Asset criticality alert enrichment

packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts

@@ -131,6 +131,7 @@ const SecurityAlertOptional = rt.partial({
   'kibana.alert.flapping_history': schemaBooleanArray,
   'kibana.alert.group.id': schemaString,
   'kibana.alert.group.index': schemaNumber,
+  'kibana.alert.host.criticality_level': schemaString,
   'kibana.alert.last_detected': schemaDate,
   'kibana.alert.maintenance_window_ids': schemaStringArray,
   'kibana.alert.new_terms': schemaStringArray,
@@ -193,6 +194,7 @@ const SecurityAlertOptional = rt.partial({
   ),
   'kibana.alert.time_range': schemaDateRange,
   'kibana.alert.url': schemaString,
+  'kibana.alert.user.criticality_level': schemaString,
   'kibana.alert.workflow_assignee_ids': schemaStringArray,
   'kibana.alert.workflow_reason': schemaString,
   'kibana.alert.workflow_status': schemaString,

x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/8.13.0/index.ts

@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  ALERT_HOST_CRITICALITY,
+  ALERT_USER_CRITICALITY,
+} from '../../../../../field_maps/field_names';
+import type {
+  Ancestor8120,
+  BaseFields8120,
+  EqlBuildingBlockFields8120,
+  EqlShellFields8120,
+  NewTermsFields8120,
+} from '../8.12.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.13.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.13.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor8120 as Ancestor8130 };
+
+export interface BaseFields8130 extends BaseFields8120 {
+  [ALERT_HOST_CRITICALITY]: string | undefined;
+  [ALERT_USER_CRITICALITY]: string | undefined;
+}
+
+export interface WrappedFields8130<T extends BaseFields8130> {
+  _id: string;
+  _index: string;
+  _source: T;
+}
+
+export type GenericAlert8130 = AlertWithCommonFields800<BaseFields8130>;
+
+export type EqlShellFields8130 = EqlShellFields8120 & BaseFields8130;
+
+export type EqlBuildingBlockFields8130 = EqlBuildingBlockFields8120 & BaseFields8130;
+
+export type NewTermsFields8130 = NewTermsFields8120 & BaseFields8130;
+
+export type NewTermsAlert8130 = NewTermsFields8120 & BaseFields8130;
+
+export type EqlBuildingBlockAlert8130 = AlertWithCommonFields800<EqlBuildingBlockFields8120>;
+
+export type EqlShellAlert8130 = AlertWithCommonFields800<EqlShellFields8130>;
+
+export type DetectionAlert8130 =
+  | GenericAlert8130
+  | EqlShellAlert8130
+  | EqlBuildingBlockAlert8130
+  | NewTermsAlert8130;

x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts

@@ -12,15 +12,16 @@ import type { DetectionAlert860 } from './8.6.0';
 import type { DetectionAlert870 } from './8.7.0';
 import type { DetectionAlert880 } from './8.8.0';
 import type { DetectionAlert890 } from './8.9.0';
+import type { DetectionAlert8120 } from './8.12.0';
 import type {
-  Ancestor8120,
-  BaseFields8120,
-  DetectionAlert8120,
-  EqlBuildingBlockFields8120,
-  EqlShellFields8120,
-  NewTermsFields8120,
-  WrappedFields8120,
-} from './8.12.0';
+  Ancestor8130,
+  BaseFields8130,
+  DetectionAlert8130,
+  EqlBuildingBlockFields8130,
+  EqlShellFields8130,
+  NewTermsFields8130,
+  WrappedFields8130,
+} from './8.13.0';
 
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
@@ -31,14 +32,15 @@ export type DetectionAlert =
   | DetectionAlert870
   | DetectionAlert880
   | DetectionAlert890
-  | DetectionAlert8120;
+  | DetectionAlert8120
+  | DetectionAlert8130;
 
 export type {
-  Ancestor8120 as AncestorLatest,
-  BaseFields8120 as BaseFieldsLatest,
-  DetectionAlert8120 as DetectionAlertLatest,
-  WrappedFields8120 as WrappedFieldsLatest,
-  EqlBuildingBlockFields8120 as EqlBuildingBlockFieldsLatest,
-  EqlShellFields8120 as EqlShellFieldsLatest,
-  NewTermsFields8120 as NewTermsFieldsLatest,
+  Ancestor8130 as AncestorLatest,
+  BaseFields8130 as BaseFieldsLatest,
+  DetectionAlert8130 as DetectionAlertLatest,
+  WrappedFields8130 as WrappedFieldsLatest,
+  EqlBuildingBlockFields8130 as EqlBuildingBlockFieldsLatest,
+  EqlShellFields8130 as EqlShellFieldsLatest,
+  NewTermsFields8130 as NewTermsFieldsLatest,
 };

x-pack/plugins/security_solution/common/field_maps/8.13.0/alerts.ts

@@ -0,0 +1,33 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertsFieldMap840 } from '../8.4.0';
+import { ALERT_HOST_CRITICALITY, ALERT_USER_CRITICALITY } from '../field_names';
+
+export const alertsFieldMap8130 = {
+  ...alertsFieldMap840,
+  /**
+   * Stores the criticality level for the host, as determined by analysts, in relation to the alert.
+   * The Criticality level is copied from the asset criticality index.
+   */
+  [ALERT_HOST_CRITICALITY]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  /**
+   * Stores the criticality level for the user, as determined by analysts, in relation to the alert.
+   * The Criticality level is copied from the asset criticality index.
+   */
+  [ALERT_USER_CRITICALITY]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+} as const;
+
+export type AlertsFieldMap8130 = typeof alertsFieldMap8130;

x-pack/plugins/security_solution/common/field_maps/8.13.0/index.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AlertsFieldMap8130 } from './alerts';
+import { alertsFieldMap8130 } from './alerts';
+export type { AlertsFieldMap8130 };
+export { alertsFieldMap8130 };

x-pack/plugins/security_solution/common/field_maps/field_names.ts

@@ -17,6 +17,8 @@ export const ALERT_THRESHOLD_RESULT = `${ALERT_NAMESPACE}.threshold_result` as c
 export const ALERT_THRESHOLD_RESULT_COUNT = `${ALERT_THRESHOLD_RESULT}.count` as const;
 export const ALERT_NEW_TERMS = `${ALERT_NAMESPACE}.new_terms` as const;
 export const ALERT_NEW_TERMS_FIELDS = `${ALERT_RULE_PARAMETERS}.new_terms_fields` as const;
+export const ALERT_HOST_CRITICALITY = `${ALERT_NAMESPACE}.host.criticality_level` as const;
+export const ALERT_USER_CRITICALITY = `${ALERT_NAMESPACE}.user.criticality_level` as const;
 
 export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const;
 export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const;

x-pack/plugins/security_solution/common/field_maps/index.ts

@@ -5,9 +5,9 @@
  * 2.0.
  */
 
-import type { AlertsFieldMap840 } from './8.4.0';
-import { alertsFieldMap840 } from './8.4.0';
+import type { AlertsFieldMap8130 } from './8.13.0';
+import { alertsFieldMap8130 } from './8.13.0';
 import type { RulesFieldMap } from './8.0.0/rules';
 import { rulesFieldMap } from './8.0.0/rules';
-export type { AlertsFieldMap840 as AlertsFieldMap, RulesFieldMap };
-export { alertsFieldMap840 as alertsFieldMap, rulesFieldMap };
+export type { AlertsFieldMap8130 as AlertsFieldMap, RulesFieldMap };
+export { alertsFieldMap8130 as alertsFieldMap, rulesFieldMap };

x-pack/plugins/security_solution/public/detections/configurations/security_solution_detections/columns.ts

@@ -6,6 +6,10 @@
  */
 
 import type { EuiDataGridColumn } from '@elastic/eui';
+import {
+  ALERT_HOST_CRITICALITY,
+  ALERT_USER_CRITICALITY,
+} from '../../../../common/field_maps/field_names';
 import type { LicenseService } from '../../../../common/license';
 import type { ColumnHeaderOptions } from '../../../../common/types';
 
@@ -72,6 +76,18 @@ const getBaseColumns = (
           id: 'user.risk.calculated_level',
         }
       : null,
+    isPlatinumPlus
+      ? {
+          columnHeaderType: defaultColumnHeaderType,
+          id: ALERT_HOST_CRITICALITY,
+        }
+      : null,
+    isPlatinumPlus
+      ? {
+          columnHeaderType: defaultColumnHeaderType,
+          id: ALERT_USER_CRITICALITY,
+        }
+      : null,
     {
       columnHeaderType: defaultColumnHeaderType,
       id: 'process.name',

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts

@@ -80,6 +80,8 @@ import {
   ALERT_RULE_THREAT,
   ALERT_RULE_EXCEPTIONS_LIST,
   ALERT_RULE_IMMUTABLE,
+  ALERT_HOST_CRITICALITY,
+  ALERT_USER_CRITICALITY,
 } from '../../../../../../common/field_maps/field_names';
 import type { CompleteRule, RuleParams } from '../../../rule_schema';
 import { commonParamsCamelToSnake, typeSpecificCamelToSnake } from '../../../rule_management';
@@ -256,6 +258,9 @@ export const buildAlert = (
     'kibana.alert.rule.risk_score': params.riskScore,
     'kibana.alert.rule.severity': params.severity,
     'kibana.alert.rule.building_block_type': params.buildingBlockType,
+    // asset criticality fields will be enriched before ingestion
+    [ALERT_HOST_CRITICALITY]: undefined,
+    [ALERT_USER_CRITICALITY]: undefined,
   };
 };
 

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/__mocks__/alerts.ts

@@ -68,6 +68,8 @@ import {
   ALERT_RULE_TIMELINE_TITLE,
   ALERT_RULE_INDICES,
   ALERT_RULE_TIMESTAMP_OVERRIDE,
+  ALERT_HOST_CRITICALITY,
+  ALERT_USER_CRITICALITY,
 } from '../../../../../../../common/field_maps/field_names';
 
 export const createAlert = (
@@ -194,6 +196,8 @@ export const createAlert = (
       rule_name_override: undefined,
       timestamp_override: undefined,
     },
+    [ALERT_HOST_CRITICALITY]: undefined,
+    [ALERT_USER_CRITICALITY]: undefined,
     ...data,
   },
 });

x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/create_single_field_match_enrichment.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { flatten, chunk } from 'lodash';
+import { chunk } from 'lodash';
 import { searchEnrichments } from './search_enrichments';
 import { makeSingleFieldMatchQuery } from './utils/requests';
 import { getEventValue, getFieldValue } from './utils/events';
@@ -22,12 +22,14 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy
   createEnrichmentFunction,
   name,
   enrichmentResponseFields,
+  extraFilters,
 }) => {
   try {
     logger.debug(`Enrichment ${name}: started`);
 
-    const eventsWithField = events.filter((event) => getEventValue(event, mappingField.eventField));
-    const eventsMapByFieldValue = eventsWithField.reduce((acc, event) => {
+    const eventsToEnrich = events.filter((event) => getEventValue(event, mappingField.eventField));
+
+    const eventsMapByFieldValue = eventsToEnrich.reduce((acc, event) => {
       const eventFieldValue = getEventValue(event, mappingField.eventField);
 
       if (!eventFieldValue) return {};
@@ -39,13 +41,15 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy
     }, {} as { [key: string]: typeof events });
 
     const uniqueEventsValuesToSearchBy = Object.keys(eventsMapByFieldValue);
+
     const chunksUniqueEventsValuesToSearchBy = chunk(uniqueEventsValuesToSearchBy, MAX_CLAUSES);
 
     const getAllEnrichment = chunksUniqueEventsValuesToSearchBy
       .map((enrichmentValuesChunk) =>
         makeSingleFieldMatchQuery({
           values: enrichmentValuesChunk,
           searchByField: mappingField.enrichmentField,
+          extraFilters,
         })
       )
       .filter((query) => query.query?.bool?.should?.length > 0)
@@ -59,11 +63,9 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy
         })
       );
 
-    const enrichmentsResults = (await Promise.allSettled(getAllEnrichment))
+    const enrichments = (await Promise.allSettled(getAllEnrichment))
       .filter((result) => result.status === 'fulfilled')
-      .map((result) => (result as PromiseFulfilledResult<EnrichmentType[]>)?.value);
-
-    const enrichments = flatten(enrichmentsResults);
+      .flatMap((result) => (result as PromiseFulfilledResult<EnrichmentType[]>)?.value);
 
     if (enrichments.length === 0) {
       logger.debug(`Enrichment ${name}: no enrichment found`);