
Add anomalies tab to user page #126079

Merged (3 commits) Mar 1, 2022

Conversation

@machadoum (Member) commented Feb 21, 2022

Summary

  • Add anomalies tab to user page
  • Filter out anomalies by user.name and host.name on the server

[Screenshot, 2022-02-21 14:54:02]

How to test it

  • You need real auth data
  • Enable the feature flag 'usersEnabled'
  • Enable auth ML jobs

skip,
criteriaFields: getCriteriaFromUsersType(type, userName),
filterQuery: {
exists: { field: 'user.name' },
@machadoum (Member, Author) Feb 21, 2022

@elastic/ml-ui I have to display anomalies related to users. So I only return anomalies where user.name exists. Will it work? Do all anomalies influenced by a user have the user.name field?

Contributor

This will only work if user.name is included as one of the influencer fields for the job. Is user.name included inside the influencers array inside the analysis_config for the job(s)?

@machadoum (Member, Author)

I believe that user.name should be there for all user anomalies.
I checked many auth ml configurations and user.name was there for all of them. For example:

windows_rare_user_runas_event.json

  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "rare by \"user.name\"",
        "function": "rare",
        "by_field_name": "user.name"
      }
    ],
    "influencers": [
      "host.name",
      "process.name",
      "user.name"
    ]
  },
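
An added example (not Kibana's own code) illustrating the point raised in this exchange: the `exists: { field: 'user.name' }` filter can only match anomalies produced by jobs whose `analysis_config.influencers` includes `user.name`. The job objects, record shape and values are constructed for the example, and the assumption that influencer fields appear as top-level keys on anomaly records is mine, not something the thread states.

```typescript
// Added example, not Kibana's own code. The user page filters anomalies with
// `exists: { field: 'user.name' }`; that only matches records produced by jobs
// whose analysis_config lists user.name as an influencer. This checks a set of
// job configs for that precondition and simulates the filter on sample records.
interface Detector { detector_description?: string; function: string; by_field_name?: string }
interface AnalysisConfig { bucket_span: string; detectors: Detector[]; influencers: string[] }
interface MlJob { job_id: string; analysis_config: AnalysisConfig }

// Constructed sample, modelled on the windows_rare_user_runas_event.json excerpt above.
const windowsRareUserRunas: MlJob = {
  job_id: "windows_rare_user_runas_event",
  analysis_config: {
    bucket_span: "15m",
    detectors: [{ detector_description: 'rare by "user.name"', function: "rare", by_field_name: "user.name" }],
    influencers: ["host.name", "process.name", "user.name"],
  },
};

// Constructed hypothetical counterexample: same detector, but user.name left out of influencers.
const hypotheticalJobWithoutUserInfluencer: MlJob = {
  job_id: "hypothetical_job_without_user_influencer",
  analysis_config: {
    bucket_span: "15m",
    detectors: [{ function: "rare", by_field_name: "user.name" }],
    influencers: ["host.name"],
  },
};

function hasInfluencer(job: MlJob, field: string): boolean {
  return job.analysis_config.influencers.includes(field);
}

// Job ids whose anomalies an `exists` filter on `field` would never return.
function jobsNotCoveredBy(jobs: MlJob[], field: string): string[] {
  return jobs.filter((j) => !hasInfluencer(j, field)).map((j) => j.job_id);
}

// Minimal stand-in for an anomaly record. Assumption for this example: influencer
// fields show up as top-level keys, so a job without the influencer writes no such key.
type AnomalyRecord = { job_id: string; record_score: number; [influencer: string]: unknown };

function existsFilter(records: AnomalyRecord[], field: string): AnomalyRecord[] {
  return records.filter((r) => r[field] !== undefined);
}

const constructedRecords: AnomalyRecord[] = [
  { job_id: windowsRareUserRunas.job_id, record_score: 87.2, "host.name": ["ws-01"], "user.name": ["svc-backup"] },
  { job_id: hypotheticalJobWithoutUserInfluencer.job_id, record_score: 91.5, "host.name": ["ws-02"] },
];
```

Running `jobsNotCoveredBy` over the installed job configs before relying on the existence filter surfaces any job whose user anomalies the tab would silently omit.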

@machadoum machadoum force-pushed the siem-explore-issue-124499-2 branch 6 times, most recently from e8c08a9 to adbf0dc Compare February 22, 2022 10:37
@machadoum machadoum self-assigned this Feb 22, 2022
@machadoum added the labels Team:Threat Hunting, Team:Threat Hunting:Explore, v8.2.0, release_note:feature, auto-backport and enhancement Feb 22, 2022
@machadoum machadoum marked this pull request as ready for review February 22, 2022 13:53
@machadoum machadoum requested review from a team as code owners February 22, 2022 13:53
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@machadoum machadoum requested a review from a team February 22, 2022 14:09
@YulNaumenko YulNaumenko self-requested a review February 23, 2022 18:43
@machadoum (Member, Author)

@elasticmachine merge upstream

@stephmilovic (Contributor) left a comment

LGTM, nice work @machadoum 🚀

@machadoum machadoum force-pushed the siem-explore-issue-124499-2 branch 2 times, most recently from 0502bcd to 339ed5e Compare February 28, 2022 09:15
@machadoum machadoum enabled auto-merge (squash) February 28, 2022 09:49
@machadoum (Member, Author)

@elasticmachine merge upstream

@kibanamachine (Contributor)

merge conflict between base and head

@machadoum machadoum force-pushed the siem-explore-issue-124499-2 branch from 8fa27ed to 84a960a Compare March 1, 2022 10:43
@kibana-ci (Collaborator)

💚 Build Succeeded

Metrics

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2879 2884 +5

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.7MB 4.7MB +1.6KB

History

  • 💔 Build #26549 failed 0929182febbfa262fd835813e0f0da1059867dd6
  • 💔 Build #26457 failed 339ed5e407d29d69d5518b71d01af31011a77c35
  • 💚 Build #26241 succeeded 1365506c10d773b9c18c322869789ac32fa865a9
  • 💚 Build #25904 succeeded bfc9bb04eef3d8ce9ac53e2bad287d83703f0909
  • 💛 Build #25469 was flaky adbf0dc478dd3e8f1023a94ea7c435978115086c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @machadoum

@machadoum machadoum merged commit 1bc178f into elastic:main Mar 1, 2022
@kibanamachine (Contributor)

💔 Backport failed

The pull request could not be backported due to the following error:
There are no branches to backport to. Aborting.

How to fix

Re-run the backport manually:

node scripts/backport --pr 126079

Questions?

Please refer to the Backport tool documentation

@kibanamachine added the backport missing label Mar 3, 2022
@kibanamachine (Contributor)

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 126079 or prevent reminders by adding the backport:skip label.

@machadoum removed the backport missing and auto-backport labels Mar 4, 2022
@kibanamachine added the backport missing label Mar 7, 2022
@machadoum added the backport:skip label Mar 8, 2022
@kibanamachine removed the backport missing label Mar 8, 2022