[SIEM] [Detections] Fixes filtering with large value lists to use "ands" between lists #72304
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bc7256a to
8bb0ec9
Compare
|
Pinging @elastic/siem (Team:SIEM) |
x-pack/plugins/lists/server/scripts/lists/new/list_ip_item.json
Outdated
Show resolved
Hide resolved
| @@ -106,6 +125,72 @@ describe('filterEventsAgainstList', () => { | |||
| 'ci-badguys.txt' | |||
| ); | |||
| expect(res.hits.hits.length).toEqual(2); | |||
|
|
|||
| // @ts-ignore | |||
There was a problem hiding this comment.
Is it possible for us to use an as cast or better yet an is cast using the io-ts is on this here or do we have to keep the ts-ignore. We really should be more strict about allowing ts-ignore. Also there is ts-expect-error which it supposed to replace the ts-ignore:
https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-9.html#-ts-expect-error-comments
it will be better in that builds will fail once it is no longer an error condition, but I prefer we try to not use ts-ignore as much as possible.
There was a problem hiding this comment.
the ts-ignore says that .ip is not available on item._source.source
Property 'ip' does not exist on type 'string | number | boolean | object | string[] | number[] | boolean[] | object[]'.
comes from here
I'm not sure there is a way to change that without making a more explicit structure with every ECS property.
| expect(listClient.getListItemByValues as jest.Mock).toHaveBeenCalledTimes(2); | ||
| expect(res.hits.hits.length).toEqual(6); | ||
|
|
||
| // @ts-ignore |
There was a problem hiding this comment.
Same comment as above about the ts-ignore.
|
|
||
| // @ts-ignore | ||
| const ipVals = res.hits.hits.map((item) => item._source.source.ip); | ||
| expect(['1.1.1.1', '3.3.3.3', '5.5.5.5', '7.7.7.7', '8.8.8.8', '9.9.9.9']).toEqual(ipVals); |
There was a problem hiding this comment.
Thanks for all the tests though! Much appreciated.
x-pack/plugins/security_solution/server/lib/detection_engine/signals/filter_events_with_list.ts
Outdated
Show resolved
Hide resolved
…ut a value list are passed in to the filter function
…ue lists when appearing in different exception items
4475636 to
597fa1d
Compare
marshallmain
approved these changes
Jul 22, 2020
| expect(['1.1.1.1', '3.3.3.3', '5.5.5.5', '7.7.7.7', '8.8.8.8', '9.9.9.9']).toEqual(ipVals); | ||
| }); | ||
|
|
||
| it('should respond with less items in the list given one exception item with two entries of type list if some values match', async () => { |
There was a problem hiding this comment.
nit: the description says one exception item but the test has 2 exception items with one entry each
| .filter((t): t is EntryList => entriesList.is(t)) | ||
| .map(async (entry) => { | ||
| const valueListExceptionItems = exceptionsList.filter((listItem: ExceptionListItemSchema) => { | ||
| return listItem.entries.some((entry) => entriesList.is(entry)); |
There was a problem hiding this comment.
probably want listItem.entries.every here since we can't support items that have both list-based and regular entries
There was a problem hiding this comment.
We should also modify the exception list item schema to prevent creation of an item with both list and non-list entries, but that can be a separate PR.
… filter logic should execute
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jul 22, 2020
…ds" between lists (elastic#72304) * wip - comment and sample json for exceptions * promise.all for OR-ing exception items and quick-start script * logging, added/updated json sample scripts, fixed missing await on filter with lists * WIP * bug fix where two lists when 'anded' together were not filtering down result set * undo changes from testing * fix changes to example json and fixes missed conflict with master * update log message and fix type errors * change log statement and add unit test for when exception items without a value list are passed in to the filter function * fix failing test * update expect on one test and adds a new test to ensure anding of value lists when appearing in different exception items * update test after rebasing with master * properly ands exception item entries together with proper test cases * fix test (log statement tests - need to come up with a better way to cover these) * cleans up json examples * rename test and use 'every' in lieu of 'some' when determining if the filter logic should execute
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jul 22, 2020
…ds" between lists (elastic#72304) * wip - comment and sample json for exceptions * promise.all for OR-ing exception items and quick-start script * logging, added/updated json sample scripts, fixed missing await on filter with lists * WIP * bug fix where two lists when 'anded' together were not filtering down result set * undo changes from testing * fix changes to example json and fixes missed conflict with master * update log message and fix type errors * change log statement and add unit test for when exception items without a value list are passed in to the filter function * fix failing test * update expect on one test and adds a new test to ensure anding of value lists when appearing in different exception items * update test after rebasing with master * properly ands exception item entries together with proper test cases * fix test (log statement tests - need to come up with a better way to cover these) * cleans up json examples * rename test and use 'every' in lieu of 'some' when determining if the filter logic should execute
dhurley14
added a commit
that referenced
this pull request
Jul 22, 2020
…se "ands" between lists (#72304) (#72908) * wip - comment and sample json for exceptions * promise.all for OR-ing exception items and quick-start script * logging, added/updated json sample scripts, fixed missing await on filter with lists * WIP * bug fix where two lists when 'anded' together were not filtering down result set * undo changes from testing * fix changes to example json and fixes missed conflict with master * update log message and fix type errors * change log statement and add unit test for when exception items without a value list are passed in to the filter function * fix failing test * update expect on one test and adds a new test to ensure anding of value lists when appearing in different exception items * update test after rebasing with master * properly ands exception item entries together with proper test cases * fix test (log statement tests - need to come up with a better way to cover these) * cleans up json examples * rename test and use 'every' in lieu of 'some' when determining if the filter logic should execute
dhurley14
added a commit
that referenced
this pull request
Jul 22, 2020
…se "ands" between lists (#72304) (#72909) * wip - comment and sample json for exceptions * promise.all for OR-ing exception items and quick-start script * logging, added/updated json sample scripts, fixed missing await on filter with lists * WIP * bug fix where two lists when 'anded' together were not filtering down result set * undo changes from testing * fix changes to example json and fixes missed conflict with master * update log message and fix type errors * change log statement and add unit test for when exception items without a value list are passed in to the filter function * fix failing test * update expect on one test and adds a new test to ensure anding of value lists when appearing in different exception items * update test after rebasing with master * properly ands exception item entries together with proper test cases * fix test (log statement tests - need to come up with a better way to cover these) * cleans up json examples * rename test and use 'every' in lieu of 'some' when determining if the filter logic should execute
1 task
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This fixes a bug where an exception which includes two value lists "anded" together wouldn't return the right
signalsalerts.Checklist
Delete any items that are not applicable to this PR.
For maintainers