diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
index be65593364593..eac578fa65b17 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
@@ -7,15 +7,14 @@
import React from 'react';
import { FormattedMessage } from '@kbn/i18n-react';
+import moment from 'moment';
import { useDocumentDetailsContext } from '../../shared/context';
import { GRAPH_PREVIEW_TEST_ID } from './test_ids';
import { GraphPreview } from './graph_preview';
import { useFetchGraphData } from '../hooks/use_fetch_graph_data';
import { useGraphPreview } from '../hooks/use_graph_preview';
import { ExpandablePanel } from '../../../shared/components/expandable_panel';
-
-const DEFAULT_FROM = 'now-60d/d';
-const DEFAULT_TO = 'now/d';
+import { getField } from '../../shared/utils';
/**
* Graph preview under Overview, Visualizations. It shows a graph representation of entities.
@@ -28,16 +27,21 @@ export const GraphPreviewContainer: React.FC = () => {
ecsData: dataAsNestedObject,
});
+ const timestamp = getField(getFieldsData('@timestamp'));
+
// TODO: default start and end might not capture the original event
- const graphFetchQuery = useFetchGraphData({
+ const { isLoading, isError, data } = useFetchGraphData({
req: {
query: {
actorIds: [],
eventIds,
- start: DEFAULT_FROM,
- end: DEFAULT_TO,
+ start: moment(timestamp).subtract(30, 'minutes').toISOString(),
+ end: moment(timestamp).add(30, 'minutes').toISOString(),
},
},
+ options: {
+ refetchOnWindowFocus: false,
+ },
});
return (
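Review bot: `moment(timestamp)` on the new `start`/`end` lines runs unconditionally even though `timestamp` is `string | null` (that is `getField`'s return type as used by `useGraphPreview` elsewhere in this diff), so a document without `@timestamp` yields an invalid moment and the request is still issued with unusable bounds (`toISOString()` on an invalid moment returns `null` in current moment versions), unless the parent only mounts this container when `isAuditLog` is true. Gate the query on the same condition the hook now enforces, `options: { enabled: Boolean(timestamp), refetchOnWindowFocus: false }`, keeping in mind that a disabled react-query query reports `isLoading` true with no data, so the panel's loading branch should be checked for that case. `useGraphPreview` already returns `timestamp` in this diff, so re-reading `getFieldsData('@timestamp')` here duplicates it; destructuring it from the hook result (that destructure begins above the hunk) keeps one source of truth. The retained `// TODO: default start and end might not capture the original event` is now stale wording and also points at a real gap: on alert documents `@timestamp` is the detection time, and in the fixture added by this commit it is about eight hours after `kibana.alert.original_time`, so a ±30 minute window centred on it may exclude the triggering event; consider preferring `kibana.alert.original_time` when present.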
@@ -53,18 +57,14 @@ export const GraphPreviewContainer: React.FC = () => {
}}
data-test-subj={GRAPH_PREVIEW_TEST_ID}
content={
- !graphFetchQuery.isLoading && !graphFetchQuery.isError
+ !isLoading && !isError
? {
paddingSize: 'none',
}
: undefined
}
>
-
+
);
};
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts
index 2304cfb8d4fd2..f35c5dca71cd7 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_fetch_graph_data.ts
@@ -30,6 +30,11 @@ export interface UseFetchGraphDataParams {
* Defaults to true.
*/
enabled?: boolean;
+ /**
+ * If true, the query will refetch on window focus.
+ * Defaults to true.
+ */
+ refetchOnWindowFocus?: boolean;
};
}
@@ -72,7 +77,10 @@ export const useFetchGraphData = ({
body: JSON.stringify(req),
});
},
- options
+ {
+ enabled: options?.enabled ?? true,
+ refetchOnWindowFocus: options?.refetchOnWindowFocus ?? true,
+ }
);
return {
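Review bot: The new options object forwards `enabled: options?.enabled ?? true`, but a react-query query that is disabled (in v4) stays in `status: 'loading'` with `fetchStatus: 'idle'` and never transitions, so if the `isLoading` this hook returns (the `return {` starts here and continues outside the hunk) maps straight from the query, any caller that passes `enabled: false` will see a permanent loading state. Either document that on the `enabled` option (`* Note: while disabled the query reports isLoading=true and no data.`) or derive the flag as `isLoading: query.isLoading && query.fetchStatus !== 'idle'` (or expose `isInitialLoading`), whichever matches the react-query version in use.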
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx
index ff6118ec9b743..d0ebb2427a0b5 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.test.tsx
@@ -83,6 +83,34 @@ describe('useGraphPreview', () => {
expect(hookResult.result.current.isAuditLog).toEqual(false);
});
+ it(`should return false when timestamp is missing`, () => {
+ const getFieldsData: GetFieldsData = (field: string) => {
+ if (field === '@timestamp') {
+ return;
+ } else if (field === 'kibana.alert.original_event.id') {
+ return 'eventId';
+ } else if (field === 'actor.entity.id') {
+ return 'actorId';
+ }
+
+ return mockFieldData[field];
+ };
+
+ hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+ initialProps: {
+ getFieldsData,
+ ecsData: {
+ _id: 'id',
+ event: {
+ action: ['action'],
+ },
+ },
+ },
+ });
+
+ expect(hookResult.result.current.isAuditLog).toEqual(false);
+ });
+
it(`should return true when alert is has graph preview`, () => {
const getFieldsData: GetFieldsData = (field: string) => {
if (field === 'kibana.alert.original_event.id') {
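Review bot: The new `should return false when timestamp is missing` case asserts only `isAuditLog`, so the `timestamp` field the hook now returns is never pinned: add `expect(hookResult.result.current.timestamp).toBeNull();` here, and in the positive case that follows (which begins at the end of this hunk) assert that the `@timestamp` string the fixture supplies is returned unchanged, e.g. `expect(hookResult.result.current.timestamp).toEqual(mockFieldData['@timestamp']);` if that is where the value comes from. Without those, a regression that drops or reshapes `timestamp` while still gating `isAuditLog` would pass this suite.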
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts
index d833c0aa86dbc..8df553afbd25f 100644
--- a/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts
+++ b/x-pack/plugins/security_solution/public/flyout/document_details/right/hooks/use_graph_preview.ts
@@ -8,7 +8,7 @@
import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs';
import { get } from 'lodash/fp';
import type { GetFieldsData } from '../../shared/hooks/use_get_fields_data';
-import { getFieldArray } from '../../shared/utils';
+import { getField, getFieldArray } from '../../shared/utils';
export interface UseGraphPreviewParams {
/**
@@ -25,6 +25,11 @@ export interface UseGraphPreviewParams {
* Interface for the result of the useGraphPreview hook
*/
export interface UseGraphPreviewResult {
+ /**
+ * The timestamp of the event
+ */
+ timestamp: string | null;
+
/**
* Array of event IDs associated with the alert
*/
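Review bot: The doc comment on the new `timestamp: string | null` field says "The timestamp of the event", but the hook body in this diff reads it from the document's `@timestamp`, which on an alert document is the detection time rather than the original event's time — the fixture added by this commit has `@timestamp` at 20:44Z and `kibana.alert.original_time` at 12:34Z. Suggest making the contract explicit so consumers do not build event-time windows from it unknowingly: `The document's @timestamp, or null when the field is absent. For alert documents this is the alert/detection time, not the original event time (see kibana.alert.original_time).`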
@@ -53,13 +58,15 @@ export const useGraphPreview = ({
getFieldsData,
ecsData,
}: UseGraphPreviewParams): UseGraphPreviewResult => {
+ const timestamp = getField(getFieldsData('@timestamp'));
const originalEventId = getFieldsData('kibana.alert.original_event.id');
const eventId = getFieldsData('event.id');
const eventIds = originalEventId ? getFieldArray(originalEventId) : getFieldArray(eventId);
const actorIds = getFieldArray(getFieldsData('actor.entity.id'));
const action = get(['event', 'action'], ecsData);
- const isAuditLog = actorIds.length > 0 && action?.length > 0 && eventIds.length > 0;
+ const isAuditLog =
+ Boolean(timestamp) && actorIds.length > 0 && action?.length > 0 && eventIds.length > 0;
- return { eventIds, actorIds, action, isAuditLog };
+ return { timestamp, eventIds, actorIds, action, isAuditLog };
};
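Review bot: `Boolean(timestamp)` in the new `isAuditLog` expression only checks that `@timestamp` is a non-empty string, so a malformed value (a mapping or ingest quirk rather than a missing field) still passes the gate and the consumer in this diff then builds a ±30 minute window around an invalid date. Since the purpose of the new check is to guarantee a usable time anchor, tighten it to a parse check: `const hasValidTimestamp = timestamp !== null && !Number.isNaN(Date.parse(timestamp));` and then `hasValidTimestamp && actorIds.length > 0 && action?.length > 0 && eventIds.length > 0`. A short comment on why the timestamp gates the graph (`// the graph query is bounded around the event time, so an unusable timestamp means no preview`) would also help, as nothing in the function currently says why a missing timestamp disqualifies an otherwise complete audit log.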
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json
new file mode 100644
index 0000000000000..94ecc85bfd234
--- /dev/null
+++ b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json
@@ -0,0 +1,708 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "589e086d7ceec7d4b353340578bd607e96fbac7eab9e2926f110990be15122f1",
+ "index": ".internal.alerts-security.alerts-default-000001",
+ "source": {
+ "@timestamp": "2024-09-01T20:44:02.109Z",
+ "actor": {
+ "entity": {
+ "id": "admin@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "dataset": "gcp.audit",
+ "id": "kabcd1234efgh5678",
+ "ingested": "2024-09-01T20:40:17Z",
+ "module": "gcp",
+ "outcome": "success",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "event.kind": "signal",
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "kibana.alert.ancestors": [
+ {
+ "depth": 0,
+ "id": "MhKch5IBGYRrfvcTQNbO",
+ "index": ".ds-logs-gcp.audit-default-2024.10.13-000001",
+ "type": "event"
+ }
+ ],
+ "kibana.alert.depth": 1,
+ "kibana.alert.intended_timestamp": "2024-09-01T20:44:02.117Z",
+ "kibana.alert.last_detected": "2024-09-01T20:44:02.117Z",
+ "kibana.alert.original_event.action": "google.iam.admin.v1.CreateRole",
+ "kibana.alert.original_event.agent_id_status": "missing",
+ "kibana.alert.original_event.category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "kibana.alert.original_event.dataset": "gcp.audit",
+ "kibana.alert.original_event.id": "kabcd1234efgh5678",
+ "kibana.alert.original_event.ingested": "2024-09-01T20:40:17Z",
+ "kibana.alert.original_event.kind": "event",
+ "kibana.alert.original_event.module": "gcp",
+ "kibana.alert.original_event.outcome": "success",
+ "kibana.alert.original_event.provider": "activity",
+ "kibana.alert.original_event.type": [
+ "end",
+ "access",
+ "allowed"
+ ],
+ "kibana.alert.original_time": "2024-09-01T12:34:56.789Z",
+ "kibana.alert.reason": "session, network, configuration event with source 10.0.0.1 created medium alert GCP IAM Custom Role Creation.",
+ "kibana.alert.risk_score": 47,
+ "kibana.alert.rule.actions": [
+ ],
+ "kibana.alert.rule.author": [
+ "Elastic"
+ ],
+ "kibana.alert.rule.category": "Custom Query Rule",
+ "kibana.alert.rule.consumer": "siem",
+ "kibana.alert.rule.created_at": "2024-09-01T20:38:49.650Z",
+ "kibana.alert.rule.created_by": "elastic",
+ "kibana.alert.rule.description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+ "kibana.alert.rule.enabled": true,
+ "kibana.alert.rule.exceptions_list": [
+ ],
+ "kibana.alert.rule.execution.timestamp": "2024-09-01T20:44:02.117Z",
+ "kibana.alert.rule.execution.uuid": "a440f349-1900-4087-b507-f2b98c6cfa79",
+ "kibana.alert.rule.false_positives": [
+ "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "kibana.alert.rule.from": "now-6m",
+ "kibana.alert.rule.immutable": true,
+ "kibana.alert.rule.indices": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "kibana.alert.rule.interval": "5m",
+ "kibana.alert.rule.license": "Elastic License v2",
+ "kibana.alert.rule.max_signals": 100,
+ "kibana.alert.rule.name": "GCP IAM Custom Role Creation",
+ "kibana.alert.rule.note": "",
+ "kibana.alert.rule.parameters": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+ "exceptions_list": [
+ ],
+ "false_positives": [
+ "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-6m",
+ "immutable": true,
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 100,
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+ "references": [
+ "https://cloud.google.com/iam/docs/understanding-custom-roles"
+ ],
+ "related_integrations": [
+ {
+ "integration": "audit",
+ "package": "gcp",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "risk_score_mapping": [
+ ],
+ "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+ "rule_source": {
+ "is_customized": false,
+ "type": "external"
+ },
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "severity_mapping": [
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "to": "now",
+ "type": "query",
+ "version": 104
+ },
+ "kibana.alert.rule.producer": "siem",
+ "kibana.alert.rule.references": [
+ "https://cloud.google.com/iam/docs/understanding-custom-roles"
+ ],
+ "kibana.alert.rule.revision": 0,
+ "kibana.alert.rule.risk_score": 47,
+ "kibana.alert.rule.risk_score_mapping": [
+ ],
+ "kibana.alert.rule.rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+ "kibana.alert.rule.rule_type_id": "siem.queryRule",
+ "kibana.alert.rule.severity": "medium",
+ "kibana.alert.rule.severity_mapping": [
+ ],
+ "kibana.alert.rule.tags": [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access"
+ ],
+ "kibana.alert.rule.threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "kibana.alert.rule.timestamp_override": "event.ingested",
+ "kibana.alert.rule.to": "now",
+ "kibana.alert.rule.type": "query",
+ "kibana.alert.rule.updated_at": "2024-09-01T20:39:00.099Z",
+ "kibana.alert.rule.updated_by": "elastic",
+ "kibana.alert.rule.uuid": "c6f64115-5941-46ef-bfa3-61a4ecb4f3ba",
+ "kibana.alert.rule.version": 104,
+ "kibana.alert.severity": "medium",
+ "kibana.alert.start": "2024-09-01T20:44:02.117Z",
+ "kibana.alert.status": "active",
+ "kibana.alert.uuid": "589e086d7ceec7d4b353340578bd607e96fbac7eab9e2926f110990be15122f1",
+ "kibana.alert.workflow_assignee_ids": [
+ ],
+ "kibana.alert.workflow_status": "open",
+ "kibana.alert.workflow_tags": [
+ ],
+ "kibana.space_ids": [
+ "default"
+ ],
+ "kibana.version": "9.0.0",
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "target": {
+ "entity": {
+ "id": "projects/your-project-id/roles/customRole"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
+
+{
+ "type": "doc",
+ "value": {
+ "id": "838ea37ab43ab7d2754d007fbe8191be53d7d637bea62f6189f8db1503c0e250",
+ "index": ".internal.alerts-security.alerts-default-000001",
+ "source": {
+ "@timestamp": "2024-09-01T20:39:03.646Z",
+ "actor": {
+ "entity": {
+ "id": "admin@example.com"
+ }
+ },
+ "client": {
+ "user": {
+ "email": "admin@example.com"
+ }
+ },
+ "cloud": {
+ "project": {
+ "id": "your-project-id"
+ },
+ "provider": "gcp"
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "google.iam.admin.v1.CreateRole",
+ "agent_id_status": "missing",
+ "category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "dataset": "gcp.audit",
+ "id": "kabcd1234efgh5678",
+ "ingested": "2024-09-01T20:38:13Z",
+ "module": "gcp",
+ "outcome": "success",
+ "provider": "activity",
+ "type": [
+ "end",
+ "access",
+ "allowed"
+ ]
+ },
+ "event.kind": "signal",
+ "gcp": {
+ "audit": {
+ "authorization_info": [
+ {
+ "granted": true,
+ "permission": "iam.roles.create",
+ "resource": "projects/your-project-id"
+ }
+ ],
+ "logentry_operation": {
+ "id": "operation-0987654321"
+ },
+ "request": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.CreateRoleRequest",
+ "parent": "projects/your-project-id",
+ "role": {
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "title": "Custom Role"
+ },
+ "roleId": "customRole"
+ },
+ "resource_name": "projects/your-project-id/roles/customRole",
+ "response": {
+ "@type": "type.googleapis.com/google.iam.admin.v1.Role",
+ "description": "A custom role with specific permissions",
+ "includedPermissions": [
+ "resourcemanager.projects.get",
+ "resourcemanager.projects.list"
+ ],
+ "name": "projects/your-project-id/roles/customRole",
+ "stage": "GA",
+ "title": "Custom Role"
+ },
+ "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+ }
+ },
+ "kibana.alert.ancestors": [
+ {
+ "depth": 0,
+ "id": "rhKah5IBGYRrfvcTXtWe",
+ "index": ".ds-logs-gcp.audit-default-2024.10.13-000001",
+ "type": "event"
+ }
+ ],
+ "kibana.alert.depth": 1,
+ "kibana.alert.intended_timestamp": "2024-09-01T20:39:03.657Z",
+ "kibana.alert.last_detected": "2024-09-01T20:39:03.657Z",
+ "kibana.alert.original_event.action": "google.iam.admin.v1.CreateRole",
+ "kibana.alert.original_event.agent_id_status": "missing",
+ "kibana.alert.original_event.category": [
+ "session",
+ "network",
+ "configuration"
+ ],
+ "kibana.alert.original_event.dataset": "gcp.audit",
+ "kibana.alert.original_event.id": "kabcd1234efgh5678",
+ "kibana.alert.original_event.ingested": "2024-09-01T20:38:13Z",
+ "kibana.alert.original_event.kind": "event",
+ "kibana.alert.original_event.module": "gcp",
+ "kibana.alert.original_event.outcome": "success",
+ "kibana.alert.original_event.provider": "activity",
+ "kibana.alert.original_event.type": [
+ "end",
+ "access",
+ "allowed"
+ ],
+ "kibana.alert.original_time": "2024-09-01T12:34:56.789Z",
+ "kibana.alert.reason": "session, network, configuration event with source 10.0.0.1 created medium alert GCP IAM Custom Role Creation.",
+ "kibana.alert.risk_score": 47,
+ "kibana.alert.rule.actions": [
+ ],
+ "kibana.alert.rule.author": [
+ "Elastic"
+ ],
+ "kibana.alert.rule.category": "Custom Query Rule",
+ "kibana.alert.rule.consumer": "siem",
+ "kibana.alert.rule.created_at": "2024-09-01T20:38:49.650Z",
+ "kibana.alert.rule.created_by": "elastic",
+ "kibana.alert.rule.description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+ "kibana.alert.rule.enabled": true,
+ "kibana.alert.rule.exceptions_list": [
+ ],
+ "kibana.alert.rule.execution.timestamp": "2024-09-01T20:39:03.657Z",
+ "kibana.alert.rule.execution.uuid": "939d34e1-1e74-480d-90ae-24079d9b40d3",
+ "kibana.alert.rule.false_positives": [
+ "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "kibana.alert.rule.from": "now-6m",
+ "kibana.alert.rule.immutable": true,
+ "kibana.alert.rule.indices": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "kibana.alert.rule.interval": "5m",
+ "kibana.alert.rule.license": "Elastic License v2",
+ "kibana.alert.rule.max_signals": 100,
+ "kibana.alert.rule.name": "GCP IAM Custom Role Creation",
+ "kibana.alert.rule.note": "",
+ "kibana.alert.rule.parameters": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.",
+ "exceptions_list": [
+ ],
+ "false_positives": [
+ "Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "from": "now-6m",
+ "immutable": true,
+ "index": [
+ "filebeat-*",
+ "logs-gcp*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 100,
+ "note": "",
+ "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n",
+ "references": [
+ "https://cloud.google.com/iam/docs/understanding-custom-roles"
+ ],
+ "related_integrations": [
+ {
+ "integration": "audit",
+ "package": "gcp",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "risk_score_mapping": [
+ ],
+ "rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+ "rule_source": {
+ "is_customized": false,
+ "type": "external"
+ },
+ "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "severity_mapping": [
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "to": "now",
+ "type": "query",
+ "version": 104
+ },
+ "kibana.alert.rule.producer": "siem",
+ "kibana.alert.rule.references": [
+ "https://cloud.google.com/iam/docs/understanding-custom-roles"
+ ],
+ "kibana.alert.rule.revision": 0,
+ "kibana.alert.rule.risk_score": 47,
+ "kibana.alert.rule.risk_score_mapping": [
+ ],
+ "kibana.alert.rule.rule_id": "aa8007f0-d1df-49ef-8520-407857594827",
+ "kibana.alert.rule.rule_type_id": "siem.queryRule",
+ "kibana.alert.rule.severity": "medium",
+ "kibana.alert.rule.severity_mapping": [
+ ],
+ "kibana.alert.rule.tags": [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access"
+ ],
+ "kibana.alert.rule.threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "kibana.alert.rule.timestamp_override": "event.ingested",
+ "kibana.alert.rule.to": "now",
+ "kibana.alert.rule.type": "query",
+ "kibana.alert.rule.updated_at": "2024-09-01T20:39:00.099Z",
+ "kibana.alert.rule.updated_by": "elastic",
+ "kibana.alert.rule.uuid": "c6f64115-5941-46ef-bfa3-61a4ecb4f3ba",
+ "kibana.alert.rule.version": 104,
+ "kibana.alert.severity": "medium",
+ "kibana.alert.start": "2024-09-01T20:39:03.657Z",
+ "kibana.alert.status": "active",
+ "kibana.alert.uuid": "838ea37ab43ab7d2754d007fbe8191be53d7d637bea62f6189f8db1503c0e250",
+ "kibana.alert.workflow_assignee_ids": [
+ ],
+ "kibana.alert.workflow_status": "open",
+ "kibana.alert.workflow_tags": [
+ ],
+ "kibana.space_ids": [
+ "default"
+ ],
+ "kibana.version": "9.0.0",
+ "log": {
+ "level": "NOTICE",
+ "logger": "projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+ },
+ "related": {
+ "ip": [
+ "10.0.0.1"
+ ],
+ "user": [
+ "admin@example.com"
+ ]
+ },
+ "service": {
+ "name": "iam.googleapis.com"
+ },
+ "source": {
+ "ip": "10.0.0.1"
+ },
+ "tags": [
+ "_geoip_database_unavailable_GeoLite2-City.mmdb",
+ "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
+ ],
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "google-cloud-sdk/324.0.0"
+ }
+ }
+ }
+}
diff --git a/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz b/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz
deleted file mode 100644
index 93b2c20b81c86..0000000000000
Binary files a/x-pack/test/cloud_security_posture_functional/es_archives/security_alerts/data.json.gz and /dev/null differ
diff --git a/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts b/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts
index 9657c0f212f9b..63eafc4107bc1 100644
--- a/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts
+++ b/x-pack/test/cloud_security_posture_functional/pages/alerts_flyout.ts
@@ -17,8 +17,7 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
const pageObjects = getPageObjects(['common', 'header', 'alerts']);
const alertsPage = pageObjects.alerts;
- // Failing: See https://github.com/elastic/kibana/issues/198632
- describe.skip('Security Alerts Page - Graph visualization', function () {
+ describe('Security Alerts Page - Graph visualization', function () {
this.tags(['cloud_security_posture_graph_viz']);
before(async () => {
@@ -34,8 +33,8 @@ export default function ({ getPageObjects, getService }: FtrProviderContext) {
// Setting the timerange to fit the data and open the flyout for a specific alert
await alertsPage.navigateToAlertsPage(
`${alertsPage.getAbsoluteTimerangeFilter(
- '2024-10-13T00:00:00.000Z',
- '2024-10-14T00:00:00.000Z'
+ '2024-09-01T00:00:00.000Z',
+ '2024-09-02T00:00:00.000Z'
)}&${alertsPage.getFlyoutFilter(
'589e086d7ceec7d4b353340578bd607e96fbac7eab9e2926f110990be15122f1'
)}`