[Security Solution][Detections] Adds Nested CTI row renderer #96275
Merged
33 commits
20dd329
Move alert-specific mocks to more declarative mock file
rylnd 6a1a613
Add placeholder interface for ECS threat fields
rylnd 9b12c87
Test and implement CTI row renderer
rylnd e373e78
Pass full fields data to our row renderers
rylnd f42ba60
Rewrite existing row renderer in terms of flattened data
rylnd 10a53f8
Moving logic into discrete files
rylnd 9d7afd0
Register threat match row renderer
rylnd adf7067
WIP: Rendering draggable fields but hit the data loss issue with nest…
rylnd 6fc1d90
WIP: implementing row renderer against new data format
rylnd c2eb905
Updating based on new data
rylnd b20b71b
Revert "Pass full fields data to our row renderers"
rylnd 39f1880
Fix draggables
rylnd 3477d27
Move indicator field strings to constants
rylnd 0a6f6fd
Fix example data for CTI row renderer
rylnd f6f887c
Move CTI field constants to common folder
rylnd 72b5b3f
Remove redundant CTI fields from client request
rylnd f95f8e3
Add missing graphQL type
rylnd 838e548
Updates tests
rylnd 73a3d1d
Merge branch 'master' into nested_row_renderer
rylnd 90f6004
Split ThreatMatchRow into subcomponents
rylnd d625b2c
Make CTI row renderer look nice
rylnd d14f795
Make indicator reference field an external link
rylnd 5fbcf64
Back to consistent horizontal spacing, here
rylnd d7cce75
Add hr as a visual separator between each match "row" of the row rend…
rylnd 5a04c28
Fix tests broken due to addition of a new row renderer
rylnd d8bf839
Full-width hr
rylnd 2f7433f
More descriptive constant
rylnd d49d692
More realistic data
rylnd 542052b
Remove useless comment
rylnd 9295afc
Add threat_match row renderer type to GQL client
rylnd b115dfe
Ensure contextId is unique for each CTI subrow
rylnd 8f667c7
Merge branch 'master' into nested_row_renderer
kibanamachine 37d737b
Merge branch 'master' into nested_row_renderer
kibanamachine
@@ -0,0 +1,34 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { INDICATOR_DESTINATION_PATH } from '../constants'; | ||
|
||
export const MATCHED_ATOMIC = 'matched.atomic'; | ||
export const MATCHED_FIELD = 'matched.field'; | ||
export const MATCHED_TYPE = 'matched.type'; | ||
export const INDICATOR_MATCH_SUBFIELDS = [MATCHED_ATOMIC, MATCHED_FIELD, MATCHED_TYPE]; | ||
|
||
export const INDICATOR_MATCHED_ATOMIC = `${INDICATOR_DESTINATION_PATH}.${MATCHED_ATOMIC}`; | ||
export const INDICATOR_MATCHED_FIELD = `${INDICATOR_DESTINATION_PATH}.${MATCHED_FIELD}`; | ||
export const INDICATOR_MATCHED_TYPE = `${INDICATOR_DESTINATION_PATH}.${MATCHED_TYPE}`; | ||
|
||
export const EVENT_DATASET = 'event.dataset'; | ||
export const EVENT_REFERENCE = 'event.reference'; | ||
export const PROVIDER = 'provider'; | ||
|
||
export const INDICATOR_DATASET = `${INDICATOR_DESTINATION_PATH}.${EVENT_DATASET}`; | ||
export const INDICATOR_REFERENCE = `${INDICATOR_DESTINATION_PATH}.${EVENT_REFERENCE}`; | ||
export const INDICATOR_PROVIDER = `${INDICATOR_DESTINATION_PATH}.${PROVIDER}`; | ||
|
||
export const CTI_ROW_RENDERER_FIELDS = [ | ||
INDICATOR_MATCHED_ATOMIC, | ||
INDICATOR_MATCHED_FIELD, | ||
INDICATOR_MATCHED_TYPE, | ||
INDICATOR_DATASET, | ||
INDICATOR_REFERENCE, | ||
INDICATOR_PROVIDER, | ||
]; |
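Review bot: CTI_ROW_RENDERER_FIELDS is a hand-maintained list of the six INDICATOR_* constants, so a subfield added to INDICATOR_MATCH_SUBFIELDS (or a fourth indicator field next to dataset, reference and provider) will not be requested by the renderer unless someone remembers to append it here; deriving it, e.g. `[...INDICATOR_MATCH_SUBFIELDS, EVENT_DATASET, EVENT_REFERENCE, PROVIDER].map((f) => `${INDICATOR_DESTINATION_PATH}.${f}`)`, keeps the two lists in step. The file also carries no comment saying what INDICATOR_DESTINATION_PATH resolves to or that these are the indicator field names the row renderer reads, which anyone arriving here from the renderer will need.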
25 changes: 25 additions & 0 deletions
x-pack/plugins/security_solution/common/ecs/threat/index.ts
@@ -0,0 +1,25 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { EventEcs } from '../event'; | ||
|
||
interface ThreatMatchEcs { | ||
atomic?: string[]; | ||
field?: string[]; | ||
type?: string[]; | ||
} | ||
|
||
export interface ThreatIndicatorEcs { | ||
matched?: ThreatMatchEcs; | ||
event?: EventEcs & { reference?: string[] }; | ||
provider?: string[]; | ||
type?: string[]; | ||
} | ||
|
||
export interface ThreatEcs { | ||
indicator: ThreatIndicatorEcs[]; | ||
} |
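Review bot: ThreatMatchEcs is the only interface in this file that is not exported, so code that needs to type a `matched` object (renderer subcomponents, tests, mocks) has to reach for `ThreatIndicatorEcs['matched']` instead; export it alongside the other two. Also, `indicator` is the single required property in a file where every other field is optional; if this type is meant to be as defensive as the neighbouring *Ecs interfaces, make it `indicator?: ThreatIndicatorEcs[]` and let consumers narrow, otherwise add a comment explaining why an indicator array is guaranteed to be present.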
112 changes: 112 additions & 0 deletions
x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts
@@ -0,0 +1,112 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { Ecs } from '../../../common/ecs'; | ||
import { TimelineNonEcsData } from '../../../common/search_strategy'; | ||
|
||
export const mockEcsDataWithAlert: Ecs = { | ||
_id: '1', | ||
timestamp: '2018-11-05T19:03:25.937Z', | ||
host: { | ||
name: ['apache'], | ||
ip: ['192.168.0.1'], | ||
}, | ||
event: { | ||
id: ['1'], | ||
action: ['Action'], | ||
category: ['Access'], | ||
module: ['nginx'], | ||
severity: [3], | ||
}, | ||
source: { | ||
ip: ['192.168.0.1'], | ||
port: [80], | ||
}, | ||
destination: { | ||
ip: ['192.168.0.3'], | ||
port: [6343], | ||
}, | ||
user: { | ||
id: ['1'], | ||
name: ['john.dee'], | ||
}, | ||
geo: { | ||
region_name: ['xx'], | ||
country_iso_code: ['xx'], | ||
}, | ||
signal: { | ||
rule: { | ||
created_at: ['2020-01-10T21:11:45.839Z'], | ||
updated_at: ['2020-01-10T21:11:45.839Z'], | ||
created_by: ['elastic'], | ||
description: ['24/7'], | ||
enabled: [true], | ||
false_positives: ['test-1'], | ||
filters: [], | ||
from: ['now-300s'], | ||
id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'], | ||
immutable: [false], | ||
index: ['auditbeat-*'], | ||
interval: ['5m'], | ||
rule_id: ['rule-id-1'], | ||
language: ['kuery'], | ||
output_index: ['.siem-signals-default'], | ||
max_signals: [100], | ||
risk_score: ['21'], | ||
query: ['user.name: root or user.name: admin'], | ||
references: ['www.test.co'], | ||
saved_id: ["Garrett's IP"], | ||
timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'], | ||
timeline_title: ['Untitled timeline'], | ||
severity: ['low'], | ||
updated_by: ['elastic'], | ||
tags: [], | ||
to: ['now'], | ||
type: ['saved_query'], | ||
threat: [], | ||
note: ['# this is some markdown documentation'], | ||
version: ['1'], | ||
}, | ||
}, | ||
}; | ||
|
||
export const getDetectionAlertMock = (overrides: Partial<Ecs> = {}): Ecs => ({ | ||
...mockEcsDataWithAlert, | ||
...overrides, | ||
}); | ||
|
||
export const getThreatMatchDetectionAlert = (overrides: Partial<Ecs> = {}): Ecs => ({ | ||
...mockEcsDataWithAlert, | ||
signal: { | ||
...mockEcsDataWithAlert.signal, | ||
rule: { | ||
...mockEcsDataWithAlert.rule, | ||
name: ['mock threat_match rule'], | ||
type: ['threat_match'], | ||
}, | ||
}, | ||
threat: { | ||
indicator: [ | ||
{ | ||
matched: { | ||
atomic: ['matched.atomic'], | ||
field: ['matched.atomic'], | ||
type: ['matched.domain'], | ||
}, | ||
}, | ||
], | ||
}, | ||
...overrides, | ||
}); | ||
|
||
export const getDetectionAlertFieldsMock = ( | ||
fields: TimelineNonEcsData[] = [] | ||
): TimelineNonEcsData[] => [ | ||
{ field: '@timestamp', value: ['2021-03-27T06:28:47.292Z'] }, | ||
{ field: 'signal.rule.type', value: ['threat_match'] }, | ||
...fields, | ||
]; |
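Review bot: in getThreatMatchDetectionAlert the rule override spreads `...mockEcsDataWithAlert.rule`, but the base mock defines its rule under `signal.rule`, not at the top level, so the resulting alert's signal.rule carries only `name` and `type` and silently drops every other rule field the base mock sets up (id, rule_id, query, severity, ...); the intended spread is `...mockEcsDataWithAlert.signal?.rule`. Separately, the sample indicator uses `field: ['matched.atomic']`, which repeats the `atomic` value rather than naming a matched field; a distinct value would make the two visible as separate things in a rendered row and catch a renderer that swaps them.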
are these truly optional? if you have an atomic, shouldn't you always have a field and a type?
The existing `*Ecs` types seemed to be very defensive, where almost everything was optional. If it's one of our detection alerts then it should have all three, but I think these are meant to be general to anything "compliant" with ECS.