1`] = `
- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
index 50da80f7b1304..0f241bace7663 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
@@ -63,7 +63,7 @@ const props = {
data: [
{
category: 'kibana',
- field: 'kibana.alert.rule.risk_score',
+ field: 'kibana.alert.risk_score',
values: ['47'],
originalValue: ['47'],
isObjectArray: false,
@@ -91,7 +91,7 @@ const props = {
},
{
category: 'kibana',
- field: 'kibana.alert.rule.severity',
+ field: 'kibana.alert.severity',
values: ['medium'],
originalValue: ['medium'],
isObjectArray: false,
@@ -100,10 +100,10 @@ const props = {
browserFields: {
kibana: {
fields: {
- 'kibana.alert.rule.severity': {
+ 'kibana.alert.severity': {
category: 'kibana',
count: 0,
- name: 'kibana.alert.rule.severity',
+ name: 'kibana.alert.severity',
type: 'string',
esTypes: ['keyword'],
scripted: false,
@@ -115,10 +115,10 @@ const props = {
isMapped: true,
indexes: ['apm-*-transaction*'],
},
- 'kibana.alert.rule.risk_score': {
+ 'kibana.alert.risk_score': {
category: 'kibana',
count: 0,
- name: 'kibana.alert.rule.risk_score',
+ name: 'kibana.alert.risk_score',
type: 'number',
esTypes: ['float'],
scripted: false,
@@ -180,12 +180,10 @@ const props = {
},
};
-const dataWithoutSeverity = props.data.filter(
- (data) => data.field !== 'kibana.alert.rule.severity'
-);
+const dataWithoutSeverity = props.data.filter((data) => data.field !== 'kibana.alert.severity');
const fieldsWithoutSeverity = {
- 'kibana.alert.rule.risk_score': props.browserFields.kibana.fields['kibana.alert.rule.risk_score'],
+ 'kibana.alert.risk_score': props.browserFields.kibana.fields['kibana.alert.risk_score'],
'kibana.alert.rule.uuid': props.browserFields.kibana.fields['kibana.alert.rule.uuid'],
'kibana.alert.workflow_status': props.browserFields.kibana.fields['kibana.alert.workflow_status'],
'kibana.alert.rule.name': props.browserFields.kibana.fields['kibana.alert.rule.name'],
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
index 70a8ec7ad0d22..17c9f29e33cb0 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
@@ -63,7 +63,7 @@ export const Overview = React.memo
(
}, [browserFields, contextId, data, eventId, timelineId]);
const severityData = useMemo(() => {
- const item = find({ field: 'kibana.alert.rule.severity', category: 'kibana' }, data);
+ const item = find({ field: 'kibana.alert.severity', category: 'kibana' }, data);
return (
item &&
getEnrichedFieldInfo({
@@ -77,7 +77,7 @@ export const Overview = React.memo(
}, [browserFields, contextId, data, eventId, timelineId]);
const riskScoreData = useMemo(() => {
- const item = find({ field: 'kibana.alert.rule.risk_score', category: 'kibana' }, data);
+ const item = find({ field: 'kibana.alert.risk_score', category: 'kibana' }, data);
return (
item &&
getEnrichedFieldInfo({
diff --git a/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts b/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
index ec636fc013758..bccd4efa8f98c 100644
--- a/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
+++ b/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
@@ -5,10 +5,12 @@
* 2.0.
*/
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
+
/** actions are disabled for these fields in tables and popovers */
export const FIELDS_WITHOUT_CELL_ACTIONS = [
'signal.rule.risk_score',
'signal.reason',
- 'kibana.alert.rule.risk_score',
+ ALERT_RISK_SCORE,
'kibana.alert.reason',
];
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
index ff8dbc5d6ff9b..1a4bb3e0633f2 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
@@ -8,8 +8,8 @@
import type { AlertsStackByOption } from './types';
export const alertsStackByOptions: AlertsStackByOption[] = [
- { text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' },
- { text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' },
+ { text: 'kibana.alert.risk_score', value: 'kibana.alert.risk_score' },
+ { text: 'kibana.alert.severity', value: 'kibana.alert.severity' },
{ text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' },
{ text: 'destination.ip', value: 'destination.ip' },
{ text: 'event.action', value: 'event.action' },
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
index 10b76410b8a46..8886b182dfaf5 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
@@ -11,8 +11,8 @@ export interface AlertsStackByOption {
}
export type AlertsStackByField =
- | 'kibana.alert.rule.risk_score'
- | 'kibana.alert.rule.severity'
+ | 'kibana.alert.risk_score'
+ | 'kibana.alert.severity'
| 'kibana.alert.rule.threat.tactic.name'
| 'destination.ip'
| 'event.action'
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
index aab6cabdb3a93..73d12f461f351 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
@@ -48,15 +48,10 @@ describe('alerts default_config', () => {
alias: null,
disabled: false,
negate: false,
- key: 'kibana.alert.rule.threat_mapping',
- type: 'exists',
- value: 'exists',
- },
- query: {
- exists: {
- field: 'kibana.alert.rule.threat_mapping',
- },
+ key: 'kibana.alert.rule.type',
+ type: 'term',
},
+ query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
};
expect(filters).toHaveLength(1);
expect(filters[0]).toEqual(expectedFilter);
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index 663d133f04b1c..97d6459f99c98 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -141,11 +141,10 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean):
alias: null,
disabled: false,
negate: false,
- key: 'kibana.alert.rule.threat_mapping',
- type: 'exists',
- value: 'exists',
+ key: 'kibana.alert.rule.type',
+ type: 'term',
},
- query: { exists: { field: 'kibana.alert.rule.threat_mapping' } },
+ query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
},
]
: [];
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
index 871822077f718..78a739fd879b1 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
@@ -17,7 +17,7 @@ import {
EuiIcon,
EuiToolTip,
} from '@elastic/eui';
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
import { isEmpty } from 'lodash/fp';
import React from 'react';
@@ -354,7 +354,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt
- {ALERT_RULE_RISK_SCORE}
+ {ALERT_RISK_SCORE}
),
};
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
index 6d8ea92861df9..da941bac188c3 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
@@ -24,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate(
export const RISK_SCORE_FIELD = i18n.translate(
'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle',
{
- defaultMessage: 'kibana.alert.rule.risk_score',
+ defaultMessage: 'kibana.alert.risk_score',
}
);
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
index 7976ad5dca7f3..37efdf6e54e8a 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
@@ -12,7 +12,7 @@ import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui';
import {
ALERT_DURATION,
ALERT_REASON,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
ALERT_STATUS,
} from '@kbn/rule-data-utils/technical_field_names';
@@ -61,7 +61,7 @@ export const RenderCellValue: React.FC<
case ALERT_DURATION:
case 'signal.duration.us':
return {moment().fromNow(true)};
- case ALERT_RULE_SEVERITY:
+ case ALERT_SEVERITY:
case 'signal.rule.severity':
return ;
case ALERT_REASON:
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
index 7ae54e60944cc..d60a82441697b 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
@@ -33,7 +33,7 @@ export const columns: Array<
},
{
columnHeaderType: defaultColumnHeaderType,
- id: 'kibana.alert.rule.severity',
+ id: 'kibana.alert.severity',
displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
initialWidth: 104,
},
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
index 8d726c1c19213..8c50e24cc3305 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
@@ -6,7 +6,7 @@
*/
import { EuiDataGridCellValueElementProps } from '@elastic/eui';
-import { ALERT_RULE_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
+import { ALERT_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
import React from 'react';
import { DefaultDraggable } from '../../../../common/components/draggables';
@@ -48,7 +48,7 @@ export const RenderCellValue: React.FC<
switch (columnId) {
case 'signal.rule.severity':
- case ALERT_RULE_SEVERITY:
+ case ALERT_SEVERITY:
return (
[
name: `${riskScore}`,
kqlQuery: '',
queryMatch: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
value: riskScore,
operator: IS_OPERATOR,
},
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
index 0dfe94854464a..6e0712332157d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
@@ -195,18 +195,6 @@ Object {
"path": "signal.rule.references",
"type": "alias",
},
- "kibana.alert.rule.risk_score_mapping.field": Object {
- "path": "signal.rule.risk_score_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.operator": Object {
- "path": "signal.rule.risk_score_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.value": Object {
- "path": "signal.rule.risk_score_mapping.value",
- "type": "alias",
- },
"kibana.alert.rule.rule_id": Object {
"path": "signal.rule.rule_id",
"type": "alias",
@@ -219,22 +207,6 @@ Object {
"path": "signal.rule.saved_id",
"type": "alias",
},
- "kibana.alert.rule.severity_mapping.field": Object {
- "path": "signal.rule.severity_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.operator": Object {
- "path": "signal.rule.severity_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.severity": Object {
- "path": "signal.rule.severity_mapping.severity",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.value": Object {
- "path": "signal.rule.severity_mapping.value",
- "type": "alias",
- },
"kibana.alert.rule.tags": Object {
"path": "signal.rule.tags",
"type": "alias",
@@ -2483,18 +2455,6 @@ Object {
"path": "signal.rule.references",
"type": "alias",
},
- "kibana.alert.rule.risk_score_mapping.field": Object {
- "path": "signal.rule.risk_score_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.operator": Object {
- "path": "signal.rule.risk_score_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.value": Object {
- "path": "signal.rule.risk_score_mapping.value",
- "type": "alias",
- },
"kibana.alert.rule.rule_id": Object {
"path": "signal.rule.rule_id",
"type": "alias",
@@ -2507,22 +2467,6 @@ Object {
"path": "signal.rule.saved_id",
"type": "alias",
},
- "kibana.alert.rule.severity_mapping.field": Object {
- "path": "signal.rule.severity_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.operator": Object {
- "path": "signal.rule.severity_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.severity": Object {
- "path": "signal.rule.severity_mapping.severity",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.value": Object {
- "path": "signal.rule.severity_mapping.value",
- "type": "alias",
- },
"kibana.alert.rule.tags": Object {
"path": "signal.rule.tags",
"type": "alias",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 94e9419c9f55c..66768c86f05e4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -47,17 +47,10 @@
"signal.rule.query": "kibana.alert.rule.query",
"signal.rule.references": "kibana.alert.rule.references",
"signal.rule.risk_score": "kibana.alert.risk_score",
- "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
- "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
- "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
"signal.rule.rule_id": "kibana.alert.rule.rule_id",
"signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
"signal.rule.saved_id": "kibana.alert.rule.saved_id",
"signal.rule.severity": "kibana.alert.severity",
- "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
- "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
- "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
- "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
"signal.rule.tags": "kibana.alert.rule.tags",
"signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
"signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
index f5a248c8a6ac0..19b1405cb1433 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
@@ -149,8 +149,6 @@ export const sampleThresholdAlert = {
name: 'Query with a rule id',
query: 'user.name: root or user.name: admin',
references: ['test 1', 'test 2'],
- severity: 'high',
- severity_mapping: [],
updated_by: 'elastic_kibana',
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
@@ -162,8 +160,6 @@ export const sampleThresholdAlert = {
last_success_at: '2020-02-22T16:47:50.047Z',
last_success_message: 'succeeded',
max_signals: 100,
- risk_score: 55,
- risk_score_mapping: [],
language: 'kuery',
rule_id: 'f88a544c-1d4e-4652-ae2a-c953b38da5d0',
interval: '5m',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
index ace6096201d32..88b4ae01b3a64 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -158,8 +158,6 @@ export const buildAlert = (
updated_by: updatedBy ?? '',
type: completeRule.ruleParams.type,
...commonRuleParams,
- severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
- risk_score: overrides?.riskScoreOverride ?? completeRule.ruleParams.riskScore,
}),
} as unknown as RACAlert;
};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
index 92084291a1251..4dd2903994085 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
@@ -10,7 +10,6 @@ import { ALERT_UUID } from '@kbn/rule-data-utils';
import { Logger } from 'kibana/server';
import type { ConfigType } from '../../../../../config';
-import { buildRuleWithoutOverrides } from '../../../signals/build_rule';
import { Ancestor, SignalSource, SignalSourceHit } from '../../../signals/types';
import { RACAlert, WrappedRACAlert } from '../../types';
import { buildAlert, buildAncestors, generateAlertId } from './build_alert';
@@ -99,9 +98,12 @@ export const buildAlertRoot = (
(block2._source[ALERT_ORIGINAL_TIME] as number)
)
.map((alert) => alert._source[ALERT_ORIGINAL_TIME]);
- const rule = buildRuleWithoutOverrides(completeRule);
const mergedAlerts = objectArrayIntersection(wrappedBuildingBlocks.map((alert) => alert._source));
- const reason = buildReasonMessage({ rule, mergedDoc: mergedAlerts as SignalSourceHit });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedAlerts as SignalSourceHit,
+ });
const doc = buildAlert(wrappedBuildingBlocks, completeRule, spaceId, reason);
return {
...mergedAlerts,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
index ab083a0d35138..ef3d76be1df4b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
@@ -10,7 +10,6 @@ import { flattenWithPrefix } from '@kbn/securitysolution-rules';
import { BaseHit } from '../../../../../../common/detection_engine/types';
import type { ConfigType } from '../../../../../config';
-import { buildRuleWithOverrides, buildRuleWithoutOverrides } from '../../../signals/build_rule';
import { BuildReasonMessage } from '../../../signals/reason_formatters';
import { getMergeStrategy } from '../../../signals/source_fields_merging/strategies';
import { BaseSignalHit, SignalSource, SignalSourceHit, SimpleHit } from '../../../signals/types';
@@ -54,12 +53,8 @@ export const buildBulkBody = (
buildReasonMessage: BuildReasonMessage
): RACAlert => {
const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
- const rule = applyOverrides
- ? buildRuleWithOverrides(completeRule, mergedDoc._source ?? {})
- : buildRuleWithoutOverrides(completeRule);
const eventFields = buildEventTypeAlert(mergedDoc);
const filteredSource = filterSource(mergedDoc);
- const reason = buildReasonMessage({ mergedDoc, rule });
const overrides = applyOverrides
? {
@@ -81,6 +76,12 @@ export const buildBulkBody = (
}
: undefined;
+ const reason = buildReasonMessage({
+ name: overrides?.nameOverride ?? completeRule.ruleConfig.name,
+ severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
+ mergedDoc,
+ });
+
if (isSourceDoc(mergedDoc)) {
return {
...filteredSource,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
index 095b3973edcb3..a3bf58fa25381 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
@@ -9,6 +9,7 @@ import { Moment } from 'moment';
import { SearchHit } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
import { Logger } from '@kbn/logging';
+import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils';
import { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
import { AlertExecutorOptions, RuleType } from '../../../../../alerting/server';
@@ -37,6 +38,7 @@ import { ExperimentalFeatures } from '../../../../common/experimental_features';
import { IEventLogService } from '../../../../../event_log/server';
import { AlertsFieldMap, RulesFieldMap } from '../../../../common/field_maps';
import { IRuleExecutionLogClient } from '../rule_execution_log';
+import { commonParamsCamelToSnake } from '../schemas/rule_converters';
export interface SecurityAlertTypeReturnValue {
bulkCreateTimes: string[];
@@ -110,11 +112,12 @@ export type CreateSecurityRuleTypeWrapper = (
) => RuleType;
export type RACAlertSignal = TypeOfFieldMap & TypeOfFieldMap;
-export type RACAlert = Exclude<
+export type RACAlert = Omit<
TypeOfFieldMap & RACAlertSignal,
- '@timestamp'
+ '@timestamp' | typeof ALERT_RULE_PARAMETERS
> & {
'@timestamp': string;
+ [ALERT_RULE_PARAMETERS]: ReturnType;
};
export type RACSourceHit = SearchHit;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
index bccd1f498372e..21bfced47df42 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
@@ -43,7 +43,11 @@ export const buildBulkBody = (
const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
const rule = buildRuleWithOverrides(completeRule, mergedDoc._source ?? {});
const timestamp = new Date().toISOString();
- const reason = buildReasonMessage({ mergedDoc, rule });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc,
+ });
const signal: Signal = {
...buildSignal([mergedDoc], rule, reason),
...additionalSignalFields(mergedDoc),
@@ -135,7 +139,11 @@ export const buildSignalFromSequence = (
const rule = buildRuleWithoutOverrides(completeRule);
const timestamp = new Date().toISOString();
const mergedEvents = objectArrayIntersection(events.map((event) => event._source));
- const reason = buildReasonMessage({ rule, mergedDoc: mergedEvents as SignalSourceHit });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedEvents as SignalSourceHit,
+ });
const signal: Signal = buildSignal(events, rule, reason);
return {
...mergedEvents,
@@ -167,7 +175,11 @@ export const buildSignalFromEvent = (
? buildRuleWithOverrides(completeRule, mergedEvent._source ?? {})
: buildRuleWithoutOverrides(completeRule);
const timestamp = new Date().toISOString();
- const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedEvent,
+ });
const signal: Signal = {
...buildSignal([mergedEvent], rule, reason),
...additionalSignalFields(mergedEvent),
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
index 5b55df2bee936..d2d3638288868 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
@@ -6,18 +6,15 @@
*/
import { buildReasonMessageUtil } from './reason_formatters';
-import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
import { SignalSourceHit } from './types';
describe('reason_formatter', () => {
- let rule: RulesSchema;
+ let name: string;
+ let severity: string;
let mergedDoc: SignalSourceHit;
beforeAll(() => {
- rule = {
- name: 'my-rule',
- risk_score: 9000,
- severity: 'medium',
- } as RulesSchema; // Cast here as all fields aren't required
+ name = 'my-rule';
+ severity = 'medium';
mergedDoc = {
_index: 'index-1',
_id: 'id-1',
@@ -40,7 +37,7 @@ describe('reason_formatter', () => {
describe('buildReasonMessageUtil', () => {
describe('when rule and mergedDoc are provided', () => {
it('should return the full reason message', () => {
- expect(buildReasonMessageUtil({ rule, mergedDoc })).toMatchInlineSnapshot(
+ expect(buildReasonMessageUtil({ name, severity, mergedDoc })).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@@ -54,7 +51,9 @@ describe('reason_formatter', () => {
'event.category': ['item one', 'item two'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
`"item one, item two event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@@ -68,7 +67,9 @@ describe('reason_formatter', () => {
'host.name': ['-'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user created medium alert my-rule."`
);
});
@@ -82,7 +83,9 @@ describe('reason_formatter', () => {
'user.name': ['-'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, on host created medium alert my-rule."`
);
});
@@ -97,7 +100,7 @@ describe('reason_formatter', () => {
},
};
expect(
- buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
+ buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9 by test-user on host created medium alert my-rule."`
);
@@ -112,7 +115,7 @@ describe('reason_formatter', () => {
},
};
expect(
- buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
+ buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, by test-user on host created medium alert my-rule."`
);
@@ -127,7 +130,9 @@ describe('reason_formatter', () => {
'source.port': ['-'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
+ ).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1 destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@@ -140,7 +145,9 @@ describe('reason_formatter', () => {
'source.port': ['-'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
+ ).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@@ -155,7 +162,9 @@ describe('reason_formatter', () => {
'process.parent.name': ['-'],
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
`"test event with file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@@ -170,14 +179,14 @@ describe('reason_formatter', () => {
'@timestamp': '2021-08-11T02:28:59.101Z',
},
};
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
- `"test event by test-user created medium alert my-rule."`
- );
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(`"test event by test-user created medium alert my-rule."`);
});
});
describe('when only rule is provided', () => {
it('should return the reason message without host name or user name', () => {
- expect(buildReasonMessageUtil({ rule })).toMatchInlineSnapshot(`""`);
+ expect(buildReasonMessageUtil({ name, severity })).toMatchInlineSnapshot(`""`);
});
});
});
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
index e93a45bd13246..e30bf9a265193 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
@@ -7,11 +7,11 @@
import { i18n } from '@kbn/i18n';
import { getOr } from 'lodash/fp';
-import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
import { SignalSourceHit } from './types';
export interface BuildReasonMessageArgs {
- rule: RulesSchema;
+ name: string;
+ severity: string;
mergedDoc?: SignalSourceHit;
}
@@ -56,8 +56,12 @@ const getFieldsFromDoc = (mergedDoc: SignalSourceHit) => {
* to more easily allow for this in the future.
* @export buildCommonReasonMessage - is only exported for testing purposes, and only used internally here.
*/
-export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUtilArgs) => {
- if (!rule || !mergedDoc) {
+export const buildReasonMessageUtil = ({
+ name,
+ severity,
+ mergedDoc,
+}: BuildReasonMessageUtilArgs) => {
+ if (!mergedDoc) {
// This should never happen, but in case, better to not show a malformed string
return '';
}
@@ -98,8 +102,8 @@ export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUt
{hostName, select, null {} other {{whitespace}on {hostName}} } \
created {alertSeverity} alert {alertName}.`,
values: {
- alertName: rule.name,
- alertSeverity: rule.severity,
+ alertName: name,
+ alertSeverity: severity,
destinationAddress: getFieldTemplateValue(destinationAddress, true),
destinationPort: getFieldTemplateValue(destinationPort, true),
eventCategory: getFieldTemplateValue(eventCategory),
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
index 2c9aabb3c2c92..644a0b66aec70 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
@@ -6,6 +6,7 @@
*/
import { isEmpty } from 'lodash/fp';
+import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -39,12 +40,12 @@ export const buildHostRulesQuery = ({
aggs: {
risk_score: {
sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
},
},
rule_name: {
terms: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
order: {
risk_score: Direction.desc,
},
@@ -52,19 +53,19 @@ export const buildHostRulesQuery = ({
aggs: {
risk_score: {
sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
},
},
rule_type: {
terms: {
- field: 'kibana.alert.rule.type',
+ field: ALERT_RULE_TYPE,
},
},
},
},
rule_count: {
cardinality: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
},
},
},
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
index 6b12e3f329945..61f4084fa3784 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
@@ -6,6 +6,7 @@
*/
import { isEmpty } from 'lodash/fp';
+import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy';
import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -48,12 +49,12 @@ export const buildUserRulesQuery = ({
aggs: {
risk_score: {
sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
},
},
rule_name: {
terms: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
order: {
risk_score: Direction.desc,
},
@@ -61,19 +62,19 @@ export const buildUserRulesQuery = ({
aggs: {
risk_score: {
sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
},
},
rule_type: {
terms: {
- field: 'kibana.alert.rule.type',
+ field: ALERT_RULE_TYPE,
},
},
},
},
rule_count: {
cardinality: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
},
},
},
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index 65b00af0fc13c..6f62727f68bef 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -191,10 +191,10 @@ export const allowSorting = ({
'kibana.alert.rule.output_index',
'kibana.alert.rule.query',
'kibana.alert.rule.references',
- 'kibana.alert.rule.risk_score',
+ 'kibana.alert.risk_score',
'kibana.alert.rule.rule_id',
'kibana.alert.rule.saved_id',
- 'kibana.alert.rule.severity',
+ 'kibana.alert.severity',
'kibana.alert.rule.size',
'kibana.alert.rule.tags',
'kibana.alert.rule.threat',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
index 74b85c00b9bce..43c638b2bb453 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
@@ -5,7 +5,7 @@
* 2.0.
*/
-import { ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_RULE_CONSUMER, ALERT_RISK_SCORE, ALERT_SEVERITY } from '@kbn/rule-data-utils';
// TODO: share with security_solution/common/cti/constants.ts
export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
@@ -61,8 +61,8 @@ export const TIMELINE_EVENTS_FIELDS = [
'kibana.alert.original_event.kind',
'kibana.alert.original_event.module',
'kibana.alert.rule.version',
- 'kibana.alert.rule.severity',
- 'kibana.alert.rule.risk_score',
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
'kibana.alert.threshold_result',
'kibana.alert.building_block_type',
'event.code',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
index c6935554a8ee5..ead9413b0d6b5 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
@@ -150,11 +150,12 @@ describe('formatTimelineData', () => {
_meta: {
version: 14,
},
+ severity: 'low',
+ risk_score: 21,
rule: {
note: null,
throttle: null,
references: [],
- severity_mapping: [],
description: 'asdasd',
created_at: '2021-01-09T11:25:45.046Z',
language: 'kuery',
@@ -174,9 +175,6 @@ describe('formatTimelineData', () => {
uuid: '696c24e0-526d-11eb-836c-e1620268b945',
timeline_id: null,
max_signals: 100,
- severity: 'low',
- risk_score: 21,
- risk_score_mapping: [],
author: [],
query: '_id :*',
index: [
@@ -274,11 +272,11 @@ describe('formatTimelineData', () => {
'kibana.alert.rule.query': ['_id :*'],
'kibana.alert.rule.type': ['threshold'],
'kibana.alert.rule.uuid': ['696c24e0-526d-11eb-836c-e1620268b945'],
- 'kibana.alert.rule.risk_score': [21],
+ 'kibana.alert.risk_score': [21],
'kibana.alert.workflow_status': ['open'],
'event.kind': ['signal'],
'kibana.alert.original_time': ['2021-01-09T13:39:32.595Z'],
- 'kibana.alert.rule.severity': ['low'],
+ 'kibana.alert.severity': ['low'],
'kibana.alert.rule.version': ['1'],
'kibana.alert.rule.index': [
'apm-*-transaction*',
@@ -330,6 +328,8 @@ describe('formatTimelineData', () => {
original_time: ['2021-01-09T13:39:32.595Z'],
workflow_status: ['open'],
threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
+ severity: ['low'],
+ risk_score: ['21'],
rule: {
building_block_type: [],
exceptions_list: [],
@@ -348,9 +348,7 @@ describe('formatTimelineData', () => {
language: ['kuery'],
name: ['Threshold test'],
output_index: ['.siem-signals-patrykkopycinski-default'],
- risk_score: ['21'],
query: ['_id :*'],
- severity: ['low'],
to: ['now'],
type: ['threshold'],
version: ['1'],
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
index c17ead5142b0b..8d6764b8a6405 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
@@ -10,12 +10,9 @@ import {
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
+ ALERT_RULE_PARAMETERS,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_UUID,
ALERT_SEVERITY,
ALERT_WORKFLOW_STATUS,
@@ -980,11 +977,11 @@ export default ({ getService }: FtrProviderContext) => {
expect(signals.length).equal(4);
signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
+ expect(s?.[ALERT_SEVERITY]).equal('medium');
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
- expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
+ expect(s?.[ALERT_RISK_SCORE]).equal(75);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
});
});
@@ -1014,9 +1011,9 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
- expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
+ expect(s?.[ALERT_RISK_SCORE]).equal(75);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
{ field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
{ field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
]);
@@ -1048,9 +1045,9 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
+ expect(s?.[ALERT_SEVERITY]).equal('medium');
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
{ field: 'my_risk', operator: 'equals', value: '' },
]);
});
@@ -1086,11 +1083,11 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
{ field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
{ field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
]);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
{ field: 'my_risk', operator: 'equals', value: '' },
]);
});