From a524c001f5f84bc415983d7906f99a73e712e5de Mon Sep 17 00:00:00 2001 From: Tudor Golubenco Date: Tue, 24 Mar 2020 08:09:42 +0100 Subject: [PATCH] [SIEM] Use ECS categorisation for Authentication widgets (#60734) (#60890) * Update the Authentication histogram to use categorization fields * linting * Use categorization fields for the Authentications table * Use event.outcome for authentications KPIs * Adjust mock to fix unit test Co-authored-by: Elastic Machine Co-authored-by: Elastic Machine --- .../navigation/authentications_query_tab_body.tsx | 10 +++++----- .../siem/server/lib/authentications/query.dsl.ts | 4 ++-- .../plugins/siem/server/lib/kpi_hosts/mock.ts | 8 ++++---- .../lib/kpi_hosts/query_authentication.dsl.ts | 8 ++++---- .../query.authentications_over_time.dsl.ts | 15 +++++++++++++-- 5 files changed, 28 insertions(+), 17 deletions(-) diff --git a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx index fb083b7a7da2f3..5a6759fd072217 100644 --- a/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx +++ b/x-pack/legacy/plugins/siem/public/pages/hosts/navigation/authentications_query_tab_body.tsx @@ -25,15 +25,15 @@ const AuthenticationTableManage = manageQuery(AuthenticationTable); const ID = 'authenticationsOverTimeQuery'; const authStackByOptions: MatrixHistogramOption[] = [ { - text: 'event.type', - value: 'event.type', + text: 'event.outcome', + value: 'event.outcome', }, ]; -const DEFAULT_STACK_BY = 'event.type'; +const DEFAULT_STACK_BY = 'event.outcome'; enum AuthMatrixDataGroup { - authSuccess = 'authentication_success', - authFailure = 'authentication_failure', + authSuccess = 'success', + authFailure = 'failure', } export const authMatrixDataMappingFields: MatrixHistogramMappingTypes = { diff --git a/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts index 333cc79fadabcc..b9ed88e91f87d1 100644 --- a/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts +++ b/x-pack/legacy/plugins/siem/server/lib/authentications/query.dsl.ts @@ -70,7 +70,7 @@ export const buildQuery = ({ failures: { filter: { term: { - 'event.type': 'authentication_failure', + 'event.outcome': 'failure', }, }, aggs: { @@ -86,7 +86,7 @@ export const buildQuery = ({ successes: { filter: { term: { - 'event.type': 'authentication_success', + 'event.outcome': 'success', }, }, aggs: { diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts index b82a540900bd0b..ed9fbf0ba06466 100644 --- a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts +++ b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/mock.ts @@ -356,15 +356,15 @@ export const mockKpiHostDetailsUniqueIpsQuery = [ ]; const mockAuthAggs = { - authentication_success: { filter: { term: { 'event.type': 'authentication_success' } } }, + authentication_success: { filter: { term: { 'event.outcome': 'success' } } }, authentication_success_histogram: { auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { filter: { term: { 'event.type': 'authentication_success' } } } }, + aggs: { count: { filter: { term: { 'event.outcome': 'success' } } } }, }, - authentication_failure: { filter: { term: { 'event.type': 'authentication_failure' } } }, + authentication_failure: { filter: { term: { 'event.outcome': 'failure' } } }, authentication_failure_histogram: { auto_date_histogram: { field: '@timestamp', buckets: '6' }, - aggs: { count: { filter: { term: { 'event.type': 'authentication_failure' } } } }, + aggs: { count: { filter: { term: { 'event.outcome': 'failure' } } } }, }, }; diff --git a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts index 5734aa6ee88ccf..0b7803d0071947 100644 --- a/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts +++ b/x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.ts @@ -49,7 +49,7 @@ export const buildAuthQuery = ({ authentication_success: { filter: { term: { - 'event.type': 'authentication_success', + 'event.outcome': 'success', }, }, }, @@ -62,7 +62,7 @@ export const buildAuthQuery = ({ count: { filter: { term: { - 'event.type': 'authentication_success', + 'event.outcome': 'success', }, }, }, @@ -71,7 +71,7 @@ export const buildAuthQuery = ({ authentication_failure: { filter: { term: { - 'event.type': 'authentication_failure', + 'event.outcome': 'failure', }, }, }, @@ -84,7 +84,7 @@ export const buildAuthQuery = ({ count: { filter: { term: { - 'event.type': 'authentication_failure', + 'event.outcome': 'failure', }, }, }, diff --git a/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts b/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts index ccf0d235abdd3a..34a3804f974ded 100644 --- a/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts +++ b/x-pack/legacy/plugins/siem/server/lib/matrix_histogram/query.authentications_over_time.dsl.ts @@ -13,10 +13,21 @@ export const buildAuthenticationsOverTimeQuery = ({ sourceConfiguration: { fields: { timestamp }, }, - stackByField = 'event.type', + stackByField = 'event.outcome', }: MatrixHistogramRequestOptions) => { const filter = [ ...createQueryFilterClauses(filterQuery), + { + bool: { + must: [ + { + term: { + 'event.category': 'authentication', + }, + }, + ], + }, + }, { range: { [timestamp]: { @@ -45,7 +56,7 @@ export const buildAuthenticationsOverTimeQuery = ({ eventActionGroup: { terms: { field: stackByField, - include: ['authentication_success', 'authentication_failure'], + include: ['success', 'failure'], order: { _count: 'desc', },