diff --git a/x-pack/plugins/security_solution/common/ecs/event/index.ts b/x-pack/plugins/security_solution/common/ecs/event/index.ts
index f38ebdc29c1fe50..56f7d3e84dfa0b5 100644
--- a/x-pack/plugins/security_solution/common/ecs/event/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/event/index.ts
@@ -62,7 +62,6 @@ export enum EventCategory {
PROCESS = 'process',
FILE = 'file',
NETWORK = 'network',
- DNS = 'dns',
REGISTRY = 'registry',
MALWARE = 'malware',
}
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
index 4bb4c4809764a69..53c0d143600fb79 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
@@ -129,7 +129,7 @@ describe('AlertSummaryView', () => {
});
});
- test('DNS event renders the correct summary rows', () => {
+ test('DNS network event renders the correct summary rows', () => {
const renderProps = {
...props,
data: [
@@ -137,8 +137,8 @@ describe('AlertSummaryView', () => {
if (item.category === 'event' && item.field === 'event.category') {
return {
...item,
- values: ['dns'],
- originalValue: ['dns'],
+ values: ['network'],
+ originalValue: ['network'],
};
}
return item;
@@ -324,6 +324,39 @@ describe('AlertSummaryView', () => {
});
});
+ test('[legacy] Machine learning events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['machine_learning'],
+ originalValue: ['machine_learning'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'signal',
+ field: 'signal.rule.machine_learning_job_id',
+ values: ['i_am_the_ml_job_id'],
+ },
+ { category: 'signal', field: 'signal.rule.anomaly_threshold', values: [2] },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+
+ );
+ ['i_am_the_ml_job_id', 'signal.rule.anomaly_threshold'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
test('Threat match events show correct fields', () => {
const enhancedData = [
...mockAlertDetailsData.map((item) => {
@@ -338,10 +371,51 @@ describe('AlertSummaryView', () => {
}),
{
category: 'kibana',
- field: 'kibana.alert.rule.threat_index',
+ field: 'kibana.alert.rule.parameters.threat_index',
+ values: ['threat_index*'],
+ },
+ {
+ category: 'kibana',
+ field: 'kibana.alert.rule.parameters.threat_query',
+ values: ['*query*'],
+ },
+ ] as TimelineEventsDetailsItem[];
+ const renderProps = {
+ ...props,
+ data: enhancedData,
+ };
+ const { getByText } = render(
+
+
+
+ );
+ ['threat_index*', '*query*'].forEach((fieldId) => {
+ expect(getByText(fieldId));
+ });
+ });
+
+ test('[legacy] Threat match events show correct fields', () => {
+ const enhancedData = [
+ ...mockAlertDetailsData.map((item) => {
+ if (item.category === 'kibana' && item.field === 'kibana.alert.rule.type') {
+ return {
+ ...item,
+ values: ['threat_match'],
+ originalValue: ['threat_match'],
+ };
+ }
+ return item;
+ }),
+ {
+ category: 'signal',
+ field: 'signal.rule.threat_index',
values: ['threat_index*'],
},
- { category: 'kibana', field: 'kibana.alert.rule.threat_query', values: ['*query*'] },
+ {
+ category: 'signal',
+ field: 'signal.rule.threat_query',
+ values: ['*query*'],
+ },
] as TimelineEventsDetailsItem[];
const renderProps = {
...props,
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
index 9f0dfb53a5c4bef..8550cd84351242e 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/get_alert_summary_rows.tsx
@@ -6,7 +6,7 @@
*/
import { find, isEmpty, uniqBy } from 'lodash/fp';
-import { ALERT_RULE_NAMESPACE, ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
+import { ALERT_RULE_PARAMETERS, ALERT_RULE_TYPE } from '@kbn/rule-data-utils';
import * as i18n from './translations';
import { BrowserFields } from '../../../../common/search_strategy/index_fields';
@@ -62,10 +62,9 @@ function getFieldsByCategory({
{ id: 'destination.port' },
{ id: 'source.address' },
{ id: 'source.port' },
+ { id: 'dns.question.name' },
{ id: 'process.name' },
];
- case EventCategory.DNS:
- return [{ id: 'dns.question.name' }, { id: 'process.name' }];
case EventCategory.REGISTRY:
return [{ id: 'registry.key' }, { id: 'registry.value' }, { id: 'process.name' }];
case EventCategory.MALWARE:
@@ -146,18 +145,22 @@ function getFieldsByRuleType(ruleType?: string): EventSummaryField[] {
return [
{
id: `${ALERT_RULE_PARAMETERS}.machine_learning_job_id`,
+ legacyId: 'signal.rule.machine_learning_job_id',
},
{
id: `${ALERT_RULE_PARAMETERS}.anomaly_threshold`,
+ legacyId: 'signal.rule.anomaly_threshold',
},
];
case 'threat_match':
return [
{
- id: `${ALERT_RULE_NAMESPACE}.threat_index`,
+ id: `${ALERT_RULE_PARAMETERS}.threat_index`,
+ legacyId: 'signal.rule.threat_index',
},
{
- id: `${ALERT_RULE_NAMESPACE}.threat_query`,
+ id: `${ALERT_RULE_PARAMETERS}.threat_query`,
+ legacyId: 'signal.rule.threat_query',
},
];
default:
@@ -251,11 +254,18 @@ export const getSummaryRows = ({
return data != null
? tableFields.reduce((acc, field) => {
- const item = data.find((d) => d.field === field.id);
- if (!item || isEmpty(item?.values)) {
+ const item = data.find(
+ (d) => d.field === field.id || (field.legacyId && d.field === field.legacyId)
+ );
+ if (!item || isEmpty(item.values)) {
return acc;
}
+ // If we found the data by its legacy id we swap the ids to display the correct one
+ if (item.field === field.legacyId) {
+ field.id = field.legacyId;
+ }
+
const linkValueField =
field.linkField != null && data.find((d) => d.field === field.linkField);
const description = {
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/types.ts b/x-pack/plugins/security_solution/public/common/components/event_details/types.ts
index 0e2eef882594ad7..9b64ddd4db5d08d 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/types.ts
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/types.ts
@@ -30,6 +30,7 @@ export type EnrichedFieldInfoWithValues = EnrichedFieldInfo & { values: string[]
export interface EventSummaryField {
id: string;
+ legacyId?: string;
label?: string;
linkField?: string;
fieldType?: string;