
[SECURITY SOLUTION] Investigate EQL signal in timeline #79049

Merged: 23 commits, Oct 6, 2020

Conversation

@XavierM (Contributor) commented Oct 1, 2020

Summary

  • Selection of the timeline in rule creation is done through templateTimelineId and not timelineId anymore.
    This will allow pre-packaged rules to associate with a template timeline.
  • Allow investigating EQL signal in the timeline
  • Fix bug when re-arranging columns in alert table


@elasticmachine (Contributor)

Pinging @elastic/siem (Team:SIEM)

@@ -95,9 +99,27 @@ export interface Timeline {

export const getTimeline = async (
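Review bot: only the hunk header and the `export const getTimeline = async (` signature are visible here, so the net 18-line addition (-95,9 against +99,27) cannot be checked for how it resolves a timeline by templateTimelineId versus timelineId; given the overlap with getTimelineByTemplateTimelineId raised in the thread, consider folding the template-id lookup into getTimeline behind a single parameter and stating in a comment which id takes precedence when both are supplied.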
Contributor (review comment):

It seems that we have getTimeline and getTimelineByTemplateTimelineId doing the same thing; I am thinking of having a follow-up PR to clean that up, so we can just keep getTimeline in our code. What do you think?


@XavierM (Contributor, Author) commented Oct 2, 2020

This PR is taking care of https://github.com/elastic/security-team/issues/388

@XavierM (Contributor, Author) commented Oct 5, 2020

@elasticmachine merge upstream

@XavierM (Contributor, Author) commented Oct 5, 2020

@andrew-goldstein found a problem with the pagination of the timeline, so we paired to fix it in this PR.

@XavierM force-pushed the investigate-timeline branch from 172a093 to fe82acc on October 5, 2020 18:25
@andrew-goldstein (Contributor) left a review comment:

The screenshot from the Detections view below shows an extra set of ellipsis:

[screenshot: double-ellipsis-detections]

In the screenshot above:

  • The selected page size is 10
  • There are a total of 15 results, which means the results should be shown across 2 pages
  • The first of two pages is selected

Under these conditions, I don't think it should show the ...

EDIT: looks good now 👍
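Added example, not code from this PR or from Kibana: a model of the pagination decisions discussed in the review above and in the commit list further down (page count, whether the last page is certain, whether a trailing "..." is warranted). It assumes the hit count arrives in the shape of Elasticsearch's hits.total ({ value, relation }), where relation "eq" is exact and "gte" is only a lower bound; the five-number window and the function and type names are assumptions of this example.

```typescript
// Added example, not Kibana code. `TotalHits` mirrors Elasticsearch's `hits.total`:
// relation "eq" means the count is exact, "gte" means it is only a lower bound
// (counting stopped early), so the "last" page number cannot be trusted.
interface TotalHits {
  value: number;
  relation: 'eq' | 'gte';
}

interface PaginationState {
  pageCount: number;      // pages that are known to exist
  activePage: number;     // zero-based, clamped into range
  lastPageKnown: boolean; // false when the total is only a lower bound
  showEllipsis: boolean;  // render "..." after the listed page numbers
}

// Assumed for this example: how many page numbers the control lists before truncating.
const PAGE_NUMBER_WINDOW = 5;

function computePagination(total: TotalHits, pageSize: number, activePage: number): PaginationState {
  if (!Number.isInteger(pageSize) || pageSize <= 0) {
    throw new RangeError('pageSize must be a positive integer');
  }
  const pageCount = Math.max(1, Math.ceil(total.value / pageSize));
  const lastPageKnown = total.relation === 'eq';
  // An out-of-range page (for instance after the index set changed) falls back to
  // page 0, in the spirit of the "reset activePage to 0 when changing indexNames" commit.
  const safePage =
    Number.isInteger(activePage) && activePage >= 0 && activePage < pageCount ? activePage : 0;
  // "..." is only justified when pages exist that are not listed: the total is a lower
  // bound, or the page list is longer than the window. With 15 hits, page size 10 and
  // page 1 of 2 selected (the reviewer's case) both conditions are false, so no ellipsis.
  const showEllipsis = !lastPageKnown || pageCount > PAGE_NUMBER_WINDOW;
  return { pageCount, activePage: safePage, lastPageKnown, showEllipsis };
}
```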

@andrew-goldstein (Contributor) left a review:

Thanks for building this bridge from EQL detections to timeline @XavierM! 🌉 🙏
Desk tested locally with EQL and non-EQL detections, and with various combinations of states and page sizes.
LGTM 🚀

@kibanamachine (Contributor)

💛 Build succeeded, but was flaky


Test Failures

Detection rules, EQL: Creates and activates a new EQL rule with a sequence


Stack Trace

Failed Tests Reporter:
  - Test has failed 3 times on tracked branches: https://github.com/elastic/kibana/issues/79522

TypeError: Cannot read property 'apply' of undefined

Metrics

async chunks size
  id: securitySolution   before: 10.3MB   after: 10.3MB   diff: +16.3KB

page load bundle size
  id: securitySolution   before: 587.2KB  after: 587.2KB  diff: +59.0B


@XavierM XavierM merged commit cf45fef into elastic:master Oct 6, 2020
XavierM added a commit to XavierM/kibana that referenced this pull request Oct 6, 2020
* fix template timeline for rule
* fix moving column with linkfield by giving back the browserfield
* leftover from investigate timeline with template from rule
* add visualization for eql sequences in timeline + allow eql investigate to timeline through signal.group.id
* bug fix of column in eventviewer
* review I
* review II
* fix bug - Columns dynamically added to timeline indicate no data
* fix pagination to work as attempted by Elasticsearch
* no tweak on pagination timeline
* fix snapshot
* reset activePage to 0 when changing indexNames
* remove last page when we are not sure if it is really the last page
* update activePage when resetting it by searchParameter
* review bug on the last commit

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
XavierM added a commit that referenced this pull request Oct 6, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 6, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels: release_note:enhancement, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM, v7.10.0, v8.0.0