[8.x] [SecuritySolution] List Entities UI (#193167) (#194302)

# Backport This will backport the following commits from `main` to `8.x`: - [[SecuritySolution] List Entities UI (#193167)](#193167)  ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) \r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"eea06c0d64d2424601552bd905b2b020ba4dcd56","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","release_note:feature","backport:prev-minor","Theme: entity_analytics","Feature:Entity Analytics","Team:Entity Analytics"],"title":"[SecuritySolution] List Entities UI","number":193167,"url":"https://github.com/elastic/kibana/pull/193167","mergeCommit":{"message":"[SecuritySolution] List Entities UI (#193167)\n\nThis PR creates a UI component to list entities inside the Entity Store.\r\n\r\n### What is included\r\n - Create `EntitiesList` component\r\n - Duplicate `MultiselectFilter` component\r\n - Display `EntitiesList` in the entity analytics dashboard\r\n - Use the `entityStoreEnabled` experimental flag \r\n \r\n### What is NOT included\r\n - Asset criticality\r\n - Source field\r\n - Risk score fields\r\n\r\n\r\n![Screenshot 2024-09-20 at 15 27\r\n23](https://github.com/user-attachments/assets/87295c76-a7d4-4303-b1ea-46d644bf21f4)\r\n\r\n\r\n\r\n### How to test\r\n\r\n1. Add some host/user data\r\n* Easiest is to use\r\n[elastic/security-data-generator](https://github.com/elastic/security-documents-generator)\r\n2. Make sure to add `entityStoreEnabled` under\r\n`xpack.securitySolution.enableExperimental` in your `kibana.dev.yml`\r\n3. In kibana dev tools or your terminal, call the `INIT` route for\r\neither `user` or `host`.\r\n4. You should now see 2 transforms in kibana. Make sure to re-trigger\r\nthem if needed so they process the documents.\r\n5. Enable the experimental flag `entityStoreEnabled`\r\n6. Go to entity analytics dashboard and you should see an populated\r\nentities page\r\n\r\n\r\nImplements https://github.com/elastic/security-team/issues/10536\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"eea06c0d64d2424601552bd905b2b020ba4dcd56"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193167","number":193167,"mergeCommit":{"message":"[SecuritySolution] List Entities UI (#193167)\n\nThis PR creates a UI component to list entities inside the Entity Store.\r\n\r\n### What is included\r\n - Create `EntitiesList` component\r\n - Duplicate `MultiselectFilter` component\r\n - Display `EntitiesList` in the entity analytics dashboard\r\n - Use the `entityStoreEnabled` experimental flag \r\n \r\n### What is NOT included\r\n - Asset criticality\r\n - Source field\r\n - Risk score fields\r\n\r\n\r\n![Screenshot 2024-09-20 at 15 27\r\n23](https://github.com/user-attachments/assets/87295c76-a7d4-4303-b1ea-46d644bf21f4)\r\n\r\n\r\n\r\n### How to test\r\n\r\n1. Add some host/user data\r\n* Easiest is to use\r\n[elastic/security-data-generator](https://github.com/elastic/security-documents-generator)\r\n2. Make sure to add `entityStoreEnabled` under\r\n`xpack.securitySolution.enableExperimental` in your `kibana.dev.yml`\r\n3. In kibana dev tools or your terminal, call the `INIT` route for\r\neither `user` or `host`.\r\n4. You should now see 2 transforms in kibana. Make sure to re-trigger\r\nthem if needed so they process the documents.\r\n5. Enable the experimental flag `entityStoreEnabled`\r\n6. Go to entity analytics dashboard and you should see an populated\r\nentities page\r\n\r\n\r\nImplements https://github.com/elastic/security-team/issues/10536\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n\r\n\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"eea06c0d64d2424601552bd905b2b020ba4dcd56"}}]}] BACKPORT--> Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
elastic · Sep 27, 2024 · 7a872dc · 7a872dc
1 parent 71fa6d7
commit 7a872dc
Show file tree

Hide file tree

Showing 43 changed files with 1,867 additions and 256 deletions.
diff --git a/oas_docs/output/kibana.serverless.staging.yaml b/oas_docs/output/kibana.serverless.staging.yaml
@@ -29716,6 +29716,96 @@ components:
       oneOf:
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity'
         - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity'
+    Security_Entity_Analytics_API_EntityRiskLevels:
+      enum:
+        - Unknown
+        - Low
+        - Moderate
+        - High
+        - Critical
+      type: string
+    Security_Entity_Analytics_API_EntityRiskScoreRecord:
+      type: object
+      properties:
+        '@timestamp':
+          description: The time at which the risk score was calculated.
+          example: '2017-07-21T17:32:28Z'
+          format: date-time
+          type: string
+        calculated_level:
+          $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
+          description: Lexical description of the entity's risk.
+          example: Critical
+        calculated_score:
+          description: The raw numeric value of the given entity's risk score.
+          format: double
+          type: number
+        calculated_score_norm:
+          description: >-
+            The normalized numeric value of the given entity's risk score.
+            Useful for comparing with other entities.
+          format: double
+          maximum: 100
+          minimum: 0
+          type: number
+        category_1_count:
+          description: >-
+            The number of risk input documents that contributed to the Category
+            1 score (`category_1_score`).
+          format: integer
+          type: number
+        category_1_score:
+          description: >-
+            The contribution of Category 1 to the overall risk score
+            (`calculated_score`). Category 1 contains Detection Engine Alerts.
+          format: double
+          type: number
+        category_2_count:
+          format: integer
+          type: number
+        category_2_score:
+          format: double
+          type: number
+        criticality_level:
+          $ref: >-
+            #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
+        criticality_modifier:
+          format: double
+          type: number
+        id_field:
+          description: >-
+            The identifier field defining this risk score. Coupled with
+            `id_value`, uniquely identifies the entity being scored.
+          example: host.name
+          type: string
+        id_value:
+          description: >-
+            The identifier value defining this risk score. Coupled with
+            `id_field`, uniquely identifies the entity being scored.
+          example: example.host
+          type: string
+        inputs:
+          description: >-
+            A list of the highest-risk documents contributing to this risk
+            score. Useful for investigative purposes.
+          items:
+            $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
+          type: array
+        notes:
+          items:
+            type: string
+          type: array
+      required:
+        - '@timestamp'
+        - id_field
+        - id_value
+        - calculated_level
+        - calculated_score
+        - calculated_score_norm
+        - category_1_score
+        - category_1_count
+        - inputs
+        - notes
     Security_Entity_Analytics_API_EntityType:
       enum:
         - user
@@ -29724,6 +29814,14 @@ components:
     Security_Entity_Analytics_API_HostEntity:
       type: object
       properties:
+        asset:
+          type: object
+          properties:
+            criticality:
+              $ref: >-
+                #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
+          required:
+            - criticality
         entity:
           type: object
           properties:
@@ -29747,6 +29845,8 @@ components:
               type: string
             schemaVersion:
               type: string
+            source:
+              type: string
             type:
               enum:
                 - node
@@ -29790,6 +29890,9 @@ components:
               type: array
             name:
               type: string
+            risk:
+              $ref: >-
+                #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord
             type:
               items:
                 type: string
@@ -29832,6 +29935,44 @@ components:
       properties:
         success:
           type: boolean
+    Security_Entity_Analytics_API_RiskScoreInput:
+      description: A generic representation of a document contributing to a Risk Score.
+      type: object
+      properties:
+        category:
+          description: The risk category of the risk input document.
+          example: category_1
+          type: string
+        contribution_score:
+          format: double
+          type: number
+        description:
+          description: A human-readable description of the risk input document.
+          example: 'Generated from Detection Engine Rule: Malware Prevention Alert'
+          type: string
+        id:
+          description: The unique identifier (`_id`) of the original source document
+          example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c
+          type: string
+        index:
+          description: The unique index (`_index`) of the original source document
+          example: .internal.alerts-security.alerts-default-000001
+          type: string
+        risk_score:
+          description: The weighted risk score of the risk input document.
+          format: double
+          maximum: 100
+          minimum: 0
+          type: number
+        timestamp:
+          description: The @timestamp of the risk input document.
+          example: '2017-07-21T17:32:28Z'
+          type: string
+      required:
+        - id
+        - index
+        - description
+        - category
     Security_Entity_Analytics_API_TaskManagerUnavailableResponse:
       description: Task manager is unavailable
       type: object
@@ -29847,6 +29988,14 @@ components:
     Security_Entity_Analytics_API_UserEntity:
       type: object
       properties:
+        asset:
+          type: object
+          properties:
+            criticality:
+              $ref: >-
+                #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel
+          required:
+            - criticality
         entity:
           type: object
           properties:
@@ -29870,6 +30019,8 @@ components:
               type: string
             schemaVersion:
               type: string
+            source:
+              type: string
             type:
               enum:
                 - node
@@ -29884,6 +30035,7 @@ components:
             - type
             - firstSeenTimestamp
             - definitionId
+            - source
         user:
           type: object
           properties:
@@ -29909,6 +30061,9 @@ components:
               type: array
             name:
               type: string
+            risk:
+              $ref: >-
+                #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord
             roles:
               items:
                 type: string