
[Security Solution][RAC] - Add reason field #107532

Merged: 20 commits from the add-security-reason-field branch into elastic:master on Aug 11, 2021

Conversation

@michaelolo24 (Contributor) commented Aug 3, 2021

Summary

  • This PR indexes the signal.reason/kibana.alert.reason field in security_solution as seen below.
  • It adds the signal.reason field to the default columns in Security Solution
  • The reason field is viewable in the table as well as flyout.
  • The hostname and username are only shown when available


michaelolo24 added the labels release_note:enhancement, v8.0.0, Team:Threat Hunting (Security Solution Threat Hunting Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Theme: rac (label obsolete) and v7.15.0 on Aug 3, 2021
michaelolo24 force-pushed the add-security-reason-field branch from d264522 to 2218a3b on August 9, 2021 04:41
michaelolo24 added the auto-backport label (deprecated; use backport:version if exact versions are needed) on Aug 10, 2021
michaelolo24 force-pushed the add-security-reason-field branch from 1cf3196 to 8d40ac5 on August 10, 2021 16:33
michaelolo24 marked this pull request as ready for review on August 10, 2021 16:38
michaelolo24 requested review from a team as code owners on August 10, 2021 16:38
@elasticmachine (Contributor) commented:

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

@marshallmain (Contributor) left a review comment:

Looks good! There's one small potential change regarding risk score and severity overrides. Great to see we'll be able to easily define different reason messages for each rule type!

michaelolo24 enabled auto-merge (squash) on August 11, 2021 08:07

@machadoum (Member) left a review comment:

It looks good to me. Good work!

I left two minor nitpicking comments. Could you take a look?

Inline review comment on this diff context:

export type BuildReasonMessage = (args: BuildReasonMessageArgs) => string;

/**
* Currently all security solution rule types share a commone reason message string. This function composes that string
@machadoum (Member) commented:

commone typo?

@michaelolo24 (Contributor, Author) replied:

updated, thanks!

Inline review comment on this diff context:

if (mergedDoc?.fields) {
hostName = mergedDoc.fields['host.name'] != null ? mergedDoc.fields['host.name'] : hostName;
userName = mergedDoc.fields['user.name'] != null ? mergedDoc.fields['user.name'] : userName;
timestampForReason =
@machadoum (Member) commented:

nit: This ternary operator chain is a bit hard to read. I think that a simple if/else statement might be more readable.

@michaelolo24 (Contributor, Author) replied:

Yea, I changed it. Thanks!

@michaelolo24 (Contributor, Author) replied:

It should just be the passed-in timestamp, so I removed all this logic.
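The PR summary says the reason string shows host and user only when the source event carries them, and the review snippet above reads those values out of `mergedDoc.fields`. The following is an added illustration of that composition, written for this page and not taken from the Kibana PR: the argument shape, the message wording and the names `buildReasonMessage` and `firstFieldValue` are assumptions. It also handles the array form that Elasticsearch's `fields` option returns, which the quoted ternary does not unwrap. Because `host.name` and `user.name` come straight from the event, the result is untrusted display text and must be escaped before it is rendered as markup.

```typescript
// Added example (not code from the Kibana PR): compose an alert "reason"
// string from a merged source document, showing host and user only when the
// event carries them. Field names follow ECS; the argument shape, the message
// wording and buildReasonMessage/firstFieldValue are assumptions for illustration.

interface ReasonArgs {
  ruleName: string;
  severity: string;
  // Elasticsearch's `fields` option returns every value as an array, so a
  // document may carry ['web-01'] rather than 'web-01' (or nothing at all).
  mergedDoc?: { fields?: Record<string, unknown> };
  // The alert timestamp is passed in and used as-is, not re-derived here.
  timestamp: string;
}

// Returns the first non-empty string for a field, unwrapping the array form;
// undefined when the field is absent, empty, or not a string.
function firstFieldValue(value: unknown): string | undefined {
  const candidate = Array.isArray(value) ? value[0] : value;
  return typeof candidate === 'string' && candidate.length > 0 ? candidate : undefined;
}

// host.name and user.name originate in the source event, so they are
// attacker-influenced text: the result is a plain string for display and must
// never be interpolated into HTML or markup without escaping.
function buildReasonMessage({ ruleName, severity, mergedDoc, timestamp }: ReasonArgs): string {
  const fields: Record<string, unknown> = mergedDoc?.fields ?? {};
  const hostName = firstFieldValue(fields['host.name']);
  const userName = firstFieldValue(fields['user.name']);

  const parts: string[] = [`${severity} severity rule "${ruleName}"`];
  if (userName !== undefined) {
    parts.push(`by ${userName}`);
  }
  if (hostName !== undefined) {
    parts.push(`on ${hostName}`);
  }
  parts.push(`at ${timestamp}`);
  return `Alert generated for ${parts.join(' ')}.`;
}

// Constructed sample documents (not real data): one with both identity fields,
// one from a source that has no host or user information at all.
const SAMPLE_DOCS: ReasonArgs[] = [
  {
    ruleName: 'Suspicious PowerShell Encoded Command',
    severity: 'high',
    timestamp: '2021-08-11T08:07:00.000Z',
    mergedDoc: { fields: { 'host.name': ['web-01'], 'user.name': ['svc_deploy'] } },
  },
  {
    ruleName: 'Threat Intel Indicator Match',
    severity: 'medium',
    timestamp: '2021-08-11T08:09:30.000Z',
    mergedDoc: { fields: { 'source.ip': ['203.0.113.7'] } },
  },
];

function sampleReasons(): string[] {
  return SAMPLE_DOCS.map((doc) => buildReasonMessage(doc));
}

console.log(sampleReasons().join('\n'));
```

The second sample shows the "only when available" rule: with neither field present the message degrades to rule, severity and timestamp rather than printing `undefined`, and an empty array (`'host.name': []`) is treated the same as an absent field.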

@kibanamachine (Contributor) commented:

💚 Build Succeeded

Metrics

Async chunks (total size of all lazy-loaded chunks that will be downloaded as the user navigates the app):

id               | before  | after   | diff
securitySolution | 6.5MB   | 6.5MB   | -574.0B
timelines        | 267.5KB | 267.5KB | +16.0B
total            |         |         | -558.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

michaelolo24 merged commit 09470dc into elastic:master on Aug 11, 2021

@kibanamachine (Contributor) commented:

💔 Backport failed

Branch | Result
7.x    | Commit could not be cherrypicked due to conflicts

To backport manually run:
node scripts/backport --pr 107532

michaelolo24 added a commit to michaelolo24/kibana that referenced this pull request on Aug 11, 2021
# Conflicts:
#   x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts

michaelolo24 added a commit to michaelolo24/kibana that referenced this pull request on Aug 12, 2021
# Conflicts:
#   x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts

michaelolo24 added a commit that referenced this pull request on Aug 12, 2021
# Conflicts:
#   x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
5 participants