bringing back unmapped field timeline

elastic · May 3, 2021 · 376725f · 376725f
1 parent d1fc0dd
commit 376725f
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 44 deletions.
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/columns.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/columns.tsx
@@ -186,40 +186,56 @@ export const getColumns = ({
     name: i18n.VALUE,
     sortable: true,
     truncateText: false,
-    render: (values: string[] | null | undefined, data: EventFieldsData) => (
-      <FullWidthFlexGroup
-        direction="column"
-        alignItems="flexStart"
-        component="span"
-        gutterSize="none"
-      >
-        {values != null &&
-          values.map((value, i) => (
-            <FullWidthFlexItem
-              grow={false}
-              component="span"
-              key={`event-details-value-flex-item-${contextId}-${eventId}-${data.field}-${i}-${value}`}
-            >
-              <div data-colindex={3} onFocus={onFocusReFocusDraggable} role="button" tabIndex={0}>
-                {data.field === MESSAGE_FIELD_NAME ? (
-                  <OverflowField value={value} />
-                ) : (
-                  <FormattedFieldValue
-                    contextId={`event-details-value-formatted-field-value-${contextId}-${eventId}-${data.field}-${i}-${value}`}
-                    eventId={eventId}
-                    fieldFormat={data.format}
-                    fieldName={data.field}
-                    fieldType={data.type}
-                    isObjectArray={data.isObjectArray}
-                    value={value}
-                    linkValue={getLinkValue(data.field)}
-                  />
-                )}
-              </div>
-            </FullWidthFlexItem>
-          ))}
-      </FullWidthFlexGroup>
-    ),
+    render: (values: string[] | null | undefined, data: EventFieldsData) => {
+      const fieldFromBrowserField = getFieldFromBrowserField(
+        [data.category, 'fields', data.field],
+        browserFields
+      );
+      return (
+        <FullWidthFlexGroup
+          direction="column"
+          alignItems="flexStart"
+          component="span"
+          gutterSize="none"
+        >
+          {values != null &&
+            values.map((value, i) => {
+              if (fieldFromBrowserField == null) {
+                return <EuiText size="s">{value}</EuiText>;
+              }
+              return (
+                <FullWidthFlexItem
+                  grow={false}
+                  component="span"
+                  key={`event-details-value-flex-item-${contextId}-${eventId}-${data.field}-${i}-${value}`}
+                >
+                  <div
+                    data-colindex={3}
+                    onFocus={onFocusReFocusDraggable}
+                    role="button"
+                    tabIndex={0}
+                  >
+                    {data.field === MESSAGE_FIELD_NAME ? (
+                      <OverflowField value={value} />
+                    ) : (
+                      <FormattedFieldValue
+                        contextId={`event-details-value-formatted-field-value-${contextId}-${eventId}-${data.field}-${i}-${value}`}
+                        eventId={eventId}
+                        fieldFormat={data.format}
+                        fieldName={data.field}
+                        fieldType={data.type}
+                        isObjectArray={data.isObjectArray}
+                        value={value}
+                        linkValue={getLinkValue(data.field)}
+                      />
+                    )}
+                  </div>
+                </FullWidthFlexItem>
+              );
+            })}
+        </FullWidthFlexGroup>
+      );
+    },
   },
   {
     field: 'valuesConcatenated',

diff --git a/...gins/security_solution/public/timelines/components/timeline/body/renderers/cti/helpers.ts b/...gins/security_solution/public/timelines/components/timeline/body/renderers/cti/helpers.ts
@@ -13,8 +13,15 @@ import { INDICATOR_MATCH_SUBFIELDS } from '../../../../../../../common/cti/const
 import { Ecs } from '../../../../../../../common/ecs';
 import { ThreatIndicatorEcs } from '../../../../../../../common/ecs/threat';
 
-const getIndicatorEcs = (data: Ecs): ThreatIndicatorEcs[] =>
-  get(data, INDICATOR_DESTINATION_PATH) ?? [];
+const getIndicatorEcs = (data: Ecs): ThreatIndicatorEcs[] => {
+  const threatData = get(data, INDICATOR_DESTINATION_PATH);
+  if (threatData == null) {
+    return [];
+  } else if (!Array.isArray(threatData)) {
+    return [threatData];
+  }
+  return threatData;
+};
 
 export const hasThreatMatchValue = (data: Ecs): boolean =>
   getIndicatorEcs(data).some((indicator) =>

diff --git a/...k/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts b/...k/plugins/security_solution/server/search_strategy/timeline/factory/events/all/helpers.ts
@@ -19,6 +19,7 @@ import {
   getDataFromFieldsHits,
   getDataSafety,
 } from '../../../../../../common/utils/field_formatters';
+import { TIMELINE_EVENTS_FIELDS } from './constants';
 
 const getTimestamp = (hit: EventHit): string => {
   if (hit.fields && hit.fields['@timestamp']) {
@@ -29,6 +30,12 @@ const getTimestamp = (hit: EventHit): string => {
   return '';
 };
 
+export const buildFieldsRequest = (fields: string[]) =>
+  uniq([...fields.filter((f) => !f.startsWith('_')), ...TIMELINE_EVENTS_FIELDS]).map((field) => ({
+    field,
+    include_unmapped: true,
+  }));
+
 export const formatTimelineData = async (
   dataFields: readonly string[],
   ecsFields: readonly string[],

diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/events/all/index.ts
@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { cloneDeep, uniq } from 'lodash/fp';
+import { cloneDeep } from 'lodash/fp';
 
 import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../../../../common/constants';
 import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
@@ -20,26 +20,23 @@ import { inspectStringifyObject } from '../../../../../utils/build_query';
 import { SecuritySolutionTimelineFactory } from '../../types';
 import { buildTimelineEventsAllQuery } from './query.events_all.dsl';
 import { TIMELINE_EVENTS_FIELDS } from './constants';
-import { formatTimelineData } from './helpers';
+import { buildFieldsRequest, formatTimelineData } from './helpers';
 
 export const timelineEventsAll: SecuritySolutionTimelineFactory<TimelineEventsQueries.all> = {
   buildDsl: (options: TimelineEventsAllRequestOptions) => {
     if (options.pagination && options.pagination.querySize >= DEFAULT_MAX_TABLE_QUERY_SIZE) {
       throw new Error(`No query size above ${DEFAULT_MAX_TABLE_QUERY_SIZE}`);
     }
     const { fieldRequested, ...queryOptions } = cloneDeep(options);
-    queryOptions.fields = uniq([...fieldRequested, ...TIMELINE_EVENTS_FIELDS]);
+    queryOptions.fields = buildFieldsRequest(fieldRequested);
     return buildTimelineEventsAllQuery(queryOptions);
   },
   parse: async (
     options: TimelineEventsAllRequestOptions,
     response: IEsSearchResponse<unknown>
   ): Promise<TimelineEventsAllStrategyResponse> => {
     const { fieldRequested, ...queryOptions } = cloneDeep(options);
-    queryOptions.fields = uniq([
-      ...fieldRequested.filter((f) => !f.startsWith('_')),
-      ...TIMELINE_EVENTS_FIELDS,
-    ]).map((field) => ({ field, include_unmapped: true }));
+    queryOptions.fields = buildFieldsRequest(fieldRequested);
     const { activePage, querySize } = options.pagination;
     const totalCount = response.rawResponse.hits.total || 0;
     const hits = response.rawResponse.hits.hits;

diff --git a/...lution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts b/...lution/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts
@@ -22,7 +22,7 @@ export const buildTimelineDetailsQuery = (
         _id: [id],
       },
     },
-    fields: ['*'],
+    fields: [{ field: '*', include_unmapped: true }],
     _source: true,
   },
   size: 1,