[Security Solution] Populates threat.indicator.event with _source.event (#951) #95697
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution)
This looks great, just a small change to the mappings and this should be good to go.
It would be great if you could add/update an integration test to account for this new behavior, as well.
...ecsMapping.mappings.properties.threat, | ||
properties: { | ||
...ecsMapping.mappings.properties.threat.properties, | ||
...indicatorMapping, |
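Review bot: This spread merges indicatorMapping at the same level as the other threat.* properties, so the template ends up mapping threat.event.* instead of an event object inside the nested threat.indicator field. Merge it one level deeper, under ...ecsMapping.mappings.properties.threat.properties.indicator.properties, so the alert's threat.indicator[].event.* fields are mapped where buildMatchedIndicator writes them.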
I don't think this is correct; we want these to be part of the nested threat.indicator objects, e.g. threat.indicator[].event.*, and this looks to generate threat.event.* mappings.
hey thanks for the catch
@@ -57,9 +57,11 @@ export const buildMatchedIndicator = ({ | |||
} | |||
const atomic = get(matchedThreat?._source, query.value) as unknown; | |||
const type = get(indicator, 'type') as unknown; | |||
const event = get(matchedThreat?._source, 'event') as unknown; |
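Review bot: get(matchedThreat?._source, 'event') as unknown copies the threat document's event object verbatim, whatever shape it has, and yields undefined when the threat index carries no event field. Consider leaving the event key off the indicator in that case rather than emitting undefined, and note that only the event subfields present in the signals template mapping will be searchable as typed fields on the alert.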
👍 this logic is correct, it's just the mappings that are off.
latest changes
Looks great! Glad we have those integration and cypress tests for coverage here, and appreciate the added unit tests as well 👍
@@ -7,6 +7,7 @@ | |||
|
|||
import signalsMapping from './signals_mapping.json'; | |||
import ecsMapping from './ecs_mapping.json'; | |||
import indicatorMapping from './indicator_mapping.json'; |
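Review bot: indicator_mapping.json duplicates the ECS event field definitions that ecs_mapping.json already carries, so the two files can drift apart. Consider reusing ecsMapping.mappings.properties.event here instead of importing a separate file; that keeps the threat.indicator.event mapping in sync with the ECS version the plugin ships.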
Since this file is just currently "ECS event mappings," what do you think about using ecsMapping.mappings.properties.event
instead of this new file? I expect we'll want these indicator mappings to be in sync with the latest from ECS, so that might be the best way to accomplish this.
excellent point!
@@ -117,6 +118,16 @@ describe('buildMatchedIndicator', () => { | |||
expect(get(indicator, 'matched.atomic')).toEqual('domain_1'); | |||
}); | |||
|
|||
it('returns event values as a part of threat', () => { |
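Review bot: The new case 'returns event values as a part of threat' covers only the happy path; add a companion case where the matched threat document has no event field and assert that the resulting indicator carries no event key. The test name would also be clearer as "as part of threat.indicator", since that is where the value lands.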
👍
…nt (elastic#951) (elastic#95697) * [Security Solution] Add event data to threat.indicator (elastic/security_team/elastic#951) * fixes mappings, updates tests * refactor mappings
Summary
This change copies all event details from the source event to the alert under threat.indicator.event.
Closes elastic/security-team#951.
Relates to elastic/security-team#946.
Images
Notes
I am not entirely sure if the changes to
x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/indicator_mapping.json
and x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts
were necessary, please let me know if they should be reverted to their original state.
Checklist
Delete any items that are not applicable to this PR.
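As an added example (not the PR's or the plugin's own code), the mapping shape the review converged on and the copy of the matched threat's event object, using constructed stand-ins for ecs_mapping.json and the existing threat mapping; a path resolver checks that event.* lands under threat.indicator rather than threat.event:

```typescript
// Added example, not code from the PR. Mapping contents below are constructed
// stand-ins for ecs_mapping.json / the signals template in security_solution.
interface FieldMapping { type?: string; properties?: Record<string, FieldMapping>; }

// Constructed subset of ECS event.* (stand-in for ecsMapping.mappings.properties.event.properties).
const ecsEventProperties: Record<string, FieldMapping> = {
  category: { type: 'keyword' },
  dataset: { type: 'keyword' },
  kind: { type: 'keyword' },
};

// Constructed stand-in for the existing threat mapping with its nested indicator field.
const threatMapping: FieldMapping = {
  properties: {
    indicator: { type: 'nested', properties: { type: { type: 'keyword' } } },
  },
};

// Spread the event mapping under threat.indicator.properties, not threat.properties,
// so alerts get threat.indicator[].event.* rather than threat.event.*.
function withIndicatorEvent(threat: FieldMapping, event: Record<string, FieldMapping>): FieldMapping {
  const indicator = threat.properties?.indicator ?? {};
  return {
    ...threat,
    properties: {
      ...threat.properties,
      indicator: { ...indicator, properties: { ...indicator.properties, event: { properties: event } } },
    },
  };
}

// Resolve a dotted field path through a mapping; undefined when the field is not mapped.
function resolveField(mapping: FieldMapping, path: string): FieldMapping | undefined {
  let node: FieldMapping | undefined = mapping;
  for (const part of path.split('.')) {
    node = node?.properties?.[part];
    if (!node) return undefined;
  }
  return node;
}

// Copy the matched threat document's event object onto the indicator; omit the key
// entirely when the threat document has no event, so no undefined value is indexed.
function withEvent<T extends object>(indicator: T, source?: { event?: unknown }): T & { event?: unknown } {
  const event = source?.event;
  return event === undefined ? { ...indicator } : { ...indicator, event };
}

const alertThreatMapping = withIndicatorEvent(threatMapping, ecsEventProperties);
```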