19 commits
c921579
updating security solution to use kibana.alert.consumer
yctercero Aug 8, 2021
3b2fa1f
removing unused fields
yctercero Aug 8, 2021
206a9f6
get timeline search strategy using the correct fields
yctercero Aug 9, 2021
864e746
updating snapshots and types
yctercero Aug 9, 2021
9820d67
Merge branch 'master' of github.com:elastic/kibana into update_ss_fie…
yctercero Aug 9, 2021
008a886
updating signals template version
yctercero Aug 9, 2021
e4a767a
update fields for rule type id across the board
yctercero Aug 9, 2021
18540ec
update per feedback
yctercero Aug 9, 2021
58072bf
updating tests and types, removing use of rule.* in alert doc as thos…
yctercero Aug 9, 2021
c5b6630
updating names to align with convention
yctercero Aug 9, 2021
5fb400e
Merge branch 'master' of github.com:elastic/kibana into update_ss_fie…
yctercero Aug 9, 2021
0ef93cc
types and tests not yet passing, but wanted to see what CI throws
yctercero Aug 10, 2021
15b9719
updating tests
yctercero Aug 10, 2021
c7382f3
cleanup
yctercero Aug 10, 2021
37614f4
Merge branch 'master' of github.com:elastic/kibana into update_ss_fie…
yctercero Aug 10, 2021
fc44fcc
tweaks to tests, please pass ci
yctercero Aug 11, 2021
e4b9d3c
you know what they say, 150th try's the charm
yctercero Aug 11, 2021
4f1f4f9
updating snapshots, ci you win
yctercero Aug 11, 2021
759decb
Merge branch 'master' of github.com:yctercero/kibana into update_ss_f…
yctercero Aug 11, 2021
47 changes: 20 additions & 27 deletions packages/kbn-rule-data-utils/src/technical_field_names.ts
Expand Up @@ -17,25 +17,18 @@ const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const;
const ECS_VERSION = 'ecs.version' as const;
const EVENT_ACTION = 'event.action' as const;
const EVENT_KIND = 'event.kind' as const;
const RULE_CATEGORY = 'rule.category' as const;
rule.* should only refer to source/event document fields, not our kibana rules.

const RULE_CONSUMERS = 'rule.consumers' as const;
const RULE_ID = 'rule.id' as const;
const RULE_NAME = 'rule.name' as const;
const RULE_UUID = 'rule.uuid' as const;
const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const;
const TAGS = 'tags' as const;
const TIMESTAMP = '@timestamp' as const;
const VERSION = `${KIBANA_NAMESPACE}.version` as const;

// Fields pertaining to the alert
const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const;
const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
const ALERT_OWNER = `${ALERT_NAMESPACE}.owner` as const;
const ALERT_CONSUMERS = `${ALERT_NAMESPACE}.consumers` as const;
const ALERT_PRODUCER = `${ALERT_NAMESPACE}.producer` as const;
const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
Expand All @@ -49,8 +42,8 @@ const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;

// Fields pertaining to the rule associated with the alert
const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
const ALERT_RULE_CONSUMERS = `${ALERT_RULE_NAMESPACE}.consumers` as const;
const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
Expand All @@ -59,6 +52,7 @@ const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
const ALERT_RULE_ID = `${ALERT_RULE_NAMESPACE}.id` as const;
const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
Expand All @@ -75,6 +69,15 @@ const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const;
const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
// the feature instantiating a rule type.
// Rule created in stack --> alerts
// Rule created in siem --> siem
const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const;
// the plugin that registered the rule type.
// Rule type apm.error_rate --> apm
// Rule type siem.signals --> siem
const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const;
const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const;

const namespaces = {
KIBANA_NAMESPACE,
Expand All @@ -87,11 +90,6 @@ const fields = {
ECS_VERSION,
EVENT_KIND,
EVENT_ACTION,
RULE_CATEGORY,
RULE_CONSUMERS,
RULE_ID,
RULE_NAME,
RULE_UUID,
TAGS,
TIMESTAMP,
ALERT_ACTION_GROUP,
Expand All @@ -100,13 +98,11 @@ const fields = {
ALERT_EVALUATION_THRESHOLD,
ALERT_EVALUATION_VALUE,
ALERT_ID,
ALERT_OWNER,
ALERT_CONSUMERS,
ALERT_PRODUCER,
ALERT_RULE_CONSUMER,
ALERT_RULE_PRODUCER,
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_RULE_AUTHOR,
ALERT_RULE_CONSUMERS,
ALERT_RULE_CREATED_AT,
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
Expand Down Expand Up @@ -141,6 +137,8 @@ const fields = {
ALERT_WORKFLOW_REASON,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_USER,
ALERT_RULE_UUID,
ALERT_RULE_CATEGORY,
SPACE_IDS,
VERSION,
};
Expand All @@ -154,17 +152,15 @@ export {
ALERT_ID,
ALERT_NAMESPACE,
ALERT_RULE_NAMESPACE,
ALERT_OWNER,
ALERT_CONSUMERS,
ALERT_PRODUCER,
ALERT_RULE_CONSUMER,
ALERT_RULE_PRODUCER,
ALERT_REASON,
ALERT_RISK_SCORE,
ALERT_STATUS,
ALERT_WORKFLOW_REASON,
ALERT_WORKFLOW_STATUS,
ALERT_WORKFLOW_USER,
ALERT_RULE_AUTHOR,
ALERT_RULE_CONSUMERS,
ALERT_RULE_CREATED_AT,
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
Expand Down Expand Up @@ -200,11 +196,8 @@ export {
EVENT_ACTION,
EVENT_KIND,
KIBANA_NAMESPACE,
RULE_CATEGORY,
RULE_CONSUMERS,
RULE_ID,
RULE_NAME,
RULE_UUID,
ALERT_RULE_UUID,
ALERT_RULE_CATEGORY,
TAGS,
TIMESTAMP,
SPACE_IDS,
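Review bot: `ALERT_RULE_UUID` is introduced right next to the pre-existing `ALERT_RULE_ID` (`kibana.alert.rule.id`, visible as context in the same file) with no comment saying which identifier each one carries, while the neighbouring `ALERT_RULE_CONSUMER` and `ALERT_RULE_PRODUCER` additions do get explanatory comments. A one-liner such as `// rule saved-object id; distinct from ALERT_RULE_ID` above the `ALERT_RULE_UUID` line would close that gap — confirm the exact distinction against the code that writes both fields before settling the wording. Because `consumer` is the field the alerting authorization filters key on (the test hunks elsewhere in this PR pass it as `fieldNames.consumer`), the comment above `ALERT_RULE_CONSUMER` would also benefit from a line like `// used by alerting authorization filters; changes to this field affect RBAC on alert reads` so later edits to its name or mapping are treated as security-relevant. Separately, `ALERT_RULE_CATEGORY` is declared after `ALERT_RULE_LICENSE`, and `ALERT_RULE_UUID`/`ALERT_RULE_CATEGORY` are appended after `ALERT_WORKFLOW_USER` in both the `fields` object and the `export` list, which breaks the otherwise alphabetical ordering of the surrounding entries.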
Expand Up @@ -1013,14 +1013,14 @@ describe('AlertingAuthorization', () => {
await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
})
).filter
).toEqual(
esKuery.fromKueryExpression(
`((path.to.rule.id:myAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:mySecondAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)))`
`((path.to.rule_type_id:myAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:mySecondAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)))`
)
);
expect(auditLogger.logAuthorizationSuccess).not.toHaveBeenCalled();
Expand Up @@ -37,14 +37,16 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
'space1'
)
).toEqual(
esKuery.fromKueryExpression(`((path.to.rule.id:myAppAlertType and consumer-field:(myApp)))`)
esKuery.fromKueryExpression(
`((path.to.rule_type_id:myAppAlertType and consumer-field:(myApp)))`
)
);
});

Expand Down Expand Up @@ -72,15 +74,15 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
'space1'
)
).toEqual(
esKuery.fromKueryExpression(
`((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp)))`
`((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp)))`
)
);
});
Expand Down Expand Up @@ -144,15 +146,15 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
'space1'
)
).toEqual(
esKuery.fromKueryExpression(
`((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:mySecondAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
`((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:mySecondAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
)
);
});
Expand Down Expand Up @@ -199,7 +201,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
spaceIds: 'path.to.spaceIds',
},
Expand All @@ -208,7 +210,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
)
).toEqual(
esKuery.fromKueryExpression(
`((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1))`
`((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1))`
)
);
});
Expand Down Expand Up @@ -255,7 +257,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
spaceIds: 'path.to.spaceIds',
},
Expand All @@ -264,7 +266,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => {
)
).toEqual(
esKuery.fromKueryExpression(
`((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
`((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))`
)
);
});
Expand Down Expand Up @@ -293,7 +295,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
Expand All @@ -307,7 +309,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
should: [
{
match: {
'path.to.rule.id': 'myAppAlertType',
'path.to.rule_type_id': 'myAppAlertType',
},
},
],
Expand Down Expand Up @@ -355,7 +357,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
Expand All @@ -366,7 +368,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
filter: [
{
bool: {
should: [{ match: { 'path.to.rule.id': 'myAppAlertType' } }],
should: [{ match: { 'path.to.rule_type_id': 'myAppAlertType' } }],
minimum_should_match: 1,
},
},
Expand Down Expand Up @@ -459,7 +461,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
Expand All @@ -473,7 +475,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
filter: [
{
bool: {
should: [{ match: { 'path.to.rule.id': 'myAppAlertType' } }],
should: [{ match: { 'path.to.rule_type_id': 'myAppAlertType' } }],
minimum_should_match: 1,
},
},
Expand Down Expand Up @@ -516,7 +518,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
filter: [
{
bool: {
should: [{ match: { 'path.to.rule.id': 'myOtherAppAlertType' } }],
should: [{ match: { 'path.to.rule_type_id': 'myOtherAppAlertType' } }],
minimum_should_match: 1,
},
},
Expand Down Expand Up @@ -559,7 +561,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => {
filter: [
{
bool: {
should: [{ match: { 'path.to.rule.id': 'mySecondAppAlertType' } }],
should: [{ match: { 'path.to.rule_type_id': 'mySecondAppAlertType' } }],
minimum_should_match: 1,
},
},
Expand Down Expand Up @@ -611,7 +613,7 @@ describe('asFiltersBySpaceId', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
spaceIds: 'path.to.space.id',
},
Expand All @@ -629,7 +631,7 @@ describe('asFiltersBySpaceId', () => {
{
type: AlertingAuthorizationFilterType.KQL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
spaceIds: 'path.to.space.id',
},
Expand All @@ -645,7 +647,7 @@ describe('asFiltersBySpaceId', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
},
},
Expand All @@ -660,7 +662,7 @@ describe('asFiltersBySpaceId', () => {
{
type: AlertingAuthorizationFilterType.ESDSL,
fieldNames: {
ruleTypeId: 'path.to.rule.id',
ruleTypeId: 'path.to.rule_type_id',
consumer: 'consumer-field',
spaceIds: 'path.to.space.id',
},
Expand Up @@ -19,7 +19,7 @@ import {
import { EuiTitle } from '@elastic/eui';
import d3 from 'd3';
import React, { Suspense, useState } from 'react';
import { RULE_ID } from '@kbn/rule-data-utils/target/technical_field_names';
import { ALERT_RULE_TYPE_ID } from '@kbn/rule-data-utils/target/technical_field_names';
import { useApmServiceContext } from '../../../../context/apm_service/use_apm_service_context';
import { APIReturnType } from '../../../../services/rest/createCallApmApi';
import { asRelativeDateTimeRange } from '../../../../../common/utils/formatters';
Expand Down Expand Up @@ -124,7 +124,7 @@ export function ErrorDistribution({ distribution, title }: Props) {
/>
{getAlertAnnotations({
alerts: alerts?.filter(
(alert) => alert[RULE_ID]?.[0] === AlertType.ErrorCount
(alert) => alert[ALERT_RULE_TYPE_ID]?.[0] === AlertType.ErrorCount
),
chartStartTime: buckets[0]?.x0,
getFormatter,
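Review bot: The rewritten predicate `(alert) => alert[ALERT_RULE_TYPE_ID]?.[0] === AlertType.ErrorCount` still depends on each alert field being array-valued (hence the `[0]` index), and nothing in the hunk says where that shape comes from. A short comment above the `filter` call, e.g. `// alerts are in fields-API shape, so every field value is an array`, would make the assumption explicit — confirm it against the code that fetches `alerts` before adding it. `ErrorDistribution` starts and ends outside this hunk.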