Asset criticality alert enrichment #171241
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0'; | ||
import type { | ||
ALERT_HOST_CRITICALITY, | ||
ALERT_USER_CRITICALITY, | ||
} from '../../../../../field_maps/field_names'; | ||
import type { | ||
Ancestor8120, | ||
BaseFields8120, | ||
EqlBuildingBlockFields8120, | ||
EqlShellFields8120, | ||
NewTermsFields8120, | ||
} from '../8.12.0'; | ||
|
||
/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.13.0. | ||
Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.13.0. | ||
If you are adding new fields for a new release of Kibana, create a new sibling folder to this one | ||
for the version to be released and add the field(s) to the schema in that folder. | ||
Then, update `../index.ts` to import from the new folder that has the latest schemas, add the | ||
new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas. | ||
*/ | ||
|
||
export type { Ancestor8120 as Ancestor8130 }; | ||
|
||
export interface BaseFields8130 extends BaseFields8120 { | ||
[ALERT_HOST_CRITICALITY]: string | undefined; | ||
[ALERT_USER_CRITICALITY]: string | undefined; | ||
} | ||
|
||
export interface WrappedFields8130<T extends BaseFields8130> { | ||
_id: string; | ||
_index: string; | ||
_source: T; | ||
} | ||
|
||
export type GenericAlert8130 = AlertWithCommonFields800<BaseFields8130>; | ||
|
||
export type EqlShellFields8130 = EqlShellFields8120 & BaseFields8130; | ||
|
||
export type EqlBuildingBlockFields8130 = EqlBuildingBlockFields8120 & BaseFields8130; | ||
|
||
export type NewTermsFields8130 = NewTermsFields8120 & BaseFields8130; | ||
|
||
export type NewTermsAlert8130 = NewTermsFields8120 & BaseFields8130; | ||
|
||
export type EqlBuildingBlockAlert8130 = AlertWithCommonFields800<EqlBuildingBlockFields8120>; | ||
|
||
export type EqlShellAlert8130 = AlertWithCommonFields800<EqlShellFields8130>; | ||
|
||
export type DetectionAlert8130 = | ||
| GenericAlert8130 | ||
| EqlShellAlert8130 | ||
| EqlBuildingBlockAlert8130 | ||
| NewTermsAlert8130; |
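Review bot: the four `*Alert8130` aliases at the end of this file are not built the same way, and one of them misses the two new fields. `EqlBuildingBlockAlert8130 = AlertWithCommonFields800<EqlBuildingBlockFields8120>` wraps the 8.12.0 fields rather than the `EqlBuildingBlockFields8130` defined a few lines above it, so `ALERT_HOST_CRITICALITY` and `ALERT_USER_CRITICALITY` are absent from that alert type even though the field map adds them, and `NewTermsAlert8130 = NewTermsFields8120 & BaseFields8130` skips the `AlertWithCommonFields800<...>` wrapper that `GenericAlert8130`, `EqlShellAlert8130` and `EqlBuildingBlockAlert8130` use. If these shapes are copied from the 8.12.0 file on purpose, a one-line comment saying so would stop the next reader from "fixing" them; otherwise `AlertWithCommonFields800<EqlBuildingBlockFields8130>` and `AlertWithCommonFields800<NewTermsFields8130>` look like what was intended. Separately, `string | undefined` for the two criticality fields accepts any string; the discussion on this PR says the level is one of a small fixed set, so a string-literal union would let the compiler catch a wrong value in the enrichment code.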
@@ -0,0 +1,33 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { alertsFieldMap840 } from '../8.4.0'; | ||
import { ALERT_HOST_CRITICALITY, ALERT_USER_CRITICALITY } from '../field_names'; | ||
|
||
export const alertsFieldMap8130 = { | ||
...alertsFieldMap840, | ||
/** | ||
* Stores the criticality level for the host, as determined by analysts, in relation to the alert. | ||
* The Criticality level is copied from the asset criticality index. | ||
*/ | ||
[ALERT_HOST_CRITICALITY]: { | ||
type: 'keyword', | ||
array: false, | ||
required: false, | ||
}, | ||
/** | ||
* Stores the criticality level for the user, as determined by analysts, in relation to the alert. | ||
* The Criticality level is copied from the asset criticality index. | ||
*/ | ||
[ALERT_USER_CRITICALITY]: { | ||
type: 'keyword', | ||
array: false, | ||
required: false, | ||
}, | ||
} as const; | ||
|
||
export type AlertsFieldMap8130 = typeof alertsFieldMap8130; |
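Review bot: `alertsFieldMap8130` spreads `alertsFieldMap840` from `'../8.4.0'`, while the 8.13.0 alert types in this PR extend `BaseFields8120`; if no field map was added between 8.4.0 and 8.12.0 that is correct, but a short comment saying the field map was last changed in 8.4.0 would save the next reader from checking. The two doc comments also read oddly: "as determined by analysts, in relation to the alert" suggests a per-alert judgement, while the next sentence says the value is copied from the asset criticality index, so the field is the entity's criticality at enrichment time, not something specific to this alert. Suggest "The asset criticality level of the host, as assigned by analysts, copied from the asset criticality index when the alert was created." (and the same for the user). Since the value is a free `keyword` set by people through the UI, listing the allowed values in the same comment would help anyone writing queries or detections against it.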
@@ -0,0 +1,11 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { AlertsFieldMap8130 } from './alerts'; | ||
import { alertsFieldMap8130 } from './alerts'; | ||
export type { AlertsFieldMap8130 }; | ||
export { alertsFieldMap8130 }; |
@@ -22,11 +22,15 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy | |||||||||||
createEnrichmentFunction, | ||||||||||||
name, | ||||||||||||
enrichmentResponseFields, | ||||||||||||
extraFilters, | ||||||||||||
}) => { | ||||||||||||
try { | ||||||||||||
logger.debug(`Enrichment ${name}: started`); | ||||||||||||
|
||||||||||||
// gets just the events we will enrich | ||||||||||||
const eventsWithField = events.filter((event) => getEventValue(event, mappingField.eventField)); | ||||||||||||
@oatkiller were these meant to stick around, or were these just notes for you? Typically when I see comments like this in the code, it's making up for an unhelpful variable name. IMO these variables are good at describing what they are, but not why they are. Perhaps the comments wouldn't be needed if the intention was more clear?
Suggested change
||||||||||||
|
||||||||||||
// gets the values for that field, and makes a map of field_value to event | ||||||||||||
const eventsMapByFieldValue = eventsWithField.reduce((acc, event) => { | ||||||||||||
const eventFieldValue = getEventValue(event, mappingField.eventField); | ||||||||||||
|
||||||||||||
|
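Review bot: `extraFilters` is added to the destructured parameters in this hunk, but the `CreateFieldsMatchEnrichment` type it is destructured from is not in the diff; confirm the type (and every caller that builds the params object) gained the new property, or the destructuring will not type-check. On `events.filter((event) => getEventValue(event, mappingField.eventField))`: the filter works by truthiness, so an empty-string or otherwise falsy value is silently dropped. That is what you want for `host.name` and `user.name`, but the function is generic, so an explicit `!== undefined` (or a documented non-empty-string check) states the intent better than the implicit coercion. Agree with the earlier comment that `// gets just the events we will enrich` only restates the variable name; say instead why events without the field are dropped (there is nothing to match them against in the enrichment index).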
@@ -38,14 +42,18 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy | |||||||||||
return acc; | ||||||||||||
}, {} as { [key: string]: typeof events }); | ||||||||||||
|
||||||||||||
// list of e.g. user.name's of host.names | ||||||||||||
const uniqueEventsValuesToSearchBy = Object.keys(eventsMapByFieldValue); | ||||||||||||
|
||||||||||||
// array of arrays of e.g. user.name's of host.names | ||||||||||||
const chunksUniqueEventsValuesToSearchBy = chunk(uniqueEventsValuesToSearchBy, MAX_CLAUSES); | ||||||||||||
|
||||||||||||
const getAllEnrichment = chunksUniqueEventsValuesToSearchBy | ||||||||||||
.map((enrichmentValuesChunk) => | ||||||||||||
makeSingleFieldMatchQuery({ | ||||||||||||
values: enrichmentValuesChunk, | ||||||||||||
searchByField: mappingField.enrichmentField, | ||||||||||||
extraFilters, | ||||||||||||
}) | ||||||||||||
) | ||||||||||||
.filter((query) => query.query?.bool?.should?.length > 0) | ||||||||||||
|
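Review bot: `chunk(uniqueEventsValuesToSearchBy, MAX_CLAUSES)` keeps the number of values per query at or under `MAX_CLAUSES`, but `extraFilters` is now passed into the same `makeSingleFieldMatchQuery` call; if those filters become bool clauses, a full chunk plus the extras can exceed the limit. Either reserve room for them when chunking or leave a comment explaining why they do not count. The two comments in this hunk also share a typo: `user.name's of host.names` should read `user.name's or host.names`. Finally, `.filter((query) => query.query?.bool?.should?.length > 0)` compares a possibly-undefined length; it works at runtime only because `undefined > 0` is false, so `(query.query?.bool?.should?.length ?? 0) > 0` is clearer and type-checks under `strict`.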
@@ -63,6 +71,7 @@ export const createSingleFieldMatchEnrichment: CreateFieldsMatchEnrichment = asy | |||||||||||
.filter((result) => result.status === 'fulfilled') | ||||||||||||
.map((result) => (result as PromiseFulfilledResult<EnrichmentType[]>)?.value); | ||||||||||||
|
||||||||||||
// search hits. | ||||||||||||
const enrichments = flatten(enrichmentsResults); | ||||||||||||
Suggested change
(you'd also need to rename
||||||||||||
|
||||||||||||
if (enrichments.length === 0) { | ||||||||||||
|
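Review bot: the `result.status === 'fulfilled'` filter drops rejected chunk queries silently, so if one criticality lookup fails, the alerts from that chunk are written without `kibana.alert.host.criticality_level` / `kibana.alert.user.criticality_level` and nothing distinguishes "lookup failed" from "no criticality assigned". Failing open is the right choice for an enrichment, but log the rejected results at warn level with the enrichment `name` (the surrounding `try` already has `logger` in scope, see the `Enrichment ${name}: started` debug line) so a broken asset criticality index is visible to operators. The `// search hits.` comment can go; the variable name already says that, and the rename suggested above covers the rest.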
@elastic/actionable-observability since these two fields are being added at the `kibana.alert.*` level, we'd like approval from you all that this will not conflict with any future fields you all plan to add.

@nkhristinin unless we want different fields for risk enrichment than we do for risk score docs themselves (which we hadn't up until this point), this seems like a placeholder field added in the absence of an official ECS one.
If it helps, I've just added those fields to the Risk Score Extensions RFC; in that case I think these would be `host.risk.criticality_level` and `user.risk.criticality_level`.

@kobelb We discussed adding severity to our rules, but we don't have a plan for it atm.
@simianhacker Do you have any input?
Just a question about the naming: How does criticality differ from severity?

@kobelb We don't have any immediate plans so from a conflict perspective, I think we are good if you're good.
@maryam-saeidi I think when we (ResponseOps and Observability) work on alert severity levels, we'll probably need something similar.

`kibana.alert.host.criticality_level` and `kibana.alert.user.criticality_level` are used to store the Asset Criticality level which can be assigned by the user in UI for entities. Values can be `very important`, `not important`, `normal`.

Thanks, @simianhacker and @maryam-saeidi. While I think the severity that we've discussed is similar to the asset criticality fields that are being added, I currently think they're two unique aspects, so I don't think we should have any conflicts here.
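The enrichment this PR adds (group events by a match field, query the asset criticality index in chunks, copy the level onto each alert) as a self-contained model. This is an added example, not Kibana's code and not the `createSingleFieldMatchEnrichment` function in the diff. It assumes events are flat maps keyed by dotted field names, that asset criticality documents carry `id_field`, `id_value` and `criticality_level` (an assumed shape), and a `MAX_CLAUSES` of 2 so the chunking is visible on a handful of events; the sample events and index are constructed here. It goes one step beyond the diff by only copying a level from the closed set quoted in the thread above and by reporting how many index documents were ignored, so an unexpected value in the index cannot land on an alert unnoticed.

```typescript
// Added example, not Kibana's code: an offline model of single-field-match enrichment.

type CriticalityLevel = 'very important' | 'normal' | 'not important';
// Closed set of levels quoted in the review thread; anything else is rejected.
const LEVELS: CriticalityLevel[] = ['very important', 'normal', 'not important'];
const CRITICALITY_LEVELS = new Set<string>(LEVELS);

const ALERT_HOST_CRITICALITY = 'kibana.alert.host.criticality_level';
const ALERT_USER_CRITICALITY = 'kibana.alert.user.criticality_level';

// Assumption: tiny clause budget so chunking shows up in the demo; the real limit is not on the page.
const MAX_CLAUSES = 2;

type EventDoc = Record<string, unknown>;

// Assumed document shape for the asset criticality index.
interface AssetCriticalityDoc {
  id_field: string;
  id_value: string;
  criticality_level: string;
}

interface MappingField {
  eventField: string; // field on the event to match by, e.g. host.name
  enrichmentField: string; // id_field in the criticality index to match against
  alertField: string; // kibana.alert.* field the level is copied into
}

// Explicit non-empty-string check instead of a truthiness filter.
function getEventValue(event: EventDoc, field: string): string | undefined {
  const v = event[field];
  return typeof v === 'string' && v.length > 0 ? v : undefined;
}

function chunk<T>(items: T[], size: number): T[][] {
  const out: T[][] = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Stand-in for the terms query Kibana would run against the criticality index.
function searchAssetCriticality(
  index: AssetCriticalityDoc[],
  idField: string,
  values: string[]
): AssetCriticalityDoc[] {
  const wanted = new Set(values);
  return index.filter((d) => d.id_field === idField && wanted.has(d.id_value));
}

function enrichWithCriticality(events: EventDoc[], index: AssetCriticalityDoc[], mapping: MappingField) {
  const out = events.map((e) => ({ ...e })); // never mutate the caller's events
  // Group events that carry the match field by that field's value.
  const byValue = new Map<string, EventDoc[]>();
  for (const e of out) {
    const v = getEventValue(e, mapping.eventField);
    if (v === undefined) continue;
    const list = byValue.get(v);
    if (list) list.push(e);
    else byValue.set(v, [e]);
  }
  // One query per chunk of unique values, so each query stays under the clause budget.
  const chunks = chunk([...byValue.keys()], MAX_CLAUSES);
  let skippedInvalid = 0;
  for (const values of chunks) {
    for (const hit of searchAssetCriticality(index, mapping.enrichmentField, values)) {
      // Only copy a level from the closed set; an index doc with any other value is ignored.
      if (!CRITICALITY_LEVELS.has(hit.criticality_level)) {
        skippedInvalid += 1;
        continue;
      }
      for (const e of byValue.get(hit.id_value) ?? []) e[mapping.alertField] = hit.criticality_level;
    }
  }
  // Events with no match keep the field absent (string | undefined in the schema): fail open.
  return { events: out, queries: chunks.length, skippedInvalid };
}

function runDemo() {
  // Constructed sample data, not taken from any real index or alert stream.
  const assetIndex: AssetCriticalityDoc[] = [
    { id_field: 'host.name', id_value: 'web-01', criticality_level: 'very important' },
    { id_field: 'host.name', id_value: 'db-07', criticality_level: 'critical' }, // not an allowed level
    { id_field: 'user.name', id_value: 'alice', criticality_level: 'normal' },
    { id_field: 'user.name', id_value: 'bob', criticality_level: 'not important' },
  ];
  const events: EventDoc[] = [
    { 'host.name': 'web-01', 'user.name': 'alice' },
    { 'host.name': 'db-07', 'user.name': 'bob' },
    { 'host.name': 'laptop-3', 'user.name': 'alice' }, // host unknown to the index
    { 'user.name': 'carol' }, // no host.name at all
    { 'host.name': '', 'user.name': 'alice' }, // empty host.name is not a match key
  ];
  const hosts = enrichWithCriticality(events, assetIndex, {
    eventField: 'host.name', enrichmentField: 'host.name', alertField: ALERT_HOST_CRITICALITY,
  });
  const users = enrichWithCriticality(hosts.events, assetIndex, {
    eventField: 'user.name', enrichmentField: 'user.name', alertField: ALERT_USER_CRITICALITY,
  });
  return {
    events: users.events,
    hostQueries: hosts.queries,
    userQueries: users.queries,
    skippedInvalid: hosts.skippedInvalid + users.skippedInvalid,
  };
}
```

`runDemo()` runs the host pass and then the user pass over the same five events; the first event gets both levels, the `db-07` event gets no host level because its index document carries a value outside the allowed set, and the events with a missing or empty `host.name` are never queried for. With `MAX_CLAUSES` at 2, three unique host names and three unique user names each cost two queries, which is the chunking the diff's `chunk(uniqueEventsValuesToSearchBy, MAX_CLAUSES)` performs.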