
[Security Solution][Detections] Specify format for date range in EQL query #81025

Merged
merged 1 commit into from
Oct 20, 2020

Conversation

marshallmain

If no date format is specified in the range filter then Elasticsearch will attempt to parse the dates using the format of the field in the index mapping. Our queries use strict_date_optional_time formatted dates, which leads to parsing exceptions if customers run rules against indices that use a different format for their timestamp.

Adding the format here tells ES how to parse the dates we pass in so they can be properly compared against any other date format.

Thanks Frank H for discovering this bug!


@marshallmain marshallmain requested review from a team as code owners October 19, 2020 17:13
@marshallmain marshallmain added v7.10.0 v7.11.0 v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team:SIEM labels Oct 19, 2020
@elasticmachine

Pinging @elastic/siem (Team:SIEM)

@kibanamachine

💚 Build Succeeded

Metrics [docs]

async chunks size

id before after diff
securitySolution 8.1MB 8.1MB +35.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream


@yctercero yctercero left a comment


LGTM! Thanks @FrankHassanabad for having pointed this out to me too in my code.

@marshallmain marshallmain merged commit 39242f1 into elastic:master Oct 20, 2020
@marshallmain marshallmain deleted the format-eql-query-date branch October 20, 2020 14:55
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 20, 2020
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 20, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 20, 2020
* master: (64 commits)
  Rename Security Solution Bug Template (elastic#81187)
  Update links (elastic#81125)
  Specify format for date range query (elastic#81025)
  [Alerting] Improve toast when alert is created (elastic#80327)
  [UX] Add empty states (elastic#80904)
  Add TS config for kibana_legacy (elastic#80992)
  [Telemetry] Add method to enable endpoint security data usage example (elastic#80940)
  [Alerting] Add scoped cluster client to alerts and actions services (elastic#80794)
  Fix reactRouterNavigate when used with a string (elastic#80520)
  [Security Solution] [Detections] Read privileges for dependencies (elastic#80852)
  [ML] Fixing exclude frequent in advanced wizard (elastic#81121)
  Fix security solution template label (elastic#80976)
  [DOCS] Update index management docs (elastic#80893)
  [APM] Error rate on service list page is not in sync with the value at the transaction page (elastic#80814)
  skip flaky suite (elastic#81072)
  [Task Manager] Cleans up legacy plugin structure (elastic#80381)
  Support unsigned_long fields (elastic#81115)
  [Form lib] Export internal state instead of raw state (elastic#80842)
  [Lens] Add toast notification when visualization is saved (elastic#80788)
  Index pattern edit field formatter API (elastic#78352)
  ...
marshallmain added a commit that referenced this pull request Oct 20, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020