Add support for threat.feed.name #120250
Add support for threat.feed.name #120250
Conversation
| @@ -1107,6 +1107,9 @@ export const mockTimelineData: TimelineItem[] = [ | |||
| field: ['source.ip'], | |||
| type: ['ip'], | |||
| }, | |||
| feed: { | |||
| name: ['indicator_provider'], | |||
There was a problem hiding this comment.
A more realistic example here might help distinguish it from provider 😉
There was a problem hiding this comment.
Agree, it's value used here, I think it make more sense
| @@ -81,7 +82,9 @@ export const getEnrichmentIdentifiers = (enrichment: CtiEnrichment): CtiEnrichme | |||
| field: getEnrichmentValue(enrichment, MATCHED_FIELD), | |||
| value: getEnrichmentValue(enrichment, MATCHED_ATOMIC), | |||
| type: getEnrichmentValue(enrichment, MATCHED_TYPE), | |||
| provider: getShimmedIndicatorValue(enrichment, PROVIDER), | |||
| provider: | |||
There was a problem hiding this comment.
I don't think we want to conflate these two values as they're different concepts. Feed name is the data feed containing the indicator, while the provider is the entity that discovered/generated the indicator.
There was a problem hiding this comment.
So, do you suggest that we need to keep only FEED_NAME here?
It's basically will be the same as old behaviour
| @@ -46,7 +47,7 @@ export const ThreatMatchRow = ({ | |||
| contextId, | |||
| eventId, | |||
| indicatorReference: get(data, REFERENCE)[0] as string | undefined, | |||
| indicatorProvider: get(data, PROVIDER)[0] as string | undefined, | |||
| indicatorProvider: (get(data, FEED_NAME)[0] ?? get(data, PROVIDER)[0]) as string | undefined, | |||
There was a problem hiding this comment.
Ditto on the conflation here.
| @@ -81,7 +81,7 @@ export const getEnrichmentIdentifiers = (enrichment: CtiEnrichment): CtiEnrichme | |||
| field: getEnrichmentValue(enrichment, MATCHED_FIELD), | |||
| value: getEnrichmentValue(enrichment, MATCHED_ATOMIC), | |||
| type: getEnrichmentValue(enrichment, MATCHED_TYPE), | |||
| provider: getShimmedIndicatorValue(enrichment, PROVIDER), | |||
| provider: getShimmedIndicatorValue(enrichment, FEED_NAME), | |||
There was a problem hiding this comment.
I think we should rename this to feedName to remain consistent. I see no reason not to keep returning provider as well:
| provider: getShimmedIndicatorValue(enrichment, FEED_NAME), | |
| feedName: getShimmedIndicatorValue(enrichment, FEED_NAME), | |
| provider: getShimmedIndicatorValue(enrichment, PROVIDER), |
| @@ -46,7 +47,7 @@ export const ThreatMatchRow = ({ | |||
| contextId, | |||
| eventId, | |||
| indicatorReference: get(data, REFERENCE)[0] as string | undefined, | |||
| indicatorProvider: get(data, PROVIDER)[0] as string | undefined, | |||
| indicatorProvider: get(data, FEED_NAME)[0] as string | undefined, | |||
There was a problem hiding this comment.
If we're changing the semantic meaning of this prop we should change its name as well.
| indicatorProvider: get(data, FEED_NAME)[0] as string | undefined, | |
| feedName: get(data, FEED_NAME)[0] as string | undefined, |
|
@elasticmachine merge upstream |
| </EnrichmentFieldProvider> | ||
| {feedName && ( | ||
| <EnrichmentFieldFeedName> | ||
| {i18n.PROVIDER_PREPOSITION} {feedName} |
There was a problem hiding this comment.
we could probably rename i18n.PROVIDER_PREPOSITION
| 'matched.atomic': ['matched atomic'], | ||
| 'matched.type': ['matched type'], | ||
| 'feed.name': ['feed name'], | ||
| 'indicator.provider': ['provider name'], |
There was a problem hiding this comment.
do we use the indicator.provider enrichment identifier in Kibana? trying to understand if we need to leave it here considering it's a mapped field just like most others and it would work on the timeline anyway. if it's not used on the row renderer UI, there might not be an urgent reason to keep it here
| return { | ||
| indicator, | ||
| feed, |
There was a problem hiding this comment.
I thought we only wanted and mapped the threat.feed.name field for the alert, so I think we could consider just putting feed.name here instead of the feed obj
| @@ -98,7 +98,7 @@ const EnrichmentAccordion: React.FC<{ | |||
| key={accordionId} | |||
| initialIsOpen={true} | |||
| arrowDisplay="right" | |||
| buttonContent={<EnrichmentButtonContent field={field} provider={provider} value={value} />} | |||
| buttonContent={<EnrichmentButtonContent field={field} feedName={feedName} value={value} />} | |||
There was a problem hiding this comment.
it looks like we are completely removing the provider string from the UI - I thought we wanted to display provider if there was no feedName for the purpose of identifying the source of a feed. I understand previously raised concerns around conflating information , but we also know that it's very unlikely for the users to have chatted w/Ryland, it looks like this is something we could get product feedback on - since threat intel integrations from 8.0 are all designed to ship the threat.feed.name fields populated at least in 8.0 (as threat.feed.name is not in the ECS specification). IMHO we can do something like feedName={feedName ?? provider} in the UI contextthreat.feed.name field, this is less of a concern
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
* Add support for threat.feed.name * fix cy tests * Remove provider field * fix tests * Provider to feed.name * Fix tests * Fix tests * fix comments * Fix i18n * fix type * Fix types * fix tests Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…-chromium-before-compiling-pdf * 'main' of github.com:elastic/kibana: (121 commits) FTR should use the new kibana_system user (elastic#120436) [Lens] Temporarily exclude Mosaic/Waffle from the suggestions list (elastic#120488) [Reporting] Fix slow CSV with large max size bytes (elastic#120365) [CTI] Threat Intel Card on Overview page needs to accommodate Fleet TI integrations - (elastic#120459) [Dashboard] Added KibanaThemeProvider. (elastic#120122) add more rule_registry unit tests (elastic#120323) [Lens] update xpack.lens.pie.smallValuesWarningMessage text (elastic#120478) [Fleet] Simplified package policy create API, enriching default values (elastic#119739) mock `elastic-apm-node` in `@kbn/test` jest preset (elastic#120324) [RAC] Rename occurrences of alert_type to rule_type in Infra (elastic#120455) [Security Solutions] Removes tech debt of exporting all from linter rule for timeline plugin (elastic#120437) [Workplace Search] Add API Keys view to replace Access tokens (elastic#120147) [Security Solutions] Removes tech debt of exporting all from linter rule for cases plugin in the server section (elastic#120411) Add support for threat.feed.name (elastic#120250) [Rule Registry] Rewrite APM registry rules for Observability (elastic#117740) [docs] Fix artifact layout formatting (elastic#119386) [Workplace Search] Add a technical preview of connecting GitHub via GitHub apps (elastic#119764) add osquery notes for 7.16 (elastic#120407) chore(NA): splits types from code on @kbn/docs-utils (elastic#120533) [Reporting] Decouple screenshotting plugin from the reporting (elastic#120110) ... # Conflicts: # x-pack/plugins/reporting/server/browsers/chromium/driver_factory/index.test.ts # x-pack/plugins/reporting/server/browsers/chromium/driver_factory/index.ts # x-pack/plugins/reporting/server/lib/screenshots/observable.test.ts # x-pack/plugins/reporting/server/lib/screenshots/observable.ts # x-pack/plugins/reporting/server/test_helpers/create_mock_browserdriverfactory.ts
How to test:Intro
Filebeat
Create a custom test-indexCreate an IM ruleLet's make a match
|
* Add support for threat.feed.name * fix cy tests * Remove provider field * fix tests * Provider to feed.name * Fix tests * Fix tests * fix comments * Fix i18n * fix type * Fix types * fix tests Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add support for threat.feed.name * fix cy tests * Remove provider field * fix tests * Provider to feed.name * Fix tests * Fix tests * fix comments * Fix i18n * fix type * Fix types * fix tests Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
We add supporting of
threat.feed.namefor alerts flyout and timeline view.Context
Previously we were showing
indicator. provideras source name (provider) of enrichment.e.g
In new fleet TI integrations and filebeat 8.x the purpose of
indicator. providerfield was changed.And to be able to show previous source name was introduced
threat.feed.nameSolution
Currently, we have 2 different ways of building enrichment on the backend:
threat, sothreat.feedjust will be in enrichment automatically)feedinto enrichment)The frontend has logic about what to show for source name:
feed.name- show itHow to tests
Be sure that on alerts flyout and timeline we have the right source name
Checklist
Delete any items that are not applicable to this PR.
(https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))