[Security Solution][Alerts] fixes merge fields with source in Detection Engine on Alerts creation#151004
Pinging @elastic/security-solution (Team: SecuritySolution)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/source_fields_merging/utils/is_path_valid.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/source_fields_merging/utils/is_path_valid.ts
marshallmain left a comment
There's another edge case that we may want to fix in the future, but it should be rare so we don't have to worry about fixing it for 8.7 at this point.
```ts
test.only('does the right stuff', () => {
  // _source spells the field with a dotted key rather than nested objects
  const _source: SignalSourceHit['_source'] = {
    '@timestamp': '2023-02-10T10:15:50Z',
    'process.command_line': { text: 'a' },
  };
  // the fields API returns the same path in flattened dotted form
  const fields: SignalSourceHit['fields'] = {
    'process.command_line.text': ['string longer than 10 characters'],
    '@timestamp': ['2023-02-10T10:15:50.000Z'],
  };
  const doc: SignalSourceHit = { ...emptyEsResult(), _source, fields };
  const merged = mergeMissingFieldsWithSource({ doc, ignoreFields: [] })._source;
  // expected: the value already in _source is kept, nothing from fields is merged over it
  expect(merged).toEqual<ReturnTypeMergeFieldsWithSource>(_source);
});
```
If, for some reason, source documents mix the dot and nested notations, then mergeMissingFields logic can't find the original field in the _source and still merges the value from fields into it.
…ule_types/utils/source_fields_merging/utils/is_path_valid.ts Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
💚 Build Succeeded
💔 All backports failed
Created an issue for this one #152446
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
…on Engine on Alerts creation (elastic#151004)

## Summary

- fixes elastic#147389
- `mergeMissingFieldsWithSource` and `mergeAllFieldsWithSource` methods will no longer merge multi-field values into source.

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
(cherry picked from commit 88be889)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/is_path_valid.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/signals/source_fields_merging/utils/is_path_valid.ts
…etection Engine on Alerts creation (#151004) (#152449)

# Backport

This will backport the following commits from `main` to `8.7`:

- [[Security Solution][Alerts] fixes merge fields with source in Detection Engine on Alerts creation (#151004)](#151004)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Backport metadata (Backport tool version 8.9.7): source commit 88be889e1c5bfd97943eaf5eef6c7002433e2169 by Vitalii Dmyterko, committed 2023-03-01T11:29:53Z on `main`; source PR #151004 labels: bug, release_note:skip, impact:high, Team: SecuritySolution, Team:Detection Alerts, backport:prev-minor, v8.7.0, v8.8.0; target branch `8.7` (label v8.7.0).
…on Engine on Alerts creation (elastic#151004)

## Summary

- fixes elastic#147389
- `mergeMissingFieldsWithSource` and `mergeAllFieldsWithSource` methods will no longer merge multi-field values into source.

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
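The change summarised in this PR (stop merging multi-field values from `fields` into `_source`) and the edge case marshallmain raises in review (one document mixing dotted keys and nested objects, so a plain nested lookup misses a value that is really there) can both be shown with one standalone routine. The following is an added example, not code from elastic/kibana: the `Hit` type, `resolvePath`, `conflictsWithSourceLeaf`, `setAlongExistingPath`, `mergeMissingFields`, the two sample hits and the rule that single-element `fields` arrays are unboxed are all this example's own assumptions, and the plugin's real `mergeMissingFieldsWithSource` and `isPathValid` are not reproduced here.

```typescript
// Added example, not code from elastic/kibana. Types, function names, the
// sample hits and the "unbox single-element arrays" rule are assumptions of
// this example; the plugin's own merge helpers are not shown on this page.

type JsonObject = { [key: string]: unknown };

interface Hit {
  _source: JsonObject;
  fields: { [key: string]: unknown[] };
}

function isPlainObject(v: unknown): v is JsonObject {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Resolve dotted path `segments` against `obj`, trying every spelling a
// document could use: { process: { command_line: { text } } },
// { 'process.command_line': { text } } or { 'process.command_line.text': ... }.
function resolvePath(obj: unknown, segments: string[]): { found: boolean; value?: unknown } {
  if (segments.length === 0) return { found: true, value: obj };
  if (!isPlainObject(obj)) return { found: false };
  for (let k = segments.length; k >= 1; k -= 1) {
    const key = segments.slice(0, k).join('.');
    if (Object.prototype.hasOwnProperty.call(obj, key)) {
      const rest = resolvePath(obj[key], segments.slice(k));
      if (rest.found) return rest;
    }
  }
  return { found: false };
}

// True when some proper prefix of `fieldKey` already holds a non-object value
// in `source`, e.g. `process.command_line.text` while `process.command_line`
// is a string: the multi-field shape. Writing the sub-field would replace the
// string with an object. Arrays are treated as leaves too (conservative).
function conflictsWithSourceLeaf(source: JsonObject, fieldKey: string): boolean {
  const segments = fieldKey.split('.');
  for (let n = 1; n < segments.length; n += 1) {
    const prefix = resolvePath(source, segments.slice(0, n));
    if (prefix.found && !isPlainObject(prefix.value)) return true;
  }
  return false;
}

// Write `value` at `segments`, descending into existing objects whatever key
// spelling they use, and creating nested objects only where nothing exists.
function setAlongExistingPath(target: JsonObject, segments: string[], value: unknown): void {
  let cur = target;
  let i = 0;
  while (i < segments.length - 1) {
    let advanced = false;
    for (let k = segments.length - 1 - i; k >= 1; k -= 1) {
      const existing = cur[segments.slice(i, i + k).join('.')];
      if (isPlainObject(existing)) {
        cur = existing;
        i += k;
        advanced = true;
        break;
      }
    }
    if (!advanced) {
      const next: JsonObject = {};
      cur[segments[i]] = next;
      cur = next;
      i += 1;
    }
  }
  cur[segments[i]] = value;
}

// Copy into a clone of `_source` only the `fields` entries that are genuinely
// absent: skip keys already present under either notation and keys that would
// clobber a leaf (multi-fields). Single-element arrays are unboxed (assumption).
function mergeMissingFields(hit: Hit): JsonObject {
  const merged: JsonObject = JSON.parse(JSON.stringify(hit._source));
  for (const [key, values] of Object.entries(hit.fields)) {
    const segments = key.split('.');
    if (resolvePath(merged, segments).found) continue;
    if (conflictsWithSourceLeaf(merged, key)) continue;
    setAlongExistingPath(merged, segments, values.length === 1 ? values[0] : values);
  }
  return merged;
}

// Constructed sample hits (not real alert data).
// 1) The shape this PR stops merging: `process.command_line.text` is a
//    multi-field of a string leaf; `user.name` is a genuinely missing field.
const multiFieldHit: Hit = {
  _source: { '@timestamp': '2023-02-10T10:15:50Z', process: { command_line: 'cmd.exe /c whoami' } },
  fields: {
    '@timestamp': ['2023-02-10T10:15:50.000Z'],
    'process.command_line': ['cmd.exe /c whoami'],
    'process.command_line.text': ['cmd.exe /c whoami'],
    'user.name': ['svc-backup'],
  },
};
// 2) The review-comment edge case: `_source` uses a dotted key, so a nested
//    lookup misses the existing value and would merge the fields value over it.
const mixedNotationHit: Hit = {
  _source: { '@timestamp': '2023-02-10T10:15:50Z', 'process.command_line': { text: 'a' } },
  fields: {
    'process.command_line.text': ['string longer than 10 characters'],
    '@timestamp': ['2023-02-10T10:15:50.000Z'],
  },
};
```

For `multiFieldHit` the merge adds only `user.name` and leaves `process.command_line` a string; for `mixedNotationHit` it returns `_source` unchanged, because `resolvePath` finds `process.command_line.text` through the dotted key. The conflict check is deliberately conservative: anything whose prefix is a non-object (string, number, array) is skipped rather than rewritten, which is the safer failure mode for data that ends up in alert documents.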