[Security Solution][RAC] - Add reason field (#107532) (#108319)

# Conflicts:
#	x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts

x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts

@@ -54,7 +54,7 @@ describe('Alert details with unmapped fields', () => {
 
   it('Displays the unmapped field on the table', () => {
     const expectedUnmmappedField = {
-      row: 89,
+      row: 91,
       field: 'unmapped',
       text: 'This is the unmapped field',
     };

x-pack/plugins/security_solution/cypress/integration/detection_rules/custom_query_rule.spec.ts

@@ -14,11 +14,9 @@ import {
   getNewOverrideRule,
 } from '../../objects/rule';
 import {
-  ALERT_RULE_METHOD,
   ALERT_RULE_NAME,
   ALERT_RULE_RISK_SCORE,
   ALERT_RULE_SEVERITY,
-  ALERT_RULE_VERSION,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 
@@ -223,8 +221,6 @@ describe('Custom detection rules creation', () => {
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text()).to.be.gte(1));
     cy.get(ALERT_RULE_NAME).first().should('have.text', this.rule.name);
-    cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-    cy.get(ALERT_RULE_METHOD).first().should('have.text', 'query');
     cy.get(ALERT_RULE_SEVERITY).first().should('have.text', this.rule.severity.toLowerCase());
     cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', this.rule.riskScore);
   });

x-pack/plugins/security_solution/cypress/integration/detection_rules/event_correlation_rule.spec.ts

@@ -9,11 +9,9 @@ import { formatMitreAttackDescription } from '../../helpers/rules';
 import { getEqlRule, getEqlSequenceRule, getIndexPatterns } from '../../objects/rule';
 
 import {
-  ALERT_RULE_METHOD,
   ALERT_RULE_NAME,
   ALERT_RULE_RISK_SCORE,
   ALERT_RULE_SEVERITY,
-  ALERT_RULE_VERSION,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -169,8 +167,6 @@ describe('Detection rules, EQL', () => {
 
     cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
     cy.get(ALERT_RULE_NAME).first().should('have.text', this.rule.name);
-    cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-    cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
     cy.get(ALERT_RULE_SEVERITY).first().should('have.text', this.rule.severity.toLowerCase());
     cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', this.rule.riskScore);
   });
@@ -221,8 +217,6 @@ describe('Detection rules, sequence EQL', () => {
 
     cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfSequenceAlerts);
     cy.get(ALERT_RULE_NAME).first().should('have.text', this.rule.name);
-    cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-    cy.get(ALERT_RULE_METHOD).first().should('have.text', 'eql');
     cy.get(ALERT_RULE_SEVERITY).first().should('have.text', this.rule.severity.toLowerCase());
     cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', this.rule.riskScore);
   });

x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts

@@ -9,11 +9,9 @@ import { formatMitreAttackDescription } from '../../helpers/rules';
 import { getIndexPatterns, getNewThreatIndicatorRule } from '../../objects/rule';
 
 import {
-  ALERT_RULE_METHOD,
   ALERT_RULE_NAME,
   ALERT_RULE_RISK_SCORE,
   ALERT_RULE_SEVERITY,
-  ALERT_RULE_VERSION,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 import {
@@ -482,8 +480,6 @@ describe('indicator match', () => {
 
         cy.get(NUMBER_OF_ALERTS).should('have.text', expectedNumberOfAlerts);
         cy.get(ALERT_RULE_NAME).first().should('have.text', getNewThreatIndicatorRule().name);
-        cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-        cy.get(ALERT_RULE_METHOD).first().should('have.text', 'threat_match');
         cy.get(ALERT_RULE_SEVERITY)
           .first()
           .should('have.text', getNewThreatIndicatorRule().severity.toLowerCase());

x-pack/plugins/security_solution/cypress/integration/detection_rules/override.spec.ts

@@ -16,10 +16,8 @@ import {
 import {
   NUMBER_OF_ALERTS,
   ALERT_RULE_NAME,
-  ALERT_RULE_METHOD,
   ALERT_RULE_RISK_SCORE,
   ALERT_RULE_SEVERITY,
-  ALERT_RULE_VERSION,
 } from '../../screens/alerts';
 
 import {
@@ -196,8 +194,6 @@ describe('Detection rules, override', () => {
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text()).to.be.gte(1));
     cy.get(ALERT_RULE_NAME).first().should('have.text', 'auditbeat');
-    cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-    cy.get(ALERT_RULE_METHOD).first().should('have.text', 'query');
     cy.get(ALERT_RULE_SEVERITY).first().should('have.text', 'critical');
 
     sortRiskScore();

x-pack/plugins/security_solution/cypress/integration/detection_rules/threshold_rule.spec.ts

@@ -14,11 +14,9 @@ import {
 } from '../../objects/rule';
 
 import {
-  ALERT_RULE_METHOD,
   ALERT_RULE_NAME,
   ALERT_RULE_RISK_SCORE,
   ALERT_RULE_SEVERITY,
-  ALERT_RULE_VERSION,
   NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
 
@@ -179,8 +177,6 @@ describe('Detection rules, threshold', () => {
 
     cy.get(NUMBER_OF_ALERTS).should(($count) => expect(+$count.text()).to.be.lt(100));
     cy.get(ALERT_RULE_NAME).first().should('have.text', rule.name);
-    cy.get(ALERT_RULE_VERSION).first().should('have.text', '1');
-    cy.get(ALERT_RULE_METHOD).first().should('have.text', 'threshold');
     cy.get(ALERT_RULE_SEVERITY).first().should('have.text', rule.severity.toLowerCase());
     cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', rule.riskScore);
   });

x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts

@@ -35,18 +35,6 @@ export const columns: Array<
     initialWidth: DEFAULT_COLUMN_MIN_WIDTH,
     linkField: 'signal.rule.id',
   },
-  {
-    columnHeaderType: defaultColumnHeaderType,
-    displayAsText: i18n.ALERTS_HEADERS_VERSION,
-    id: 'signal.rule.version',
-    initialWidth: 95,
-  },
-  {
-    columnHeaderType: defaultColumnHeaderType,
-    displayAsText: i18n.ALERTS_HEADERS_METHOD,
-    id: 'signal.rule.type',
-    initialWidth: 100,
-  },
   {
     columnHeaderType: defaultColumnHeaderType,
     displayAsText: i18n.ALERTS_HEADERS_SEVERITY,
@@ -57,31 +45,29 @@ export const columns: Array<
     columnHeaderType: defaultColumnHeaderType,
     displayAsText: i18n.ALERTS_HEADERS_RISK_SCORE,
     id: 'signal.rule.risk_score',
-    initialWidth: 115,
+    initialWidth: 100,
   },
   {
     columnHeaderType: defaultColumnHeaderType,
-    id: 'event.module',
-    linkField: 'rule.reference',
+    displayAsText: i18n.ALERTS_HEADERS_REASON,
+    id: 'signal.reason',
+    initialWidth: 450,
   },
   {
-    aggregatable: true,
-    category: 'event',
     columnHeaderType: defaultColumnHeaderType,
-    id: 'event.action',
-    type: 'string',
+    id: 'host.name',
   },
   {
     columnHeaderType: defaultColumnHeaderType,
-    id: 'event.category',
+    id: 'user.name',
   },
   {
     columnHeaderType: defaultColumnHeaderType,
-    id: 'host.name',
+    id: 'process.name',
   },
   {
     columnHeaderType: defaultColumnHeaderType,
-    id: 'user.name',
+    id: 'file.name',
   },
   {
     columnHeaderType: defaultColumnHeaderType,

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json

@@ -17,6 +17,7 @@
   "signal.original_event.module": "kibana.alert.original_event.module",
   "signal.original_event.outcome": "kibana.alert.original_event.outcome",
   "signal.original_event.provider": "kibana.alert.original_event.provider",
+  "signal.original_event.reason": "kibana.alert.original_event.reason",
   "signal.original_event.risk_score": "kibana.alert.original_event.risk_score",
   "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm",
   "signal.original_event.sequence": "kibana.alert.original_event.sequence",
@@ -25,6 +26,7 @@
   "signal.original_event.timezone": "kibana.alert.original_event.timezone",
   "signal.original_event.type": "kibana.alert.original_event.type",
   "signal.original_time": "kibana.alert.original_time",
+  "signal.reason": "kibana.alert.reason",
   "signal.rule.author": "kibana.alert.rule.author",
   "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
   "signal.rule.created_at": "kibana.alert.rule.created_at",

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json

@@ -43,6 +43,9 @@
           }
         }
       },
+      "reason": {
+        "type": "keyword"
+      },
       "rule": {
         "type": "object",
         "properties": {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signals_mapping.json

@@ -360,6 +360,9 @@
               "provider": {
                 "type": "keyword"
               },
+              "reason": {
+                "type": "keyword"
+              },
               "risk_score": {
                 "type": "float"
               },
@@ -421,6 +424,9 @@
           },
           "depth": {
             "type": "integer"
+          },
+          "reason": {
+            "type": "keyword"
           }
         }
       }

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts

@@ -6,6 +6,7 @@
  */
 
 import {
+  ALERT_REASON,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAMESPACE,
   ALERT_STATUS,
@@ -50,8 +51,9 @@ describe('buildAlert', () => {
     const doc = sampleDocNoSortIdWithTimestamp('d5e8eb51-a6a0-456d-8a15-4b79bfec3d71');
     delete doc._source.event;
     const rule = getRulesSchemaMock();
+    const reason = 'alert reasonable reason';
     const alert = {
-      ...buildAlert([doc], rule, SPACE_ID),
+      ...buildAlert([doc], rule, SPACE_ID, reason),
       ...additionalAlertFields(doc),
     };
     const timestamp = alert['@timestamp'];
@@ -68,6 +70,7 @@ describe('buildAlert', () => {
         },
       ],
       [ALERT_ORIGINAL_TIME]: '2020-04-20T21:27:45.000Z',
+      [ALERT_REASON]: 'alert reasonable reason',
       [ALERT_STATUS]: 'open',
       [ALERT_WORKFLOW_STATUS]: 'open',
       ...flattenWithPrefix(ALERT_RULE_NAMESPACE, {
@@ -119,8 +122,9 @@ describe('buildAlert', () => {
       module: 'system',
     };
     const rule = getRulesSchemaMock();
+    const reason = 'alert reasonable reason';
     const alert = {
-      ...buildAlert([doc], rule, SPACE_ID),
+      ...buildAlert([doc], rule, SPACE_ID, reason),
       ...additionalAlertFields(doc),
     };
     const timestamp = alert['@timestamp'];
@@ -143,6 +147,7 @@ describe('buildAlert', () => {
         kind: 'event',
         module: 'system',
       },
+      [ALERT_REASON]: 'alert reasonable reason',
       [ALERT_STATUS]: 'open',
       [ALERT_WORKFLOW_STATUS]: 'open',
       ...flattenWithPrefix(ALERT_RULE_NAMESPACE, {

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts

@@ -6,6 +6,7 @@
  */
 
 import {
+  ALERT_REASON,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAMESPACE,
   ALERT_STATUS,
@@ -92,7 +93,8 @@ export const removeClashes = (doc: SimpleHit) => {
 export const buildAlert = (
   docs: SimpleHit[],
   rule: RulesSchema,
-  spaceId: string | null | undefined
+  spaceId: string | null | undefined,
+  reason: string
 ): RACAlert => {
   const removedClashes = docs.map(removeClashes);
   const parents = removedClashes.map(buildParent);
@@ -110,6 +112,7 @@ export const buildAlert = (
     [ALERT_STATUS]: 'open',
     [ALERT_WORKFLOW_STATUS]: 'open',
     [ALERT_DEPTH]: depth,
+    [ALERT_REASON]: reason,
     ...flattenWithPrefix(ALERT_RULE_NAMESPACE, rule),
   } as unknown) as RACAlert;
 };

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_bulk_body.ts

@@ -9,6 +9,7 @@ import { SavedObject } from 'src/core/types';
 import { BaseHit } from '../../../../../../common/detection_engine/types';
 import type { ConfigType } from '../../../../../config';
 import { buildRuleWithOverrides, buildRuleWithoutOverrides } from '../../../signals/build_rule';
+import { BuildReasonMessage } from '../../../signals/reason_formatters';
 import { getMergeStrategy } from '../../../signals/source_fields_merging/strategies';
 import { AlertAttributes, SignalSource, SignalSourceHit } from '../../../signals/types';
 import { RACAlert } from '../../types';
@@ -35,19 +36,23 @@ export const buildBulkBody = (
   ruleSO: SavedObject<AlertAttributes>,
   doc: SignalSourceHit,
   mergeStrategy: ConfigType['alertMergeStrategy'],
-  applyOverrides: boolean
+  applyOverrides: boolean,
+  buildReasonMessage: BuildReasonMessage
 ): RACAlert => {
   const mergedDoc = getMergeStrategy(mergeStrategy)({ doc });
   const rule = applyOverrides
     ? buildRuleWithOverrides(ruleSO, mergedDoc._source ?? {})
     : buildRuleWithoutOverrides(ruleSO);
   const filteredSource = filterSource(mergedDoc);
+  const timestamp = new Date().toISOString();
+
+  const reason = buildReasonMessage({ mergedDoc, rule, timestamp });
   if (isSourceDoc(mergedDoc)) {
     return {
       ...filteredSource,
-      ...buildAlert([mergedDoc], rule, spaceId),
+      ...buildAlert([mergedDoc], rule, spaceId, reason),
       ...additionalAlertFields(mergedDoc),
-      '@timestamp': new Date().toISOString(),
+      '@timestamp': timestamp,
     };
   }