From 68f30858ecc016b05ed5d307da1d240d21306ad2 Mon Sep 17 00:00:00 2001 From: Michael Olorunnisola Date: Tue, 24 Aug 2021 12:36:56 -0400 Subject: [PATCH] fix severity and risk score --- .../field_maps/technical_rule_field_map.ts | 5 + .../server/routes/get_alert_by_id.test.ts | 4 +- .../common/ecs/ecs_fields/index.ts | 8 +- .../indicator_match_rule.spec.ts | 10 +- .../detection_rules/override.spec.ts | 4 +- .../cypress/screens/alerts.ts | 4 + .../components/drag_and_drop/helpers.ts | 8 +- .../event_details/__mocks__/index.ts | 8 +- .../alert_summary_view.test.tsx.snap | 12 +- .../event_details/alert_summary_view.tsx | 8 +- .../components/alerts_kpis/common/config.ts | 8 +- .../components/alerts_kpis/common/types.ts | 8 +- .../rules/description_step/helpers.tsx | 4 +- .../examples/observablity_alerts/columns.ts | 4 +- .../render_cell_value.test.tsx | 9 +- .../observablity_alerts/render_cell_value.tsx | 9 +- .../examples/security_solution_rac/columns.ts | 4 +- .../render_cell_value.test.tsx | 4 +- .../render_cell_value.tsx | 4 +- .../security_solution_detections/columns.ts | 8 +- .../detection_engine/alerts/api.test.ts | 4 +- .../detection_engine/alerts/mock.ts | 4 +- .../__snapshots__/index.test.tsx.snap | 2020 +++++++++-------- .../default_cell_renderer.test.tsx | 4 +- .../components/host_rules_table/columns.tsx | 4 +- .../components/host_tactics_table/columns.tsx | 4 +- .../routes/index/signal_aad_mapping.json | 6 +- .../ueba/host_rules/query.host_rules.dsl.ts | 6 +- .../host_tactics/query.host_tactics.dsl.ts | 6 +- .../ueba/user_rules/query.user_rules.dsl.ts | 6 +- .../timelines/common/ecs/ecs_fields/index.ts | 8 +- .../public/components/t_grid/body/helpers.tsx | 8 +- .../timeline/factory/events/all/constants.ts | 8 +- .../factory/events/all/helpers.test.ts | 12 +- 34 files changed, 1124 insertions(+), 1109 deletions(-) 
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index b4ae89b7694f72..37a3a3b9fffbc3 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -49,6 +49,11 @@ export const technicalRuleFieldMap = { array: false, required: false, }, + [Fields.ALERT_RISK_SCORE]: { + type: 'float', + array: false, + required: false, + }, [Fields.ALERT_WORKFLOW_STATUS]: { type: 'keyword', array: false, diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts index 372fb09661259a..a605d9a4d50756 100644 --- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts +++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts @@ -7,7 +7,7 @@ import { ALERT_RULE_CONSUMER, - ALERT_RULE_RISK_SCORE, + ALERT_RISK_SCORE, ALERT_STATUS, ECS_VERSION, ALERT_RULE_TYPE_ID, @@ -30,7 +30,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({ [ALERT_RULE_TYPE_ID]: 'apm.error_rate', [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', - [ALERT_RULE_RISK_SCORE]: 20, + [ALERT_RISK_SCORE]: 20, [SPACE_IDS]: ['fake-space-id'], }); diff --git a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts index 61c8ed2d8b276c..7557b0393f3679 100644 --- a/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts +++ b/x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts 
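Review bot: The new `[Fields.ALERT_RISK_SCORE]` entry in technicalRuleFieldMap gives the per-alert risk score a mapping, but the rest of this patch also starts reading `ALERT_SEVERITY` (kibana.alert.severity) from alert documents and no matching `[Fields.ALERT_SEVERITY]` entry appears in this hunk; the context lines above the insertion do not show which field they belong to, so if severity is not already mapped elsewhere in this object it will be left to dynamic mapping per index. Because technicalRuleFieldMap feeds the alerts index template shared by every rule type, existing alert indices only see the new field once the template is re-applied and mappings updated; confirm the plugin does that on startup or note the rollover step in the commit description. A one-line comment on the new entry would also help, since this key is easy to confuse with the rule's configured score: `// Per-alert risk score (kibana.alert.risk_score), distinct from the rule's configured kibana.alert.rule.risk_score.`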
@@ -15,15 +15,15 @@ import { ALERT_RULE_NAME, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, ALERT_RULE_RULE_ID, - ALERT_RULE_SEVERITY, ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, ALERT_RULE_UPDATED_AT, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_RISK_SCORE, + ALERT_SEVERITY, } from '@kbn/rule-data-utils'; import { ALERT_ORIGINAL_TIME, @@ -342,12 +342,10 @@ export const alertFieldsMap: Readonly> = { [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID, [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES, [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS, - [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE, [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION, [ALERT_RULE_NAME]: ALERT_RULE_NAME, [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE, [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES, - [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY, [ALERT_RULE_TAGS]: ALERT_RULE_TAGS, [ALERT_RULE_THREAT]: ALERT_RULE_THREAT, [ALERT_RULE_TYPE]: ALERT_RULE_TYPE, @@ -361,6 +359,8 @@ export const alertFieldsMap: Readonly> = { [ALERT_RULE_NOTE]: ALERT_RULE_NOTE, [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD, [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST, + [ALERT_SEVERITY]: ALERT_SEVERITY, + [ALERT_RISK_SCORE]: ALERT_RISK_SCORE, }; export const ruleFieldsMap: Readonly> = { diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index f8b3b426580b29..3aebf87aa3fafb 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -14,8 +14,8 @@ import { import { ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, NUMBER_OF_ALERTS, } from '../../screens/alerts'; import { 
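Review bot: The `alertFieldsMap` hunk drops the rule-level `ALERT_RULE_RISK_SCORE` and `ALERT_RULE_SEVERITY` keys instead of adding the alert-level ones alongside them, and the `allowTopN` list in public/common/components/drag_and_drop/helpers.ts does the same. If `kibana.alert.rule.severity` and `kibana.alert.rule.risk_score` are still written to alert documents (the unchanged `ALERT_RULE_SEVERITY_MAPPING`/`ALERT_RULE_RISK_SCORE_MAPPING` mocks and the selectors kept in cypress/screens/alerts.ts suggest they are), removing them makes the rule's configured values unresolvable through the field map and excluded from Top N; if they were retired on purpose, the commit description should say so. Either way a short comment on the two added keys would save the next reader the same question, e.g. `// Per-alert severity and risk score (kibana.alert.*), not the rule-level kibana.alert.rule.* values.`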
@@ -480,12 +480,10 @@ describe('indicator match', () => { cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts); cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name); - cy.get(ALERT_RULE_SEVERITY) + cy.get(ALERT_SEVERITY) .first() .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase()); - cy.get(ALERT_RULE_RISK_SCORE) - .first() - .should('have.text', getNewThreatIndicatorRule().riskScore); + cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore); }); it('Investigate alert in timeline', () => { diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts index 5b14fe95799111..540d5da61dae2c 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { formatMitreAttackDescription } from '../../helpers/rules'; import { getIndexPatterns, @@ -140,7 +140,7 @@ describe('Detection rules, override', () => { getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore); getDetails(RISK_SCORE_OVERRIDE_DETAILS).should( 'have.text', - `${this.rule.riskOverride}${ALERT_RULE_RISK_SCORE}` + `${this.rule.riskOverride}${ALERT_RISK_SCORE}` ); getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride); getDetails(REFERENCE_URLS_DETAILS).should((details) => { diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts.ts b/x-pack/plugins/security_solution/cypress/screens/alerts.ts index 637658c57ca5ed..7820c7340896e4 100644 --- a/x-pack/plugins/security_solution/cypress/screens/alerts.ts 
+++ b/x-pack/plugins/security_solution/cypress/screens/alerts.ts @@ -28,6 +28,10 @@ export const ALERT_RULE_RISK_SCORE = export const ALERT_RULE_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.rule.severity"]'; +export const ALERT_RISK_SCORE = '[data-test-subj="formatted-field-kibana.alert.risk_score"]'; + +export const ALERT_SEVERITY = '[data-test-subj="formatted-field-kibana.alert.severity"]'; + export const ALERT_DATA_GRID = '[data-test-subj="dataGridWrapper"]'; export const CLOSE_ALERT_BTN = '[data-test-subj="close-alert-status"]'; diff --git a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts index e24bd7517ce45e..a4d34299875f36 100644 --- a/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts +++ b/x-pack/plugins/security_solution/public/common/components/drag_and_drop/helpers.ts @@ -19,14 +19,14 @@ import { ALERT_RULE_NAME, ALERT_RULE_NOTE, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, ALERT_RULE_RULE_ID, - ALERT_RULE_SEVERITY, ALERT_RULE_TAGS, ALERT_RULE_TO, ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import { BrowserField } from '../../containers/source'; @@ -223,10 +223,8 @@ export const allowTopN = ({ ALERT_RULE_NOTE, ALERT_RULE_QUERY, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, ALERT_RULE_RULE_ID, ALERT_RULE_SAVED_ID, - ALERT_RULE_SEVERITY, ALERT_RULE_SIZE, ALERT_RULE_TAGS, ALERT_RULE_THREAT, @@ -242,6 +240,8 @@ export const allowTopN = ({ ALERT_RULE_TYPE, ALERT_RULE_UPDATED_BY, ALERT_RULE_VERSION, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, ] as string[]).includes(fieldName); 
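Review bot: The new `ALERT_RISK_SCORE` and `ALERT_SEVERITY` selectors sit next to the existing `ALERT_RULE_RISK_SCORE`/`ALERT_RULE_SEVERITY` ones, which indicator_match_rule.spec.ts stops using in this same patch; unless another spec still references the `kibana.alert.rule.*` selectors they are now dead and should be deleted rather than left beside near-identical names. If they are kept deliberately, a comment distinguishing the two pairs would prevent the next test author from picking the wrong one, e.g. `// kibana.alert.rule.* = rule-configured values; kibana.alert.* below = per-alert values rendered in the alerts table.`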
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts index 3e1e44c0b6d3f5..e8809cdeb848b4 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__mocks__/index.ts @@ -16,10 +16,10 @@ import { ALERT_RULE_LICENSE, ALERT_RULE_NAME, ALERT_RULE_REFERENCES, - ALERT_RULE_RISK_SCORE, + ALERT_RISK_SCORE, ALERT_RULE_RISK_SCORE_MAPPING, ALERT_RULE_RULE_ID, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, ALERT_RULE_SEVERITY_MAPPING, ALERT_RULE_TAGS, ALERT_RULE_TO, @@ -423,7 +423,7 @@ export const mockAlertDetailsData = [ originalValue: 'http://localhost:5601/app/security', }, { category: 'kibana', field: ALERT_RULE_MAX_SIGNALS, values: [100], originalValue: 100 }, - { category: 'kibana', field: ALERT_RULE_RISK_SCORE, values: [21], originalValue: 21 }, + { category: 'kibana', field: ALERT_RISK_SCORE, values: [21], originalValue: 21 }, { category: 'kibana', field: ALERT_RULE_RISK_SCORE_MAPPING, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_DESCRIPTION, values: ['xxx'], originalValue: 'xxx' }, { @@ -467,7 +467,7 @@ export const mockAlertDetailsData = [ originalValue: '@timestamp : * ', }, { category: 'kibana', field: ALERT_RULE_REFERENCES, values: [], originalValue: [] }, - { category: 'kibana', field: ALERT_RULE_SEVERITY, values: ['low'], originalValue: 'low' }, + { category: 'kibana', field: ALERT_SEVERITY, values: ['low'], originalValue: 'low' }, { category: 'kibana', field: ALERT_RULE_SEVERITY_MAPPING, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_TAGS, values: [], originalValue: [] }, { category: 'kibana', field: ALERT_RULE_TYPE, values: ['query'], originalValue: 'query' }, 
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap index 0ce9518470973a..3ad8b6c80b5e89 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap @@ -353,7 +353,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field kibana.alert.rule.severity. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.severity. Press tab to navigate options. Press escape to exit.

@@ -417,7 +417,7 @@ exports[`AlertSummaryView Memory event code renders additional summary rows 1`]

- You are in a dialog, containing options for field kibana.alert.rule.risk_score. Press tab to navigate options. Press escape to exit. + You are in a dialog, containing options for field kibana.alert.risk_score. Press tab to navigate options. Press escape to exit.

diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx index 2faac84cb182c8..00afdb839cd832 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx @@ -13,8 +13,8 @@ import styled from 'styled-components'; import { ALERT_RULE_UUID, ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; import * as i18n from './translations'; @@ -78,8 +78,8 @@ const defaultDisplayFields: EventSummaryField[] = [ linkField: ALERT_RULE_UUID, label: ALERTS_HEADERS_RULE, }, - { id: ALERT_RULE_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, - { id: ALERT_RULE_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE }, + { id: ALERT_SEVERITY, label: ALERTS_HEADERS_SEVERITY }, + { id: ALERT_RISK_SCORE, label: ALERTS_HEADERS_RISK_SCORE }, { id: 'host.name' }, { id: 'agent.id', overrideField: AGENT_STATUS_FIELD_NAME, label: i18n.AGENT_STATUS }, { id: 'user.name' }, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts index 5e3ecda7ab181f..0f3062d5fec203 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/config.ts 
@@ -7,16 +7,16 @@ import { ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; import type { AlertsStackByOption } from './types'; import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts'; export const alertsStackByOptions: AlertsStackByOption[] = [ - { text: ALERT_RULE_RISK_SCORE, value: ALERT_RULE_RISK_SCORE }, - { text: ALERT_RULE_SEVERITY, value: ALERT_RULE_SEVERITY }, + { text: ALERT_RISK_SCORE, value: ALERT_RISK_SCORE }, + { text: ALERT_SEVERITY, value: ALERT_SEVERITY }, { text: ALERT_RULE_THREAT_TACTIC_NAME, value: ALERT_RULE_THREAT_TACTIC_NAME }, { text: 'destination.ip', value: 'destination.ip' }, { text: 'event.action', value: 'event.action' }, diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts index 0081bd1cf3f4db..615fc53a8dfc3a 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_kpis/common/types.ts @@ -7,8 +7,8 @@ import { ALERT_RULE_NAME, - ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, + ALERT_RISK_SCORE, + ALERT_SEVERITY, ALERT_RULE_TYPE, } from '@kbn/rule-data-utils'; import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../../../../../timelines/common/alerts'; @@ -19,8 +19,8 @@ export interface AlertsStackByOption { } export type AlertsStackByField = - | typeof ALERT_RULE_RISK_SCORE - | typeof ALERT_RULE_SEVERITY + | typeof ALERT_RISK_SCORE + | typeof ALERT_SEVERITY | typeof ALERT_RULE_THREAT_TACTIC_NAME | 'destination.ip' | 'event.action' 
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx index e53b78b8c482a1..1a4a4642d0825b 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/description_step/helpers.tsx @@ -23,7 +23,7 @@ import React from 'react'; import styled from 'styled-components'; import { ThreatMapping, Type } from '@kbn/securitysolution-io-ts-alerting-types'; -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { MATCHES, AND, OR } from '../../../../common/components/threat_match/translations'; import { assertUnreachable } from '../../../../../common/utility_types'; import * as i18nSeverity from '../severity_mapping/translations'; @@ -351,7 +351,7 @@ export const buildRiskScoreDescription = (riskScore: AboutStepRiskScore): ListIt - {`${ALERT_RULE_RISK_SCORE}`} + {`${ALERT_RISK_SCORE}`} ), }; diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts index 9623100ac16c22..e4914233209278 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/columns.ts @@ -9,7 +9,7 @@ import { EuiDataGridColumn } from '@elastic/eui'; import { ALERT_DURATION, ALERT_REASON, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, ALERT_WORKFLOW_STATUS, } from '@kbn/rule-data-utils'; 
@@ -47,7 +47,7 @@ export const columns: Array< { columnHeaderType: defaultColumnHeaderType, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, - id: ALERT_RULE_SEVERITY, + id: ALERT_SEVERITY, initialWidth: 102, }, { diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx index a66e2b32758b67..dddb7108f607ec 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.test.tsx @@ -8,12 +8,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { - ALERT_DURATION, - ALERT_REASON, - ALERT_RULE_SEVERITY, - ALERT_STATUS, -} from '@kbn/rule-data-utils'; +import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock'; @@ -84,7 +79,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx index caf0d63c7fe05f..07581e4c94d3b5 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx 
+++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/observablity_alerts/render_cell_value.tsx @@ -9,12 +9,7 @@ import moment from 'moment'; import React from 'react'; import { EuiDataGridCellValueElementProps, EuiLink } from '@elastic/eui'; -import { - ALERT_DURATION, - ALERT_REASON, - ALERT_RULE_SEVERITY, - ALERT_STATUS, -} from '@kbn/rule-data-utils'; +import { ALERT_DURATION, ALERT_REASON, ALERT_SEVERITY, ALERT_STATUS } from '@kbn/rule-data-utils'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity'; @@ -60,7 +55,7 @@ export const RenderCellValue: React.FC< ); case ALERT_DURATION: return {moment().fromNow(true)}; - case ALERT_RULE_SEVERITY: + case ALERT_SEVERITY: return ; case ALERT_REASON: return ( diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts index 9c1e09dc905625..e238d73e3aff58 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/columns.ts @@ -10,7 +10,7 @@ import { ALERT_REASON, ALERT_RULE_UUID, ALERT_RULE_NAME, - ALERT_RULE_SEVERITY, + ALERT_SEVERITY, } from '@kbn/rule-data-utils'; import { ColumnHeaderOptions } from '../../../../../common'; import { defaultColumnHeaderType } from '../../../../timelines/components/timeline/body/column_headers/default_headers'; @@ -39,7 +39,7 @@ export const columns: Array< }, { columnHeaderType: defaultColumnHeaderType, - id: ALERT_RULE_SEVERITY, + id: ALERT_SEVERITY, displayAsText: i18n.ALERTS_HEADERS_SEVERITY, initialWidth: 104, }, 
diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx index 26f4f4b919aff8..542883796eb0f7 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.test.tsx @@ -9,7 +9,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_SEVERITY } from '@kbn/rule-data-utils'; import { mockBrowserFields } from '../../../../common/containers/source/mock'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; import { defaultHeaders, mockTimelineData, TestProviders } from '../../../../common/mock'; @@ -56,7 +56,7 @@ describe('RenderCellValue', () => { const wrapper = mount( - + ); diff --git a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx index 0d255eb95c7547..db83eda337a1f6 100644 --- a/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx +++ b/x-pack/plugins/security_solution/public/detections/configurations/examples/security_solution_rac/render_cell_value.tsx 
@@ -8,7 +8,7 @@ import { EuiDataGridCellValueElementProps } from '@elastic/eui'; import React from 'react'; -import { ALERT_REASON, ALERT_RULE_SEVERITY } from '@kbn/rule-data-utils'; +import { ALERT_REASON, ALERT_SEVERITY } from '@kbn/rule-data-utils'; import { DefaultDraggable } from '../../../../common/components/draggables'; import { TruncatableText } from '../../../../common/components/truncatable_text'; import { Severity } from '../../../components/severity'; @@ -47,7 +47,7 @@ export const RenderCellValue: React.FC< const draggableId = `${timelineId}-${eventId}-${columnId}-${value}`; switch (columnId) { - case ALERT_RULE_SEVERITY: + case ALERT_SEVERITY: return ( { test('check parameter url, body', async () => { await fetchQueryAlerts({ query: mockAlertsQuery, signal: abortCtrl.signal }); expect(fetchMock).toHaveBeenCalledWith('/api/detection_engine/signals/search', { - body: `{"aggs":{"alertsByGrouping":{"terms":{"field":"${ALERT_RULE_RISK_SCORE}","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`, + body: `{"aggs":{"alertsByGrouping":{"terms":{"field":"${ALERT_RISK_SCORE}","missing":"All others","order":{"_count":"desc"},"size":10},"aggs":{"alerts":{"date_histogram":{"field":"@timestamp","fixed_interval":"81000000ms","min_doc_count":0,"extended_bounds":{"min":1579644343954,"max":1582236343955}}}}}},"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_all":{}}],"should":[],"must_not":[]}},{"range":{"@timestamp":{"gte":1579644343954,"lte":1582236343955}}}]}}}`, method: 'POST', signal: abortCtrl.signal, }); 
diff --git a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts index 0d4a88e5e472bb..aaff381aa3c9e8 100644 --- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts +++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/mock.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { HostIsolationResponse } from '../../../../../common/endpoint/types/actions'; import { AlertSearchResponse, AlertsIndex, Privilege, CasesFromAlertsResponse } from './types'; @@ -950,7 +950,7 @@ export const mockAlertsQuery: object = { aggs: { alertsByGrouping: { terms: { - field: ALERT_RULE_RISK_SCORE, + field: ALERT_RISK_SCORE, missing: 'All others', order: { _count: 'desc' }, size: 10, diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap index e3cf7fed14abdb..4b650271bdf4a7 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap +++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap 
@@ -86,92 +86,94 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + 
"kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -324,147 +326,149 @@ exports[`Details Panel Component DetailsPanel:EventDetails: rendering it should "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], - }, - }, - "source": Object { - "ip": Array [ - "192.168.0.1", - ], - "port": Array [ - 80, - ], - }, - "timestamp": "2018-11-05T19:03:25.937Z", - "user": Object { - "id": Array [ - "1", - ], - "name": Array [ - "john.dee", - ], - }, - }, - "eventId": "my-id", - "indexName": "my-index", - } - } - isAlert={false} - loading={true} - timelineId="test" - timelineTabType="query" - > - - - - - - - - - + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ 
+ "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, + }, + }, + "source": Object { + "ip": Array [ + "192.168.0.1", + ], + "port": Array [ + 80, + ], + }, + "timestamp": "2018-11-05T19:03:25.937Z", + "user": Object { + "id": Array [ + "1", + ], + "name": Array [ + "john.dee", + ], + }, + }, + "eventId": "my-id", + "indexName": "my-index", + } + } + isAlert={false} + loading={true} + timelineId="test" + timelineTabType="query" + > + + + + + + + + + 
@@ -626,122 +630,124 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], - }, - }, - "source": Object { - "ip": Array [ - "192.168.0.1", - ], - "port": Array [ - 80, - ], - }, - "timestamp": "2018-11-05T19:03:25.937Z", - "user": Object { - "id": Array [ - "1", - ], - "name": Array [ - "john.dee", - ], - }, - }, - "eventId": "my-id", - "indexName": "my-index", - } - } - handleOnEventClosed={[Function]} - isFlyoutView={true} - tabType="query" - timelineId="test" - > - +
- - - - - - - - - + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, + }, + }, + "source": Object { + "ip": Array [ + "192.168.0.1", + ], + "port": Array [ + 80, + ], + }, + "timestamp": "2018-11-05T19:03:25.937Z", + "user": Object { + "id": Array [ + "1", + ], + "name": Array [ + "john.dee", + ], + }, + }, + "eventId": "my-id", + "indexName": "my-index", + } + } + isAlert={false} + loading={true} + timelineId="test" + timelineTabType="flyout" + > + + + + + + + + + 
@@ -1097,92 +1105,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1275,92 +1285,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1485,92 +1497,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1700,92 +1714,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -1956,92 +1972,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { 
@@ -2134,92 +2152,94 @@ Array [ "apache", ], }, - "signal": Object { - "rule": Object { - "created_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "created_by": Array [ - "elastic", - ], - "description": Array [ - "24/7", - ], - "enabled": Array [ - true, - ], - "false_positives": Array [ - "test-1", - ], - "filters": Array [], - "from": Array [ - "now-300s", - ], - "id": Array [ - "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", - ], - "immutable": Array [ - false, - ], - "index": Array [ - "auditbeat-*", - ], - "interval": Array [ - "5m", - ], - "language": Array [ - "kuery", - ], - "max_signals": Array [ - 100, - ], - "note": Array [ - "# this is some markdown documentation", - ], - "output_index": Array [ - ".siem-signals-default", - ], - "query": Array [ - "user.name: root or user.name: admin", - ], - "references": Array [ - "www.test.co", - ], - "risk_score": Array [ - "21", - ], - "rule_id": Array [ - "rule-id-1", - ], - "saved_id": Array [ - "Garrett's IP", - ], - "severity": Array [ - "low", - ], - "tags": Array [], - "threat": Array [], - "timeline_id": Array [ - "1234-2136-11ea-9864-ebc8cc1cb8c2", - ], - "timeline_title": Array [ - "Untitled timeline", - ], - "to": Array [ - "now", - ], - "type": Array [ - "saved_query", - ], - "updated_at": Array [ - "2020-01-10T21:11:45.839Z", - ], - "updated_by": Array [ - "elastic", - ], - "version": Array [ - "1", - ], + "kibana": Object { + "alert": Object { + "rule": Object { + "created_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "created_by": Array [ + "elastic", + ], + "description": Array [ + "24/7", + ], + "enabled": Array [ + true, + ], + "false_positives": Array [ + "test-1", + ], + "filters": Array [], + "from": Array [ + "now-300s", + ], + "id": Array [ + "b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea", + ], + "immutable": Array [ + false, + ], + "index": Array [ + "auditbeat-*", + ], + "interval": Array [ + "5m", + ], + "language": Array [ + "kuery", + ], + "max_signals": Array [ + 100, + ], + "note": Array [ + "# 
this is some markdown documentation", + ], + "output_index": Array [ + ".siem-signals-default", + ], + "query": Array [ + "user.name: root or user.name: admin", + ], + "references": Array [ + "www.test.co", + ], + "risk_score": Array [ + "21", + ], + "rule_id": Array [ + "rule-id-1", + ], + "saved_id": Array [ + "Garrett's IP", + ], + "severity": Array [ + "low", + ], + "tags": Array [], + "threat": Array [], + "timeline_id": Array [ + "1234-2136-11ea-9864-ebc8cc1cb8c2", + ], + "timeline_title": Array [ + "Untitled timeline", + ], + "to": Array [ + "now", + ], + "type": Array [ + "saved_query", + ], + "updated_at": Array [ + "2020-01-10T21:11:45.839Z", + ], + "updated_by": Array [ + "elastic", + ], + "version": Array [ + "1", + ], + }, }, }, "source": Object { diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx index add2cdc6c1b252..d0366affa9a2fd 100644 --- a/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx +++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.test.tsx @@ -9,7 +9,7 @@ import { mount } from 'enzyme'; import { cloneDeep } from 'lodash/fp'; import React from 'react'; -import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils'; +import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils'; import { columnRenderers } from '../body/renderers'; import { getColumnRenderer } from '../body/renderers/get_column_renderer'; import { DragDropContextWrapper } from '../../../../common/components/drag_and_drop/drag_drop_context_wrapper'; 
@@ -27,7 +27,7 @@ const mockImplementation = {
 };
 describe('DefaultCellRenderer', () => {
- const columnId = ALERT_RULE_RISK_SCORE;
+ const columnId = ALERT_RISK_SCORE;
 const eventId = '_id-123';
 const isDetails = true;
 const isExpandable = true;
diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
index 7f3033ec4b14ed..e7bbe86f90d37a 100644
--- a/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/components/host_rules_table/columns.tsx
@@ -6,7 +6,7 @@
 */
 import React from 'react';
-import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import {
 DragEffects,
 DraggableWrapper,
@@ -110,7 +110,7 @@ export const getHostRulesColumns = (): HostRulesColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
index 10178389370f4d..eeba41c04cf53b 100644
--- a/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
+++ b/x-pack/plugins/security_solution/public/ueba/components/host_tactics_table/columns.tsx
@@ -6,7 +6,7 @@
 */
 import React from 'react';
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import {
 DragEffects,
 DraggableWrapper,
@@ -122,7 +122,7 @@ export const getHostTacticsColumns = (): HostTacticsColumns => [
 name: `${riskScore}`,
 kqlQuery: '',
 queryMatch: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 value: riskScore,
 operator: IS_OPERATOR,
 },
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
index c1db4b3f730d72..8391d490162dfa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json
@@ -27,7 +27,6 @@
 "signal.original_event.type": "kibana.alert.original_event.type",
 "signal.original_time": "kibana.alert.original_time",
 "signal.reason": "kibana.alert.reason",
- "signal.risk_score": "kibana.alert.risk_score",
 "signal.rule.author": "kibana.alert.rule.author",
 "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
 "signal.rule.created_at": "kibana.alert.rule.created_at",
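Review bot: Dropping `"signal.risk_score": "kibana.alert.risk_score"` here (and `"signal.severity": "kibana.alert.severity"` in the `@@ -86,7 +85,6 @@` hunk) leaves the legacy per-alert keys with no AAD target, while the `@@ -47,14 +46,14 @@` hunk re-points the rule-level `signal.rule.risk_score` / `signal.rule.severity` at those same alert-level targets. This file also lists `signal.rule.risk_score_mapping.*` and `signal.rule.severity_mapping.*`, which suggests the legacy `signal.risk_score` / `signal.severity` could differ from the rule defaults when an override applied, so a translation of a legacy `signal.risk_score` lookup now falls through unmapped and a reverse lookup of `kibana.alert.risk_score` presumably yields the rule default rather than the alert's effective value. Unless every remaining consumer of this map only ever sees rule-level fields, keep the two removed entries alongside the new ones, e.g. `"signal.risk_score": "kibana.alert.risk_score",` next to `"signal.rule.risk_score": "kibana.alert.risk_score",`; JSON has no comment syntax, so the reason for collapsing the two keys onto one target should be recorded where this map is consumed.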
@@ -47,14 +46,14 @@
 "signal.rule.note": "kibana.alert.rule.note",
 "signal.rule.query": "kibana.alert.rule.query",
 "signal.rule.references": "kibana.alert.rule.references",
- "signal.rule.risk_score": "kibana.alert.rule.risk_score",
+ "signal.rule.risk_score": "kibana.alert.risk_score",
 "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
 "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
 "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
 "signal.rule.rule_id": "kibana.alert.rule.rule_id",
 "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
 "signal.rule.saved_id": "kibana.alert.rule.saved_id",
- "signal.rule.severity": "kibana.alert.rule.severity",
+ "signal.rule.severity": "kibana.alert.severity",
 "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
 "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
 "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
@@ -86,7 +85,6 @@
 "signal.rule.updated_at": "kibana.alert.rule.updated_at",
 "signal.rule.updated_by": "kibana.alert.rule.updated_by",
 "signal.rule.version": "kibana.alert.rule.version",
- "signal.severity": "kibana.alert.severity",
 "signal.status": "kibana.alert.workflow_status",
 "signal.threshold_result.from": "kibana.alert.threshold_result.from",
 "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
index e9fa0acda988d0..0b70d7bc06d0a0 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_rules/query.host_rules.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { Direction, HostRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -40,7 +40,7 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
@@ -53,7 +53,7 @@ export const buildHostRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
index 270ac257807497..1f689dfdae2554 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/host_tactics/query.host_tactics.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_RISK_SCORE } from '@kbn/rule-data-utils';
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import {
 ALERT_RULE_THREAT_TACTIC_NAME,
@@ -44,7 +44,7 @@ export const buildHostTacticsQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 tactic: {
@@ -59,7 +59,7 @@ export const buildHostTacticsQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 },
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
index 62da0a7c6ec269..2f52f052889d9b 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/ueba/user_rules/query.user_rules.dsl.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ALERT_RULE_NAME, ALERT_RULE_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAME, ALERT_RISK_SCORE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import { isEmpty } from 'lodash/fp';
 import { Direction, UserRulesRequestOptions } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
@@ -49,7 +49,7 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_name: {
@@ -62,7 +62,7 @@ export const buildUserRulesQuery = ({
 aggs: {
 risk_score: {
 sum: {
- field: ALERT_RULE_RISK_SCORE,
+ field: ALERT_RISK_SCORE,
 },
 },
 rule_type: {
diff --git a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
index 130e0ae1abd6a0..e13d34b71d89d5 100644
--- a/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
+++ b/x-pack/plugins/timelines/common/ecs/ecs_fields/index.ts
@@ -10,11 +10,11 @@ import {
 ALERT_RULE_FROM,
 ALERT_RULE_TO,
 ALERT_RULE_RULE_ID,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_DESCRIPTION,
 ALERT_RULE_NAME,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_TAGS,
 ALERT_RULE_TYPE,
 ALERT_RULE_ENABLED,
@@ -344,12 +344,12 @@ export const alertFieldsMap: Readonly> = {
 [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID,
 [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES,
 [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS,
- [ALERT_RULE_RISK_SCORE]: ALERT_RULE_RISK_SCORE,
+ [ALERT_RISK_SCORE]: ALERT_RISK_SCORE,
 [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION,
 [ALERT_RULE_NAME]: ALERT_RULE_NAME,
 [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE,
 [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES,
- [ALERT_RULE_SEVERITY]: ALERT_RULE_SEVERITY,
+ [ALERT_SEVERITY]: ALERT_SEVERITY,
 [ALERT_RULE_TAGS]: ALERT_RULE_TAGS,
 [ALERT_RULE_THREAT]: ALERT_RULE_THREAT,
 [ALERT_RULE_TYPE]: ALERT_RULE_TYPE,
diff --git a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
index dc949861b41284..c937c803750b5e 100644
--- a/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/body/helpers.tsx
@@ -16,9 +16,9 @@ import {
 ALERT_RULE_NAME,
 ALERT_RULE_NOTE,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_RULE_ID,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_TAGS,
 ALERT_RULE_TO,
 ALERT_RULE_TYPE,
@@ -228,10 +228,10 @@ export const allowSorting = ({
 ALERT_RULE_NOTE,
 ALERT_RULE_QUERY,
 ALERT_RULE_REFERENCES,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_RULE_RULE_ID,
 ALERT_RULE_SAVED_ID,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_SIZE,
 ALERT_RULE_TAGS,
 ALERT_RULE_THREAT,
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
index 73435cf9b3199c..6f1cae70f950e1 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/constants.ts
@@ -12,8 +12,8 @@ import {
 ALERT_RULE_UUID,
 ALERT_RULE_TYPE,
 ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_RISK_SCORE,
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
 ALERT_RULE_NOTE,
 ALERT_REASON,
 ALERT_WORKFLOW_STATUS,
@@ -87,8 +87,8 @@ export const TIMELINE_EVENTS_FIELDS = [
 ALERT_ORIGINAL_EVENT_KIND,
 ALERT_ORIGINAL_EVENT_MODULE,
 ALERT_RULE_VERSION,
- ALERT_RULE_SEVERITY,
- ALERT_RULE_RISK_SCORE,
+ ALERT_SEVERITY,
+ ALERT_RISK_SCORE,
 ALERT_THRESHOLD_RESULT,
 ALERT_WORKFLOW_STATUS,
 'event.code',
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
index 0e1123512eb365..f1d0ece6f81768 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/helpers.test.ts
@@ -9,9 +9,9 @@ import {
 ALERT_RULE_FROM,
 ALERT_RULE_TYPE,
 ALERT_RULE_UUID,
- ALERT_RULE_RISK_SCORE,
+ ALERT_RISK_SCORE,
 ALERT_WORKFLOW_STATUS,
- ALERT_RULE_SEVERITY,
+ ALERT_SEVERITY,
 ALERT_RULE_VERSION,
 ALERT_RULE_NAME,
 ALERT_RULE_TO,
@@ -287,11 +287,11 @@ describe('#formatTimelineData', () => {
 [ALERT_RULE_QUERY]: ['_id :*'],
 [ALERT_RULE_TYPE]: ['threshold'],
 [ALERT_RULE_UUID]: ['696c24e0-526d-11eb-836c-e1620268b945'],
- [ALERT_RULE_RISK_SCORE]: [21],
+ [ALERT_RISK_SCORE]: [21],
 [ALERT_WORKFLOW_STATUS]: ['open'],
 'event.kind': ['signal'],
 [ALERT_ORIGINAL_TIME]: ['2021-01-09T13:39:32.595Z'],
- [ALERT_RULE_SEVERITY]: ['low'],
+ [ALERT_SEVERITY]: ['low'],
 [ALERT_RULE_VERSION]: ['1'],
 [ALERT_RULE_INDEX]: [
 'apm-*-transaction*',
@@ -341,7 +349,9 @@ describe('#formatTimelineData', () => {
 kibana: {
 alert: {
 original_time: ['2021-01-09T13:39:32.595Z'],
+ risk_score: ['21'],
 workflow_status: ['open'],
+ severity: ['low'],
 threshold_result: ['{"count":10000,"value":"2a990c11-f61b-4c8e-b210-da2574e9f9db"}'],
 rule: {
 building_block_type: [],
@@ -360,9 +362,7 @@ describe('#formatTimelineData', () => {
 ],
 language: ['kuery'],
 name: ['Threshold test'],
- risk_score: ['21'],
 query: ['_id :*'],
- severity: ['low'],
 to: ['now'],
 type: ['threshold'],
 version: ['1'],