Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate Host risk and User risk UI to ECS schema #140080

Merged
merged 10 commits into from
Sep 9, 2022
Merged

Migrate Host risk and User risk UI to ECS schema #140080

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
3e4a5a5
Migrate Host risk and User risk indices to ECS schema
machadoum Sep 6, 2022
925b3f9
Update i18n
machadoum Sep 6, 2022
8a2900c
Fix typing issues
machadoum Sep 6, 2022
90b91f2
Fix lower-upper case mistakes
machadoum Sep 6, 2022
bddac3f
Fix another test
machadoum Sep 7, 2022
b2b4525
Update risk UI to match calculated_level new type
machadoum Sep 7, 2022
173f936
Improve risk table loading
machadoum Sep 7, 2022
3c1d36d
Fix type issue
machadoum Sep 7, 2022
47a0b7d
Update es_archiver to match new calculated_level type
machadoum Sep 8, 2022
48842e7
Use enums everywhere
machadoum Sep 8, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 26 additions & 15 deletions ...lugins/security_solution/common/search_strategy/security_solution/risk_score/all/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,33 +25,35 @@ export interface RiskScoreRequestOptions extends IEsSearchRequest {
export interface HostsRiskScoreStrategyResponse extends IEsSearchResponse {
inspect?: Maybe<Inspect>;
totalCount: number;
data: HostsRiskScore[] | undefined;
data: HostRiskScore[] | undefined;
}

export interface UsersRiskScoreStrategyResponse extends IEsSearchResponse {
inspect?: Maybe<Inspect>;
totalCount: number;
data: UsersRiskScore[] | undefined;
data: UserRiskScore[] | undefined;
}

export interface RiskScore {
'@timestamp': string;
risk: string;
risk_stats: {
rule_risks: RuleRisk[];
risk_score: number;
};
export interface RiskStats {
rule_risks: RuleRisk[];
calculated_score_norm: number;
multipliers: string[];
calculated_level: string;
machadoum marked this conversation as resolved.
Show resolved Hide resolved
}

export interface HostsRiskScore extends RiskScore {
export interface HostRiskScore {
'@timestamp': string;
host: {
name: string;
risk: RiskStats;
};
}

export interface UsersRiskScore extends RiskScore {
export interface UserRiskScore {
'@timestamp': string;
user: {
name: string;
risk: RiskStats;
};
}

Expand All @@ -66,17 +68,23 @@ export type RiskScoreSortField = SortField<RiskScoreFields>;
export const enum RiskScoreFields {
timestamp = '@timestamp',
hostName = 'host.name',
hostRiskScore = 'host.risk.calculated_score_norm',
hostRisk = 'host.risk.calculated_level',
userName = 'user.name',
riskScore = 'risk_stats.risk_score',
risk = 'risk',
userRiskScore = 'user.risk.calculated_score_norm',
userRisk = 'user.risk.calculated_level',
}

export interface RiskScoreItem {
_id?: Maybe<string>;
[RiskScoreFields.hostName]: Maybe<string>;
[RiskScoreFields.userName]: Maybe<string>;
[RiskScoreFields.risk]: Maybe<RiskSeverity>;
[RiskScoreFields.riskScore]: Maybe<number>;

[RiskScoreFields.hostRisk]: Maybe<RiskSeverity>;
[RiskScoreFields.userRisk]: Maybe<RiskSeverity>;

[RiskScoreFields.hostRiskScore]: Maybe<number>;
[RiskScoreFields.userRiskScore]: Maybe<number>;
}

export const enum RiskSeverity {
Expand All @@ -86,3 +94,6 @@ export const enum RiskSeverity {
high = 'High',
critical = 'Critical',
}

export const isUserRiskScore = (risk: HostRiskScore | UserRiskScore): risk is UserRiskScore =>
'user' in risk;
5 changes: 4 additions & 1 deletion ...ins/security_solution/common/search_strategy/security_solution/risk_score/common/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,4 +33,7 @@ export enum RiskQueries {
kpiRiskScore = 'kpiRiskScore',
}

export type RiskScoreAggByFields = 'host.name' | 'user.name';
export enum RiskScoreEntity {
host = 'host',
user = 'user',
}
machadoum marked this conversation as resolved.
Show resolved Hide resolved
4 changes: 2 additions & 2 deletions ...lugins/security_solution/common/search_strategy/security_solution/risk_score/kpi/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
*/

import type { IEsSearchRequest, IEsSearchResponse } from '@kbn/data-plugin/common';
import type { FactoryQueryTypes, RiskScoreAggByFields, RiskSeverity } from '../..';
import type { FactoryQueryTypes, RiskScoreEntity, RiskSeverity } from '../..';
import type { ESQuery } from '../../../../typed_json';

import type { Inspect, Maybe } from '../../../common';
Expand All @@ -15,7 +15,7 @@ export interface KpiRiskScoreRequestOptions extends IEsSearchRequest {
defaultIndex: string[];
factoryQueryType?: FactoryQueryTypes;
filterQuery?: ESQuery | string | undefined;
aggBy: RiskScoreAggByFields;
entity: RiskScoreEntity;
}

export interface KpiRiskScoreStrategyResponse extends IEsSearchResponse {
Expand Down
4 changes: 2 additions & 2 deletions .../plugins/security_solution/common/search_strategy/security_solution/users/common/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@ import type { UserEcs } from '../../../../ecs/user';
export const enum UserRiskScoreFields {
timestamp = '@timestamp',
userName = 'user.name',
riskScore = 'risk_stats.risk_score',
risk = 'risk',
riskScore = 'user.risk.calculated_score_norm',
risk = 'user.risk.calculated_level',
}

export interface UserRiskScoreItem {
Expand Down
22 changes: 12 additions & 10 deletions ...ty_solution/public/common/components/event_details/cti_details/host_risk_summary.test.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,12 @@ describe('HostRiskSummary', () => {
'@timestamp': '1641902481',
host: {
name: 'test-host-name',
},
risk: riskKeyword,
risk_stats: {
risk_score: 9999,
rule_risks: [],
risk: {
multipliers: [],
calculated_score_norm: 9999,
calculated_level: riskKeyword,
rule_risks: [],
},
},
},
],
Expand Down Expand Up @@ -67,11 +68,12 @@ describe('HostRiskSummary', () => {
'@timestamp': '1641902530',
host: {
name: 'test-host-name',
},
risk: 'test-risk',
risk_stats: {
risk_score: 9999,
rule_risks: [],
risk: {
multipliers: [],
calculated_score_norm: 9999,
calculated_level: 'test-risk',
rule_risks: [],
},
},
},
],
Expand Down
11 changes: 7 additions & 4 deletions ...ecurity_solution/public/common/components/event_details/cti_details/host_risk_summary.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,12 @@ const HostRiskSummaryComponent: React.FC<{
toolTipContent={
<FormattedMessage
id="xpack.securitySolution.alertDetails.overview.hostDataTooltipContent"
defaultMessage="Risk classification is displayed only when available for a host. Ensure {hostsRiskScoreDocumentationLink} is enabled within your environment."
defaultMessage="Risk classification is displayed only when available for a host. Ensure {hostRiskScoreDocumentationLink} is enabled within your environment."
values={{
hostsRiskScoreDocumentationLink: (
hostRiskScoreDocumentationLink: (
<EuiLink href={RISKY_HOSTS_DOC_LINK} target="_blank">
<FormattedMessage
id="xpack.securitySolution.alertDetails.overview.hostsRiskScoreLink"
id="xpack.securitySolution.alertDetails.overview.HostRiskScoreLink"
machadoum marked this conversation as resolved.
Show resolved Hide resolved
defaultMessage="Host Risk Score"
/>
</EuiLink>
Expand All @@ -56,7 +56,10 @@ const HostRiskSummaryComponent: React.FC<{
<EnrichedDataRow
field={i18n.HOST_RISK_CLASSIFICATION}
value={
<RiskScore severity={hostRisk.result[0].risk as RiskSeverity} hideBackgroundColor />
<RiskScore
severity={hostRisk.result[0].host.risk.calculated_level as RiskSeverity}
hideBackgroundColor
/>
}
/>
</>
Expand Down
7 changes: 4 additions & 3 deletions x-pack/plugins/security_solution/public/common/components/risk_score_over_time/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,14 @@ import { HeaderSection } from '../header_section';
import { InspectButton, InspectButtonContainer } from '../inspect';
import * as i18n from './translations';
import { PreferenceFormattedDate } from '../formatted_date';
import type { RiskScore } from '../../../../common/search_strategy';
import type { HostRiskScore, UserRiskScore } from '../../../../common/search_strategy';
import { isUserRiskScore } from '../../../../common/search_strategy';

export interface RiskScoreOverTimeProps {
from: string;
to: string;
loading: boolean;
riskScore?: RiskScore[];
riskScore?: Array<HostRiskScore | UserRiskScore>;
queryId: string;
title: string;
toggleStatus: boolean;
Expand Down Expand Up @@ -81,7 +82,7 @@ const RiskScoreOverTimeComponent: React.FC<RiskScoreOverTimeProps> = ({
riskScore
?.map((data) => ({
x: data['@timestamp'],
y: data.risk_stats.risk_score,
y: (isUserRiskScore(data) ? data.user : data.host).risk.calculated_score_norm,
}))
.reverse() ?? [],
[riskScore]
Expand Down
4 changes: 2 additions & 2 deletions x-pack/plugins/security_solution/public/common/mock/global_state.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ export const mockGlobalState: State = {
hostRisk: {
activePage: 0,
limit: 10,
sort: { field: RiskScoreFields.riskScore, direction: Direction.desc },
sort: { field: RiskScoreFields.hostRiskScore, direction: Direction.desc },
severitySelection: [],
},
sessions: { activePage: 0, limit: 10 },
Expand All @@ -106,7 +106,7 @@ export const mockGlobalState: State = {
hostRisk: {
activePage: 0,
limit: 10,
sort: { field: RiskScoreFields.riskScore, direction: Direction.desc },
sort: { field: RiskScoreFields.hostRiskScore, direction: Direction.desc },
severitySelection: [],
},
sessions: { activePage: 0, limit: 10 },
Expand Down
4 changes: 2 additions & 2 deletions x-pack/plugins/security_solution/public/hosts/components/host_risk_information/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,9 +129,9 @@ const HostRiskInformationFlyout = ({ handleOnClose }: { handleOnClose: () => voi
<EuiSpacer size="l" />
<FormattedMessage
id="xpack.securitySolution.hosts.hostRiskInformation.learnMore"
defaultMessage="You can learn more about host risk {hostsRiskScoreDocumentationLink}"
defaultMessage="You can learn more about host risk {HostRiskScoreDocumentationLink}"
values={{
hostsRiskScoreDocumentationLink: (
HostRiskScoreDocumentationLink: (
<EuiLink href={RISKY_HOSTS_DOC_LINK} target="_blank">
<FormattedMessage
id="xpack.securitySolution.hosts.hostRiskInformation.link"
Expand Down
4 changes: 2 additions & 2 deletions x-pack/plugins/security_solution/public/hosts/components/host_risk_score_table/columns.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ export const getHostRiskScoreColumns = ({
},
},
{
field: 'risk_stats.risk_score',
field: 'host.risk.calculated_score_norm',
machadoum marked this conversation as resolved.
Show resolved Hide resolved
name: i18n.HOST_RISK_SCORE,
truncateText: true,
mobileOptions: { show: true },
Expand All @@ -84,7 +84,7 @@ export const getHostRiskScoreColumns = ({
},
},
{
field: 'risk',
field: 'host.risk.calculated_level',
machadoum marked this conversation as resolved.
Show resolved Hide resolved
name: (
<EuiToolTip content={i18n.HOST_RISK_TOOLTIP}>
<>
Expand Down
8 changes: 4 additions & 4 deletions x-pack/plugins/security_solution/public/hosts/components/host_risk_score_table/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ import { useDeepEqualSelector } from '../../../common/hooks/use_selector';
import { hostsActions, hostsModel, hostsSelectors } from '../../store';
import { getHostRiskScoreColumns } from './columns';
import type {
HostsRiskScore,
HostRiskScore,
RiskScoreItem,
RiskScoreSortField,
RiskSeverity,
Expand Down Expand Up @@ -50,7 +50,7 @@ const IconWrapper = styled.span`
const tableType = hostsModel.HostsTableType.risk;

interface HostRiskScoreTableProps {
data: HostsRiskScore[];
data: HostRiskScore[];
id: string;
isInspect: boolean;
loading: boolean;
Expand All @@ -63,8 +63,8 @@ interface HostRiskScoreTableProps {

export type HostRiskScoreColumns = [
Columns<RiskScoreItem[RiskScoreFields.hostName]>,
Columns<RiskScoreItem[RiskScoreFields.riskScore]>,
Columns<RiskScoreItem[RiskScoreFields.risk]>
Columns<RiskScoreItem[RiskScoreFields.hostRiskScore]>,
Columns<RiskScoreItem[RiskScoreFields.hostRisk]>
];

const HostRiskScoreTableComponent: React.FC<HostRiskScoreTableProps> = ({
Expand Down
2 changes: 1 addition & 1 deletion x-pack/plugins/security_solution/public/hosts/pages/hosts.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ const HostsComponent = () => {
}

if (tabName === HostsTableType.risk) {
const severityFilter = generateSeverityFilter(severitySelection);
const severityFilter = generateSeverityFilter(severitySelection, 'host');
machadoum marked this conversation as resolved.
Show resolved Hide resolved

return [...severityFilter, ...hostNameExistsFilter, ...filters];
}
Expand Down
5 changes: 4 additions & 1 deletion x-pack/plugins/security_solution/public/hosts/pages/navigation/host_risk_tab_body.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import type { HostsComponentsQueryProps } from './types';
import * as i18n from '../translations';
import { HostRiskInformationButtonEmpty } from '../../components/host_risk_information';
import { HostRiskScoreQueryId, useHostRiskScore } from '../../../risk_score/containers';
import type { HostRiskScore } from '../../../../common/search_strategy';
import { buildHostNamesFilter } from '../../../../common/search_strategy';
import { useQueryInspector } from '../../../common/components/page/manage_query';
import { RiskScoreOverTime } from '../../../common/components/risk_score_over_time';
Expand Down Expand Up @@ -86,7 +87,9 @@ const HostRiskTabBodyComponent: React.FC<
[setOverTimeToggleStatus]
);

const rules = data && data.length > 0 ? data[data.length - 1].risk_stats.rule_risks : [];
const lastHosttRiskItem: HostRiskScore | null =
data && data.length > 0 ? data[data.length - 1] : null;
const rules = lastHosttRiskItem ? lastHosttRiskItem.host.risk.rule_risks : [];
machadoum marked this conversation as resolved.
Show resolved Hide resolved

return (
<>
Expand Down
8 changes: 4 additions & 4 deletions x-pack/plugins/security_solution/public/hosts/store/helpers.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ export const mockHostsState: HostsModel = {
activePage: DEFAULT_TABLE_ACTIVE_PAGE,
limit: DEFAULT_TABLE_LIMIT,
sort: {
field: RiskScoreFields.riskScore,
field: RiskScoreFields.hostRiskScore,
direction: Direction.desc,
},
severitySelection: [],
Expand Down Expand Up @@ -79,7 +79,7 @@ export const mockHostsState: HostsModel = {
activePage: DEFAULT_TABLE_ACTIVE_PAGE,
limit: DEFAULT_TABLE_LIMIT,
sort: {
field: RiskScoreFields.riskScore,
field: RiskScoreFields.hostRiskScore,
direction: Direction.desc,
},
severitySelection: [],
Expand Down Expand Up @@ -124,7 +124,7 @@ describe('Hosts redux store', () => {
severitySelection: [],
sort: {
direction: 'desc',
field: 'risk_stats.risk_score',
field: RiskScoreFields.hostRiskScore,
},
},
[HostsTableType.sessions]: {
Expand Down Expand Up @@ -164,7 +164,7 @@ describe('Hosts redux store', () => {
severitySelection: [],
sort: {
direction: 'desc',
field: 'risk_stats.risk_score',
field: RiskScoreFields.hostRiskScore,
},
},
[HostsTableType.sessions]: {
Expand Down
12 changes: 8 additions & 4 deletions x-pack/plugins/security_solution/public/hosts/store/helpers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,17 +60,21 @@ export const setHostsQueriesActivePageToZero = (state: HostsModel, type: HostsTy
throw new Error(`HostsType ${type} is unknown`);
};

export const generateSeverityFilter = (severitySelection: RiskSeverity[]) =>
export const generateSeverityFilter = (
severitySelection: RiskSeverity[],
entity: 'user' | 'host'
machadoum marked this conversation as resolved.
Show resolved Hide resolved
) =>
severitySelection.length > 0
? [
{
query: {
bool: {
should: severitySelection.map((query) => ({
match_phrase: {
'risk.keyword': {
query,
},
[entity === 'user' ? 'user.risk.calculated_level' : 'host.risk.calculated_level']:
machadoum marked this conversation as resolved.
Show resolved Hide resolved
{
query,
},
},
})),
},
Expand Down
4 changes: 2 additions & 2 deletions x-pack/plugins/security_solution/public/hosts/store/reducer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ export const initialHostsState: HostsState = {
activePage: DEFAULT_TABLE_ACTIVE_PAGE,
limit: DEFAULT_TABLE_LIMIT,
sort: {
field: RiskScoreFields.riskScore,
field: RiskScoreFields.hostRiskScore,
direction: Direction.desc,
},
severitySelection: [],
Expand Down Expand Up @@ -98,7 +98,7 @@ export const initialHostsState: HostsState = {
activePage: DEFAULT_TABLE_ACTIVE_PAGE,
limit: DEFAULT_TABLE_LIMIT,
sort: {
field: RiskScoreFields.riskScore,
field: RiskScoreFields.hostRiskScore,
direction: Direction.desc,
},
severitySelection: [],
Expand Down
Loading