Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.x] [SIEM] Fix: Empty Source / Destination shown when only ports are populated (#50843) #50971

Merged
merged 1 commit into from
Nov 18, 2019
Merged

[7.x] [SIEM] Fix: Empty Source / Destination shown when only ports are populated (#50843) #50971

merged 1 commit into from
Nov 18, 2019

Conversation

andrew-goldstein
Copy link
Contributor

Backports the following commits to 7.x:

@andrew-goldstein
[SIEM] Fix: Empty Source / Destination shown when only ports are …
7c32423 
…populated (elastic#50843)

Fixes an issue where an empty `Source` or `Destination` container is rendered by
the Timeline row renderer when events have `source.port` or `destination.port` populated,
but the corresponding `source.ip` or `destination.ip` is not.

![chrome-before](https://user-images.githubusercontent.com/4459398/68985053-fd26ec80-07d0-11ea-99e3-1180a3e9d7fb.png)

![chrome-after](https://user-images.githubusercontent.com/4459398/68985058-0912ae80-07d1-11ea-990a-1a66802cad0e.png)

The following JSON is from the event shown in the screenshots above:

```
  "destination": {
    "port": 53
  },
```

In the JSON above, the `destination.port` field is populated, but the
`destination.ip` field is **not** populated.

The `destination.port` in the event is expected to be rendered in the
"before" screenshot above, but an empty `Destination` label is rendered
instead.

1. Create a new timeline with the following KQL:

```
destination.port: * and NOT destination.ip: *
```

**Expected Result**

- The `destination.port` contained in the event is rendered in the `Destination` container

**Actual result**

- An empty `Destination` is rendered, per the "before" screenshot above

An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with `null` values.

The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.

![firefox-after](https://user-images.githubusercontent.com/4459398/68985063-10d25300-07d1-11ea-9c17-d962c0f1015e.png)

![safari-after](https://user-images.githubusercontent.com/4459398/68985067-162f9d80-07d1-11ea-8773-d3e71a84a440.png)

Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master`

* elastic/siem-team#476
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@andrew-goldstein andrew-goldstein merged commit 94d69f2 into elastic:7.x Nov 18, 2019
@andrew-goldstein andrew-goldstein deleted the backport/7.x/pr-50843 branch November 18, 2019 22:45
@andrew-goldstein andrew-goldstein self-assigned this Nov 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@andrew-goldstein andrew-goldstein

Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@andrew-goldstein @elasticmachine