

[Security Solution][RAC] - Remove timestamp from reason field (#109492)
* remove timestamp from reason

* fix test type errors

* update tests
michaelolo24 authored Aug 23, 2021
1 parent d07c733 commit d495191
Showing 7 changed files with 28 additions and 36 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ export const buildBulkBody = (
const filteredSource = filterSource(mergedDoc);
const timestamp = new Date().toISOString();

const reason = buildReasonMessage({ mergedDoc, rule, timestamp });
const reason = buildReasonMessage({ mergedDoc, rule });
if (isSourceDoc(mergedDoc)) {
return {
...filteredSource,
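Review bot: The `timestamp` local computed on the line before the rewritten `buildReasonMessage` call is no longer passed to it; if it is still consumed further down in `buildBulkBody` (the function continues outside the hunk, presumably as the alert's own `@timestamp`) this is fine, otherwise it is now a dead `new Date().toISOString()` that `no-unused-vars` will flag. The same pattern repeats in the next file at the three rewritten call sites in `buildBulkBody`, `buildSignalFromSequence` and `buildSignalFromEvent`, where `timestamp` is likewise computed immediately before a `buildReasonMessage` call that no longer takes it. A reader of these files can no longer tell that the omission is deliberate, so a one-line comment at the first call site would help, e.g. `// the reason text intentionally omits the creation time; the alert's own @timestamp carries it`.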
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ export const buildBulkBody = (
const mergedDoc = getMergeStrategy(mergeStrategy)({ doc });
const rule = buildRuleWithOverrides(ruleSO, mergedDoc._source ?? {});
const timestamp = new Date().toISOString();
const reason = buildReasonMessage({ mergedDoc, rule, timestamp });
const reason = buildReasonMessage({ mergedDoc, rule });
const signal: Signal = {
...buildSignal([mergedDoc], rule, reason),
...additionalSignalFields(mergedDoc),
Expand Down Expand Up @@ -122,7 +122,7 @@ export const buildSignalFromSequence = (
const rule = buildRuleWithoutOverrides(ruleSO);
const timestamp = new Date().toISOString();

const reason = buildReasonMessage({ rule, timestamp });
const reason = buildReasonMessage({ rule });
const signal: Signal = buildSignal(events, rule, reason);
const mergedEvents = objectArrayIntersection(events.map((event) => event._source));
return {
Expand Down Expand Up @@ -154,7 +154,7 @@ export const buildSignalFromEvent = (
? buildRuleWithOverrides(ruleSO, mergedEvent._source ?? {})
: buildRuleWithoutOverrides(ruleSO);
const timestamp = new Date().toISOString();
const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule, timestamp });
const reason = buildReasonMessage({ mergedDoc: mergedEvent, rule });
const signal: Signal = {
...buildSignal([mergedEvent], rule, reason),
...additionalSignalFields(mergedEvent),
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ import { SignalSourceHit } from './types';
describe('reason_formatter', () => {
let rule: RulesSchema;
let mergedDoc: SignalSourceHit;
let timestamp: string;
beforeAll(() => {
rule = {
name: 'What is in a name',
Expand All @@ -28,18 +27,17 @@ describe('reason_formatter', () => {
'@timestamp': '2021-08-11T02:28:59.101Z',
},
};
timestamp = '2021-08-11T02:28:59.401Z';
});

describe('buildCommonReasonMessage', () => {
describe('when rule, mergedDoc, and timestamp are provided', () => {
describe('when rule and mergedDoc are provided', () => {
it('should return the full reason message', () => {
expect(buildCommonReasonMessage({ rule, mergedDoc, timestamp })).toEqual(
'Alert What is in a name created at 2021-08-11T02:28:59.401Z with a medium severity and risk score of 9000 by ferris bueller on party host.'
expect(buildCommonReasonMessage({ rule, mergedDoc })).toEqual(
'Alert What is in a name created with a medium severity and risk score of 9000 by ferris bueller on party host.'
);
});
});
describe('when rule, mergedDoc, and timestamp are provided and host.name is missing', () => {
describe('when rule and mergedDoc are provided, but host.name is missing', () => {
it('should return the reason message without the host name', () => {
const updatedMergedDoc = {
...mergedDoc,
Expand All @@ -48,12 +46,12 @@ describe('reason_formatter', () => {
'host.name': ['-'],
},
};
expect(buildCommonReasonMessage({ rule, mergedDoc: updatedMergedDoc, timestamp })).toEqual(
'Alert What is in a name created at 2021-08-11T02:28:59.401Z with a medium severity and risk score of 9000 by ferris bueller.'
expect(buildCommonReasonMessage({ rule, mergedDoc: updatedMergedDoc })).toEqual(
'Alert What is in a name created with a medium severity and risk score of 9000 by ferris bueller.'
);
});
});
describe('when rule, mergedDoc, and timestamp are provided and user.name is missing', () => {
describe('when rule and mergedDoc are provided, but user.name is missing', () => {
it('should return the reason message without the user name', () => {
const updatedMergedDoc = {
...mergedDoc,
Expand All @@ -62,15 +60,15 @@ describe('reason_formatter', () => {
'user.name': ['-'],
},
};
expect(buildCommonReasonMessage({ rule, mergedDoc: updatedMergedDoc, timestamp })).toEqual(
'Alert What is in a name created at 2021-08-11T02:28:59.401Z with a medium severity and risk score of 9000 on party host.'
expect(buildCommonReasonMessage({ rule, mergedDoc: updatedMergedDoc })).toEqual(
'Alert What is in a name created with a medium severity and risk score of 9000 on party host.'
);
});
});
describe('when only rule and timestamp are provided', () => {
describe('when only rule is provided', () => {
it('should return the reason message without host name or user name', () => {
expect(buildCommonReasonMessage({ rule, timestamp })).toEqual(
'Alert What is in a name created at 2021-08-11T02:28:59.401Z with a medium severity and risk score of 9000.'
expect(buildCommonReasonMessage({ rule })).toEqual(
'Alert What is in a name created with a medium severity and risk score of 9000.'
);
});
});
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ import { SignalSourceHit } from './types';
export interface BuildReasonMessageArgs {
rule: RulesSchema;
mergedDoc?: SignalSourceHit;
timestamp: string;
}

export type BuildReasonMessage = (args: BuildReasonMessageArgs) => string;
Expand All @@ -23,11 +22,7 @@ export type BuildReasonMessage = (args: BuildReasonMessageArgs) => string;
* to more easily allow for this in the future.
* @export buildCommonReasonMessage - is only exported for testing purposes, and only used internally here.
*/
export const buildCommonReasonMessage = ({
rule,
mergedDoc,
timestamp,
}: BuildReasonMessageArgs) => {
export const buildCommonReasonMessage = ({ rule, mergedDoc }: BuildReasonMessageArgs) => {
if (!rule) {
// This should never happen, but in case, better to not show a malformed string
return '';
Expand All @@ -44,13 +39,12 @@ export const buildCommonReasonMessage = ({

return i18n.translate('xpack.securitySolution.detectionEngine.signals.alertReasonDescription', {
defaultMessage:
'Alert {alertName} created at {timestamp} with a {alertSeverity} severity and risk score of {alertRiskScore}{userName, select, null {} other {{whitespace}by {userName}} }{hostName, select, null {} other {{whitespace}on {hostName}} }.',
'Alert {alertName} created with a {alertSeverity} severity and risk score of {alertRiskScore}{userName, select, null {} other {{whitespace}by {userName}} }{hostName, select, null {} other {{whitespace}on {hostName}} }.',
values: {
alertName: rule.name,
alertSeverity: rule.severity,
alertRiskScore: rule.risk_score,
hostName: isFieldEmpty(hostName) ? 'null' : hostName,
timestamp,
userName: isFieldEmpty(userName) ? 'null' : userName,
whitespace: ' ', // there isn't support for the unicode /u0020 for whitespace, and leading spaces are deleted, so to prevent double-whitespace explicitly passing the space in.
},
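Review bot: The rewritten `defaultMessage` keeps the `{userName, select, null {} other {…}}` and `{hostName, …}` branches keyed on the literal string `'null'` that the `isFieldEmpty` ternaries below substitute, so a source event whose `user.name` or `host.name` is genuinely the string `null` is silently omitted from the reason; both values appear to come from the merged source document rather than from the rule, so the reason text is a best-effort summary of the event, not a faithful copy of its fields. That collision predates this commit, but since the message is being rewritten it deserves a comment next to the `hostName:`/`userName:` values, e.g. `// 'null' is the ICU select sentinel for "absent"; a real value of "null" is indistinguishable from a missing field`. With `timestamp` removed, `BuildReasonMessageArgs` would also benefit from TSDoc stating that `mergedDoc` is optional and (as far as the visible values show) is only used for `host.name`/`user.name`, and that the creation time is intentionally not part of the reason. The body of `buildCommonReasonMessage` continues outside the hunk.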
Original file line number Diff line number Diff line change
Expand Up @@ -193,7 +193,7 @@ export default ({ getService }: FtrProviderContext) => {
index: '.ml-anomalies-custom-linux_anomalous_network_activity_ecs',
depth: 0,
},
reason: `Alert Test ML rule created at ${signal._source['@timestamp']} with a critical severity and risk score of 50 by root on mothra.`,
reason: `Alert Test ML rule created with a critical severity and risk score of 50 by root on mothra.`,
original_time: '2020-11-16T22:58:08.000Z',
},
all_field_values: [
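Review bot: The rewritten `reason` expectation no longer interpolates anything, so the template-literal backticks are now just a plain string; `reason: 'Alert Test ML rule created with a critical severity and risk score of 50 by root on mothra.',` reads more honestly and quote-consistency lint rules may flag the backticks. The same applies to every rewritten `reason:` line in the two following files (the `Alert Query with a rule id …`, `Alert Signal Testing Query …` and `Alert boot …` expectations). Dropping the `${…['@timestamp']}` reference also means these assertions no longer pin that each alert carries a timestamp; if nothing else in these tests asserts `@timestamp`, that coverage is lost with this change.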
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,7 @@ export default ({ getService }: FtrProviderContext) => {
depth: 0,
},
],
reason: `Alert Query with a rule id created at ${fullSignal['@timestamp']} with a high severity and risk score of 55 by root on zeek-sensor-amsterdam.`,
reason: `Alert Query with a rule id created with a high severity and risk score of 55 by root on zeek-sensor-amsterdam.`,
rule: fullSignal.signal.rule,
status: 'open',
},
Original file line number Diff line number Diff line change
Expand Up @@ -362,7 +362,7 @@ export default ({ getService }: FtrProviderContext) => {
},
},
signal: {
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1 on suricata-zeek-sensor-toronto.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1 on suricata-zeek-sensor-toronto.`,
rule: fullSignal.signal.rule,
original_time: fullSignal.signal.original_time,
status: 'open',
Expand Down Expand Up @@ -497,7 +497,7 @@ export default ({ getService }: FtrProviderContext) => {
},
},
signal: {
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1 on suricata-zeek-sensor-toronto.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1 on suricata-zeek-sensor-toronto.`,
rule: fullSignal.signal.rule,
original_time: fullSignal.signal.original_time,
status: 'open',
Expand Down Expand Up @@ -662,7 +662,7 @@ export default ({ getService }: FtrProviderContext) => {
},
},
signal: {
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1 by root on zeek-sensor-amsterdam.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1 by root on zeek-sensor-amsterdam.`,
rule: fullSignal.signal.rule,
group: fullSignal.signal.group,
original_time: fullSignal.signal.original_time,
Expand Down Expand Up @@ -753,7 +753,7 @@ export default ({ getService }: FtrProviderContext) => {
status: 'open',
depth: 2,
group: source.signal.group,
reason: `Alert Signal Testing Query created at ${source['@timestamp']} with a high severity and risk score of 1.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1.`,
rule: source.signal.rule,
ancestors: [
{
Expand Down Expand Up @@ -872,7 +872,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
status: 'open',
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1.`,
rule: fullSignal.signal.rule,
original_time: fullSignal.signal.original_time,
depth: 1,
Expand Down Expand Up @@ -1010,7 +1010,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
status: 'open',
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1.`,
rule: fullSignal.signal.rule,
original_time: fullSignal.signal.original_time,
depth: 1,
Expand Down Expand Up @@ -1094,7 +1094,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
status: 'open',
reason: `Alert Signal Testing Query created at ${fullSignal['@timestamp']} with a high severity and risk score of 1.`,
reason: `Alert Signal Testing Query created with a high severity and risk score of 1.`,
rule: fullSignal.signal.rule,
original_time: fullSignal.signal.original_time,
depth: 1,
Expand Down Expand Up @@ -1686,7 +1686,7 @@ export default ({ getService }: FtrProviderContext) => {
},
],
status: 'open',
reason: `Alert boot created at ${fullSignal['@timestamp']} with a high severity and risk score of 1 on zeek-sensor-amsterdam.`,
reason: `Alert boot created with a high severity and risk score of 1 on zeek-sensor-amsterdam.`,
rule: {
...fullSignal.signal.rule,
name: 'boot',
