Moved related.entity to security's alerts only

Author: kfirpeled

src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts

@@ -10,16 +10,15 @@
 import {
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
+  ALERT_CONSECUTIVE_MATCHES,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
@@ -46,14 +45,14 @@ import {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
+  SPACE_IDS,
+  TIMESTAMP,
+  VERSION,
   EVENT_ACTION,
   EVENT_KIND,
   EVENT_ORIGINAL,
-  RELATED_ENTITY,
-  SPACE_IDS,
   TAGS,
-  TIMESTAMP,
-  VERSION,
+  ALERT_INTENDED_TIMESTAMP,
 } from '@kbn/rule-data-utils';
 import type { MultiField } from './types';
 
@@ -277,11 +276,6 @@ export const alertFieldMap = {
     required: false,
     ignore_above: 1024,
   },
-  [RELATED_ENTITY]: {
-    type: 'keyword',
-    array: true,
-    required: false,
-  },
   [SPACE_IDS]: {
     type: 'keyword',
     array: true,

src/platform/packages/shared/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -10,7 +10,6 @@
 import type { ValuesType } from 'utility-types';
 
 const TIMESTAMP = '@timestamp' as const;
-const RELATED_ENTITY = 'related.entity';
 
 // namespaces
 const KIBANA_NAMESPACE = 'kibana' as const;
@@ -147,22 +146,22 @@ const namespaces = {
 export const fields = {
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_CONSECUTIVE_MATCHES,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_TYPE,
+  ALERT_INTENDED_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -183,7 +182,6 @@ export const fields = {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
-  RELATED_ENTITY,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -198,22 +196,22 @@ export {
   // fields
   ALERT_ACTION_GROUP,
   ALERT_CASE_IDS,
-  ALERT_CONSECUTIVE_MATCHES,
   ALERT_DURATION,
   ALERT_END,
-  ALERT_FLAPPING_HISTORY,
   ALERT_FLAPPING,
-  ALERT_INSTANCE_ID,
-  ALERT_INTENDED_TIMESTAMP,
-  ALERT_LAST_DETECTED,
+  ALERT_FLAPPING_HISTORY,
   ALERT_MAINTENANCE_WINDOW_IDS,
+  ALERT_CONSECUTIVE_MATCHES,
   ALERT_PENDING_RECOVERED_COUNT,
+  ALERT_INSTANCE_ID,
+  ALERT_LAST_DETECTED,
   ALERT_PREVIOUS_ACTION_GROUP,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_EXECUTION_TIMESTAMP,
   ALERT_RULE_EXECUTION_TYPE,
+  ALERT_INTENDED_TIMESTAMP,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
@@ -234,7 +232,6 @@ export {
   ALERT_WORKFLOW_ASSIGNEE_IDS,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
-  RELATED_ENTITY,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,

x-pack/platform/plugins/shared/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts

@@ -368,13 +368,6 @@ describe('mappingFromFieldMap', () => {
             },
           },
         },
-        related: {
-          properties: {
-            entity: {
-              type: 'keyword',
-            },
-          },
-        },
         tags: {
           type: 'keyword',
         },

x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/alert_as_data_fields.test.ts.snap

@@ -391,11 +391,6 @@ it('matches snapshot', () => {
         "required": false,
         "type": "version",
       },
-      "related.entity": Object {
-        "array": true,
-        "required": false,
-        "type": "keyword",
-      },
       "tags": Object {
         "array": true,
         "required": false,

x-pack/platform/plugins/shared/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts

@@ -69,9 +69,9 @@ export default function createAlertsAsDataDynamicTemplatesTest({ getService }: F
         const numberOfExistingFields = Object.keys(existingFields).length;
         // there is no way to get the real number of fields from ES.
         // Eventhough we have only as many as alertFieldMap fields,
-        // ES counts each child of the nested objects and multi_fields as separate fields.
-        // therefore we add 12 to get the real number.
-        const nestedObjectsAndMultiFields = 12;
+        // ES counts the each childs of the nested objects and multi_fields as seperate fields.
+        // therefore we add 11 to get the real number.
+        const nestedObjectsAndMultiFields = 11;
         // Number of free slots that we want to have, so we can add dynamic fields as many
         const numberofFreeSlots = 2;
         const totalFields =

x-pack/platform/test/alerting_api_integration/spaces_only/tests/alerting/group4/alerts_as_data/alerts_as_data_dynamic_templates.ts

@@ -0,0 +1,134 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { Logger, IScopedClusterClient } from '@kbn/core/server';
+import {
+  DOCUMENT_TYPE_ALERT,
+  DOCUMENT_TYPE_EVENT,
+} from '@kbn/cloud-security-posture-common/types/graph/v1';
+import type { EsqlToRecords } from '@elastic/elasticsearch/lib/helpers';
+import type { EsQuery, GraphEdge, OriginEventId } from './types';
+
+export const fetchGraph = async ({
+  esClient,
+  logger,
+  start,
+  end,
+  originEventIds,
+  showUnknownTarget,
+  esQuery,
+}: {
+  esClient: IScopedClusterClient;
+  logger: Logger;
+  start: string | number;
+  end: string | number;
+  originEventIds: OriginEventId[];
+  showUnknownTarget: boolean;
+  esQuery?: EsQuery;
+}): Promise<EsqlToRecords<GraphEdge>> => {
+  const originAlertIds = originEventIds.filter((originEventId) => originEventId.isAlert);
+  const query = `FROM logs-* METADATA _id, _index
+| WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
+// Origin event and alerts allow us to identify the start position of graph traversal
+| EVAL isOrigin = ${
+    originEventIds.length > 0
+      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
+      : 'false'
+  }
+| EVAL isOriginAlert = isOrigin AND ${
+    originAlertIds.length > 0
+      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
+      : 'false'
+  }
+// Aggregate document's data for popover expansion and metadata enhancements
+// We format it as JSON string, the best alternative so far. Tried to use tuple using MV_APPEND
+// but it flattens the data and we lose the structure
+| EVAL docType = CASE (_index LIKE "*.alerts-security.alerts-*", "${DOCUMENT_TYPE_ALERT}", "${DOCUMENT_TYPE_EVENT}")
+| EVAL docData = CONCAT("{",
+    "\\"id\\":\\"", _id, "\\"",
+    ",\\"type\\":\\"", docType, "\\"",
+    ",\\"index\\":\\"", _index, "\\"",
+  "}")
+| STATS badge = COUNT(*),
+  docs = VALUES(docData),
+  ips = VALUES(related.ip),
+  // hosts = VALUES(related.hosts),
+  users = VALUES(related.user)
+    BY actorIds = actor.entity.id,
+      action = event.action,
+      targetIds = target.entity.id,
+      isOrigin,
+      isOriginAlert
+| LIMIT 1000
+| SORT isOrigin DESC, action`;
+
+  logger.trace(`Executing query [${query}]`);
+
+  const eventIds = originEventIds.map((originEventId) => originEventId.id);
+  return await esClient.asCurrentUser.helpers
+    .esql({
+      columnar: false,
+      filter: buildDslFilter(eventIds, showUnknownTarget, start, end, esQuery),
+      query,
+      // @ts-ignore - types are not up to date
+      params: [
+        ...originEventIds.map((originEventId, idx) => ({ [`og_id${idx}`]: originEventId.id })),
+        ...originEventIds
+          .filter((originEventId) => originEventId.isAlert)
+          .map((originEventId, idx) => ({ [`og_alrt_id${idx}`]: originEventId.id })),
+      ],
+    })
+    .toRecords<GraphEdge>();
+};
+
+const buildDslFilter = (
+  eventIds: string[],
+  showUnknownTarget: boolean,
+  start: string | number,
+  end: string | number,
+  esQuery?: EsQuery
+) => ({
+  bool: {
+    filter: [
+      {
+        range: {
+          '@timestamp': {
+            gte: start,
+            lte: end,
+          },
+        },
+      },
+      ...(showUnknownTarget
+        ? []
+        : [
+            {
+              exists: {
+                field: 'target.entity.id',
+              },
+            },
+          ]),
+      {
+        bool: {
+          should: [
+            ...(esQuery?.bool.filter?.length ||
+            esQuery?.bool.must?.length ||
+            esQuery?.bool.should?.length ||
+            esQuery?.bool.must_not?.length
+              ? [esQuery]
+              : []),
+            {
+              terms: {
+                'event.id': eventIds,
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+    ],
+  },
+});