From 00c547b91d103046030c0b3dedc830e7e2e5482e Mon Sep 17 00:00:00 2001 From: Amardeepsingh Siglani Date: Tue, 13 Dec 2022 00:35:08 -0800 Subject: [PATCH 1/4] refactored finding flyout Signed-off-by: Amardeepsingh Siglani --- .../components/FindingDetailsFlyout.tsx | 109 +++++++++++------- 1 file changed, 65 insertions(+), 44 deletions(-) diff --git a/public/pages/Findings/components/FindingDetailsFlyout.tsx b/public/pages/Findings/components/FindingDetailsFlyout.tsx index 0a89d06ec..ead06f543 100644 --- a/public/pages/Findings/components/FindingDetailsFlyout.tsx +++ b/public/pages/Findings/components/FindingDetailsFlyout.tsx @@ -8,6 +8,7 @@ import { EuiAccordion, EuiBadge, EuiBadgeGroup, + EuiButton, EuiButtonIcon, EuiCodeBlock, EuiFlexGroup, @@ -63,13 +64,7 @@ export default class FindingDetailsFlyout extends Component< }; renderRuleDetails = (rules: Query[] = []) => { - const { - allRules, - finding: { index, related_doc_ids, document_list }, - } = this.props; - const documents = document_list; - const docId = related_doc_ids[0]; - const document = documents.filter((doc) => doc.id === docId); + const { allRules } = this.props; return rules.map((rule, key) => { const fullRule = allRules[rule.id]; const severity = capitalizeFirstLetter(fullRule.level); @@ -140,51 +135,75 @@ export default class FindingDetailsFlyout extends Component< + + {rules.length > 1 && } + + ); + }); + }; + + onViewSurroundingDocumentsClicked = () => {}; + + renderFindingDocuments() { + const { + finding: { index, document_list, related_doc_ids }, + } = this.props; + const documents = document_list; + const docId = related_doc_ids[0]; + const matchedDocuments = documents.filter((doc) => doc.id === docId); + const document = matchedDocuments.length > 0 ? matchedDocuments[0].document : ''; + return ( + <> + +

Documents

- - - - - - {docId || DEFAULT_EMPTY_DATA} - - +
+ + + View surrounding documents + + +
- - - {index || DEFAULT_EMPTY_DATA} - - - + - + + + + {docId || DEFAULT_EMPTY_DATA} + + - - - {JSON.stringify(document, null, 4)} - + + + {index || DEFAULT_EMPTY_DATA} - - {rules.length > 1 && } - - ); - }); - }; + + + + + + + + {JSON.stringify(JSON.parse(document), null, 2)} + + + + ); + } render() { const { @@ -270,6 +289,8 @@ export default class FindingDetailsFlyout extends Component< {this.renderRuleDetails(queries)} + + {this.renderFindingDocuments()} ); From 00678357a878c979cfc7d1d7222fc93c5d6c251c Mon Sep 17 00:00:00 2001 From: Amardeepsingh Siglani Date: Tue, 13 Dec 2022 17:57:49 -0800 Subject: [PATCH 2/4] updated cypress test Signed-off-by: Amardeepsingh Siglani --- cypress/integration/3_alerts.spec.js | 80 +++++++++++++--------------- 1 file changed, 37 insertions(+), 43 deletions(-) diff --git a/cypress/integration/3_alerts.spec.js b/cypress/integration/3_alerts.spec.js index a40037503..64d52cbd8 100644 --- a/cypress/integration/3_alerts.spec.js +++ b/cypress/integration/3_alerts.spec.js @@ -249,51 +249,45 @@ describe('Alerts', () => { ['low', 'windows', 'attack.initial_access', 'attack.t1200'].forEach((tag) => { cy.get('[data-test-subj="finding-details-flyout-rule-tags"]').contains(tag); }); - - // Confirm the rule document ID is present - cy.get('[data-test-subj="finding-details-flyout-rule-document-id"]') - .invoke('text') - .then((text) => expect(text).to.not.equal('-')); - - // Confirm the rule index - cy.get('[data-test-subj="finding-details-flyout-rule-document-index"]').contains(testIndex); - - // Confirm the rule document matches - // The EuiCodeEditor used for this component stores each line of the JSON in an array of elements; - // so this test formats the expected document into an array of strings, - // and matches each entry with the corresponding element line. - const document = JSON.stringify( - [ - { - index: 'sample_alerts_spec_cypress_test_index', - id: '', - found: true, - document: - '{"EventTime":"2020-02-04T14:59:39.343541+00:00","HostName":"EC2AMAZ-EPO7HKA","Keywords":"9223372036854775808","SeverityValue":2,"Severity":"INFO","EventID":2003,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"TaskValue":22,"OpcodeValue":0,"RecordNumber":9532,"ExecutionProcessID":1996,"ExecutionThreadID":2616,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-04 14:59:38.349\\r\\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\\r\\nProcessId: 1904\\r\\nQueryName: EC2AMAZ-EPO7HKA\\r\\nQueryStatus: 0\\r\\nQueryResults: 172.31.46.38;\\r\\nImage: C:\\\\Program Files\\\\nxlog\\\\nxlog.exe","Category":"Dns query (rule: DnsQuery)","Opcode":"Info","UtcTime":"2020-02-04 14:59:38.349","ProcessGuid":"{b3c285a4-3cda-5dc0-0000-001077270b00}","ProcessId":"1904","QueryName":"EC2AMAZ-EPO7HKA","QueryStatus":"0","QueryResults":"172.31.46.38;","Image":"C:\\\\Program Files\\\\nxlog\\\\regsvr32.exe","EventReceivedTime":"2020-02-04T14:59:40.780905+00:00","SourceModuleName":"in","SourceModuleType":"im_msvistalog","CommandLine":"eachtest","Initiated":"true","Provider_Name":"Microsoft-Windows-Kernel-General","TargetObject":"\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\Outlook\\\\Security","EventType":"SetValue"}', - }, - ], - null, - 4 - ); - const documentLines = document.split('\n'); - cy.get('[data-test-subj="finding-details-flyout-rule-document"]') - .get('[class="euiCodeBlock__line"]') - .each((lineElement, lineIndex) => { - let line = lineElement.text(); - let expectedLine = documentLines[lineIndex]; - - // The document ID field is generated when the document is added to the index, - // so this test just checks that the line starts with the ID key. - if (expectedLine.trimStart().startsWith('"id": "')) { - expectedLine = '"id": "'; - expect(line, `document JSON line ${lineIndex}`).to.contain(expectedLine); - } else { - line = line.replaceAll('\n', ''); - expect(line, `document JSON line ${lineIndex}`).to.equal(expectedLine); - } - }); }); + // Confirm the rule document ID is present + cy.get('[data-test-subj="finding-details-flyout-rule-document-id"]') + .invoke('text') + .then((text) => expect(text).to.not.equal('-')); + + // Confirm the rule index + cy.get('[data-test-subj="finding-details-flyout-rule-document-index"]').contains(testIndex); + + // Confirm the rule document matches + // The EuiCodeEditor used for this component stores each line of the JSON in an array of elements; + // so this test formats the expected document into an array of strings, + // and matches each entry with the corresponding element line. + const document = JSON.stringify( + JSON.parse( + '{"EventTime":"2020-02-04T14:59:39.343541+00:00","HostName":"EC2AMAZ-EPO7HKA","Keywords":"9223372036854775808","SeverityValue":2,"Severity":"INFO","EventID":2003,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"TaskValue":22,"OpcodeValue":0,"RecordNumber":9532,"ExecutionProcessID":1996,"ExecutionThreadID":2616,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Message":"Dns query:\\r\\nRuleName: \\r\\nUtcTime: 2020-02-04 14:59:38.349\\r\\nProcessGuid: {b3c285a4-3cda-5dc0-0000-001077270b00}\\r\\nProcessId: 1904\\r\\nQueryName: EC2AMAZ-EPO7HKA\\r\\nQueryStatus: 0\\r\\nQueryResults: 172.31.46.38;\\r\\nImage: C:\\\\Program Files\\\\nxlog\\\\nxlog.exe","Category":"Dns query (rule: DnsQuery)","Opcode":"Info","UtcTime":"2020-02-04 14:59:38.349","ProcessGuid":"{b3c285a4-3cda-5dc0-0000-001077270b00}","ProcessId":"1904","QueryName":"EC2AMAZ-EPO7HKA","QueryStatus":"0","QueryResults":"172.31.46.38;","Image":"C:\\\\Program Files\\\\nxlog\\\\regsvr32.exe","EventReceivedTime":"2020-02-04T14:59:40.780905+00:00","SourceModuleName":"in","SourceModuleType":"im_msvistalog","CommandLine":"eachtest","Initiated":"true","Provider_Name":"Microsoft-Windows-Kernel-General","TargetObject":"\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\Outlook\\\\Security","EventType":"SetValue"}' + ), + null, + 2 + ); + const documentLines = document.split('\n'); + cy.get('[data-test-subj="finding-details-flyout-rule-document"]') + .get('[class="euiCodeBlock__line"]') + .each((lineElement, lineIndex) => { + let line = lineElement.text(); + let expectedLine = documentLines[lineIndex]; + + // The document ID field is generated when the document is added to the index, + // so this test just checks that the line starts with the ID key. + if (expectedLine.trimStart().startsWith('"id": "')) { + expectedLine = '"id": "'; + expect(line, `document JSON line ${lineIndex}`).to.contain(expectedLine); + } else { + line = line.replaceAll('\n', ''); + expect(line, `document JSON line ${lineIndex}`).to.equal(expectedLine); + } + }); + // Press the "back" button cy.get( '[data-test-subj="finding-details-flyout-back-button"]', From 9b5c0722f3137f65c688df58d5ed5e66dfe4340e Mon Sep 17 00:00:00 2001 From: Amardeepsingh Siglani Date: Tue, 13 Dec 2022 20:53:20 -0800 Subject: [PATCH 3/4] show surrounding documents when index-pattern available Signed-off-by: Amardeepsingh Siglani --- .../components/AlertFlyout/AlertFlyout.tsx | 13 +++--- .../pages/Alerts/containers/Alerts/Alerts.tsx | 3 +- .../components/FindingDetailsFlyout.tsx | 43 +++++++++++++++++-- .../FindingsTable/FindingsTable.tsx | 5 +-- public/pages/Main/Main.tsx | 1 + public/security_analytics_app.tsx | 4 +- public/services/OpenSearchService.ts | 27 +++++++++--- 7 files changed, 74 insertions(+), 22 deletions(-) diff --git a/public/pages/Alerts/components/AlertFlyout/AlertFlyout.tsx b/public/pages/Alerts/components/AlertFlyout/AlertFlyout.tsx index 8f30e9d5a..a9d8234fa 100644 --- a/public/pages/Alerts/components/AlertFlyout/AlertFlyout.tsx +++ b/public/pages/Alerts/components/AlertFlyout/AlertFlyout.tsx @@ -27,9 +27,9 @@ import { errorNotificationToast, renderTime, } from '../../../../utils/helpers'; -import { FindingsService, RuleService } from '../../../../services'; +import { FindingsService, RuleService, OpenSearchService } from '../../../../services'; import FindingDetailsFlyout from '../../../Findings/components/FindingDetailsFlyout'; -import { Detector, Rule } from '../../../../../models/interfaces'; +import { Detector } from '../../../../../models/interfaces'; import { parseAlertSeverityToOption } from '../../../CreateDetector/components/ConfigureAlerts/utils/helpers'; import { Finding } from '../../../Findings/models/interfaces'; import { NotificationsStart } from 'opensearch-dashboards/public'; @@ -39,9 +39,10 @@ export interface AlertFlyoutProps { detector: Detector; findingsService: FindingsService; ruleService: RuleService; + notifications: NotificationsStart; + opensearchService: OpenSearchService; onClose: () => void; onAcknowledge: (selectedItems: AlertItem[]) => void; - notifications: NotificationsStart; } export interface AlertFlyoutState { @@ -49,7 +50,7 @@ export interface AlertFlyoutState { findingFlyoutData?: Finding; findingItems: Finding[]; loading: boolean; - rules: { [key: string]: Rule }; + rules: { [key: string]: RuleSource }; } export class AlertFlyout extends React.Component { @@ -86,7 +87,7 @@ export class AlertFlyout extends React.Component void; backButton?: React.ReactNode; - allRules: object; + allRules: { [id: string]: RuleSource }; + opensearchService: OpenSearchService; + closeFlyout: () => void; } interface FindingDetailsFlyoutState { loading: boolean; + indexPatternId?: string; } export default class FindingDetailsFlyout extends Component< @@ -49,6 +53,14 @@ export default class FindingDetailsFlyout extends Component< }; } + componentDidMount(): void { + this.getIndexPatternId().then((patternId) => { + if (patternId) { + this.setState({ indexPatternId: patternId }); + } + }); + } + renderTags = () => { const { finding } = this.props; const tags = finding.queries[0].tags || []; @@ -142,7 +154,22 @@ export default class FindingDetailsFlyout extends Component< }); }; - onViewSurroundingDocumentsClicked = () => {}; + getIndexPatternId = async () => { + const indexPatterns = await this.props.opensearchService.getIndexPatterns(); + const { + finding: { index }, + } = this.props; + let patternId; + indexPatterns.map((pattern) => { + const patternName = pattern.attributes.title.replaceAll('*', '.*'); + const patternRegex = new RegExp(patternName); + if (index.match(patternRegex)) { + patternId = pattern.id; + } + }); + + return patternId; + }; renderFindingDocuments() { const { @@ -152,6 +179,7 @@ export default class FindingDetailsFlyout extends Component< const docId = related_doc_ids[0]; const matchedDocuments = documents.filter((doc) => doc.id === docId); const document = matchedDocuments.length > 0 ? matchedDocuments[0].document : ''; + const { indexPatternId } = this.state; return ( <> @@ -162,7 +190,14 @@ export default class FindingDetailsFlyout extends Component< - + View surrounding documents diff --git a/public/pages/Findings/components/FindingsTable/FindingsTable.tsx b/public/pages/Findings/components/FindingsTable/FindingsTable.tsx index 6ab37b28d..47dbb2a5a 100644 --- a/public/pages/Findings/components/FindingsTable/FindingsTable.tsx +++ b/public/pages/Findings/components/FindingsTable/FindingsTable.tsx @@ -9,10 +9,8 @@ import moment from 'moment'; import { EuiBasicTableColumn, EuiButtonIcon, - EuiEmptyPrompt, EuiInMemoryTable, EuiLink, - EuiText, EuiToolTip, } from '@elastic/eui'; import { FieldValueSelectionFilterConfigType } from '@elastic/eui/src/components/search_bar/filters/field_value_selection_filter'; @@ -26,6 +24,7 @@ import CreateAlertFlyout from '../CreateAlertFlyout'; import { NotificationChannelTypeOptions } from '../../../CreateDetector/components/ConfigureAlerts/models/interfaces'; import { FindingItemType } from '../../containers/Findings/Findings'; import { parseAlertSeverityToOption } from '../../../CreateDetector/components/ConfigureAlerts/utils/helpers'; +import { RuleSource } from '../../../../../server/models/interfaces'; interface FindingsTableProps extends RouteComponentProps { detectorService: DetectorsService; @@ -34,7 +33,7 @@ interface FindingsTableProps extends RouteComponentProps { notificationChannels: NotificationChannelTypeOptions[]; refreshNotificationChannels: () => void; loading: boolean; - rules: any; + rules: { [id: string]: RuleSource }; startTime: string; endTime: string; onRefresh: () => void; diff --git a/public/pages/Main/Main.tsx b/public/pages/Main/Main.tsx index 394fe7651..aa7bb0a26 100644 --- a/public/pages/Main/Main.tsx +++ b/public/pages/Main/Main.tsx @@ -353,6 +353,7 @@ export default class Main extends Component { findingService={services.findingsService} ruleService={services.ruleService} notifications={core?.notifications} + opensearchService={services.opensearchService} /> )} /> diff --git a/public/security_analytics_app.tsx b/public/security_analytics_app.tsx index 78c7beac4..73caff669 100644 --- a/public/security_analytics_app.tsx +++ b/public/security_analytics_app.tsx @@ -21,12 +21,12 @@ import FieldMappingService from './services/FieldMappingService'; import RuleService from './services/RuleService'; export function renderApp(coreStart: CoreStart, params: AppMountParameters, landingPage: string) { - const http = coreStart.http; + const { http, savedObjects } = coreStart; const detectorsService = new DetectorsService(http); const indexService = new IndexService(http); const findingsService = new FindingsService(http); - const opensearchService = new OpenSearchService(http); + const opensearchService = new OpenSearchService(http, savedObjects.client); const fieldMappingService = new FieldMappingService(http); const alertsService = new AlertsService(http); const ruleService = new RuleService(http); diff --git a/public/services/OpenSearchService.ts b/public/services/OpenSearchService.ts index d2be13864..f1b1c6632 100644 --- a/public/services/OpenSearchService.ts +++ b/public/services/OpenSearchService.ts @@ -3,17 +3,20 @@ * SPDX-License-Identifier: Apache-2.0 */ -import { HttpSetup } from 'opensearch-dashboards/public'; +import { + HttpSetup, + SavedObjectsClientContract, + SimpleSavedObject, +} from 'opensearch-dashboards/public'; import { ServerResponse } from '../../server/models/types'; import { SearchResponse, Plugin } from '../../server/models/interfaces'; import { API } from '../../server/utils/constants'; export default class OpenSearchService { - httpClient: HttpSetup; - - constructor(httpClient: HttpSetup) { - this.httpClient = httpClient; - } + constructor( + private httpClient: HttpSetup, + private savedObjectsClient: SavedObjectsClientContract + ) {} documentIdsQuery = async ( index: string, @@ -41,4 +44,16 @@ export default class OpenSearchService { let url = `..${API.PLUGINS}`; return await this.httpClient.get(url); }; + + getIndexPatterns = async (): Promise[]> => { + const indexPatterns = await this.savedObjectsClient + .find<{ title: string }>({ + type: 'index-pattern', + fields: ['title', 'type'], + perPage: 10000, + }) + .then((response) => response.savedObjects); + + return Promise.resolve(indexPatterns); + }; } From c429df6106785018eca1c3127cf340159ef889a5 Mon Sep 17 00:00:00 2001 From: Amardeepsingh Siglani Date: Tue, 13 Dec 2022 23:22:12 -0800 Subject: [PATCH 4/4] fixed search filter for log source Signed-off-by: Amardeepsingh Siglani --- .../components/DetectorDataSource/DetectorDataSource.tsx | 1 - 1 file changed, 1 deletion(-) diff --git a/public/pages/CreateDetector/components/DefineDetector/components/DetectorDataSource/DetectorDataSource.tsx b/public/pages/CreateDetector/components/DefineDetector/components/DetectorDataSource/DetectorDataSource.tsx index 9433510cf..271bae803 100644 --- a/public/pages/CreateDetector/components/DefineDetector/components/DetectorDataSource/DetectorDataSource.tsx +++ b/public/pages/CreateDetector/components/DefineDetector/components/DetectorDataSource/DetectorDataSource.tsx @@ -102,7 +102,6 @@ export default class DetectorDataSource extends Component< >