fix severity and risk score

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts

@@ -49,6 +49,11 @@ export const technicalRuleFieldMap = {
  array: false,
  required: false,
  },
+ [Fields.ALERT_RISK_SCORE]: {
+ type: 'float',
+ array: false,
+ required: false,
+ },
  [Fields.ALERT_WORKFLOW_STATUS]: {
  type: 'keyword',
  array: false,

x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts

@@ -7,7 +7,7 @@
 
 import {
  ALERT_RULE_CONSUMER,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
  ALERT_STATUS,
  ECS_VERSION,
  ALERT_RULE_TYPE_ID,
@@ -30,7 +30,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
  [ALERT_RULE_TYPE_ID]: 'apm.error_rate',
  [ALERT_RULE_CONSUMER]: 'apm',
  [ALERT_STATUS]: 'open',
- [ALERT_RULE_RISK_SCORE]: 20,
+ [ALERT_RISK_SCORE]: 20,
  [SPACE_IDS]: ['fake-space-id'],
 });
 

x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts

@@ -15,15 +15,15 @@ import {
  ALERT_RULE_NAME,
  ALERT_RULE_NOTE,
  ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
  ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
  ALERT_RULE_TAGS,
  ALERT_RULE_TO,
  ALERT_RULE_TYPE,
  ALERT_RULE_UPDATED_AT,
  ALERT_RULE_UPDATED_BY,
  ALERT_RULE_VERSION,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
 } from '@kbn/rule-data-utils';
 import {
  ALERT_ORIGINAL_TIME,
@@ -342,12 +342,10 @@ export const alertFieldsMap: Readonly<Record<string, string>> = {
  [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID,
  [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES,
  [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS,
- [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE,
  [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION,
  [ALERT_RULE_NAME]: ALERT_RULE_NAME,
  [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE,
  [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES,
- [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY,
  [ALERT_RULE_TAGS]: ALERT_RULE_TAGS,
  [ALERT_RULE_THREAT]: ALERT_RULE_THREAT,
  [ALERT_RULE_TYPE]: ALERT_RULE_TYPE,
@@ -361,6 +359,8 @@ export const alertFieldsMap: Readonly<Record<string, string>> = {
  [ALERT_RULE_NOTE]: ALERT_RULE_NOTE,
  [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD,
  [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST,
+ [ALERT_SEVERITY]: ALERT_SEVERITY,
+ [ALERT_RISK_SCORE]: ALERT_RISK_SCORE,
 };
 
 export const ruleFieldsMap: Readonly<Record<string, string>> = {

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -14,8 +14,8 @@ import {
 
 import {
  ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -480,12 +480,10 @@ describe('indicator match', () => {
 
  cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
  cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
- cy.get(ALERT_RULE_SEVERITY)
+ cy.get(ALERT_SEVERITY)
  .first()
  .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
- cy.get(ALERT_RULE_RISK_SCORE)
- .first()
- .should('have.text', getNewThreatIndicatorRule().riskScore);
+ cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
  });
 
  it('Investigate alert in timeline', () => {

x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import {
  getIndexPatterns,
@@ -140,7 +140,7 @@ describe('Detection rules, override', () => {
  getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
  getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
  'have.text',
- `${this.rule.riskOverride}${ALERT_RULE_RISK_SCORE}`
+ `${this.rule.riskOverride}${ALERT_RISK_SCORE}`
  );
  getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
  getDetails(REFERENCE_URLS_DETAILS).should((details) => {

x-pack/plugins/security_solution/cypress/screens/alerts.ts

@@ -28,6 +28,10 @@ export const ALERT_RULE_RISK_SCORE =
 
 export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]';
 
+export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]';
+
+export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]';
+
 export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]';
 
 export const CLOSE_ALERT_BTN = '[data-test-subj="close-alert-status"]';

x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts

@@ -19,14 +19,14 @@ import {
  ALERT_RULE_NAME,
  ALERT_RULE_NOTE,
  ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
  ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
  ALERT_RULE_TAGS,
  ALERT_RULE_TO,
  ALERT_RULE_TYPE,
  ALERT_RULE_UPDATED_BY,
  ALERT_RULE_VERSION,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-data-utils';
 import { BrowserField } from '../../containers/source';
@@ -223,10 +223,8 @@ export const allowTopN = ({
  ALERT_RULE_NOTE,
  ALERT_RULE_QUERY,
  ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
  ALERT_RULE_RULE_ID,
  ALERT_RULE_SAVED_ID,
- ALERT_RULE_SEVERITY,
  ALERT_RULE_SIZE,
  ALERT_RULE_TAGS,
  ALERT_RULE_THREAT,
@@ -242,6 +240,8 @@ export const allowTopN = ({
  ALERT_RULE_TYPE,
  ALERT_RULE_UPDATED_BY,
  ALERT_RULE_VERSION,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  ALERT_WORKFLOW_STATUS,
  ] as string[]).includes(fieldName);
 

x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts

@@ -16,10 +16,10 @@ import {
  ALERT_RULE_LICENSE,
  ALERT_RULE_NAME,
  ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
  ALERT_RULE_RISK_SCORE_MAPPING,
  ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
  ALERT_RULE_SEVERITY_MAPPING,
  ALERT_RULE_TAGS,
  ALERT_RULE_TO,
@@ -423,7 +423,7 @@ export const mockAlertDetailsData = [
  originalValue: 'http://localhost:5601/app/security',
  },
  { category: 'kibana', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 },
- { category: 'kibana', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 },
+ { category: 'kibana', field: ALERT_RISK_SCORE, values: [21], originalValue: 21 },
  { category: 'kibana', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] },
  { category: 'kibana', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' },
  {
@@ -467,7 +467,7 @@ export const mockAlertDetailsData = [
  originalValue: '@timestamp : * ',
  },
  { category: 'kibana', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] },
- { category: 'kibana', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' },
+ { category: 'kibana', field: ALERT_SEVERITY, values: ['low'], originalValue: 'low' },
  { category: 'kibana', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] },
  { category: 'kibana', field: ALERT_RULE_TAGS, values: [], originalValue: [] },
  { category: 'kibana', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' },

x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx

@@ -13,8 +13,8 @@ import styled from 'styled-components';
 import {
  ALERT_RULE_UUID,
  ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-data-utils';
 import * as i18n from './translations';
@@ -78,8 +78,8 @@ const defaultDisplayFields: EventSummaryField[] = [
  linkField: ALERT_RULE_UUID,
  label: ALERTS_HEADERS_RULE,
  },
- { id: ALERT_RULE_SEVERITY, label: ALERTS_HEADERS_SEVERITY },
- { id: ALERT_RULE_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE },
+ { id: ALERT_SEVERITY, label: ALERTS_HEADERS_SEVERITY },
+ { id: ALERT_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE },
  { id: 'host.name' },
  { id: 'agent.id', overrideField: AGENT_STATUS_FIELD_NAME, label: i18n.AGENT_STATUS },
  { id: 'user.name' },

x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts

@@ -7,16 +7,16 @@
 
 import {
  ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  ALERT_RULE_TYPE,
 } from '@kbn/rule-data-utils';
 import type { AlertsStackByOption } from './types';
 import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts';
 
 export const alertsStackByOptions: AlertsStackByOption[] = [
- { text: ALERT_RULE_RISK_SCORE, value: ALERT_RULE_RISK_SCORE },
- { text: ALERT_RULE_SEVERITY, value: ALERT_RULE_SEVERITY },
+ { text: ALERT_RISK_SCORE, value: ALERT_RISK_SCORE },
+ { text: ALERT_SEVERITY, value: ALERT_SEVERITY },
  { text: ALERT_RULE_THREAT_TACTIC_NAME, value: ALERT_RULE_THREAT_TACTIC_NAME },
  { text: 'destination.ip', value: 'destination.ip' },
  { text: 'event.action', value: 'event.action' },

x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts

@@ -7,8 +7,8 @@
 
 import {
  ALERT_RULE_NAME,
- ALERT_RULE_RISK_SCORE,
- ALERT_RULE_SEVERITY,
+ ALERT_RISK_SCORE,
+ ALERT_SEVERITY,
  ALERT_RULE_TYPE,
 } from '@kbn/rule-data-utils';
 import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts';
@@ -19,8 +19,8 @@ export interface AlertsStackByOption {
 }
 
 export type AlertsStackByField =
- | typeof ALERT_RULE_RISK_SCORE
- | typeof ALERT_RULE_SEVERITY
+ | typeof ALERT_RISK_SCORE
+ | typeof ALERT_SEVERITY
  | typeof ALERT_RULE_THREAT_TACTIC_NAME
  | 'destination.ip'
  | 'event.action'

x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx

@@ -23,7 +23,7 @@ import React from 'react';
 import styled from 'styled-components';
 
 import { ThreatMapping, Type } from '@kbn/securitysolution-io-ts-alerting-types';
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { MATCHES, AND, OR } from '../../../../common/components/threat_match/translations';
 import { assertUnreachable } from '../../../../../common/utility_types';
 import * as i18nSeverity from '../severity_mapping/translations';
@@ -351,7 +351,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt
  <EuiFlexItem grow={false}>
  <EuiIcon type={'sortRight'} />
  </EuiFlexItem>
- <EuiFlexItem>{`${ALERT_RULE_RISK_SCORE}`}</EuiFlexItem>
+ <EuiFlexItem>{`${ALERT_RISK_SCORE}`}</EuiFlexItem>
  </EuiFlexGroup>
  ),
  };

x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts

@@ -9,7 +9,7 @@ import { EuiDataGridColumn } from '@elastic/eui';
 import {
  ALERT_DURATION,
  ALERT_REASON,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
  ALERT_WORKFLOW_STATUS,
 } from '@kbn/rule-data-utils';
 
@@ -47,7 +47,7 @@ export const columns: Array<
  {
  columnHeaderType: defaultColumnHeaderType,
  displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
- id: ALERT_RULE_SEVERITY,
+ id: ALERT_SEVERITY,
  initialWidth: 102,
  },
  {

x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx

@@ -8,12 +8,7 @@
 import { mount } from 'enzyme';
 import { cloneDeep } from 'lodash/fp';
 import React from 'react';
-import {
- ALERT_DURATION,
- ALERT_REASON,
- ALERT_RULE_SEVERITY,
- ALERT_STATUS,
-} from '@kbn/rule-data-utils';
+import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils';
 import { mockBrowserFields } from '../../../../common/containers/source/mock';
 import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper';
 import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock';
@@ -84,7 +79,7 @@ describe('RenderCellValue', () => {
  const wrapper = mount(
  <TestProviders>
  <DragDropContextWrapper browserFields={mockBrowserFields}>
- <RenderCellValue {...props} columnId={ALERT_RULE_SEVERITY} />
+ <RenderCellValue {...props} columnId={ALERT_SEVERITY} />
  </DragDropContextWrapper>
  </TestProviders>
  );

x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx

@@ -9,12 +9,7 @@ import moment from 'moment';
 import React from 'react';
 
 import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui';
-import {
- ALERT_DURATION,
- ALERT_REASON,
- ALERT_RULE_SEVERITY,
- ALERT_STATUS,
-} from '@kbn/rule-data-utils';
+import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils';
 
 import { TruncatableText } from '../../../../common/components/truncatable_text';
 import { Severity } from '../../../components/severity';
@@ -60,7 +55,7 @@ export const RenderCellValue: React.FC<
  );
  case ALERT_DURATION:
  return <span data-test-subj="alert-duration">{moment().fromNow(true)}</span>;
- case ALERT_RULE_SEVERITY:
+ case ALERT_SEVERITY:
  return <Severity data-test-subj="rule-severity" severity={value} />;
  case ALERT_REASON:
  return (

x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts

@@ -10,7 +10,7 @@ import {
  ALERT_REASON,
  ALERT_RULE_UUID,
  ALERT_RULE_NAME,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 } from '@kbn/rule-data-utils';
 import { ColumnHeaderOptions } from '../../../../../common';
 import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers';
@@ -39,7 +39,7 @@ export const columns: Array<
  },
  {
  columnHeaderType: defaultColumnHeaderType,
- id: ALERT_RULE_SEVERITY,
+ id: ALERT_SEVERITY,
  displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
  initialWidth: 104,
  },