From fabefb778d5c176157fd7a1626bbe8247f1c512d Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Mon, 28 Jun 2021 18:10:33 -0500
Subject: [PATCH] Extract the concept of "enrichment identifiers"

This was already partially codified with 'buildEnrichmentId,' which is used to dedup enrichments; this extends the idea to all fields that could uniquely identify a given indicator.
---
 .../security_solution/cti/index.ts | 8 +++++++
 .../event_details/cti_details/helpers.tsx | 17 ++++++++++++---
 .../cti_details/threat_details_view.tsx | 21 ++++--------------
 .../cti_details/threat_summary_view.tsx | 13 ++---------
 4 files changed, 28 insertions(+), 31 deletions(-)

diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.ts
index da6f4abef7109..69a6841c7c14f 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/cti/index.ts
@@ -21,6 +21,14 @@ export interface CtiEventEnrichmentRequestOptions extends RequestBasicOptions {
 export type CtiEnrichment = Record;
 export type EventFields = Record;
 
+export interface CtiEnrichmentIdentifiers {
+  id: string | undefined;
+  field: string | undefined;
+  value: string | undefined;
+  type: string | undefined;
+  provider: string | undefined;
+}
+
 export interface CtiEventEnrichmentStrategyResponse extends IEsSearchResponse {
   enrichments: CtiEnrichment[];
   inspect: Inspect;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx
index 91674852aabe8..b048bb076e2d3 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx
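Review bot: `CtiEnrichmentIdentifiers` is exported without a doc comment, so a reader has to open helpers.tsx and find `getEnrichmentIdentifiers` to learn what the five fields mean and why each is `string | undefined`. The intent given in the commit message (the set of fields that together identify a matched indicator) belongs on the type itself: a TSDoc block stating that `id` and `field` are the matched-indicator keys that `buildEnrichmentId` concatenates for deduplication, that `value` and `type` are the matched atomic and indicator type, that `provider` is the indicator's provider, and that any field is `undefined` when the enrichment document does not carry it. Keeping the members required-but-`undefined` rather than optional (`id?: string`) looks deliberate, since it forces every producer to populate all five; a one-line comment saying so would stop a later "simplification" to optional members.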
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/helpers.tsx
@@ -12,13 +12,16 @@ import {
 } from '../../../../../common/constants';
 import {
   ENRICHMENT_TYPES,
+  MATCHED_ATOMIC,
   MATCHED_FIELD,
   MATCHED_ID,
   MATCHED_TYPE,
+  PROVIDER,
 } from '../../../../../common/cti/constants';
 import { TimelineEventsDetailsItem } from '../../../../../common/search_strategy';
 import {
   CtiEnrichment,
+  CtiEnrichmentIdentifiers,
   EventFields,
   isValidEventField,
 } from '../../../../../common/search_strategy/security_solution/cti';
@@ -74,11 +77,19 @@ export const getShimmedIndicatorValue = (enrichment: CtiEnrichment, field: strin
   getEnrichmentValue(enrichment, field) ||
   getEnrichmentValue(enrichment, `${DEFAULT_INDICATOR_SOURCE_PATH}.${field}`);
 
+export const getEnrichmentIdentifiers = (enrichment: CtiEnrichment): CtiEnrichmentIdentifiers => ({
+  id: getEnrichmentValue(enrichment, MATCHED_ID),
+  field: getEnrichmentValue(enrichment, MATCHED_FIELD),
+  value: getEnrichmentValue(enrichment, MATCHED_ATOMIC),
+  type: getEnrichmentValue(enrichment, MATCHED_TYPE),
+  provider: getShimmedIndicatorValue(enrichment, PROVIDER),
+});
+
 const buildEnrichmentId = (enrichment: CtiEnrichment): string => {
-  const matchedId = getEnrichmentValue(enrichment, MATCHED_ID);
-  const matchedField = getEnrichmentValue(enrichment, MATCHED_FIELD);
-  return `${matchedId}${matchedField}`;
+  const { id, field } = getEnrichmentIdentifiers(enrichment);
+  return `${id}${field}`;
 };
+
 /**
  * This function receives an array of enrichments and removes
  * investigation-time enrichments if that exact indicator already exists
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.tsx
index 47bf182ec2160..d5e985c5757a6 100644
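Review bot: `buildEnrichmentId` still builds the dedup key as `${id}${field}` with no separator, and because both members are `string | undefined` an absent value stringifies to the literal text `undefined`, so two enrichments that lack these fields, or whose id/field boundary merely shifts, produce the same key. If that key is used the way the doc comment that follows describes (dropping an investigation-time enrichment when "that exact indicator already exists"), a collision silently hides an enrichment from the threat view, which is a correctness and visibility problem rather than a cosmetic one. Since the commit already rewrites these two lines, making the key unambiguous costs nothing, e.g. `return JSON.stringify([id, field]);`, assuming the key is only ever compared with other keys from this same helper. `getEnrichmentIdentifiers` is also a new export with no TSDoc; a short comment noting that the four matched-indicator fields are read directly with `getEnrichmentValue` while `provider` goes through `getShimmedIndicatorValue` (and so is also looked up under `DEFAULT_INDICATOR_SOURCE_PATH`) would explain that asymmetry to the next reader. The dedup function that consumes `buildEnrichmentId` continues outside this hunk.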
--- a/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/cti_details/threat_details_view.tsx
@@ -21,23 +21,14 @@ import React, { Fragment } from 'react';
 import { StyledEuiInMemoryTable } from '../summary_view';
 import { getSummaryColumns, SummaryRow, ThreatDetailsRow } from '../helpers';
 import { EmptyThreatDetailsView } from './empty_threat_details_view';
-import {
-  FIRSTSEEN,
-  EVENT_URL,
-  EVENT_REFERENCE,
-  MATCHED_ID,
-  MATCHED_FIELD,
-  MATCHED_ATOMIC,
-  MATCHED_TYPE,
-  PROVIDER,
-} from '../../../../../common/cti/constants';
+import { FIRSTSEEN, EVENT_URL, EVENT_REFERENCE } from '../../../../../common/cti/constants';
 import { DEFAULT_INDICATOR_SOURCE_PATH } from '../../../../../common/constants';
 import { getFirstElement } from '../../../../../common/utils/data_retrieval';
 import { CtiEnrichment } from '../../../../../common/search_strategy/security_solution/cti';
 import {
   getShimmedIndicatorValue,
-  getEnrichmentValue,
   isInvestigationTimeEnrichment,
+  getEnrichmentIdentifiers,
 } from './helpers';
 import * as i18n from './translations';
 import { EnrichmentIcon } from './enrichment_icon';
@@ -150,14 +141,10 @@ const ThreatDetailsViewComponent: React.FC<{ <> {sortedEnrichments.map((enrichment, index) => { - const key = getEnrichmentValue(enrichment, MATCHED_ID); - const field = getEnrichmentValue(enrichment, MATCHED_FIELD); - const value = getEnrichmentValue(enrichment, MATCHED_ATOMIC); - const type = getEnrichmentValue(enrichment, MATCHED_TYPE); - const provider = getShimmedIndicatorValue(enrichment, PROVIDER); + const { id, field, provider, type, value } = getEnrichmentIdentifiers(enrichment); return ( - + { return enrichments.map((enrichment, index) => { - const field = getEnrichmentValue(enrichment, MATCHED_FIELD); - const value = getEnrichmentValue(enrichment, MATCHED_ATOMIC); - const type = getEnrichmentValue(enrichment, MATCHED_TYPE); - const provider = getShimmedIndicatorValue(enrichment, PROVIDER); + const { field, type, value, provider } = getEnrichmentIdentifiers(enrichment); return { title: {