[8.x] [SecuritySolution] Add service enrichment to detection engine (#…

…206582) (#207708)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Add service enrichment to detection engine
(#206582)](#206582)

<!--- Backport version: 9.6.4 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Pablo
Machado","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-21T16:54:20Z","message":"[SecuritySolution]
Add service enrichment to detection engine (#206582)\n\n## Summary\n\n*
Add alert enrichment for
`service.asset.criticality`,\n`service.risk.calculated_level` and
`service.risk.calculated_score_norm`\nfields\n\n* Add `Service Risk
Level` and `Service Criticality` columns to the\nalerts
table\n\n![Screenshot 2025-01-17 at 11
58\n50](https://github.com/user-attachments/assets/0871dce3-338f-4123-a868-6d23b3a35763)\n\n\n###
How to test?\n* Enable the flag `serviceEntityStoreEnabled `\n* Start an
empty kibana instance\n* Add data using the document generator with the
`yarn start\nentity-store` command.\n * Add a seed when prompted\n*
Assign asset criticality for the service entity you are testing with\n*
Ensure the service entity you are testing with has a risk score. \n *
You can run the engine from the Risk score page if needed.\n* Add more
data using the same seed\n* Force the created rule to run so it
generates new alerts\n* Check if the alerts created for the new batch of
data have the new\nfield populated.\n\n### How does enrichment
work?\nWhen alerts are created, the current asset criticality and risk
score\nare fetched and merged into the alert document. These values
won't get\nupdated if the risk score or asset changes.\n\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"888dd240bdcaa93340767083653521a44c115845","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","Feature:Detection
Rules","release_note:feature","Theme: entity_analytics","Feature:Entity
Analytics","Team:Entity
Analytics","backport:version","v8.18.0"],"title":"[SecuritySolution] Add
service enrichment to detection
engine","number":206582,"url":"https://github.com/elastic/kibana/pull/206582","mergeCommit":{"message":"[SecuritySolution]
Add service enrichment to detection engine (#206582)\n\n## Summary\n\n*
Add alert enrichment for
`service.asset.criticality`,\n`service.risk.calculated_level` and
`service.risk.calculated_score_norm`\nfields\n\n* Add `Service Risk
Level` and `Service Criticality` columns to the\nalerts
table\n\n![Screenshot 2025-01-17 at 11
58\n50](https://github.com/user-attachments/assets/0871dce3-338f-4123-a868-6d23b3a35763)\n\n\n###
How to test?\n* Enable the flag `serviceEntityStoreEnabled `\n* Start an
empty kibana instance\n* Add data using the document generator with the
`yarn start\nentity-store` command.\n * Add a seed when prompted\n*
Assign asset criticality for the service entity you are testing with\n*
Ensure the service entity you are testing with has a risk score. \n *
You can run the engine from the Risk score page if needed.\n* Add more
data using the same seed\n* Force the created rule to run so it
generates new alerts\n* Check if the alerts created for the new batch of
data have the new\nfield populated.\n\n### How does enrichment
work?\nWhen alerts are created, the current asset criticality and risk
score\nare fetched and merged into the alert document. These values
won't get\nupdated if the risk score or asset changes.\n\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"888dd240bdcaa93340767083653521a44c115845"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/206582","number":206582,"mergeCommit":{"message":"[SecuritySolution]
Add service enrichment to detection engine (#206582)\n\n## Summary\n\n*
Add alert enrichment for
`service.asset.criticality`,\n`service.risk.calculated_level` and
`service.risk.calculated_score_norm`\nfields\n\n* Add `Service Risk
Level` and `Service Criticality` columns to the\nalerts
table\n\n![Screenshot 2025-01-17 at 11
58\n50](https://github.com/user-attachments/assets/0871dce3-338f-4123-a868-6d23b3a35763)\n\n\n###
How to test?\n* Enable the flag `serviceEntityStoreEnabled `\n* Start an
empty kibana instance\n* Add data using the document generator with the
`yarn start\nentity-store` command.\n * Add a seed when prompted\n*
Assign asset criticality for the service entity you are testing with\n*
Ensure the service entity you are testing with has a risk score. \n *
You can run the engine from the Risk score page if needed.\n* Add more
data using the same seed\n* Force the created rule to run so it
generates new alerts\n* Check if the alerts created for the new batch of
data have the new\nfield populated.\n\n### How does enrichment
work?\nWhen alerts are created, the current asset criticality and risk
score\nare fetched and merged into the alert document. These values
won't get\nupdated if the risk score or asset changes.\n\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [ ] [Flaky
Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\nused on any tests changed\n- [ ] The PR description includes the
appropriate Release Notes section,\nand the correct `release_note:*`
label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"888dd240bdcaa93340767083653521a44c115845"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts

@@ -212,6 +212,9 @@ const SecurityAlertOptional = rt.partial({
   'kibana.alert.workflow_tags': schemaStringArray,
   'kibana.alert.workflow_user': schemaString,
   'kibana.version': schemaString,
+  'service.asset.criticality': schemaString,
+  'service.risk.calculated_level': schemaString,
+  'service.risk.calculated_score_norm': schemaNumber,
   tags: schemaStringArray,
   'user.asset.criticality': schemaString,
 });

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/alerts/8.13.0/index.ts

@@ -40,7 +40,7 @@ export interface BaseFields8130 extends BaseFields8120 {
   [ALERT_HOST_CRITICALITY]: string | undefined;
   [ALERT_USER_CRITICALITY]: string | undefined;
   /**
-   * Risk scores fields was added aroung 8.5.0, but the fields were not added to the alert schema
+   * Risk scores fields was added around 8.5.0, but the fields were not added to the alert schema
    */
   [ALERT_HOST_RISK_SCORE_CALCULATED_LEVEL]: string | undefined;
   [ALERT_HOST_RISK_SCORE_CALCULATED_SCORE_NORM]: number | undefined;

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/alerts/8.18.0/index.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0';
+import type {
+  Ancestor8160,
+  BaseFields8160,
+  EqlBuildingBlockFields8160,
+  EqlShellFields8160,
+  NewTermsFields8160,
+} from '../8.16.0';
+import type {
+  ALERT_SERVICE_CRITICALITY,
+  ALERT_SERVICE_RISK_SCORE_CALCULATED_LEVEL,
+  ALERT_SERVICE_RISK_SCORE_CALCULATED_SCORE_NORM,
+} from '../../../../../field_maps/field_names';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.18.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.18.0.
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export type { Ancestor8160 as Ancestor8180 };
+
+export interface BaseFields8180 extends BaseFields8160 {
+  [ALERT_SERVICE_CRITICALITY]: string | undefined;
+  [ALERT_SERVICE_RISK_SCORE_CALCULATED_LEVEL]: string | undefined;
+  [ALERT_SERVICE_RISK_SCORE_CALCULATED_SCORE_NORM]: number | undefined;
+}
+
+export interface WrappedFields8180<T extends BaseFields8160> {
+  _id: string;
+  _index: string;
+  _source: T;
+}
+
+export type GenericAlert8180 = AlertWithCommonFields800<BaseFields8180>;
+
+export type EqlShellFields8180 = EqlShellFields8160 & BaseFields8180;
+
+export type EqlBuildingBlockFields8180 = EqlBuildingBlockFields8160 & BaseFields8180;
+
+export type NewTermsFields8180 = NewTermsFields8160 & BaseFields8180;
+
+export type NewTermsAlert8180 = NewTermsFields8160 & BaseFields8180;
+
+export type EqlBuildingBlockAlert8180 = AlertWithCommonFields800<EqlBuildingBlockFields8160>;
+
+export type EqlShellAlert8180 = AlertWithCommonFields800<EqlShellFields8180>;
+
+export type DetectionAlert8180 =
+  | GenericAlert8180
+  | EqlShellAlert8180
+  | EqlBuildingBlockAlert8180
+  | NewTermsAlert8180;

x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/alerts/index.ts

@@ -15,15 +15,16 @@ import type { DetectionAlert890 } from './8.9.0';
 import type { DetectionAlert8120 } from './8.12.0';
 import type { DetectionAlert8130 } from './8.13.0';
 
+import type { DetectionAlert8160 } from './8.16.0';
 import type {
-  Ancestor8160,
-  BaseFields8160,
-  DetectionAlert8160,
-  EqlBuildingBlockFields8160,
-  EqlShellFields8160,
-  NewTermsFields8160,
-  WrappedFields8160,
-} from './8.16.0';
+  Ancestor8180,
+  BaseFields8180,
+  DetectionAlert8180,
+  EqlBuildingBlockFields8180,
+  EqlShellFields8180,
+  NewTermsFields8180,
+  WrappedFields8180,
+} from './8.18.0';
 
 // When new Alert schemas are created for new Kibana versions, add the DetectionAlert type from the new version
 // here, e.g. `export type DetectionAlert = DetectionAlert800 | DetectionAlert820` if a new schema is created in 8.2.0
@@ -36,14 +37,15 @@ export type DetectionAlert =
   | DetectionAlert890
   | DetectionAlert8120
   | DetectionAlert8130
-  | DetectionAlert8160;
+  | DetectionAlert8160
+  | DetectionAlert8180;
 
 export type {
-  Ancestor8160 as AncestorLatest,
-  BaseFields8160 as BaseFieldsLatest,
-  DetectionAlert8160 as DetectionAlertLatest,
-  WrappedFields8160 as WrappedFieldsLatest,
-  EqlBuildingBlockFields8160 as EqlBuildingBlockFieldsLatest,
-  EqlShellFields8160 as EqlShellFieldsLatest,
-  NewTermsFields8160 as NewTermsFieldsLatest,
+  Ancestor8180 as AncestorLatest,
+  BaseFields8180 as BaseFieldsLatest,
+  DetectionAlert8180 as DetectionAlertLatest,
+  WrappedFields8180 as WrappedFieldsLatest,
+  EqlBuildingBlockFields8180 as EqlBuildingBlockFieldsLatest,
+  EqlShellFields8180 as EqlShellFieldsLatest,
+  NewTermsFields8180 as NewTermsFieldsLatest,
 };

x-pack/solutions/security/plugins/security_solution/common/field_maps/8.18.0/alerts.ts

@@ -0,0 +1,43 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { alertsFieldMap8160 } from '../8.16.0';
+import {
+  ALERT_SERVICE_CRITICALITY,
+  ALERT_SERVICE_RISK_SCORE_CALCULATED_LEVEL,
+  ALERT_SERVICE_RISK_SCORE_CALCULATED_SCORE_NORM,
+} from '../field_names';
+
+export const alertsFieldMap8180 = {
+  ...alertsFieldMap8160,
+  /**
+   * Stores the criticality level for the service, as determined by analysts, in relation to the alert.
+   * The Criticality level is copied from the asset criticality index.
+   */
+  [ALERT_SERVICE_CRITICALITY]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+
+  /**
+   * Stores the risk score level and score_norm level for the service, as determined by the Risk Engine, in relation to the alert.
+   * The Risk score is copied from the risk score index.
+   */
+  [ALERT_SERVICE_RISK_SCORE_CALCULATED_LEVEL]: {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  [ALERT_SERVICE_RISK_SCORE_CALCULATED_SCORE_NORM]: {
+    type: 'float',
+    array: false,
+    required: false,
+  },
+} as const;
+
+export type AlertsFieldMap8180 = typeof alertsFieldMap8180;

x-pack/solutions/security/plugins/security_solution/common/field_maps/8.18.0/index.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { AlertsFieldMap8180 } from './alerts';
+import { alertsFieldMap8180 } from './alerts';
+export type { AlertsFieldMap8180 };
+export { alertsFieldMap8180 };

x-pack/solutions/security/plugins/security_solution/common/field_maps/field_names.ts

@@ -28,12 +28,16 @@ export const LEGACY_ALERT_USER_CRITICALITY = `${ALERT_NAMESPACE}.user.criticalit
 
 export const ALERT_HOST_CRITICALITY = `host.asset.criticality` as const;
 export const ALERT_USER_CRITICALITY = `user.asset.criticality` as const;
+export const ALERT_SERVICE_CRITICALITY = `service.asset.criticality` as const;
 export const ALERT_HOST_RISK_SCORE_CALCULATED_LEVEL = `host.risk.calculated_level` as const;
 export const ALERT_HOST_RISK_SCORE_CALCULATED_SCORE_NORM =
   `host.risk.calculated_score_norm` as const;
 export const ALERT_USER_RISK_SCORE_CALCULATED_LEVEL = `user.risk.calculated_level` as const;
 export const ALERT_USER_RISK_SCORE_CALCULATED_SCORE_NORM =
   `user.risk.calculated_score_norm` as const;
+export const ALERT_SERVICE_RISK_SCORE_CALCULATED_LEVEL = `service.risk.calculated_level` as const;
+export const ALERT_SERVICE_RISK_SCORE_CALCULATED_SCORE_NORM =
+  `service.risk.calculated_score_norm` as const;
 
 export const ALERT_ORIGINAL_EVENT = `${ALERT_NAMESPACE}.original_event` as const;
 export const ALERT_ORIGINAL_EVENT_ACTION = `${ALERT_ORIGINAL_EVENT}.action` as const;

x-pack/solutions/security/plugins/security_solution/common/field_maps/index.ts

@@ -4,10 +4,9 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-
-import type { AlertsFieldMap8160 } from './8.16.0';
-import { alertsFieldMap8160 } from './8.16.0';
+import type { AlertsFieldMap8180 } from './8.18.0';
+import { alertsFieldMap8180 } from './8.18.0';
 import type { RulesFieldMap } from './8.0.0/rules';
 import { rulesFieldMap } from './8.0.0/rules';
-export type { AlertsFieldMap8160 as AlertsFieldMap, RulesFieldMap };
-export { alertsFieldMap8160 as alertsFieldMap, rulesFieldMap };
+export type { AlertsFieldMap8180 as AlertsFieldMap, RulesFieldMap };
+export { alertsFieldMap8180 as alertsFieldMap, rulesFieldMap };