[SecuritySolution][Threat Hunting] Fix a couple of field ids for high…

…lighted fields (#124941) (#125688) * fix: use correct DNS field id * fix: for behavior alerts we should display rule.description (cherry picked from commit 8fabaf3) Co-authored-by: Jan Monschke <jan.monschke@elastic.co>
elastic · Feb 21, 2022 · 81f308c · 81f308c
1 parent dfe33f5
commit 81f308c
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 25 deletions.
diff --git a/...gins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/...gins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
@@ -128,6 +128,40 @@ describe('AlertSummaryView', () => {
       expect(getByText(fieldId));
     });
   });
+
+  test('DNS event renders the correct summary rows', () => {
+    const renderProps = {
+      ...props,
+      data: [
+        ...(mockAlertDetailsData.map((item) => {
+          if (item.category === 'event' && item.field === 'event.category') {
+            return {
+              ...item,
+              values: ['dns'],
+              originalValue: ['dns'],
+            };
+          }
+          return item;
+        }) as TimelineEventsDetailsItem[]),
+        {
+          category: 'dns',
+          field: 'dns.question.name',
+          values: ['www.example.com'],
+          originalValue: ['www.example.com'],
+        } as TimelineEventsDetailsItem,
+      ],
+    };
+    const { getByText } = render(
+      <TestProvidersComponent>
+        <AlertSummaryView {...renderProps} />
+      </TestProvidersComponent>
+    );
+
+    ['dns.question.name', 'process.name'].forEach((fieldId) => {
+      expect(getByText(fieldId));
+    });
+  });
+
   test('Memory event code renders additional summary rows', () => {
     const renderProps = {
       ...props,
@@ -152,32 +186,41 @@ describe('AlertSummaryView', () => {
     });
   });
   test('Behavior event code renders additional summary rows', () => {
+    const actualRuleDescription = 'The actual rule description';
     const renderProps = {
       ...props,
-      data: mockAlertDetailsData.map((item) => {
-        if (item.category === 'event' && item.field === 'event.code') {
-          return {
-            ...item,
-            values: ['behavior'],
-            originalValue: ['behavior'],
-          };
-        }
-        if (item.category === 'event' && item.field === 'event.category') {
-          return {
-            ...item,
-            values: ['malware', 'process', 'file'],
-            originalValue: ['malware', 'process', 'file'],
-          };
-        }
-        return item;
-      }) as TimelineEventsDetailsItem[],
+      data: [
+        ...mockAlertDetailsData.map((item) => {
+          if (item.category === 'event' && item.field === 'event.code') {
+            return {
+              ...item,
+              values: ['behavior'],
+              originalValue: ['behavior'],
+            };
+          }
+          if (item.category === 'event' && item.field === 'event.category') {
+            return {
+              ...item,
+              values: ['malware', 'process', 'file'],
+              originalValue: ['malware', 'process', 'file'],
+            };
+          }
+          return item;
+        }),
+        {
+          category: 'rule',
+          field: 'rule.description',
+          values: [actualRuleDescription],
+          originalValue: [actualRuleDescription],
+        },
+      ] as TimelineEventsDetailsItem[],
     };
     const { getByText } = render(
       <TestProvidersComponent>
         <AlertSummaryView {...renderProps} />
       </TestProvidersComponent>
     );
-    ['host.name', 'user.name', 'process.name'].forEach((fieldId) => {
+    ['host.name', 'user.name', 'process.name', actualRuleDescription].forEach((fieldId) => {
       expect(getByText(fieldId));
     });
   });

diff --git a/...ugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx b/...ugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
@@ -6,11 +6,7 @@
  */
 
 import { find, isEmpty, uniqBy } from 'lodash/fp';
-import {
-  ALERT_RULE_NAMESPACE,
-  ALERT_RULE_TYPE,
-  ALERT_RULE_DESCRIPTION,
-} from '@kbn/rule-data-utils';
+import { ALERT_RULE_NAMESPACE, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
 
 import * as i18n from './translations';
 import { BrowserFields } from '../../../../common/search_strategy/index_fields';
@@ -70,7 +66,7 @@ function getFieldsByCategory({
         { id: 'process.name' },
       ];
     case EventCategory.DNS:
-      return [{ id: 'dns.query.name' }, { id: 'process.name' }];
+      return [{ id: 'dns.question.name' }, { id: 'process.name' }];
     case EventCategory.REGISTRY:
       return [{ id: 'registry.key' }, { id: 'registry.value' }, { id: 'process.name' }];
     case EventCategory.MALWARE:
@@ -108,7 +104,7 @@ function getFieldsByEventCode(
   switch (eventCode) {
     case EventCode.BEHAVIOR:
       return [
-        { id: ALERT_RULE_DESCRIPTION, label: ALERTS_HEADERS_RULE_DESCRIPTION },
+        { id: 'rule.description', label: ALERTS_HEADERS_RULE_DESCRIPTION },
         // Resolve more fields based on the source event
         ...getFieldsByCategory({ ...eventCategories, primaryEventCategory: undefined }),
       ];