[Security Solution][Alerts] Use RuleDataReader to query for threshold alert history #129763
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
marshallmain
added
release_note:skip
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
madirey
reviewed
Apr 12, 2022
|
|
||
| import { buildPreviousThresholdAlertRequest } from './get_threshold_signal_history'; | ||
|
|
||
| describe('buildPreviousThresholdAlertRequest', () => { |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
marshallmain
added a commit
to marshallmain/kibana
that referenced
this pull request
Apr 12, 2022
) (cherry picked from commit 4373d0a) # Conflicts: # x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/find_previous_threshold_signals.ts # x-pack/plugins/security_solution/server/lib/detection_engine/signals/threshold/get_threshold_signal_history.ts
marshallmain
removed
the
auto-backport
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Apr 13, 2022
…disable-server-side * 'main' of github.com:elastic/kibana: (35 commits) [Uptime] remove latency limit warnings when using monitor management (elastic#129597) [Security Solution] [ReponseOps] Executes Cases Cypress test when there is a change on cases plugin (elastic#129992) Paramaterized Discover tests (elastic#129684) [Security Solution][Investigations] - Minor bug fixes (elastic#130054) [DOCS} Adds technical preview to Lens annotations (elastic#130058) [Security solution] [Endpoint] Revisit blocklist wrong labels (elastic#128773) [Security Solutions] Adds API docs for value lists (elastic#129962) [CI] Move jest tests to spot instances, and fix spot retries in PRs (elastic#130045) chore(NA): upgrades rules_node_js to v5.4.0 (elastic#130051) [SecuritySolution] Remove the cell hovers actions for agent status (elastic#130042) Upgrade RxJS to 7 (elastic#129087) [SecuritySolution] Clean up CaseContext (elastic#130036) Revert "chore(NA): upgrades rules_node_js to v5.4.0 (elastic#130021)" Use RuleDataReader to query for threshold signal history (elastic#129763) Remove securityRulesCancelEnabled setting and set shorter default timeouts (elastic#129769) Upgrade EUI to v54.0.0 (elastic#129653) [Security Solution] More Ransomware exceptionable fields (elastic#130039) Add e2e for the apm integration policy form (elastic#129860) chore(NA): upgrades rules_node_js to v5.4.0 (elastic#130021) [ML] Fix Single Metric Viewer chart failing to load if no points during calendar event (elastic#130000) ... # Conflicts: # x-pack/plugins/screenshotting/server/screenshots/index.test.ts
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Apr 13, 2022
…rint-media-attempt-2 * 'main' of github.com:elastic/kibana: (75 commits) [Lens] Hide disabled toolbar entries (elastic#129994) Fix explore tables don't display data when a global filter is applied (elastic#130024) [Console] Add option to disable keyboard shortcuts (elastic#128887) [Discover] Update refreshOnClick flaky test (elastic#130001) [Uptime] remove latency limit warnings when using monitor management (elastic#129597) [Security Solution] [ReponseOps] Executes Cases Cypress test when there is a change on cases plugin (elastic#129992) Paramaterized Discover tests (elastic#129684) [Security Solution][Investigations] - Minor bug fixes (elastic#130054) [DOCS} Adds technical preview to Lens annotations (elastic#130058) [Security solution] [Endpoint] Revisit blocklist wrong labels (elastic#128773) [Security Solutions] Adds API docs for value lists (elastic#129962) [CI] Move jest tests to spot instances, and fix spot retries in PRs (elastic#130045) chore(NA): upgrades rules_node_js to v5.4.0 (elastic#130051) [SecuritySolution] Remove the cell hovers actions for agent status (elastic#130042) Upgrade RxJS to 7 (elastic#129087) [SecuritySolution] Clean up CaseContext (elastic#130036) Revert "chore(NA): upgrades rules_node_js to v5.4.0 (elastic#130021)" Use RuleDataReader to query for threshold signal history (elastic#129763) Remove securityRulesCancelEnabled setting and set shorter default timeouts (elastic#129769) Upgrade EUI to v54.0.0 (elastic#129653) ... # Conflicts: # x-pack/plugins/screenshotting/server/formats/pdf/index.ts
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #128712
RuleDataReaderto all Security rule typesRuleDataReaderin Threshold rule type to query for existing alerts from the ruletermsfilter was targeting onlysignal.rule.threshold.field, which is not aliased to the corresponding alerts as data field so it could only find legacy signals. The fix is to allow the threshold field to match eitherkibana.alert.rule.parameters.threshold.field(for AAD alerts) orsignal.rule.threshold.field(for legacy signals).