[Security Solution][CTI] Investigation time enrichment UI #103383
Commits on Jun 24, 2021
- 2b68cc3: Add pure fn and consuming hook to fetch event enrichment
  It's not being invoked yet, but I've added a placeholder where it's going.
- a85aa96: Move existing enrichment tests to new spec file
  This is a rough copy/paste, I'll clean up as I flesh out the new tests.
- 7978796
- 18b22fc
- 7d6ffc9
- 3dafc7c: Solidifying enrichment types on the backend
  * Declares an enum for our types
  * Sets type during indicator match rule enrichment
  * Sets type during investigation-time enrichment
- d7e6f9d: WIP: Enrichment rows are rendered on the alerts summary
  There are lots of TODOs here, but this implements the following:
  * Fetching investigation-time enrichments from the backend
  * Parsing existing enrichments from timeline data
  * Merging the two enrichment types together, and rendering them in rows as specified
  Much of the data-fetching is hardcoded, and this broke the existing pattern with SummaryView/SummaryRow so that got a little messy; I may end up just using my own EuiTable but we'll see. Threat Intel tab is currently broken; that's up next.
- 7216655: Updates ThreatDetailsView to accept an array of enrichments
  The investigation-time enrichments are a little messy because they contain all the non-ECS fields that indicators contain; other than that, this is looking good. Still need to add the new header, and potentially sort the fields.
- ebd1b9d
- dcfa72c: Add "view threat intel data" button
  This simply opens the threat intel tab.
- 1e1690f
Commits on Jun 25, 2021
- 2a76394
- 6a2adf3: Fix remaining tests for components we modified
  This also addresses a bug where we were not properly sorting new enrichments by first_seen; this is covered under the tests that were fixed.
- c823df1: Filter out duplicate investigation-time enrichments
  Because the enrichment endpoint is dumb and doesn't know about the existing event or its enrichments, we need to merge these together on the client to reduce noise and redundant data.
- 57e5fe3: Add inspect button to investigation enrichments
  * Massages the response into the format that the inspect component uses
  * Moves stateful fetching of query and persisting in redux to new, more specialized hook
  * Moves existing enrichment hook to a more suitable location in containers/
Commits on Jun 26, 2021
- 0bc1eaf
  * indicator match rule now specifies `matched.type` as coming from the rule
  * Inspecting the enrichment query requires use of the redux store, which was not previously mocked
- 67033bc: Fix existing CTI cypress tests
  This covers the basics of the Alert Summary and Threat Intel tabs; the investigation-time enrichment functionality is up next.
Commits on Jun 28, 2021
- 35eb550: Adds a cypress test exercising investigation time enrichment
  * Loads more indicators (filebeat data, `threat_indicator2` archive) AFTER the rule has executed
  * Asserts that those indicators are also found on the alert summary.
- 09b7f7c: Populate event enrichment call with actual alert fields
  This was previously hardcoded during development.
- 7838a5c: Add a new field to our suspicious event to trigger enrichment
  The existing myhash field will generate an alert due to the way the rule is written, but the alert had no other fields that would match the investigation time enrichment. This gives it a source.ip, and updates the indicator to match.
- ba91b57: Only fetch enrichments data if there are valid event fields
  If none of the alert's fields would be relevant to the enrichment query, then we don't make the request at all.
- 14a0978: Update enrichments matched.type in integration tests
  This field was updated to reflect the source of the match, in this case: indicator match rules.
- 7193073
- f48ffe8: Ensure draggable fields are unique in a multi-match scenario
  If a given field matched multiple indicators, then the previous contextId was not unique as it was based on the field/value that matched. Adding provider to the mix would fix it, except that we're not guaranteed to have a provider. I've added both provider (if present) and an index value to the key to ensure that it's unique.
- accb629
  This field can never be null, as we always set it in our response.
- 5a94f99: Move helper functions out of shared location and into consuming component
  These are unlikely to be used elsewhere.
- 18c96fa: Clean up data parsing logic using reduce
  This obviates the need for our filter/guard function and the extra loop that it entails. We do have to specify the return value of our reduce fn, but that's mostly equivalent to our type guard.
- 0196d72
- fabefb7: Extract the concept of "enrichment identifiers"
  This was already partially codified with 'buildEnrichmentId,' which is used to dedup enrichments; this extends the idea to all fields that could uniquely identify a given indicator.
- 81dd927: Use existing constant as the source of our enrichments query
  This is now used by both the overview card and the enrichment query.
- 48d3f6b
Commits on Jun 29, 2021
- 866cb27
  The generic SummaryView component previously had to deal with multi-valued CTI fields, representing the multiple values coming from the multiple nested objects with that field. However, with the new UI we no longer have that constraint, and so the default columnar style, and the corresponding overriding styles, are no longer necessary.
- f1e843c: Filter out partial responses in the event enrichment observable
  The UI does not currently handle these. We need to test the behavior of long-running queries with this filter, but this should simplify the behavior to complete/error until we handle partial responses.
- d2aa4cd: Display placeholders while event enrichment is loading
  Displays a loading spinner in the Threat Intel tab title, and some loading lines where the enrichments summary is.
- 811174c: Update our indicator data to be within the last 30 days
  This fixes our cypress test, but it's going to start failing again in 30 days. However, by that time I'll have implemented the absolute date picker, which will allow for a more comprehensive test in addition to us sidestepping this issue.
- 3fdd33b: Fix type error with our details tabs
  The name prop on a Tab will be rendered as a node, so both strings and elements are acceptable. This relaxes the types to inherit from the component itself.
- 9381125
  The addition of our filtering of the search observable broke this test, since we now need to implement the search observable. Rather than do that, we'll instead mock our local hook as that's more likely to change.
- ea1128d: Merge branch 'master' into ad_hoc_enrichment_ui
  Conflicts: x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
- 52bdb2f
- afe8d70
Commits on Jun 30, 2021
- 8275e05
- e007972: Fix archive mappings to fix cypress test failure
  This override test is failing due to a mapping conflict, which causes the rule name override field to be invalid and not persisted. The mapping conflict is due to a typo in the threat_indicator2 archive, where the document declares one index but the mappings declare another. While es_archive happily loads the document into the index it specifies, the mappings already exist via the threat_indicator archive, and thus the new threat_indicator2 index receives dynamic mappings. Additionally, because the index created by threat_indicator2 is not the index specified in threat_indicator2's mappings, the behavior seems to be to leave that index when calling unload! Thus, on the next test that cares (override.spec.ts), we have an errant filebeat (threat_indicator2) index with default mappings, causing mapping conflicts with our other ECS indexes.