Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY SOLUTION] Eql in timeline #90816

Merged
merged 15 commits into from
Feb 17, 2021
Merged

[SECURITY SOLUTION] Eql in timeline #90816

merged 15 commits into from
Feb 17, 2021

Conversation

XavierM
Copy link
Contributor

@XavierM XavierM commented Feb 9, 2021
edited
Loading

Summary

Timeline can support EQL query.

eql_timelione

Checklist

@XavierM XavierM added v8.0.0 v7.12.0 Team:Threat Hunting Security Solution Threat Hunting Team Feature:Timeline Security Solution Timeline feature release_note:feature Makes this part of the condensed release notes labels Feb 9, 2021
@XavierM XavierM self-assigned this Feb 9, 2021
@XavierM XavierM requested review from a team as code owners February 9, 2021 17:10
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@andrew-goldstein

This comment has been minimized.

Sign in to view
@XavierM

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein andrew-goldstein mentioned this pull request Feb 10, 2021
Closed
andrew-goldstein
andrew-goldstein reviewed Feb 10, 2021
View reviewed changes
x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/index.tsx
@@ -6,6 +6,7 @@
*/

import React from 'react';
import { isEmpty } from 'lodash';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider changing this to

import { isEmpty } from 'lodash/fp';

for consistency with other imports of isEmpty

Copy link
Contributor Author

@XavierM XavierM Feb 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kibana wants us to use lodash directly

andrew-goldstein
andrew-goldstein reviewed Feb 10, 2021
View reviewed changes
x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx
* 2.0.
*/

import { isEmpty, isEqual } from 'lodash';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider changing this to

import { isEmpty, isEqual } from 'lodash/fp';

@andrew-goldstein
Copy link
Contributor

I can tab through all the elements on the page when in the Query tab, but I can't tab past the events table on the Correlation tab. I'm wondering if we need to update the onTimelineTabKeyPressed function, or one of the helpers invoked by it.

@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein
Copy link
Contributor

The event count badge on the Correlation tab doesn't appear to be reset when a new timeline is created:

event_count

@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein

This comment has been minimized.

Sign in to view
@andrew-goldstein
Copy link
Contributor

Per the following screenshot, when a case is created from a Resolver view, additional URL state is included to re-open the Resolver view when users click the rule from a case:

create-case-resolver

Consider appending the active tab to the URL state such that when users click on a timeline link from a case, timeline opens the Correlation tab, because the Query tab will likely be empty when the timeline is opened, which may be confusing.

@XavierM
Copy link
Contributor Author

XavierM commented Feb 17, 2021

Would you be willing to confirm that the 200 results shown in the screenshot below is the expected behavior because size is a multiplier that's applied to each instance of a [ ] in the EQL syntax?

size

I'm 99% sure this is the intended behavior, and experimentally, when I add a third event.category, registry in the example below:

sequence
  [ file where file.extension == "exe" ]
  [ process where true ]
  [ registry where true ]

i get 300 results, so I think it's working as intended.

Yes it is working as expected

@XavierM
Copy link
Contributor Author

XavierM commented Feb 17, 2021

The event count badge on the Correlation tab doesn't appear to be reset when a new timeline is created:

event_count

I can not reproduce it

andrew-goldstein
andrew-goldstein approved these changes Feb 17, 2021
View reviewed changes
Copy link
Contributor

@andrew-goldstein andrew-goldstein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this milestone PR @XavierM! 🎉
LGTM 🚀

@XavierM XavierM enabled auto-merge (squash) February 17, 2021 04:43
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2197 2203 +6

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 7.6MB 7.7MB +91.3KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 237.2KB 237.4KB +168.0B

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id before after diff
siem-ui-timeline 91 97 +6
Unknown metric groups

async chunk count

id before after diff
securitySolution 24 25 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@XavierM XavierM merged commit 4707dae into elastic:master Feb 17, 2021
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 17, 2021
@gmmorris
Merge branch 'master' into task-manager/docs-monitoring
61d7256 
* master: (157 commits)
  [DOCS] Adds machine learning to the security section of alerting (elastic#91501)
  [Uptime] Ping list step screenshot caption formatting (elastic#91403)
  [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483)
  [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464)
  Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194)
  [APM] Wrap Elasticsearch client errors (elastic#91125)
  [APM] Fix optimize-tsconfig script (elastic#91487)
  [Discover][docs] Add searchFieldsFromSource description (elastic#90980)
  Adds support for 'ip' data type (elastic#85087)
  [Detection Rules] Add updates from 7.11.2 rules (elastic#91553)
  [SECURITY SOLUTION] Eql in timeline (elastic#90816)
  [APM] Correlations Beta (elastic#86477) (elastic#89952)
  [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258)
  [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446)
  skip flaky suite (elastic#91450)
  skip flaky suite (elastic#91592)
  [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870)
  [ML] Add better UI support for runtime fields Transforms  (elastic#90363)
  [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167)
  [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260)
  ...
@XavierM XavierM mentioned this pull request Feb 17, 2021
Merged
XavierM added a commit to XavierM/kibana that referenced this pull request Feb 17, 2021
@XavierM @angorayc
[SECURITY SOLUTION] Eql in timeline (elastic#90816)
8e967d9 
* add EQL as a language

* add eql in timeline

* fix type + unit test

* move eql to it sown tab

* fix merge issue + a liitle bug when creating anew timeline to reset eql textarea

* fix cypress tests

* fix lint error

* fix bug from review

Co-authored-by: Angela Chuang <[email protected]>
XavierM added a commit that referenced this pull request Feb 17, 2021
@XavierM @angorayc
[SECURITY SOLUTION] Eql in timeline (#90816) (#91649)
97bc53a 
* add EQL as a language

* add eql in timeline

* fix type + unit test

* move eql to it sown tab

* fix merge issue + a liitle bug when creating anew timeline to reset eql textarea

* fix cypress tests

* fix lint error

* fix bug from review

Co-authored-by: Angela Chuang <[email protected]>

Co-authored-by: Angela Chuang <[email protected]>
@jmikell821 jmikell821 mentioned this pull request Mar 9, 2021
Closed
@Mikaayenson Mikaayenson mentioned this pull request Jun 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrew-goldstein andrew-goldstein andrew-goldstein approved these changes

Assignees

@XavierM XavierM

Labels
Feature:Timeline Security Solution Timeline feature release_note:feature Makes this part of the condensed release notes Team:Threat Hunting Security Solution Threat Hunting Team v7.12.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@XavierM @elasticmachine @andrew-goldstein @lizozom @MadameSheema @kibanamachine @angorayc