From b557f3c7806e4b6005230ec13a167834e3a1fe6a Mon Sep 17 00:00:00 2001
From: Jan Monschke
Date: Thu, 17 Feb 2022 14:47:23 +0100
Subject: [PATCH] fix: use correct field ids for ML, ransomware, threat matching events
---
 .../event_details/alert_summary_view.test.tsx | 99 +++++++++++++++++++
 .../event_details/get_alert_summary_rows.tsx | 20 ++--
 .../components/alerts_table/translations.ts | 7 --
 3 files changed, 109 insertions(+), 17 deletions(-)
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
index 24b907e6bd938..4bb4c4809764a 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
@@ -258,6 +258,105 @@ describe('AlertSummaryView', () => {
 });
 });
+ test('Ransomware event code shows correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'event' && item.field === 'event.code') {
+ return {
+ ...item,
+ values: ['ransomware'],
+ originalValue: ['ransomware'],
+ };
+ }
+ return item;
+ }),
+ { category: 'Ransomware', field: 'Ransomware.feature', values: ['mbr'] },
+ {
+ category: 'process',
+ field: 'process.hash.sha256',
+ values: ['3287rhf3847gb38fb3o984g9384g7b3b847gb'],
+ },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+ );
+ ['process.hash.sha256', 'Ransomware.feature'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
+ test('Machine learning events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['machine_learning'],
+ originalValue: ['machine_learning'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'kibana',
+ field: 'kibana.alert.rule.parameters.machine_learning_job_id',
+ values: ['i_am_the_ml_job_id'],
+ },
+ { category: 'kibana', field: 'kibana.alert.rule.parameters.anomaly_threshold', values: [2] },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+ );
+ ['i_am_the_ml_job_id', 'kibana.alert.rule.parameters.anomaly_threshold'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
+ test('Threat match events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['threat_match'],
+ originalValue: ['threat_match'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'kibana',
+ field: 'kibana.alert.rule.threat_index',
+ values: ['threat_index*'],
+ },
+ { category: 'kibana', field: 'kibana.alert.rule.threat_query', values: ['*query*'] },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+ );
+ ['threat_index*', '*query*'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
 test('Ransomware event code resolves fields from the source event', () => {
 const renderProps = {
 ...props,
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
index af93393e5b8a4..9f0dfb53a5c4b 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
@@ -6,7 +6,7 @@
 */
 import { find, isEmpty, uniqBy } from 'lodash/fp';
-import { ALERT_RULE_NAMESPACE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAMESPACE, ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 import * as i18n from './translations';
 import { BrowserFields } from '../../../../common/search_strategy/index_fields';
@@ -14,7 +14,6 @@ import {
 ALERTS_HEADERS_THRESHOLD_CARDINALITY,
 ALERTS_HEADERS_THRESHOLD_COUNT,
 ALERTS_HEADERS_THRESHOLD_TERMS,
- ALERTS_HEADERS_TARGET_IMPORT_HASH,
 ALERTS_HEADERS_RULE_DESCRIPTION,
 } from '../../../detections/components/alerts_table/translations';
 import { ALERT_THRESHOLD_RESULT } from '../../../../common/field_maps/field_names';
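Review bot: `expect(getByText(fieldId));` in each of the three new tests is a bare `expect` with no matcher, so the assertion itself checks nothing and the test only fails because `getByText` throws when the text is absent; a matcher makes the intent explicit and keeps the usual jest "valid expect" lint rule happy, e.g. `expect(getByText(fieldId)).toBeInTheDocument();` if the jest-dom matchers are set up for this suite as they appear to be elsewhere in the plugin. The loop variable is named `fieldId` although the ML and threat-match tests iterate over rendered values (`'i_am_the_ml_job_id'`, `'threat_index*'`, `'*query*'`) and the ML list mixes a value with a field id (`'kibana.alert.rule.parameters.anomaly_threshold'`), so the three tests do not check the same thing; renaming the variable to `text` and asserting the same kind of content (label or value) in all three would make that consistent. The JSX inside the three `render(` calls is not visible in this view, so the rendered tree cannot be confirmed from the hunk.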
@@ -111,16 +110,17 @@ function getFieldsByEventCode(
 case EventCode.SHELLCODE_THREAD:
 return [
 { id: 'Target.process.executable' },
- {
- id: 'Target.process.thread.Ext.start_address_detaiuls.memory_pe.imphash',
- label: ALERTS_HEADERS_TARGET_IMPORT_HASH,
- },
 {
 id: 'Memory_protection.unique_key_v1',
 },
 ];
- case EventCode.MEMORY_SIGNATURE:
 case EventCode.RANSOMWARE:
+ return [
+ { id: 'Ransomware.feature' },
+ { id: 'process.hash.sha256' },
+ ...getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }),
+ ];
+ case EventCode.MEMORY_SIGNATURE:
 // Resolve more fields based on the source event
 return getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined });
 default:
@@ -145,10 +145,10 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
 case 'machine_learning':
 return [
 {
- id: `${ALERT_RULE_NAMESPACE}.machine_learning_job_id`,
+ id: `${ALERT_RULE_PARAMETERS}.machine_learning_job_id`,
 },
 {
- id: `${ALERT_RULE_NAMESPACE}.anomaly_threshold`,
+ id: `${ALERT_RULE_PARAMETERS}.anomaly_threshold`,
 },
 ];
 case 'threat_match':
@@ -157,7 +157,7 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
 id: `${ALERT_RULE_NAMESPACE}.threat_index`,
 },
 {
- id: `${ALERT_RULE_NAMESPACE}.index`,
+ id: `${ALERT_RULE_NAMESPACE}.threat_query`,
 },
 ];
 default:
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
index 1897ad45fe7ff..590b5759ecae4 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
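Review bot: The new `EventCode.RANSOMWARE` branch spreads `getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined })` after its two fixed ids, so if that fallback also yields `process.hash.sha256` for a process-category source event the summary would list the row twice unless the caller dedupes by id (the file imports `uniqBy`, which suggests it might, but that code is outside the hunk and worth confirming). The comment `// Resolve more fields based on the source event` now only annotates the `MEMORY_SIGNATURE` case even though the ransomware case performs the same fallback; a line such as `// Ransomware-specific fields first, then fall back to the fields of the source event` above the new `return [` would carry the intent over. Since the identical `getFieldsByCategory(...)` call now appears in both cases, hoisting it into one local such as `const sourceEventFields = getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined });` and spreading or returning that would keep the two branches from drifting apart. `getFieldsByEventCode` starts before and ends after this hunk.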
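Review bot: The machine-learning ids now resolve under `ALERT_RULE_PARAMETERS` while the threat-match ids in the next hunk (`threat_index`, and the renamed `threat_query`) stay under `ALERT_RULE_NAMESPACE`, and nothing in the code records why the two rule types use different prefixes; if `threat_index` and `threat_query` are persisted as rule parameters the way `machine_learning_job_id` is, they would presumably need `${ALERT_RULE_PARAMETERS}` as well, so this is worth checking against the alert document mapping before merge. The added tests only feed these same strings back in through `data`, so they prove the rows render for a given id but not that real alert documents carry the fields under those names. A short comment on each `case`, e.g. `// id must match the field name as stored on the alert document (see ALERT_RULE_PARAMETERS)` above the `machine_learning` return and the equivalent above `threat_match`, would make the next mismatch of this kind easier to spot. `getFieldsByRuleType` starts before and ends after these two hunks.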
@@ -136,13 +136,6 @@ export const ALERTS_HEADERS_THRESHOLD_CARDINALITY = i18n.translate(
 }
 );
-export const ALERTS_HEADERS_TARGET_IMPORT_HASH = i18n.translate(
- 'xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash',
- {
- defaultMessage: 'Import Hash',
- }
-);
-
 export const ACTION_OPEN_ALERT = i18n.translate(
 'xpack.securitySolution.detectionEngine.alerts.actions.openAlertTitle',
 {