-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists #71768
Conversation
Pinging @elastic/siem (Team:SIEM) |
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit about a potentially unnecessary null
check, but other than that LGTM! Thanks @dhurley14!
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
* master: (82 commits) Fixed the spacing of child accordion items for policy response dialog. (elastic#71677) [SECURITY] Timeline bug 7.9 (elastic#71748) use fixed isChromeVisible method (elastic#71813) [SIEM][Detection Engine][Lists] Adds specific endpoint_list REST API and API for abilities to auto-create the endpoint_list if it gets deleted (elastic#71792) [test] Skips flaky Saved Objects Management test [APM] Remove watcher integration (elastic#71655) [APM] Increase `xpack.apm.ui.transactionGroupBucketSize` (elastic#71661) [test] Skips Ingest Manager test preventing ES promotion [test] Skips flaky detection engine tests Revert "re-fix navigate path for master add SAML login to login_page (elastic#71337)" [tests] Temporarily skipped Fleet tests [test] Skipped monitoring test [Security Solution][Detections] Associate Endpoint Exceptions List to Rule during rule creation/update (elastic#71794) Add endpoint exception creation API validation (elastic#71791) Skip jest tests that timeout waiting for react (elastic#71801) [Security Solution][Exceptions] - Adds filtering to endpoint index patterns by exceptional fields (elastic#71757) [Reporting] Re-delete a file (elastic#71730) [Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768) [Ingest Manager] Better display of Fleet requirements (elastic#71686) [tests] Temporarily skipped to promote snapshot ...
…t max signals after filtering with lists (#71768) (#71800) update signal counter with filtered results, not with direct search results. Co-authored-by: Elastic Machine <[email protected]>
…en we hit max signals after filtering with lists (elastic#71768)" This reverts commit 56de45d.
…ons] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) This reverts commit 56de45d.
…ons] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) This reverts commit 56de45d.
* master: (37 commits) [Lens] Handle failing existence check (elastic#70718) [Security Solution]Fix in-app links and popup window text (elastic#71403) [esArchiver] automatically retry if alias creation fails (elastic#71910) Move data stream index pattern creation test to xpack (elastic#71511) [Maps] Improve language for mvt card (elastic#71947) [Security][Detections] Unskip failing modal tests (elastic#71969) skip flaky suite (elastic#71987) skip flaky suite (elastic#71979) [Security Solution] [Detections] Revert "[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) rename ilm policy to remove -default (elastic#71952) Adjust ordering of Management category apps to make Ingest Manager higher (elastic#71948) skip flaky suite (elastic#71971) skip flaky suite (elastic#71951) [kbn/optimizer] ignore compressed files when reporting stats (elastic#71940) skip flaky suite (elastic#71867) [ML] Fix new job with must_not saved search (elastic#71831) [Resolver] Fix bug where process detail panel doesn't show up (elastic#71754) Cleanup (elastic#71849) [Resolver] aria-level and aria-flowto support enhancements (elastic#71887) skip flaky suite (elastic#71304) ...
…feature-privileges * alerting/consumer-based-rbac: (491 commits) [Lens] Handle failing existence check (elastic#70718) [Security Solution]Fix in-app links and popup window text (elastic#71403) [esArchiver] automatically retry if alias creation fails (elastic#71910) Move data stream index pattern creation test to xpack (elastic#71511) [Maps] Improve language for mvt card (elastic#71947) [Security][Detections] Unskip failing modal tests (elastic#71969) skip flaky suite (elastic#71987) skip flaky suite (elastic#71979) [Security Solution] [Detections] Revert "[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) rename ilm policy to remove -default (elastic#71952) Adjust ordering of Management category apps to make Ingest Manager higher (elastic#71948) skip flaky suite (elastic#71971) skip flaky suite (elastic#71951) [kbn/optimizer] ignore compressed files when reporting stats (elastic#71940) skip flaky suite (elastic#71867) [ML] Fix new job with must_not saved search (elastic#71831) [Resolver] Fix bug where process detail panel doesn't show up (elastic#71754) Cleanup (elastic#71849) [Resolver] aria-level and aria-flowto support enhancements (elastic#71887) skip flaky suite (elastic#71304) ...
…ons] Fixes bug for determining when we hit max signals after filtering with lists (#71768)" (#71956) (#71983) This reverts commit 56de45d. Co-authored-by: Elastic Machine <[email protected]>
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Before exceptions were introduced, we were determining when we hit max signals by checking how many events were searched, as those events were being sent straight to bulk create and would be indexed as signals.
Now with exceptions, each search result from the rule query doesn't necessarily mean we are going to index it as a signal, so we need to increment our counter for max signals by the count returned from bulk create (which does the indexing into the signals index), not the count returned from the search.
Checklist
Delete any items that are not applicable to this PR.
For maintainers