From d83e1b2b4943f06e1c8c7bf5d059762f012751ee Mon Sep 17 00:00:00 2001 
From: Frank Hassanabad Date: Tue, 4 Jun 2019 13:18:45 -0600 Subject: [PATCH] [SIEM] Authentication fixes for winlogbeat and ordering (#37718) ## Summary * Enabled winlogbeat to work with workaround for authentication_failed (until that is fixed) * Fixed ordering to be successes first, failures second * https://github.com/elastic/ingest-dev/issues/491 * https://github.com/elastic/ingest-dev/issues/469 ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ ~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~ ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ ### For maintainers ~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ ~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~ --- .../hosts/authentications_table/index.tsx | 114 +++++++++--------- 
.../plugins/siem/public/pages/hosts/hosts.tsx | 36 +++--- .../server/lib/authentications/query.dsl.ts | 3 +- 3 files changed, 76 insertions(+), 77 deletions(-) diff --git a/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx b/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx index 26454215cf793..d539005736f69 100644 --- a/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx +++ b/x-pack/plugins/siem/public/components/page/hosts/authentications_table/index.tsx @@ -135,12 +135,12 @@ const getAuthenticationColumns = (): [ }), }, { - name: i18n.FAILURES, + name: i18n.SUCCESSES, truncateText: false, hideForMobile: false, render: ({ node }) => { const id = escapeDataProviderId( - `authentications-table-${node._id}-failures-${node.failures}` + `authentications-table-${node._id}-node-successes-${node.successes}` ); return ( ) : ( - node.failures + node.successes ) } /> 
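Review bot: The data-provider id for the successes column is built as `authentications-table-${node._id}-node-successes-${node.successes}` while the failures column (second hunk, `@@ -172`) uses `authentications-table-${node._id}-failures-${node.failures}`, so the two ids follow different naming patterns for the same kind of value. Since this commit is already moving both columns, it would be the natural place to align them, e.g. `` `authentications-table-${node._id}-successes-${node.successes}` `` — assuming nothing (tests, persisted timeline state) keys on the literal id string, which is not visible from the hunk. The enclosing `getAuthenticationColumns` starts outside the hunk, so the ids of the other columns could not be checked for the same inconsistency.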
@@ -172,59 +172,12 @@ const getAuthenticationColumns = (): [ }, }, { - name: i18n.LAST_FAILED_TIME, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - has('lastFailure.timestamp', node) && node.lastFailure!.timestamp != null ? ( - - - - ) : ( - getEmptyTagValue() - ), - }, - { - name: i18n.LAST_FAILED_SOURCE, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - getRowItemDraggables({ - rowItems: - node.lastFailure != null && - node.lastFailure.source != null && - node.lastFailure.source.ip != null - ? node.lastFailure.source.ip - : null, - attrName: 'source.ip', - idPrefix: `authentications-table-${node._id}-lastFailureSource`, - render: item => , - }), - }, - { - name: i18n.LAST_FAILED_DESTINATION, - truncateText: false, - hideForMobile: false, - render: ({ node }) => - getRowItemDraggables({ - rowItems: - node.lastFailure != null && - node.lastFailure.host != null && - node.lastFailure.host.name != null - ? node.lastFailure.host.name - : null, - attrName: 'host.name', - idPrefix: `authentications-table-${node._id}-lastFailureDestination`, - render: item => , - }), - }, - { - name: i18n.SUCCESSES, + name: i18n.FAILURES, truncateText: false, hideForMobile: false, render: ({ node }) => { const id = escapeDataProviderId( - `authentications-table-${node._id}-node-successes-${node.successes}` + `authentications-table-${node._id}-failures-${node.failures}` ); return ( ) : ( - node.successes + node.failures ) } /> 
@@ -302,4 +255,51 @@ const getAuthenticationColumns = (): [ render: item => , }), }, + { + name: i18n.LAST_FAILED_TIME, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + has('lastFailure.timestamp', node) && node.lastFailure!.timestamp != null ? ( + + + + ) : ( + getEmptyTagValue() + ), + }, + { + name: i18n.LAST_FAILED_SOURCE, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + getRowItemDraggables({ + rowItems: + node.lastFailure != null && + node.lastFailure.source != null && + node.lastFailure.source.ip != null + ? node.lastFailure.source.ip + : null, + attrName: 'source.ip', + idPrefix: `authentications-table-${node._id}-lastFailureSource`, + render: item => , + }), + }, + { + name: i18n.LAST_FAILED_DESTINATION, + truncateText: false, + hideForMobile: false, + render: ({ node }) => + getRowItemDraggables({ + rowItems: + node.lastFailure != null && + node.lastFailure.host != null && + node.lastFailure.host.name != null + ? node.lastFailure.host.name + : null, + attrName: 'host.name', + idPrefix: `authentications-table-${node._id}-lastFailureDestination`, + render: item => , + }), + }, ]; diff --git a/x-pack/plugins/siem/public/pages/hosts/hosts.tsx b/x-pack/plugins/siem/public/pages/hosts/hosts.tsx index c03bf2a6b3232..7f5b937c581fb 100644 --- a/x-pack/plugins/siem/public/pages/hosts/hosts.tsx +++ b/x-pack/plugins/siem/public/pages/hosts/hosts.tsx @@ -111,28 +111,20 @@ const HostsComponent = pure(({ filterQuery }) => ( - - {({ - uncommonProcesses, - totalCount, - loading, - pageInfo, - loadMore, - id, - refetch, - }) => ( - ( + (({ filterQuery }) => ( type={hostsModel.HostsType.page} /> )} - + - - {({ authentications, totalCount, loading, pageInfo, loadMore, id, refetch }) => ( - ( + (({ filterQuery }) => ( type={hostsModel.HostsType.page} /> )} - + 
diff --git a/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts b/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
index efde40485b1fa..b2216861de378 100644
--- a/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
+++ b/x-pack/plugins/siem/server/lib/authentications/query.dsl.ts
@@ -34,7 +34,6 @@ export const buildQuery = ({
 const filter = [
 ...createQueryFilterClauses(filterQuery),
- { term: { 'event.module': 'system' } },
 { term: { 'event.category': 'authentication' } },
 {
 range: {
@@ -65,7 +64,7 @@ export const buildQuery = ({
 terms: {
 size: limit + 1,
 field: 'user.name',
- order: { 'failures.doc_count': 'desc' },
+ order: [{ 'successes.doc_count': 'desc' }, { 'failures.doc_count': 'desc' }],
 },
 aggs: {
 failures: {
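Review bot: Dropping `{ term: { 'event.module': 'system' } }` from `filter` widens the query from system-module events to every document in the index pattern whose `event.category` is `authentication`, and nothing in the hunk records that this is the winlogbeat workaround described in the PR text. Any other module that writes `event.category: authentication` into the same indices now contributes to the per-user counts, so it is worth confirming that the `successes`/`failures` sub-aggregations below the hunk (not visible here) still classify those documents as intended. Suggest a comment above the remaining term clause so the intent and its temporary nature survive: `// Deliberately no event.module filter so winlogbeat authentication events are included; workaround, see <ingest-dev issue from PR description>`. The `buildQuery` body continues outside the hunk.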
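Review bot: The new `order` on the `user.name` terms aggregation ranks buckets by `successes.doc_count` before `failures.doc_count`, which means an account with many failures and no successes sorts below any account with a single success, and the hunk carries no comment explaining why that ranking was chosen for an authentication table. Suggest documenting the decision next to the `order` key: `// Rank users by successful logins first, then by failures (#37718)`. Ordering a terms aggregation by a sub-aggregation's doc_count is evaluated per shard and may be approximate on multi-shard indices, so with `size: limit + 1` the top-N is not guaranteed exact; this was already true of the previous single-key order, but it is worth noting in the same comment.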