[Security Solution][RAC] Flatten alert fields (#107581)
* incremental changes

* No more type errors

* Type guards

* Begin adding tests

* Flatten

* Reduce scope of branch

* Remove extraneous argument to filter_duplicate_signals
madirey authored Aug 5, 2021
1 parent d187259 commit d34cd91
Showing 21 changed files with 710 additions and 150 deletions.
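--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -74,6 +74,12 @@ const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
 const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
 const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
 
+const namespaces = {
+KIBANA_NAMESPACE,
+ALERT_NAMESPACE,
+ALERT_RULE_NAMESPACE,
+};
+
 const fields = {
 CONSUMERS,
 ECS_VERSION,
@@ -142,6 +148,8 @@ export {
 ALERT_EVALUATION_THRESHOLD,
 ALERT_EVALUATION_VALUE,
 ALERT_ID,
+ALERT_NAMESPACE,
+ALERT_RULE_NAMESPACE,
 ALERT_OWNER,
 ALERT_PRODUCER,
 ALERT_REASON,
@@ -185,6 +193,7 @@ export {
 ECS_VERSION,
 EVENT_ACTION,
 EVENT_KIND,
+KIBANA_NAMESPACE,
 RULE_CATEGORY,
 RULE_CONSUMERS,
 RULE_ID,
@@ -196,4 +205,4 @@ export {
 VERSION,
 };
 
-export type TechnicalRuleDataFieldName = ValuesType<typeof fields>;
+export type TechnicalRuleDataFieldName = ValuesType<typeof fields & typeof namespaces>;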
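Review bot: The widened `TechnicalRuleDataFieldName` on the last line of the section now admits the bare namespace prefixes from the new `namespaces` object (`KIBANA_NAMESPACE`, `ALERT_NAMESPACE`, `ALERT_RULE_NAMESPACE`) as if they were document field names, so code that keys a document by a value of this type can no longer rely on it being a concrete field. If the prefixes are only needed as exported constants, a separate alias keeps the field type precise: `export type TechnicalRuleDataNamespace = ValuesType<typeof namespaces>;` with `TechnicalRuleDataFieldName` left as `ValuesType<typeof fields>`. If the widening is intended, a one-line comment above the alias saying that namespace prefixes are deliberately included would stop the next reader from narrowing it back.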
Expand Up @@ -11,10 +11,12 @@ import {
ALERT_EVALUATION_VALUE,
ALERT_ID,
ALERT_PRODUCER,
ALERT_OWNER,
ALERT_SEVERITY_LEVEL,
ALERT_START,
ALERT_STATUS,
ALERT_UUID,
SPACE_IDS,
} from '@kbn/rule-data-utils';
import { ValuesType } from 'utility-types';
import { EuiTheme } from '../../../../../../../../src/plugins/kibana_react/common';
Expand All @@ -32,6 +34,7 @@ const theme = ({
eui: { euiColorDanger, euiColorWarning },
} as unknown) as EuiTheme;
const alert: Alert = {
[SPACE_IDS]: ['space-id'],
'rule.id': ['apm.transaction_duration'],
[ALERT_EVALUATION_VALUE]: [2057657.39],
'service.name': ['frontend-rum'],
Expand All @@ -42,6 +45,7 @@ const alert: Alert = {
'transaction.type': ['page-load'],
[ALERT_PRODUCER]: ['apm'],
[ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478180'],
[ALERT_OWNER]: ['apm'],
'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
'event.action': ['active'],
'@timestamp': ['2021-06-01T16:16:05.183Z'],
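--- a/x-pack/plugins/rule_registry/README.md
+++ b/x-pack/plugins/rule_registry/README.md
@@ -124,7 +124,6 @@ The following fields are defined in the technical field component template and s
 - `rule.uuid`: the saved objects id of the rule.
 - `rule.name`: the name of the rule (as specified by the user).
 - `rule.category`: the name of the rule type (as defined by the rule type producer)
-- `kibana.alert.producer`: the producer of the rule type. Usually a Kibana plugin. e.g., `APM`.
 - `kibana.alert.owner`: the feature which produced the alert. Usually a Kibana feature id like `apm`, `siem`...
 - `kibana.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
 - `kibana.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again.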
Expand Up @@ -2148,7 +2148,7 @@ export const ecsFieldMap = {
'rule.id': {
type: 'keyword',
array: false,
required: false,
required: true,
},
'rule.license': {
type: 'keyword',
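Review bot: `required: true` on `rule.id` in `ecsFieldMap` is a contract on every writer, and the only writer in this commit that fills it is the lifecycle executor, which stores `rule.ruleTypeId` there (assuming `RULE_ID` resolves to `rule.id`); a rule type id is not what the ECS name `rule.id` suggests, so a comment beside the flag such as `// required: populated by createLifecycleExecutor with the rule type id` would record the intent. If `ecsFieldMap` is generated from the ECS schema, this hand edit will be lost on the next regeneration and the override belongs in the generator or in `technicalRuleFieldMap` instead; the page does not show whether that is the case. The map continues outside the hunk.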
Expand Up @@ -20,9 +20,9 @@ export const technicalRuleFieldMap = {
Fields.RULE_CATEGORY,
Fields.TAGS
),
[Fields.ALERT_OWNER]: { type: 'keyword' },
[Fields.ALERT_OWNER]: { type: 'keyword', required: true },
[Fields.ALERT_PRODUCER]: { type: 'keyword' },
[Fields.SPACE_IDS]: { type: 'keyword', array: true },
[Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
[Fields.ALERT_UUID]: { type: 'keyword' },
[Fields.ALERT_ID]: { type: 'keyword' },
[Fields.ALERT_START]: { type: 'date' },
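Review bot: `[Fields.ALERT_PRODUCER]` on the line between the two changed entries stays in the map as an optional field and is still exported from `technical_field_names.ts`, while the README hunk deletes the only description of `kibana.alert.producer`; either drop the field as well or restore the README bullet so the documented and mapped field sets agree. Making `SPACE_IDS` and `ALERT_OWNER` required is a sensible integrity check, since an alert without a space id or owner cannot be scoped correctly, but the `RuleRegistryLogClient` writes in this commit only show `ALERT_OWNER` being added; presumably `SPACE_IDS` is set outside those hunks, which is worth confirming because `required` is presumably enforced at document validation time rather than by the compiler.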
Expand Up @@ -13,6 +13,7 @@ import {
CONSUMERS,
ECS_VERSION,
RULE_ID,
SPACE_IDS,
TIMESTAMP,
VERSION,
} from '@kbn/rule-data-utils';
Expand All @@ -33,6 +34,7 @@ const getMockAlert = (): ParsedTechnicalFields => ({
[ALERT_OWNER]: 'apm',
[ALERT_STATUS]: 'open',
[ALERT_RULE_RISK_SCORE]: 20,
[SPACE_IDS]: ['fake-space-id'],
[ALERT_RULE_SEVERITY]: 'warning',
});

Expand Up @@ -23,6 +23,9 @@ import {
ALERT_STATUS,
EVENT_ACTION,
EVENT_KIND,
RULE_ID,
ALERT_OWNER,
SPACE_IDS,
} from '../../common/technical_rule_data_field_names';
import { createRuleDataClientMock } from '../rule_data_client/create_rule_data_client_mock';
import { createLifecycleExecutor } from './create_lifecycle_executor';
Expand Down Expand Up @@ -128,12 +131,16 @@ describe('createLifecycleExecutor', () => {
{
fields: {
[ALERT_ID]: 'TEST_ALERT_0',
[ALERT_OWNER]: 'CONSUMER',
[RULE_ID]: 'RULE_TYPE_ID',
labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
},
},
{
fields: {
[ALERT_ID]: 'TEST_ALERT_1',
[ALERT_OWNER]: 'CONSUMER',
[RULE_ID]: 'RULE_TYPE_ID',
labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
},
},
Expand Down Expand Up @@ -222,13 +229,19 @@ describe('createLifecycleExecutor', () => {
fields: {
'@timestamp': '',
[ALERT_ID]: 'TEST_ALERT_0',
[ALERT_OWNER]: 'CONSUMER',
[RULE_ID]: 'RULE_TYPE_ID',
[SPACE_IDS]: ['fake-space-id'],
labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must show up in the written doc
},
},
{
fields: {
'@timestamp': '',
[ALERT_ID]: 'TEST_ALERT_1',
[ALERT_OWNER]: 'CONSUMER',
[RULE_ID]: 'RULE_TYPE_ID',
[SPACE_IDS]: ['fake-space-id'],
labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc
},
},
Expand Up @@ -30,6 +30,7 @@ import {
EVENT_ACTION,
EVENT_KIND,
ALERT_OWNER,
RULE_ID,
RULE_UUID,
TIMESTAMP,
SPACE_IDS,
Expand Down Expand Up @@ -154,6 +155,8 @@ export const createLifecycleExecutor = (
currentAlerts[id] = {
...fields,
[ALERT_ID]: id,
[RULE_ID]: rule.ruleTypeId,
[ALERT_OWNER]: rule.consumer,
};
return alertInstanceFactory(id);
},
Expand Down Expand Up @@ -226,6 +229,8 @@ export const createLifecycleExecutor = (
alertsDataMap[alertId] = {
...fields,
[ALERT_ID]: alertId,
[RULE_ID]: rule.ruleTypeId,
[ALERT_OWNER]: rule.consumer,
};
});
}
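Review bot: The object literals at the `currentAlerts[id]` and `alertsDataMap[alertId]` sites now repeat the same four keys verbatim; a small closure over `rule`, such as `const withRuleFields = (alertId, fields) => ({ ...fields, [ALERT_ID]: alertId, [RULE_ID]: rule.ruleTypeId, [ALERT_OWNER]: rule.consumer })`, called from both places keeps them from drifting apart. The ordering also deserves a comment: because `[RULE_ID]` and `[ALERT_OWNER]` follow `...fields`, any values the rule type executor supplies under those keys are overwritten by the rule's own `ruleTypeId` and `consumer`, which is the right direction if owner is used for access decisions downstream; `// set after the spread so executor-supplied fields cannot override rule identity or owner` at both sites would make that intent explicit. Storing `rule.ruleTypeId` under `RULE_ID` is worth a word too, as the constant name (and `rule.id` in the ECS map) reads as a rule instance id. `createLifecycleExecutor` begins and ends outside the hunks.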
Expand Up @@ -6,7 +6,14 @@
*/

import { estypes } from '@elastic/elasticsearch';
import { EVENT_ACTION, EVENT_KIND, RULE_ID, SPACE_IDS, TIMESTAMP } from '@kbn/rule-data-utils';
import {
ALERT_OWNER,
EVENT_ACTION,
EVENT_KIND,
RULE_ID,
SPACE_IDS,
TIMESTAMP,
} from '@kbn/rule-data-utils';
import { once } from 'lodash/fp';
import moment from 'moment';
import { RuleDataClient } from '../../../../../../rule_registry/server';
Expand Down Expand Up @@ -221,6 +228,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
[getMetricField(metric)]: value,
[RULE_ID]: ruleId,
[TIMESTAMP]: new Date().toISOString(),
[ALERT_OWNER]: 'siem',
},
namespace
);
Expand All @@ -244,6 +252,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient {
[RULE_STATUS_SEVERITY]: statusSeverityDict[newStatus],
[RULE_STATUS]: newStatus,
[TIMESTAMP]: new Date().toISOString(),
[ALERT_OWNER]: 'siem',
},
namespace
);
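Review bot: The literal `'siem'` written to `[ALERT_OWNER]` appears twice in this section (the metric write and the status write); hoisting it to a module constant, e.g. `const SIEM_ALERT_OWNER = 'siem' as const;`, defines the owner value once and lets it be reconciled with the feature id the rest of the plugin uses. Since `ALERT_OWNER` is now required in `technicalRuleFieldMap`, any other write path in this class outside these hunks needs the same field; the page does not show whether there are others. The enclosing methods start and end outside the hunks.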
Expand Up @@ -191,8 +191,10 @@ export const createSecurityRuleTypeFactory: CreateSecurityRuleTypeFactory = ({
);

const wrapHits = wrapHitsFactory({
ruleSO,
logger,
mergeStrategy,
ruleSO,
spaceId,
});

for (const tuple of tuples) {