From 887f9d1b0c7d2c3f068cdf58819fb173b0625039 Mon Sep 17 00:00:00 2001
From: PhilippeOberti
Date: Mon, 9 Oct 2023 13:16:36 -0500
Subject: [PATCH] [Security Solution] use kibana.alert.ancestors.id instead of kibana.alert.original_event.id for same source even related alerts
---
 .../flyout/shared/constants/field_names.ts | 1 -
 ...tch_related_alerts_by_same_source_event.ts | 4 +-
 .../use_show_related_alerts_by_ancestry.ts | 8 +-
 ...how_related_alerts_by_same_source_event.ts | 4 +-
 ..._details_left_panel_correlations_tab.cy.ts | 59 +++++++++++--------
 5 files changed, 42 insertions(+), 34 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/flyout/shared/constants/field_names.ts b/x-pack/plugins/security_solution/public/flyout/shared/constants/field_names.ts
index b663ea41e2069..fd6551394a5a2 100644
--- a/x-pack/plugins/security_solution/public/flyout/shared/constants/field_names.ts
+++ b/x-pack/plugins/security_solution/public/flyout/shared/constants/field_names.ts
@@ -8,7 +8,6 @@ export const ANCESTOR_ID = 'kibana.alert.ancestors.id';
 export const RULE_PARAMETERS_INDEX = 'kibana.alert.rule.parameters.index';
 export const RULE_INDICES = 'kibana.alert.rule.indices';
-export const ORIGINAL_EVENT_ID = 'kibana.alert.original_event.id';
 export const ENTRY_LEADER_ENTITY_ID = 'process.entry_leader.entity_id';
 export const ENTRY_LEADER_START = 'process.entry_leader.start';
 export const ANCESTOR_INDEX = 'kibana.alert.ancestors.index';
diff --git a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_fetch_related_alerts_by_same_source_event.ts b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_fetch_related_alerts_by_same_source_event.ts
index 7e3fde3796c94..990c25fed9f26 100644
--- a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_fetch_related_alerts_by_same_source_event.ts
+++ b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_fetch_related_alerts_by_same_source_event.ts
@@ -6,7 +6,7 @@
 */
 import { useMemo } from 'react';
-import { ORIGINAL_EVENT_ID } from '../constants/field_names';
+import { ANCESTOR_ID } from '../constants/field_names';
 import { useAlertPrevalence } from '../../../common/containers/alerts/use_alert_prevalence';
 import { isActiveTimeline } from '../../../helpers';
@@ -47,7 +47,7 @@ export const useFetchRelatedAlertsBySameSourceEvent = ({
 scopeId,
 }: UseFetchRelatedAlertsBySameSourceEventParams): UseFetchRelatedAlertsBySameSourceEventResult => {
 const { loading, error, count, alertIds } = useAlertPrevalence({
- field: ORIGINAL_EVENT_ID,
+ field: ANCESTOR_ID,
 value: originalEventId,
 isActiveTimelines: isActiveTimeline(scopeId),
 signalIndexName: null,
diff --git a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_ancestry.ts b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_ancestry.ts
index fe2ccb518abe0..c87c93c833f14 100644
--- a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_ancestry.ts
+++ b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_ancestry.ts
@@ -14,7 +14,7 @@ import { isInvestigateInResolverActionEnabled } from '../../../detections/compon
 import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features';
 import { useLicense } from '../../../common/hooks/use_license';
 import { getField } from '../utils';
-import { ANCESTOR_ID } from '../constants/field_names';
+import { ANCESTOR_ID, RULE_PARAMETERS_INDEX } from '../constants/field_names';
 export interface UseShowRelatedAlertsByAncestryParams {
 /**
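Review bot: The prevalence query on the `field: ANCESTOR_ID` line now keys on `kibana.alert.ancestors.id`, but the value it is given is still `originalEventId` from `UseFetchRelatedAlertsBySameSourceEventParams`, so that parameter name (and any doc on the interface, which is outside the hunk) now describes a field the hook no longer reads. Either rename it or pin the meaning on the changed line with a comment such as `// ANCESTOR_ID replaced kibana.alert.original_event.id; the param keeps its old name for existing callers`. The same mismatch is in use_show_related_alerts_by_same_source_event.ts, where `const originalEventId = getField(getFieldsData(ANCESTOR_ID));` feeds a result property still called `originalEventId`. If `kibana.alert.ancestors.id` can carry several ids (alerts generated from other alerts), a term match on it would also return alerts that merely share an ancestor rather than the same source document, which is worth confirming against the "related by source event" label. useFetchRelatedAlertsBySameSourceEvent's body continues outside the hunk.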
@@ -63,11 +63,7 @@ export const useShowRelatedAlertsByAncestry = ({
 // can't use getFieldsData here as the kibana.alert.rule.parameters is different and can be nested
 const originalDocumentIndex = useMemo(
- () =>
- find(
- { category: 'kibana', field: 'kibana.alert.rule.parameters.index' },
- dataFormattedForFieldBrowser
- ),
+ () => find({ category: 'kibana', field: RULE_PARAMETERS_INDEX }, dataFormattedForFieldBrowser),
 [dataFormattedForFieldBrowser]
 );
diff --git a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_same_source_event.ts b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_same_source_event.ts
index 0de1af516aad4..7d24fd483482f 100644
--- a/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_same_source_event.ts
+++ b/x-pack/plugins/security_solution/public/flyout/shared/hooks/use_show_related_alerts_by_same_source_event.ts
@@ -6,7 +6,7 @@
 */
 import type { GetFieldsData } from '../../../common/hooks/use_get_fields_data';
-import { ORIGINAL_EVENT_ID } from '../constants/field_names';
+import { ANCESTOR_ID } from '../constants/field_names';
 import { getField } from '../utils';
 export interface ShowRelatedAlertsBySameSourceEventParams {
@@ -33,7 +33,7 @@ export interface ShowRelatedAlertsBySameSourceEventResult {
 export const useShowRelatedAlertsBySameSourceEvent = ({
 getFieldsData,
 }: ShowRelatedAlertsBySameSourceEventParams): ShowRelatedAlertsBySameSourceEventResult => {
- const originalEventId = getField(getFieldsData(ORIGINAL_EVENT_ID));
+ const originalEventId = getField(getFieldsData(ANCESTOR_ID));
 return {
 show: originalEventId != null,
 ...(originalEventId && { originalEventId }),
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/alerts/expandable_flyout/alert_details_left_panel_correlations_tab.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/alerts/expandable_flyout/alert_details_left_panel_correlations_tab.cy.ts
index 7a63d5ec09e18..c7692f5703c73 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/investigations/alerts/expandable_flyout/alert_details_left_panel_correlations_tab.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/investigations/alerts/expandable_flyout/alert_details_left_panel_correlations_tab.cy.ts
@@ -15,6 +15,9 @@ import {
 CORRELATIONS_SESSION_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON,
 CORRELATIONS_SESSION_SECTION_TABLE,
 CORRELATIONS_SESSION_SECTION_TITLE,
+ CORRELATIONS_SOURCE_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON,
+ CORRELATIONS_SOURCE_SECTION_TABLE,
+ CORRELATIONS_SOURCE_SECTION_TITLE,
 DOCUMENT_DETAILS_FLYOUT_INSIGHTS_TAB_CORRELATIONS_BUTTON,
 } from '../../../../screens/expandable_flyout/alert_details_left_panel_correlations_tab';
 import {
@@ -66,20 +69,33 @@ describe('Expandable flyout left panel correlations', { tags: ['@ess', '@serverl
 cy.log('should render all the correlations sections');
- cy.get(CORRELATIONS_ANCESTRY_SECTION_TITLE).scrollIntoView();
- cy.get(CORRELATIONS_ANCESTRY_SECTION_TITLE)
- .should('be.visible')
- .and('contain.text', '1 alert related by ancestry');
- cy.get(CORRELATIONS_ANCESTRY_SECTION_TABLE).should('be.visible');
- cy.get(CORRELATIONS_ANCESTRY_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
+ cy.log('suppressed alerts');
- // TODO get proper data to test this section
- // cy.get(CORRELATIONS_SOURCE_SECTION).scrollIntoView();
- // cy.get(CORRELATIONS_SOURCE_SECTION)
+ // TODO get proper data to test suppressed alerts
+ // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_TITLE).scrollIntoView();
+ // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_TITLE)
 // .should('be.visible')
- // .and('contain.text', '0 alerts related by source event');
- // cy.get(CORRELATIONS_SOURCE_SECTION_TABLE).should('be.visible');
- // cy.get(CORRELATIONS_SESSION_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
+ // .and('contain.text', '1 suppressed alert');
+ // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
+
+ cy.log('related cases');
+
+ cy.get(CORRELATIONS_CASES_SECTION_TITLE).scrollIntoView();
+ cy.get(CORRELATIONS_CASES_SECTION_TITLE)
+ .should('be.visible')
+ .and('contain.text', '1 related case');
+ cy.get(CORRELATIONS_CASES_SECTION_TABLE).should('be.visible');
+
+ cy.log('related alerts by source event');
+
+ cy.get(CORRELATIONS_SOURCE_SECTION_TITLE).scrollIntoView();
+ cy.get(CORRELATIONS_SOURCE_SECTION_TITLE)
+ .should('be.visible')
+ .and('contain.text', '1 alert related by source event');
+ cy.get(CORRELATIONS_SOURCE_SECTION_TABLE).should('be.visible');
+ cy.get(CORRELATIONS_SOURCE_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
+
+ cy.log('related alerts by session');
 cy.get(CORRELATIONS_SESSION_SECTION_TITLE).scrollIntoView();
 cy.get(CORRELATIONS_SESSION_SECTION_TITLE)
@@ -88,17 +104,14 @@ describe('Expandable flyout left panel correlations', { tags: ['@ess', '@serverl
 cy.get(CORRELATIONS_SESSION_SECTION_TABLE).should('be.visible');
 cy.get(CORRELATIONS_SESSION_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
- cy.get(CORRELATIONS_CASES_SECTION_TITLE).scrollIntoView();
- cy.get(CORRELATIONS_CASES_SECTION_TITLE)
- .should('be.visible')
- .and('contain.text', '1 related case');
- cy.get(CORRELATIONS_CASES_SECTION_TABLE).should('be.visible');
+ cy.log('related alerts by ancestry');
- // TODO get proper data to test suppressed alerts
- // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_TITLE).scrollIntoView();
- // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_TITLE)
- // .should('be.visible')
- // .and('contain.text', '1 suppressed alert');
- // cy.get(CORRELATIONS_SUPPRESSED_ALERTS_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
+ cy.get(CORRELATIONS_ANCESTRY_SECTION_TITLE).scrollIntoView();
+ cy.get(CORRELATIONS_ANCESTRY_SECTION_TITLE)
+ .should('be.visible')
+ .and('contain.text', '1 alert related by ancestry');
+ cy.get(CORRELATIONS_ANCESTRY_SECTION_TABLE).scrollIntoView();
+ cy.get(CORRELATIONS_ANCESTRY_SECTION_TABLE).should('be.visible');
+ cy.get(CORRELATIONS_ANCESTRY_SECTION_INVESTIGATE_IN_TIMELINE_BUTTON).should('be.visible');
 });
 });
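Review bot: The new assertion `.and('contain.text', '1 alert related by source event')` would also pass if the prevalence count includes the alert under inspection itself, since its own `kibana.alert.ancestors.id` matches the query it now drives; whether useAlertPrevalence excludes the current document is not visible from this hunk. A short comment above the `cy.get(CORRELATIONS_SOURCE_SECTION_TITLE).scrollIntoView();` line naming the fixture that supplies the second alert, e.g. `// the fixture holds one other alert generated from the same source document (same kibana.alert.ancestors.id)`, would make the expected count checkable rather than coincidental. The same applies to the hard-coded `'1 related case'` and `'1 alert related by ancestry'` expectations that were moved rather than introduced. The enclosing `it` callback starts before the hunk.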