Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Open alerts with an associated template in the template view #123333

Merged
merged 16 commits into from
Jan 25, 2022
Merged

[Security Solution] Open alerts with an associated template in the template view #123333

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
1c6d772
Open alerts with a template, with a template
kqualters-elastic Jan 18, 2022
0e616ba
Add default values back instead of template derived ones
kqualters-elastic Jan 19, 2022
5be2880
Use data providers over filters always, set timeline description to a…
kqualters-elastic Jan 19, 2022
2c32e9f
Remove prepopulated description from non threshold alerts
kqualters-elastic Jan 19, 2022
30fa320
Merge branch 'main' into open-in-timeline-cleanup
kibanamachine Jan 24, 2022
597b4c9
Open any event in timeline, use correct timestamp
kqualters-elastic Jan 24, 2022
6f72615
Remove unneeded @timestamp, make sure alertsEcsData is not empty array
kqualters-elastic Jan 24, 2022
c8a86da
Add basic getField tests
kqualters-elastic Jan 25, 2022
f590124
Explicity check if alertGroupId is an array instead of using length
kqualters-elastic Jan 25, 2022
6fa41a9
Always use a valid date for time range
kqualters-elastic Jan 25, 2022
59ab4aa
Only use filter if more than 1 alert is present
kqualters-elastic Jan 25, 2022
6fd6265
Possibly controversial change to calculate threshold time range with …
kqualters-elastic Jan 25, 2022
9b2b89e
Create threshold timeline in separate function
kqualters-elastic Jan 25, 2022
5e5ab70
Use better type for createTimeline passed to createThresholdTimeline
kqualters-elastic Jan 25, 2022
84dd174
Invert negation as suggested in pr comment
kqualters-elastic Jan 25, 2022
12c42d3
Use template timeline filters/query/data providers for threshold alerts
kqualters-elastic Jan 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.test.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,8 +289,7 @@ describe('alert actions', () => {
signal: {
rule: {
...mockEcsDataWithAlert.signal?.rule,
// @ts-expect-error
timeline_id: null,
timeline_id: [''],
},
},
};
Expand Down Expand Up @@ -362,6 +361,7 @@ describe('alert actions', () => {
...defaultTimelineProps,
timeline: {
...defaultTimelineProps.timeline,
resolveTimelineConfig: undefined,
dataProviders: [
{
and: [],
Expand All @@ -370,7 +370,7 @@ describe('alert actions', () => {
id: 'send-alert-to-timeline-action-default-draggable-event-details-value-formatted-field-value-timeline-1-alert-id-my-group-id',
kqlQuery: '',
name: '1',
queryMatch: { field: 'signal.group.id', operator: ':', value: 'my-group-id' },
queryMatch: { field: 'signal.group.id', operator: ':', value: ['my-group-id'] },
},
],
},
Expand Down
34 changes: 18 additions & 16 deletions x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -258,17 +258,18 @@ export const getThresholdAggregationData = (ecsData: Ecs | Ecs[]): ThresholdAggr
);
};

export const isEqlRuleWithGroupId = (ecsData: Ecs) => {
export const isEqlRuleWithGroupId = (ecsData: Ecs): boolean => {
const ruleType = getField(ecsData, ALERT_RULE_TYPE);
const groupId = getField(ecsData, ALERT_GROUP_ID);
return ruleType?.length && ruleType[0] === 'eql' && groupId?.length;
const isEql = ruleType === 'eql' || (Array.isArray(ruleType) && ruleType[0] === 'eql');
return isEql && groupId?.length > 0;
};

export const isThresholdRule = (ecsData: Ecs) => {
export const isThresholdRule = (ecsData: Ecs): boolean => {
const ruleType = getField(ecsData, ALERT_RULE_TYPE);
return (
ruleType === 'threshold' ||
(Array.isArray(ruleType) && ruleType.length && ruleType[0] === 'threshold')
(Array.isArray(ruleType) && ruleType.length > 0 && ruleType[0] === 'threshold')
);
};

Expand All @@ -288,7 +289,7 @@ export const buildAlertsKqlFilter = (
},
},
meta: {
alias: 'Alert Ids',
alias: `Alert Ids: ${alertIds.join()}`,
negate: false,
disabled: false,
type: 'phrases',
Expand Down Expand Up @@ -333,9 +334,9 @@ export const buildTimelineDataProviderOrFilter = (
};
};

export const buildEqlDataProviderOrFilter = (
const buildEqlDataProviderOrFilter = (
alertsIds: string[],
ecs: Ecs[] | Ecs
ecs: Ecs
): { filters: Filter[]; dataProviders: DataProvider[] } => {
if (!isEmpty(alertsIds) && Array.isArray(ecs)) {
return {
Expand All @@ -344,9 +345,7 @@ export const buildEqlDataProviderOrFilter = (
'signal.group.id',
Copy link
Contributor

@michaelolo24 michaelolo24 Jan 20, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more thing, can we update this to ALERT_GROUP_ID per the sync from yesterday? Thanks!

ecs.reduce<string[]>((acc, ecsData) => {
const alertGroupIdField = getField(ecsData, ALERT_GROUP_ID);
const alertGroupId = alertGroupIdField?.length
? alertGroupIdField[0]
: 'unknown-group-id';
const alertGroupId = alertGroupIdField?.length ? alertGroupIdField : 'unknown-group-id';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alertGroupIdField ?? 'unknown-group-id'?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to @madirey suggestion.

if (!acc.includes(alertGroupId)) {
return [...acc, alertGroupId];
}
Expand All @@ -355,9 +354,9 @@ export const buildEqlDataProviderOrFilter = (
),
};
} else if (!Array.isArray(ecs)) {
const alertGroupIdField: string[] = getField(ecs, ALERT_GROUP_ID);
const alertGroupIdField = getField(ecs, ALERT_GROUP_ID);
const queryMatchField = getFieldKey(ecs, ALERT_GROUP_ID);
const alertGroupId = alertGroupIdField?.length ? alertGroupIdField[0] : 'unknown-group-id';
const alertGroupId = alertGroupIdField?.length ? alertGroupIdField : 'unknown-group-id';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If alertGroupIdField is not array any more, why we have this length check alertGroupIdField?.length?

return {
dataProviders: [
{
Expand Down Expand Up @@ -395,12 +394,15 @@ export const sendAlertToTimelineAction = async ({
const ruleNote = getField(ecsData, ALERT_RULE_NOTE);
const noteContent = Array.isArray(ruleNote) && ruleNote.length > 0 ? ruleNote[0] : '';
const ruleTimelineId = getField(ecsData, ALERT_RULE_TIMELINE_ID);
const timelineId =
Array.isArray(ruleTimelineId) && ruleTimelineId.length > 0 ? ruleTimelineId[0] : '';
const timelineId = !isEmpty(ruleTimelineId)
? Array.isArray(ruleTimelineId)
? ruleTimelineId[0]
: ruleTimelineId
: '';
const { to, from } = determineToAndFrom({ ecs });

// For now we do not want to populate the template timeline if we have alertIds
if (!isEmpty(timelineId) && isEmpty(alertIds)) {
if (!isEmpty(timelineId) && isThresholdRule(ecsData) === false) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to ensure the template is applied to threshold rules, consider the following change suggested by @michaelolo24 :

if (!isEmpty(timelineId) && !isEmpty(alertIds)) {

try {
updateTimelineIsLoading({ id: TimelineId.active, isLoading: true });
const [responseTimeline, eventDataResp] = await Promise.all([
Expand Down Expand Up @@ -518,7 +520,7 @@ export const sendAlertToTimelineAction = async ({
} else {
let { dataProviders, filters } = buildTimelineDataProviderOrFilter(alertIds ?? [], ecsData._id);
if (isEqlRuleWithGroupId(ecsData)) {
const tempEql = buildEqlDataProviderOrFilter(alertIds ?? [], ecs);
const tempEql = buildEqlDataProviderOrFilter(alertIds ?? [], ecsData);
dataProviders = tempEql.dataProviders;
filters = tempEql.filters;
}
Expand Down
7 changes: 1 addition & 6 deletions x-pack/plugins/security_solution/public/helpers.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -258,14 +258,9 @@ export const getField = (ecsData: Ecs, field: string) => {
const paramsField = parts.slice(0, parts.length - 1).join('.');
const params = get(paramsField, ecsData);
const value = get(parts[parts.length - 1], params);
if (isEmpty(value)) {
return [];
}
return value;
}
const value = get(aadField, ecsData) ?? get(siemSignalsField, ecsData);
if (isEmpty(value)) {
return [];
}

return value;
};