[Security Solution][Detections] Extend alerts schema to accommodate the list of assigned users (elastic#7647)
e40pud committed Sep 20, 2023
1 parent 82306ea commit b79f3f8
Showing 21 changed files with 119 additions and 16 deletions.
Expand Up @@ -32,6 +32,7 @@ import {
ALERT_TIME_RANGE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
SPACE_IDS,
Expand Down Expand Up @@ -182,6 +183,11 @@ export const alertFieldMap = {
array: true,
required: false,
},
[ALERT_WORKFLOW_ASSIGNEES]: {
type: 'keyword',
array: true,
required: false,
},
[EVENT_ACTION]: {
type: 'keyword',
array: false,
Expand Up @@ -116,6 +116,7 @@ const AlertOptional = rt.partial({
start: schemaDate,
time_range: schemaDateRange,
url: schemaString,
workflow_assignees: schemaStringArray,
workflow_status: schemaString,
workflow_tags: schemaStringArray,
}),
Expand Up @@ -234,6 +234,7 @@ const SecurityAlertOptional = rt.partial({
}),
time_range: schemaDateRange,
url: schemaString,
workflow_assignees: schemaStringArray,
workflow_reason: schemaString,
workflow_status: schemaString,
workflow_tags: schemaStringArray,
Expand Up @@ -11,6 +11,7 @@ import {
ALERT_RISK_SCORE,
ALERT_SEVERITY,
ALERT_RULE_PARAMETERS,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_TAGS,
} from '@kbn/rule-data-utils';

Expand Down Expand Up @@ -46,6 +47,7 @@ export const ALERT_EVENTS_FIELDS = [
ALERT_RULE_CONSUMER,
'@timestamp',
'kibana.alert.ancestors.index',
ALERT_WORKFLOW_ASSIGNEES,
'kibana.alert.workflow_status',
ALERT_WORKFLOW_TAGS,
'kibana.alert.group.id',
5 changes: 5 additions & 0 deletions packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
Expand Up @@ -70,6 +70,9 @@ const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
// kibana.alert.workflow_tags - user workflow alert tags
const ALERT_WORKFLOW_TAGS = `${ALERT_NAMESPACE}.workflow_tags` as const;

// kibana.alert.workflow_assignees - user workflow alert assignees
const ALERT_WORKFLOW_ASSIGNEES = `${ALERT_NAMESPACE}.workflow_assignees` as const;

// kibana.alert.rule.category - rule type name for rule that generated this alert
const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;

Expand Down Expand Up @@ -135,6 +138,7 @@ const fields = {
ALERT_TIME_RANGE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
SPACE_IDS,
Expand Down Expand Up @@ -174,6 +178,7 @@ export {
ALERT_TIME_RANGE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
SPACE_IDS,
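Review bot: The new comment on ALERT_WORKFLOW_ASSIGNEES says only "user workflow alert assignees" and leaves open what identifier the strings are; the mapping added for this field earlier in the commit (alertFieldMap) is a plain `keyword` array, so nothing else in the definition pins it down, and any code that compares assignees against the current user (authorization checks, "assigned to me" filters) needs to know. Suggest `// kibana.alert.workflow_assignees - user workflow alert assignees (array of <user identifier: confirm profile uid vs username>)`, replacing the bracketed placeholder with the actual identifier once confirmed.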
2 changes: 2 additions & 0 deletions packages/kbn-rule-data-utils/src/technical_field_names.ts
Expand Up @@ -32,6 +32,7 @@ import {
ALERT_STATUS,
ALERT_TIME_RANGE,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
SPACE_IDS,
Expand Down Expand Up @@ -168,6 +169,7 @@ const fields = {
ALERT_STATUS,
ALERT_SYSTEM_STATUS,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_REASON,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
1 change: 1 addition & 0 deletions packages/kbn-securitysolution-ecs/src/signal/index.ts
Expand Up @@ -24,6 +24,7 @@ export type SignalEcsAAD = Exclude<SignalEcs, 'rule' | 'status'> & {
building_block_type?: string[];
workflow_status?: string[];
workflow_tags?: string[];
workflow_assignees?: string[];
suppression?: {
docs_count: string[];
};
Expand Up @@ -306,6 +306,9 @@ describe('mappingFromFieldMap', () => {
workflow_tags: {
type: 'keyword',
},
workflow_assignees: {
type: 'keyword',
},
},
},
space_ids: {
Expand Up @@ -286,6 +286,11 @@ it('matches snapshot', () => {
"required": true,
"type": "keyword",
},
"kibana.alert.workflow_assignees": Object {
"array": true,
"required": false,
"type": "keyword",
},
"kibana.alert.workflow_reason": Object {
"array": false,
"required": false,
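--- /dev/null
+++ b/[path not shown on page: 8.11.0 alert schema]
@@ -0,0 +1,56 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+import type { ALERT_WORKFLOW_ASSIGNEES } from '@kbn/rule-data-utils';
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+Ancestor890,
+BaseFields890,
+EqlBuildingBlockFields890,
+EqlShellFields890,
+NewTermsFields890,
+} from '../8.9.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.11.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.11.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor890 as Ancestor8110 };
+
+export interface BaseFields8110 extends BaseFields890 {
+[ALERT_WORKFLOW_ASSIGNEES]: string[];
+}
+
+export interface WrappedFields8110<T extends BaseFields8110> {
+_id: string;
+_index: string;
+_source: T;
+}
+
+export type GenericAlert8110 = AlertWithCommonFields800<BaseFields8110>;
+
+export type EqlShellFields8110 = EqlShellFields890 & BaseFields8110;
+
+export type EqlBuildingBlockFields8110 = EqlBuildingBlockFields890 & BaseFields8110;
+
+export type NewTermsFields8110 = NewTermsFields890 & BaseFields8110;
+
+export type NewTermsAlert8110 = NewTermsFields890 & BaseFields8110;
+
+export type EqlBuildingBlockAlert8110 = AlertWithCommonFields800<EqlBuildingBlockFields890>;
+
+export type EqlShellAlert8110 = AlertWithCommonFields800<EqlShellFields8110>;
+
+export type DetectionAlert8110 =
+| GenericAlert8110
+| EqlShellAlert8110
+| EqlBuildingBlockAlert8110
+| NewTermsAlert8110;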
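Review bot: `EqlBuildingBlockAlert8110` is built from `EqlBuildingBlockFields890` rather than the `EqlBuildingBlockFields8110` alias defined a few lines above it, so the building-block member of `DetectionAlert8110` is the only one that does not carry `ALERT_WORKFLOW_ASSIGNEES`, whereas `EqlShellAlert8110` correctly uses `EqlShellFields8110`. The line should read `export type EqlBuildingBlockAlert8110 = AlertWithCommonFields800<EqlBuildingBlockFields8110>;`. On the same theme, `NewTermsAlert8110` repeats `NewTermsFields890 & BaseFields8110` instead of reusing `NewTermsFields8110`; the two are equivalent today but will drift apart if either alias changes. Note also that `BaseFields8110` declares the field as a required `string[]` while the field map in this commit marks it `required: false` and the io-ts schema keeps it optional; that matches the builders, which always emit `[]`, but readers of documents written before this version presumably need to go through the versioned `DetectionAlert` union rather than the `*Latest` types.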
Expand Up @@ -11,15 +11,16 @@ import type { DetectionAlert840 } from './8.4.0';
import type { DetectionAlert860 } from './8.6.0';
import type { DetectionAlert870 } from './8.7.0';
import type { DetectionAlert880 } from './8.8.0';
import type { DetectionAlert890 } from './8.9.0';
import type {
Ancestor890,
BaseFields890,
DetectionAlert890,
EqlBuildingBlockFields890,
EqlShellFields890,
NewTermsFields890,
WrappedFields890,
} from './8.9.0';
Ancestor8110,
BaseFields8110,
DetectionAlert8110,
EqlBuildingBlockFields8110,
EqlShellFields8110,
NewTermsFields8110,
WrappedFields8110,
} from './8.11.0';

// When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
// here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
Expand All @@ -29,14 +30,15 @@ export type DetectionAlert =
| DetectionAlert860
| DetectionAlert870
| DetectionAlert880
| DetectionAlert890;
| DetectionAlert890
| DetectionAlert8110;

export type {
Ancestor890 as AncestorLatest,
BaseFields890 as BaseFieldsLatest,
DetectionAlert890 as DetectionAlertLatest,
WrappedFields890 as WrappedFieldsLatest,
EqlBuildingBlockFields890 as EqlBuildingBlockFieldsLatest,
EqlShellFields890 as EqlShellFieldsLatest,
NewTermsFields890 as NewTermsFieldsLatest,
Ancestor8110 as AncestorLatest,
BaseFields8110 as BaseFieldsLatest,
DetectionAlert8110 as DetectionAlertLatest,
WrappedFields8110 as WrappedFieldsLatest,
EqlBuildingBlockFields8110 as EqlBuildingBlockFieldsLatest,
EqlShellFields8110 as EqlShellFieldsLatest,
NewTermsFields8110 as NewTermsFieldsLatest,
};
Expand Up @@ -177,6 +177,7 @@ export const requiredFieldsForActions = [
'@timestamp',
'kibana.alert.workflow_status',
'kibana.alert.workflow_tags',
'kibana.alert.workflow_assignees',
'kibana.alert.group.id',
'kibana.alert.original_time',
'kibana.alert.building_block_type',
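Review bot: The new `'kibana.alert.workflow_assignees'` entry in `requiredFieldsForActions` has no comment saying why assignees must be loaded for actions, and if, as the array's name suggests, this list selects the alert fields surfaced to rule actions, assignee identifiers will now be included in whatever payload those actions send on. That is consistent with `workflow_status` and `workflow_tags` already being listed, but user identifiers are a different class of data from tags, so the inclusion should be deliberate and documented; a one-line reviewer marker such as `// TODO(review): confirm assignee identifiers are meant to be surfaced to rule actions` would do until that is settled. The enclosing array starts outside the hunk.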
Expand Up @@ -52,6 +52,7 @@ import {
ALERT_STATUS_ACTIVE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
EVENT_KIND,
Expand Down Expand Up @@ -322,6 +323,7 @@ export const sampleAlertDocAADNoSortId = (
},
[ALERT_URL]: 'http://example.com/docID',
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
},
fields: {
someKey: ['someValue'],
Expand Up @@ -19,6 +19,7 @@ import {
ALERT_STATUS_ACTIVE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
EVENT_ACTION,
Expand Down Expand Up @@ -233,6 +234,7 @@ describe('buildAlert', () => {
[ALERT_URL]: expectedAlertUrl,
[ALERT_UUID]: alertUuid,
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
};
expect(alert).toEqual(expected);
});
Expand Down Expand Up @@ -426,6 +428,7 @@ describe('buildAlert', () => {
[ALERT_URL]: expectedAlertUrl,
[ALERT_UUID]: alertUuid,
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
};
expect(alert).toEqual(expected);
});
Expand Up @@ -36,6 +36,7 @@ import {
ALERT_STATUS_ACTIVE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
EVENT_KIND,
Expand Down Expand Up @@ -248,6 +249,7 @@ export const buildAlert = (
[ALERT_URL]: alertUrl,
[ALERT_UUID]: alertUuid,
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
...flattenWithPrefix(ALERT_RULE_META, params.meta),
// These fields don't exist in the mappings, but leaving here for now to limit changes to the alert building logic
'kibana.alert.rule.risk_score': params.riskScore,
Expand Up @@ -40,6 +40,7 @@ import {
ALERT_STATUS_ACTIVE,
ALERT_URL,
ALERT_UUID,
ALERT_WORKFLOW_ASSIGNEES,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
EVENT_KIND,
Expand Down Expand Up @@ -96,6 +97,7 @@ export const createAlert = (
[ALERT_STATUS]: ALERT_STATUS_ACTIVE,
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
[ALERT_DEPTH]: 1,
[ALERT_REASON]: 'reasonable reason',
[ALERT_SEVERITY]: 'high',
Expand Up @@ -321,6 +321,7 @@ export default ({ getService }: FtrProviderContext) => {
'kibana.alert.status': 'active',
'kibana.alert.workflow_status': 'open',
'kibana.alert.workflow_tags': [],
'kibana.alert.workflow_assignees': [],
'kibana.alert.depth': 2,
'kibana.alert.reason':
'event on security-linux-1 created high alert Signal Testing Query.',
Expand Down Expand Up @@ -483,6 +484,7 @@ export default ({ getService }: FtrProviderContext) => {
'kibana.alert.status': 'active',
'kibana.alert.workflow_status': 'open',
'kibana.alert.workflow_tags': [],
'kibana.alert.workflow_assignees': [],
'kibana.alert.depth': 2,
'kibana.alert.reason':
'event on security-linux-1 created high alert Signal Testing Query.',
Expand Up @@ -11,6 +11,7 @@ import {
ALERT_RULE_UUID,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
ALERT_WORKFLOW_ASSIGNEES,
EVENT_KIND,
} from '@kbn/rule-data-utils';
import { flattenWithPrefix } from '@kbn/securitysolution-rules';
Expand Down Expand Up @@ -150,6 +151,7 @@ export default ({ getService }: FtrProviderContext) => {
[ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME],
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
[ALERT_DEPTH]: 1,
[ALERT_ANCESTORS]: [
{
Expand Up @@ -15,6 +15,7 @@ import {
ALERT_UUID,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_TAGS,
ALERT_WORKFLOW_ASSIGNEES,
SPACE_IDS,
VERSION,
} from '@kbn/rule-data-utils';
Expand Down Expand Up @@ -120,6 +121,7 @@ export default ({ getService }: FtrProviderContext) => {
[ALERT_ANCESTORS]: expect.any(Array),
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
[ALERT_STATUS]: 'active',
[SPACE_IDS]: ['default'],
[ALERT_SEVERITY]: 'critical',
Expand Up @@ -167,6 +167,7 @@ export default ({ getService }: FtrProviderContext) => {
'kibana.alert.status': 'active',
'kibana.alert.workflow_status': 'open',
'kibana.alert.workflow_tags': [],
'kibana.alert.workflow_assignees': [],
'kibana.alert.depth': 1,
'kibana.alert.reason':
'authentication event with source 8.42.77.171 by root on zeek-newyork-sha-aa8df15 created high alert Query with a rule id.',
Expand Up @@ -18,6 +18,7 @@ import {
SPACE_IDS,
VERSION,
ALERT_WORKFLOW_TAGS,
ALERT_WORKFLOW_ASSIGNEES,
} from '@kbn/rule-data-utils';
import { flattenWithPrefix } from '@kbn/securitysolution-rules';
import { ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
Expand Down Expand Up @@ -289,6 +290,7 @@ export default ({ getService }: FtrProviderContext) => {
[ALERT_UUID]: fullSignal[ALERT_UUID],
[ALERT_WORKFLOW_STATUS]: 'open',
[ALERT_WORKFLOW_TAGS]: [],
[ALERT_WORKFLOW_ASSIGNEES]: [],
[SPACE_IDS]: ['default'],
[VERSION]: fullSignal[VERSION],
threat: {