Skip to content

Commit

Permalink
[8.5] [Security Solution][Investigations][Timeline] - Update getExcep…
Browse files Browse the repository at this point in the history 
…tions to use parameters (#145889) (#146414)

# Backport

This will backport the following commits from `main` to `8.5`:
- [[Security Solution][Investigations][Timeline] - Update getExceptions
to use parameters
(#145889)](#145889)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Michael
Olorunnisola","email":"[email protected]"},"sourceCommit":{"committedDate":"2022-11-28T15:08:48Z","message":"[Security
Solution][Investigations][Timeline] - Update getExceptions to use
parameters (#145889)\n\n## Summary\r\n\r\nFixes:
https://github.com/elastic/kibana/issues/136772\r\n\r\nThe issue was
introduced by a couple of
changes:\r\n\r\nFirst:\r\nhttps://github.com//pull/136163/files#diff-02d33a1ed6679f7775dc01941ca21b085d7c008ecffe5e029f5967407a5e5b13L23\r\nin
8.4.\r\n\r\nThe bug: A filter on the timeline UI relied on the
`exceptions_list`\r\nfield provided on `_source` to auto-generate a
filter when investigating\r\nin timeline labelled `Not Exceptions` which
would filter out the\r\nexceptions from the timeline. This PR resolves
that issue by pulling the\r\n`exceptions_list` field from
`kibana.alert.rule.parameters`.\r\n\r\nSecond:\r\nhttps://github.com//pull/133254/files#diff-0f69b69fd9cefef6ed04a048d7df86b7e385e816bdf17309212437dc3f69726cL74\r\n\r\nThe
filter actually stopped being passed to timeline entirely because
of\r\nthe above change.\r\n\r\nWith the fixes in
place:\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/203111748-7a0c2eb5-a46f-4f88-9d77-3628204625ac.mov","sha":"b32c8b9df89188cdcb149bd1d9494d3f99999ad6","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","backport","release_note:fix","Team:Threat
Hunting:Investigations","v8.5.0","v8.6.0","v8.7.0"],"number":145889,"url":"https://github.com/elastic/kibana/pull/145889","mergeCommit":{"message":"[Security
Solution][Investigations][Timeline] - Update getExceptions to use
parameters (#145889)\n\n## Summary\r\n\r\nFixes:
https://github.com/elastic/kibana/issues/136772\r\n\r\nThe issue was
introduced by a couple of
changes:\r\n\r\nFirst:\r\nhttps://github.com//pull/136163/files#diff-02d33a1ed6679f7775dc01941ca21b085d7c008ecffe5e029f5967407a5e5b13L23\r\nin
8.4.\r\n\r\nThe bug: A filter on the timeline UI relied on the
`exceptions_list`\r\nfield provided on `_source` to auto-generate a
filter when investigating\r\nin timeline labelled `Not Exceptions` which
would filter out the\r\nexceptions from the timeline. This PR resolves
that issue by pulling the\r\n`exceptions_list` field from
`kibana.alert.rule.parameters`.\r\n\r\nSecond:\r\nhttps://github.com//pull/133254/files#diff-0f69b69fd9cefef6ed04a048d7df86b7e385e816bdf17309212437dc3f69726cL74\r\n\r\nThe
filter actually stopped being passed to timeline entirely because
of\r\nthe above change.\r\n\r\nWith the fixes in
place:\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/203111748-7a0c2eb5-a46f-4f88-9d77-3628204625ac.mov","sha":"b32c8b9df89188cdcb149bd1d9494d3f99999ad6"}},"sourceBranch":"main","suggestedTargetBranches":["8.5","8.6"],"targetPullRequestStates":[{"branch":"8.5","label":"v8.5.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/145889","number":145889,"mergeCommit":{"message":"[Security
Solution][Investigations][Timeline] - Update getExceptions to use
parameters (#145889)\n\n## Summary\r\n\r\nFixes:
https://github.com/elastic/kibana/issues/136772\r\n\r\nThe issue was
introduced by a couple of
changes:\r\n\r\nFirst:\r\nhttps://github.com//pull/136163/files#diff-02d33a1ed6679f7775dc01941ca21b085d7c008ecffe5e029f5967407a5e5b13L23\r\nin
8.4.\r\n\r\nThe bug: A filter on the timeline UI relied on the
`exceptions_list`\r\nfield provided on `_source` to auto-generate a
filter when investigating\r\nin timeline labelled `Not Exceptions` which
would filter out the\r\nexceptions from the timeline. This PR resolves
that issue by pulling the\r\n`exceptions_list` field from
`kibana.alert.rule.parameters`.\r\n\r\nSecond:\r\nhttps://github.com//pull/133254/files#diff-0f69b69fd9cefef6ed04a048d7df86b7e385e816bdf17309212437dc3f69726cL74\r\n\r\nThe
filter actually stopped being passed to timeline entirely because
of\r\nthe above change.\r\n\r\nWith the fixes in
place:\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17211684/203111748-7a0c2eb5-a46f-4f88-9d77-3628204625ac.mov","sha":"b32c8b9df89188cdcb149bd1d9494d3f99999ad6"}}]}]
BACKPORT-->

Co-authored-by: Michael Olorunnisola <[email protected]>
  • Loading branch information
@kibanamachine @michaelolo24
kibanamachine and michaelolo24 authored Nov 28, 2022
1 parent 5553d90 commit 608ee1b
Show file tree
Hide file tree
Showing 3 changed files with 82 additions and 53 deletions.
35 changes: 27 additions & 8 deletions ...ublic/detections/components/alerts_table/timeline_actions/use_investigate_in_timeline.tsx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import { useDispatch } from 'react-redux';
import { EuiContextMenuItem } from '@elastic/eui';

import { i18n } from '@kbn/i18n';
import { ALERT_RULE_EXCEPTIONS_LIST } from '@kbn/rule-data-utils';
import { ALERT_RULE_EXCEPTIONS_LIST, ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils';
import type { ExceptionListId } from '@kbn/securitysolution-io-ts-list-types';
import { useApi } from '@kbn/securitysolution-list-hooks';

Expand Down Expand Up @@ -51,9 +51,27 @@ export const useInvestigateInTimeline = ({

const getExceptionFilter = useCallback(
async (ecsData: Ecs): Promise<Filter | undefined> => {
const exceptionsLists = (getField(ecsData, ALERT_RULE_EXCEPTIONS_LIST) ?? []).reduce(
(acc: ExceptionListId[], next: string) => {
const parsedList = JSON.parse(next);
// This pulls exceptions list information from `_source`
// This primarily matters for the old `signal` alerts a user may be viewing
// as new exception lists are pulled from kibana.alert.rule.parameters[0].exception_lists;
// Source was removed in favour of the fields api which passes the exceptions_list via `kibana.alert.rule.parameters`
let exceptionsList = getField(ecsData, ALERT_RULE_EXCEPTIONS_LIST) ?? [];

if (exceptionsList.length === 0) {
try {
const ruleParameters = getField(ecsData, ALERT_RULE_PARAMETERS) ?? {};
if (ruleParameters.length > 0) {
const parametersObject = JSON.parse(ruleParameters[0]);
exceptionsList = parametersObject?.exceptions_list ?? [];
}
} catch (error) {
// do nothing, just fail silently as parametersObject is initialized
}
}
const detectionExceptionsLists = exceptionsList.reduce(
(acc: ExceptionListId[], next: string | object) => {
// parsed rule.parameters returns an object else use the default string representation
const parsedList = typeof next === 'string' ? JSON.parse(next) : next;
if (parsedList.type === 'detection') {
const formattedList = {
exception_list_id: parsedList.list_id,
Expand All @@ -66,14 +84,15 @@ export const useInvestigateInTimeline = ({
[]
);

if (exceptionsLists.length > 0) {
let exceptionFilter;
if (detectionExceptionsLists.length > 0) {
await getExceptionFilterFromIds({
exceptionListIds: exceptionsLists,
exceptionListIds: detectionExceptionsLists,
excludeExceptions: true,
chunkSize: 20,
alias: 'Exceptions',
onSuccess: (filter) => {
return filter;
exceptionFilter = filter;
},
onError: (err: string[]) => {
addError(err, {
Expand All @@ -85,7 +104,7 @@ export const useInvestigateInTimeline = ({
},
});
}
return undefined;
return exceptionFilter;
},
[addError, getExceptionFilterFromIds]
);
Expand Down
9 changes: 8 additions & 1 deletion x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/constants.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,12 @@
* 2.0.
*/

import { ALERT_RULE_CONSUMER, ALERT_RISK_SCORE, ALERT_SEVERITY } from '@kbn/rule-data-utils';
import {
ALERT_RULE_CONSUMER,
ALERT_RISK_SCORE,
ALERT_SEVERITY,
ALERT_RULE_PARAMETERS,
} from '@kbn/rule-data-utils';
import { ENRICHMENT_DESTINATION_PATH } from '../../../../../common/constants';

export const MATCHED_ATOMIC = 'matched.atomic';
Expand Down Expand Up @@ -40,6 +45,7 @@ export const CTI_ROW_RENDERER_FIELDS = [
FEED_NAME_REFERENCE,
];

// TODO: update all of these fields to use the constants from technical field names
export const TIMELINE_EVENTS_FIELDS = [
ALERT_RULE_CONSUMER,
'@timestamp',
Expand All @@ -57,6 +63,7 @@ export const TIMELINE_EVENTS_FIELDS = [
'kibana.alert.rule.version',
ALERT_SEVERITY,
ALERT_RISK_SCORE,
ALERT_RULE_PARAMETERS,
'kibana.alert.threshold_result',
'kibana.alert.building_block_type',
'event.code',
Expand Down
91 changes: 47 additions & 44 deletions ...ns/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -414,6 +414,50 @@ describe('formatTimelineData', () => {
field: 'kibana.alert.rule.uuid',
value: ['15d82f10-0926-11ed-bece-6b0c033d0075'],
},
{
field: 'kibana.alert.rule.parameters.sourceId',
value: ['default'],
},
{
field: 'kibana.alert.rule.parameters.nodeType',
value: ['host'],
},
{
field: 'kibana.alert.rule.parameters.criteria.comparator',
value: ['>'],
},
{
field: 'kibana.alert.rule.parameters.criteria.timeSize',
value: ['1'],
},
{
field: 'kibana.alert.rule.parameters.criteria.metric',
value: ['cpu'],
},
{
field: 'kibana.alert.rule.parameters.criteria.threshold',
value: ['10'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.aggregation',
value: ['avg'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.id',
value: ['alert-custom-metric'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.field',
value: [''],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.type',
value: ['custom'],
},
{
field: 'kibana.alert.rule.parameters.criteria.timeUnit',
value: ['d'],
},
{
field: 'event.action',
value: ['active'],
Expand Down Expand Up @@ -466,50 +510,6 @@ describe('formatTimelineData', () => {
field: 'kibana.version',
value: ['8.4.0'],
},
{
field: 'kibana.alert.rule.parameters.sourceId',
value: ['default'],
},
{
field: 'kibana.alert.rule.parameters.nodeType',
value: ['host'],
},
{
field: 'kibana.alert.rule.parameters.criteria.comparator',
value: ['>'],
},
{
field: 'kibana.alert.rule.parameters.criteria.timeSize',
value: ['1'],
},
{
field: 'kibana.alert.rule.parameters.criteria.metric',
value: ['cpu'],
},
{
field: 'kibana.alert.rule.parameters.criteria.threshold',
value: ['10'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.aggregation',
value: ['avg'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.id',
value: ['alert-custom-metric'],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.field',
value: [''],
},
{
field: 'kibana.alert.rule.parameters.criteria.customMetric.type',
value: ['custom'],
},
{
field: 'kibana.alert.rule.parameters.criteria.timeUnit',
value: ['d'],
},
],
ecs: {
'@timestamp': ['2022-07-21T22:38:57.888Z'],
Expand All @@ -528,6 +528,9 @@ describe('formatTimelineData', () => {
consumer: ['infrastructure'],
name: ['test 1212'],
uuid: ['15d82f10-0926-11ed-bece-6b0c033d0075'],
parameters: [
'{"sourceId":"default","nodeType":"host","criteria":[{"comparator":">","timeSize":1,"metric":"cpu","threshold":[10],"customMetric":{"aggregation":"avg","id":"alert-custom-metric","field":"","type":"custom"},"timeUnit":"d"}]}',
],
},
workflow_status: ['open'],
},
Expand Down

0 comments on commit 608ee1b

Please sign in to comment.