diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
index 24b907e6bd938..4bb4c4809764a 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
@@ -258,6 +258,105 @@ describe('AlertSummaryView', () => {
});
});
+ test('Ransomware event code shows correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'event' && item.field === 'event.code') {
+ return {
+ ...item,
+ values: ['ransomware'],
+ originalValue: ['ransomware'],
+ };
+ }
+ return item;
+ }),
+ { category: 'Ransomware', field: 'Ransomware.feature', values: ['mbr'] },
+ {
+ category: 'process',
+ field: 'process.hash.sha256',
+ values: ['3287rhf3847gb38fb3o984g9384g7b3b847gb'],
+ },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+
+ );
+ ['process.hash.sha256', 'Ransomware.feature'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
+ test('Machine learning events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['machine_learning'],
+ originalValue: ['machine_learning'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'kibana',
+ field: 'kibana.alert.rule.parameters.machine_learning_job_id',
+ values: ['i_am_the_ml_job_id'],
+ },
+ { category: 'kibana', field: 'kibana.alert.rule.parameters.anomaly_threshold', values: [2] },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+
+ );
+ ['i_am_the_ml_job_id', 'kibana.alert.rule.parameters.anomaly_threshold'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
+ test('Threat match events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['threat_match'],
+ originalValue: ['threat_match'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'kibana',
+ field: 'kibana.alert.rule.threat_index',
+ values: ['threat_index*'],
+ },
+ { category: 'kibana', field: 'kibana.alert.rule.threat_query', values: ['*query*'] },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+
+ );
+ ['threat_index*', '*query*'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
test('Ransomware event code resolves fields from the source event', () => {
const renderProps = {
...props,
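Review bot: The closing assertion in each of the three new tests, `expect(getByText(fieldId));`, attaches no matcher, so the `expect` call itself checks nothing and the test only passes or fails because `getByText` throws when the text is absent. Either call `getByText(fieldId)` on its own for that side effect, or add a matcher such as `expect(getByText(fieldId)).toBeInTheDocument();` if jest-dom matchers are available in this suite. The constructed `process.hash.sha256` fixture is not shaped like a SHA-256 (64 hex characters); a fixture of the real shape would also exercise any formatting the summary applies to hash values. The rendered element between `render(` and `);` appears as empty lines here, which looks like an extraction artifact rather than part of the commit, and the enclosing describe block continues outside the hunk.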
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
index af93393e5b8a4..9f0dfb53a5c4b 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
@@ -6,7 +6,7 @@
*/
import { find, isEmpty, uniqBy } from 'lodash/fp';
-import { ALERT_RULE_NAMESPACE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAMESPACE, ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import * as i18n from './translations';
import { BrowserFields } from '../../../../common/search_strategy/index_fields';
@@ -14,7 +14,6 @@ import {
ALERTS_HEADERS_THRESHOLD_CARDINALITY,
ALERTS_HEADERS_THRESHOLD_COUNT,
ALERTS_HEADERS_THRESHOLD_TERMS,
- ALERTS_HEADERS_TARGET_IMPORT_HASH,
ALERTS_HEADERS_RULE_DESCRIPTION,
} from '../../../detections/components/alerts_table/translations';
import { ALERT_THRESHOLD_RESULT } from '../../../../common/field_maps/field_names';
@@ -111,16 +110,17 @@ function getFieldsByEventCode(
case EventCode.SHELLCODE_THREAD:
return [
{ id: 'Target.process.executable' },
- {
- id: 'Target.process.thread.Ext.start_address_detaiuls.memory_pe.imphash',
- label: ALERTS_HEADERS_TARGET_IMPORT_HASH,
- },
{
id: 'Memory_protection.unique_key_v1',
},
];
- case EventCode.MEMORY_SIGNATURE:
case EventCode.RANSOMWARE:
+ return [
+ { id: 'Ransomware.feature' },
+ { id: 'process.hash.sha256' },
+ ...getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }),
+ ];
+ case EventCode.MEMORY_SIGNATURE:
// Resolve more fields based on the source event
return getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined });
default:
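Review bot: The new RANSOMWARE branch spreads `getFieldsByCategory(...)` after its two explicit entries, so `process.hash.sha256` may be emitted twice when the category lookup also yields it for process events; that is harmless only if the caller dedupes by id (the file imports `uniqBy`, which suggests it does, but that code is outside the hunk). The comment `// Resolve more fields based on the source event` now sits only over MEMORY_SIGNATURE even though the RANSOMWARE branch performs the same spread; a short comment on the new branch, e.g. `// Ransomware alerts always list Ransomware.feature and the process hash, then add the source event's fields`, would keep the two cases readable side by side. getFieldsByEventCode starts and ends outside the hunk.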
@@ -145,10 +145,10 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
case 'machine_learning':
return [
{
- id: `${ALERT_RULE_NAMESPACE}.machine_learning_job_id`,
+ id: `${ALERT_RULE_PARAMETERS}.machine_learning_job_id`,
},
{
- id: `${ALERT_RULE_NAMESPACE}.anomaly_threshold`,
+ id: `${ALERT_RULE_PARAMETERS}.anomaly_threshold`,
},
];
case 'threat_match':
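Review bot: The machine_learning case now builds both ids from `ALERT_RULE_PARAMETERS`, while the threat_match case in the following hunk (`threat_index` and the corrected `threat_query`) still builds its ids from `ALERT_RULE_NAMESPACE`. If those two values are likewise stored only under the rule parameters object in the alert document, the threat-match summary rows would silently resolve to nothing in the same way the ML rows presumably did before this change; that should be confirmed against the alert field mapping rather than the test fixture, which only asserts on the `kibana.alert.rule.*` form. The enclosing getFieldsByRuleType continues outside the hunk.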
@@ -157,7 +157,7 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
id: `${ALERT_RULE_NAMESPACE}.threat_index`,
},
{
- id: `${ALERT_RULE_NAMESPACE}.index`,
+ id: `${ALERT_RULE_NAMESPACE}.threat_query`,
},
];
default:
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
index 1897ad45fe7ff..590b5759ecae4 100644
--- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/translations.ts
@@ -136,13 +136,6 @@ export const ALERTS_HEADERS_THRESHOLD_CARDINALITY = i18n.translate(
}
);
-export const ALERTS_HEADERS_TARGET_IMPORT_HASH = i18n.translate(
- 'xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash',
- {
- defaultMessage: 'Import Hash',
- }
-);
-
export const ACTION_OPEN_ALERT = i18n.translate(
'xpack.securitySolution.detectionEngine.alerts.actions.openAlertTitle',
{
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index c62e8cfc237de..cf434780c4db1 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -23343,7 +23343,6 @@
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "実行済み",
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "バージョン",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "ステータス",
- "xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "ハッシュのインポート",
"xpack.securitySolution.eventsViewer.errorFetchingEventsData": "イベントデータをクエリできませんでした",
"xpack.securitySolution.eventsViewer.eventsLabel": "イベント",
"xpack.securitySolution.eventsViewer.showingLabel": "表示中",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index a26abde5f10a6..d6fd6eda4ff49 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -23472,7 +23472,6 @@
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.triggeredTitle": "已触发",
"xpack.securitySolution.eventsViewer.alerts.defaultHeaders.versionTitle": "版本",
"xpack.securitySolution.eventsViewer.alerts.overviewTable.signalStatusTitle": "状态",
- "xpack.securitySolution.eventsViewer.alerts.overviewTable.targetImportHash": "导入哈希",
"xpack.securitySolution.eventsViewer.errorFetchingEventsData": "无法查询事件数据",
"xpack.securitySolution.eventsViewer.eventsLabel": "事件",
"xpack.securitySolution.eventsViewer.showingLabel": "正在显示",