[Security Solution][Detection Alerts] Alert tagging (#157786)

elastic · Jun 21, 2023 · 0f57260 · 0f57260
1 parent bed4609
commit 0f57260
Show file tree

Hide file tree

Showing 78 changed files with 2,073 additions and 374 deletions.
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts
@@ -33,6 +33,7 @@ import {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -173,6 +174,11 @@ export const alertFieldMap = {
     array: false,
     required: false,
   },
+  [ALERT_WORKFLOW_TAGS]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
   [SPACE_IDS]: {
     type: 'keyword',
     array: true,

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts
@@ -113,6 +113,7 @@ const AlertOptional = rt.partial({
       time_range: schemaDateRange,
       url: schemaString,
       workflow_status: schemaString,
+      workflow_tags: schemaStringArray,
     }),
     version: schemaString,
   }),

diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
@@ -236,6 +236,7 @@ const SecurityAlertOptional = rt.partial({
       url: schemaString,
       workflow_reason: schemaString,
       workflow_status: schemaString,
+      workflow_tags: schemaStringArray,
       workflow_user: schemaString,
     }),
     version: schemaString,

diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
@@ -67,6 +67,9 @@ const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
 // kibana.alert.workflow_status - open/closed status of alert
 const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 
+// kibana.alert.workflow_tags - user workflow alert tags
+const ALERT_WORKFLOW_TAGS = `${ALERT_NAMESPACE}.workflow_tags` as const;
+
 // kibana.alert.rule.category - rule type name for rule that generated this alert
 const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 
@@ -133,6 +136,7 @@ const fields = {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -171,6 +175,7 @@ export {
   ALERT_URL,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,

diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -33,6 +33,7 @@ import {
   ALERT_TIME_RANGE,
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
   TIMESTAMP,
   VERSION,
@@ -169,6 +170,7 @@ const fields = {
   ALERT_UUID,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_STATUS,
+  ALERT_WORKFLOW_TAGS,
   ALERT_WORKFLOW_USER,
   ALERT_RULE_UUID,
   ALERT_RULE_CATEGORY,

diff --git a/packages/kbn-securitysolution-ecs/src/signal/index.ts b/packages/kbn-securitysolution-ecs/src/signal/index.ts
@@ -23,6 +23,7 @@ export type SignalEcsAAD = Exclude<SignalEcs, 'rule' | 'status'> & {
   severity?: string[];
   building_block_type?: string[];
   workflow_status?: string[];
+  workflow_tags?: string[];
   suppression?: {
     docs_count: string[];
   };

diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts
@@ -18,6 +18,10 @@ export const stackManagementSchema: MakeSchemaFrom<UsageStats> = {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },
   },
+  'securitySolution:alertTags': {
+    type: 'keyword',
+    _meta: { description: 'Default value of the setting was changed.' },
+  },
   'securitySolution:newsFeedUrl': {
     type: 'keyword',
     _meta: { description: 'Default value of the setting was changed.' },

diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts
@@ -12,6 +12,7 @@ export interface UsageStats {
    */
   'securitySolution:defaultIndex': string;
   'securitySolution:defaultThreatIndex': string;
+  'securitySolution:alertTags': string;
   'securitySolution:newsFeedUrl': string;
   'xpackReporting:customPdfLogo': string;
   'notifications:banner': string;

diff --git a/src/plugins/telemetry/schema/oss_plugins.json b/src/plugins/telemetry/schema/oss_plugins.json
@@ -8945,6 +8945,12 @@
             "description": "Non-default value of setting."
           }
         },
+        "securitySolution:alertTags": {
+          "type": "keyword",
+          "_meta": {
+            "description": "Default value of the setting was changed."
+          }
+        },
         "search:includeFrozen": {
           "type": "boolean",
           "_meta": {

diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -292,6 +292,9 @@ describe('mappingFromFieldMap', () => {
                 workflow_status: {
                   type: 'keyword',
                 },
+                workflow_tags: {
+                  type: 'keyword',
+                },
               },
             },
             space_ids: {

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -296,6 +296,11 @@ it('matches snapshot', () => {
         "required": false,
         "type": "keyword",
       },
+      "kibana.alert.workflow_tags": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.workflow_user": Object {
         "array": false,
         "required": false,

diff --git a/x-pack/plugins/security_solution/common/constants.ts b/x-pack/plugins/security_solution/common/constants.ts
@@ -6,6 +6,7 @@
  */
 
 import { RuleNotifyWhen } from '@kbn/alerting-plugin/common';
+import * as i18n from './translations';
 
 /**
  * as const
@@ -361,6 +362,7 @@ export const DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/migration_status` as const;
 export const DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL =
   `${DETECTION_ENGINE_SIGNALS_URL}/finalize_migration` as const;
+export const DETECTION_ENGINE_ALERT_TAGS_URL = `${DETECTION_ENGINE_SIGNALS_URL}/tags` as const;
 
 export const ALERTS_AS_DATA_URL = '/internal/rac/alerts' as const;
 export const ALERTS_AS_DATA_FIND_URL = `${ALERTS_AS_DATA_URL}/find` as const;
@@ -537,3 +539,10 @@ export const ALERTS_TABLE_REGISTRY_CONFIG_IDS = {
   RULE_DETAILS: `${APP_ID}-rule-details`,
   CASE: `${APP_ID}-case`,
 } as const;
+
+export const DEFAULT_ALERT_TAGS_KEY = 'securitySolution:alertTags' as const;
+export const DEFAULT_ALERT_TAGS_VALUE = [
+  i18n.DUPLICATE,
+  i18n.FALSE_POSITIVE,
+  i18n.FURTHER_INVESTIGATION_REQUIRED,
+] as const;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/8.9.0/index.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/8.9.0/index.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ALERT_WORKFLOW_TAGS } from '@kbn/rule-data-utils';
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  Ancestor880,
+  BaseFields880,
+  EqlBuildingBlockFields880,
+  EqlShellFields880,
+  NewTermsFields880,
+} from '../8.8.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.9.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.9.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor880 as Ancestor890 };
+
+export interface BaseFields890 extends BaseFields880 {
+  [ALERT_WORKFLOW_TAGS]: string[];
+}
+
+export interface WrappedFields890<T extends BaseFields890> {
+  _id: string;
+  _index: string;
+  _source: T;
+}
+
+export type GenericAlert890 = AlertWithCommonFields800<BaseFields890>;
+
+export type EqlShellFields890 = EqlShellFields880 & BaseFields890;
+
+export type EqlBuildingBlockFields890 = EqlBuildingBlockFields880 & BaseFields890;
+
+export type NewTermsFields890 = NewTermsFields880 & BaseFields890;
+
+export type NewTermsAlert890 = NewTermsFields880 & BaseFields890;
+
+export type EqlBuildingBlockAlert890 = AlertWithCommonFields800<EqlBuildingBlockFields880>;
+
+export type EqlShellAlert890 = AlertWithCommonFields800<EqlShellFields890>;
+
+export type DetectionAlert890 =
+  | GenericAlert890
+  | EqlShellAlert890
+  | EqlBuildingBlockAlert890
+  | NewTermsAlert890;
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/index.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/index.ts
@@ -10,15 +10,16 @@ import type { DetectionAlert800 } from './8.0.0';
 import type { DetectionAlert840 } from './8.4.0';
 import type { DetectionAlert860 } from './8.6.0';
 import type { DetectionAlert870 } from './8.7.0';
+import type { DetectionAlert880 } from './8.8.0';
 import type {
-  Ancestor880,
-  BaseFields880,
-  DetectionAlert880,
-  EqlBuildingBlockFields880,
-  EqlShellFields880,
-  NewTermsFields880,
-  WrappedFields880,
-} from './8.8.0';
+  Ancestor890,
+  BaseFields890,
+  DetectionAlert890,
+  EqlBuildingBlockFields890,
+  EqlShellFields890,
+  NewTermsFields890,
+  WrappedFields890,
+} from './8.9.0';
 
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
@@ -27,14 +28,15 @@ export type DetectionAlert =
   | DetectionAlert840
   | DetectionAlert860
   | DetectionAlert870
-  | DetectionAlert880;
+  | DetectionAlert880
+  | DetectionAlert890;
 
 export type {
-  Ancestor880 as AncestorLatest,
-  BaseFields880 as BaseFieldsLatest,
-  DetectionAlert880 as DetectionAlertLatest,
-  WrappedFields880 as WrappedFieldsLatest,
-  EqlBuildingBlockFields880 as EqlBuildingBlockFieldsLatest,
-  EqlShellFields880 as EqlShellFieldsLatest,
-  NewTermsFields880 as NewTermsFieldsLatest,
+  Ancestor890 as AncestorLatest,
+  BaseFields890 as BaseFieldsLatest,
+  DetectionAlert890 as DetectionAlertLatest,
+  WrappedFields890 as WrappedFieldsLatest,
+  EqlBuildingBlockFields890 as EqlBuildingBlockFieldsLatest,
+  EqlShellFields890 as EqlShellFieldsLatest,
+  NewTermsFields890 as NewTermsFieldsLatest,
 };
diff --git a/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts b/x-pack/plugins/security_solution/common/detection_engine/schemas/common/schemas.ts
@@ -45,6 +45,9 @@ export type SignalIds = t.TypeOf<typeof signal_ids>;
 // TODO: Can this be more strict or is this is the set of all Elastic Queries?
 export const signal_status_query = t.object;
 
+export const alert_tag_query = t.record(t.string, t.unknown);
+export type AlertTagQuery = t.TypeOf<typeof alert_tag_query>;
+
 export const fields = t.array(t.string);
 export type Fields = t.TypeOf<typeof fields>;
 export const fieldsOrUndefined = t.union([fields, t.undefined]);
@@ -125,3 +128,10 @@ export const privilege = t.type({
 });
 
 export type Privilege = t.TypeOf<typeof privilege>;
+
+export const alert_tags = t.type({
+  tags_to_add: t.array(t.string),
+  tags_to_remove: t.array(t.string),
+});
+
+export type AlertTags = t.TypeOf<typeof alert_tags>;
diff --git a/...s/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.mock.ts b/...s/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.mock.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { SetAlertTagsSchema } from './set_alert_tags_schema';
+
+export const getSetAlertTagsRequestMock = (
+  tagsToAdd: string[] = [],
+  tagsToRemove: string[] = []
+): SetAlertTagsSchema => ({ tags: { tags_to_add: tagsToAdd, tags_to_remove: tagsToRemove } });
diff --git a/...lugins/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.ts b/...lugins/security_solution/common/detection_engine/schemas/request/set_alert_tags_schema.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as t from 'io-ts';
+
+import { alert_tag_query, alert_tags } from '../common/schemas';
+
+export const setAlertTagsSchema = t.intersection([
+  t.type({
+    tags: alert_tags,
+  }),
+  t.partial({
+    query: alert_tag_query,
+  }),
+]);
+
+export type SetAlertTagsSchema = t.TypeOf<typeof setAlertTagsSchema>;
+export type SetAlertTagsSchemaDecoded = SetAlertTagsSchema;
diff --git a/x-pack/plugins/security_solution/common/translations.ts b/x-pack/plugins/security_solution/common/translations.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+
+export const DUPLICATE = i18n.translate('xpack.securitySolution.defaultAlertTags.duplicate', {
+  defaultMessage: 'Duplicate',
+});
+
+export const FALSE_POSITIVE = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.falsePositive',
+  {
+    defaultMessage: 'False Positive',
+  }
+);
+
+export const FURTHER_INVESTIGATION_REQUIRED = i18n.translate(
+  'xpack.securitySolution.defaultAlertTags.furtherInvestigationRequired',
+  {
+    defaultMessage: 'Further investigation required',
+  }
+);