
[Security Solution][Analyzer] Make all analyzer apis have time range as optional #142536

Conversation

@kqualters-elastic (Contributor) commented Oct 3, 2022

Summary

This PR fixes two small issues with the analyzer autotune functionality. The first was due to the frontend assuming the process events were sorted by time, which is only true for simple trees; more complex trees follow the ordering described in this comment: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/endpoint/routes/resolver/tree/utils/fetch.ts#L182-#L203. The frontend now sorts the response, and both unbounded trees and trees with a time range that contains all events show the same results. The second issue is that the requests made to populate the panel were still including the user-supplied time range, so only partial results were being displayed there. All three analyzer APIs now have timeRange as an optional parameter.

Before: (screenshot: non_timebound_broken)

After, valid time range: (screenshot: timebound_working)
After, non-valid time range: (screenshot: non_timebound_working)
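As an added illustration of the frontend-side fix described above (example code, not the PR's own changes): events from a constructed resolver-style response, returned in tree-walk rather than chronological order, are sorted on `@timestamp` with a numeric comparator, and an optional time range is applied panel-side. The event shape, the local `firstNonNullValue` and the sample events are stand-ins, not Kibana's.

```typescript
// Constructed event shape (not Kibana's): only the field the sort needs. ECS
// fields may arrive as scalars or arrays, so '@timestamp' allows both.
type TimestampValue = string | number;
interface ResolverEvent {
  data: { '@timestamp'?: TimestampValue | TimestampValue[] | null };
}

// Local stand-in for Kibana's firstNonNullValue helper.
function firstNonNullValue(
  v: TimestampValue | TimestampValue[] | null | undefined
): TimestampValue | undefined {
  if (Array.isArray(v)) return v.find((x) => x != null);
  return v ?? undefined;
}

// Normalise '@timestamp' (ISO-8601 string or epoch millis) to a number;
// events with no usable timestamp sort last instead of throwing.
function toEpochMillis(event: ResolverEvent): number {
  const raw = firstNonNullValue(event.data['@timestamp']);
  const ms = typeof raw === 'number' ? raw : raw === undefined ? NaN : Date.parse(raw);
  return Number.isNaN(ms) ? Number.POSITIVE_INFINITY : ms;
}

// Chronological sort on a copy. The numeric comparator matters: the default
// lexicographic sort puts an epoch number before any ISO string and misorders
// ISO strings of differing precision.
function sortByTimestamp(events: ResolverEvent[]): ResolverEvent[] {
  return [...events].sort((a, b) => {
    const ta = toEpochMillis(a);
    const tb = toEpochMillis(b);
    return ta === tb ? 0 : ta < tb ? -1 : 1;
  });
}

// Panel-side filtering once timeRange is optional: no range means keep everything.
function applyTimeRange(events: ResolverEvent[], range?: { from: string; to: string }) {
  if (!range) return events;
  const [from, to] = [Date.parse(range.from), Date.parse(range.to)];
  return events.filter((e) => toEpochMillis(e) >= from && toEpochMillis(e) <= to);
}

// Constructed response in the non-chronological order a complex tree produces.
const unboundedTree: ResolverEvent[] = [
  { data: { '@timestamp': '2022-10-03T12:00:05.000Z' } }, // origin process
  { data: { '@timestamp': ['2022-10-03T12:00:01.000Z'] } }, // ancestor, array-valued
  { data: { '@timestamp': 1664798409000 } }, // descendant, epoch millis (12:00:09Z)
  { data: { '@timestamp': null } }, // event with no timestamp
  { data: { '@timestamp': '2022-10-03T12:00:03Z' } }, // second-precision ISO
];
```

Sorting the unbounded response and a time-bounded subset of it yields the same chronological order, which is the equivalence the PR description asks for.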


@kqualters-elastic kqualters-elastic added release_note:skip Skip the PR/issue when compiling release notes Feature:Resolver Security Solution Resolver feature Team:Threat Hunting:Investigations Security Solution Investigations Team v8.5.0 labels Oct 3, 2022
@kqualters-elastic kqualters-elastic requested review from a team as code owners October 3, 2022 22:12
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Feature:Resolver)

@kevinlog (Contributor) left a comment

LGTM!

@kibana-ci (Collaborator)

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before   after    diff
securitySolution  6.6MB    6.6MB    +148.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

);
const timestamps = unboundedTree
.map((event) => firstNonNullValue(event.data['@timestamp']))
.sort();
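Review bot: `.sort()` with no comparator orders the timestamps lexicographically, which is chronological only if every `@timestamp` value is an ISO-8601 string of identical format and precision; any `undefined` returned by `firstNonNullValue` for an event missing the field is also pushed to the end silently. Consider a numeric comparator such as `.sort((a, b) => Date.parse(a) - Date.parse(b))` after filtering out missing values, or document the same-format assumption next to the sort.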
Contributor

Do we expect unboundedTree to potentially contain thousands of entries?

@janmonschke (Contributor) left a comment

🎉

@kibanamachine (Contributor)

💚 All backports created successfully

Branch: 8.5

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Oct 4, 2022
…as optional (#142536) (#142601)

(cherry picked from commit 890bf74)

Co-authored-by: Kevin Qualters <[email protected]>
WafaaNasr pushed a commit to WafaaNasr/kibana that referenced this pull request Oct 11, 2022
WafaaNasr pushed a commit to WafaaNasr/kibana that referenced this pull request Oct 14, 2022
Labels: Feature:Resolver (Security Solution Resolver feature), release_note:skip (Skip the PR/issue when compiling release notes), Team:Threat Hunting:Investigations (Security Solution Investigations Team), v8.5.0, v8.6.0