-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solutions][Detection Engine] Changes wording for threat matches and rules #81334
[Security Solutions][Detection Engine] Changes wording for threat matches and rules #81334
Conversation
@FrankHassanabad - following up on the updates for threat match rules UI. I have synced with @MikePaquette and we are aligned on there.
There is also a UI flow change we want to propose. Effectively its a repositioning of existing selections to make it easier to use the feature:
|
@shimonmodi we currently require the custom query to be filled in for threat matching feature. Should we change that to be defaulted to |
Thanks @FrankHassanabad those screen shots look good, but there seems to be one more location where
Yes, that would be fine, and should always work, but is a very broad query - guaranteed to return all events. Could there also be an optimization, with a possible performance improvement, by waiting until the rule author selects the indicator mapping field(s), e.g., |
I would like to evaluate if Mike's suggested optimization is a possible way forward. |
Thanks for the catch on the fields missing a value, I will fix that and update the screenshots!
Ok, I will let you know if there's anything tricky or weird when I change it as it is a shared component but I think I can manage it without too much hassle.
Yeah, that would be bug prone through ambiguity of DSL parsing, but I have good news already. When the filters from the threat list are applied along with any query against the indexes it turns into just one ES translated query that is just as optimal as something like, For example if the user has a query of, |
It turns out that adding a default for the query and changing the UI flow are hard and risky things because of component coupling. I am going to keep the naming separate from these two work items. I have created a new draft PR that already has the defaulting of the query done here but I don't think we should mix these harder things with renaming for 7.10.0 right now since they are showing to require more code than we want. New PR for the defaulting of the query when selecting the indicator match: |
💚 Build SucceededMetrics [docs]async chunks size
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Super duper nit thing on wording. 👍
@@ -1,5 +1,5 @@ | |||
{ | |||
"name": "Query with a threat mapping", | |||
"name": "Query with a indicator mapping", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super duper nit:
"name": "Query with a indicator mapping", | |
"name": "Query with an indicator mapping", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Crap missed this after the merge! Thanks though, this shows the level you're looking at the code. I appreciate it. Always nervous of making simple slip ups in the UI.
…ches and rules (elastic#81334) ## Summary Changes the wording for threat matches and rules cc @marrasherrier @MikePaquette @paulewing Before: <img width="1063" alt="Screen Shot 2020-10-21 at 8 52 44 AM" src="https://user-images.githubusercontent.com/1151048/96737354-ce1ee080-137a-11eb-973f-6a7d96f69117.png"> After: <img width="1055" alt="Screen Shot 2020-10-26 at 10 10 17 PM" src="https://user-images.githubusercontent.com/1151048/97256235-1fdec500-17d8-11eb-8a8b-4adffd23dbdc.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
…ches and rules (elastic#81334) ## Summary Changes the wording for threat matches and rules cc @marrasherrier @MikePaquette @paulewing Before: <img width="1063" alt="Screen Shot 2020-10-21 at 8 52 44 AM" src="https://user-images.githubusercontent.com/1151048/96737354-ce1ee080-137a-11eb-973f-6a7d96f69117.png"> After: <img width="1055" alt="Screen Shot 2020-10-26 at 10 10 17 PM" src="https://user-images.githubusercontent.com/1151048/97256235-1fdec500-17d8-11eb-8a8b-4adffd23dbdc.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
…ches and rules (#81334) (#81834) ## Summary Changes the wording for threat matches and rules cc @marrasherrier @MikePaquette @paulewing Before: <img width="1063" alt="Screen Shot 2020-10-21 at 8 52 44 AM" src="https://user-images.githubusercontent.com/1151048/96737354-ce1ee080-137a-11eb-973f-6a7d96f69117.png"> After: <img width="1055" alt="Screen Shot 2020-10-26 at 10 10 17 PM" src="https://user-images.githubusercontent.com/1151048/97256235-1fdec500-17d8-11eb-8a8b-4adffd23dbdc.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) Co-authored-by: Kibana Machine <[email protected]>
…eat matches and rules (#81334) (#81835) * [Security Solutions][Detection Engine] Changes wording for threat matches and rules (#81334) ## Summary Changes the wording for threat matches and rules cc @marrasherrier @MikePaquette @paulewing Before: <img width="1063" alt="Screen Shot 2020-10-21 at 8 52 44 AM" src="https://user-images.githubusercontent.com/1151048/96737354-ce1ee080-137a-11eb-973f-6a7d96f69117.png"> After: <img width="1055" alt="Screen Shot 2020-10-26 at 10 10 17 PM" src="https://user-images.githubusercontent.com/1151048/97256235-1fdec500-17d8-11eb-8a8b-4adffd23dbdc.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) * skips overview tests Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Gloria Hornero <[email protected]>
…kibana into task-manager/lost-connectivity * 'task-manager/lost-connectivity' of github.com:gmmorris/kibana: skips overview tests (elastic#81877) [Security Solution][Case] Fix connector's labeling (elastic#81824) [Maps] Fix EMS test (elastic#81856) [Security Solutions][Detections] - Fix bug, last response not showing for disabled rules (elastic#81783) skip flaky suite (elastic#81853) Add tsconfig for url_forwarding (elastic#81177) skip flaky suite (elastic#81844) check for server enabled (elastic#81818) [Seurity Solution][Case] Create case plugin client (elastic#81018) [Security Solutions][Detection Engine] Changes wording for threat matches and rules (elastic#81334) [Security Solution] critical pref bug with browser fields reducer
Summary
Changes the wording for threat matches and rules
cc @marrasherrier @MikePaquette @paulewing
Before:
After:
Checklist