Removing rule registry FieldMap and mappingFromFieldMap in favor of a…

…lerting version
elastic · Feb 7, 2023 · f24a0be · f24a0be
1 parent a0b331d
commit f24a0be
Show file tree

Hide file tree

Showing 31 changed files with 207 additions and 166 deletions.
diff --git a/packages/kbn-rule-data-utils/index.ts b/packages/kbn-rule-data-utils/index.ts
@@ -8,7 +8,7 @@
 
 export * from './src/default_alerts_as_data';
 export * from './src/legacy_alerts_as_data';
-export { type TechnicalRuleDataFieldName } from './src/technical_field_names';
+export * from './src/technical_field_names';
 export * from './src/alerts_as_data_rbac';
 export * from './src/alerts_as_data_severity';
 export * from './src/alerts_as_data_status';

diff --git a/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts
@@ -13,7 +13,11 @@ const EVENT_ACTION = 'event.action' as const;
 const EVENT_KIND = 'event.kind' as const;
 const TAGS = 'tags' as const;
 
-// these are in the technical component template
+// These are the fields that are in the rule registry technical component template
+// that are NOT in the framework alerts as data common component template
+
+// We will maintain a legacy component template that can be used by legacy
+// rule registry rules with these fields.
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
 const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
@@ -44,52 +48,16 @@ const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
 const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
 const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;
 
-// // these fields are not in the technical component template
-// // namespaces
-// const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const;
-
-// const EVENT_MODULE = 'event.module' as const;
-
-// // Fields pertaining to the alert
-// const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const;
-// const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
-// const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
-
-// // Fields pertaining to the rule associated with the alert
-// const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
-// const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const;
-
-// // Fields pertaining to the threat tactic associated with the rule
-// const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const;
-// const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const;
-// const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const;
-// const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const;
-// const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const;
-// const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const;
-// const ALERT_THREAT_TECHNIQUE_REFERENCE =
-//   `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const;
-// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID =
-//   `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const;
-// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME =
-//   `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const;
-// const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE =
-//   `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const;
-
 export {
-  // ALERT_BUILDING_BLOCK_TYPE,
-  // ALERT_EVALUATION_THRESHOLD,
-  // ALERT_EVALUATION_VALUE,
   ALERT_RISK_SCORE,
   ALERT_RULE_AUTHOR,
   ALERT_RULE_CREATED_AT,
   ALERT_RULE_CREATED_BY,
   ALERT_RULE_DESCRIPTION,
   ALERT_RULE_ENABLED,
-  // ALERT_RULE_EXCEPTIONS_LIST,
   ALERT_RULE_FROM,
   ALERT_RULE_INTERVAL,
   ALERT_RULE_LICENSE,
-  // ALERT_RULE_NAMESPACE_FIELD,
   ALERT_RULE_NOTE,
   ALERT_RULE_REFERENCES,
   ALERT_RULE_RULE_ID,
@@ -107,21 +75,10 @@ export {
   ALERT_SUPPRESSION_TERMS,
   ALERT_SUPPRESSION_VALUE,
   ALERT_SYSTEM_STATUS,
-  // ALERT_THREAT_FRAMEWORK,
-  // ALERT_THREAT_TACTIC_ID,
-  // ALERT_THREAT_TACTIC_NAME,
-  // ALERT_THREAT_TACTIC_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_USER,
   ECS_VERSION,
   EVENT_ACTION,
   EVENT_KIND,
-  // EVENT_MODULE,
   TAGS,
 };
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -38,20 +38,15 @@ import {
 } from './default_alerts_as_data';
 
 import {
-  // ALERT_BUILDING_BLOCK_TYPE,
-  // ALERT_EVALUATION_THRESHOLD,
-  // ALERT_EVALUATION_VALUE,
   ALERT_RISK_SCORE,
   ALERT_RULE_AUTHOR,
   ALERT_RULE_CREATED_AT,
   ALERT_RULE_CREATED_BY,
   ALERT_RULE_DESCRIPTION,
   ALERT_RULE_ENABLED,
-  // ALERT_RULE_EXCEPTIONS_LIST,
   ALERT_RULE_FROM,
   ALERT_RULE_INTERVAL,
   ALERT_RULE_LICENSE,
-  // ALERT_RULE_NAMESPACE_FIELD,
   ALERT_RULE_NOTE,
   ALERT_RULE_REFERENCES,
   ALERT_RULE_RULE_ID,
@@ -69,25 +64,47 @@ import {
   ALERT_SUPPRESSION_TERMS,
   ALERT_SUPPRESSION_VALUE,
   ALERT_SYSTEM_STATUS,
-  // ALERT_THREAT_FRAMEWORK,
-  // ALERT_THREAT_TACTIC_ID,
-  // ALERT_THREAT_TACTIC_NAME,
-  // ALERT_THREAT_TACTIC_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_USER,
   ECS_VERSION,
   EVENT_ACTION,
   EVENT_KIND,
-  // EVENT_MODULE,
   TAGS,
 } from './legacy_alerts_as_data';
 
+// The following fields were identified as technical field names but were not defined in the
+// rule registry technical component template. We will leave these here for backwards
+// compatibility but these consts should be moved to the plugin that uses them
+
+const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const;
+
+const EVENT_MODULE = 'event.module' as const;
+
+// Fields pertaining to the alert
+const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const;
+const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
+const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
+
+// Fields pertaining to the rule associated with the alert
+const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
+const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const;
+
+// Fields pertaining to the threat tactic associated with the rule
+const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const;
+const ALERT_THREAT_TACTIC_ID = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.id` as const;
+const ALERT_THREAT_TACTIC_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.name` as const;
+const ALERT_THREAT_TACTIC_REFERENCE = `${ALERT_RULE_THREAT_NAMESPACE}.tactic.reference` as const;
+const ALERT_THREAT_TECHNIQUE_ID = `${ALERT_RULE_THREAT_NAMESPACE}.technique.id` as const;
+const ALERT_THREAT_TECHNIQUE_NAME = `${ALERT_RULE_THREAT_NAMESPACE}.technique.name` as const;
+const ALERT_THREAT_TECHNIQUE_REFERENCE =
+  `${ALERT_RULE_THREAT_NAMESPACE}.technique.reference` as const;
+const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID =
+  `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.id` as const;
+const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME =
+  `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.name` as const;
+const ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE =
+  `${ALERT_RULE_THREAT_NAMESPACE}.technique.subtechnique.reference` as const;
+
 const namespaces = {
   KIBANA_NAMESPACE,
   ALERT_NAMESPACE,
@@ -98,15 +115,15 @@ const fields = {
   ECS_VERSION,
   EVENT_KIND,
   EVENT_ACTION,
-  // EVENT_MODULE,
+  EVENT_MODULE,
   TAGS,
   TIMESTAMP,
   ALERT_ACTION_GROUP,
-  // ALERT_BUILDING_BLOCK_TYPE,
+  ALERT_BUILDING_BLOCK_TYPE,
   ALERT_DURATION,
   ALERT_END,
-  // ALERT_EVALUATION_THRESHOLD,
-  // ALERT_EVALUATION_VALUE,
+  ALERT_EVALUATION_THRESHOLD,
+  ALERT_EVALUATION_VALUE,
   ALERT_FLAPPING,
   ALERT_INSTANCE_ID,
   ALERT_RULE_CONSUMER,
@@ -119,13 +136,13 @@ const fields = {
   ALERT_RULE_CREATED_BY,
   ALERT_RULE_DESCRIPTION,
   ALERT_RULE_ENABLED,
-  // ALERT_RULE_EXCEPTIONS_LIST,
+  ALERT_RULE_EXCEPTIONS_LIST,
   ALERT_RULE_EXECUTION_UUID,
   ALERT_RULE_FROM,
   ALERT_RULE_INTERVAL,
   ALERT_RULE_LICENSE,
   ALERT_RULE_NAME,
-  // ALERT_RULE_NAMESPACE_FIELD,
+  ALERT_RULE_NAMESPACE_FIELD,
   ALERT_RULE_NOTE,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_REFERENCES,
@@ -149,16 +166,16 @@ const fields = {
   ALERT_WORKFLOW_USER,
   ALERT_RULE_UUID,
   ALERT_RULE_CATEGORY,
-  // ALERT_THREAT_FRAMEWORK,
-  // ALERT_THREAT_TACTIC_ID,
-  // ALERT_THREAT_TACTIC_NAME,
-  // ALERT_THREAT_TACTIC_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_REFERENCE,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
-  // ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+  ALERT_THREAT_FRAMEWORK,
+  ALERT_THREAT_TACTIC_ID,
+  ALERT_THREAT_TACTIC_NAME,
+  ALERT_THREAT_TACTIC_REFERENCE,
+  ALERT_THREAT_TECHNIQUE_ID,
+  ALERT_THREAT_TECHNIQUE_NAME,
+  ALERT_THREAT_TECHNIQUE_REFERENCE,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
   ALERT_SUPPRESSION_TERMS,
   ALERT_SUPPRESSION_FIELD,
   ALERT_SUPPRESSION_VALUE,
@@ -169,4 +186,22 @@ const fields = {
   VERSION,
 };
 
+export {
+  ALERT_BUILDING_BLOCK_TYPE,
+  ALERT_EVALUATION_THRESHOLD,
+  ALERT_EVALUATION_VALUE,
+  ALERT_RULE_EXCEPTIONS_LIST,
+  ALERT_RULE_NAMESPACE_FIELD,
+  ALERT_THREAT_FRAMEWORK,
+  ALERT_THREAT_TACTIC_ID,
+  ALERT_THREAT_TACTIC_NAME,
+  ALERT_THREAT_TACTIC_REFERENCE,
+  ALERT_THREAT_TECHNIQUE_ID,
+  ALERT_THREAT_TECHNIQUE_NAME,
+  ALERT_THREAT_TECHNIQUE_REFERENCE,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
+  ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
+};
+
 export type TechnicalRuleDataFieldName = ValuesType<typeof fields & typeof namespaces>;
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -7,6 +7,7 @@
 import { mappingFromFieldMap } from './mapping_from_field_map';
 import { FieldMap } from './types';
 import { alertFieldMap } from './alert_field_map';
+import { legacyAlertFieldMap } from './legacy_alert_field_map';
 
 describe('mappingFromFieldMap', () => {
   const fieldMap: FieldMap = {
@@ -184,13 +185,19 @@ describe('mappingFromFieldMap', () => {
     expect(mappingFromFieldMap(alertFieldMap)).toEqual({
       dynamic: 'strict',
       properties: {
+        '@timestamp': {
+          type: 'date',
+        },
         kibana: {
           properties: {
             alert: {
               properties: {
                 action_group: {
                   type: 'keyword',
                 },
+                case_ids: {
+                  type: 'keyword',
+                },
                 duration: {
                   properties: {
                     us: {
@@ -204,8 +211,18 @@ describe('mappingFromFieldMap', () => {
                 flapping: {
                   type: 'boolean',
                 },
-                id: {
-                  type: 'keyword',
+                flapping_history: {
+                  type: 'boolean',
+                },
+                instance: {
+                  properties: {
+                    id: {
+                      type: 'keyword',
+                    },
+                  },
+                },
+                last_detected: {
+                  type: 'date',
                 },
                 reason: {
                   type: 'keyword',
@@ -274,6 +291,58 @@ describe('mappingFromFieldMap', () => {
         },
       },
     });
+    expect(mappingFromFieldMap(legacyAlertFieldMap)).toEqual({
+      dynamic: 'strict',
+      properties: {
+        kibana: {
+          properties: {
+            alert: {
+              properties: {
+                risk_score: { type: 'float' },
+                rule: {
+                  properties: {
+                    author: { type: 'keyword' },
+                    created_at: { type: 'date' },
+                    created_by: { type: 'keyword' },
+                    description: { type: 'keyword' },
+                    enabled: { type: 'keyword' },
+                    from: { type: 'keyword' },
+                    interval: { type: 'keyword' },
+                    license: { type: 'keyword' },
+                    note: { type: 'keyword' },
+                    references: { type: 'keyword' },
+                    rule_id: { type: 'keyword' },
+                    rule_name_override: { type: 'keyword' },
+                    to: { type: 'keyword' },
+                    type: { type: 'keyword' },
+                    updated_at: { type: 'date' },
+                    updated_by: { type: 'keyword' },
+                    version: { type: 'keyword' },
+                  },
+                },
+                severity: { type: 'keyword' },
+                suppression: {
+                  properties: {
+                    docs_count: { type: 'long' },
+                    end: { type: 'date' },
+                    terms: {
+                      properties: { field: { type: 'keyword' }, value: { type: 'keyword' } },
+                    },
+                    start: { type: 'date' },
+                  },
+                },
+                system_status: { type: 'keyword' },
+                workflow_reason: { type: 'keyword' },
+                workflow_user: { type: 'keyword' },
+              },
+            },
+          },
+        },
+        ecs: { properties: { version: { type: 'keyword' } } },
+        event: { properties: { action: { type: 'keyword' }, kind: { type: 'keyword' } } },
+        tags: { type: 'keyword' },
+      },
+    });
   });
 
   it('uses dynamic setting if specified', () => {

diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/types.ts
@@ -24,6 +24,6 @@ export interface FieldMap {
     multi_fields?: MultiField[];
     path?: string;
     scaling_factor?: number;
-    dynamic?: boolean | string;
+    dynamic?: boolean | 'strict';
   };
 }
diff --git a/x-pack/plugins/alerting/common/alert_schema/index.ts b/x-pack/plugins/alerting/common/alert_schema/index.ts
@@ -7,4 +7,6 @@
 
 export { alertFieldMap } from './field_maps/alert_field_map';
 export { legacyAlertFieldMap } from './field_maps/legacy_alert_field_map';
+export { mappingFromFieldMap } from './field_maps/mapping_from_field_map';
+export { type FieldMap } from './field_maps/types';
 export { getComponentTemplateFromFieldMap } from './field_maps/component_template_from_field_map';