[8.8] [Security Solution][Investigations] - Add tests and handle building block alerts (#155903) (#156046)

# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution][Investigations] - Add tests and handle building
block alerts (#155903)](https://github.com/elastic/kibana/pull/155903)

<!--- Backport version: 8.9.7 -->

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Michael
Olorunnisola","email":"michael.olorunnisola@elastic.co"},"sourceCommit":{"committedDate":"2023-04-27T16:45:44Z","message":"[Security
Solution][Investigations] - Add tests and handle building block alerts
(#155903)\n\n## Summary\r\n\r\nThis PR accomplishes a few
things:\r\n\r\n1. Make sure eql building block alerts show up when
redirecting directly\r\nto the alerts page (demo of this fix
below)\r\n2. Bumps up the time window from 1 ms to 5 min, to make it
easier to see\r\nother alerts when clearing out the filters\r\n3. Add
unit tests for the `alert_details_redirect.tsx` component\r\n4. Adds a
cypress test to test the presence of `kibana.alert.url` in an\r\nalert
document and updates the config with the `publicBaseUrl` field\r\nwhich
is needed for the field to be present.\r\n\r\n**Before the eql
fix:**\r\n\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234636355-507b33fc-5211-4b02-9818-d1ba78fee115.mov\r\n\r\n\r\n\r\n**After
the eql
fix:**\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234635657-bdbdc2cf-8a3e-4e5c-a14e-04f878f09e7b.mov\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"d4477976e6ccf4bd91bb6852d19345492524f063","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","Team:Threat
Hunting:Investigations","v8.8.0","v8.9.0"],"number":155903,"url":"https://github.com/elastic/kibana/pull/155903","mergeCommit":{"message":"[Security
Solution][Investigations] - Add tests and handle building block alerts
(#155903)\n\n## Summary\r\n\r\nThis PR accomplishes a few
things:\r\n\r\n1. Make sure eql building block alerts show up when
redirecting directly\r\nto the alerts page (demo of this fix
below)\r\n2. Bumps up the time window from 1 ms to 5 min, to make it
easier to see\r\nother alerts when clearing out the filters\r\n3. Add
unit tests for the `alert_details_redirect.tsx` component\r\n4. Adds a
cypress test to test the presence of `kibana.alert.url` in an\r\nalert
document and updates the config with the `publicBaseUrl` field\r\nwhich
is needed for the field to be present.\r\n\r\n**Before the eql
fix:**\r\n\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234636355-507b33fc-5211-4b02-9818-d1ba78fee115.mov\r\n\r\n\r\n\r\n**After
the eql
fix:**\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234635657-bdbdc2cf-8a3e-4e5c-a14e-04f878f09e7b.mov\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"d4477976e6ccf4bd91bb6852d19345492524f063"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/155903","number":155903,"mergeCommit":{"message":"[Security
Solution][Investigations] - Add tests and handle building block alerts
(#155903)\n\n## Summary\r\n\r\nThis PR accomplishes a few
things:\r\n\r\n1. Make sure eql building block alerts show up when
redirecting directly\r\nto the alerts page (demo of this fix
below)\r\n2. Bumps up the time window from 1 ms to 5 min, to make it
easier to see\r\nother alerts when clearing out the filters\r\n3. Add
unit tests for the `alert_details_redirect.tsx` component\r\n4. Adds a
cypress test to test the presence of `kibana.alert.url` in an\r\nalert
document and updates the config with the `publicBaseUrl` field\r\nwhich
is needed for the field to be present.\r\n\r\n**Before the eql
fix:**\r\n\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234636355-507b33fc-5211-4b02-9818-d1ba78fee115.mov\r\n\r\n\r\n\r\n**After
the eql
fix:**\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/234635657-bdbdc2cf-8a3e-4e5c-a14e-04f878f09e7b.mov\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"d4477976e6ccf4bd91bb6852d19345492524f063"}}]}]
BACKPORT-->

Co-authored-by: Michael Olorunnisola <michael.olorunnisola@elastic.co>
Kibana Machine 2023-04-27 14:32:47 -04:00 committed by GitHub
parent 26d7c5a5a4
commit 7cd0cdde01
6 changed files with 8495 additions and 18 deletions


@ -21,7 +21,7 @@ import { cleanKibana } from '../../tasks/common';
import { waitForAlertsToPopulate } from '../../tasks/create_new_rule';
import { esArchiverLoad, esArchiverUnload } from '../../tasks/es_archiver';
import { login, visit, visitWithoutDateRange } from '../../tasks/login';
import { getUnmappedRule, getNewRule } from '../../objects/rule';
import { getUnmappedRule } from '../../objects/rule';
import { ALERTS_URL } from '../../urls/navigation';
import { tablePageSelector } from '../../screens/table_pagination';
import { ALERTS_COUNT } from '../../screens/alerts';
@ -90,13 +90,13 @@ describe('Alert details flyout', () => {
});
describe('Url state management', { testIsolation: false }, () => {
const testRule = getNewRule();
before(() => {
cleanKibana();
esArchiverLoad('query_alert');
login();
createRule(testRule);
visit(ALERTS_URL);
waitForAlertsToPopulate();
expandFirstAlert();
});
it('should store the flyout state in the url when it is opened', () => {
@ -118,7 +118,7 @@ describe('Alert details flyout', () => {
cy.reload();
cy.get(OVERVIEW_RULE).should('be.visible');
cy.get(OVERVIEW_RULE).then((field) => {
expect(field).to.contain(testRule.name);
expect(field).to.contain('Endpoint Security');
});
});
@ -140,5 +140,15 @@ describe('Alert details flyout', () => {
cy.get(OVERVIEW_RULE).should('be.visible');
});
});
it('should have the `kibana.alert.url` field set', () => {
expandFirstAlert();
openTable();
filterBy('kibana.alert.url');
cy.get('[data-test-subj="formatted-field-kibana.alert.url"]').should(
'have.text',
'http://localhost:5601/app/security/alerts/redirect/eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1?index=.alerts-security.alerts-default&timestamp=2023-04-27T11:03:57.906Z'
);
});
});
});
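Review bot: The new `kibana.alert.url` assertion (`have.text` on the `formatted-field-kibana.alert.url` cell) pins a full absolute URL — host, port, alert id and timestamp — that only holds for the `query_alert` archive and the `publicBaseUrl` the cypress config sets, so any change to either breaks the test without pointing at the behaviour under test. Splitting it would make the intent visible: `.should('include.text', '/app/security/alerts/redirect/')` for the redirect path plus a second assertion on `?index=.alerts-security.alerts-default&timestamp=`, or at least a comment above it such as `// Expected value is the kibana.alert.url of the query_alert es_archiver doc, built from the publicBaseUrl in the cypress config`. The `before` hook now calls `esArchiverLoad('query_alert')`, but no matching `esArchiverUnload('query_alert')` is visible in these hunks; if the `after` hook lives outside them this is fine, otherwise the archive leaks into later specs. The `describe` blocks shown here start and end outside the hunks.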


@ -10,10 +10,10 @@ import { useCallback, useEffect, useState } from 'react';
import { useDispatch } from 'react-redux';
import {
dataTableActions,
dataTableSelectors,
tableDefaults,
TableId,
tableDefaults,
dataTableActions,
} from '@kbn/securitysolution-data-table';
import { useInitializeUrlParam } from '../../utils/global_query_string';
import { URL_PARAM_KEY } from '../use_url_state';
@ -39,16 +39,28 @@ export const useInitFlyoutFromUrlParam = () => {
}, []);
const loadExpandedDetailFromUrl = useCallback(() => {
const { initialized, isLoading, totalCount } = dataTableCurrent;
const { initialized, isLoading, totalCount, additionalFilters } = dataTableCurrent;
const isTableLoaded = initialized && !isLoading && totalCount > 0;
if (urlDetails && isTableLoaded) {
updateHasLoadedUrlDetails(true);
dispatch(
dataTableActions.toggleDetailPanel({
id: TableId.alertsOnAlertsPage,
...urlDetails,
})
);
if (urlDetails) {
if (!additionalFilters.showBuildingBlockAlerts) {
// We want to show building block alerts when loading the flyout in case the alert is a building block alert
dispatch(
dataTableActions.updateShowBuildingBlockAlertsFilter({
id: TableId.alertsOnAlertsPage,
showBuildingBlockAlerts: true,
})
);
}
if (isTableLoaded) {
updateHasLoadedUrlDetails(true);
dispatch(
dataTableActions.toggleDetailPanel({
id: TableId.alertsOnAlertsPage,
...urlDetails,
})
);
}
}
}, [dataTableCurrent, dispatch, urlDetails]);
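Review bot: The `updateShowBuildingBlockAlertsFilter` dispatch fires whenever `urlDetails` is present and the filter is off, independent of `isTableLoaded` and of the `hasLoadedUrlDetails` flag set a few lines further down, so merely having `eventFlyout` in the URL widens a user-visible table filter as a side effect. If the effect that invokes `loadExpandedDetailFromUrl` (outside the hunk) is not gated on `hasLoadedUrlDetails`, a user who turns building-block alerts back off while that URL param is still present would have the filter re-enabled on the next `dataTableCurrent` change; worth confirming, and worth a comment either way, e.g. `// Side effect: this widens the alerts table filter for the session, not only for the redirected alert`. `additionalFilters` is destructured and dereferenced without a guard; if `dataTableCurrent` can be the bare default before `tableDefaults` is merged this throws, so either confirm the selector always supplies it or use `additionalFilters?.showBuildingBlockAlerts`. `useInitFlyoutFromUrlParam` starts before the hunk.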


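--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,132 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import React from 'react';
+import { render } from '@testing-library/react';
+import { Router } from 'react-router-dom';
+import { AlertDetailsRedirect } from './alert_details_redirect';
+import {
+createSecuritySolutionStorageMock,
+mockGlobalState,
+SUB_PLUGINS_REDUCER,
+TestProviders,
+} from '../../../common/mock';
+import { createStore } from '../../../common/store';
+import { kibanaObservable } from '@kbn/timelines-plugin/public/mock';
+import {
+ALERTS_PATH,
+ALERT_DETAILS_REDIRECT_PATH,
+DEFAULT_ALERTS_INDEX,
+} from '../../../../common/constants';
+import { mockHistory } from '../../../common/utils/route/mocks';
+jest.mock('../../../common/lib/kibana');
+const testAlertId = 'test-alert-id';
+jest.mock('react-router-dom', () => ({
+...jest.requireActual('react-router-dom'),
+useParams: () => ({
+alertId: testAlertId,
+}),
+}));
+const testIndex = '.someTestIndex';
+const testTimestamp = '2023-04-20T12:00:00.000Z';
+const mockPathname = `${ALERT_DETAILS_REDIRECT_PATH}/${testAlertId}`;
+describe('AlertDetailsRedirect', () => {
+const { storage } = createSecuritySolutionStorageMock();
+const store = createStore(mockGlobalState, SUB_PLUGINS_REDUCER, kibanaObservable, storage);
+afterEach(() => {
+mockHistory.replace.mockClear();
+});
+describe('with index and timestamp query parameters set', () => {
+it('redirects to the expected path with the correct query parameters', () => {
+const testSearch = `?index=${testIndex}&timestamp=${testTimestamp}`;
+const historyMock = {
+...mockHistory,
+location: {
+hash: '',
+pathname: mockPathname,
+search: testSearch,
+state: '',
+},
+};
+render(
+<TestProviders store={store}>
+<Router history={historyMock}>
+<AlertDetailsRedirect />
+</Router>
+</TestProviders>
+);
+expect(historyMock.replace).toHaveBeenCalledWith({
+hash: '',
+pathname: ALERTS_PATH,
+search: `?query=(language:kuery,query:'_id: ${testAlertId}')&timerange=(global:(linkTo:!(timeline,socTrends),timerange:(from:'${testTimestamp}',kind:absolute,to:'2023-04-20T12:05:00.000Z')),timeline:(linkTo:!(global,socTrends),timerange:(from:'2020-07-07T08:20:18.966Z',fromStr:now/d,kind:relative,to:'2020-07-08T08:20:18.966Z',toStr:now/d)))&eventFlyout=(panelView:eventDetail,params:(eventId:${testAlertId},indexName:${testIndex}))`,
+state: undefined,
+});
+});
+});
+describe('with only index query parameter set', () => {
+it('redirects to the expected path with the default global timestamp settings', () => {
+const testSearch = `?index=${testIndex}`;
+const historyMock = {
+...mockHistory,
+location: {
+hash: '',
+pathname: mockPathname,
+search: testSearch,
+state: '',
+},
+};
+render(
+<TestProviders store={store}>
+<Router history={historyMock}>
+<AlertDetailsRedirect />
+</Router>
+</TestProviders>
+);
+expect(historyMock.replace).toHaveBeenCalledWith({
+hash: '',
+pathname: ALERTS_PATH,
+search: `?query=(language:kuery,query:'_id: ${testAlertId}')&timerange=(global:(linkTo:!(timeline,socTrends),timerange:(from:'2020-07-07T08:20:18.966Z',kind:absolute,to:'2020-07-08T08:25:18.966Z')),timeline:(linkTo:!(global,socTrends),timerange:(from:'2020-07-07T08:20:18.966Z',fromStr:now/d,kind:relative,to:'2020-07-08T08:20:18.966Z',toStr:now/d)))&eventFlyout=(panelView:eventDetail,params:(eventId:${testAlertId},indexName:${testIndex}))`,
+state: undefined,
+});
+});
+});
+describe('with no query parameters set', () => {
+it('redirects to the expected path with the proper default alerts index and default global timestamp setting', () => {
+const historyMock = {
+...mockHistory,
+location: {
+hash: '',
+pathname: mockPathname,
+search: '',
+state: '',
+},
+};
+render(
+<TestProviders store={store}>
+<Router history={historyMock}>
+<AlertDetailsRedirect />
+</Router>
+</TestProviders>
+);
+expect(historyMock.replace).toHaveBeenCalledWith({
+hash: '',
+pathname: ALERTS_PATH,
+search: `?query=(language:kuery,query:'_id: ${testAlertId}')&timerange=(global:(linkTo:!(timeline,socTrends),timerange:(from:'2020-07-07T08:20:18.966Z',kind:absolute,to:'2020-07-08T08:25:18.966Z')),timeline:(linkTo:!(global,socTrends),timerange:(from:'2020-07-07T08:20:18.966Z',fromStr:now/d,kind:relative,to:'2020-07-08T08:20:18.966Z',toStr:now/d)))&eventFlyout=(panelView:eventDetail,params:(eventId:${testAlertId},indexName:.internal${DEFAULT_ALERTS_INDEX}-default))`,
+state: undefined,
+});
+});
+});
+});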
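Review bot: All three cases exercise well-formed `index` and `timestamp` values, but both come straight from the query string, and nothing here pins what the redirect does with a `timestamp` that is not an ISO date or an `index` that is not an alerts index — judging from the component hunk elsewhere in this commit, the former would end up as moment's `Invalid date` inside the encoded `timerange`. A fourth case such as `search: \`?index=${testIndex}&timestamp=not-a-date\`` asserting a fallback to the global timerange would document that contract and catch a regression if the component starts validating. The expected `search` strings also embed the timeline and global timerange from `mockGlobalState` verbatim; a one-line comment above the first `expect` naming where `2020-07-07T08:20:18.966Z` comes from would save the next reader a search.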


@ -32,9 +32,9 @@ export const AlertDetailsRedirect = () => {
// Default to the existing global timerange if we don't get this query param for whatever reason
const fromTime = timestamp ?? globalTimerange.from;
// Add 1 millisecond to the alert timestamp as the alert table is non-inclusive of the end time
// So we have to extend slightly beyond the range of the timestamp of the given alert
const toTime = moment(timestamp ?? globalTimerange.to).add('1', 'millisecond');
// Add 5 minutes to the alert timestamp as the alert table is non-inclusive of the end time
// This also provides padding time if the user clears the `_id` filter after redirect to see other alerts
const toTime = moment(timestamp ?? globalTimerange.to).add('5', 'minutes');
const timerange = encode({
global: {
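Review bot: `moment(timestamp ?? globalTimerange.to)` is still built from a query-string value with no validity check, so a malformed `timestamp` yields an invalid moment and `toTime` serialises as `Invalid date` inside the encoded timerange while `fromTime` two lines up keeps the raw string; the change from 1 ms to 5 minutes does not touch that. A guard that keeps the documented fallback to the global range for the bad case would be `const toBase = moment(timestamp ?? globalTimerange.to);` followed by `const toTime = (toBase.isValid() ? toBase : moment(globalTimerange.to)).add(5, 'minutes');`, with the same `isValid()` check applied to `fromTime`. Minor: `.add('5', 'minutes')` passes the amount as a string; moment accepts it, but the numeric `add(5, 'minutes')` is the conventional form. `AlertDetailsRedirect` starts before the hunk and continues after it.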


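--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,419 @@
+{
+"type": "doc",
+"value": {
+"id": "eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1",
+"index": ".internal.alerts-security.alerts-default-000001",
+"source": {
+"@timestamp": "2023-04-27T11:03:57.906Z",
+"Endpoint": {
+"capabilities": [
+"isolation",
+"kill_process",
+"suspend_process",
+"running_processes",
+"get_file",
+"execute"
+],
+"configuration": {
+"isolation": true
+},
+"policy": {
+"applied": {
+"endpoint_policy_version": 3,
+"id": "C2A9093E-E289-4C0A-AA44-8C32A414FA7A",
+"name": "With Eventing",
+"status": "success",
+"version": 5
+}
+},
+"state": {
+"isolation": true
+},
+"status": "enrolled"
+},
+"agent": {
+"id": "b563ce99-e373-4a1f-a5fe-97e956140aeb",
+"type": "endpoint",
+"version": "8.8.0"
+},
+"data_stream": {
+"dataset": "endpoint.alerts",
+"namespace": "default",
+"type": "logs"
+},
+"dll": [
+{
+"Ext": {
+"compile_time": 1534424710,
+"malware_classification": {
+"identifier": "Whitelisted",
+"score": 0,
+"threshold": 0,
+"version": "3.0.0"
+},
+"mapped_address": 5362483200,
+"mapped_size": 0
+},
+"code_signature": {
+"subject_name": "Cybereason Inc",
+"trusted": true
+},
+"hash": {
+"md5": "1f2d082566b0fc5f2c238a5180db7451",
+"sha1": "ca85243c0af6a6471bdaa560685c51eefd6dbc0d",
+"sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2"
+},
+"path": "C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe",
+"pe": {
+"architecture": "x64"
+}
+}
+],
+"ecs": {
+"version": "1.4.0"
+},
+"elastic": {
+"agent": {
+"id": "b563ce99-e373-4a1f-a5fe-97e956140aeb"
+}
+},
+"event.action": "creation",
+"event.agent_id_status": "auth_metadata_missing",
+"event.category": "malware",
+"event.code": "malicious_file",
+"event.dataset": "endpoint",
+"event.id": "b28993d4-8b8a-4f0f-9f54-84a89bad66ae",
+"event.ingested": "2023-04-27T10:58:03Z",
+"event.kind": "signal",
+"event.module": "endpoint",
+"event.sequence": 5826,
+"event.type": "creation",
+"file": {
+"Ext": {
+"code_signature": [
+{
+"subject_name": "bad signer",
+"trusted": false
+}
+],
+"malware_classification": {
+"identifier": "endpointpe",
+"score": 1,
+"threshold": 0.66,
+"version": "3.0.33"
+},
+"quarantine_message": "fake quarantine message",
+"quarantine_result": true,
+"temp_file_path": "C:/temp/fake_malware.exe"
+},
+"accessed": 1682752652103,
+"created": 1682752652103,
+"hash": {
+"md5": "fake file md5",
+"sha1": "fake file sha1",
+"sha256": "fake file sha256"
+},
+"mtime": 1682752652103,
+"name": "fake_malware.exe",
+"owner": "SYSTEM",
+"path": "C:/fake_malware.exe",
+"size": 3456
+},
+"host": {
+"architecture": "wtnozeqvub",
+"hostname": "Host-fwarau82er",
+"id": "4260adf9-5e63-445d-92c6-e03359bcd342",
+"ip": [
+"10.249.37.72",
+"10.150.39.243",
+"10.186.17.170"
+],
+"mac": [
+"f5-f-97-dc-20-67",
+"b5-56-ca-98-81-ca",
+"22-86-39-4c-87-33"
+],
+"name": "Host-fwarau82er",
+"os": {
+"Ext": {
+"variant": "Darwin"
+},
+"family": "Darwin",
+"full": "macOS Monterey",
+"name": "macOS",
+"platform": "macOS",
+"version": "12.6.1"
+}
+},
+"kibana.alert.ancestors": [
+{
+"depth": 0,
+"id": "vT9cwocBh3b8EMpD8lsi",
+"index": ".ds-logs-endpoint.alerts-default-2023.04.27-000001",
+"type": "event"
+}
+],
+"kibana.alert.depth": 1,
+"kibana.alert.last_detected": "2023-04-27T11:03:57.993Z",
+"kibana.alert.original_event.action": "creation",
+"kibana.alert.original_event.agent_id_status": "auth_metadata_missing",
+"kibana.alert.original_event.category": "malware",
+"kibana.alert.original_event.code": "malicious_file",
+"kibana.alert.original_event.dataset": "endpoint",
+"kibana.alert.original_event.id": "b28993d4-8b8a-4f0f-9f54-84a89bad66ae",
+"kibana.alert.original_event.ingested": "2023-04-27T10:58:03Z",
+"kibana.alert.original_event.kind": "alert",
+"kibana.alert.original_event.module": "endpoint",
+"kibana.alert.original_event.sequence": 5826,
+"kibana.alert.original_event.type": "creation",
+"kibana.alert.original_time": "2023-04-29T07:17:32.103Z",
+"kibana.alert.reason": "malware event with process malware writer, file fake_malware.exe, on Host-fwarau82er created medium alert Endpoint Security.",
+"kibana.alert.risk_score": 47,
+"kibana.alert.rule.actions": [
+],
+"kibana.alert.rule.author": [
+"Elastic"
+],
+"kibana.alert.rule.category": "Custom Query Rule",
+"kibana.alert.rule.consumer": "siem",
+"kibana.alert.rule.created_at": "2023-04-27T10:58:27.546Z",
+"kibana.alert.rule.created_by": "elastic",
+"kibana.alert.rule.description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+"kibana.alert.rule.enabled": true,
+"kibana.alert.rule.exceptions_list": [
+{
+"id": "endpoint_list",
+"list_id": "endpoint_list",
+"namespace_type": "agnostic",
+"type": "endpoint"
+}
+],
+"kibana.alert.rule.execution.uuid": "ebf843ff-e0e1-47f8-9ed2-cc8066afbcef",
+"kibana.alert.rule.false_positives": [
+],
+"kibana.alert.rule.from": "now-10m",
+"kibana.alert.rule.immutable": true,
+"kibana.alert.rule.indices": [
+"logs-endpoint.alerts-*"
+],
+"kibana.alert.rule.interval": "5m",
+"kibana.alert.rule.license": "Elastic License v2",
+"kibana.alert.rule.max_signals": 10000,
+"kibana.alert.rule.name": "Endpoint Security",
+"kibana.alert.rule.parameters": {
+"author": [
+"Elastic"
+],
+"description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.",
+"exceptions_list": [
+{
+"id": "endpoint_list",
+"list_id": "endpoint_list",
+"namespace_type": "agnostic",
+"type": "endpoint"
+}
+],
+"false_positives": [
+],
+"from": "now-10m",
+"immutable": true,
+"index": [
+"logs-endpoint.alerts-*"
+],
+"language": "kuery",
+"license": "Elastic License v2",
+"max_signals": 10000,
+"query": "event.kind:alert and event.module:(endpoint and not endgame)\n",
+"references": [
+],
+"related_integrations": [
+{
+"package": "endpoint",
+"version": "^8.2.0"
+}
+],
+"required_fields": [
+{
+"ecs": true,
+"name": "event.kind",
+"type": "keyword"
+},
+{
+"ecs": true,
+"name": "event.module",
+"type": "keyword"
+}
+],
+"risk_score": 47,
+"risk_score_mapping": [
+{
+"field": "event.risk_score",
+"operator": "equals",
+"value": ""
+}
+],
+"rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+"rule_name_override": "message",
+"setup": "",
+"severity": "medium",
+"severity_mapping": [
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "low",
+"value": "21"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "medium",
+"value": "47"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "high",
+"value": "73"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "critical",
+"value": "99"
+}
+],
+"threat": [
+],
+"timestamp_override": "event.ingested",
+"to": "now",
+"type": "query",
+"version": 101
+},
+"kibana.alert.rule.producer": "siem",
+"kibana.alert.rule.references": [
+],
+"kibana.alert.rule.revision": 0,
+"kibana.alert.rule.risk_score": 47,
+"kibana.alert.rule.risk_score_mapping": [
+{
+"field": "event.risk_score",
+"operator": "equals",
+"value": ""
+}
+],
+"kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
+"kibana.alert.rule.rule_name_override": "message",
+"kibana.alert.rule.rule_type_id": "siem.queryRule",
+"kibana.alert.rule.severity": "medium",
+"kibana.alert.rule.severity_mapping": [
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "low",
+"value": "21"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "medium",
+"value": "47"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "high",
+"value": "73"
+},
+{
+"field": "event.severity",
+"operator": "equals",
+"severity": "critical",
+"value": "99"
+}
+],
+"kibana.alert.rule.tags": [
+"Elastic",
+"Endpoint Security"
+],
+"kibana.alert.rule.threat": [
+],
+"kibana.alert.rule.timestamp_override": "event.ingested",
+"kibana.alert.rule.to": "now",
+"kibana.alert.rule.type": "query",
+"kibana.alert.rule.updated_at": "2023-04-27T10:58:27.546Z",
+"kibana.alert.rule.updated_by": "elastic",
+"kibana.alert.rule.uuid": "7015a3e2-e4ea-11ed-8c11-49608884878f",
+"kibana.alert.rule.version": 101,
+"kibana.alert.severity": "medium",
+"kibana.alert.start": "2023-04-27T11:03:57.993Z",
+"kibana.alert.status": "active",
+"kibana.alert.url": "http://localhost:5601/app/security/alerts/redirect/eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1?index=.alerts-security.alerts-default&timestamp=2023-04-27T11:03:57.906Z",
+"kibana.alert.uuid": "eabbdefc23da981f2b74ab58b82622a97bb9878caa11bc914e2adfacc94780f1",
+"kibana.alert.workflow_status": "open",
+"kibana.space_ids": [
+"default"
+],
+"kibana.version": "8.8.0",
+"process": {
+"Ext": {
+"ancestry": [
+"qa5jgw1wr7",
+"5k1hclygc6"
+],
+"code_signature": [
+{
+"subject_name": "bad signer",
+"trusted": false
+}
+],
+"token": {
+"domain": "NT AUTHORITY",
+"integrity_level": 16384,
+"integrity_level_name": "system",
+"privileges": [
+{
+"description": "Replace a process level token",
+"enabled": false,
+"name": "SeAssignPrimaryTokenPrivilege"
+}
+],
+"sid": "S-1-5-18",
+"type": "tokenPrimary",
+"user": "SYSTEM"
+},
+"user": "SYSTEM"
+},
+"entity_id": "nqh8ts6ves",
+"entry_leader": {
+"entity_id": "jnm38bel0w",
+"name": "fake entry",
+"pid": 791
+},
+"executable": "C:/malware.exe",
+"group_leader": {
+"entity_id": "jnm38bel0w",
+"name": "fake leader",
+"pid": 848
+},
+"hash": {
+"md5": "fake md5",
+"sha1": "fake sha1",
+"sha256": "fake sha256"
+},
+"name": "malware writer",
+"parent": {
+"entity_id": "qa5jgw1wr7",
+"pid": 1
+},
+"pid": 2,
+"session_leader": {
+"entity_id": "jnm38bel0w",
+"name": "fake session",
+"pid": 909
+},
+"start": 1682752652103,
+"uptime": 0
+}
+}
+}
+}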
