[Security Solution][RAC] - Update UI signal references

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts

@@ -49,6 +49,11 @@ export const technicalRuleFieldMap = {
     array: false,
     required: false,
   },
+  [Fields.ALERT_RISK_SCORE]: {
+    type: 'float',
+    array: false,
+    required: false,
+  },
   [Fields.ALERT_WORKFLOW_STATUS]: {
     type: 'keyword',
     array: false,

x-pack/plugins/security_solution/common/constants.ts

@@ -8,6 +8,7 @@
 import type { TransformConfigSchema } from './transforms/types';
 import { ENABLE_CASE_CONNECTOR } from '../../cases/common';
 import { metadataTransformPattern } from './endpoint/constants';
+import { ALERT_RULE_THREAT_TACTIC_NAME } from '../../timelines/common/alerts';
 
 export const APP_ID = 'securitySolution';
 export const SERVER_APP_ID = 'siem';
@@ -299,7 +300,7 @@ export const showAllOthersBucket: string[] = [
   'event.category',
   'event.dataset',
   'event.module',
-  'signal.rule.threat.tactic.name',
+  ALERT_RULE_THREAT_TACTIC_NAME,
   'source.ip',
   'destination.ip',
   'user.name',

x-pack/plugins/security_solution/common/ecs/ecs_fields/index.ts

@@ -5,6 +5,43 @@
  * 2.0.
  */
 
+import {
+  ALERT_RULE_CREATED_AT,
+  ALERT_RULE_CREATED_BY,
+  ALERT_RULE_DESCRIPTION,
+  ALERT_RULE_ENABLED,
+  ALERT_RULE_FROM,
+  ALERT_RULE_UUID,
+  ALERT_RULE_NAME,
+  ALERT_RULE_NOTE,
+  ALERT_RULE_REFERENCES,
+  ALERT_RULE_RULE_ID,
+  ALERT_RULE_TAGS,
+  ALERT_RULE_TO,
+  ALERT_RULE_TYPE,
+  ALERT_RULE_UPDATED_AT,
+  ALERT_RULE_UPDATED_BY,
+  ALERT_RULE_VERSION,
+  ALERT_RISK_SCORE,
+  ALERT_SEVERITY,
+} from '@kbn/rule-data-utils';
+import {
+  ALERT_ORIGINAL_TIME,
+  ALERT_RULE_EXCEPTIONS_LIST,
+  ALERT_RULE_FALSE_POSITIVES,
+  ALERT_RULE_FILTERS,
+  ALERT_RULE_IMMUTABLE,
+  ALERT_RULE_INDEX,
+  ALERT_RULE_LANGUAGE,
+  ALERT_RULE_MAX_SIGNALS,
+  ALERT_RULE_QUERY,
+  ALERT_RULE_SAVED_ID,
+  ALERT_RULE_SIZE,
+  ALERT_RULE_THREAT,
+  ALERT_RULE_THRESHOLD,
+  ALERT_RULE_TIMELINE_ID,
+  ALERT_RULE_TIMELINE_TITLE,
+} from '../../../../timelines/common/alerts';
 import { extendMap } from './extend_map';
 
 export const auditdMap: Readonly<Record<string, string>> = {
@@ -290,41 +327,40 @@ export const systemFieldsMap: Readonly<Record<string, string>> = {
   'system.auth.ssh.method': 'system.auth.ssh.method',
 };
 
-export const signalFieldsMap: Readonly<Record<string, string>> = {
-  'signal.original_time': 'signal.original_time',
-  'signal.rule.id': 'signal.rule.id',
-  'signal.rule.saved_id': 'signal.rule.saved_id',
-  'signal.rule.timeline_id': 'signal.rule.timeline_id',
-  'signal.rule.timeline_title': 'signal.rule.timeline_title',
-  'signal.rule.output_index': 'signal.rule.output_index',
-  'signal.rule.from': 'signal.rule.from',
-  'signal.rule.index': 'signal.rule.index',
-  'signal.rule.language': 'signal.rule.language',
-  'signal.rule.query': 'signal.rule.query',
-  'signal.rule.to': 'signal.rule.to',
-  'signal.rule.filters': 'signal.rule.filters',
-  'signal.rule.rule_id': 'signal.rule.rule_id',
-  'signal.rule.false_positives': 'signal.rule.false_positives',
-  'signal.rule.max_signals': 'signal.rule.max_signals',
-  'signal.rule.risk_score': 'signal.rule.risk_score',
-  'signal.rule.description': 'signal.rule.description',
-  'signal.rule.name': 'signal.rule.name',
-  'signal.rule.immutable': 'signal.rule.immutable',
-  'signal.rule.references': 'signal.rule.references',
-  'signal.rule.severity': 'signal.rule.severity',
-  'signal.rule.tags': 'signal.rule.tags',
-  'signal.rule.threat': 'signal.rule.threat',
-  'signal.rule.type': 'signal.rule.type',
-  'signal.rule.size': 'signal.rule.size',
-  'signal.rule.enabled': 'signal.rule.enabled',
-  'signal.rule.created_at': 'signal.rule.created_at',
-  'signal.rule.updated_at': 'signal.rule.updated_at',
-  'signal.rule.created_by': 'signal.rule.created_by',
-  'signal.rule.updated_by': 'signal.rule.updated_by',
-  'signal.rule.version': 'signal.rule.version',
-  'signal.rule.note': 'signal.rule.note',
-  'signal.rule.threshold': 'signal.rule.threshold',
-  'signal.rule.exceptions_list': 'signal.rule.exceptions_list',
+export const alertFieldsMap: Readonly<Record<string, string>> = {
+  [ALERT_ORIGINAL_TIME]: ALERT_ORIGINAL_TIME,
+  [ALERT_RULE_UUID]: ALERT_RULE_UUID,
+  [ALERT_RULE_SAVED_ID]: ALERT_RULE_SAVED_ID,
+  [ALERT_RULE_TIMELINE_ID]: ALERT_RULE_TIMELINE_ID,
+  [ALERT_RULE_TIMELINE_TITLE]: ALERT_RULE_TIMELINE_TITLE,
+  [ALERT_RULE_FROM]: ALERT_RULE_FROM,
+  [ALERT_RULE_INDEX]: ALERT_RULE_INDEX,
+  [ALERT_RULE_LANGUAGE]: ALERT_RULE_LANGUAGE,
+  [ALERT_RULE_QUERY]: ALERT_RULE_QUERY,
+  [ALERT_RULE_TO]: ALERT_RULE_TO,
+  [ALERT_RULE_FILTERS]: ALERT_RULE_FILTERS,
+  [ALERT_RULE_RULE_ID]: ALERT_RULE_RULE_ID,
+  [ALERT_RULE_FALSE_POSITIVES]: ALERT_RULE_FALSE_POSITIVES,
+  [ALERT_RULE_MAX_SIGNALS]: ALERT_RULE_MAX_SIGNALS,
+  [ALERT_RULE_DESCRIPTION]: ALERT_RULE_DESCRIPTION,
+  [ALERT_RULE_NAME]: ALERT_RULE_NAME,
+  [ALERT_RULE_IMMUTABLE]: ALERT_RULE_IMMUTABLE,
+  [ALERT_RULE_REFERENCES]: ALERT_RULE_REFERENCES,
+  [ALERT_RULE_TAGS]: ALERT_RULE_TAGS,
+  [ALERT_RULE_THREAT]: ALERT_RULE_THREAT,
+  [ALERT_RULE_TYPE]: ALERT_RULE_TYPE,
+  [ALERT_RULE_SIZE]: ALERT_RULE_SIZE,
+  [ALERT_RULE_ENABLED]: ALERT_RULE_ENABLED,
+  [ALERT_RULE_CREATED_AT]: ALERT_RULE_CREATED_AT,
+  [ALERT_RULE_UPDATED_AT]: ALERT_RULE_UPDATED_AT,
+  [ALERT_RULE_CREATED_BY]: ALERT_RULE_CREATED_BY,
+  [ALERT_RULE_UPDATED_BY]: ALERT_RULE_UPDATED_BY,
+  [ALERT_RULE_VERSION]: ALERT_RULE_VERSION,
+  [ALERT_RULE_NOTE]: ALERT_RULE_NOTE,
+  [ALERT_RULE_THRESHOLD]: ALERT_RULE_THRESHOLD,
+  [ALERT_RULE_EXCEPTIONS_LIST]: ALERT_RULE_EXCEPTIONS_LIST,
+  [ALERT_SEVERITY]: ALERT_SEVERITY,
+  [ALERT_RISK_SCORE]: ALERT_RISK_SCORE,
 };
 
 export const ruleFieldsMap: Readonly<Record<string, string>> = {
@@ -336,6 +372,7 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
   '@timestamp': '@timestamp',
   message: 'message',
   ...{ ...agentFieldsMap },
+  ...{ ...alertFieldsMap },
   ...{ ...auditdMap },
   ...{ ...destinationFieldsMap },
   ...{ ...dnsFieldsMap },
@@ -346,7 +383,6 @@ export const eventFieldsMap: Readonly<Record<string, string>> = {
   ...{ ...hostFieldsMap },
   ...{ ...networkFieldsMap },
   ...{ ...ruleFieldsMap },
-  ...{ ...signalFieldsMap },
   ...{ ...sourceFieldsMap },
   ...{ ...suricataFieldsMap },
   ...{ ...systemFieldsMap },

x-pack/plugins/security_solution/common/ecs/index.ts

@@ -15,6 +15,7 @@ import { EventEcs } from './event';
 import { FileEcs } from './file';
 import { GeoEcs } from './geo';
 import { HostEcs } from './host';
+import { KibanaEcs } from './kibana';
 import { NetworkEcs } from './network';
 import { RegistryEcs } from './registry';
 import { RuleEcs } from './rule';
@@ -45,6 +46,7 @@ export interface Ecs {
   event?: EventEcs;
   geo?: GeoEcs;
   host?: HostEcs;
+  kibana?: KibanaEcs;
   network?: NetworkEcs;
   registry?: RegistryEcs;
   rule?: RuleEcs;

x-pack/plugins/security_solution/common/ecs/kibana/index.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { RuleEcs } from '../rule';
+
+export interface KibanaEcs {
+  alert?: {
+    risk_score?: string[];
+    severity?: string[];
+    rule?: RuleEcs;
+    original_time?: string[];
+    status?: string[];
+    group?: {
+      id?: string[];
+    };
+    threshold_result?: unknown;
+    workflow_status?: string[];
+  };
+}

x-pack/plugins/security_solution/common/ecs/rule/index.ts

@@ -6,8 +6,8 @@
  */
 
 export interface RuleEcs {
-  id?: string[];
   rule_id?: string[];
+  uuid?: string[];
   name?: string[];
   false_positives?: string[];
   saved_id?: string[];

x-pack/plugins/security_solution/common/utils/field_formatters.test.ts

@@ -5,9 +5,10 @@
  * 2.0.
  */
 
+import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
+import { ALERT_RULE_NAME, ALERT_WORKFLOW_STATUS } from '@kbn/rule-data-utils';
 import { EventHit, EventSource } from '../search_strategy';
 import { getDataFromFieldsHits, getDataFromSourceHits, getDataSafety } from './field_formatters';
-import { eventDetailsFormattedFields, eventHit } from '@kbn/securitysolution-t-grid';
 
 describe('Events Details Helpers', () => {
   const fields: EventHit['fields'] = eventHit.fields;
@@ -135,8 +136,8 @@ describe('Events Details Helpers', () => {
   it('#getDataFromSourceHits', () => {
     const _source: EventSource = {
       '@timestamp': '2021-02-24T00:41:06.527Z',
-      'signal.status': 'open',
-      'signal.rule.name': 'Rawr',
+      [ALERT_WORKFLOW_STATUS]: 'open',
+      [ALERT_RULE_NAME]: 'Rawr',
       'threat.indicator': [
         {
           provider: 'yourself',
@@ -161,15 +162,15 @@ describe('Events Details Helpers', () => {
         isObjectArray: false,
       },
       {
-        category: 'signal',
-        field: 'signal.status',
+        category: 'kibana',
+        field: ALERT_WORKFLOW_STATUS,
         values: ['open'],
         originalValue: ['open'],
         isObjectArray: false,
       },
       {
-        category: 'signal',
-        field: 'signal.rule.name',
+        category: 'kibana',
+        field: ALERT_RULE_NAME,
         values: ['Rawr'],
         originalValue: ['Rawr'],
         isObjectArray: false,

x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts

@@ -13,7 +13,13 @@ import {
   getEditedRule,
   getNewOverrideRule,
 } from '../../objects/rule';
-import { ALERT_GRID_CELL, NUMBER_OF_ALERTS } from '../../screens/alerts';
+import {
+  ALERT_GRID_CELL,
+  ALERT_RISK_SCORE,
+  ALERT_RULE_NAME,
+  ALERT_SEVERITY,
+  NUMBER_OF_ALERTS,
+} from '../../screens/alerts';
 
 import {
   CUSTOM_RULES_BTN,
@@ -215,9 +221,9 @@ describe('Custom detection rules creation', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-    cy.get(ALERT_GRID_CELL).eq(3).contains(this.rule.name);
-    cy.get(ALERT_GRID_CELL).eq(4).contains(this.rule.severity.toLowerCase());
-    cy.get(ALERT_GRID_CELL).eq(5).contains(this.rule.riskScore);
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains(this.rule.name);
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains(this.rule.severity.toLowerCase());
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains(this.rule.riskScore);
   });
 });
 

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -14,8 +14,8 @@ import {
 
 import {
   ALERT_RULE_NAME,
-  ALERT_RULE_RISK_SCORE,
-  ALERT_RULE_SEVERITY,
+  ALERT_RISK_SCORE,
+  ALERT_SEVERITY,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -480,12 +480,10 @@ describe('indicator match', () => {
 
         cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
         cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
-        cy.get(ALERT_RULE_SEVERITY)
+        cy.get(ALERT_SEVERITY)
           .first()
           .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());
-        cy.get(ALERT_RULE_RISK_SCORE)
-          .first()
-          .should('have.text', getNewThreatIndicatorRule().riskScore);
+        cy.get(ALERT_RISK_SCORE).first().should('have.text', getNewThreatIndicatorRule().riskScore);
       });
 
       it('Investigate alert in timeline', () => {

x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { ALERT_RISK_SCORE } from '@kbn/rule-data-utils';
 import { formatMitreAttackDescription } from '../../helpers/rules';
 import {
   getIndexPatterns,
@@ -13,7 +14,13 @@ import {
   OverrideRule,
 } from '../../objects/rule';
 
-import { NUMBER_OF_ALERTS, ALERT_GRID_CELL } from '../../screens/alerts';
+import {
+  NUMBER_OF_ALERTS,
+  ALERT_GRID_CELL,
+  ALERT_RISK_SCORE as ALERT_RISK_SCORE_FIELD,
+  ALERT_RULE_NAME,
+  ALERT_SEVERITY,
+} from '../../screens/alerts';
 
 import {
   CUSTOM_RULES_BTN,
@@ -139,7 +146,7 @@ describe('Detection rules, override', () => {
       getDetails(RISK_SCORE_DETAILS).should('have.text', this.rule.riskScore);
       getDetails(RISK_SCORE_OVERRIDE_DETAILS).should(
         'have.text',
-        `${this.rule.riskOverride}signal.rule.risk_score`
+        `${this.rule.riskOverride}${ALERT_RISK_SCORE}`
       );
       getDetails(RULE_NAME_OVERRIDE_DETAILS).should('have.text', this.rule.nameOverride);
       getDetails(REFERENCE_URLS_DETAILS).should((details) => {
@@ -187,12 +194,8 @@ describe('Detection rules, override', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.gte(1));
-    cy.get(ALERT_GRID_CELL).eq(3).contains('auditbeat');
-    cy.get(ALERT_GRID_CELL).eq(4).contains('critical');
-
-    // TODO: Is this necessary?
-    // sortRiskScore();
-
-    cy.get(ALERT_GRID_CELL).eq(5).contains('80');
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains('auditbeat');
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains('critical');
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE_FIELD}`).contains('80');
   });
 });

x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts

@@ -13,7 +13,13 @@ import {
   ThresholdRule,
 } from '../../objects/rule';
 
-import { ALERT_GRID_CELL, NUMBER_OF_ALERTS } from '../../screens/alerts';
+import {
+  ALERT_GRID_CELL,
+  ALERT_RISK_SCORE,
+  ALERT_RULE_NAME,
+  ALERT_SEVERITY,
+  NUMBER_OF_ALERTS,
+} from '../../screens/alerts';
 
 import {
   CUSTOM_RULES_BTN,
@@ -171,9 +177,9 @@ describe('Detection rules, threshold', () => {
     waitForAlertsToPopulate();
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text().split(' ')[0]).to.be.lt(100));
-    cy.get(ALERT_GRID_CELL).eq(3).contains(rule.name);
-    cy.get(ALERT_GRID_CELL).eq(4).contains(rule.severity.toLowerCase());
-    cy.get(ALERT_GRID_CELL).eq(5).contains(rule.riskScore);
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RULE_NAME}`).contains(rule.name);
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_SEVERITY}`).contains(rule.severity.toLowerCase());
+    cy.get(`${ALERT_GRID_CELL} ${ALERT_RISK_SCORE}`).contains(rule.riskScore);
   });
 
   it('Preview results of keyword using "host.name"', () => {