auto extract observables

Author: christineweng

packages/kbn-check-saved-objects-cli/current_fields.json

@@ -185,6 +185,7 @@
     "observables.value",
     "owner",
     "settings",
+    "settings.extractObservables",
     "settings.syncAlerts",
     "severity",
     "status",

packages/kbn-check-saved-objects-cli/current_mappings.json

@@ -646,6 +646,9 @@
         "properties": {
           "syncAlerts": {
             "type": "boolean"
+          },
+          "extractObservables": {
+            "type": "boolean"
           }
         }
       },

src/core/packages/saved-objects/migration-server-internal/src/kibana_migrator_utils.fixtures.ts

@@ -1708,6 +1708,9 @@ export const INDEX_MAP_BEFORE_SPLIT: IndexMap = {
               syncAlerts: {
                 type: 'boolean',
               },
+              extractObservables: {
+                type: 'boolean',
+              },
             },
           },
           severity: {

src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts

@@ -79,7 +79,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "canvas-element": "288fd8d216eb49cbeb5e8f7491f207ef074b80dd",
         "canvas-workpad": "5cd605383a100a27941cca6cbf2d954aa96a16e2",
         "canvas-workpad-template": "f9a6ffab76ddfcd8fa3823002aa576c8f1d0e686",
-        "cases": "2377506cc9ce6506bfc1c1b04cb8aed87d3fecab",
+        "cases": "4fc50754783dc773d9de7059de195419e4d1a49b",
         "cases-comments": "9e336aceb6a330452d1cbf0ba1b8fd542c9e3856",
         "cases-configure": "66d4c64d83b464f5166005b8ffa03b721fcaaf8b",
         "cases-connector-mappings": "877bb4d52e9821e330622bd75fba799490ec6952",
@@ -405,20 +405,20 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "canvas-workpad-template|warning: The SO type owner should ensure these transform functions DO NOT mutate after they are defined.",
         "================================================================================================================================",
         "cases|global: 58923536ede82aed6c22799b52c4f51f4bf66aba",
-        "cases|mappings: 04e7b5c53626eb3e5e08837830697951084d9d7d",
+        "cases|mappings: f7c1e6c70a721ce1be5e25bc9864cf01e625ad26",
         "cases|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
-        "cases|10.4.0: a6b78b2317fa12cf0ec1d7ac21382e6528be409b",
-        "cases|10.3.0: 6bf633e6147007b80adfe8da94b3e57d6004a803",
-        "cases|10.2.0: 9b3de0b9947e9d6bfb5d63ea9d5e9df9afca2601",
-        "cases|10.1.0: 932fb3a37b3346e4c6bb6ad78dc3c0fd323b858f",
+        "cases|10.4.0: 53709645b83000e4141255001b3a64a1586d302b",
+        "cases|10.3.0: ef93b5968381e4b3270eac0e3a99852cfce27b50",
+        "cases|10.2.0: 831b43bd86d1188e3d350c233385fa559ce85d04",
+        "cases|10.1.0: 914f63dc72610117f0a17b723320d31d3e9f1333",
         "cases|8.7.0: 54c152a2584673672445346cf69d72bda587cc52",
         "cases|8.5.0: a2c0c0dcdbac64d71ddb583dc02e83aa760eb784",
         "cases|8.3.0: 09aaac909eff1a6a2d944aa6c1dd297dda05b5ce",
         "cases|8.1.0: 914c4a158269530e5cfe0810b27befb4a8eb3d26",
         "cases|7.15.0: 05b8ad5f38499fcef2666b4af91d509e6990b3de",
         "cases|7.14.0: 9414dc2de142457c95169cc2b6201edeb7be411b",
         "cases|7.12.0: f7dcaea36ecd915719b40a0e082b393423ca3701",
-        "cases|7.11.0: b458fb6214126d9aa652dff8e9be1cdaf1abf02b",
+        "cases|7.11.0: 7df7ea63adabe586db3f9a103f937651593f25f3",
         "cases|7.10.0: 145055b3bffb3f05c7bc516aca9ed5bbebe19dd4",
         "======================================================",
         "cases-comments|global: 18aa115865c6f0772a6afd9b63f83e87e51e48c0",

src/platform/packages/shared/kbn-securitysolution-ecs/src/dll/index.ts

@@ -7,12 +7,13 @@
  * License v3.0 only", or the "Server Side Public License, v 1".
  */
 
-import type { CodeSignature, Ext } from '../file';
+import type { CodeSignature, Ext, Hash } from '../file';
 import type { ProcessPe } from '../process';
 
 export interface DllEcs {
   Ext?: Ext;
   path?: string;
   code_signature?: CodeSignature;
   pe?: ProcessPe;
+  hash?: Hash;
 }

src/platform/packages/shared/kbn-securitysolution-ecs/src/file/index.ts

@@ -57,6 +57,11 @@ export interface Hash {
   md5?: string[];
   sha1?: string[];
   sha256: string[];
+  cdhash?: string[];
+  sha384?: string[];
+  sha512?: string[];
+  ssdeep?: string[];
+  tlsh?: string[];
 }
 
 export interface FileEcs {

src/platform/packages/shared/kbn-securitysolution-ecs/src/process/index.ts

@@ -41,6 +41,11 @@ export interface ProcessHashData {
   md5?: string[];
   sha1?: string[];
   sha256?: string[];
+  sha384?: string[];
+  sha512?: string[];
+  ssdeep?: string[];
+  tlsh?: string[];
+  cdhash?: string[];
 }
 
 export interface ProcessParentData {

src/platform/packages/shared/response-ops/alerts-table/components/alerts_table.test.tsx

@@ -494,7 +494,10 @@ describe('AlertsTable', () => {
           children: expect.anything(),
           owner: ['cases'],
           permissions: { create: true, read: true },
-          features: { alerts: { sync: false } },
+          features: {
+            alerts: { sync: false },
+            observables: { enabled: true, autoExtract: false },
+          },
         },
         {}
       );
@@ -510,7 +513,10 @@ describe('AlertsTable', () => {
           children: expect.anything(),
           owner: [],
           permissions: { create: true, read: true },
-          features: { alerts: { sync: false } },
+          features: {
+            alerts: { sync: false },
+            observables: { enabled: true, autoExtract: false },
+          },
         },
         {}
       );
@@ -529,7 +535,10 @@ describe('AlertsTable', () => {
           children: expect.anything(),
           owner: [],
           permissions: { create: false, read: false },
-          features: { alerts: { sync: false } },
+          features: {
+            alerts: { sync: false },
+            observables: { enabled: true, autoExtract: false },
+          },
         },
         {}
       );
@@ -541,7 +550,7 @@ describe('AlertsTable', () => {
         casesConfiguration: {
           featureId: 'test-feature-id',
           owner: ['cases'],
-          syncAlerts: true,
+          extractObservables: false,
         },
       };
 
@@ -554,7 +563,7 @@ describe('AlertsTable', () => {
           children: expect.anything(),
           owner: ['cases'],
           permissions: { create: true, read: true },
-          features: { alerts: { sync: true } },
+          features: { alerts: { sync: false }, observables: { enabled: true, autoExtract: false } },
         },
         {}
       );

src/platform/packages/shared/response-ops/alerts-table/components/alerts_table.tsx

@@ -638,7 +638,13 @@ const AlertsTableContent = typedForwardRef(
             <CasesContext
               owner={casesConfiguration?.owner ?? []}
               permissions={casesPermissions}
-              features={{ alerts: { sync: casesConfiguration?.syncAlerts ?? false } }}
+              features={{
+                alerts: { sync: casesConfiguration?.syncAlerts ?? false },
+                observables: {
+                  enabled: true,
+                  autoExtract: false,
+                },
+              }}
             >
               <AlertsDataGrid {...dataGridProps} />
             </CasesContext>

src/platform/packages/shared/response-ops/alerts-table/types.ts

@@ -469,6 +469,7 @@ export interface PublicAlertsDataGridProps
     owner: Parameters<CasesService['helpers']['canUseCases']>[0];
     appId?: string;
     syncAlerts?: boolean;
+    extractObservables?: boolean;
   };
   /**
    * If true, hides the bulk actions controls