[SECURITY SOLUTIONS] Bugs overview page + investigate eql in timeline #81550
Conversation
@elasticmachine merge upstream
ecsData.signal?.rule?.type?.length && | ||
ecsData.signal?.rule?.type[0] === 'eql' && |
nit: Could consolidate to the following using array item access with optional chaining if you'd like:
ecsData.signal?.rule?.type?.length && | |
ecsData.signal?.rule?.type[0] === 'eql' && | |
ecsData.signal?.rule?.type?.[0] === 'eql' && |
]); | ||
const resultingTimeline: TimelineResult = getOr({}, 'data.getOneTimeline', responseTimeline); | ||
const eventData: TimelineEventsDetailsItem[] = getOr([], 'data', eventDataResp); | ||
const eventData: TimelineEventsDetailsItem[] = eventDataResp.data ?? []; |
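Review bot: `eventDataResp.data ?? []` is not a strict drop-in for `getOr([], 'data', eventDataResp)`. lodash's `getOr` also tolerates `eventDataResp` itself being `undefined`, whereas the new expression throws in that case, and `??` additionally maps a `null` `data` field to `[]` where `getOr` only substitutes for `undefined`. If `eventDataResp` is typed as always present this is fine; otherwise `eventDataResp?.data ?? []` keeps the old tolerance.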
Thank you for cleaning up more getOr's! 🙇‍♂️
Checked out, tested locally, and verified EQL Rules with sequences use signal.group.id and EQL Rules without sequences use _id when Investigating in Timeline. LGTM! Thanks @XavierM! 👍
Tested "investigate in timeline" with both sequence alerts and non-sequence alerts. LGTM!
ecsData.signal?.rule?.type?.length && ecsData.signal?.rule?.type[0] === 'eql'; | ||
export const isEqlRuleWithGroupId = (ecsData: Ecs) => | ||
ecsData.signal?.rule?.type?.length && | ||
ecsData.signal?.rule?.type[0] === 'eql' && |
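Review bot: `isEqlRuleWithGroupId` (like `isEqlRule` just above it) does not return a boolean: `ecsData.signal?.rule?.type?.length &&` short-circuits to `0` or `undefined` when the `type` array is empty or missing, so the helper's type is `0 | undefined | boolean`. `ecsData.signal?.rule?.type?.[0] === 'eql'` already yields `false` in both of those cases, so the `length` guard can be dropped and the helpers return a real boolean.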
We've also got those rule type helpers that could be leveraged here!
Thanks for these fixes @XavierM!
Desk tested locally for (only) the following issue:
- [Security Solution] Timeline custom indexes change depending on the page the timeline is opened #81640
LGTM 🚀
…elastic#81550) * fix overview query to be connected to sourcerer * investigate eql in timeline * keep timeline indices * trusting what is coming from timeline saved object for index pattern at initialization * fix type + initialize old timeline to sourcerer Co-authored-by: Kibana Machine <[email protected]>
…#81550) (#81708) * fix overview query to be connected to sourcerer * investigate eql in timeline * keep timeline indices * trusting what is coming from timeline saved object for index pattern at initialization * fix type + initialize old timeline to sourcerer Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
…#81550) (#81712) * fix overview query to be connected to sourcerer * investigate eql in timeline * keep timeline indices * trusting what is coming from timeline saved object for index pattern at initialization * fix type + initialize old timeline to sourcerer Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
Summary
The Host/Network events query on the Overview page was not taking the sourcerer (i.e. the change of indices) into consideration.
Signals from the correlation rules (EQL) do not always have a signal.group.id when there are no sequences, so we need a way to fall back to the basic query on the _id: idididididididid
[Security Solution] Timeline custom indexes change depending on the page the timeline is opened #81640
Checklist
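The fallback described in the summary (sequence alerts carry signal.group.id, everything else falls back to _id), as an added TypeScript example that is not Kibana's code: the `EcsLike` shape, `TimelineFilter` and `timelineFilterForAlert` are assumptions, and the two helpers mirror the `isEqlRule`/`isEqlRuleWithGroupId` names from the diff but return a real boolean.

```typescript
// Added example, not Kibana code. Minimal stand-in for Kibana's Ecs type:
// only the fields this example reads (assumed shape).
interface EcsLike {
  _id: string;
  signal?: {
    group?: { id?: string[] };
    rule?: { type?: string[] };
  };
}

// Which field "investigate in timeline" should query for a given alert.
interface TimelineFilter {
  field: 'signal.group.id' | '_id';
  value: string;
}

// `type?.[0] === 'eql'` is false for a missing or empty array, so no
// separate `length` guard is needed and the result is always a boolean.
const isEqlRule = (ecsData: EcsLike): boolean =>
  ecsData.signal?.rule?.type?.[0] === 'eql';

// EQL alerts produced by a sequence carry a group id shared by every
// event of that sequence; non-sequence EQL alerts do not.
const isEqlRuleWithGroupId = (ecsData: EcsLike): boolean =>
  isEqlRule(ecsData) && typeof ecsData.signal?.group?.id?.[0] === 'string';

// Pick the timeline filter: group id for sequence alerts, _id otherwise.
const timelineFilterForAlert = (ecsData: EcsLike): TimelineFilter => {
  const groupId = ecsData.signal?.group?.id?.[0];
  if (isEqlRule(ecsData) && groupId !== undefined) {
    return { field: 'signal.group.id', value: groupId };
  }
  // Non-sequence EQL alerts and non-EQL alerts: fall back to the document id.
  return { field: '_id', value: ecsData._id };
};

// Constructed sample alerts (not real data).
const sequenceAlert: EcsLike = {
  _id: 'a1', signal: { rule: { type: ['eql'] }, group: { id: ['grp-1'] } },
};
const nonSequenceEqlAlert: EcsLike = { _id: 'b2', signal: { rule: { type: ['eql'] } } };
const queryRuleAlert: EcsLike = {
  _id: 'c3', signal: { rule: { type: ['query'] }, group: { id: ['grp-9'] } },
};
```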