[CTI] Filters alerts table by presence of threat (elastic/security-team#907)

[ecezalp]

Closes elastic/security-team#907.

Summary

This change enables alert table filtering by the presence of signal.rule.threat_mapping. Previously we have discussed the usage of threat.indicator.matched to detect whether an alert is a "threat" or not, but I was unable to get hits on threat and any fields that would be under it, even though I was able to see the fields when I queried my siem-signals index with a match all query. So, this implementation detail (using signal.rule.threat_mapping instead of threat.indicator.matched is up for discussion.

Another interesting finding was around the default filters, it appeared that the filters were reversed, in the sense that I had to use a must_not query to obtain the results containing the threats, as opposed to a must. I found this peculiar, so please let me know if there are any improvements to be made in this area.

Lastly, a few unit tests were added, but so far there are no integration tests, I wasn't able to find if the Alerts Table is currently covered with integration tests, so I would appreciate a nudge towards that direction.

Images

not applied (Detections Home)

applied (Detections Home)

also available on the Rules page

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[rylnd]

So, this implementation detail (using signal.rule.threat_mapping instead of threat.indicator.matched is up for discussion.

My initial thinking was that we need a canonical definition for a threat match alert, and that "has threat match fields" was the simplest answer. To that end, I'd be happy to pair to see if we can't figure out a query that works; I'm guessing it's either the nested fields thing, or a consequence of the fields being requested.

I was also going to claim that this logic would also catch old, pre-enriched indicator alerts (which I don't think we want), however, we didn't have mappings for these fields until 7.12, so (I think) both enrichment and the ability to query threat_mapping happened in the same release, so this should work? Regardless, I think we should try to make the former work before settling on this solution.

You've got some type failures which look related to one of my questions, so let's discuss this again on Monday :)

[ecezalp]

@kibana-app-services you have been summoned because I temporarily removed a TODO that was left in the codebase, which suppressed a ts-error regarding the Filter not having an "exists" field. I briefly added an optional field to the Filter object in the data plugin, but that seemed to result in a lot of type errors in this build, so I decided to bring back the TODO -- nothing to see here. Creating a new ticket for the removal of the TODO for the future, will attach to this comment shortly.

[rylnd]

The filter functionality works great! The only things to address are the label copy and the space between the two labels.

[rylnd]

nit:

Suggested change

	<ThreatMatchContainer>
	<ThreatMatchFilterContainer>

[rylnd]

Suggested change

	defaultMessage: 'Show threat indicator matches only',
	defaultMessage: 'Show only threat match alerts',

Thoughts: I would emphasize the entities that this filter is acting on (alerts), and move "only" to the beginning of the label since it's logically different than the existing building block query.

RE qualifying alert, I like "threat indicator alert" more than "threat indicator match alert" as that seems redundant, but we should probably rope product in for the final say here. /cc @MikePaquette @devonakerr

[devonakerr]

I think "threat indicator match alert" is awkward, and "threat indicator alert" is more concise without losing meaning.

[ecezalp]

updating as Show only threat indicator alerts

[rylnd]

I think this PR unintentionally inverted the logic of the building block filter; please do fix that before merging. Other than that, this looks great!

[rylnd]

Can we safely remove this ternary that was here before? What was its purpose?

[rylnd]

Update: never mind, I see that you moved this logic into the function itself 👍

[rylnd]

Would be great to add a quick unit test for that 😉

[rylnd]

nit:

Suggested change

	onShowThreatMatchesOnlyChanged: (showBuildingBlockAlerts: boolean) => void;
	onShowThreatMatchesOnlyChanged: (showThreatMatchesOnly: boolean) => void;

[rylnd]

I think the logic was inverted here; we were previously returning an empty array if showBuildingBlockAlerts was truthy.

[kibanamachine]

💛 Build succeeded, but was flaky

• continuous-integration/kibana-ci/pull-request

• Commit: 5ae850c

• Storybooks Preview

• Flaky suites:

  • xpack-securitySolutionCypressChrome

---

Test Failures

Kibana Pipeline / general / "before all" hook for "should open a modal".Open timeline Open timeline modal "before all" hook for "should open a modal"

Link to Jenkins

Stack Trace

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

AssertionError: Timed out retrying after 60000ms: Expected to find element: `[data-test-subj="title-924470b0-9bca-11eb-bf7d-539c5070ec2a"]`, but never found it.

Because this error occurred during a `before all` hook we are skipping the remaining tests in the current suite: `Open timeline`

Although you have test retries enabled, we do not retry tests when `before all` or `after all` hooks fail
    at Object.openTimelineById (http://localhost:6121/__cypress/tests?p=cypress/integration/timelines/open_timeline.spec.ts:16092:15)
    at Context.eval (http://localhost:6121/__cypress/tests?p=cypress/integration/timelines/open_timeline.spec.ts:15046:28)

---

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	7.3MB	7.3MB	+2.9KB

History

• 💛 Build #118914 was flaky 945101b
• 💔 Build #117984 failed a956112
• 💔 Build #117939 failed 1d3b581
• 💔 Build #117645 failed 8a63480
• 💔 Build #117615 failed 0ac8f87

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream