[Security Solution][Analyzer] Make all analyzer apis have time range as optional #142536
Conversation
Pinging @elastic/security-threat-hunting (Feature:Resolver)
LGTM!
💚 Build Succeeded
); | ||
const timestamps = unboundedTree | ||
.map((event) => firstNonNullValue(event.data['@timestamp'])) | ||
.sort(); |
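Review bot: `.sort()` with no comparator on the last line orders the mapped values as strings, which only yields chronological order when every `@timestamp` is an ISO-8601 string of identical format and timezone; a numeric epoch value or a mix of formats would sort lexicographically. `firstNonNullValue` can also return `undefined` for an event without a timestamp, which the default sort silently places at the end. Suggest dropping missing values and comparing parsed times explicitly, e.g. `.filter((t) => t !== undefined).sort((a, b) => Date.parse(a) - Date.parse(b))`.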
Do we expect unboundedTree to potentially contain thousands of entries?
🎉
…as optional (elastic#142536) (cherry picked from commit 890bf74)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
…as optional (#142536) (#142601) (cherry picked from commit 890bf74) Co-authored-by: Kevin Qualters <[email protected]>
Summary
This PR fixes 2 small issues with the analyzer autotune functionality. The first was due to the frontend assuming the process events were sorted by time, which is only true for simple trees; more complex trees follow an ordering described in this comment: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts#L182-#L203. The frontend now sorts the response, and both unbounded trees and trees with a timerange that contains all events show the same results. The second issue is that the requests made to populate the panel were still including the user-supplied time range, so only partial results were being displayed there. All 3 analyzer APIs now have timeRange as an optional parameter.
Before:
After:
Valid timerange:
Nonvalid timerange:
Checklist
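An added example (not Kibana's own code) of the behaviour the summary describes: sorting an unbounded tree whose events are not in time order with an explicit comparator, then deriving the autotune time range that a bounded panel query must use to return the same events. The event shape, `firstNonNullValue`, `ResolverEvent` and the sample tree are assumptions modelled on the review hunk above, not project imports.

```typescript
// Added example, not Kibana code. Event shape and helper names are assumptions
// modelled on the review hunk; the sample tree below is constructed.
type FieldValue = string | number | null | undefined;

interface ResolverEvent {
  data: { '@timestamp'?: FieldValue | FieldValue[] };
}

// Fields in the event payload may be scalar or array; return the first non-null value.
function firstNonNullValue(value: FieldValue | FieldValue[]): FieldValue {
  const values = Array.isArray(value) ? value : [value];
  return values.find((v) => v !== null && v !== undefined);
}

// Parse a timestamp (ISO string or epoch millis) into a number, or NaN when unusable.
function toMillis(value: FieldValue): number {
  if (typeof value === 'number') return value;
  if (typeof value === 'string') return Date.parse(value);
  return NaN;
}

// Sort events chronologically with a numeric comparator (not the default
// lexicographic sort) and drop events whose @timestamp is missing or unparsable
// rather than letting them land at an arbitrary position.
export function sortByTimestamp(tree: ResolverEvent[]): ResolverEvent[] {
  return tree
    .map((event) => ({ event, ms: toMillis(firstNonNullValue(event.data['@timestamp'])) }))
    .filter(({ ms }) => !Number.isNaN(ms))
    .sort((a, b) => a.ms - b.ms)
    .map(({ event }) => event);
}

// Time range for the panel requests: oldest and newest event of the unbounded
// tree, so a query bounded to this range returns the same events as the
// unbounded one instead of a partial result.
export function autotuneTimeRange(tree: ResolverEvent[]): { from: string; to: string } | undefined {
  const sorted = sortByTimestamp(tree);
  if (sorted.length === 0) return undefined;
  const first = toMillis(firstNonNullValue(sorted[0].data['@timestamp']));
  const last = toMillis(firstNonNullValue(sorted[sorted.length - 1].data['@timestamp']));
  return { from: new Date(first).toISOString(), to: new Date(last).toISOString() };
}

// Constructed sample: a "complex" tree whose events arrive out of time order.
export const sampleTree: ResolverEvent[] = [
  { data: { '@timestamp': '2022-10-03T12:00:05.000Z' } },
  { data: { '@timestamp': [null, '2022-10-03T11:59:58.000Z'] } },
  { data: { '@timestamp': 1664798400000 } }, // epoch millis for 2022-10-03T12:00:00.000Z
  { data: {} }, // no timestamp: excluded from ordering and range
];
```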