diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index 16b9ba91b96f2..c6edd30549a76 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -55,12 +55,8 @@ const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
 const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
 const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
 const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
-const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
-const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
 const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
 const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
-const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
 const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
 const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
 const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
@@ -114,12 +110,8 @@ const fields = {
 ALERT_RULE_NOTE,
 ALERT_RULE_PARAMETERS,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_SEVERITY_MAPPING,
 ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
@@ -171,11 +163,8 @@ export {
 ALERT_RULE_NOTE,
 ALERT_RULE_PARAMETERS,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY_MAPPING,
 ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
@@ -183,7 +172,6 @@ export {
 ALERT_RULE_UPDATED_AT,
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
 ALERT_SEVERITY,
 ALERT_START,
 ALERT_SYSTEM_STATUS,
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index 412b69210b04d..08840b1862dbb 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -40,16 +40,6 @@ export const technicalRuleFieldMap = {
 array: false,
 required: false,
 },
- [Fields.ALERT_RULE_SEVERITY]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [Fields.ALERT_RULE_RISK_SCORE]: {
- type: 'float',
- array: false,
- required: false,
- },
 [Fields.ALERT_RISK_SCORE]: {
 type: 'float',
 array: false,
@@ -150,26 +140,6 @@ export const technicalRuleFieldMap = {
 array: true,
 required: false,
 },
- [Fields.ALERT_RULE_RISK_SCORE_MAPPING]: {
- type: 'object',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.field`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.operator`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.value`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
 [Fields.ALERT_RULE_RULE_ID]: {
 type: 'keyword',
 array: false,
@@ -180,31 +150,6 @@ export const technicalRuleFieldMap = {
 array: false,
 required: false,
 },
- [Fields.ALERT_RULE_SEVERITY_MAPPING]: {
- type: 'object',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.field`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.operator`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.value`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
- [`${Fields.ALERT_RULE_SEVERITY_MAPPING}.severity`]: {
- type: 'keyword',
- array: false,
- required: false,
- },
 [Fields.ALERT_RULE_TAGS]: {
 type: 'keyword',
 array: true,
diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
index 2ed92232c0db1..d787b13800718 100644
--- a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
+++ b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
@@ -57,7 +57,7 @@ const esFieldTypeMap = {
 float: t.union([t.number, NumberFromString]),
 scaled_float: t.union([t.number, NumberFromString]),
 unsigned_long: t.union([t.number, NumberFromString]),
- flattened: t.record(t.string, t.array(t.string)),
+ flattened: t.UnknownRecord,
 };
 type EsFieldTypeMap = typeof esFieldTypeMap;
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
index cdc39a7597386..b142555d8a3d7 100644
--- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
+++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@@ -11,7 +11,7 @@ import {
 ALERT_RULE_CONSUMER,
 ALERT_RULE_NAME,
 ALERT_RULE_PRODUCER,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_TYPE_ID,
 ALERT_RULE_UUID,
 ALERT_STATUS,
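Review bot: Replacing `t.record(t.string, t.array(t.string))` with `t.UnknownRecord` for `flattened` widens the decoded type of every flattened field from `Record<string, string[]>` to `Record<string, unknown>`, so any consumer of the parsed technical fields that indexed into a flattened value as a string array loses that narrowing and now has to guard at each use site. The looser codec is presumably deliberate (an Elasticsearch `flattened` field accepts arbitrary nested JSON, which the old codec would have rejected), but nothing in the hunk says so, and a later maintainer may well tighten it back. A one-line comment on the entry, `// flattened fields hold arbitrary JSON objects; callers must narrow the values themselves`, would record the intent. The `esFieldTypeMap` object starts before the hunk.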
@@ -35,7 +35,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
 [ALERT_RULE_CONSUMER]: 'apm',
 [ALERT_RULE_NAME]: 'Check error rate',
 [ALERT_RULE_PRODUCER]: 'apm',
- [ALERT_RULE_RISK_SCORE]: 20,
+ [ALERT_RISK_SCORE]: 20,
 [ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
 [ALERT_RULE_UUID]: 'fake-rule-uuid',
 [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
index 92e501e5a2bd3..c4709d857d5d0 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -14,8 +14,8 @@ import {
 import {
 ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
 NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -505,12 +505,10 @@ describe('indicator match', () => {
 cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
 cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
- cy.get(ALERT_RULE_SEVERITY)
+ cy.get(ALERT_SEVERITY)
 .first()
 .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
- cy.get(ALERT_RULE_RISK_SCORE)
- .first()
- .should('have.text', getNewThreatIndicatorRule().riskScore);
+ cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
 });
 it.skip('Investigate alert in timeline', () => {
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
index 92c6216f44847..8b67fb198495a 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts
@@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
 getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
 getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
 'have.text',
- `${this.rule.riskOverride}kibana.alert.rule.risk_score`
+ `${this.rule.riskOverride}kibana.alert.risk_score`
 );
 getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
 getDetails(REFERENCE_URLS_DETAILS).should((details) => {
diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
index 6177234575ec3..0adfea65cfa9b 100644
--- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts
@@ -15,14 +15,13 @@ export const ALERT_CHECKBOX = '[data-test-subj~="select-event"].euiCheckbox__inp
 export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]';
 export const ALERT_RISK_SCORE_HEADER =
- '[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]';
+ '[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]';
 export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]';
-export const ALERT_RULE_RISK_SCORE =
- '[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]';
+export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
-export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
+export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
 export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';
diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
index 8208595a1cb4d..1334ab6acd467 100644
--- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
+++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts
@@ -161,10 +161,10 @@ export const allowTopN = ({
 'kibana.alert.rule.output_index',
 'kibana.alert.rule.query',
 'kibana.alert.rule.references',
- 'kibana.alert.rule.risk_score',
+ 'kibana.alert.risk_score',
 'kibana.alert.rule.rule_id',
 'kibana.alert.rule.saved_id',
- 'kibana.alert.rule.severity',
+ 'kibana.alert.severity',
 'kibana.alert.rule.size',
 'kibana.alert.rule.tags',
 'kibana.alert.rule.threat',
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
index 8ce108d202310..e06cd379e5131 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts
@@ -392,7 +392,7 @@ export const mockAlertDetailsData = [
 originalValue: 'http://localhost:5601/app/security',
 },
 { category: 'kibana', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 },
- { category: 'kibana', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 },
+ { category: 'kibana', field: 'kibana.alert.risk_score', values: [21], originalValue: 21 },
 {
 category: 'kibana',
 field: 'kibana.alert.rule.risk_score_mapping',
@@ -459,7 +459,7 @@ export const mockAlertDetailsData = [
 { category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
 {
 category: 'kibana',
- field: 'kibana.alert.rule.severity',
+ field: 'kibana.alert.severity',
 values: ['low'],
 originalValue: 'low',
 },
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
index 40784270e6c60..8772def686122 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
@@ -350,7 +350,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1` >
- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.

@@ -421,7 +421,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1` >
- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

@@ -1042,7 +1042,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`] >
- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.

@@ -1113,7 +1113,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`] >
- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
index 4e62766fc1477..5e4a17dcb030b 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
@@ -207,7 +207,7 @@ exports[`Event Details Overview Cards renders rows and spacers correctly 1`] = `

- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
+ You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
index 50da80f7b1304..0f241bace7663 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
@@ -63,7 +63,7 @@ const props = {
 data: [
 {
 category: 'kibana',
- field: 'kibana.alert.rule.risk_score',
+ field: 'kibana.alert.risk_score',
 values: ['47'],
 originalValue: ['47'],
 isObjectArray: false,
@@ -91,7 +91,7 @@ const props = {
 },
 {
 category: 'kibana',
- field: 'kibana.alert.rule.severity',
+ field: 'kibana.alert.severity',
 values: ['medium'],
 originalValue: ['medium'],
 isObjectArray: false,
@@ -100,10 +100,10 @@ const props = {
 browserFields: {
 kibana: {
 fields: {
- 'kibana.alert.rule.severity': {
+ 'kibana.alert.severity': {
 category: 'kibana',
 count: 0,
- name: 'kibana.alert.rule.severity',
+ name: 'kibana.alert.severity',
 type: 'string',
 esTypes: ['keyword'],
 scripted: false,
@@ -115,10 +115,10 @@ const props = {
 isMapped: true,
 indexes: ['apm-*-transaction*'],
 },
- 'kibana.alert.rule.risk_score': {
+ 'kibana.alert.risk_score': {
 category: 'kibana',
 count: 0,
- name: 'kibana.alert.rule.risk_score',
+ name: 'kibana.alert.risk_score',
 type: 'number',
 esTypes: ['float'],
 scripted: false,
@@ -180,12 +180,10 @@ const props = {
 },
 };
-const dataWithoutSeverity = props.data.filter(
- (data) => data.field !== 'kibana.alert.rule.severity'
-);
+const dataWithoutSeverity = props.data.filter((data) => data.field !== 'kibana.alert.severity');
 const fieldsWithoutSeverity = {
- 'kibana.alert.rule.risk_score': props.browserFields.kibana.fields['kibana.alert.rule.risk_score'],
+ 'kibana.alert.risk_score': props.browserFields.kibana.fields['kibana.alert.risk_score'],
 'kibana.alert.rule.uuid': props.browserFields.kibana.fields['kibana.alert.rule.uuid'],
 'kibana.alert.workflow_status': props.browserFields.kibana.fields['kibana.alert.workflow_status'],
 'kibana.alert.rule.name': props.browserFields.kibana.fields['kibana.alert.rule.name'],
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
index 70a8ec7ad0d22..17c9f29e33cb0 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
@@ -63,7 +63,7 @@ export const Overview = React.memo(
 }, [browserFields, contextId, data, eventId, timelineId]);
 const severityData = useMemo(() => {
- const item = find({ field: 'kibana.alert.rule.severity', category: 'kibana' }, data);
+ const item = find({ field: 'kibana.alert.severity', category: 'kibana' }, data);
 return (
 item &&
 getEnrichedFieldInfo({
@@ -77,7 +77,7 @@ export const Overview = React.memo(
 }, [browserFields, contextId, data, eventId, timelineId]);
 const riskScoreData = useMemo(() => {
- const item = find({ field: 'kibana.alert.rule.risk_score', category: 'kibana' }, data);
+ const item = find({ field: 'kibana.alert.risk_score', category: 'kibana' }, data);
 return (
 item &&
 getEnrichedFieldInfo({
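Review bot: Both `find` calls in the two `useMemo` bodies of `Overview` still spell the field names as string literals (`'kibana.alert.severity'`, `'kibana.alert.risk_score'`) although `@kbn/rule-data-utils` exports them as `ALERT_SEVERITY` and `ALERT_RISK_SCORE`, and `cell_actions/constants.ts` in this same change already imports one of them; chasing literals through the tree is exactly the work this rename had to do. With the import added, `find({ field: ALERT_SEVERITY, category: 'kibana' }, data)` and `find({ field: ALERT_RISK_SCORE, category: 'kibana' }, data)` turn the next rename into a compile error rather than a grep. The same applies to `alerts_kpis/common/config.ts`, where each option repeats the literal in both `text` and `value`. Each `useMemo` callback continues past the hunk.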
diff --git a/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts b/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
index ec636fc013758..bccd4efa8f98c 100644
--- a/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
+++ b/x-pack/plugins/security_solution/public/common/lib/cell_actions/constants.ts
@@ -5,10 +5,12 @@
 * 2.0.
 */
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
+
 /** actions are disabled for these fields in tables and popovers */
 export const FIELDS_WITHOUT_CELL_ACTIONS = [
 'signal.rule.risk_score',
 'signal.reason',
- 'kibana.alert.rule.risk_score',
+ ALERT_RISK_SCORE,
 'kibana.alert.reason',
 ];
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
index ff8dbc5d6ff9b..1a4bb3e0633f2 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts
@@ -8,8 +8,8 @@ import type { AlertsStackByOption } from './types';
 export const alertsStackByOptions: AlertsStackByOption[] = [
- { text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' },
- { text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' },
+ { text: 'kibana.alert.risk_score', value: 'kibana.alert.risk_score' },
+ { text: 'kibana.alert.severity', value: 'kibana.alert.severity' },
 { text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' },
 { text: 'destination.ip', value: 'destination.ip' },
 { text: 'event.action', value: 'event.action' },
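Review bot: `FIELDS_WITHOUT_CELL_ACTIONS` now mixes one imported constant with three literals: `ALERT_RISK_SCORE` sits directly above `'kibana.alert.reason'`, for which the same package exports `ALERT_REASON` (imported elsewhere in this change, in `observablity_alerts/render_cell_value.tsx`). Half-migrating the list means the next field rename will again find this file only by grep; `import { ALERT_REASON, ALERT_RISK_SCORE } from '@kbn/rule-data-utils';` and `ALERT_REASON,` in place of the literal keep the list consistent. The two `signal.*` entries are legacy paths with no exported constant on this page and can stay as they are.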
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
index 10b76410b8a46..8886b182dfaf5 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts
@@ -11,8 +11,8 @@ export interface AlertsStackByOption {
 }
 export type AlertsStackByField =
- | 'kibana.alert.rule.risk_score'
- | 'kibana.alert.rule.severity'
+ | 'kibana.alert.risk_score'
+ | 'kibana.alert.severity'
 | 'kibana.alert.rule.threat.tactic.name'
 | 'destination.ip'
 | 'event.action'
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
index aab6cabdb3a93..73d12f461f351 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.test.tsx
@@ -48,15 +48,10 @@ describe('alerts default_config', () => {
 alias: null,
 disabled: false,
 negate: false,
- key: 'kibana.alert.rule.threat_mapping',
- type: 'exists',
- value: 'exists',
- },
- query: {
- exists: {
- field: 'kibana.alert.rule.threat_mapping',
- },
+ key: 'kibana.alert.rule.type',
+ type: 'term',
 },
+ query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
 };
 expect(filters).toHaveLength(1);
 expect(filters[0]).toEqual(expectedFilter);
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index 663d133f04b1c..97d6459f99c98 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -141,11 +141,10 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean):
 alias: null,
 disabled: false,
 negate: false,
- key: 'kibana.alert.rule.threat_mapping',
- type: 'exists',
- value: 'exists',
+ key: 'kibana.alert.rule.type',
+ type: 'term',
 },
- query: { exists: { field: 'kibana.alert.rule.threat_mapping' } },
+ query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
 },
 ]
 : [];
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
index 871822077f718..78a739fd879b1 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx
@@ -17,7 +17,7 @@ import {
 EuiIcon,
 EuiToolTip,
 } from '@elastic/eui';
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import React from 'react';
@@ -354,7 +354,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt
- {ALERT_RULE_RISK_SCORE}
+ {ALERT_RISK_SCORE}
 ),
 };
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
index 6d8ea92861df9..da941bac188c3 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/risk_score_mapping/translations.tsx
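Review bot: The new filter in `buildThreatMatchFilter` sets `meta.type` to `'term'`, which as far as I can tell is not one of the filter types Kibana's filter manager knows how to render and edit (`phrase`, `phrases`, `exists`, `range`, `query_string`, ...), so the filter bar is likely to show it as an opaque custom filter and UI edits may not round-trip; the conventional shape for an exact keyword match is a phrase filter, `type: 'phrase', params: { query: 'threat_match' }` with `query: { match_phrase: { 'kibana.alert.rule.type': 'threat_match' } }`. Separately, `'kibana.alert.rule.type'` and `'threat_match'` are each written twice in this object and again in `default_config.test.tsx`; `ALERT_RULE_TYPE` from `@kbn/rule-data-utils` and a named constant for the rule type would keep the pair in one place. `buildThreatMatchFilter` starts before the hunk.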
@@ -24,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate(
 export const RISK_SCORE_FIELD = i18n.translate(
 'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle',
 {
- defaultMessage: 'kibana.alert.rule.risk_score',
+ defaultMessage: 'kibana.alert.risk_score',
 }
 );
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
index 7976ad5dca7f3..37efdf6e54e8a 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
@@ -12,7 +12,7 @@ import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui';
 import {
 ALERT_DURATION,
 ALERT_REASON,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_STATUS,
 } from '@kbn/rule-data-utils/technical_field_names';
@@ -61,7 +61,7 @@ export const RenderCellValue: React.FC<
 case ALERT_DURATION:
 case 'signal.duration.us':
 return {moment().fromNow(true)};
- case ALERT_RULE_SEVERITY:
+ case ALERT_SEVERITY:
 case 'signal.rule.severity':
 return ;
 case ALERT_REASON:
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
index 7ae54e60944cc..d60a82441697b 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts
@@ -33,7 +33,7 @@ export const columns: Array<
 },
 {
 columnHeaderType: defaultColumnHeaderType,
- id: 'kibana.alert.rule.severity',
+ id: 'kibana.alert.severity',
 displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
 initialWidth: 104,
 },
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
index 8d726c1c19213..8c50e24cc3305 100644
--- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
@@ -6,7 +6,7 @@
 */
 import { EuiDataGridCellValueElementProps } from '@elastic/eui';
-import { ALERT_RULE_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
+import { ALERT_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
 import React from 'react';
 import { DefaultDraggable } from '../../../../common/components/draggables';
@@ -48,7 +48,7 @@ export const RenderCellValue: React.FC<
 switch (columnId) {
 case 'signal.rule.severity':
- case ALERT_RULE_SEVERITY:
+ case ALERT_SEVERITY:
 return ( [ name: `${riskScore}`, kqlQuery: '', queryMatch: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
index 0dfe94854464a..6e0712332157d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
@@ -195,18 +195,6 @@ Object {
 "path": "signal.rule.references",
 "type": "alias",
 },
- "kibana.alert.rule.risk_score_mapping.field": Object {
- "path": "signal.rule.risk_score_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.operator": Object {
- "path": "signal.rule.risk_score_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.value": Object {
- "path": "signal.rule.risk_score_mapping.value",
- "type": "alias",
- },
 "kibana.alert.rule.rule_id": Object {
 "path": "signal.rule.rule_id",
 "type": "alias",
@@ -219,22 +207,6 @@ Object {
 "path": "signal.rule.saved_id",
 "type": "alias",
 },
- "kibana.alert.rule.severity_mapping.field": Object {
- "path": "signal.rule.severity_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.operator": Object {
- "path": "signal.rule.severity_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.severity": Object {
- "path": "signal.rule.severity_mapping.severity",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.value": Object {
- "path": "signal.rule.severity_mapping.value",
- "type": "alias",
- },
 "kibana.alert.rule.tags": Object {
 "path": "signal.rule.tags",
 "type": "alias",
@@ -2483,18 +2455,6 @@ Object {
 "path": "signal.rule.references",
 "type": "alias",
 },
- "kibana.alert.rule.risk_score_mapping.field": Object {
- "path": "signal.rule.risk_score_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.operator": Object {
- "path": "signal.rule.risk_score_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.risk_score_mapping.value": Object {
- "path": "signal.rule.risk_score_mapping.value",
- "type": "alias",
- },
 "kibana.alert.rule.rule_id": Object {
 "path": "signal.rule.rule_id",
 "type": "alias",
@@ -2507,22 +2467,6 @@ Object {
 "path": "signal.rule.saved_id",
 "type": "alias",
 },
- "kibana.alert.rule.severity_mapping.field": Object {
- "path": "signal.rule.severity_mapping.field",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.operator": Object {
- "path": "signal.rule.severity_mapping.operator",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.severity": Object {
- "path": "signal.rule.severity_mapping.severity",
- "type": "alias",
- },
- "kibana.alert.rule.severity_mapping.value": Object {
- "path": "signal.rule.severity_mapping.value",
- "type": "alias",
- },
 "kibana.alert.rule.tags": Object {
 "path": "signal.rule.tags",
 "type": "alias",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 94e9419c9f55c..66768c86f05e4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -47,17 +47,10 @@
 "signal.rule.query": "kibana.alert.rule.query",
 "signal.rule.references": "kibana.alert.rule.references",
 "signal.rule.risk_score": "kibana.alert.risk_score",
- "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
- "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
- "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
 "signal.rule.rule_id": "kibana.alert.rule.rule_id",
 "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
 "signal.rule.saved_id": "kibana.alert.rule.saved_id",
 "signal.rule.severity": "kibana.alert.severity",
- "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
- "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
- "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
- "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
 "signal.rule.tags": "kibana.alert.rule.tags",
 "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
 "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
index f5a248c8a6ac0..19b1405cb1433 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/threshold.ts
@@ -149,8 +149,6 @@ export const sampleThresholdAlert = {
 name: 'Query with a rule id',
 query: 'user.name: root or user.name: admin',
 references: ['test 1', 'test 2'],
- severity: 'high',
- severity_mapping: [],
 updated_by: 'elastic_kibana',
 tags: ['some fake tag 1', 'some fake tag 2'],
 to: 'now',
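Review bot: Removing the seven `signal.rule.*_mapping.*` entries means the legacy-signals alias template (the `get_signals_template.test.ts.snap` hunks above show the aliases disappearing) no longer exposes `kibana.alert.rule.risk_score_mapping.*` or `kibana.alert.rule.severity_mapping.*` on pre-existing `.siem-signals-*` indices, while the `kibana.alert.rule.risk_score_mapping` item in `event_details/__mocks__/index.ts` is still treated as a live field. If the mapping arrays now live under the flattened `kibana.alert.rule.parameters` (which the `t.UnknownRecord` change suggests but the diff does not state), any saved search, exception or dashboard that filters on the old dotted paths silently stops matching on legacy and new alerts alike; that deserves a line in the commit message and a check that nothing shipped references those paths. A JSON file has nowhere to carry the note itself, so the commit message or the template's README is the place.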
@@ -162,8 +160,6 @@ export const sampleThresholdAlert = {
 last_success_at: '2020-02-22T16:47:50.047Z',
 last_success_message: 'succeeded',
 max_signals: 100,
- risk_score: 55,
- risk_score_mapping: [],
 language: 'kuery',
 rule_id: 'f88a544c-1d4e-4652-ae2a-c953b38da5d0',
 interval: '5m',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
index ace6096201d32..88b4ae01b3a64 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -158,8 +158,6 @@ export const buildAlert = (
 updated_by: updatedBy ?? '',
 type: completeRule.ruleParams.type,
 ...commonRuleParams,
- severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
- risk_score: overrides?.riskScoreOverride ?? completeRule.ruleParams.riskScore,
 }),
 } as unknown as RACAlert;
 };
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
index 92084291a1251..4dd2903994085 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert_group_from_sequence.ts
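Review bot: With `severity` and `risk_score` no longer written into the rule block of `buildAlert`, nothing in this hunk consumes `overrides?.severityOverride` or `overrides?.riskScoreOverride` any more; unless the top-level `ALERT_SEVERITY`/`ALERT_RISK_SCORE` values are written from the same `overrides` somewhere outside the hunk (the `build_bulk_body.ts` hunk below still computes `overrides` but only shows `severityOverride` feeding the reason message), an alert from a rule with a severity or risk-score override would carry the rule's default values, which is what analysts sort and triage on. A comment at the spread, `// severity/risk_score live at the top level (ALERT_SEVERITY, ALERT_RISK_SCORE) and are written by the caller, overrides included`, or a unit test asserting that an override survives into the emitted alert, would settle it. `buildAlert` starts before the hunk, and the `as unknown as RACAlert` double assertion at its end means a shape mismatch introduced by this removal would not be caught by the compiler.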
@@ -10,7 +10,6 @@ import { ALERT_UUID } from '@kbn/rule-data-utils';
 import { Logger } from 'kibana/server';
 import type { ConfigType } from '../../../../../config';
-import { buildRuleWithoutOverrides } from '../../../signals/build_rule';
 import { Ancestor, SignalSource, SignalSourceHit } from '../../../signals/types';
 import { RACAlert, WrappedRACAlert } from '../../types';
 import { buildAlert, buildAncestors, generateAlertId } from './build_alert';
@@ -99,9 +98,12 @@ export const buildAlertRoot = (
 (block2._source[ALERT_ORIGINAL_TIME] as number)
 )
 .map((alert) => alert._source[ALERT_ORIGINAL_TIME]);
- const rule = buildRuleWithoutOverrides(completeRule);
 const mergedAlerts = objectArrayIntersection(wrappedBuildingBlocks.map((alert) => alert._source));
- const reason = buildReasonMessage({ rule, mergedDoc: mergedAlerts as SignalSourceHit });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedAlerts as SignalSourceHit,
+ });
 const doc = buildAlert(wrappedBuildingBlocks, completeRule, spaceId, reason);
 return {
 ...mergedAlerts,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
index ab083a0d35138..ef3d76be1df4b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts
@@ -10,7 +10,6 @@ import { flattenWithPrefix } from '@kbn/securitysolution-rules';
 import { BaseHit } from '../../../../../../common/detection_engine/types';
 import type { ConfigType } from '../../../../../config';
-import { buildRuleWithOverrides, buildRuleWithoutOverrides } from '../../../signals/build_rule';
 import { BuildReasonMessage } from '../../../signals/reason_formatters';
 import { getMergeStrategy } from '../../../signals/source_fields_merging/strategies';
 import { BaseSignalHit, SignalSource, SignalSourceHit, SimpleHit } from '../../../signals/types';
@@ -54,12 +53,8 @@ export const buildBulkBody = (
 buildReasonMessage: BuildReasonMessage
 ): RACAlert => {
 const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
- const rule = applyOverrides
- ? buildRuleWithOverrides(completeRule, mergedDoc._source ?? {})
- : buildRuleWithoutOverrides(completeRule);
 const eventFields = buildEventTypeAlert(mergedDoc);
 const filteredSource = filterSource(mergedDoc);
- const reason = buildReasonMessage({ mergedDoc, rule });
 const overrides = applyOverrides
 ? {
@@ -81,6 +76,12 @@ export const buildBulkBody = (
 }
 : undefined;
+ const reason = buildReasonMessage({
+ name: overrides?.nameOverride ?? completeRule.ruleConfig.name,
+ severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
+ mergedDoc,
+ });
+
 if (isSourceDoc(mergedDoc)) {
 return {
 ...filteredSource,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
index 095b3973edcb3..a3bf58fa25381 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts
@@ -9,6 +9,7 @@ import { Moment } from 'moment';
 import { SearchHit } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { Logger } from '@kbn/logging';
+import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils';
 import { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import { AlertExecutorOptions, RuleType } from '../../../../../alerting/server';
@@ -37,6 +38,7 @@ import { ExperimentalFeatures } from '../../../../common/experimental_features';
 import { IEventLogService } from '../../../../../event_log/server';
 import { AlertsFieldMap, RulesFieldMap } from '../../../../common/field_maps';
 import { IRuleExecutionLogClient } from '../rule_execution_log';
+import { commonParamsCamelToSnake } from '../schemas/rule_converters';
 export interface SecurityAlertTypeReturnValue {
 bulkCreateTimes: string[];
@@ -110,11 +112,12 @@ export type CreateSecurityRuleTypeWrapper = (
 ) => RuleType;
 export type RACAlertSignal = TypeOfFieldMap & TypeOfFieldMap;
-export type RACAlert = Exclude<
+export type RACAlert = Omit<
 TypeOfFieldMap & RACAlertSignal,
- '@timestamp'
+ '@timestamp' | typeof ALERT_RULE_PARAMETERS
 > & {
 '@timestamp': string;
+ [ALERT_RULE_PARAMETERS]: ReturnType;
 };
 export type RACSourceHit = SearchHit;
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
index bccd1f498372e..21bfced47df42 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts
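Review bot: The new `import { commonParamsCamelToSnake } from '../schemas/rule_converters';` in the `@@ -37` hunk is only consumed in a type position (the `RACAlert` member in the `@@ -110` hunk; the type arguments look stripped in this rendering, so I assume it reads `ReturnType<typeof commonParamsCamelToSnake>`). Since `types.ts` otherwise holds only interfaces and type aliases, `import type { commonParamsCamelToSnake } from '../schemas/rule_converters';` states that intent and guarantees the import is erased rather than relying on the compiler eliding an unused value import. The switch from `Exclude` to `Omit` in the same hunk is the right fix, since `Exclude` does nothing on an object type's keys.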
@@ -43,7 +43,11 @@ export const buildBulkBody = (
 const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
 const rule = buildRuleWithOverrides(completeRule, mergedDoc._source ?? {});
 const timestamp = new Date().toISOString();
- const reason = buildReasonMessage({ mergedDoc, rule });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc,
+ });
 const signal: Signal = {
 ...buildSignal([mergedDoc], rule, reason),
 ...additionalSignalFields(mergedDoc),
@@ -135,7 +139,11 @@ export const buildSignalFromSequence = (
 const rule = buildRuleWithoutOverrides(completeRule);
 const timestamp = new Date().toISOString();
 const mergedEvents = objectArrayIntersection(events.map((event) => event._source));
- const reason = buildReasonMessage({ rule, mergedDoc: mergedEvents as SignalSourceHit });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedEvents as SignalSourceHit,
+ });
 const signal: Signal = buildSignal(events, rule, reason);
 return {
 ...mergedEvents,
@@ -167,7 +175,11 @@ export const buildSignalFromEvent = (
 ? buildRuleWithOverrides(completeRule, mergedEvent._source ?? {})
 : buildRuleWithoutOverrides(completeRule);
 const timestamp = new Date().toISOString();
- const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule });
+ const reason = buildReasonMessage({
+ name: completeRule.ruleConfig.name,
+ severity: completeRule.ruleParams.severity,
+ mergedDoc: mergedEvent,
+ });
 const signal: Signal = {
 ...buildSignal([mergedEvent], rule, reason),
 ...additionalSignalFields(mergedEvent),
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
index 5b55df2bee936..d2d3638288868 100644
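Review bot: In `buildBulkBody` the reason text is now built from `completeRule.ruleConfig.name` and `completeRule.ruleParams.severity`, while `rule` on the line above comes from `buildRuleWithOverrides`, so a rule-name or severity override taken from the source document no longer appears in the reason string, which the replaced `buildReasonMessage({ mergedDoc, rule })` call did reflect. The same applies to the `buildSignalFromEvent` hunk (`@@ -167`), where `rule` may also carry overrides; `buildSignalFromSequence` is unaffected because it uses `buildRuleWithoutOverrides`. The sibling `rule_types/factories/utils/build_bulk_body.ts` in this diff passes `overrides?.nameOverride ?? …` and `overrides?.severityOverride ?? …`, so unless this divergence is intended the two signal builders will now produce different reason messages for the same overridden rule. Reading the already-overridden object keeps the previous behavior: `name: rule.name,` / `severity: rule.severity,`. The enclosing functions continue outside the hunks.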
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatter.test.ts
@@ -6,18 +6,15 @@
 */
 import { buildReasonMessageUtil } from './reason_formatters';
-import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
 import { SignalSourceHit } from './types';
 describe('reason_formatter', () => {
- let rule: RulesSchema;
+ let name: string;
+ let severity: string;
 let mergedDoc: SignalSourceHit;
 beforeAll(() => {
- rule = {
- name: 'my-rule',
- risk_score: 9000,
- severity: 'medium',
- } as RulesSchema; // Cast here as all fields aren't required
+ name = 'my-rule';
+ severity = 'medium';
 mergedDoc = {
 _index: 'index-1',
 _id: 'id-1',
@@ -40,7 +37,7 @@ describe('reason_formatter', () => {
 describe('buildReasonMessageUtil', () => {
 describe('when rule and mergedDoc are provided', () => {
 it('should return the full reason message', () => {
- expect(buildReasonMessageUtil({ rule, mergedDoc })).toMatchInlineSnapshot(
+ expect(buildReasonMessageUtil({ name, severity, mergedDoc })).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
 );
 });
@@ -54,7 +51,9 @@ describe('reason_formatter', () => {
 'event.category': ['item one', 'item two'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
 `"item one, item two event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
 );
 });
@@ -68,7 +67,9 @@ describe('reason_formatter', () => {
 'host.name': ['-'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user created medium alert my-rule."`
 );
 });
@@ -82,7 +83,9 @@ describe('reason_formatter', () => {
 'user.name': ['-'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, on host created medium alert my-rule."`
 );
 });
@@ -97,7 +100,7 @@ describe('reason_formatter', () => {
 },
 };
 expect(
- buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
+ buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
 ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9 by test-user on host created medium alert my-rule."`
 );
@@ -112,7 +115,7 @@ describe('reason_formatter', () => {
 },
 };
 expect(
- buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
+ buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
 ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, by test-user on host created medium alert my-rule."`
 );
@@ -127,7 +130,9 @@ describe('reason_formatter', () => {
 'source.port': ['-'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
+ ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1 destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
 );
 });
@@ -140,7 +145,9 @@ describe('reason_formatter', () => {
 'source.port': ['-'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
+ ).toMatchInlineSnapshot(
 `"test event with process doingThings.exe, parent process didThings.exe, file sample, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
 );
 });
@@ -155,7 +162,9 @@ describe('reason_formatter', () => {
 'process.parent.name': ['-'],
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(
 `"test event with file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
 );
 });
@@ -170,14 +179,14 @@ describe('reason_formatter', () => {
 '@timestamp': '2021-08-11T02:28:59.101Z',
 },
 };
- expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
- `"test event by test-user created medium alert my-rule."`
- );
+ expect(
+ buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
+ ).toMatchInlineSnapshot(`"test event by test-user created medium alert my-rule."`);
 });
 });
 describe('when only rule is provided', () => {
 it('should return the reason message without host name or user name', () => {
- expect(buildReasonMessageUtil({ rule })).toMatchInlineSnapshot(`""`);
+ expect(buildReasonMessageUtil({ name, severity })).toMatchInlineSnapshot(`""`);
 });
 });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
index e93a45bd13246..e30bf9a265193 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/reason_formatters.ts
@@ -7,11 +7,11 @@
 import { i18n } from '@kbn/i18n';
 import { getOr } from 'lodash/fp';
-import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
 import { SignalSourceHit } from './types';
 export interface BuildReasonMessageArgs {
- rule: RulesSchema;
+ name: string;
+ severity: string;
 mergedDoc?: SignalSourceHit;
 }
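Review bot: The `describe('when only rule is provided', …)` label in the `@@ -170` hunk is now stale, since the test passes `name` and `severity` rather than a rule object, and it no longer describes what the assertion on `buildReasonMessageUtil({ name, severity })` checks (an empty string when `mergedDoc` is absent). Something like `describe('when mergedDoc is not provided', …)` matches the new call; the `describe('when rule and mergedDoc are provided', …)` label in the earlier `@@ -40` hunk has the same drift.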
@@ -56,8 +56,12 @@ const getFieldsFromDoc = (mergedDoc: SignalSourceHit) => {
 * to more easily allow for this in the future.
 * @export buildCommonReasonMessage - is only exported for testing purposes, and only used internally here.
 */
-export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUtilArgs) => {
- if (!rule || !mergedDoc) {
+export const buildReasonMessageUtil = ({
+ name,
+ severity,
+ mergedDoc,
+}: BuildReasonMessageUtilArgs) => {
+ if (!mergedDoc) {
 // This should never happen, but in case, better to not show a malformed string
 return '';
 }
@@ -98,8 +102,8 @@ export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUt
 {hostName, select, null {} other {{whitespace}on {hostName}} } \
 created {alertSeverity} alert {alertName}.`,
 values: {
- alertName: rule.name,
- alertSeverity: rule.severity,
+ alertName: name,
+ alertSeverity: severity,
 destinationAddress: getFieldTemplateValue(destinationAddress, true),
 destinationPort: getFieldTemplateValue(destinationPort, true),
 eventCategory: getFieldTemplateValue(eventCategory),
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
index 2c9aabb3c2c92..644a0b66aec70 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
@@ -6,6 +6,7 @@
 */
 import { isEmpty } from 'lodash/fp';
+import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
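Review bot: The JSDoc directly above the new `buildReasonMessageUtil` signature in the `@@ -56` hunk does not describe the `name` and `severity` parameters that replace `rule`, and a caller has no hint that they end up verbatim in the user-visible message. Two lines in that block would close the gap: `@param name - rule name rendered as {alertName} in the reason message` and `@param severity - rule severity rendered as {alertSeverity} in the reason message`. It is also worth a sentence in the same block that the early `return ''` now fires only when `mergedDoc` is missing, since `name` and `severity` are required strings. The function body continues outside the hunk.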
@@ -39,12 +40,12 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
 terms: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
 order: {
 risk_score: Direction.desc,
 },
@@ -52,19 +53,19 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
 terms: {
- field: 'kibana.alert.rule.type',
+ field: ALERT_RULE_TYPE,
 },
 },
 },
 },
 rule_count: {
 cardinality: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
 },
 },
 },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
index 6b12e3f329945..61f4084fa3784 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
@@ -6,6 +6,7 @@
 */
 import { isEmpty } from 'lodash/fp';
+import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -48,12 +49,12 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
 terms: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
 order: {
 risk_score: Direction.desc,
 },
@@ -61,19 +62,19 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: 'kibana.alert.rule.risk_score',
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
 terms: {
- field: 'kibana.alert.rule.type',
+ field: ALERT_RULE_TYPE,
 },
 },
 },
 },
 rule_count: {
 cardinality: {
- field: 'kibana.alert.rule.name',
+ field: ALERT_RULE_NAME,
 },
 },
 },
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index 65b00af0fc13c..6f62727f68bef 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -191,10 +191,10 @@ export const allowSorting = ({
 'kibana.alert.rule.output_index',
 'kibana.alert.rule.query',
 'kibana.alert.rule.references',
- 'kibana.alert.rule.risk_score',
+ 'kibana.alert.risk_score',
 'kibana.alert.rule.rule_id',
 'kibana.alert.rule.saved_id',
- 'kibana.alert.rule.severity',
+ 'kibana.alert.severity',
 'kibana.alert.rule.size',
 'kibana.alert.rule.tags',
 'kibana.alert.rule.threat',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
index 74b85c00b9bce..43c638b2bb453 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+import { ALERT_RULE_CONSUMER, ALERT_RISK_SCORE, ALERT_SEVERITY } from '@kbn/rule-data-utils';
 // TODO: share with security_solution/common/cti/constants.ts
 export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
@@ -61,8 +61,8 @@ export const TIMELINE_EVENTS_FIELDS = [
 'kibana.alert.original_event.kind',
 'kibana.alert.original_event.module',
 'kibana.alert.rule.version',
- 'kibana.alert.rule.severity',
- 'kibana.alert.rule.risk_score',
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
 'kibana.alert.threshold_result',
 'kibana.alert.building_block_type',
 'event.code',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
index c6935554a8ee5..ead9413b0d6b5 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
@@ -150,11 +150,12 @@ describe('formatTimelineData', () => {
 _meta: {
 version: 14,
 },
+ severity: 'low',
+ risk_score: 21,
 rule: {
 note: null,
 throttle: null,
 references: [],
- severity_mapping: [],
 description: 'asdasd',
 created_at: '2021-01-09T11:25:45.046Z',
 language: 'kuery',
@@ -174,9 +175,6 @@ describe('formatTimelineData', () => {
 uuid: '696c24e0-526d-11eb-836c-e1620268b945',
 timeline_id: null,
 max_signals: 100,
- severity: 'low',
- risk_score: 21,
- risk_score_mapping: [],
 author: [],
 query: '_id :*',
 index: [
@@ -274,11 +272,11 @@ describe('formatTimelineData', () => {
 'kibana.alert.rule.query': ['_id :*'],
 'kibana.alert.rule.type': ['threshold'],
 'kibana.alert.rule.uuid': ['696c24e0-526d-11eb-836c-e1620268b945'],
- 'kibana.alert.rule.risk_score': [21],
+ 'kibana.alert.risk_score': [21],
 'kibana.alert.workflow_status': ['open'],
 'event.kind': ['signal'],
 'kibana.alert.original_time': ['2021-01-09T13:39:32.595Z'],
- 'kibana.alert.rule.severity': ['low'],
+ 'kibana.alert.severity': ['low'],
 'kibana.alert.rule.version': ['1'],
 'kibana.alert.rule.index': [
 'apm-*-transaction*',
@@ -330,6 +328,8 @@ describe('formatTimelineData', () => {
 original_time: ['2021-01-09T13:39:32.595Z'],
 workflow_status: ['open'],
 threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
+ severity: ['low'],
+ risk_score: ['21'],
 rule: {
 building_block_type: [],
 exceptions_list: [],
@@ -348,9 +348,7 @@ describe('formatTimelineData', () => {
 language: ['kuery'],
 name: ['Threshold test'],
 output_index: ['.siem-signals-patrykkopycinski-default'],
- risk_score: ['21'],
 query: ['_id :*'],
- severity: ['low'],
 to: ['now'],
 type: ['threshold'],
 version: ['1'],
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
index c17ead5142b0b..8d6764b8a6405 100644
--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/generating_signals.ts
@@ -10,12 +10,9 @@ import {
 ALERT_REASON,
 ALERT_RISK_SCORE,
 ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_RISK_SCORE_MAPPING,
+ ALERT_RULE_PARAMETERS,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_RULE_NAME_OVERRIDE,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_SEVERITY_MAPPING,
 ALERT_RULE_UUID,
 ALERT_SEVERITY,
 ALERT_WORKFLOW_STATUS,
@@ -980,11 +977,11 @@ export default ({ getService }: FtrProviderContext) => {
 expect(signals.length).equal(4);
 signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
+ expect(s?.[ALERT_SEVERITY]).equal('medium');
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
- expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
+ expect(s?.[ALERT_RISK_SCORE]).equal(75);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
 });
 });
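Review bot: In the `@@ -980` hunk, `s?.[ALERT_RULE_PARAMETERS].severity_mapping` guards `s` with `?.` but then dereferences `ALERT_RULE_PARAMETERS` unconditionally, so a signal that lacks the parameters object fails with a TypeError inside `forEach` instead of a readable assertion mismatch, and the mixed guarding reads as an oversight. Continuing the chain, `expect(s?.[ALERT_RULE_PARAMETERS]?.severity_mapping).eql([]);` (and likewise for `risk_score_mapping`), keeps the failure in the assertion; alternatively assert once that `s?.[ALERT_RULE_PARAMETERS]` is defined before reading its members. The same pattern recurs in the `@@ -1014`, `@@ -1048` and `@@ -1086` hunks of this file.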
@@ -1014,9 +1011,9 @@ export default ({ getService }: FtrProviderContext) => {
 ]);
 signals.forEach((s) => {
- expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
+ expect(s?.[ALERT_RISK_SCORE]).equal(75);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
 { field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
 { field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
 ]);
@@ -1048,9 +1045,9 @@ export default ({ getService }: FtrProviderContext) => {
 ]);
 signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
+ expect(s?.[ALERT_SEVERITY]).equal('medium');
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
 { field: 'my_risk', operator: 'equals', value: '' },
 ]);
 });
@@ -1086,11 +1083,11 @@ export default ({ getService }: FtrProviderContext) => {
 ]);
 signals.forEach((s) => {
- expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
+ expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
 { field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
 { field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
 ]);
- expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
+ expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
 { field: 'my_risk', operator: 'equals', value: '' },
 ]);
 });