diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index f4f54a52cae66..86a036bbb9fe2 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -47,7 +47,6 @@ const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
 const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
 const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
 const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
-const ALERT_RULE_ID = `${ALERT_RULE_NAMESPACE}.id` as const;
 const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
 const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
 const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
@@ -106,7 +105,6 @@ const fields = {
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_ENABLED,
 ALERT_RULE_FROM,
- ALERT_RULE_ID,
 ALERT_RULE_INTERVAL,
 ALERT_RULE_LICENSE,
 ALERT_RULE_NAME,
@@ -162,7 +160,6 @@ export {
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_ENABLED,
 ALERT_RULE_FROM,
- ALERT_RULE_ID,
 ALERT_RULE_INTERVAL,
 ALERT_RULE_LICENSE,
 ALERT_RULE_NAME,
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index 82ce5a3e267a4..54a4b80a35bb4 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -94,11 +94,6 @@ export const technicalRuleFieldMap = {
 array: false,
 required: true,
 },
- [Fields.ALERT_RULE_ID]: {
- type: 'keyword',
- array: false,
- required: false,
- },
 [Fields.ALERT_RULE_CREATED_AT]: {
 type: 'date',
 array: false,
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
index a0514a69a60c8..3bc229273bc83 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -13,7 +13,6 @@ import {
 ALERT_WORKFLOW_STATUS,
 ALERT_UUID,
 ALERT_RULE_UUID,
- ALERT_RULE_ID,
 ALERT_RULE_NAME,
 ALERT_RULE_CATEGORY,
 } from '@kbn/rule-data-utils';
@@ -284,7 +283,6 @@ export const requiredFieldMappingsForActionsRuleRegistry = {
 'alert.workflow_status': ALERT_WORKFLOW_STATUS,
 'alert.duration.us': ALERT_DURATION,
 'rule.uuid': ALERT_RULE_UUID,
- 'rule.id': ALERT_RULE_ID,
 'rule.name': ALERT_RULE_NAME,
 'rule.category': ALERT_RULE_CATEGORY,
 producer: ALERT_RULE_PRODUCER,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
index 005fd8905b601..3c065ab0ac109 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap
@@ -1829,10 +1829,6 @@ Object {
 "path": "signal.rule.from",
 "type": "alias",
 },
- "kibana.alert.rule.id": Object {
- "path": "signal.rule.id",
- "type": "alias",
- },
 "kibana.alert.rule.immutable": Object {
 "path": "signal.rule.immutable",
 "type": "alias",
@@ -2017,6 +2013,10 @@ Object {
 "path": "signal.rule.updated_by",
 "type": "alias",
 },
+ "kibana.alert.rule.uuid": Object {
+ "path": "signal.rule.id",
+ "type": "alias",
+ },
 "kibana.alert.rule.version": Object {
 "path": "signal.rule.version",
 "type": "alias",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index 68c184b66c562..8391d490162df 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -35,7 +35,7 @@
 "signal.rule.enabled": "kibana.alert.rule.enabled",
 "signal.rule.false_positives": "kibana.alert.rule.false_positives",
 "signal.rule.from": "kibana.alert.rule.from",
- "signal.rule.id": "kibana.alert.rule.id",
+ "signal.rule.id": "kibana.alert.rule.uuid",
 "signal.rule.immutable": "kibana.alert.rule.immutable",
 "signal.rule.index": "kibana.alert.rule.index",
 "signal.rule.interval": "kibana.alert.rule.interval",
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
index dc556fc988afa..1d6e462ef8b11 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
@@ -13,7 +13,7 @@ import {
 EVENT_KIND,
 SPACE_IDS,
 TIMESTAMP,
- ALERT_RULE_ID,
+ ALERT_RULE_UUID,
 } from '@kbn/rule-data-utils';
 import moment from 'moment';
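Review bot: Re-pointing `signal.rule.id` from `kibana.alert.rule.id` to `kibana.alert.rule.uuid` in the signal_aad_mapping.json hunk drops the old alias name from the signals mapping. Any saved query, filter or dashboard that still references `kibana.alert.rule.id` would presumably match nothing rather than fail visibly. The file cannot carry a comment, so the rename is worth calling out in the upgrade notes for anyone whose detection content keys on the old field. The matching alias change is visible in the `get_signals_template` snapshot.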
@@ -94,7 +94,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 }
 const filter: estypes.QueryDslQueryContainer[] = [
- { terms: { [ALERT_RULE_ID]: ruleIds } },
+ { terms: { [ALERT_RULE_UUID]: ruleIds } },
 { terms: { [SPACE_IDS]: [spaceId] } },
 ];
@@ -113,7 +113,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 aggs: {
 rules: {
 terms: {
- field: ALERT_RULE_ID,
+ field: ALERT_RULE_UUID,
 size: ruleIds.length,
 },
 aggs: {
@@ -147,7 +147,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 bucket.most_recent_logs.hits.hits.map((event) => {
 const logEntry = parseRuleExecutionLog(event._source);
 invariant(
- logEntry[ALERT_RULE_ID] ?? '',
+ logEntry[ALERT_RULE_UUID] ?? '',
 'Malformed execution log entry: rule.id field not found'
 );
@@ -181,7 +181,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 ]
 : undefined;
- const alertId = logEntry[ALERT_RULE_ID] ?? '';
+ const alertId = logEntry[ALERT_RULE_UUID] ?? '';
 const statusDate = logEntry[TIMESTAMP];
 const lastFailureAt = lastFailure?.[TIMESTAMP];
 const lastFailureMessage = lastFailure?.[MESSAGE];
@@ -228,7 +228,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 [EVENT_ACTION]: metric,
 [EVENT_KIND]: 'metric',
 [getMetricField(metric)]: value,
- [ALERT_RULE_ID]: ruleId ?? '',
+ [ALERT_RULE_UUID]: ruleId ?? '',
 [TIMESTAMP]: new Date().toISOString(),
 [ALERT_RULE_CONSUMER]: SERVER_APP_ID,
 [ALERT_RULE_TYPE_ID]: SERVER_APP_ID,
@@ -251,7 +251,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
 [EVENT_KIND]: 'event',
 [EVENT_SEQUENCE]: this.sequence++,
 [MESSAGE]: message,
- [ALERT_RULE_ID]: ruleId ?? '',
+ [ALERT_RULE_UUID]: ruleId ?? '',
 [RULE_STATUS_SEVERITY]: statusSeverityDict[newStatus],
 [RULE_STATUS]: newStatus,
 [TIMESTAMP]: new Date().toISOString(),
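Review bot: The `terms` filter on `[ALERT_RULE_UUID]` matches only execution-log documents that carry the new field. Entries written before this change under the removed `kibana.alert.rule.id` key would presumably drop out of status lookups unless the index is migrated or aliased, which the diff does not show. The same holds for the `field: ALERT_RULE_UUID` aggregation in the next hunk. If older entries are intentionally left behind, a comment above the filter such as `// Entries indexed under the former rule.id field are not matched here` would record that. The enclosing method starts and ends outside the hunk.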
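Review bot: The invariant message in the `@@ -147` hunk still reads `'Malformed execution log entry: rule.id field not found'` although the check now looks up `ALERT_RULE_UUID`. A failure would point whoever reads the log at a field that this commit removes from the mapping. Suggest `'Malformed execution log entry: rule.uuid field not found'`. The surrounding callback begins and ends outside the hunk.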
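Review bot: `[ALERT_RULE_UUID]: ruleId ?? ''` in the `@@ -228` hunk writes an empty-string rule identifier when `ruleId` is missing, and the status-change document in the `@@ -251` hunk does the same. Such a document cannot be attributed to any rule: the read path filters by `ruleIds` and its invariant treats `''` as missing. Consider failing early instead, for example `invariant(ruleId, 'ruleId is required to write an execution log entry');` before the document is built. Both methods extend beyond the visible lines, so an earlier guard may already exist.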
diff --git a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
index fb7899165bb3d..19206c40d18c2 100644
--- a/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
+++ b/x-pack/plugins/timelines/public/components/actions/timeline/cases/add_to_case_action.test.tsx
@@ -11,6 +11,7 @@ import { TestProviders, mockGetAllCasesSelectorModal } from '../../../../mock';
 import { AddToCaseAction } from './add_to_case_action';
 import { SECURITY_SOLUTION_OWNER } from '../../../../../../cases/common';
 import { AddToCaseActionButton } from './add_to_case_action_button';
+import { ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 jest.mock('react-router-dom', () => ({
 useLocation: () => ({
@@ -100,7 +101,7 @@ describe('AddToCaseAction', () => {
 {...props}
 event={{
 _id: 'test-id',
- data: [{ field: 'kibana.alert.rule.id', value: ['rule-id'] }],
+ data: [{ field: ALERT_RULE_UUID, value: ['rule-id'] }],
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
@@ -112,7 +113,7 @@ describe('AddToCaseAction', () => {
 {...props}
 event={{
 _id: 'test-id',
- data: [{ field: 'kibana.alert.rule.id', value: ['rule-id'] }],
+ data: [{ field: ALERT_RULE_UUID, value: ['rule-id'] }],
 ecs: {
 _id: 'test-id',
 _index: 'test-index',
diff --git a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
index 623fbf53b0598..3ac2e28841b3e 100644
--- a/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
+++ b/x-pack/plugins/timelines/public/hooks/use_add_to_case.ts
@@ -8,7 +8,7 @@ import { get, isEmpty } from 'lodash/fp';
 import { useState, useCallback, useMemo, SyntheticEvent } from 'react';
 import { useLocation } from 'react-router-dom';
 import { useDispatch } from 'react-redux';
-import { ALERT_RULE_ID, ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RULE_UUID } from '@kbn/rule-data-utils';
 import { useKibana } from '../../../../../src/plugins/kibana_react/public';
 import { Case, SubCase } from '../../../cases/common';
 import { TimelinesStartServices } from '../types';
@@ -243,15 +243,12 @@ export const useAddToCase = ({
 };
 export function normalizedEventFields(event?: TimelineItem) {
- const ruleId = event && event.data.find(({ field }) => field === ALERT_RULE_ID);
 const ruleUuid = event && event.data.find(({ field }) => field === ALERT_RULE_UUID);
 const ruleName = event && event.data.find(({ field }) => field === ALERT_RULE_NAME);
- const ruleIdValue = ruleId && ruleId.value && ruleId.value[0];
 const ruleUuidValue = ruleUuid && ruleUuid.value && ruleUuid.value[0];
 const ruleNameValue = ruleName && ruleName.value && ruleName.value[0];
- const idToUse = ruleIdValue ? ruleIdValue : ruleUuidValue;
 const id =
- idToUse ??
+ ruleUuidValue ??
 get(`ecs.${ALERT_RULE_UUID}[0]`, event) ??
 get(`ecs.signal.rule.id[0]`, event) ??
 null;
diff --git a/x-pack/test/security_solution_cypress/config.ts b/x-pack/test/security_solution_cypress/config.ts
index 0026f5897019e..d22ff564beb2c 100644
--- a/x-pack/test/security_solution_cypress/config.ts
+++ b/x-pack/test/security_solution_cypress/config.ts
@@ -40,6 +40,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 // retrieve rules from the filesystem but not from fleet for Cypress tests
 '--xpack.securitySolution.prebuiltRulesFromFileSystem=true',
 '--xpack.securitySolution.prebuiltRulesFromSavedObjects=false',
+ `--home.disableWelcomeScreen=true`,
 ],
 },
 };
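Review bot: The fallback order for the rule id in `normalizedEventFields` is undocumented. After this change an event whose `data` carries only the former `kibana.alert.rule.id` field falls through to `ecs.signal.rule.id[0]` or `null`, so a case attachment could be created without a rule reference. A short comment above `const id =` would make the precedence explicit, e.g. `// Prefer rule.uuid from event.data, then ecs, then the legacy signal.rule.id`. The function body continues past the hunk.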
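Review bot: The added server argument in config.ts is a template literal with nothing interpolated, while the neighbouring entries use single quotes; `'--home.disableWelcomeScreen=true',` would match the list. The flag also looks unrelated to the field rename in the rest of the commit. A one-line comment saying why the Cypress run needs it, like the one above the prebuilt-rules flags, would help.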