[Security Solution][Detections] Extend alerts schema to accommodate the list of assigned users (#7647)

e40pud · e40pud · commit b79f3f83c688 · 2023-09-20T16:31:17.000+02:00
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts
@@ -32,6 +32,7 @@ import {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -182,6 +183,11 @@ export const alertFieldMap = {
     array: true,
     required: false,
   },
+  [ALERT_WORKFLOW_ASSIGNEES]: {
+    type: 'keyword',
+    array: true,
+    required: false,
+  },
   [EVENT_ACTION]: {
     type: 'keyword',
     array: false,
diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts
@@ -116,6 +116,7 @@ const AlertOptional = rt.partial({
       start: schemaDate,
       time_range: schemaDateRange,
       url: schemaString,
+      workflow_assignees: schemaStringArray,
       workflow_status: schemaString,
       workflow_tags: schemaStringArray,
     }),
diff --git a/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts b/packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts
@@ -234,6 +234,7 @@ const SecurityAlertOptional = rt.partial({
       }),
       time_range: schemaDateRange,
       url: schemaString,
+      workflow_assignees: schemaStringArray,
       workflow_reason: schemaString,
       workflow_status: schemaString,
       workflow_tags: schemaStringArray,
diff --git a/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts b/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts
@@ -11,6 +11,7 @@ import {
   ALERT_RISK_SCORE,
   ALERT_SEVERITY,
   ALERT_RULE_PARAMETERS,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_TAGS,
 } from '@kbn/rule-data-utils';
 
@@ -46,6 +47,7 @@ export const ALERT_EVENTS_FIELDS = [
   ALERT_RULE_CONSUMER,
   '@timestamp',
   'kibana.alert.ancestors.index',
+  ALERT_WORKFLOW_ASSIGNEES,
   'kibana.alert.workflow_status',
   ALERT_WORKFLOW_TAGS,
   'kibana.alert.group.id',
diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
@@ -70,6 +70,9 @@ const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 // kibana.alert.workflow_tags - user workflow alert tags
 const ALERT_WORKFLOW_TAGS = `${ALERT_NAMESPACE}.workflow_tags` as const;
 
+// kibana.alert.workflow_assignees - user workflow alert assignees
+const ALERT_WORKFLOW_ASSIGNEES = `${ALERT_NAMESPACE}.workflow_assignees` as const;
+
 // kibana.alert.rule.category - rule type name for rule that generated this alert
 const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 
@@ -135,6 +138,7 @@ const fields = {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -174,6 +178,7 @@ export {
   ALERT_TIME_RANGE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -32,6 +32,7 @@ import {
   ALERT_STATUS,
   ALERT_TIME_RANGE,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   SPACE_IDS,
@@ -168,6 +169,7 @@ const fields = {
   ALERT_STATUS,
   ALERT_SYSTEM_STATUS,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_REASON,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
diff --git a/packages/kbn-securitysolution-ecs/src/signal/index.ts b/packages/kbn-securitysolution-ecs/src/signal/index.ts
@@ -24,6 +24,7 @@ export type SignalEcsAAD = Exclude<SignalEcs, 'rule' | 'status'> & {
   building_block_type?: string[];
   workflow_status?: string[];
   workflow_tags?: string[];
+  workflow_assignees?: string[];
   suppression?: {
     docs_count: string[];
   };
diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -306,6 +306,9 @@ describe('mappingFromFieldMap', () => {
                 workflow_tags: {
                   type: 'keyword',
                 },
+                workflow_assignees: {
+                  type: 'keyword',
+                },
               },
             },
             space_ids: {
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -286,6 +286,11 @@ it('matches snapshot', () => {
         "required": true,
         "type": "keyword",
       },
+      "kibana.alert.workflow_assignees": Object {
+        "array": true,
+        "required": false,
+        "type": "keyword",
+      },
       "kibana.alert.workflow_reason": Object {
         "array": false,
         "required": false,
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/8.11.0/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/8.11.0/index.ts
@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ALERT_WORKFLOW_ASSIGNEES } from '@kbn/rule-data-utils';
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  Ancestor890,
+  BaseFields890,
+  EqlBuildingBlockFields890,
+  EqlShellFields890,
+  NewTermsFields890,
+} from '../8.9.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.11.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.11.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor890 as Ancestor8110 };
+
+export interface BaseFields8110 extends BaseFields890 {
+  [ALERT_WORKFLOW_ASSIGNEES]: string[];
+}
+
+export interface WrappedFields8110<T extends BaseFields8110> {
+  _id: string;
+  _index: string;
+  _source: T;
+}
+
+export type GenericAlert8110 = AlertWithCommonFields800<BaseFields8110>;
+
+export type EqlShellFields8110 = EqlShellFields890 & BaseFields8110;
+
+export type EqlBuildingBlockFields8110 = EqlBuildingBlockFields890 & BaseFields8110;
+
+export type NewTermsFields8110 = NewTermsFields890 & BaseFields8110;
+
+export type NewTermsAlert8110 = NewTermsFields890 & BaseFields8110;
+
+export type EqlBuildingBlockAlert8110 = AlertWithCommonFields800<EqlBuildingBlockFields890>;
+
+export type EqlShellAlert8110 = AlertWithCommonFields800<EqlShellFields8110>;
+
+export type DetectionAlert8110 =
+  | GenericAlert8110
+  | EqlShellAlert8110
+  | EqlBuildingBlockAlert8110
+  | NewTermsAlert8110;
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts
@@ -11,15 +11,16 @@ import type { DetectionAlert840 } from './8.4.0';
 import type { DetectionAlert860 } from './8.6.0';
 import type { DetectionAlert870 } from './8.7.0';
 import type { DetectionAlert880 } from './8.8.0';
+import type { DetectionAlert890 } from './8.9.0';
 import type {
-  Ancestor890,
-  BaseFields890,
-  DetectionAlert890,
-  EqlBuildingBlockFields890,
-  EqlShellFields890,
-  NewTermsFields890,
-  WrappedFields890,
-} from './8.9.0';
+  Ancestor8110,
+  BaseFields8110,
+  DetectionAlert8110,
+  EqlBuildingBlockFields8110,
+  EqlShellFields8110,
+  NewTermsFields8110,
+  WrappedFields8110,
+} from './8.11.0';
 
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
@@ -29,14 +30,15 @@ export type DetectionAlert =
   | DetectionAlert860
   | DetectionAlert870
   | DetectionAlert880
-  | DetectionAlert890;
+  | DetectionAlert890
+  | DetectionAlert8110;
 
 export type {
-  Ancestor890 as AncestorLatest,
-  BaseFields890 as BaseFieldsLatest,
-  DetectionAlert890 as DetectionAlertLatest,
-  WrappedFields890 as WrappedFieldsLatest,
-  EqlBuildingBlockFields890 as EqlBuildingBlockFieldsLatest,
-  EqlShellFields890 as EqlShellFieldsLatest,
-  NewTermsFields890 as NewTermsFieldsLatest,
+  Ancestor8110 as AncestorLatest,
+  BaseFields8110 as BaseFieldsLatest,
+  DetectionAlert8110 as DetectionAlertLatest,
+  WrappedFields8110 as WrappedFieldsLatest,
+  EqlBuildingBlockFields8110 as EqlBuildingBlockFieldsLatest,
+  EqlShellFields8110 as EqlShellFieldsLatest,
+  NewTermsFields8110 as NewTermsFieldsLatest,
 };
diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
@@ -177,6 +177,7 @@ export const requiredFieldsForActions = [
   '@timestamp',
   'kibana.alert.workflow_status',
   'kibana.alert.workflow_tags',
+  'kibana.alert.workflow_assignees',
   'kibana.alert.group.id',
   'kibana.alert.original_time',
   'kibana.alert.building_block_type',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/es_results.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/__mocks__/es_results.ts
@@ -52,6 +52,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   EVENT_KIND,
@@ -322,6 +323,7 @@ export const sampleAlertDocAADNoSortId = (
     },
     [ALERT_URL]: 'http://example.com/docID',
     [ALERT_WORKFLOW_TAGS]: [],
+    [ALERT_WORKFLOW_ASSIGNEES]: [],
   },
   fields: {
     someKey: ['someValue'],
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts
@@ -19,6 +19,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   EVENT_ACTION,
@@ -233,6 +234,7 @@ describe('buildAlert', () => {
       [ALERT_URL]: expectedAlertUrl,
       [ALERT_UUID]: alertUuid,
       [ALERT_WORKFLOW_TAGS]: [],
+      [ALERT_WORKFLOW_ASSIGNEES]: [],
     };
     expect(alert).toEqual(expected);
   });
@@ -426,6 +428,7 @@ describe('buildAlert', () => {
       [ALERT_URL]: expectedAlertUrl,
       [ALERT_UUID]: alertUuid,
       [ALERT_WORKFLOW_TAGS]: [],
+      [ALERT_WORKFLOW_ASSIGNEES]: [],
     };
     expect(alert).toEqual(expected);
   });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts
@@ -36,6 +36,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   EVENT_KIND,
@@ -248,6 +249,7 @@ export const buildAlert = (
     [ALERT_URL]: alertUrl,
     [ALERT_UUID]: alertUuid,
     [ALERT_WORKFLOW_TAGS]: [],
+    [ALERT_WORKFLOW_ASSIGNEES]: [],
     ...flattenWithPrefix(ALERT_RULE_META, params.meta),
     // These fields don't exist in the mappings, but leaving here for now to limit changes to the alert building logic
     'kibana.alert.rule.risk_score': params.riskScore,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/__mocks__/alerts.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/__mocks__/alerts.ts
@@ -40,6 +40,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_URL,
   ALERT_UUID,
+  ALERT_WORKFLOW_ASSIGNEES,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
   EVENT_KIND,
@@ -96,6 +97,7 @@ export const createAlert = (
     [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
     [ALERT_WORKFLOW_STATUS]: 'open',
     [ALERT_WORKFLOW_TAGS]: [],
+    [ALERT_WORKFLOW_ASSIGNEES]: [],
     [ALERT_DEPTH]: 1,
     [ALERT_REASON]: 'reasonable reason',
     [ALERT_SEVERITY]: 'high',
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/group6/alerts/alerts_compatibility.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/group6/alerts/alerts_compatibility.ts
@@ -321,6 +321,7 @@ export default ({ getService }: FtrProviderContext) => {
           'kibana.alert.status': 'active',
           'kibana.alert.workflow_status': 'open',
           'kibana.alert.workflow_tags': [],
+          'kibana.alert.workflow_assignees': [],
           'kibana.alert.depth': 2,
           'kibana.alert.reason':
             'event on security-linux-1 created high alert Signal Testing Query.',
@@ -483,6 +484,7 @@ export default ({ getService }: FtrProviderContext) => {
           'kibana.alert.status': 'active',
           'kibana.alert.workflow_status': 'open',
           'kibana.alert.workflow_tags': [],
+          'kibana.alert.workflow_assignees': [],
           'kibana.alert.depth': 2,
           'kibana.alert.reason':
             'event on security-linux-1 created high alert Signal Testing Query.',
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/eql.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/eql.ts
@@ -11,6 +11,7 @@ import {
   ALERT_RULE_UUID,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
+  ALERT_WORKFLOW_ASSIGNEES,
   EVENT_KIND,
 } from '@kbn/rule-data-utils';
 import { flattenWithPrefix } from '@kbn/securitysolution-rules';
@@ -150,6 +151,7 @@ export default ({ getService }: FtrProviderContext) => {
         [ALERT_ORIGINAL_TIME]: fullSignal[ALERT_ORIGINAL_TIME],
         [ALERT_WORKFLOW_STATUS]: 'open',
         [ALERT_WORKFLOW_TAGS]: [],
+        [ALERT_WORKFLOW_ASSIGNEES]: [],
         [ALERT_DEPTH]: 1,
         [ALERT_ANCESTORS]: [
           {
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/machine_learning.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/machine_learning.ts
@@ -15,6 +15,7 @@ import {
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
   ALERT_WORKFLOW_TAGS,
+  ALERT_WORKFLOW_ASSIGNEES,
   SPACE_IDS,
   VERSION,
 } from '@kbn/rule-data-utils';
@@ -120,6 +121,7 @@ export default ({ getService }: FtrProviderContext) => {
           [ALERT_ANCESTORS]: expect.any(Array),
           [ALERT_WORKFLOW_STATUS]: 'open',
           [ALERT_WORKFLOW_TAGS]: [],
+          [ALERT_WORKFLOW_ASSIGNEES]: [],
           [ALERT_STATUS]: 'active',
           [SPACE_IDS]: ['default'],
           [ALERT_SEVERITY]: 'critical',
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/new_terms.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/new_terms.ts
@@ -167,6 +167,7 @@ export default ({ getService }: FtrProviderContext) => {
         'kibana.alert.status': 'active',
         'kibana.alert.workflow_status': 'open',
         'kibana.alert.workflow_tags': [],
+        'kibana.alert.workflow_assignees': [],
         'kibana.alert.depth': 1,
         'kibana.alert.reason':
           'authentication event with source 8.42.77.171 by root on zeek-newyork-sha-aa8df15 created high alert Query with a rule id.',
diff --git a/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threat_match.ts b/x-pack/test/detection_engine_api_integration/security_and_spaces/rule_execution_logic/threat_match.ts
@@ -18,6 +18,7 @@ import {
   SPACE_IDS,
   VERSION,
   ALERT_WORKFLOW_TAGS,
+  ALERT_WORKFLOW_ASSIGNEES,
 } from '@kbn/rule-data-utils';
 import { flattenWithPrefix } from '@kbn/securitysolution-rules';
 import { ThreatMapping } from '@kbn/securitysolution-io-ts-alerting-types';
@@ -289,6 +290,7 @@ export default ({ getService }: FtrProviderContext) => {
         [ALERT_UUID]: fullSignal[ALERT_UUID],
         [ALERT_WORKFLOW_STATUS]: 'open',
         [ALERT_WORKFLOW_TAGS]: [],
+        [ALERT_WORKFLOW_ASSIGNEES]: [],
         [SPACE_IDS]: ['default'],
         [VERSION]: fullSignal[VERSION],
         threat: {
