[Security Solution] Remove extra rule fields from kibana.alert.rule (#121135) (#121571)

* Remove kibana.alert.rule.risk_score and severity

* Fix tests related to risk_score and severity

* Make translation a template

* Can't use expression in template literal

* Remove commented line added by bad merge

* Fix linting

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/__snapshots__/index.test.tsx.snap
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/index.test.tsx
#	x-pack/plugins/security_solution/public/common/components/event_details/overview/index.tsx
#	x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx
#	x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx
#	x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
Marshall Main 2021-12-17 15:28:41 -08:00 committed by GitHub
parent b093830b6b
commit 04014638b4
38 changed files with 162 additions and 277 deletions


@ -55,12 +55,8 @@ const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
const ALERT_RULE_RISK_SCORE = `${ALERT_RULE_NAMESPACE}.risk_score` as const;
const ALERT_RULE_RISK_SCORE_MAPPING = `${ALERT_RULE_NAMESPACE}.risk_score_mapping` as const;
const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
const ALERT_RULE_SEVERITY = `${ALERT_RULE_NAMESPACE}.severity` as const;
const ALERT_RULE_SEVERITY_MAPPING = `${ALERT_RULE_NAMESPACE}.severity_mapping` as const;
const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
@ -114,12 +110,8 @@ const fields = {
ALERT_RULE_NOTE,
ALERT_RULE_PARAMETERS,
ALERT_RULE_REFERENCES,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
ALERT_RULE_SEVERITY,
ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
@ -171,11 +163,8 @@ export {
ALERT_RULE_NOTE,
ALERT_RULE_PARAMETERS,
ALERT_RULE_REFERENCES,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_TAGS,
ALERT_RULE_TO,
ALERT_RULE_TYPE,
@ -183,7 +172,6 @@ export {
ALERT_RULE_UPDATED_AT,
ALERT_RULE_UPDATED_BY,
ALERT_RULE_VERSION,
ALERT_RULE_SEVERITY,
ALERT_SEVERITY,
ALERT_START,
ALERT_SYSTEM_STATUS,
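Review bot: Every consumer that imports `ALERT_RULE_RISK_SCORE` or `ALERT_RULE_SEVERITY` from `@kbn/rule-data-utils` breaks with the export-list hunks of this file, and, more quietly, any user-saved filter, timeline or KQL query written against `kibana.alert.rule.risk_score` / `kibana.alert.rule.severity` now matches nothing because the value moved to `kibana.alert.risk_score` / `kibana.alert.severity`. Nothing in the commit records that rename for the next reader; a comment on the `ALERT_RISK_SCORE` and `ALERT_SEVERITY` definitions (outside these hunks) such as `// per-alert value; replaces the former kibana.alert.rule.risk_score` would at least leave a trail. The rendered view does not show whether the `*_MAPPING` constants are removed here as well; if they are, the description, which names only risk_score and severity, should say so. The same literal rename recurs in the allowTopN list, the stack-by options and the column definitions later in the commit, so one note here covers those.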


@ -40,16 +40,6 @@ export const technicalRuleFieldMap = {
array: false,
required: false,
},
[Fields.ALERT_RULE_SEVERITY]: {
type: 'keyword',
array: false,
required: false,
},
[Fields.ALERT_RULE_RISK_SCORE]: {
type: 'float',
array: false,
required: false,
},
[Fields.ALERT_RISK_SCORE]: {
type: 'float',
array: false,
@ -150,26 +140,6 @@ export const technicalRuleFieldMap = {
array: true,
required: false,
},
[Fields.ALERT_RULE_RISK_SCORE_MAPPING]: {
type: 'object',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.field`]: {
type: 'keyword',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.operator`]: {
type: 'keyword',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_RISK_SCORE_MAPPING}.value`]: {
type: 'keyword',
array: false,
required: false,
},
[Fields.ALERT_RULE_RULE_ID]: {
type: 'keyword',
array: false,
@ -180,31 +150,6 @@ export const technicalRuleFieldMap = {
array: false,
required: false,
},
[Fields.ALERT_RULE_SEVERITY_MAPPING]: {
type: 'object',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_SEVERITY_MAPPING}.field`]: {
type: 'keyword',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_SEVERITY_MAPPING}.operator`]: {
type: 'keyword',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_SEVERITY_MAPPING}.value`]: {
type: 'keyword',
array: false,
required: false,
},
[`${Fields.ALERT_RULE_SEVERITY_MAPPING}.severity`]: {
type: 'keyword',
array: false,
required: false,
},
[Fields.ALERT_RULE_TAGS]: {
type: 'keyword',
array: true,


@ -57,7 +57,7 @@ const esFieldTypeMap = {
float: t.union([t.number, NumberFromString]),
scaled_float: t.union([t.number, NumberFromString]),
unsigned_long: t.union([t.number, NumberFromString]),
flattened: t.record(t.string, t.array(t.string)),
flattened: t.UnknownRecord,
};
type EsFieldTypeMap = typeof esFieldTypeMap;
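Review bot: Widening `flattened` from `t.record(t.string, t.array(t.string))` to `t.UnknownRecord` removes the only runtime check on the shape of flattened fields decoded from alert documents; whatever is stored under such a key is now accepted as-is and every reader has to narrow the `unknown` values itself. That is the right type if the content really is arbitrary nested JSON (the `RACAlert` change in this commit suggests rule parameters live here), but the map should say so: `flattened: t.UnknownRecord, // arbitrary nested JSON (e.g. rule parameters); consumers must validate the shape they read`. If the previous array-of-strings form was simply wrong for existing documents, the description should name what broke.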


@ -11,7 +11,7 @@ import {
ALERT_RULE_CONSUMER,
ALERT_RULE_NAME,
ALERT_RULE_PRODUCER,
ALERT_RULE_RISK_SCORE,
ALERT_RISK_SCORE,
ALERT_RULE_TYPE_ID,
ALERT_RULE_UUID,
ALERT_STATUS,
@ -35,7 +35,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
[ALERT_RULE_CONSUMER]: 'apm',
[ALERT_RULE_NAME]: 'Check error rate',
[ALERT_RULE_PRODUCER]: 'apm',
[ALERT_RULE_RISK_SCORE]: 20,
[ALERT_RISK_SCORE]: 20,
[ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
[ALERT_RULE_UUID]: 'fake-rule-uuid',
[ALERT_STATUS]: ALERT_STATUS_ACTIVE,


@ -14,8 +14,8 @@ import {
import {
ALERT_RULE_NAME,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_SEVERITY,
ALERT_RISK_SCORE,
ALERT_SEVERITY,
NUMBER_OF_ALERTS,
} from '../../screens/alerts';
import {
@ -505,12 +505,10 @@ describe('indicator match', () => {
cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
cy.get(ALERT_RULE_SEVERITY)
cy.get(ALERT_SEVERITY)
.first()
.should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
cy.get(ALERT_RULE_RISK_SCORE)
.first()
.should('have.text', getNewThreatIndicatorRule().riskScore);
cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
});
it.skip('Investigate alert in timeline', () => {


@ -139,7 +139,7 @@ describe('Detection rules, override', () => {
getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
'have.text',
`${this.rule.riskOverride}kibana.alert.rule.risk_score`
`${this.rule.riskOverride}kibana.alert.risk_score`
);
getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
getDetails(REFERENCE_URLS_DETAILS).should((details) => {


@ -15,14 +15,13 @@ export const ALERT_CHECKBOX = '[data-test-subj~="select-event"].euiCheckbox__inp
export const ALERT_GRID_CELL = '[data-test-subj="dataGridRowCell"]';
export const ALERT_RISK_SCORE_HEADER =
'[data-test-subj="dataGridHeaderCell-kibana.alert.rule.risk_score"]';
'[data-test-subj="dataGridHeaderCell-kibana.alert.risk_score"]';
export const ALERT_RULE_NAME = '[data-test-subj="formatted-field-kibana.alert.rule.name"]';
export const ALERT_RULE_RISK_SCORE =
'[data-test-subj="formatted-field-kibana.alert.rule.risk_score"]';
export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';


@ -161,10 +161,10 @@ export const allowTopN = ({
'kibana.alert.rule.output_index',
'kibana.alert.rule.query',
'kibana.alert.rule.references',
'kibana.alert.rule.risk_score',
'kibana.alert.risk_score',
'kibana.alert.rule.rule_id',
'kibana.alert.rule.saved_id',
'kibana.alert.rule.severity',
'kibana.alert.severity',
'kibana.alert.rule.size',
'kibana.alert.rule.tags',
'kibana.alert.rule.threat',


@ -392,7 +392,7 @@ export const mockAlertDetailsData = [
originalValue: 'http://localhost:5601/app/security',
},
{ category: 'kibana', field: 'kibana.alert.rule.max_signals', values: [100], originalValue: 100 },
{ category: 'kibana', field: 'kibana.alert.rule.risk_score', values: [21], originalValue: 21 },
{ category: 'kibana', field: 'kibana.alert.risk_score', values: [21], originalValue: 21 },
{
category: 'kibana',
field: 'kibana.alert.rule.risk_score_mapping',
@ -459,7 +459,7 @@ export const mockAlertDetailsData = [
{ category: 'kibana', field: 'kibana.alert.rule.references', values: [], originalValue: [] },
{
category: 'kibana',
field: 'kibana.alert.rule.severity',
field: 'kibana.alert.severity',
values: ['low'],
originalValue: 'low',
},


@ -350,7 +350,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
>
<div
class="euiFlexGroup euiFlexGroup--alignItemsFlexStart euiFlexGroup--directionColumn euiFlexGroup--responsive"
data-test-subj="event-field-kibana.alert.rule.severity"
data-test-subj="event-field-kibana.alert.severity"
>
<div
class="euiFlexItem euiFlexItem--flexGrowZero"
@ -371,7 +371,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
<p
class="euiScreenReaderOnly"
>
You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.
</p>
<div
data-test-subj="hover-actions-filter-for"
@ -384,8 +384,8 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
Filter out button
</div>
<div
data-test-subj="more-actions-kibana.alert.rule.severity"
field="kibana.alert.rule.severity"
data-test-subj="more-actions-kibana.alert.severity"
field="kibana.alert.severity"
items="[object Object]"
value="low"
>
@ -421,7 +421,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
>
<div
class="euiFlexGroup euiFlexGroup--alignItemsFlexStart euiFlexGroup--directionColumn euiFlexGroup--responsive"
data-test-subj="event-field-kibana.alert.rule.risk_score"
data-test-subj="event-field-kibana.alert.risk_score"
>
<div
class="euiFlexItem euiFlexItem--flexGrowZero"
@ -442,7 +442,7 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
<p
class="euiScreenReaderOnly"
>
You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.
</p>
<div
data-test-subj="hover-actions-filter-for"
@ -455,8 +455,8 @@ exports[`AlertSummaryView Behavior event code renders additional summary rows 1`
Filter out button
</div>
<div
data-test-subj="more-actions-kibana.alert.rule.risk_score"
field="kibana.alert.rule.risk_score"
data-test-subj="more-actions-kibana.alert.risk_score"
field="kibana.alert.risk_score"
items="[object Object]"
value="21"
>
@ -1042,7 +1042,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
>
<div
class="euiFlexGroup euiFlexGroup--alignItemsFlexStart euiFlexGroup--directionColumn euiFlexGroup--responsive"
data-test-subj="event-field-kibana.alert.rule.severity"
data-test-subj="event-field-kibana.alert.severity"
>
<div
class="euiFlexItem euiFlexItem--flexGrowZero"
@ -1063,7 +1063,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
<p
class="euiScreenReaderOnly"
>
You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit.
You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.
</p>
<div
data-test-subj="hover-actions-filter-for"
@ -1076,8 +1076,8 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
Filter out button
</div>
<div
data-test-subj="more-actions-kibana.alert.rule.severity"
field="kibana.alert.rule.severity"
data-test-subj="more-actions-kibana.alert.severity"
field="kibana.alert.severity"
items="[object Object]"
value="low"
>
@ -1113,7 +1113,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
>
<div
class="euiFlexGroup euiFlexGroup--alignItemsFlexStart euiFlexGroup--directionColumn euiFlexGroup--responsive"
data-test-subj="event-field-kibana.alert.rule.risk_score"
data-test-subj="event-field-kibana.alert.risk_score"
>
<div
class="euiFlexItem euiFlexItem--flexGrowZero"
@ -1134,7 +1134,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
<p
class="euiScreenReaderOnly"
>
You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit.
You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.
</p>
<div
data-test-subj="hover-actions-filter-for"
@ -1147,8 +1147,8 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]
Filter out button
</div>
<div
data-test-subj="more-actions-kibana.alert.rule.risk_score"
field="kibana.alert.rule.risk_score"
data-test-subj="more-actions-kibana.alert.risk_score"
field="kibana.alert.risk_score"
items="[object Object]"
value="21"
>


@ -5,10 +5,12 @@
* 2.0.
*/
import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
/** actions are disabled for these fields in tables and popovers */
export const FIELDS_WITHOUT_CELL_ACTIONS = [
'signal.rule.risk_score',
'signal.reason',
'kibana.alert.rule.risk_score',
ALERT_RISK_SCORE,
'kibana.alert.reason',
];
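Review bot: The list now mixes the `ALERT_RISK_SCORE` constant with the literal `'kibana.alert.reason'`, although `ALERT_REASON` is exported by the same `@kbn/rule-data-utils` package (another file in this commit imports it from there); using `ALERT_REASON,` in place of the literal keeps the list in one style and lets the compiler catch the next field rename. The array is a module-level constant nothing should append to, so a `readonly string[]` annotation is worth adding if its consumers accept one. The two `signal.*` entries presumably remain for alerts written before the `kibana.alert.*` migration; a trailing `// legacy signal.* paths kept for pre-migration alerts` comment would say why they survive.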


@ -8,8 +8,8 @@
import type { AlertsStackByOption } from './types';
export const alertsStackByOptions: AlertsStackByOption[] = [
{ text: 'kibana.alert.rule.risk_score', value: 'kibana.alert.rule.risk_score' },
{ text: 'kibana.alert.rule.severity', value: 'kibana.alert.rule.severity' },
{ text: 'kibana.alert.risk_score', value: 'kibana.alert.risk_score' },
{ text: 'kibana.alert.severity', value: 'kibana.alert.severity' },
{ text: 'kibana.alert.rule.threat.tactic.name', value: 'kibana.alert.rule.threat.tactic.name' },
{ text: 'destination.ip', value: 'destination.ip' },
{ text: 'event.action', value: 'event.action' },


@ -11,8 +11,8 @@ export interface AlertsStackByOption {
}
export type AlertsStackByField =
| 'kibana.alert.rule.risk_score'
| 'kibana.alert.rule.severity'
| 'kibana.alert.risk_score'
| 'kibana.alert.severity'
| 'kibana.alert.rule.threat.tactic.name'
| 'destination.ip'
| 'event.action'


@ -48,15 +48,10 @@ describe('alerts default_config', () => {
alias: null,
disabled: false,
negate: false,
key: 'kibana.alert.rule.threat_mapping',
type: 'exists',
value: 'exists',
},
query: {
exists: {
field: 'kibana.alert.rule.threat_mapping',
},
key: 'kibana.alert.rule.type',
type: 'term',
},
query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
};
expect(filters).toHaveLength(1);
expect(filters[0]).toEqual(expectedFilter);


@ -141,11 +141,10 @@ export const buildThreatMatchFilter = (showOnlyThreatIndicatorAlerts: boolean):
alias: null,
disabled: false,
negate: false,
key: 'kibana.alert.rule.threat_mapping',
type: 'exists',
value: 'exists',
key: 'kibana.alert.rule.type',
type: 'term',
},
query: { exists: { field: 'kibana.alert.rule.threat_mapping' } },
query: { term: { 'kibana.alert.rule.type': 'threat_match' } },
},
]
: [];
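Review bot: The replacement term filter hard-codes both the field `'kibana.alert.rule.type'` and the value `'threat_match'` as string literals, while the rest of this commit is moving field paths onto the `@kbn/rule-data-utils` constants; `ALERT_RULE_TYPE` exists in that package, so `key: ALERT_RULE_TYPE,` and `query: { term: { [ALERT_RULE_TYPE]: 'threat_match' } },` would keep this filter in step with the next rename, and a named constant for the rule-type value would do the same for `'threat_match'`. The new `meta` keeps `key` and `type` but no longer carries a `value` entry as the `exists` form did; whether the filter bar renders a term filter correctly from that meta is not visible here and deserves a check. `buildThreatMatchFilter` starts outside this hunk.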


@ -17,7 +17,7 @@ import {
EuiIcon,
EuiToolTip,
} from '@elastic/eui';
import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
import { isEmpty } from 'lodash/fp';
import React from 'react';
@ -354,7 +354,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt
<EuiFlexItem grow={false}>
<EuiIcon type={'sortRight'} />
</EuiFlexItem>
<EuiFlexItem>{ALERT_RULE_RISK_SCORE}</EuiFlexItem>
<EuiFlexItem>{ALERT_RISK_SCORE}</EuiFlexItem>
</EuiFlexGroup>
),
};


@ -24,7 +24,7 @@ export const DEFAULT_RISK_SCORE = i18n.translate(
export const RISK_SCORE_FIELD = i18n.translate(
'xpack.securitySolution.alerts.riskScoreMapping.riskScoreFieldTitle',
{
defaultMessage: 'kibana.alert.rule.risk_score',
defaultMessage: 'kibana.alert.risk_score',
}
);
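Review bot: `RISK_SCORE_FIELD` passes an Elasticsearch field path through `i18n.translate` as a `defaultMessage`, so `kibana.alert.risk_score` is offered to translators as prose and can come back altered per locale; the commit notes say a template literal was tried here and could not be used, which is the hint that this is an identifier rather than a message. If the value is consumed as a field name, `export const RISK_SCORE_FIELD = ALERT_RISK_SCORE;` from `@kbn/rule-data-utils` (as the rule-description file in this commit already does) is the safer form; if the message id must remain for the i18n tooling, a `// NOTE: field path rendered verbatim; must not be translated` comment above `defaultMessage` is the minimum.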


@ -12,7 +12,7 @@ import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui';
import {
ALERT_DURATION,
ALERT_REASON,
ALERT_RULE_SEVERITY,
ALERT_SEVERITY,
ALERT_STATUS,
} from '@kbn/rule-data-utils/technical_field_names';
@ -60,7 +60,7 @@ export const RenderCellValue: React.FC<EuiDataGridCellValueElementProps & CellVa
case ALERT_DURATION:
case 'signal.duration.us':
return <span data-test-subj="alert-duration">{moment().fromNow(true)}</span>;
case ALERT_RULE_SEVERITY:
case ALERT_SEVERITY:
case 'signal.rule.severity':
return <Severity data-test-subj="rule-severity" severity={value} />;
case ALERT_REASON:


@ -33,7 +33,7 @@ export const columns: Array<
},
{
columnHeaderType: defaultColumnHeaderType,
id: 'kibana.alert.rule.severity',
id: 'kibana.alert.severity',
displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
initialWidth: 104,
},


@ -6,7 +6,7 @@
*/
import { EuiDataGridCellValueElementProps } from '@elastic/eui';
import { ALERT_RULE_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
import { ALERT_SEVERITY, ALERT_REASON } from '@kbn/rule-data-utils';
import React from 'react';
import { DefaultDraggable } from '../../../../common/components/draggables';
@ -47,7 +47,7 @@ export const RenderCellValue: React.FC<EuiDataGridCellValueElementProps & CellVa
switch (columnId) {
case 'signal.rule.severity':
case ALERT_RULE_SEVERITY:
case ALERT_SEVERITY:
return (
<DefaultDraggable
data-test-subj="custom-severity"


@ -38,13 +38,13 @@ export const columns: Array<
{
columnHeaderType: defaultColumnHeaderType,
displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
id: 'kibana.alert.rule.severity',
id: 'kibana.alert.severity',
initialWidth: 105,
},
{
columnHeaderType: defaultColumnHeaderType,
displayAsText: i18n.ALERTS_HEADERS_RISK_SCORE,
id: 'kibana.alert.rule.risk_score',
id: 'kibana.alert.risk_score',
initialWidth: 100,
},
{


@ -6,6 +6,7 @@
*/
import React from 'react';
import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
import {
DragEffects,
DraggableWrapper,
@ -117,7 +118,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [
name: `${riskScore}`,
kqlQuery: '',
queryMatch: {
field: 'kibana.alert.rule.risk_score',
field: ALERT_RISK_SCORE,
value: riskScore,
operator: IS_OPERATOR,
},


@ -195,18 +195,6 @@ Object {
"path": "signal.rule.references",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.field": Object {
"path": "signal.rule.risk_score_mapping.field",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.operator": Object {
"path": "signal.rule.risk_score_mapping.operator",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.value": Object {
"path": "signal.rule.risk_score_mapping.value",
"type": "alias",
},
"kibana.alert.rule.rule_id": Object {
"path": "signal.rule.rule_id",
"type": "alias",
@ -219,22 +207,6 @@ Object {
"path": "signal.rule.saved_id",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.field": Object {
"path": "signal.rule.severity_mapping.field",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.operator": Object {
"path": "signal.rule.severity_mapping.operator",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.severity": Object {
"path": "signal.rule.severity_mapping.severity",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.value": Object {
"path": "signal.rule.severity_mapping.value",
"type": "alias",
},
"kibana.alert.rule.tags": Object {
"path": "signal.rule.tags",
"type": "alias",
@ -2483,18 +2455,6 @@ Object {
"path": "signal.rule.references",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.field": Object {
"path": "signal.rule.risk_score_mapping.field",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.operator": Object {
"path": "signal.rule.risk_score_mapping.operator",
"type": "alias",
},
"kibana.alert.rule.risk_score_mapping.value": Object {
"path": "signal.rule.risk_score_mapping.value",
"type": "alias",
},
"kibana.alert.rule.rule_id": Object {
"path": "signal.rule.rule_id",
"type": "alias",
@ -2507,22 +2467,6 @@ Object {
"path": "signal.rule.saved_id",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.field": Object {
"path": "signal.rule.severity_mapping.field",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.operator": Object {
"path": "signal.rule.severity_mapping.operator",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.severity": Object {
"path": "signal.rule.severity_mapping.severity",
"type": "alias",
},
"kibana.alert.rule.severity_mapping.value": Object {
"path": "signal.rule.severity_mapping.value",
"type": "alias",
},
"kibana.alert.rule.tags": Object {
"path": "signal.rule.tags",
"type": "alias",


@ -47,17 +47,10 @@
"signal.rule.query": "kibana.alert.rule.query",
"signal.rule.references": "kibana.alert.rule.references",
"signal.rule.risk_score": "kibana.alert.risk_score",
"signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
"signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
"signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
"signal.rule.rule_id": "kibana.alert.rule.rule_id",
"signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
"signal.rule.saved_id": "kibana.alert.rule.saved_id",
"signal.rule.severity": "kibana.alert.severity",
"signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
"signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
"signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
"signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
"signal.rule.tags": "kibana.alert.rule.tags",
"signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
"signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",


@ -149,8 +149,6 @@ export const sampleThresholdAlert = {
name: 'Query with a rule id',
query: 'user.name: root or user.name: admin',
references: ['test 1', 'test 2'],
severity: 'high',
severity_mapping: [],
updated_by: 'elastic_kibana',
tags: ['some fake tag 1', 'some fake tag 2'],
to: 'now',
@ -162,8 +160,6 @@ export const sampleThresholdAlert = {
last_success_at: '2020-02-22T16:47:50.047Z',
last_success_message: 'succeeded',
max_signals: 100,
risk_score: 55,
risk_score_mapping: [],
language: 'kuery',
rule_id: 'f88a544c-1d4e-4652-ae2a-c953b38da5d0',
interval: '5m',


@ -158,8 +158,6 @@ export const buildAlert = (
updated_by: updatedBy ?? '',
type: completeRule.ruleParams.type,
...commonRuleParams,
severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
risk_score: overrides?.riskScoreOverride ?? completeRule.ruleParams.riskScore,
}),
} as unknown as RACAlert;
};


@ -10,7 +10,6 @@ import { ALERT_UUID } from '@kbn/rule-data-utils';
import { Logger } from 'kibana/server';
import type { ConfigType } from '../../../../../config';
import { buildRuleWithoutOverrides } from '../../../signals/build_rule';
import { Ancestor, SignalSource, SignalSourceHit } from '../../../signals/types';
import { RACAlert, WrappedRACAlert } from '../../types';
import { buildAlert, buildAncestors, generateAlertId } from './build_alert';
@ -99,9 +98,12 @@ export const buildAlertRoot = (
(block2._source[ALERT_ORIGINAL_TIME] as number)
)
.map((alert) => alert._source[ALERT_ORIGINAL_TIME]);
const rule = buildRuleWithoutOverrides(completeRule);
const mergedAlerts = objectArrayIntersection(wrappedBuildingBlocks.map((alert) => alert._source));
const reason = buildReasonMessage({ rule, mergedDoc: mergedAlerts as SignalSourceHit });
const reason = buildReasonMessage({
name: completeRule.ruleConfig.name,
severity: completeRule.ruleParams.severity,
mergedDoc: mergedAlerts as SignalSourceHit,
});
const doc = buildAlert(wrappedBuildingBlocks, completeRule, spaceId, reason);
return {
...mergedAlerts,


@ -10,7 +10,6 @@ import { flattenWithPrefix } from '@kbn/securitysolution-rules';
import { BaseHit } from '../../../../../../common/detection_engine/types';
import type { ConfigType } from '../../../../../config';
import { buildRuleWithOverrides, buildRuleWithoutOverrides } from '../../../signals/build_rule';
import { BuildReasonMessage } from '../../../signals/reason_formatters';
import { getMergeStrategy } from '../../../signals/source_fields_merging/strategies';
import { BaseSignalHit, SignalSource, SignalSourceHit, SimpleHit } from '../../../signals/types';
@ -54,12 +53,8 @@ export const buildBulkBody = (
buildReasonMessage: BuildReasonMessage
): RACAlert => {
const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
const rule = applyOverrides
? buildRuleWithOverrides(completeRule, mergedDoc._source ?? {})
: buildRuleWithoutOverrides(completeRule);
const eventFields = buildEventTypeAlert(mergedDoc);
const filteredSource = filterSource(mergedDoc);
const reason = buildReasonMessage({ mergedDoc, rule });
const overrides = applyOverrides
? {
@ -81,6 +76,12 @@ export const buildBulkBody = (
}
: undefined;
const reason = buildReasonMessage({
name: overrides?.nameOverride ?? completeRule.ruleConfig.name,
severity: overrides?.severityOverride ?? completeRule.ruleParams.severity,
mergedDoc,
});
if (isSourceDoc(mergedDoc)) {
return {
...filteredSource,


@ -9,6 +9,7 @@ import { Moment } from 'moment';
import { SearchHit } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
import { Logger } from '@kbn/logging';
import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils';
import { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
import { AlertExecutorOptions, AlertType } from '../../../../../alerting/server';
@ -37,6 +38,7 @@ import { ExperimentalFeatures } from '../../../../common/experimental_features';
import { IEventLogService } from '../../../../../event_log/server';
import { AlertsFieldMap, RulesFieldMap } from '../../../../common/field_maps';
import { IRuleExecutionLogClient } from '../rule_execution_log';
import { commonParamsCamelToSnake } from '../schemas/rule_converters';
export interface SecurityAlertTypeReturnValue<TState extends AlertTypeState> {
bulkCreateTimes: string[];
@ -110,11 +112,12 @@ export type CreateSecurityRuleTypeWrapper = (
) => AlertType<TParams, TParams, TState, AlertInstanceState, TInstanceContext, 'default'>;
export type RACAlertSignal = TypeOfFieldMap<AlertsFieldMap> & TypeOfFieldMap<RulesFieldMap>;
export type RACAlert = Exclude<
export type RACAlert = Omit<
TypeOfFieldMap<TechnicalRuleFieldMap> & RACAlertSignal,
'@timestamp'
'@timestamp' | typeof ALERT_RULE_PARAMETERS
> & {
'@timestamp': string;
[ALERT_RULE_PARAMETERS]: ReturnType<typeof commonParamsCamelToSnake>;
};
export type RACSourceHit = SearchHit<RACAlert>;
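Review bot: `commonParamsCamelToSnake` is imported as a value but used only inside `ReturnType<typeof …>`, so the new line should be `import type { commonParamsCamelToSnake } from '../schemas/rule_converters';` — that keeps the converter module (and whatever it pulls in) out of this types file at runtime and satisfies `isolatedModules`. The `ALERT_RULE_PARAMETERS` import is a genuine value use as a computed key and is fine as is. The move from `Exclude` to `Omit` is correct — `Exclude` on an object type was a no-op — and the re-typing of the parameters key deserves a short comment, e.g. `// parameters are narrowed here because the field map only knows them as a flattened record`, since that appears to be the reason for the `flattened` change elsewhere in this commit.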


@ -43,7 +43,11 @@ export const buildBulkBody = (
const mergedDoc = getMergeStrategy(mergeStrategy)({ doc, ignoreFields });
const rule = buildRuleWithOverrides(completeRule, mergedDoc._source ?? {});
const timestamp = new Date().toISOString();
const reason = buildReasonMessage({ mergedDoc, rule });
const reason = buildReasonMessage({
name: completeRule.ruleConfig.name,
severity: completeRule.ruleParams.severity,
mergedDoc,
});
const signal: Signal = {
...buildSignal([mergedDoc], rule, reason),
...additionalSignalFields(mergedDoc),
@ -135,7 +139,11 @@ export const buildSignalFromSequence = (
const rule = buildRuleWithoutOverrides(completeRule);
const timestamp = new Date().toISOString();
const mergedEvents = objectArrayIntersection(events.map((event) => event._source));
const reason = buildReasonMessage({ rule, mergedDoc: mergedEvents as SignalSourceHit });
const reason = buildReasonMessage({
name: completeRule.ruleConfig.name,
severity: completeRule.ruleParams.severity,
mergedDoc: mergedEvents as SignalSourceHit,
});
const signal: Signal = buildSignal(events, rule, reason);
return {
...mergedEvents,
@ -167,7 +175,11 @@ export const buildSignalFromEvent = (
? buildRuleWithOverrides(completeRule, mergedEvent._source ?? {})
: buildRuleWithoutOverrides(completeRule);
const timestamp = new Date().toISOString();
const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule });
const reason = buildReasonMessage({
name: completeRule.ruleConfig.name,
severity: completeRule.ruleParams.severity,
mergedDoc: mergedEvent,
});
const signal: Signal = {
...buildSignal([mergedEvent], rule, reason),
...additionalSignalFields(mergedEvent),
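Review bot: In `buildSignalFromEvent` the reason message now takes `completeRule.ruleConfig.name` and `completeRule.ruleParams.severity` although the lines just above select `buildRuleWithOverrides(...)` when `applyOverrides` is set, so an alert whose name or severity was overridden from the source event gets a reason text carrying the un-overridden values; before this change the overridden `rule` object was what `buildReasonMessage` received. The first hunk's `buildBulkBody` has the same pattern: it builds `rule` with overrides and then ignores it for the reason. Passing the computed rule back — `name: rule.name,` and `severity: rule.severity,` at both call sites — restores the previous behaviour; `buildSignalFromSequence` uses the no-override rule, so it is unaffected either way. All three functions extend past the hunk boundaries.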


@ -6,18 +6,15 @@
*/
import { buildReasonMessageUtil } from './reason_formatters';
import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
import { SignalSourceHit } from './types';
describe('reason_formatter', () => {
let rule: RulesSchema;
let name: string;
let severity: string;
let mergedDoc: SignalSourceHit;
beforeAll(() => {
rule = {
name: 'my-rule',
risk_score: 9000,
severity: 'medium',
} as RulesSchema; // Cast here as all fields aren't required
name = 'my-rule';
severity = 'medium';
mergedDoc = {
_index: 'index-1',
_id: 'id-1',
@ -40,7 +37,7 @@ describe('reason_formatter', () => {
describe('buildReasonMessageUtil', () => {
describe('when rule and mergedDoc are provided', () => {
it('should return the full reason message', () => {
expect(buildReasonMessageUtil({ rule, mergedDoc })).toMatchInlineSnapshot(
expect(buildReasonMessageUtil({ name, severity, mergedDoc })).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@ -54,7 +51,9 @@ describe('reason_formatter', () => {
'event.category': ['item one', 'item two'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
).toMatchInlineSnapshot(
`"item one, item two event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@ -68,7 +67,9 @@ describe('reason_formatter', () => {
'host.name': ['-'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user created medium alert my-rule."`
);
});
@ -82,7 +83,9 @@ describe('reason_formatter', () => {
'user.name': ['-'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, on host created medium alert my-rule."`
);
});
@ -97,7 +100,7 @@ describe('reason_formatter', () => {
},
};
expect(
buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, destination 9.99.99.9 by test-user on host created medium alert my-rule."`
);
@ -112,7 +115,7 @@ describe('reason_formatter', () => {
},
};
expect(
buildReasonMessageUtil({ rule, mergedDoc: noDestinationPortDoc })
buildReasonMessageUtil({ name, severity, mergedDoc: noDestinationPortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1:1234, by test-user on host created medium alert my-rule."`
);
@ -127,7 +130,9 @@ describe('reason_formatter', () => {
'source.port': ['-'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, source 1.11.11.1 destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@ -140,7 +145,9 @@ describe('reason_formatter', () => {
'source.port': ['-'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: noSourcePortDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: noSourcePortDoc })
).toMatchInlineSnapshot(
`"test event with process doingThings.exe, parent process didThings.exe, file sample, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@ -155,7 +162,9 @@ describe('reason_formatter', () => {
'process.parent.name': ['-'],
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
).toMatchInlineSnapshot(
`"test event with file sample, source 1.11.11.1:1234, destination 9.99.99.9:6789, by test-user on host created medium alert my-rule."`
);
});
@ -170,14 +179,14 @@ describe('reason_formatter', () => {
'@timestamp': '2021-08-11T02:28:59.101Z',
},
};
expect(buildReasonMessageUtil({ rule, mergedDoc: updatedMergedDoc })).toMatchInlineSnapshot(
`"test event by test-user created medium alert my-rule."`
);
expect(
buildReasonMessageUtil({ name, severity, mergedDoc: updatedMergedDoc })
).toMatchInlineSnapshot(`"test event by test-user created medium alert my-rule."`);
});
});
describe('when only rule is provided', () => {
it('should return the reason message without host name or user name', () => {
expect(buildReasonMessageUtil({ rule })).toMatchInlineSnapshot(`""`);
expect(buildReasonMessageUtil({ name, severity })).toMatchInlineSnapshot(`""`);
});
});
});


@ -7,11 +7,11 @@
import { i18n } from '@kbn/i18n';
import { getOr } from 'lodash/fp';
import { RulesSchema } from '../../../../common/detection_engine/schemas/response/rules_schema';
import { SignalSourceHit } from './types';
export interface BuildReasonMessageArgs {
rule: RulesSchema;
name: string;
severity: string;
mergedDoc?: SignalSourceHit;
}
@ -56,8 +56,12 @@ const getFieldsFromDoc = (mergedDoc: SignalSourceHit) => {
* to more easily allow for this in the future.
* @export buildCommonReasonMessage - is only exported for testing purposes, and only used internally here.
*/
export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUtilArgs) => {
if (!rule || !mergedDoc) {
export const buildReasonMessageUtil = ({
name,
severity,
mergedDoc,
}: BuildReasonMessageUtilArgs) => {
if (!mergedDoc) {
// This should never happen, but in case, better to not show a malformed string
return '';
}
@ -98,8 +102,8 @@ export const buildReasonMessageUtil = ({ rule, mergedDoc }: BuildReasonMessageUt
{hostName, select, null {} other {{whitespace}on {hostName}} } \
created {alertSeverity} alert {alertName}.`,
values: {
alertName: rule.name,
alertSeverity: rule.severity,
alertName: name,
alertSeverity: severity,
destinationAddress: getFieldTemplateValue(destinationAddress, true),
destinationPort: getFieldTemplateValue(destinationPort, true),
eventCategory: getFieldTemplateValue(eventCategory),
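Review bot: The rewritten guard at the top of buildReasonMessageUtil keeps only the `mergedDoc` check while `name` and `severity` now flow unchecked into the i18n `values` at `alertName: name` / `alertSeverity: severity`, and `BuildReasonMessageArgs` says nothing about what those two strings are. The `string` typing makes the compiler enforce presence at call sites, so no runtime check is needed, but the contract should be written down on the interface, e.g. `/** Rule name and severity; interpolated verbatim into the reason string shown to analysts. */` above `name`/`severity`. Whether `BuildReasonMessageUtilArgs` derives from `BuildReasonMessageArgs` cannot be seen here, since that alias and the rest of the function body lie outside the hunk.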


@ -6,6 +6,7 @@
*/
import { isEmpty } from 'lodash/fp';
import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
import { createQueryFilterClauses } from '../../../../../utils/build_query';
@ -39,12 +40,12 @@ export const buildHostRulesQuery = ({
aggs: {
risk_score: {
sum: {
field: 'kibana.alert.rule.risk_score',
field: ALERT_RISK_SCORE,
},
},
rule_name: {
terms: {
field: 'kibana.alert.rule.name',
field: ALERT_RULE_NAME,
order: {
risk_score: Direction.desc,
},
@ -52,19 +53,19 @@ export const buildHostRulesQuery = ({
aggs: {
risk_score: {
sum: {
field: 'kibana.alert.rule.risk_score',
field: ALERT_RISK_SCORE,
},
},
rule_type: {
terms: {
field: 'kibana.alert.rule.type',
field: ALERT_RULE_TYPE,
},
},
},
},
rule_count: {
cardinality: {
field: 'kibana.alert.rule.name',
field: ALERT_RULE_NAME,
},
},
},
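Review bot: The `sum` aggregations at `field: ALERT_RISK_SCORE` (both in the outer `risk_score` and the nested one under `rule_name`) now read a different field than the literal `kibana.alert.rule.risk_score` they replace, so any alert documents already indexed under the old name stop contributing and the host risk totals silently shrink for pre-existing data unless the indices are reindexed or aliased. If that is the intended cut-over for alerts-as-data indices, record it at the aggregation, e.g. `// risk score is read from kibana.alert.risk_score; documents carrying only the legacy rule.risk_score field are not counted`. The same change, with the same consequence, is made in `buildUserRulesQuery` in the next file section. Both enclosing functions start outside their hunks.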


@ -6,6 +6,7 @@
*/
import { isEmpty } from 'lodash/fp';
import { ALERT_RISK_SCORE, ALERT_RULE_NAME, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy';
import { createQueryFilterClauses } from '../../../../../utils/build_query';
@ -48,12 +49,12 @@ export const buildUserRulesQuery = ({
aggs: {
risk_score: {
sum: {
field: 'kibana.alert.rule.risk_score',
field: ALERT_RISK_SCORE,
},
},
rule_name: {
terms: {
field: 'kibana.alert.rule.name',
field: ALERT_RULE_NAME,
order: {
risk_score: Direction.desc,
},
@ -61,19 +62,19 @@ export const buildUserRulesQuery = ({
aggs: {
risk_score: {
sum: {
field: 'kibana.alert.rule.risk_score',
field: ALERT_RISK_SCORE,
},
},
rule_type: {
terms: {
field: 'kibana.alert.rule.type',
field: ALERT_RULE_TYPE,
},
},
},
},
rule_count: {
cardinality: {
field: 'kibana.alert.rule.name',
field: ALERT_RULE_NAME,
},
},
},


@ -191,10 +191,10 @@ export const allowSorting = ({
'kibana.alert.rule.output_index',
'kibana.alert.rule.query',
'kibana.alert.rule.references',
'kibana.alert.rule.risk_score',
'kibana.alert.risk_score',
'kibana.alert.rule.rule_id',
'kibana.alert.rule.saved_id',
'kibana.alert.rule.severity',
'kibana.alert.severity',
'kibana.alert.rule.size',
'kibana.alert.rule.tags',
'kibana.alert.rule.threat',


@ -5,8 +5,7 @@
* 2.0.
*/
import { ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
// import { CTI_ROW_RENDERER_FIELDS } from '../../../../../../common/cti/constants';
import { ALERT_RULE_CONSUMER, ALERT_RISK_SCORE, ALERT_SEVERITY } from '@kbn/rule-data-utils';
// TODO: share with security_solution/common/cti/constants.ts
export const ENRICHMENT_DESTINATION_PATH = 'threat.enrichments';
@ -62,8 +61,8 @@ export const TIMELINE_EVENTS_FIELDS = [
'kibana.alert.original_event.kind',
'kibana.alert.original_event.module',
'kibana.alert.rule.version',
'kibana.alert.rule.severity',
'kibana.alert.rule.risk_score',
ALERT_SEVERITY,
ALERT_RISK_SCORE,
'kibana.alert.threshold_result',
'kibana.alert.building_block_type',
'event.code',
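Review bot: `TIMELINE_EVENTS_FIELDS` now mixes imported constants (`ALERT_SEVERITY`, `ALERT_RISK_SCORE`) with bare string field names such as `'kibana.alert.rule.version'` on the line just above them, which makes it unclear to a reader which entries are canonical `@kbn/rule-data-utils` names and which are hand-written. Pick one convention for the array: either keep literals throughout or use the package constant for every field the package exports. The array is declared and closed outside the hunk, so the other entries are not visible here.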


@ -150,11 +150,12 @@ describe('#formatTimelineData', () => {
_meta: {
version: 14,
},
severity: 'low',
risk_score: 21,
rule: {
note: null,
throttle: null,
references: [],
severity_mapping: [],
description: 'asdasd',
created_at: '2021-01-09T11:25:45.046Z',
language: 'kuery',
@ -174,9 +175,6 @@ describe('#formatTimelineData', () => {
uuid: '696c24e0-526d-11eb-836c-e1620268b945',
timeline_id: null,
max_signals: 100,
severity: 'low',
risk_score: 21,
risk_score_mapping: [],
author: [],
query: '_id :*',
index: [
@ -274,11 +272,11 @@ describe('#formatTimelineData', () => {
'kibana.alert.rule.query': ['_id :*'],
'kibana.alert.rule.type': ['threshold'],
'kibana.alert.rule.uuid': ['696c24e0-526d-11eb-836c-e1620268b945'],
'kibana.alert.rule.risk_score': [21],
'kibana.alert.risk_score': [21],
'kibana.alert.workflow_status': ['open'],
'event.kind': ['signal'],
'kibana.alert.original_time': ['2021-01-09T13:39:32.595Z'],
'kibana.alert.rule.severity': ['low'],
'kibana.alert.severity': ['low'],
'kibana.alert.rule.version': ['1'],
'kibana.alert.rule.index': [
'apm-*-transaction*',
@ -330,6 +328,8 @@ describe('#formatTimelineData', () => {
original_time: ['2021-01-09T13:39:32.595Z'],
workflow_status: ['open'],
threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
severity: ['low'],
risk_score: ['21'],
rule: {
building_block_type: [],
exceptions_list: [],
@ -348,9 +348,7 @@ describe('#formatTimelineData', () => {
language: ['kuery'],
name: ['Threshold test'],
output_index: ['.siem-signals-patrykkopycinski-default'],
risk_score: ['21'],
query: ['_id :*'],
severity: ['low'],
to: ['now'],
type: ['threshold'],
version: ['1'],


@ -10,12 +10,9 @@ import {
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_RULE_NAME,
ALERT_RULE_RISK_SCORE,
ALERT_RULE_RISK_SCORE_MAPPING,
ALERT_RULE_PARAMETERS,
ALERT_RULE_RULE_ID,
ALERT_RULE_RULE_NAME_OVERRIDE,
ALERT_RULE_SEVERITY,
ALERT_RULE_SEVERITY_MAPPING,
ALERT_RULE_UUID,
ALERT_SEVERITY,
ALERT_WORKFLOW_STATUS,
@ -980,11 +977,11 @@ export default ({ getService }: FtrProviderContext) => {
expect(signals.length).equal(4);
signals.forEach((s) => {
expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
expect(s?.[ALERT_SEVERITY]).equal('medium');
expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
expect(s?.[ALERT_RISK_SCORE]).equal(75);
expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
});
});
@ -1014,9 +1011,9 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
expect(s?.[ALERT_RULE_RISK_SCORE]).equal(75);
expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([]);
expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
expect(s?.[ALERT_RISK_SCORE]).equal(75);
expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([]);
expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
{ field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
{ field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
]);
@ -1048,9 +1045,9 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
expect(s?.[ALERT_RULE_SEVERITY]).equal('medium');
expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([]);
expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
expect(s?.[ALERT_SEVERITY]).equal('medium');
expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([]);
expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
{ field: 'my_risk', operator: 'equals', value: '' },
]);
});
@ -1086,11 +1083,11 @@ export default ({ getService }: FtrProviderContext) => {
]);
signals.forEach((s) => {
expect(s?.[ALERT_RULE_SEVERITY_MAPPING]).eql([
expect(s?.[ALERT_RULE_PARAMETERS].severity_mapping).eql([
{ field: 'my_severity', operator: 'equals', value: 'sev_900', severity: 'high' },
{ field: 'my_severity', operator: 'equals', value: 'sev_max', severity: 'critical' },
]);
expect(s?.[ALERT_RULE_RISK_SCORE_MAPPING]).eql([
expect(s?.[ALERT_RULE_PARAMETERS].risk_score_mapping).eql([
{ field: 'my_risk', operator: 'equals', value: '' },
]);
});