From 9e31e87d86ed1d9d8bb8bc33e3d0e30236cfaff8 Mon Sep 17 00:00:00 2001 From: Jan Monschke Date: Tue, 22 Feb 2022 10:20:18 +0100 Subject: [PATCH] [SecuritySolution][Threat Hunting] Use correct field ids for ML, ransomware, indicator alerts (#125937) * fix: use correct field ids for ML, ransomware, threat matching events * copy: remove unused translations Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit be4caac5006658c4efd1358db6ca42187d9c6560) --- .../event_details/alert_summary_view.test.tsx | 99 +++++++++++++++++++ .../event_details/get_alert_summary_rows.tsx | 20 ++-- .../components/alerts_table/translations.ts | 7 -- .../translations/translations/ja-JP.json | 1 - .../translations/translations/zh-CN.json | 1 - 5 files changed, 109 insertions(+), 19 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx index 24b907e6bd938..4bb4c4809764a 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx @@ -258,6 +258,105 @@ describe('AlertSummaryView', () => { }); }); + test('Ransomware event code shows correct fields', () => { + const enhancedData = [ + ...mockAlertDetailsData.map((item) => { + if (item.category === 'event' && item.field === 'event.code') { + return { + ...item, + values: ['ransomware'], + originalValue: ['ransomware'], + }; + } + return item; + }), + { category: 'Ransomware', field: 'Ransomware.feature', values: ['mbr'] }, + { + category: 'process', + field: 'process.hash.sha256', + values: ['3287rhf3847gb38fb3o984g9384g7b3b847gb'], + }, + ] as TimelineEventsDetailsItem[]; + const renderProps = { + ...props, + data: enhancedData, + }; + const { getByText } = render( + + + + ); + ['process.hash.sha256', 'Ransomware.feature'].forEach((fieldId) => { + expect(getByText(fieldId)); + }); + }); + + test('Machine learning events show correct fields', () => { + const enhancedData = [ + ...mockAlertDetailsData.map((item) => { + if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') { + return { + ...item, + values: ['machine_learning'], + originalValue: ['machine_learning'], + }; + } + return item; + }), + { + category: 'kibana', + field: 'kibana.alert.rule.parameters.machine_learning_job_id', + values: ['i_am_the_ml_job_id'], + }, + { category: 'kibana', field: 'kibana.alert.rule.parameters.anomaly_threshold', values: [2] }, + ] as TimelineEventsDetailsItem[]; + const renderProps = { + ...props, + data: enhancedData, + }; + const { getByText } = render( + + + + ); + ['i_am_the_ml_job_id', 'kibana.alert.rule.parameters.anomaly_threshold'].forEach((fieldId) => { + expect(getByText(fieldId)); + }); + }); + + test('Threat match events show correct fields', () => { + const enhancedData = [ + ...mockAlertDetailsData.map((item) => { + if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') { + return { + ...item, + values: ['threat_match'], + originalValue: ['threat_match'], + }; + } + return item; + }), + { + category: 'kibana', + field: 'kibana.alert.rule.threat_index', + values: ['threat_index*'], + }, + { category: 'kibana', field: 'kibana.alert.rule.threat_query', values: ['*query*'] }, + ] as TimelineEventsDetailsItem[]; + const renderProps = { + ...props, + data: enhancedData, + }; + const { getByText } = render( + + + + ); + ['threat_index*', '*query*'].forEach((fieldId) => { + expect(getByText(fieldId)); + }); + }); + test('Ransomware event code resolves fields from the source event', () => { const renderProps = { ...props, diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx index af93393e5b8a4..9f0dfb53a5c4b 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx @@ -6,7 +6,7 @@ */ import { find, isEmpty, uniqBy } from 'lodash/fp'; -import { ALERT_RULE_NAMESPACE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; +import { ALERT_RULE_NAMESPACE, ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils'; import * as i18n from './translations'; import { BrowserFields } from '../../../../common/search_strategy/index_fields'; @@ -14,7 +14,6 @@ import { ALERTS_HEADERS_THRESHOLD_CARDINALITY, ALERTS_HEADERS_THRESHOLD_COUNT, ALERTS_HEADERS_THRESHOLD_TERMS, - ALERTS_HEADERS_TARGET_IMPORT_HASH, ALERTS_HEADERS_RULE_DESCRIPTION, } from '../../../detections/components/alerts_table/translations'; import { ALERT_THRESHOLD_RESULT } from '../../../../common/field_maps/field_names'; @@ -111,16 +110,17 @@ function getFieldsByEventCode( case EventCode.SHELLCODE_THREAD: return [ { id: 'Target.process.executable' }, - { - id: 'Target.process.thread.Ext.start_address_detaiuls.memory_pe.imphash', - label: ALERTS_HEADERS_TARGET_IMPORT_HASH, - }, { id: 'Memory_protection.unique_key_v1', }, ]; - case EventCode.MEMORY_SIGNATURE: case EventCode.RANSOMWARE: + return [ + { id: 'Ransomware.feature' }, + { id: 'process.hash.sha256' }, + ...getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }), + ]; + case EventCode.MEMORY_SIGNATURE: // Resolve more fields based on the source event return getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }); default: @@ -145,10 +145,10 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] { case 'machine_learning': return [ { - id: `${ALERT_RULE_NAMESPACE}.machine_learning_job_id`, + id: `${ALERT_RULE_PARAMETERS}.machine_learning_job_id`, }, { - id: `${ALERT_RULE_NAMESPACE}.anomaly_threshold`, + id: `${ALERT_RULE_PARAMETERS}.anomaly_threshold`, }, ]; case 'threat_match': @@ -157,7 +157,7 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] { id: `${ALERT_RULE_NAMESPACE}.threat_index`, }, { - id: `${ALERT_RULE_NAMESPACE}.index`, + id: `${ALERT_RULE_NAMESPACE}.threat_query`, }, ]; default: diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts index 1897ad45fe7ff..590b5759ecae4 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts @@ -136,13 +136,6 @@ export const ALERTS_HEADERS_THRESHOLD_CARDINALITY = i18n.translate( } ); -export const ALERTS_HEADERS_TARGET_IMPORT_HASH = i18n.translate( - 'xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash', - { - defaultMessage: 'Import Hash', - } -); - export const ACTION_OPEN_ALERT = i18n.translate( 'xpack.securitySolution.detectionEngine.alerts.actions.openAlertTitle', { diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json index 45ad4b8579d38..3a2208dba6471 100644 --- a/x-pack/plugins/translations/translations/ja-JP.json +++ b/x-pack/plugins/translations/translations/ja-JP.json @@ -23345,7 +23345,6 @@ "xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "実行済み", "xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "バージョン", "xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "ステータス", - "xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "ハッシュのインポート", "xpack.securitySolution.eventsViewer.errorFetchingEventsData": "イベントデータをクエリできませんでした", "xpack.securitySolution.eventsViewer.eventsLabel": "イベント", "xpack.securitySolution.eventsViewer.showingLabel": "表示中", diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json index cf128c7f4d48f..7cd2b764c5d7f 100644 --- a/x-pack/plugins/translations/translations/zh-CN.json +++ b/x-pack/plugins/translations/translations/zh-CN.json @@ -23721,7 +23721,6 @@ "xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "已触发", "xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "版本", "xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "状态", - "xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "导入哈希", "xpack.securitySolution.eventsViewer.errorFetchingEventsData": "无法查询事件数据", "xpack.securitySolution.eventsViewer.eventsLabel": "事件", "xpack.securitySolution.eventsViewer.showingLabel": "正在显示",