[Security Solution][Exceptions] - Make esTypes and subType available to index patterns #72336
Conversation
…ll checking signals index for closing alerts functionality
Pinging @elastic/siem (Team:SIEM)
switch (type) { | ||
case 'date': | ||
const moment = dateMath.parse(params); | ||
return Boolean(moment && moment.isValid()); |
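Review bot: the `const moment` declared directly under `case 'date':` is scoped to the whole `switch`, not to that case; wrap the case body in braces (`case 'date': { const moment = dateMath.parse(params); return Boolean(moment && moment.isValid()); }`) so the binding cannot be reached from other cases and `no-case-declarations` does not fire. On the `Boolean(...)` wrapper questioned in the thread: `dateMath.parse` is typed to return `undefined` as well as a `Moment`, so `moment && moment.isValid()` can evaluate to `undefined` rather than `false`, which is what a `boolean` return type check rejects; keeping `Boolean(...)`, or writing `moment?.isValid() ?? false`, is the correct fix rather than a nit.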
nit, can you just do: `return moment && moment.isValid()`? Won't that work as well without introducing the capital boolean boxing here?
I tried removing it and the test yelled at me saying expected boolean not string. Leaving for now.
return Boolean(moment && moment.isValid()); | ||
case 'ip': | ||
try { | ||
return Boolean(new Ipv4Address(params)); |
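Review bot: `Boolean(new Ipv4Address(params))` is always `true` whenever the constructor returns, so this branch's outcome is decided entirely by the `catch` that follows (not visible in this hunk); a plain `return true;` after the constructor call, with a comment that `Ipv4Address` throws on invalid input, says the same thing without the misleading wrapper. More importantly the check is IPv4-only: a valid IPv6 value for an `ip`-typed field will throw here and be rejected, which is the concern raised in the next comment, so either validate both address families or leave the `ip` case unvalidated until a shared IPv6 helper exists.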
This new object seems weird to me...Does this mean we only support ipv4 and not ipv6?
If this is only validating ipv4 but allowing ipv6 I am fine with it. If we begin hindering users or disallowing ipv6 though we are going to start to have issue relatively quickly.
I did a bit of research and there isn't really great consensus on a good regex for ipv6. I didn't find a similar util like the one above for ipv4 in our code so I removed the validation here. I don't want to block users from adding exceptions. This can be something we can circle back on.
exceptionToEdit !== null && | ||
exceptionListTypeToEdit !== null && ( | ||
exceptionToEdit != null && | ||
exceptionListTypeToEdit != null && ( |
👍, using the `!= null` is great here!
👍 Thanks adding the subType to the index patterns.
@@ -21,7 +21,6 @@ import { | |||
EuiCallOut, | |||
EuiText, | |||
} from '@elastic/eui'; | |||
import { alertsIndexPattern } from '../../../../../common/endpoint/constants'; |
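Review bot: with the `alertsIndexPattern` import gone, the endpoint alerts index is no longer consulted from this file; per the summary the modal now resolves mappings from `rule.index`, falling back to `DEFAULT_INDEX_PATTERN` when a rule created via the API has no index patterns. Worth confirming in the same change that an endpoint rule's `index` actually covers the endpoint alerts index, otherwise exception values for those rules will be validated against a mapping that does not contain the endpoint fields.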
Thanks for removing this!
@@ -16,4 +17,6 @@ export interface IndexFieldDescriptor { | |||
type: string; | |||
searchable: boolean; | |||
aggregatable: boolean; | |||
esTypes?: string[]; |
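Review bot: declaring `esTypes?: string[]` as optional forces every consumer that needs the ES mapping type (the `nested` check this PR is adding, for one) to guard against `undefined`; since the review comment notes that `getFieldsForWildcard()` always populates it, prefer `esTypes: string[]` and let the compiler drop the guards, or add a comment here stating which producer can legitimately omit it so the optionality is deliberate rather than accidental.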
Why is `esTypes` optional. I think `getFieldsForWildcard()` always returns it. https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/index_fields/elasticsearch_adapter.ts#L42
Thanks for improving the field validation in the builder! LGTM, only comment is about `esTypes` being an optional type, but we can leave as is if it makes sense.
💚 Build Succeeded
…to index patterns (elastic#72336)

## Summary

This PR updates the following:

- `useFetchIndexPatterns` now returns `indexPatterns` whose fields include `esTypes` and `subType`
  - Why?? The exceptions builder needs these two fields to determine what fields are of ES type `nested` and parent paths
- exceptions add and edit modals now use the `rule.index` field to pass into `useFetchindexPatterns`
  - Before we were using the signals index and alerts index for endpoint, needs to be rule's index patterns
  - if no index patterns exist on the rule (if rule created via API, it's not required), then uses `DEFAULT_INDEX_PATTERN`
- updates the autocomplete validation to use `IField.esTypes` to check type instead of `IField.type`
…to index patterns (#72336) (#72554)
…to index patterns (#72336) (#72555)
* master: (28 commits)
  allow some env settings for ingest manager (elastic#72544)
  Add inspector for VEGA (elastic#70941)
  chore(NA): fix grunt task for test:coverage (elastic#72539)
  Archive e2e test results in ES (elastic#72575)
  preserve 401 errors from new es client (elastic#71248)
  [SIEM][Detections] Updates text for severity and risk_score overrides (elastic#72244)
  fixing error occurences tooltip (elastic#72425)
  use KibanaClient interface instead of Client for new client interface (elastic#72388)
  [APM] Handle ML errors (elastic#72316)
  [Discover] Improve histogram tests (elastic#72235)
  [ftr/webdriver] retry on all errors, use Rx so that timers are canceled (elastic#72540)
  [pre-req] Move .storybook to storybook; standardize files (elastic#72384)
  [Security_Solution][Resolver][Bug]: Restore breadcrumb background (elastic#72538)
  [ML] Fix annotation detector linking & delayed_data(0) (elastic#72468)
  [Security Solution][Exceptions] - Make esTypes and subType available to index patterns (elastic#72336)
  [SIEM] Uses faster wait from testing-library and removes duplicate older wait idiom (elastic#72509)
  Fix long combo box items breaking out of flex item width (elastic#72512)
  [pipeline/commitStatus] update commit status in baseline-capture job (elastic#72366)
  [Security Solution][Resolver] Update the resolver element ref on scroll events if the position of the element has changed within the page (elastic#72461)
  [Maps] auto-fit to data bounds (elastic#72129)
  ...
…feature-privileges

* alerting/consumer-based-rbac: (30 commits)
  removed uneeded tests
  expclude security wrapper in SO client passed to ActionsClient
  allow some env settings for ingest manager (elastic#72544)
  Add inspector for VEGA (elastic#70941)
  chore(NA): fix grunt task for test:coverage (elastic#72539)
  Archive e2e test results in ES (elastic#72575)
  preserve 401 errors from new es client (elastic#71248)
  [SIEM][Detections] Updates text for severity and risk_score overrides (elastic#72244)
  fixing error occurences tooltip (elastic#72425)
  use KibanaClient interface instead of Client for new client interface (elastic#72388)
  [APM] Handle ML errors (elastic#72316)
  [Discover] Improve histogram tests (elastic#72235)
  [ftr/webdriver] retry on all errors, use Rx so that timers are canceled (elastic#72540)
  [pre-req] Move .storybook to storybook; standardize files (elastic#72384)
  [Security_Solution][Resolver][Bug]: Restore breadcrumb background (elastic#72538)
  [ML] Fix annotation detector linking & delayed_data(0) (elastic#72468)
  [Security Solution][Exceptions] - Make esTypes and subType available to index patterns (elastic#72336)
  [SIEM] Uses faster wait from testing-library and removes duplicate older wait idiom (elastic#72509)
  Fix long combo box items breaking out of flex item width (elastic#72512)
  [pipeline/commitStatus] update commit status in baseline-capture job (elastic#72366)
  ...
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary

This PR updates the following:

- `useFetchIndexPatterns` now returns `indexPatterns` whose fields include `esTypes` and `subType`
  - Why?? The exceptions builder needs these two fields to determine what fields are of ES type `nested` and parent paths
- exceptions add and edit modals now use the `rule.index` field to pass into `useFetchindexPatterns`
  - Before we were using the signals index and alerts index for endpoint, needs to be rule's index patterns
  - if no index patterns exist on the rule (if rule created via API, it's not required), then uses `DEFAULT_INDEX_PATTERN`
- updates the autocomplete validation to use `IField.esTypes` to check type instead of `IField.type`

We were noticing that when selecting `is in list` in the builder, the `IFieldType.type` does not match the ES type assigned to the large value list on creation and so the lists were not populating in the select dropdown. This should fix that issue.

Checklist