[Security Solution][Detections] Adds Nested CTI row renderer

x-pack/plugins/security_solution/common/cti/constants.ts

@@ -0,0 +1,35 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { INDICATOR_DESTINATION_PATH } from '../constants';
+
+export const MATCHED_ATOMIC = 'matched.atomic';
+export const MATCHED_FIELD = 'matched.field';
+export const MATCHED_TYPE = 'matched.type';
+export const INDICATOR_MATCH_SUBFIELDS = [MATCHED_ATOMIC, MATCHED_FIELD, MATCHED_TYPE];
+
+export const INDICATOR_MATCHED_ATOMIC = `${INDICATOR_DESTINATION_PATH}.${MATCHED_ATOMIC}`;
+export const INDICATOR_MATCHED_FIELD = `${INDICATOR_DESTINATION_PATH}.${MATCHED_FIELD}`;
+export const INDICATOR_MATCHED_TYPE = `${INDICATOR_DESTINATION_PATH}.${MATCHED_TYPE}`;
+
+export const EVENT_DATASET = 'event.dataset';
+export const EVENT_REFERENCE = 'event.reference';
+export const PROVIDER = 'provider';
+
+export const INDICATOR_DATASET = `${INDICATOR_DESTINATION_PATH}.${EVENT_DATASET}`;
+export const INDICATOR_REFERENCE = `${INDICATOR_DESTINATION_PATH}.${EVENT_REFERENCE}`;
+export const INDICATOR_PROVIDER = `${INDICATOR_DESTINATION_PATH}.${PROVIDER}`;
+
+// fields used to populate the CTI row renderer
+export const REQUIRED_INDICATOR_MATCH_FIELDS = [
+  INDICATOR_MATCHED_ATOMIC,
+  INDICATOR_MATCHED_FIELD,
+  INDICATOR_MATCHED_TYPE,
+  INDICATOR_DATASET,
+  INDICATOR_REFERENCE,
+  INDICATOR_PROVIDER,
+];

x-pack/plugins/security_solution/common/ecs/index.ts

@@ -28,6 +28,7 @@ import { UserEcs } from './user';
 import { WinlogEcs } from './winlog';
 import { ProcessEcs } from './process';
 import { SystemEcs } from './system';
+import { ThreatEcs } from './threat';
 import { Ransomware } from './ransomware';
 
 export interface Ecs {
@@ -58,6 +59,7 @@ export interface Ecs {
   process?: ProcessEcs;
   file?: FileEcs;
   system?: SystemEcs;
+  threat?: ThreatEcs;
   // This should be temporary
   eql?: { parentId: string; sequenceNumber: string };
   Ransomware?: Ransomware;

x-pack/plugins/security_solution/common/ecs/rule/index.ts

@@ -9,7 +9,7 @@ export interface RuleEcs {
   id?: string[];
   rule_id?: string[];
   name?: string[];
-  false_positives: string[];
+  false_positives?: string[];
   saved_id?: string[];
   timeline_id?: string[];
   timeline_title?: string[];

x-pack/plugins/security_solution/common/ecs/threat/index.ts

@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EventEcs } from '../event';
+
+interface ThreatMatchEcs {
+  atomic?: string[];
+  field?: string[];
+  type?: string[];
+}
+
+export interface ThreatIndicatorEcs {
+  matched?: ThreatMatchEcs;
+  event?: EventEcs & { reference?: string[] };
+  provider?: string[];
+  type?: string[];
+}
+
+export interface ThreatEcs {
+  indicator: ThreatIndicatorEcs[];
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram/events/index.ts

@@ -26,7 +26,9 @@ export interface EventsActionGroupData {
   doc_count: number;
 }
 
-export type Fields = Record<string, unknown[] | Fields[]>;
+export interface Fields<T = unknown[]> {
+  [x: string]: T | Array<Fields<T>>;
+}
 
 export interface EventHit extends SearchHit {
   sort: string[];

x-pack/plugins/security_solution/common/types/timeline/index.ts

@@ -206,6 +206,7 @@ export enum RowRendererId {
   system_fim = 'system_fim',
   system_security_event = 'system_security_event',
   system_socket = 'system_socket',
+  threat_match = 'threat_match',
   zeek = 'zeek',
 }
 

x-pack/plugins/security_solution/public/common/mock/index.ts

@@ -10,6 +10,7 @@ export * from './header';
 export * from './hook_wrapper';
 export * from './index_pattern';
 export * from './mock_detail_item';
+export * from './mock_detection_alerts';
 export * from './mock_ecs';
 export * from './mock_local_storage';
 export * from './mock_timeline_data';

x-pack/plugins/security_solution/public/common/mock/mock_detection_alerts.ts

@@ -0,0 +1,112 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Ecs } from '../../../common/ecs';
+import { TimelineNonEcsData } from '../../../common/search_strategy';
+
+export const mockEcsDataWithAlert: Ecs = {
+  _id: '1',
+  timestamp: '2018-11-05T19:03:25.937Z',
+  host: {
+    name: ['apache'],
+    ip: ['192.168.0.1'],
+  },
+  event: {
+    id: ['1'],
+    action: ['Action'],
+    category: ['Access'],
+    module: ['nginx'],
+    severity: [3],
+  },
+  source: {
+    ip: ['192.168.0.1'],
+    port: [80],
+  },
+  destination: {
+    ip: ['192.168.0.3'],
+    port: [6343],
+  },
+  user: {
+    id: ['1'],
+    name: ['john.dee'],
+  },
+  geo: {
+    region_name: ['xx'],
+    country_iso_code: ['xx'],
+  },
+  signal: {
+    rule: {
+      created_at: ['2020-01-10T21:11:45.839Z'],
+      updated_at: ['2020-01-10T21:11:45.839Z'],
+      created_by: ['elastic'],
+      description: ['24/7'],
+      enabled: [true],
+      false_positives: ['test-1'],
+      filters: [],
+      from: ['now-300s'],
+      id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'],
+      immutable: [false],
+      index: ['auditbeat-*'],
+      interval: ['5m'],
+      rule_id: ['rule-id-1'],
+      language: ['kuery'],
+      output_index: ['.siem-signals-default'],
+      max_signals: [100],
+      risk_score: ['21'],
+      query: ['user.name: root or user.name: admin'],
+      references: ['www.test.co'],
+      saved_id: ["Garrett's IP"],
+      timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'],
+      timeline_title: ['Untitled timeline'],
+      severity: ['low'],
+      updated_by: ['elastic'],
+      tags: [],
+      to: ['now'],
+      type: ['saved_query'],
+      threat: [],
+      note: ['# this is some markdown documentation'],
+      version: ['1'],
+    },
+  },
+};
+
+export const getDetectionAlertMock = (overrides: Partial<Ecs> = {}): Ecs => ({
+  ...mockEcsDataWithAlert,
+  ...overrides,
+});
+
+export const getThreatMatchDetectionAlert = (overrides: Partial<Ecs> = {}): Ecs => ({
+  ...mockEcsDataWithAlert,
+  signal: {
+    ...mockEcsDataWithAlert.signal,
+    rule: {
+      ...mockEcsDataWithAlert.rule,
+      name: ['mock threat_match rule'],
+      type: ['threat_match'],
+    },
+  },
+  threat: {
+    indicator: [
+      {
+        matched: {
+          atomic: ['matched.atomic'],
+          field: ['matched.atomic'],
+          type: ['matched.domain'],
+        },
+      },
+    ],
+  },
+  ...overrides,
+});
+
+export const getDetectionAlertFieldsMock = (
+  fields: TimelineNonEcsData[] = []
+): TimelineNonEcsData[] => [
+  { field: '@timestamp', value: ['2021-03-27T06:28:47.292Z'] },
+  { field: 'signal.rule.type', value: ['threat_match'] },
+  ...fields,
+];

x-pack/plugins/security_solution/public/common/mock/mock_ecs.ts

@@ -1026,69 +1026,3 @@ export const mockEcsData: Ecs[] = [
     },
   },
 ];
-
-export const mockEcsDataWithAlert: Ecs = {
-  _id: '1',
-  timestamp: '2018-11-05T19:03:25.937Z',
-  host: {
-    name: ['apache'],
-    ip: ['192.168.0.1'],
-  },
-  event: {
-    id: ['1'],
-    action: ['Action'],
-    category: ['Access'],
-    module: ['nginx'],
-    severity: [3],
-  },
-  source: {
-    ip: ['192.168.0.1'],
-    port: [80],
-  },
-  destination: {
-    ip: ['192.168.0.3'],
-    port: [6343],
-  },
-  user: {
-    id: ['1'],
-    name: ['john.dee'],
-  },
-  geo: {
-    region_name: ['xx'],
-    country_iso_code: ['xx'],
-  },
-  signal: {
-    rule: {
-      created_at: ['2020-01-10T21:11:45.839Z'],
-      updated_at: ['2020-01-10T21:11:45.839Z'],
-      created_by: ['elastic'],
-      description: ['24/7'],
-      enabled: [true],
-      false_positives: ['test-1'],
-      filters: [],
-      from: ['now-300s'],
-      id: ['b5ba41ab-aaf3-4f43-971b-bdf9434ce0ea'],
-      immutable: [false],
-      index: ['auditbeat-*'],
-      interval: ['5m'],
-      rule_id: ['rule-id-1'],
-      language: ['kuery'],
-      output_index: ['.siem-signals-default'],
-      max_signals: [100],
-      risk_score: ['21'],
-      query: ['user.name: root or user.name: admin'],
-      references: ['www.test.co'],
-      saved_id: ["Garrett's IP"],
-      timeline_id: ['1234-2136-11ea-9864-ebc8cc1cb8c2'],
-      timeline_title: ['Untitled timeline'],
-      severity: ['low'],
-      updated_by: ['elastic'],
-      tags: [],
-      to: ['now'],
-      type: ['saved_query'],
-      threat: [],
-      note: ['# this is some markdown documentation'],
-      version: ['1'],
-    },
-  },
-};

x-pack/plugins/security_solution/public/common/mock/mock_timeline_data.ts

@@ -1088,6 +1088,31 @@ export const mockTimelineData: TimelineItem[] = [
       geo: { region_name: ['xx'], country_iso_code: ['xx'] },
     },
   },
+  {
+    _id: '32',
+    data: [],
+    ecs: {
+      _id: 'BuBP4W0BOpWiDweSoYSg',
+      timestamp: '2019-10-18T23:59:15.091Z',
+      // TODO use more realistic data
+      threat: {
+        indicator: [
+          {
+            matched: {
+              atomic: ['laptop.local'],
+              field: ['host.name'],
+              type: ['domain'],
+            },
+            event: {
+              dataset: ['threatintel.abuseurl'],
+              reference: ['https://urlhaus.abuse.ch/url/1055419/'],
+            },
+            provider: ['indicator_provider'],
+          },
+        ],
+      },
+    },
+  },
 ];
 
 export const mockFimFileCreatedEvent: Ecs = {

x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/catalog/index.tsx

@@ -24,6 +24,7 @@ import {
   SystemFimExample,
   SystemSecurityEventExample,
   SystemSocketExample,
+  ThreatMatchExample,
   ZeekExample,
 } from '../examples';
 import * as i18n from './translations';
@@ -204,6 +205,13 @@ export const renderers: RowRendererOption[] = [
     example: SuricataExample,
     searchableDescription: `${i18n.SURICATA_DESCRIPTION_PART1} ${i18n.SURICATA_NAME} ${i18n.SURICATA_DESCRIPTION_PART2}`,
   },
+  {
+    id: RowRendererId.threat_match,
+    name: i18n.THREAT_MATCH_NAME,
+    description: i18n.THREAT_MATCH_DESCRIPTION,
+    example: ThreatMatchExample,
+    searchableDescription: `${i18n.THREAT_MATCH_NAME} ${i18n.THREAT_MATCH_DESCRIPTION}`,
+  },
   {
     id: RowRendererId.zeek,
     name: i18n.ZEEK_NAME,

x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/catalog/translations.ts

@@ -230,6 +230,19 @@ export const SYSTEM_DESCRIPTION_PART3 = i18n.translate(
       'All datasets send both periodic state information (e.g. all currently running processes) and real-time changes (e.g. when a new process starts or stops).',
   }
 );
+export const THREAT_MATCH_NAME = i18n.translate(
+  'xpack.securitySolution.eventRenderers.threatMatchName',
+  {
+    defaultMessage: 'Threat Indicator Match',
+  }
+);
+
+export const THREAT_MATCH_DESCRIPTION = i18n.translate(
+  'xpack.securitySolution.eventRenderers.threatMatchDescription',
+  {
+    defaultMessage: 'Summarizes events that matched threat indicators',
+  }
+);
 
 export const ZEEK_NAME = i18n.translate('xpack.securitySolution.eventRenderers.zeekName', {
   defaultMessage: 'Zeek (formerly Bro)',

x-pack/plugins/security_solution/public/timelines/components/row_renderers_browser/examples/index.tsx

@@ -19,4 +19,5 @@ export * from './system_file';
 export * from './system_fim';
 export * from './system_security_event';
 export * from './system_socket';
+export * from './threat_match';
 export * from './zeek';