[Security Solution] UEBA Spacetime Project (#104973)

Merging with known issues documented here: #106648

x-pack/plugins/security_solution/common/constants.ts

@@ -62,20 +62,21 @@ export const DEFAULT_INDICATOR_SOURCE_PATH = 'threatintel.indicator';
 export const INDICATOR_DESTINATION_PATH = 'threat.indicator';
 
 export enum SecurityPageName {
-  overview = 'overview',
-  detections = 'detections',
+  administration = 'administration',
   alerts = 'alerts',
-  rules = 'rules',
+  case = 'case',
+  detections = 'detections',
+  endpoints = 'endpoints',
+  eventFilters = 'event_filters',
   exceptions = 'exceptions',
   hosts = 'hosts',
   network = 'network',
-  timelines = 'timelines',
-  case = 'case',
-  administration = 'administration',
-  endpoints = 'endpoints',
+  overview = 'overview',
   policies = 'policies',
+  rules = 'rules',
+  timelines = 'timelines',
   trustedApps = 'trusted_apps',
-  eventFilters = 'event_filters',
+  ueba = 'ueba',
 }
 
 export const TIMELINES_PATH = '/timelines';
@@ -86,6 +87,7 @@ export const ALERTS_PATH = '/alerts';
 export const RULES_PATH = '/rules';
 export const EXCEPTIONS_PATH = '/exceptions';
 export const HOSTS_PATH = '/hosts';
+export const UEBA_PATH = '/ueba';
 export const NETWORK_PATH = '/network';
 export const MANAGEMENT_PATH = '/administration';
 export const ENDPOINTS_PATH = `${MANAGEMENT_PATH}/endpoints`;
@@ -100,6 +102,7 @@ export const APP_RULES_PATH = `${APP_PATH}${RULES_PATH}`;
 export const APP_EXCEPTIONS_PATH = `${APP_PATH}${EXCEPTIONS_PATH}`;
 
 export const APP_HOSTS_PATH = `${APP_PATH}${HOSTS_PATH}`;
+export const APP_UEBA_PATH = `${APP_PATH}${UEBA_PATH}`;
 export const APP_NETWORK_PATH = `${APP_PATH}${NETWORK_PATH}`;
 export const APP_TIMELINES_PATH = `${APP_PATH}${TIMELINES_PATH}`;
 export const APP_CASES_PATH = `${APP_PATH}${CASES_PATH}`;
@@ -119,6 +122,11 @@ export const DEFAULT_INDEX_PATTERN = [
   'winlogbeat-*',
 ];
 
+export const DEFAULT_INDEX_PATTERN_EXPERIMENTAL = [
+  // TODO: Steph/ueba TEMP for testing UEBA data
+  'ml_host_risk_score_*',
+];
+
 /** This Kibana Advanced Setting enables the `Security news` feed widget */
 export const ENABLE_NEWS_FEED_SETTING = 'securitySolution:enableNewsFeed';
 

x-pack/plugins/security_solution/common/experimental_features.ts

@@ -11,11 +11,12 @@ export type ExperimentalFeatures = typeof allowedExperimentalValues;
  * A list of allowed values that can be used in `xpack.securitySolution.enableExperimental`.
  * This object is then used to validate and parse the value entered.
  */
-const allowedExperimentalValues = Object.freeze({
-  trustedAppsByPolicyEnabled: false,
+export const allowedExperimentalValues = Object.freeze({
   metricsEntitiesEnabled: false,
   ruleRegistryEnabled: false,
   tGridEnabled: false,
+  trustedAppsByPolicyEnabled: false,
+  uebaEnabled: false,
 });
 
 type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;

x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts

@@ -71,14 +71,27 @@ import {
   CtiEventEnrichmentStrategyResponse,
   CtiQueries,
 } from './cti';
+import {
+  HostRulesRequestOptions,
+  HostRulesStrategyResponse,
+  HostTacticsRequestOptions,
+  HostTacticsStrategyResponse,
+  RiskScoreRequestOptions,
+  RiskScoreStrategyResponse,
+  UebaQueries,
+  UserRulesRequestOptions,
+  UserRulesStrategyResponse,
+} from './ueba';
 
 export * from './hosts';
 export * from './matrix_histogram';
 export * from './network';
+export * from './ueba';
 
 export type FactoryQueryTypes =
   | HostsQueries
   | HostsKpiQueries
+  | UebaQueries
   | NetworkQueries
   | NetworkKpiQueries
   | CtiQueries
@@ -109,6 +122,14 @@ export type StrategyResponseType<T extends FactoryQueryTypes> = T extends HostsQ
   ? HostsStrategyResponse
   : T extends HostsQueries.details
   ? HostDetailsStrategyResponse
+  : T extends UebaQueries.riskScore
+  ? RiskScoreStrategyResponse
+  : T extends UebaQueries.hostRules
+  ? HostRulesStrategyResponse
+  : T extends UebaQueries.userRules
+  ? UserRulesStrategyResponse
+  : T extends UebaQueries.hostTactics
+  ? HostTacticsStrategyResponse
   : T extends HostsQueries.overview
   ? HostsOverviewStrategyResponse
   : T extends HostsQueries.authentications
@@ -199,6 +220,14 @@ export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQu
   ? NetworkKpiUniqueFlowsRequestOptions
   : T extends NetworkKpiQueries.uniquePrivateIps
   ? NetworkKpiUniquePrivateIpsRequestOptions
+  : T extends UebaQueries.riskScore
+  ? RiskScoreRequestOptions
+  : T extends UebaQueries.hostRules
+  ? HostRulesRequestOptions
+  : T extends UebaQueries.userRules
+  ? UserRulesRequestOptions
+  : T extends UebaQueries.hostTactics
+  ? HostTacticsRequestOptions
   : T extends typeof MatrixHistogramQuery
   ? MatrixHistogramRequestOptions
   : T extends CtiQueries.eventEnrichment

x-pack/plugins/security_solution/common/search_strategy/security_solution/ueba/common/index.ts

@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { Maybe } from '../../../common';
+
+export enum RiskScoreFields {
+  hostName = 'host_name',
+  riskKeyword = 'risk_keyword',
+  riskScore = 'risk_score',
+}
+export interface RiskScoreItem {
+  _id?: Maybe<string>;
+  [RiskScoreFields.hostName]: Maybe<string>;
+  [RiskScoreFields.riskKeyword]: Maybe<string>;
+  [RiskScoreFields.riskScore]: Maybe<number>;
+}
+export enum HostRulesFields {
+  hits = 'hits',
+  riskScore = 'risk_score',
+  ruleName = 'rule_name',
+  ruleType = 'rule_type',
+}
+export interface HostRulesItem {
+  _id?: Maybe<string>;
+  [HostRulesFields.hits]: Maybe<number>;
+  [HostRulesFields.riskScore]: Maybe<number>;
+  [HostRulesFields.ruleName]: Maybe<string>;
+  [HostRulesFields.ruleType]: Maybe<string>;
+}
+export enum UserRulesFields {
+  userName = 'user_name',
+  riskScore = 'risk_score',
+  rules = 'rules',
+  ruleCount = 'rule_count',
+}
+export enum HostTacticsFields {
+  hits = 'hits',
+  riskScore = 'risk_score',
+  tactic = 'tactic',
+  technique = 'technique',
+}
+export interface HostTacticsItem {
+  _id?: Maybe<string>;
+  [HostTacticsFields.hits]: Maybe<number>;
+  [HostTacticsFields.riskScore]: Maybe<number>;
+  [HostTacticsFields.tactic]: Maybe<string>;
+  [HostTacticsFields.technique]: Maybe<string>;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/ueba/host_rules/index.ts

@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+
+import { HostRulesItem, HostRulesFields } from '../common';
+import { CursorType, Hit, Inspect, Maybe, PageInfoPaginated, SortField } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
+
+export interface HostRulesHit extends Hit {
+  key: string;
+  doc_count: number;
+  risk_score: {
+    value?: number;
+  };
+  rule_type: {
+    buckets?: Array<{
+      key: string;
+      doc_count: number;
+    }>;
+  };
+  rule_count: {
+    value: number;
+  };
+}
+
+export interface HostRulesEdges {
+  node: HostRulesItem;
+  cursor: CursorType;
+}
+
+export interface HostRulesStrategyResponse extends IEsSearchResponse {
+  edges: HostRulesEdges[];
+  totalCount: number;
+  pageInfo: PageInfoPaginated;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface HostRulesRequestOptions extends RequestOptionsPaginated<HostRulesFields> {
+  defaultIndex: string[];
+  hostName: string;
+}
+
+export type HostRulesSortField = SortField<HostRulesFields>;

x-pack/plugins/security_solution/common/search_strategy/security_solution/ueba/host_tactics/index.ts

@@ -0,0 +1,52 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+
+import { HostTacticsItem, HostTacticsFields } from '../common';
+import { CursorType, Hit, Inspect, Maybe, PageInfoPaginated, SortField } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
+export interface HostTechniqueHit {
+  key: string;
+  doc_count: number;
+  risk_score: {
+    value?: number;
+  };
+}
+export interface HostTacticsHit extends Hit {
+  key: string;
+  doc_count: number;
+  risk_score: {
+    value?: number;
+  };
+  technique: {
+    buckets?: HostTechniqueHit[];
+  };
+  tactic_count: {
+    value: number;
+  };
+}
+
+export interface HostTacticsEdges {
+  node: HostTacticsItem;
+  cursor: CursorType;
+}
+
+export interface HostTacticsStrategyResponse extends IEsSearchResponse {
+  edges: HostTacticsEdges[];
+  techniqueCount: number;
+  totalCount: number;
+  pageInfo: PageInfoPaginated;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface HostTacticsRequestOptions extends RequestOptionsPaginated<HostTacticsFields> {
+  defaultIndex: string[];
+  hostName: string;
+}
+
+export type HostTacticsSortField = SortField<HostTacticsFields>;

x-pack/plugins/security_solution/common/search_strategy/security_solution/ueba/index.ts

@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export * from './common';
+export * from './host_rules';
+export * from './host_tactics';
+export * from './risk_score';
+export * from './user_rules';
+
+export enum UebaQueries {
+  hostRules = 'hostRules',
+  hostTactics = 'hostTactics',
+  riskScore = 'riskScore',
+  userRules = 'userRules',
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/ueba/risk_score/index.ts

@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+
+import { RiskScoreItem, RiskScoreFields } from '../common';
+import { CursorType, Hit, Inspect, Maybe, PageInfoPaginated, SortField } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
+
+export interface RiskScoreHit extends Hit {
+  _source: {
+    '@timestamp': string;
+  };
+  key: string;
+  doc_count: number;
+  risk_score: {
+    value?: number;
+  };
+  risk_keyword: {
+    buckets?: Array<{
+      key: string;
+      doc_count: number;
+    }>;
+  };
+}
+
+export interface RiskScoreEdges {
+  node: RiskScoreItem;
+  cursor: CursorType;
+}
+
+export interface RiskScoreStrategyResponse extends IEsSearchResponse {
+  edges: RiskScoreEdges[];
+  totalCount: number;
+  pageInfo: PageInfoPaginated;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface RiskScoreRequestOptions extends RequestOptionsPaginated<RiskScoreFields> {
+  defaultIndex: string[];
+}
+
+export type RiskScoreSortField = SortField<RiskScoreFields>;