[Security Solution] Fixes issues with the Raw events Top N view #121562
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
andrew-goldstein
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
andrew-goldstein
added
the
auto-backport
| * MUST be ignored when showing Top N alerts for `raw` documents, because | ||
| * the raw documents don't include them. | ||
| */ | ||
| export const IGNORED_ALERT_FILTERS = [ |
There was a problem hiding this comment.
nit: might make sense to use the consts from '@kbn/rule-data-utils' here and in the tests above just in case these are changed en masse again
There was a problem hiding this comment.
great suggestion @kqualters-elastic! implemented in eea414d
kqualters-elastic
approved these changes
Dec 17, 2021
💛 Build succeeded, but was flaky
Metrics [docs]Module Count
Async chunks
Page load bundle
To update your PR or re-run it, just comment with: |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 17, 2021
…tic#121562) ## [Security Solution] Fixes issues with the Raw events Top N view This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
💔 Backport failed
Successful backport PRs will be merged automatically after passing CI. To backport manually run: |
This was referenced Dec 17, 2021
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 17, 2021
…tic#121562) ## [Security Solution] Fixes issues with the Raw events Top N view This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_ # Conflicts: # x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
|
Apologies @andrew-goldstein I had to revert this, it's failing in main: |
andrew-goldstein
pushed a commit
that referenced
this pull request
Dec 18, 2021
) (#121583) ## [Security Solution] Fixes issues with the Raw events Top N view This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
|
This PR passed CI (and was merged), but a (CI) race condition from #121135 deleted the following constants from The (CI) race condition required this PR to be reverted. A new PR that doesn't depend on the constants deleted from |
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 18, 2021
…edux) This PR contains the same fixes described below from elastic#121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by elastic#121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
andrew-goldstein
added a commit
that referenced
this pull request
Dec 20, 2021
…x) (#121590) ## [Security Solution] Fixes issues with the Raw events Top N view (redux) This PR contains the same fixes described below from #121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by #121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 20, 2021
…x) (elastic#121590) ## [Security Solution] Fixes issues with the Raw events Top N view (redux) This PR contains the same fixes described below from elastic#121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by elastic#121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this pull request
Dec 20, 2021
…x) (elastic#121590) ## [Security Solution] Fixes issues with the Raw events Top N view (redux) This PR contains the same fixes described below from elastic#121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by elastic#121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_ # Conflicts: # x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
kibanamachine
added a commit
that referenced
this pull request
Dec 20, 2021
…x) (#121590) (#121607) ## [Security Solution] Fixes issues with the Raw events Top N view (redux) This PR contains the same fixes described below from #121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by #121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_ Co-authored-by: Andrew Goldstein <[email protected]>
andrew-goldstein
added a commit
that referenced
this pull request
Dec 20, 2021
…x) (#121590) (#121608) ## [Security Solution] Fixes issues with the Raw events Top N view (redux) This PR contains the same fixes described below from #121562 , but doesn't depend on the following constants deleted from `@kbn/rule-data-utils` by #121135 ``` ALERT_RULE_RISK_SCORE ALERT_RULE_RISK_SCORE_MAPPING ALERT_RULE_SEVERITY ALERT_RULE_SEVERITY_MAPPING ``` This PR fixes the following issues with the Raw events Top N view: - Fixes an issue <#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below: ### Before  _Above: Before - the Raw events view includes detection alerts_ ### After  _Above: After - The Raw events view does NOT include detection alerts_ - Fixes an issue <#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection: ### Before  _Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_ ### After  _Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_ - Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views: - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter were incorrectly applied to the Raw events view, per the screenshots below: ### Before Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:  _Above: Before - The alert filters are applied to the Raw events view_ ### After After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:  _Above: After - The alert filters are NOT applied to the Raw events view_ # Conflicts: # x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Security Solution] Fixes issues with the Raw events Top N view
This PR fixes the following issues with the Raw events Top N view:
Before
Above: Before - the Raw events view includes detection alerts
After
Above: After - The Raw events view does NOT include detection alerts
Sorry about that, something went wrongis displayed when the Sourcerer context does not match the current selection:Before
Above: Before - When users
Inspectthe Raw events view,Sorry about that, something went wrongis displayedAfter
Above: After - When users
Inspectthe raw events view, the expected Index pattern reflects the current Sourcerer selectionSecurity > AlertsandSecurity > Rule > Detailsviews:kibana.alert.building_block_type: an "Additional filters" option on the alerts tablekibana.alert.rule.rule_id: filters alerts to a single rule on theSecurity > Rules > Detailsviewskibana.alert.rule.name: not a built-in view filter, but frequently applied via theFilter InandFilter Outactionskibana.alert.rule.threat_mapping: an "Additional filters" option on the alerts tablekibana.alert.workflow_status: Theopen | acknowledged | closedstatus filterwere incorrectly applied to the Raw events view, per the screenshots below:
Before
Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:
Above: Before - The alert filters are applied to the Raw events view
After
After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:
Above: After - The alert filters are NOT applied to the Raw events view