[TIP] add more safety checks to investigate in timeline hook

elastic · Nov 4, 2022 · 23b4da9 · 23b4da9
1 parent 5d319e2
commit 23b4da9
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/x-pack/plugins/threat_intelligence/common/types/indicator.ts b/x-pack/plugins/threat_intelligence/common/types/indicator.ts
@@ -70,7 +70,7 @@ export const IndicatorFieldEventEnrichmentMap: { [id: string]: string[] } = {
   [RawIndicatorFieldId.FileSha512256]: ['file.hash.sha512/256'],
   [RawIndicatorFieldId.FileSSDeep]: ['file.ssdeep'],
   [RawIndicatorFieldId.FileTlsh]: ['file.tlsh'],
-  [RawIndicatorFieldId.FileImpfuzzy]: ['file.impfuzzy.'],
+  [RawIndicatorFieldId.FileImpfuzzy]: ['file.impfuzzy'],
   [RawIndicatorFieldId.FileImphash]: ['file.imphash'],
   [RawIndicatorFieldId.FilePehash]: ['file.pehash'],
   [RawIndicatorFieldId.FileVhash]: ['file.vhash'],

diff --git a/...ns/threat_intelligence/public/modules/timeline/hooks/use_investigate_in_timeline.test.tsx b/...ns/threat_intelligence/public/modules/timeline/hooks/use_investigate_in_timeline.test.tsx
@@ -27,6 +27,28 @@ describe('useInvestigateInTimeline()', () => {
     expect(hookResult.result.current).toEqual({});
   });
 
+  it('should return empty object if name_origin value is missing on the mapping investigate in timeline mapping', () => {
+    const indicator: Indicator = generateMockUrlIndicator();
+    indicator.fields['threat.indicator.name_origin'] = ['threat.indicator.url.missing'];
+
+    hookResult = renderHook(() => useInvestigateInTimeline({ indicator }), {
+      wrapper: TestProvidersComponent,
+    });
+
+    expect(hookResult.result.current).toEqual({});
+  });
+
+  it('should return empty object if @timestamp is missing', () => {
+    const indicator: Indicator = generateMockUrlIndicator();
+    indicator.fields['@timestamp'] = undefined;
+
+    hookResult = renderHook(() => useInvestigateInTimeline({ indicator }), {
+      wrapper: TestProvidersComponent,
+    });
+
+    expect(hookResult.result.current).toEqual({});
+  });
+
   it('should return investigateInTimelineFn', () => {
     const indicator: Indicator = generateMockUrlIndicator();
 

diff --git a/.../plugins/threat_intelligence/public/modules/timeline/hooks/use_investigate_in_timeline.ts b/.../plugins/threat_intelligence/public/modules/timeline/hooks/use_investigate_in_timeline.ts
@@ -42,17 +42,23 @@ export const useInvestigateInTimeline = ({
   const securitySolutionContext = useContext(SecuritySolutionContext);
 
   const { key, value } = getIndicatorFieldAndValue(indicator, RawIndicatorFieldId.Name);
-  if (!fieldAndValueValid(key, value)) {
+  const sourceEventField = IndicatorFieldEventEnrichmentMap[key];
+
+  if (!fieldAndValueValid(key, value) || !sourceEventField) {
     return {} as unknown as UseInvestigateInTimelineValue;
   }
 
-  const dataProviders: DataProvider[] = [...IndicatorFieldEventEnrichmentMap[key], key].map(
-    (e: string) => generateDataProvider(e, value as string)
+  const dataProviders: DataProvider[] = [...sourceEventField, key].map((e: string) =>
+    generateDataProvider(e, value as string)
   );
 
   const to = unwrapValue(indicator, RawIndicatorFieldId.TimeStamp) as string;
   const from = moment(to).subtract(10, 'm').toISOString();
 
+  if (!to || !from) {
+    return {} as unknown as UseInvestigateInTimelineValue;
+  }
+
   const investigateInTimelineFn = securitySolutionContext?.getUseInvestigateInTimeline({
     dataProviders,
     from,