[SecuritySolution][Threat Hunting] Use correct field ids for ML, rans…
…omware, indicator alerts (#125937) (#126131)

* fix: use correct field ids for ML, ransomware, threat matching events

* copy: remove unused translations

Co-authored-by: Kibana Machine <[email protected]>
(cherry picked from commit be4caac)

Co-authored-by: Jan Monschke <[email protected]>
kibanamachine and janmonschke authored Feb 22, 2022
1 parent 8e27ea5 commit 3111982
Showing 5 changed files with 109 additions and 19 deletions.
Expand Up @@ -258,6 +258,105 @@ describe('AlertSummaryView', () => {
});
});

test('Ransomware event code shows correct fields', () => {
const enhancedData = [
...mockAlertDetailsData.map((item) => {
if (item.category === 'event' && item.field === 'event.code') {
return {
...item,
values: ['ransomware'],
originalValue: ['ransomware'],
};
}
return item;
}),
{ category: 'Ransomware', field: 'Ransomware.feature', values: ['mbr'] },
{
category: 'process',
field: 'process.hash.sha256',
values: ['3287rhf3847gb38fb3o984g9384g7b3b847gb'],
},
] as TimelineEventsDetailsItem[];
const renderProps = {
...props,
data: enhancedData,
};
const { getByText } = render(
<TestProvidersComponent>
<AlertSummaryView {...renderProps} />
</TestProvidersComponent>
);
['process.hash.sha256', 'Ransomware.feature'].forEach((fieldId) => {
expect(getByText(fieldId));
});
});

test('Machine learning events show correct fields', () => {
const enhancedData = [
...mockAlertDetailsData.map((item) => {
if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
return {
...item,
values: ['machine_learning'],
originalValue: ['machine_learning'],
};
}
return item;
}),
{
category: 'kibana',
field: 'kibana.alert.rule.parameters.machine_learning_job_id',
values: ['i_am_the_ml_job_id'],
},
{ category: 'kibana', field: 'kibana.alert.rule.parameters.anomaly_threshold', values: [2] },
] as TimelineEventsDetailsItem[];
const renderProps = {
...props,
data: enhancedData,
};
const { getByText } = render(
<TestProvidersComponent>
<AlertSummaryView {...renderProps} />
</TestProvidersComponent>
);
['i_am_the_ml_job_id', 'kibana.alert.rule.parameters.anomaly_threshold'].forEach((fieldId) => {
expect(getByText(fieldId));
});
});

test('Threat match events show correct fields', () => {
const enhancedData = [
...mockAlertDetailsData.map((item) => {
if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
return {
...item,
values: ['threat_match'],
originalValue: ['threat_match'],
};
}
return item;
}),
{
category: 'kibana',
field: 'kibana.alert.rule.threat_index',
values: ['threat_index*'],
},
{ category: 'kibana', field: 'kibana.alert.rule.threat_query', values: ['*query*'] },
] as TimelineEventsDetailsItem[];
const renderProps = {
...props,
data: enhancedData,
};
const { getByText } = render(
<TestProvidersComponent>
<AlertSummaryView {...renderProps} />
</TestProvidersComponent>
);
['threat_index*', '*query*'].forEach((fieldId) => {
expect(getByText(fieldId));
});
});

test('Ransomware event code resolves fields from the source event', () => {
const renderProps = {
...props,
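Review bot: The assertions in the three new tests, `expect(getByText(fieldId));` at the end of each, carry no matcher, so the `expect` call itself never checks anything; the test only passes or fails because getByText throws when the text is absent. Give each one an explicit matcher, e.g. `expect(getByText(fieldId)).toBeInTheDocument();` (or `.toBeTruthy()` if the jest-dom matchers are not set up for this suite), so the intent is visible and lint rules that flag bare expects stay quiet. In the machine learning test the loop variable is named `fieldId` but the array mixes a value (`'i_am_the_ml_job_id'`) with a field id, and the threat match test checks values only; naming the array `expectedText` would make what is being asserted clearer. The enclosing describe block starts before this hunk and continues after it.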
Expand Up @@ -6,15 +6,14 @@
*/

import { find, isEmpty, uniqBy } from 'lodash/fp';
import { ALERT_RULE_NAMESPACE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import { ALERT_RULE_NAMESPACE, ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';

import * as i18n from './translations';
import { BrowserFields } from '../../../../common/search_strategy/index_fields';
import {
ALERTS_HEADERS_THRESHOLD_CARDINALITY,
ALERTS_HEADERS_THRESHOLD_COUNT,
ALERTS_HEADERS_THRESHOLD_TERMS,
ALERTS_HEADERS_TARGET_IMPORT_HASH,
ALERTS_HEADERS_RULE_DESCRIPTION,
} from '../../../detections/components/alerts_table/translations';
import { ALERT_THRESHOLD_RESULT } from '../../../../common/field_maps/field_names';
Expand Down Expand Up @@ -111,16 +110,17 @@ function getFieldsByEventCode(
case EventCode.SHELLCODE_THREAD:
return [
{ id: 'Target.process.executable' },
{
id: 'Target.process.thread.Ext.start_address_detaiuls.memory_pe.imphash',
label: ALERTS_HEADERS_TARGET_IMPORT_HASH,
},
{
id: 'Memory_protection.unique_key_v1',
},
];
case EventCode.MEMORY_SIGNATURE:
case EventCode.RANSOMWARE:
return [
{ id: 'Ransomware.feature' },
{ id: 'process.hash.sha256' },
...getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }),
];
case EventCode.MEMORY_SIGNATURE:
// Resolve more fields based on the source event
return getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined });
default:
Expand All @@ -145,10 +145,10 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
case 'machine_learning':
return [
{
id: `${ALERT_RULE_NAMESPACE}.machine_learning_job_id`,
id: `${ALERT_RULE_PARAMETERS}.machine_learning_job_id`,
},
{
id: `${ALERT_RULE_NAMESPACE}.anomaly_threshold`,
id: `${ALERT_RULE_PARAMETERS}.anomaly_threshold`,
},
];
case 'threat_match':
Expand All @@ -157,7 +157,7 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
id: `${ALERT_RULE_NAMESPACE}.threat_index`,
},
{
id: `${ALERT_RULE_NAMESPACE}.index`,
id: `${ALERT_RULE_NAMESPACE}.threat_query`,
},
];
default:
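Review bot: The threat_match case in the last hunk keeps `${ALERT_RULE_NAMESPACE}.threat_index` and the newly corrected `${ALERT_RULE_NAMESPACE}.threat_query`, while the machine_learning case two hunks up was moved to the `${ALERT_RULE_PARAMETERS}` prefix for the same kind of rule parameter; if threat_index and threat_query are likewise stored under the parameters object on real alerts, this case still points at fields that do not exist, and the new test would not catch it because its fixture is built with the same prefix. Worth confirming against an actual threat-match alert document before merging; if they do live under parameters, the prefix on both ids would become `${ALERT_RULE_PARAMETERS}` as in the machine_learning case. The RANSOMWARE case in the second hunk now lists `process.hash.sha256` explicitly and then spreads getFieldsByCategory, which may yield the same id twice for process events; that is harmless only if the result is de-duplicated downstream (the file imports uniqBy, so presumably it is), and a short comment on the spread line saying so would help the next reader. Both getFieldsByEventCode and getFieldsByRuleType start and end outside these hunks.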
Expand Up @@ -136,13 +136,6 @@ export const ALERTS_HEADERS_THRESHOLD_CARDINALITY = i18n.translate(
}
);

export const ALERTS_HEADERS_TARGET_IMPORT_HASH = i18n.translate(
'xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash',
{
defaultMessage: 'Import Hash',
}
);

export const ACTION_OPEN_ALERT = i18n.translate(
'xpack.securitySolution.detectionEngine.alerts.actions.openAlertTitle',
{
1 change: 0 additions & 1 deletion x-pack/plugins/translations/translations/ja-JP.json
Expand Up @@ -23345,7 +23345,6 @@
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "実行済み",
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "バージョン",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "ステータス",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "ハッシュのインポート",
"xpack.securitySolution.eventsViewer.errorFetchingEventsData": "イベントデータをクエリできませんでした",
"xpack.securitySolution.eventsViewer.eventsLabel": "イベント",
"xpack.securitySolution.eventsViewer.showingLabel": "表示中",
1 change: 0 additions & 1 deletion x-pack/plugins/translations/translations/zh-CN.json
Expand Up @@ -23721,7 +23721,6 @@
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "已触发",
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "版本",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "状态",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "导入哈希",
"xpack.securitySolution.eventsViewer.errorFetchingEventsData": "无法查询事件数据",
"xpack.securitySolution.eventsViewer.eventsLabel": "事件",
"xpack.securitySolution.eventsViewer.showingLabel": "正在显示",
