From 7bb838910829bcadae9072950c07c94f55fe279f Mon Sep 17 00:00:00 2001
From: Garrett Spong <garrett.spong@elastic.co>
Date: Fri, 24 Jul 2020 17:59:26 -0600
Subject: [PATCH 1/2] Updates siem grouping to security, and adds cloudtrail
 module

---
 .../public/common/components/ml_popover/api.tsx             | 2 +-
 .../common/components/ml_popover/hooks/translations.ts      | 2 +-
 .../components/ml_popover/hooks/use_siem_jobs_helpers.tsx   | 2 +-
 .../ml_popover/jobs_table/filters/groups_filter_popover.tsx | 6 +++---
 .../public/common/components/ml_popover/ml_modules.tsx      | 1 +
 .../detections/components/rules/ml_job_select/index.tsx     | 2 +-
 .../server/usage/detections/detections_helpers.ts           | 4 +++-
 7 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
index b4da4fa79e035..7c72098209a06 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
@@ -71,7 +71,7 @@ export const setupMlJob = async ({
   configTemplate,
   indexPatternName = 'auditbeat-*',
   jobIdErrorFilter = [],
-  groups = ['siem'],
+  groups = ['security'],
   prefix = '',
 }: MlSetupArgs): Promise<SetupMlResponse> => {
   const response = await KibanaServices.get().http.fetch<SetupMlResponse>(
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
index 2b37c437866e0..7b29bab2e38f3 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
@@ -9,6 +9,6 @@ import { i18n } from '@kbn/i18n';
 export const SIEM_JOB_FETCH_FAILURE = i18n.translate(
   'xpack.securitySolution.components.mlPopup.hooks.errors.siemJobFetchFailureTitle',
   {
-    defaultMessage: 'SIEM job fetch failure',
+    defaultMessage: 'Security job fetch failure',
   }
 );
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
index 658d2659282ce..adbd712ffeb3e 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
@@ -104,7 +104,7 @@ export const getInstalledJobs = (
   compatibleModuleIds: string[]
 ): SiemJob[] =>
   jobSummaryData
-    .filter(({ groups }) => groups.includes('siem'))
+    .filter(({ groups }) => groups.includes('siem') || groups.includes('security'))
     .map<SiemJob>((jobSummary) => ({
       ...jobSummary,
       ...getAugmentedFields(jobSummary.id, moduleJobs, compatibleModuleIds),
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
index 1aa3ad630306e..d879942b8b101 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
@@ -25,8 +25,8 @@ interface GroupsFilterPopoverProps {
 
 /**
  * Popover for selecting which SiemJob groups to filter on. Component extracts unique groups and
- * their counts from the provided SiemJobs. The 'siem' group is filtered out as all jobs will be
- * siem jobs
+ * their counts from the provided SiemJobs. The 'siem' & 'security' groups are filtered out as all jobs will be
+ * siem/security jobs
  *
  * @param siemJobs jobs to fetch groups from to display for filtering
  * @param onSelectedGroupsChanged change listener to be notified when group selection changes
@@ -41,7 +41,7 @@ export const GroupsFilterPopoverComponent = ({
   const groups = siemJobs
     .map((j) => j.groups)
     .flat()
-    .filter((g) => g !== 'siem');
+    .filter((g) => g !== 'siem' && g !== 'security');
   const uniqueGroups = Array.from(new Set(groups));
 
   useEffect(() => {
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
index b956cf2c1494c..4dccba08590a4 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
@@ -12,6 +12,7 @@
 export const mlModules: string[] = [
   'siem_auditbeat',
   'siem_auditbeat_auth',
+  'siem_cloudtrail',
   'siem_packetbeat',
   'siem_winlogbeat',
   'siem_winlogbeat_auth',
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
index cb084d4daa782..cdfdf4ca6b66b 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
@@ -41,7 +41,7 @@ const HelpText: React.FC<{ href: string; showEnableWarning: boolean }> = ({
   <>
     <FormattedMessage
       id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText"
-      defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of “siem” to those jobs in the {machineLearning} application to make them appear here."
+      defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of “security” to those jobs in the {machineLearning} application to make them appear here."
       values={{
         machineLearning: (
           <EuiLink href={href} target="_blank">
diff --git a/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts b/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
index e9d4f3aa426f4..f9905c373291c 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
@@ -176,7 +176,9 @@ export const getMlJobsUsage = async (ml: MlPluginSetup | undefined): Promise<MlJ
         .modulesProvider(internalMlClient, fakeRequest, fakeSOClient)
         .listModules();
       const moduleJobs = modules.flatMap((module) => module.jobs);
-      const jobs = await ml.jobServiceProvider(internalMlClient, fakeRequest).jobsSummary(['siem']);
+      const jobs = await ml
+        .jobServiceProvider(internalMlClient, fakeRequest)
+        .jobsSummary(['siem', 'security']);
 
       jobsUsage = jobs.reduce((usage, job) => {
         const isElastic = moduleJobs.some((moduleJob) => moduleJob.id === job.id);

From 87fa461c90689f696d888b5682820cd3b541eb4c Mon Sep 17 00:00:00 2001
From: Garrett Spong <garrett.spong@elastic.co>
Date: Mon, 27 Jul 2020 15:10:02 -0600
Subject: [PATCH 2/2] Standardizing icons

---
 .../models/data_recognizer/modules/siem_auditbeat/logo.json   | 2 +-
 .../data_recognizer/modules/siem_auditbeat_auth/logo.json     | 4 ++--
 .../models/data_recognizer/modules/siem_packetbeat/logo.json  | 4 ++--
 .../models/data_recognizer/modules/siem_winlogbeat/logo.json  | 2 +-
 .../data_recognizer/modules/siem_winlogbeat_auth/logo.json    | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
index 40a5c59677147..dfd22f6b1140b 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
+	"icon": "logoSecurity"
 }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
index 6b02648ccf287..dfd22f6b1140b 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
index 6b02648ccf287..dfd22f6b1140b 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
index 40a5c59677147..dfd22f6b1140b 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
+	"icon": "logoSecurity"
 }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
index 6b02648ccf287..dfd22f6b1140b 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}