From 765c2d1ad3308a3c3af50f8d67b80579aeb13a9a Mon Sep 17 00:00:00 2001
From: Garrett Spong <spong@users.noreply.github.com>
Date: Mon, 27 Jul 2020 19:52:28 -0600
Subject: [PATCH] [Security Solution][ML] Updates siem group name to security
 (#73218)

## Summary

Resolves https://github.com/elastic/kibana/issues/69319

Updates `siem` grouping to `security`, and enables cloudtrail module, fixing mis-match between the newly updated modules (https://github.com/elastic/kibana/pull/71696).


<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/88444121-b6b27480-cdd8-11ea-886a-9b4cadbaede8.png" />
</p>

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/88444181-16108480-cdd9-11ea-9fba-aff1e4c38da3.png" />
</p>


Also updates all module icons to be consistent:

Auditbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592057-9a9e1580-d01a-11ea-97bb-d1096a4ae85f.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592020-8b1ecc80-d01a-11ea-8f2d-aa5cba94924e.png" />
</p>

Packetbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592205-e18c0b00-d01a-11ea-9553-9c87527c600b.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592270-f8caf880-d01a-11ea-94a8-5428d2c6ddea.png" />
</p>

Winlogbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592286-fff20680-d01a-11ea-87dd-4150debc988c.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592351-2021c580-d01b-11ea-863f-efd26d0105ab.png" />
</p>



- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [X] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials
  - Working w/ @benskelker on updated ML Jobs & nomenclature
---
 .../models/data_recognizer/modules/siem_auditbeat/logo.json | 2 +-
 .../data_recognizer/modules/siem_auditbeat_auth/logo.json   | 4 ++--
 .../data_recognizer/modules/siem_packetbeat/logo.json       | 4 ++--
 .../data_recognizer/modules/siem_winlogbeat/logo.json       | 2 +-
 .../data_recognizer/modules/siem_winlogbeat_auth/logo.json  | 4 ++--
 .../public/common/components/ml_popover/api.tsx             | 2 +-
 .../common/components/ml_popover/hooks/translations.ts      | 2 +-
 .../components/ml_popover/hooks/use_siem_jobs_helpers.tsx   | 2 +-
 .../ml_popover/jobs_table/filters/groups_filter_popover.tsx | 6 +++---
 .../public/common/components/ml_popover/ml_modules.tsx      | 1 +
 .../detections/components/rules/ml_job_select/index.tsx     | 2 +-
 .../server/usage/detections/detections_helpers.ts           | 4 +++-
 12 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
index 40a5c5967714..dfd22f6b1140 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
+	"icon": "logoSecurity"
 }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
index 6b02648ccf28..dfd22f6b1140 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_auditbeat_auth/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
index 6b02648ccf28..dfd22f6b1140 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_packetbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
index 40a5c5967714..dfd22f6b1140 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
+	"icon": "logoSecurity"
 }
diff --git a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
index 6b02648ccf28..dfd22f6b1140 100644
--- a/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
+++ b/x-pack/plugins/ml/server/models/data_recognizer/modules/siem_winlogbeat_auth/logo.json
@@ -1,3 +1,3 @@
 {
-	"icon": "securityAnalyticsApp"
-}
\ No newline at end of file
+	"icon": "logoSecurity"
+}
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
index b4da4fa79e03..7c72098209a0 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.tsx
@@ -71,7 +71,7 @@ export const setupMlJob = async ({
   configTemplate,
   indexPatternName = 'auditbeat-*',
   jobIdErrorFilter = [],
-  groups = ['siem'],
+  groups = ['security'],
   prefix = '',
 }: MlSetupArgs): Promise<SetupMlResponse> => {
   const response = await KibanaServices.get().http.fetch<SetupMlResponse>(
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
index 2b37c437866e..7b29bab2e38f 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/translations.ts
@@ -9,6 +9,6 @@ import { i18n } from '@kbn/i18n';
 export const SIEM_JOB_FETCH_FAILURE = i18n.translate(
   'xpack.securitySolution.components.mlPopup.hooks.errors.siemJobFetchFailureTitle',
   {
-    defaultMessage: 'SIEM job fetch failure',
+    defaultMessage: 'Security job fetch failure',
   }
 );
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
index 658d2659282c..adbd712ffeb3 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_siem_jobs_helpers.tsx
@@ -104,7 +104,7 @@ export const getInstalledJobs = (
   compatibleModuleIds: string[]
 ): SiemJob[] =>
   jobSummaryData
-    .filter(({ groups }) => groups.includes('siem'))
+    .filter(({ groups }) => groups.includes('siem') || groups.includes('security'))
     .map<SiemJob>((jobSummary) => ({
       ...jobSummary,
       ...getAugmentedFields(jobSummary.id, moduleJobs, compatibleModuleIds),
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
index 1aa3ad630306..d879942b8b10 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/jobs_table/filters/groups_filter_popover.tsx
@@ -25,8 +25,8 @@ interface GroupsFilterPopoverProps {
 
 /**
  * Popover for selecting which SiemJob groups to filter on. Component extracts unique groups and
- * their counts from the provided SiemJobs. The 'siem' group is filtered out as all jobs will be
- * siem jobs
+ * their counts from the provided SiemJobs. The 'siem' & 'security' groups are filtered out as all jobs will be
+ * siem/security jobs
  *
  * @param siemJobs jobs to fetch groups from to display for filtering
  * @param onSelectedGroupsChanged change listener to be notified when group selection changes
@@ -41,7 +41,7 @@ export const GroupsFilterPopoverComponent = ({
   const groups = siemJobs
     .map((j) => j.groups)
     .flat()
-    .filter((g) => g !== 'siem');
+    .filter((g) => g !== 'siem' && g !== 'security');
   const uniqueGroups = Array.from(new Set(groups));
 
   useEffect(() => {
diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
index b956cf2c1494..4dccba08590a 100644
--- a/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/ml_modules.tsx
@@ -12,6 +12,7 @@
 export const mlModules: string[] = [
   'siem_auditbeat',
   'siem_auditbeat_auth',
+  'siem_cloudtrail',
   'siem_packetbeat',
   'siem_winlogbeat',
   'siem_winlogbeat_auth',
diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
index cb084d4daa78..cdfdf4ca6b66 100644
--- a/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
+++ b/x-pack/plugins/security_solution/public/detections/components/rules/ml_job_select/index.tsx
@@ -41,7 +41,7 @@ const HelpText: React.FC<{ href: string; showEnableWarning: boolean }> = ({
   <>
     <FormattedMessage
       id="xpack.securitySolution.detectionEngine.createRule.stepDefineRule.machineLearningJobIdHelpText"
-      defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of “siem” to those jobs in the {machineLearning} application to make them appear here."
+      defaultMessage="We've provided a few common jobs to get you started. To add your own custom jobs, assign a group of “security” to those jobs in the {machineLearning} application to make them appear here."
       values={{
         machineLearning: (
           <EuiLink href={href} target="_blank">
diff --git a/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts b/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
index e9d4f3aa426f..f9905c373291 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/detections_helpers.ts
@@ -176,7 +176,9 @@ export const getMlJobsUsage = async (ml: MlPluginSetup | undefined): Promise<MlJ
         .modulesProvider(internalMlClient, fakeRequest, fakeSOClient)
         .listModules();
       const moduleJobs = modules.flatMap((module) => module.jobs);
-      const jobs = await ml.jobServiceProvider(internalMlClient, fakeRequest).jobsSummary(['siem']);
+      const jobs = await ml
+        .jobServiceProvider(internalMlClient, fakeRequest)
+        .jobsSummary(['siem', 'security']);
 
       jobsUsage = jobs.reduce((usage, job) => {
         const isElastic = moduleJobs.some((moduleJob) => moduleJob.id === job.id);