
[7.16] [Security Solution] Fixes issues with the Raw events Top N view (#121562) #121587

Closed


andrew-goldstein

Backports the following commits to 7.16:

…tic#121562)

## [Security Solution] Fixes issues with the Raw events Top N view

This PR fixes the following issues with the Raw events Top N view:

- Fixes an issue <elastic#121168> where the Sourcerer context included detection alerts in the Raw events view, per the before screenshot below:

### Before

![image](https://user-images.githubusercontent.com/61860752/145980440-0945a01c-d257-434e-8d94-4231feadff5b.png)

_Above: Before - the Raw events view includes detection alerts_

### After

![after_no_detection_alerts_in_raw_events](https://user-images.githubusercontent.com/4459398/146592973-36e51997-86a4-4982-a8c3-fa0c4ee3e99f.png)

_Above: After - The Raw events view does NOT include detection alerts_

- Fixes an issue <elastic#121381> where when inspecting Raw events, `Sorry about that, something went wrong` is displayed when the Sourcerer context does not match the current selection:

### Before

![image](https://user-images.githubusercontent.com/59917825/146342313-7b0afcd5-31c9-4139-9011-cb85af303deb.png)

_Above: Before - When users `Inspect` the Raw events view, `Sorry about that, something went wrong` is displayed_

### After

![after_inspect_raw_events](https://user-images.githubusercontent.com/4459398/146595397-89aa65d0-9055-4511-81bd-670b20449610.png)

_Above: After - When users `Inspect` the raw events view, the expected Index pattern reflects the current Sourcerer selection_

- Fixes an issue where the following filters in the `Security > Alerts` and `Security > Rule > Details` views:
  - `kibana.alert.building_block_type`: an "Additional filters" option on the alerts table
  - `kibana.alert.rule.rule_id`: filters alerts to a single rule on the `Security > Rules > Details` views
  - `kibana.alert.rule.name`: not a built-in view filter, but frequently applied via the `Filter In` and `Filter Out` actions
  - `kibana.alert.rule.threat_mapping`: an "Additional filters" option on the alerts table
  - `kibana.alert.workflow_status`: The `open | acknowledged | closed` status filter

were incorrectly applied to the Raw events view, per the screenshots below:

### Before

Inspecting the Raw events query reveals the alert filters are applied as filter criteria, per the screenshot below:

![before_alert_filters_applied_to_raw_events_query](https://user-images.githubusercontent.com/4459398/146596292-eb2f52a2-adf4-47a3-bb96-3f39019df725.png)

_Above: Before - The alert filters are applied to the Raw events view_

### After

After the fix, the alert filters are NOT applied to the raw events view, per the screenshot below:

![after_alert_filters_NOT_applied_to_raw_events_query](https://user-images.githubusercontent.com/4459398/146596252-d5ec1512-5514-48f5-aff3-e18a69572e6f.png)

_Above: After - The alert filters are NOT applied to the Raw events view_

# Conflicts:
#	x-pack/plugins/security_solution/public/common/components/top_n/top_n.tsx
…y_solution/public/common/components/top_n/helpers.ts` to include legacy alert fields:

  - `signal.rule.building_block_type`
  - `signal.rule.id`
  - `signal.rule.name`
  - `signal.rule.threat_mapping`
  - `signal.status`
…op_n/helpers.test.tsx` to use legacy `signal.rule.building_block_type`
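As an added example, not code from the Kibana PR itself, the filter pruning described above (dropping the alert-only `kibana.alert.*` filters and their legacy `signal.*` equivalents before the Raw events Top N query runs) could be expressed like this; the `TopNFilter` shape is a simplified stand-in for Kibana's `Filter` type, and the function names are assumptions:

```typescript
// Simplified stand-in for Kibana's Filter type (assumption, not the real type).
interface TopNFilter {
  meta: { key?: string; negate?: boolean };
  query?: Record<string, unknown>;
}

// Fields that exist only on detection alerts. The signal.* names are the
// legacy equivalents listed in the PR description.
const ALERT_ONLY_FIELDS: ReadonlySet<string> = new Set([
  'kibana.alert.building_block_type',
  'kibana.alert.rule.rule_id',
  'kibana.alert.rule.name',
  'kibana.alert.rule.threat_mapping',
  'kibana.alert.workflow_status',
  'signal.rule.building_block_type',
  'signal.rule.id',
  'signal.rule.name',
  'signal.rule.threat_mapping',
  'signal.status',
]);

// Collect the field names a query clause refers to, so a filter that lacks
// meta.key (e.g. a raw `exists` clause) is still recognised.
function fieldsInQuery(query: Record<string, unknown>): string[] {
  const fields: string[] = [];
  for (const [clauseType, body] of Object.entries(query)) {
    if (!body || typeof body !== 'object') continue;
    if (clauseType === 'exists') {
      const f = (body as { field?: unknown }).field;
      if (typeof f === 'string') fields.push(f);
    } else {
      fields.push(...Object.keys(body as object)); // match_phrase, term, ...
    }
  }
  return fields;
}

function isAlertOnlyFilter(filter: TopNFilter): boolean {
  if (filter.meta.key !== undefined && ALERT_ONLY_FIELDS.has(filter.meta.key)) return true;
  return fieldsInQuery(filter.query ?? {}).some((f) => ALERT_ONLY_FIELDS.has(f));
}

// Keep only filters that are meaningful for raw (non-alert) events.
function removeAlertFilters(filters: TopNFilter[]): TopNFilter[] {
  return filters.filter((f) => !isAlertOnlyFilter(f));
}

// Constructed sample: the status filter (new and legacy names), a keyless
// exists filter, and one ordinary host filter that must survive.
const sampleFilters: TopNFilter[] = [
  { meta: { key: 'kibana.alert.workflow_status' }, query: { match_phrase: { 'kibana.alert.workflow_status': 'open' } } },
  { meta: { key: 'signal.status' }, query: { match_phrase: { 'signal.status': 'open' } } },
  { meta: {}, query: { exists: { field: 'kibana.alert.rule.rule_id' } } },
  { meta: { key: 'host.name' }, query: { match_phrase: { 'host.name': 'web-01' } } },
];
```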
@brianseeders

Closing this because main/8.0 have been reverted

@andrew-goldstein

andrew-goldstein commented Dec 18, 2021

The PR this backport was based on, #121562, passed CI (and was merged), but a (CI) race condition from #121135 deleted the following constants from @kbn/rule-data-utils after all the CI checks passed:

  ALERT_RULE_RISK_SCORE
  ALERT_RULE_RISK_SCORE_MAPPING
  ALERT_RULE_SEVERITY
  ALERT_RULE_SEVERITY_MAPPING

The (CI) race condition required #121562 to be reverted. A new PR that doesn't depend on the constants deleted from @kbn/rule-data-utils will be opened.

@kibana-ci

💚 Build Succeeded

Metrics

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 2740 | 2744 | +4 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 4.6MB | 4.6MB | +3.4KB |


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@andrew-goldstein andrew-goldstein deleted the backport/7.16/pr-121562 branch December 20, 2021 07:00