Skip to content

Commit

Permalink
[Security Solution][Detections][Threshold Rules][7.12] Threshold summ…
Browse files Browse the repository at this point in the history
…ary view (elastic#94345) (elastic#95025)

* Add threshold summary view items

* Add threshold field desgination

* Add threshold fields to signal doc

* Fix unit test

* Handle error
  • Loading branch information
madirey authored Mar 21, 2021
1 parent c0c6272 commit 17cdb81
Show file tree
Hide file tree
Showing 4 changed files with 78 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ import {
ALERTS_HEADERS_RISK_SCORE,
ALERTS_HEADERS_RULE,
ALERTS_HEADERS_SEVERITY,
ALERTS_HEADERS_THRESHOLD_COUNT,
ALERTS_HEADERS_THRESHOLD_TERMS,
ALERTS_HEADERS_THRESHOLD_CARDINALITY,
} from '../../../detections/components/alerts_table/translations';
import {
IP_FIELD_TYPE,
Expand Down Expand Up @@ -61,6 +64,9 @@ const fields = [
{ id: 'user.name' },
{ id: SOURCE_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE },
{ id: DESTINATION_IP_FIELD_NAME, fieldType: IP_FIELD_TYPE },
{ id: 'signal.threshold_result.count', label: ALERTS_HEADERS_THRESHOLD_COUNT },
{ id: 'signal.threshold_result.terms', label: ALERTS_HEADERS_THRESHOLD_TERMS },
{ id: 'signal.threshold_result.cardinality', label: ALERTS_HEADERS_THRESHOLD_CARDINALITY },
];

// eslint-disable-next-line @typescript-eslint/no-explicit-any
Expand Down Expand Up @@ -135,6 +141,45 @@ const getSummary = ({
linkValue: linkValue ?? undefined,
};

if (item.id === 'signal.threshold_result.terms') {
try {
const terms = getOr(null, 'originalValue', field);
const parsedValue = terms.map((term: string) => JSON.parse(term));
const thresholdTerms = (parsedValue ?? []).map(
(entry: { field: string; value: string }) => {
return {
title: `${entry.field} [threshold]`,
description: {
...description,
value: entry.value,
},
};
}
);
return [...acc, ...thresholdTerms];
} catch (err) {
return acc;
}
}

if (item.id === 'signal.threshold_result.cardinality') {
try {
const parsedValue = JSON.parse(value);
return [
...acc,
{
title: ALERTS_HEADERS_THRESHOLD_CARDINALITY,
description: {
...description,
value: `count(${parsedValue.field}) == ${parsedValue.value}`,
},
},
];
} catch (err) {
return acc;
}
}

return [
...acc,
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,27 @@ export const ALERTS_HEADERS_RISK_SCORE = i18n.translate(
}
);

export const ALERTS_HEADERS_THRESHOLD_COUNT = i18n.translate(
'xpack.securitySolution.eventsViewer.alerts.defaultHeaders.thresholdCount',
{
defaultMessage: 'Threshold Count',
}
);

export const ALERTS_HEADERS_THRESHOLD_TERMS = i18n.translate(
'xpack.securitySolution.eventsViewer.alerts.defaultHeaders.thresholdTerms',
{
defaultMessage: 'Threshold Terms',
}
);

export const ALERTS_HEADERS_THRESHOLD_CARDINALITY = i18n.translate(
'xpack.securitySolution.eventsViewer.alerts.defaultHeaders.thresholdCardinality',
{
defaultMessage: 'Threshold Cardinality',
}
);

export const ACTION_OPEN_ALERT = i18n.translate(
'xpack.securitySolution.detectionEngine.alerts.actions.openAlertTitle',
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ describe('transformThresholdNormalizedResultsToEcs', () => {
_id,
_index: 'test',
_source: {
'source.ip': '127.0.0.1',
'@timestamp': '2020-04-20T21:27:45+0000',
threshold_result: {
from: new Date('2020-12-17T16:27:00.000Z'),
Expand Down Expand Up @@ -256,6 +257,8 @@ describe('transformThresholdNormalizedResultsToEcs', () => {
_index: 'test',
_source: {
'@timestamp': '2020-04-20T21:27:45+0000',
'host.name': 'garden-gnomes',
'source.ip': '127.0.0.1',
threshold_result: {
from: new Date('2020-12-17T16:28:00.000Z'), // from threshold signal history
terms: [
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,15 @@ const getTransformedHits = (

const source = {
'@timestamp': timestamp,
...bucket.terms.reduce<object>((termAcc, term) => {
if (!term.field.startsWith('signal.')) {
return {
...termAcc,
[term.field]: term.value,
};
}
return termAcc;
}, {}),
threshold_result: {
terms: bucket.terms,
cardinality: bucket.cardinality,
Expand Down

0 comments on commit 17cdb81

Please sign in to comment.