[Security solution] Fix bug for rendering CTI enrichments (#137645)

* [Security solution] Fix bug for rendering CTI enrichments

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* timeline SS fix

* Fixed the tests

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Yuliia Naumenko 2022-08-01 13:45:22 -07:00 committed by GitHub
parent 1f33c5bdc6
commit c7c9b67a70
9 changed files with 627 additions and 307 deletions


@ -78,6 +78,41 @@ export const eventHit = {
},
],
},
{
'matched.field': ['host.name'],
'matched.index': ['im'],
'matched.type': ['indicator_match_rule'],
'matched.id': ['FFEtSYIBZ61VHL7LvV2j'],
'matched.atomic': ['MacBook-Pro-de-Gloria.local'],
},
{
'matched.field': ['host.hostname'],
'matched.index': ['im'],
'matched.type': ['indicator_match_rule'],
'matched.id': ['E1EtSYIBZ61VHL7Ltl3m'],
'matched.atomic': ['MacBook-Pro-de-Gloria.local'],
},
{
'matched.field': ['host.architecture'],
'matched.index': ['im'],
'matched.type': ['indicator_match_rule'],
'matched.id': ['E1EtSYIBZ61VHL7Ltl3m'],
'matched.atomic': ['x86_64'],
},
{
'matched.field': ['host.name'],
'matched.index': ['im'],
'matched.type': ['indicator_match_rule'],
'matched.id': ['E1EtSYIBZ61VHL7Ltl3m'],
'matched.atomic': ['MacBook-Pro-de-Gloria.local'],
},
{
'matched.field': ['host.hostname'],
'matched.index': ['im'],
'matched.type': ['indicator_match_rule'],
'matched.id': ['CFErSYIBZ61VHL7LIV1N'],
'matched.atomic': ['MacBook-Pro-de-Gloria.local'],
},
],
},
_source: {},
@ -258,51 +293,109 @@ export const eventDetailsFormattedFields = [
{
category: 'threat',
field: 'threat.enrichments.matched.field',
values: ['matched_field', 'other_matched_field', 'matched_field_2'],
originalValue: ['matched_field', 'other_matched_field', 'matched_field_2'],
isObjectArray: false,
originalValue: [
'matched_field',
'other_matched_field',
'matched_field_2',
'host.name',
'host.hostname',
'host.architecture',
],
values: [
'matched_field',
'other_matched_field',
'matched_field_2',
'host.name',
'host.hostname',
'host.architecture',
],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.first_seen',
values: ['2021-02-22T17:29:25.195Z'],
originalValue: ['2021-02-22T17:29:25.195Z'],
isObjectArray: false,
originalValue: ['2021-02-22T17:29:25.195Z'],
values: ['2021-02-22T17:29:25.195Z'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.provider',
values: ['yourself', 'other_you'],
originalValue: ['yourself', 'other_you'],
isObjectArray: false,
originalValue: ['yourself', 'other_you'],
values: ['yourself', 'other_you'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.type',
values: ['custom'],
originalValue: ['custom'],
isObjectArray: false,
originalValue: ['custom'],
values: ['custom'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.atomic',
values: ['matched_atomic', 'matched_atomic_2'],
originalValue: ['matched_atomic', 'matched_atomic_2'],
isObjectArray: false,
originalValue: ['matched_atomic', 'matched_atomic_2', 'MacBook-Pro-de-Gloria.local', 'x86_64'],
values: ['matched_atomic', 'matched_atomic_2', 'MacBook-Pro-de-Gloria.local', 'x86_64'],
},
{
category: 'threat',
field: 'threat.enrichments.lazer',
values: [
'{"great.field":["grrrrr"]}',
'{"great.field":["grrrrr_2"]}',
'{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}',
],
isObjectArray: true,
originalValue: [
'{"great.field":["grrrrr"]}',
'{"great.field":["grrrrr_2"]}',
'{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}',
],
values: [
'{"great.field":["grrrrr"]}',
'{"great.field":["grrrrr_2"]}',
'{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}',
],
},
{
category: 'threat',
field: 'threat.enrichments.matched.index',
isObjectArray: false,
originalValue: ['im'],
values: ['im'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.type',
isObjectArray: false,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.id',
isObjectArray: false,
originalValue: ['FFEtSYIBZ61VHL7LvV2j', 'E1EtSYIBZ61VHL7Ltl3m', 'CFErSYIBZ61VHL7LIV1N'],
values: ['FFEtSYIBZ61VHL7LvV2j', 'E1EtSYIBZ61VHL7Ltl3m', 'CFErSYIBZ61VHL7LIV1N'],
},
{
category: 'threat',
field: 'threat.enrichments',
isObjectArray: true,
originalValue: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
'{"matched.field":["matched_field_2"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["other_you"],"indicator.type":["custom"],"matched.atomic":["matched_atomic_2"],"lazer":[{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["FFEtSYIBZ61VHL7LvV2j"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.architecture"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["x86_64"]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["CFErSYIBZ61VHL7LIV1N"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
],
values: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
'{"matched.field":["matched_field_2"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["other_you"],"indicator.type":["custom"],"matched.atomic":["matched_atomic_2"],"lazer":[{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["FFEtSYIBZ61VHL7LvV2j"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.architecture"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["x86_64"]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["CFErSYIBZ61VHL7LIV1N"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
],
},
];


@ -9,6 +9,7 @@ import { ecsFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/
import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/technical_rule_field_map';
import { isEmpty } from 'lodash/fp';
import { ENRICHMENT_DESTINATION_PATH } from '../constants';
import type { EventHit, TimelineEventsDetailsItem } from '../search_strategy';
import { toObjectArrayOfStrings, toStringArray } from './to_array';
@ -41,6 +42,9 @@ export const formatGeoLocation = (item: unknown[]) => {
export const isGeoField = (field: string) =>
field.includes('geo.location') || field.includes('geoip.location');
export const isThreatEnrichmentFieldOrSubfield = (field: string, prependField?: string) =>
prependField?.includes(ENRICHMENT_DESTINATION_PATH) || field === ENRICHMENT_DESTINATION_PATH;
export const getDataFromFieldsHits = (
fields: EventHit['fields'],
prependField?: string,
@ -88,6 +92,18 @@ export const getDataFromFieldsHits = (
];
}
const threatEnrichmentObject = isThreatEnrichmentFieldOrSubfield(field, prependField)
? [
{
category: fieldCategory,
field: dotField,
values: strArr,
originalValue: strArr,
isObjectArray,
},
]
: [];
// format nested fields
const nestedFields = Array.isArray(item)
? item
@ -99,6 +115,7 @@ export const getDataFromFieldsHits = (
const flat: Record<string, TimelineEventsDetailsItem> = [
...accumulator,
...nestedFields,
...threatEnrichmentObject,
].reduce(
(acc, f) => ({
...acc,
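Review bot: The new `isThreatEnrichmentFieldOrSubfield` at L204-L205 decides membership with `prependField?.includes(ENRICHMENT_DESTINATION_PATH)`, a substring test, so any ancestor path that merely contains the enrichment path as a substring, rather than being it or a child of it, would also be classified as an enrichment and get an extra flat entry in the reduce at L231. It mirrors the existing `isRuleParametersFieldOrSubfield` style, but a prefix check is tighter and costs nothing: `prependField === ENRICHMENT_DESTINATION_PATH || prependField?.startsWith(ENRICHMENT_DESTINATION_PATH + '.') || field === ENRICHMENT_DESTINATION_PATH`. The same helper is added verbatim to the second `field_formatters.ts` section (L960-L961), so whichever form is kept should be shared rather than duplicated so the two copies cannot drift. `getDataFromFieldsHits`, which consumes `threatEnrichmentObject`, starts and ends outside these hunks.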


@ -49,147 +49,60 @@ describe('parseExistingEnrichments', () => {
const data = [
{
category: 'threat',
field: 'threat.enrichments.indicator.first_seen',
field: 'threat.enrichments',
isObjectArray: true,
originalValue: ['2021-03-21T19:40:19.000Z'],
values: ['2021-03-21T19:40:19.000Z'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.provider',
isObjectArray: true,
originalValue: ['provider'],
values: ['provider'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.reference',
isObjectArray: true,
originalValue: ['http://reference.url'],
values: ['http://reference.url'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.ip',
isObjectArray: true,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.type',
isObjectArray: true,
originalValue: ['ip'],
values: ['ip'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.atomic',
isObjectArray: true,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.field',
isObjectArray: true,
originalValue: ['host.ip'],
values: ['host.ip'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.id',
isObjectArray: true,
originalValue: ['0SIZMnoB_Blp1Ib9ZYHU'],
values: ['0SIZMnoB_Blp1Ib9ZYHU'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.index',
isObjectArray: true,
originalValue: ['filebeat-8.0.0-2021.05.28-000001'],
values: ['filebeat-8.0.0-2021.05.28-000001'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.type',
isObjectArray: true,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
originalValue: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
],
values: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
],
},
];
expect(parseExistingEnrichments(data)).toEqual([
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['matched_field', 'other_matched_field'],
values: ['matched_field', 'other_matched_field'],
},
{
category: 'indicator',
field: 'indicator.first_seen',
isObjectArray: false,
originalValue: ['2021-03-21T19:40:19.000Z'],
values: ['2021-03-21T19:40:19.000Z'],
originalValue: ['2021-02-22T17:29:25.195Z'],
values: ['2021-02-22T17:29:25.195Z'],
},
{
category: 'indicator',
field: 'indicator.provider',
isObjectArray: false,
originalValue: ['provider'],
values: ['provider'],
},
{
category: 'indicator',
field: 'indicator.reference',
isObjectArray: false,
originalValue: ['http://reference.url'],
values: ['http://reference.url'],
},
{
category: 'indicator',
field: 'indicator.ip',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['yourself'],
values: ['yourself'],
},
{
category: 'indicator',
field: 'indicator.type',
isObjectArray: false,
originalValue: ['ip'],
values: ['ip'],
originalValue: ['custom'],
values: ['custom'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['matched_atomic'],
values: ['matched_atomic'],
},
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.ip'],
values: ['host.ip'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['0SIZMnoB_Blp1Ib9ZYHU'],
values: ['0SIZMnoB_Blp1Ib9ZYHU'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['filebeat-8.0.0-2021.05.28-000001'],
values: ['filebeat-8.0.0-2021.05.28-000001'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule],
values: [ENRICHMENT_TYPES.IndicatorMatchRule],
category: 'lazer',
field: 'lazer',
isObjectArray: true,
originalValue: ['{"great.field":["grrrrr"]}', '{"great.field":["grrrrr_2"]}'],
values: ['{"great.field":["grrrrr"]}', '{"great.field":["grrrrr_2"]}'],
},
],
]);
@ -199,221 +112,307 @@ describe('parseExistingEnrichments', () => {
const data = [
{
category: 'threat',
field: 'threat.enrichments.indicator.first_seen',
field: 'threat.enrichments',
isObjectArray: true,
originalValue: ['2021-03-21T19:40:19.000Z', '2021-03-21T19:40:19.000Z'],
values: ['2021-03-21T19:40:19.000Z', '2021-03-21T19:40:19.000Z'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.provider',
isObjectArray: true,
originalValue: ['provider', 'other'],
values: ['provider', 'other'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.reference',
isObjectArray: true,
originalValue: ['http://reference.url', 'http://reference.url'],
values: ['http://reference.url', 'http://reference.url'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.ip',
isObjectArray: true,
originalValue: ['192.168.1.19', '192.168.1.19'],
values: ['192.168.1.19', '192.168.1.19'],
},
{
category: 'threat',
field: 'threat.enrichments.indicator.type',
isObjectArray: true,
originalValue: ['ip', 'ip'],
values: ['ip', 'ip'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.atomic',
isObjectArray: true,
originalValue: ['192.168.1.19', '192.168.1.19'],
values: ['192.168.1.19', '192.168.1.19'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.field',
isObjectArray: true,
originalValue: ['host.ip', 'host.ip'],
values: ['host.ip', 'host.ip'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.id',
isObjectArray: true,
originalValue: ['0SIZMnoB_Blp1Ib9ZYHU', 'iiL9NHoB_Blp1Ib9yoJo'],
values: ['0SIZMnoB_Blp1Ib9ZYHU', 'iiL9NHoB_Blp1Ib9yoJo'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.index',
isObjectArray: true,
originalValue: ['filebeat-8.0.0-2021.05.28-000001', 'filebeat-8.0.0-2021.05.28-000001'],
values: ['filebeat-8.0.0-2021.05.28-000001', 'filebeat-8.0.0-2021.05.28-000001'],
},
{
category: 'threat',
field: 'threat.enrichments.matched.type',
isObjectArray: true,
originalValue: ['indicator_match_rule', 'indicator_match_rule'],
values: ['indicator_match_rule', 'indicator_match_rule'],
originalValue: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
'{"matched.field":["matched_field_2"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["other_you"],"indicator.type":["custom"],"matched.atomic":["matched_atomic_2"],"lazer":[{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["FFEtSYIBZ61VHL7LvV2j"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.architecture"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["x86_64"]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["CFErSYIBZ61VHL7LIV1N"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
],
values: [
'{"matched.field":["matched_field","other_matched_field"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["yourself"],"indicator.type":["custom"],"matched.atomic":["matched_atomic"],"lazer":[{"great.field":["grrrrr"]},{"great.field":["grrrrr_2"]}]}',
'{"matched.field":["matched_field_2"],"indicator.first_seen":["2021-02-22T17:29:25.195Z"],"indicator.provider":["other_you"],"indicator.type":["custom"],"matched.atomic":["matched_atomic_2"],"lazer":[{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["FFEtSYIBZ61VHL7LvV2j"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.architecture"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["x86_64"]}',
'{"matched.field":["host.name"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["E1EtSYIBZ61VHL7Ltl3m"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
'{"matched.field":["host.hostname"],"matched.index":["im"],"matched.type":["indicator_match_rule"],"matched.id":["CFErSYIBZ61VHL7LIV1N"],"matched.atomic":["MacBook-Pro-de-Gloria.local"]}',
],
},
];
expect(parseExistingEnrichments(data)).toEqual([
expect.arrayContaining([
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['matched_field', 'other_matched_field'],
values: ['matched_field', 'other_matched_field'],
},
{
category: 'indicator',
field: 'indicator.first_seen',
isObjectArray: false,
originalValue: ['2021-03-21T19:40:19.000Z'],
values: ['2021-03-21T19:40:19.000Z'],
originalValue: ['2021-02-22T17:29:25.195Z'],
values: ['2021-02-22T17:29:25.195Z'],
},
{
category: 'indicator',
field: 'indicator.provider',
isObjectArray: false,
originalValue: ['provider'],
values: ['provider'],
},
{
category: 'indicator',
field: 'indicator.reference',
isObjectArray: false,
originalValue: ['http://reference.url'],
values: ['http://reference.url'],
},
{
category: 'indicator',
field: 'indicator.ip',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['yourself'],
values: ['yourself'],
},
{
category: 'indicator',
field: 'indicator.type',
isObjectArray: false,
originalValue: ['ip'],
values: ['ip'],
originalValue: ['custom'],
values: ['custom'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['matched_atomic'],
values: ['matched_atomic'],
},
{
category: 'lazer',
field: 'lazer',
isObjectArray: true,
originalValue: ['{"great.field":["grrrrr"]}', '{"great.field":["grrrrr_2"]}'],
values: ['{"great.field":["grrrrr"]}', '{"great.field":["grrrrr_2"]}'],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.ip'],
values: ['host.ip'],
originalValue: ['matched_field_2'],
values: ['matched_field_2'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['0SIZMnoB_Blp1Ib9ZYHU'],
values: ['0SIZMnoB_Blp1Ib9ZYHU'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['filebeat-8.0.0-2021.05.28-000001'],
values: ['filebeat-8.0.0-2021.05.28-000001'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule],
values: [ENRICHMENT_TYPES.IndicatorMatchRule],
},
]),
expect.arrayContaining([
{
category: 'indicator',
field: 'indicator.first_seen',
isObjectArray: false,
originalValue: ['2021-03-21T19:40:19.000Z'],
values: ['2021-03-21T19:40:19.000Z'],
originalValue: ['2021-02-22T17:29:25.195Z'],
values: ['2021-02-22T17:29:25.195Z'],
},
{
category: 'indicator',
field: 'indicator.provider',
isObjectArray: false,
originalValue: ['other'],
values: ['other'],
},
{
category: 'indicator',
field: 'indicator.reference',
isObjectArray: false,
originalValue: ['http://reference.url'],
values: ['http://reference.url'],
},
{
category: 'indicator',
field: 'indicator.ip',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['other_you'],
values: ['other_you'],
},
{
category: 'indicator',
field: 'indicator.type',
isObjectArray: false,
originalValue: ['ip'],
values: ['ip'],
originalValue: ['custom'],
values: ['custom'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['192.168.1.19'],
values: ['192.168.1.19'],
originalValue: ['matched_atomic_2'],
values: ['matched_atomic_2'],
},
{
category: 'lazer',
field: 'lazer',
isObjectArray: true,
originalValue: [
'{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}',
],
values: [
'{"great.field":[{"wowoe":[{"fooooo":["grrrrr"]}],"astring":"cool","aNumber":1,"neat":true}]}',
],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.ip'],
values: ['host.ip'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['iiL9NHoB_Blp1Ib9yoJo'],
values: ['iiL9NHoB_Blp1Ib9yoJo'],
originalValue: ['host.name'],
values: ['host.name'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['filebeat-8.0.0-2021.05.28-000001'],
values: ['filebeat-8.0.0-2021.05.28-000001'],
originalValue: ['im'],
values: ['im'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule],
values: [ENRICHMENT_TYPES.IndicatorMatchRule],
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
]),
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['FFEtSYIBZ61VHL7LvV2j'],
values: ['FFEtSYIBZ61VHL7LvV2j'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['MacBook-Pro-de-Gloria.local'],
values: ['MacBook-Pro-de-Gloria.local'],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.hostname'],
values: ['host.hostname'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['im'],
values: ['im'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['E1EtSYIBZ61VHL7Ltl3m'],
values: ['E1EtSYIBZ61VHL7Ltl3m'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['MacBook-Pro-de-Gloria.local'],
values: ['MacBook-Pro-de-Gloria.local'],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.architecture'],
values: ['host.architecture'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['im'],
values: ['im'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['E1EtSYIBZ61VHL7Ltl3m'],
values: ['E1EtSYIBZ61VHL7Ltl3m'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['x86_64'],
values: ['x86_64'],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.name'],
values: ['host.name'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['im'],
values: ['im'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['E1EtSYIBZ61VHL7Ltl3m'],
values: ['E1EtSYIBZ61VHL7Ltl3m'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['MacBook-Pro-de-Gloria.local'],
values: ['MacBook-Pro-de-Gloria.local'],
},
],
[
{
category: 'matched',
field: 'matched.field',
isObjectArray: false,
originalValue: ['host.hostname'],
values: ['host.hostname'],
},
{
category: 'matched',
field: 'matched.index',
isObjectArray: false,
originalValue: ['im'],
values: ['im'],
},
{
category: 'matched',
field: 'matched.type',
isObjectArray: false,
originalValue: ['indicator_match_rule'],
values: ['indicator_match_rule'],
},
{
category: 'matched',
field: 'matched.id',
isObjectArray: false,
originalValue: ['CFErSYIBZ61VHL7LIV1N'],
values: ['CFErSYIBZ61VHL7LIV1N'],
},
{
category: 'matched',
field: 'matched.atomic',
isObjectArray: false,
originalValue: ['MacBook-Pro-de-Gloria.local'],
values: ['MacBook-Pro-de-Gloria.local'],
},
],
]);
});
});
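Review bot: The rewritten expectations replace `ENRICHMENT_TYPES.IndicatorMatchRule` with the string literal `'indicator_match_rule'` (L698, L736, L773, L810, L847), which unpins the assertions from the enum the production code uses and, if the `ENRICHMENT_TYPES` import at the top of this file (outside the hunk) has no other use, leaves it dangling. Keeping the constant in the expected values, `originalValue: [ENRICHMENT_TYPES.IndicatorMatchRule],`, preserves that link at no cost. Dropping `expect.arrayContaining` also makes the test depend on `parseExistingEnrichments` returning enrichments in input order, which is presumably intended now that each enrichment is parsed from one string, but is worth stating in the test name.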


@ -5,7 +5,8 @@
* 2.0.
*/
import { groupBy, isArray } from 'lodash';
import { groupBy } from 'lodash';
import { getDataFromFieldsHits } from '../../../../../common/utils/field_formatters';
import { ENRICHMENT_DESTINATION_PATH } from '../../../../../common/constants';
import {
ENRICHMENT_TYPES,
@ -31,37 +32,21 @@ export const isInvestigationTimeEnrichment = (type: string | undefined) =>
export const parseExistingEnrichments = (
data: TimelineEventsDetailsItem[]
): TimelineEventsDetailsItem[][] => {
const threatIndicatorFields = data.filter(
({ field, originalValue }) =>
field.startsWith(`${ENRICHMENT_DESTINATION_PATH}.`) && originalValue
const threatIndicatorField = data.find(
({ field, originalValue }) => field === ENRICHMENT_DESTINATION_PATH && originalValue
);
if (threatIndicatorFields.length === 0) {
if (!threatIndicatorField) {
return [];
}
return threatIndicatorFields.reduce<TimelineEventsDetailsItem[][]>(
(enrichments, enrichmentData) => {
const { originalValue } = threatIndicatorField;
const enrichmentStrings = Array.isArray(originalValue) ? originalValue : [originalValue];
return enrichmentStrings.reduce<TimelineEventsDetailsItem[][]>(
(enrichments, enrichmentString) => {
try {
if (isArray(enrichmentData.values)) {
for (
let enrichmentIndex = 0;
enrichmentIndex < enrichmentData.values.length;
enrichmentIndex++
) {
if (!isArray(enrichments[enrichmentIndex])) {
enrichments[enrichmentIndex] = [];
}
const fieldParts = enrichmentData.field.split('.');
enrichments[enrichmentIndex].push({
...enrichmentData,
isObjectArray: false,
field: enrichmentData.field.replace(`${ENRICHMENT_DESTINATION_PATH}.`, ''),
category: fieldParts.length > 3 ? fieldParts[2] : enrichmentData.category,
values: [enrichmentData.values[enrichmentIndex]],
originalValue: [enrichmentData.originalValue[enrichmentIndex]],
});
}
}
const enrichment = getDataFromFieldsHits(JSON.parse(enrichmentString));
enrichments.push(enrichment);
} catch (e) {
// omit failed parse
}
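Review bot: The `catch (e)` at L923-L925 swallows every error raised in the loop body, not just the `JSON.parse` failure its comment describes: a throw from `getDataFromFieldsHits` on a parsed value of unexpected shape (for instance a non-object, since `JSON.parse` happily returns a number or `null`) is dropped with no trace, and the UI simply shows no enrichments. Guarding only the parse and checking the parsed value before handing it on keeps the best-effort intent while letting real bugs surface. The reduce callback and `parseExistingEnrichments` itself continue past the end of the hunk.
```typescript
    (enrichments, enrichmentString) => {
      let parsed;
      try {
        parsed = JSON.parse(enrichmentString);
      } catch (e) {
        // omit failed parse
        return enrichments;
      }
      // only an object can be treated as a fields map; skip anything else
      if (parsed === null || typeof parsed !== 'object') {
        return enrichments;
      }
      enrichments.push(getDataFromFieldsHits(parsed));
      // … unchanged: remainder of the reduce callback …
```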


@ -581,6 +581,17 @@ describe('Events Details Helpers', () => {
originalValue: ['a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3'],
values: ['a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3'],
},
{
category: 'threat',
field: 'threat.enrichments',
isObjectArray: true,
originalValue: [
'{"matched.field":["myhash.mysha256"],"matched.index":["logs-ti_abusech.malware"],"matched.type":["indicator_match_rule"],"feed.name":["AbuseCH malware"],"matched.atomic":["a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3"]}',
],
values: [
'{"matched.field":["myhash.mysha256"],"matched.index":["logs-ti_abusech.malware"],"matched.type":["indicator_match_rule"],"feed.name":["AbuseCH malware"],"matched.atomic":["a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3"]}',
],
},
];
const result = getDataFromFieldsHits(data);
expect(result).toEqual(ruleParametersResultFields);


@ -13,6 +13,7 @@ import { technicalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/f
import { experimentalRuleFieldMap } from '@kbn/rule-registry-plugin/common/assets/field_maps/experimental_rule_field_map';
import { EventHit, TimelineEventsDetailsItem } from '../search_strategy';
import { toObjectArrayOfStrings, toStringArray } from './to_array';
import { ENRICHMENT_DESTINATION_PATH } from '../constants';
export const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags'];
const nonFlattenedFormatParamsFields = ['related_integrations', 'threat_mapping'];
@ -46,6 +47,9 @@ export const isRuleParametersFieldOrSubfield = (field: string, prependField?: st
(prependField?.includes(ALERT_RULE_PARAMETERS) || field === ALERT_RULE_PARAMETERS) &&
!nonFlattenedFormatParamsFields.includes(field);
export const isThreatEnrichmentFieldOrSubfield = (field: string, prependField?: string) =>
prependField?.includes(ENRICHMENT_DESTINATION_PATH) || field === ENRICHMENT_DESTINATION_PATH;
export const getDataFromFieldsHits = (
fields: EventHit['fields'],
prependField?: string,
@ -91,6 +95,19 @@ export const getDataFromFieldsHits = (
},
];
}
const threatEnrichmentObject = isThreatEnrichmentFieldOrSubfield(field, prependField)
? [
{
category: fieldCategory,
field: dotField,
values: strArr,
originalValue: strArr,
isObjectArray,
},
]
: [];
// format nested fields
let nestedFields;
if (isRuleParametersFieldOrSubfield(field, prependField)) {
@ -111,6 +128,7 @@ export const getDataFromFieldsHits = (
const flat: Record<string, TimelineEventsDetailsItem> = [
...accumulator,
...nestedFields,
...threatEnrichmentObject,
].reduce(
(acc, f) => ({
...acc,


@ -112,6 +112,76 @@ describe('buildEcsObjects', () => {
type: [],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.name'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.hostname'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['x86_64'],
field: ['host.architecture'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.name'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.hostname'],
type: ['indicator_match_rule'],
},
},
],
},
timestamp: '2020-11-17T14:48:08.922Z',


@ -86,6 +86,31 @@ describe('buildObjectRecursive', () => {
atomic: ['matched_atomic_2'],
},
},
{
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
},
},
{
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
},
},
{
matched: {
atomic: ['x86_64'],
},
},
{
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
},
},
{
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
},
},
],
},
});
@ -105,6 +130,31 @@ describe('buildObjectRecursive', () => {
field: ['matched_field_2'],
},
},
{
matched: {
field: ['host.name'],
},
},
{
matched: {
field: ['host.hostname'],
},
},
{
matched: {
field: ['host.architecture'],
},
},
{
matched: {
field: ['host.name'],
},
},
{
matched: {
field: ['host.hostname'],
},
},
],
},
});


@ -43,7 +43,14 @@ describe('formatTimelineData', () => {
},
{
field: 'threat.enrichments.matched.field',
value: ['matched_field', 'other_matched_field', 'matched_field_2'],
value: [
'matched_field',
'other_matched_field',
'matched_field_2',
'host.name',
'host.hostname',
'host.architecture',
],
},
{
field: 'source.geo.location',
@ -120,6 +127,76 @@ describe('formatTimelineData', () => {
type: [],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.name'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.hostname'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['x86_64'],
field: ['host.architecture'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.name'],
type: ['indicator_match_rule'],
},
},
{
feed: {
name: [],
},
indicator: {
provider: [],
reference: [],
},
matched: {
atomic: ['MacBook-Pro-de-Gloria.local'],
field: ['host.hostname'],
type: ['indicator_match_rule'],
},
},
],
},
},