[Security Solution] Add support for arrays in the build_ebt_data_views script #234905
936ca5f to
413a065
Compare
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
stephmilovic
left a comment
thanks for the script improvement!
maximpn
left a comment
@jkelas Thanks for extending the schema flattening logic to support different array types 🙏
My main concern is maintainability. It might be required to extend the logic in the future so it has to be readable. Unfortunately five folded if's aren't very readable. In fact we have BFS searching for type fields so we could re-write the implementation based on that idea. I've made a code sketch how it could look like in a simpler way but it's not tested.
So we could have some unit tests to make sure the implementation works as expected.
| const item = node.items; | ||
| if (item && typeof item === 'object') { | ||
| if ('type' in item && item.type) { | ||
| // array of primitive types | ||
| result[newKey] = String(item.type); | ||
| } else if (item.properties) { | ||
| // array of objects | ||
| queue.push({ obj: item.properties, prefix: `${newKey}.` }); | ||
| } else { | ||
| // unknown array item type, leave it unaffected | ||
| result[newKey] = 'array'; | ||
| } |
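Review bot: In the `'type' in item && item.type` branch, an item whose own type is `array` is stored as the string `array` and its nested `items` are never inspected, so an array of arrays is flattened the same way as an array with an unknown item type. State that intent in a comment or handle it explicitly. The lines shown also have no `else` for the outer `if (item && typeof item === 'object')`, so confirm `result[newKey]` still receives a value when `items` is missing or not an object.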
Should it be extracted to a separate function and restructured to avoid deep folded ifs?
I played around to come up with a simpler version and ended up with the following
```ts
function flattenSchema(inputObj: NestedObject): Record<string, string> {
  const result: { [key: string]: string } = {};
  const queue: Array<{ obj: NestedObject; prefix: string }> = [{ obj: inputObj, prefix: '' }];

  while (queue.length > 0) {
    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
    const { obj, prefix } = queue.shift()!;

    for (const key in obj) {
      if (typeof obj[key] === 'object' && obj[key] !== null) {
        const newKey = `${prefix}${key}`;
        const { childToInspect, nodeType } = inspectSchemaNode(obj[key]);

        if (childToInspect) {
          queue.push({ obj: childToInspect, prefix: `${newKey}.` });
        }

        if (nodeType) {
          result[newKey] = nodeType;
        }
      }
    }
  }

  return result;
}

interface InspectSchemaNodeResult {
  childToInspect?: NestedObject | NestedSchemaNode;
  nodeType?: string;
}

function inspectSchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult {
  if (!node.type) {
    const objectNode = node.properties ?? node;

    return { childToInspect: objectNode };
  }

  if (node.type === 'array' && node.items) {
    return inspectArraySchemaNode(node);
  }

  return { nodeType: String(node.type) };
}

function inspectArraySchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult {
  const itemSchema = node.items;

  if (typeof itemSchema !== 'object' || itemSchema === null) {
    // "items" schema is not defined or not an object, leave it unaffected
    return { nodeType: 'array' };
  }

  if ('type' in itemSchema && itemSchema.type) {
    // array of primitive types
    return { nodeType: String(itemSchema.type) };
  }

  if (itemSchema.properties) {
    // array of objects
    return { childToInspect: itemSchema.properties };
  }

  return {};
}
```
There is an issue with types. To make it work, types should be defined as a union of object and array schemas.
And I haven't tested my code so I could have missed an if condition.
Yes, I agree. I was trying to make the changes as little invasive as possible, because there were no unit tests and I tried to push this quickly, but I agree, I can add the tests and then restructure the code.
maximpn
left a comment
@jkelas Thanks for addressing my comments and adding tests 🙏
I've left nit comments to further make the implementation simpler.
| function isObjectRecord(x: unknown): x is Record<string, unknown> { | ||
| return typeof x === 'object' && x !== null; | ||
| } |
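Review bot: `isObjectRecord` also returns true for arrays, because `typeof [] === 'object'`, so the guard narrows an array value to `Record<string, unknown>`. If `items` or `properties` can ever arrive as an array, add `!Array.isArray(x)` to the return expression so those values fall through to the `'array'` fallback instead of being walked as an object.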
nit: isObjectRecord might be removed in favor of Lodash's isObject.
Will improve
| function inspectArraySchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult { | ||
| const item = node.items; | ||
|
|
||
| if (!isObjectRecord(item)) { | ||
| return { nodeType: 'array' }; | ||
| } | ||
|
|
||
| if ('type' in item && (item as NestedSchemaNode).type) { | ||
| const t = String((item as NestedSchemaNode).type); | ||
| if (t === 'array') return { nodeType: 'array' }; // array-of-arrays -> keep "array" | ||
| return { nodeType: t }; // array of primitives | ||
| } | ||
|
|
||
| if ( | ||
| (item as NestedSchemaNode).properties && | ||
| isObjectRecord((item as NestedSchemaNode).properties) | ||
| ) { | ||
| return { childToInspect: (item as NestedSchemaNode).properties as NestedObject }; // array of objects | ||
| } | ||
|
|
||
| return { nodeType: 'array' }; | ||
| } | ||
|
|
||
| function flattenSchema(inputObj: NestedObject): { [key: string]: string } { | ||
| const result: { [key: string]: string } = {}; | ||
| function inspectSchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult { | ||
| if (!node.type) { | ||
| const objectNode = node.properties ?? (node as unknown as NestedObject); | ||
| return { childToInspect: objectNode }; | ||
| } | ||
|
|
||
| if (node.type === 'array') { | ||
| return inspectArraySchemaNode(node); | ||
| } | ||
|
|
||
| return { nodeType: String(node.type) }; | ||
| } | ||
|
|
||
| export function flattenSchema(inputObj: NestedObject): Record<string, string> { | ||
| const result: Record<string, string> = {}; |
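Review bot: In `inspectArraySchemaNode`, the line `if (t === 'array') return { nodeType: 'array' };` returns exactly what the following `return { nodeType: t };` would return for the same input, so the special case is redundant. Drop the branch and keep the array-of-arrays intent as a comment on the single return, or, if nested arrays are meant to be treated differently from primitives, make the two returns actually differ and cover that in a unit test.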
nit: Let's move these functions to this file's bottom. These inspect functions are implementation details so it's logical to see the exported members first.
OK
| return { nodeType: 'array' }; | ||
| } | ||
|
|
||
| if ('type' in item && (item as NestedSchemaNode).type) { |
To get rid of type casting node schema TS type could be simplified to
```ts
interface NestedSchemaNode {
  type?: string;
  properties?: NestedSchemaNode;
  items?: NestedSchemaNode;
  [key: string]: unknown;
}
```
This simplified type could be used in args and return types. With that you'd need only a single casting in flattenSchema
```ts
const { childToInspect, nodeType } = inspectSchemaNode(node as NestedSchemaNode);
```
Good idea, thx, will improve
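The BFS flattening discussed in this thread, typed with the simplified `NestedSchemaNode` suggested above, as a self-contained added example (not the PR's code). `sampleSchema` and its field names are constructed, and `isSchemaNode` is a hypothetical helper.

```typescript
// Added example: BFS schema flattening with array support, typed without casts.
interface NestedSchemaNode {
  type?: string;
  properties?: NestedSchemaNode;
  items?: NestedSchemaNode;
  [key: string]: unknown;
}

interface InspectSchemaNodeResult {
  childToInspect?: NestedSchemaNode;
  nodeType?: string;
}

interface QueueEntry {
  obj: NestedSchemaNode;
  prefix: string;
}

// Hypothetical guard: plain objects only, arrays and null are rejected.
function isSchemaNode(x: unknown): x is NestedSchemaNode {
  return typeof x === 'object' && x !== null && !Array.isArray(x);
}

function flattenSchema(inputObj: NestedSchemaNode): Record<string, string> {
  const result: Record<string, string> = {};
  const queue: QueueEntry[] = [{ obj: inputObj, prefix: '' }];

  while (queue.length > 0) {
    const { obj, prefix } = queue.shift() as QueueEntry;

    for (const key of Object.keys(obj)) {
      const value = obj[key];
      if (!isSchemaNode(value)) {
        continue; // strings such as descriptions are not schema nodes
      }
      const newKey = `${prefix}${key}`;
      const { childToInspect, nodeType } = inspectSchemaNode(value);

      if (childToInspect) {
        queue.push({ obj: childToInspect, prefix: `${newKey}.` });
      }
      if (nodeType) {
        result[newKey] = nodeType;
      }
    }
  }
  return result;
}

function inspectSchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult {
  if (!node.type) {
    // object node: descend into "properties", or into the node itself
    return { childToInspect: node.properties ?? node };
  }
  if (node.type === 'array') {
    return inspectArraySchemaNode(node);
  }
  return { nodeType: node.type };
}

function inspectArraySchemaNode(node: NestedSchemaNode): InspectSchemaNodeResult {
  const item = node.items;
  if (!isSchemaNode(item)) {
    return { nodeType: 'array' }; // "items" missing or malformed
  }
  if (item.type) {
    return { nodeType: item.type }; // primitives; array-of-arrays stays "array"
  }
  if (isSchemaNode(item.properties)) {
    return { childToInspect: item.properties }; // array of objects
  }
  return { nodeType: 'array' }; // unknown item shape: keep the field visible
}

// Constructed sample schema covering each array shape.
const sampleSchema: NestedSchemaNode = {
  ruleId: { type: 'keyword', _meta: { description: 'constructed field' } },
  updatedFields: { type: 'array', items: { type: 'keyword' } },
  changes: {
    type: 'array',
    items: { properties: { field: { type: 'keyword' }, count: { type: 'long' } } },
  },
  matrix: { type: 'array', items: { type: 'array', items: { type: 'long' } } },
  opaque: { type: 'array' },
  emptyItem: { type: 'array', items: {} },
  source: { properties: { version: { type: 'integer' } } },
};

console.log(flattenSchema(sampleSchema));
```

Unlike the sketch's final `return {}`, the last fallback here returns `'array'`, so a field with an unrecognised item shape is still listed instead of being dropped.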
| }, | ||
| }, | ||
| }, | ||
| } as any; |
Instead of `any` it's possible to use `@ts-expect-error` above the `const out = flattenSchema(schema);` line.
Starting backport for target branches: 8.18, 8.19, 9.0, 9.1 https://github.com/elastic/kibana/actions/runs/17790809288
💚 Build Succeeded
cc @jkelas
…s script (elastic#234905) **Partially resolves: elastic#140369** ## Summary This PR is a follow up for the elastic#234571, where I am introducing telemetry event with array of primitive string values. In order to display these values in Kibana Lens, a runtime mapping needs to be done in the `security-solution-ebt-kibana-server` data view. Before that, it was done manually. I am introducing support for arrays, so that manual intervention is not needed for them. ### Checklist - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Maxim Palenov <[email protected]> (cherry picked from commit f0e38a3)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…ta_views script (#234905) (#235312) # Backport This will backport the following commits from `main` to `8.19`: - [[Security Solution] Add support for arrays in the build_ebt_data_views script (#234905)](#234905) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) Co-authored-by: Jacek Kolezynski <[email protected]> Co-authored-by: Maxim Palenov <[email protected]>
…a_views script (#234905) (#235314) # Backport This will backport the following commits from `main` to `9.1`: - [[Security Solution] Add support for arrays in the build_ebt_data_views script (#234905)](#234905) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) Co-authored-by: Jacek Kolezynski <[email protected]> Co-authored-by: Maxim Palenov <[email protected]>
…a_views script (#234905) (#235313) # Backport This will backport the following commits from `main` to `9.0`: - [[Security Solution] Add support for arrays in the build_ebt_data_views script (#234905)](#234905) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) Co-authored-by: Jacek Kolezynski <[email protected]> Co-authored-by: Maxim Palenov <[email protected]>
…ta_views script (#234905) (#235311) # Backport This will backport the following commits from `main` to `8.18`: - [[Security Solution] Add support for arrays in the build_ebt_data_views script (#234905)](#234905) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) Co-authored-by: Jacek Kolezynski <[email protected]> Co-authored-by: Maxim Palenov <[email protected]>
…s script (elastic#234905) **Partially resolves: elastic#140369** ## Summary This PR is a follow up for the elastic#234571, where I am introducing telemetry event with array of primitive string values. In order to display these values in Kibana Lens, a runtime mapping needs to be done in the `security-solution-ebt-kibana-server` data view. Before that, it was done manually. I am introducing support for arrays, so that manual intervention is not needed for them. ### Checklist - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Maxim Palenov <[email protected]>
…s script (#234905) **Partially resolves: #140369** ## Summary This PR is a follow up for the #234571, where I am introducing telemetry event with array of primitive string values. In order to display these values in Kibana Lens, a runtime mapping needs to be done in the `security-solution-ebt-kibana-server` data view. Before that, it was done manually. I am introducing support for arrays, so that manual intervention is not needed for them. ### Checklist - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Maxim Palenov <[email protected]>
Partially resolves: #140369
Summary
This PR is a follow up for the #234571, where I am introducing telemetry event with array of primitive string values.
In order to display these values in Kibana Lens, a runtime mapping needs to be done in the `security-solution-ebt-kibana-server` data view. Before that, it was done manually. I am introducing support for arrays, so that manual intervention is not needed for them.
Checklist
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the guidelines