[Security Solution][Detections] - Rule creation query preview #78985
Changes from 25 commits
06ec35b
9039fab
0a0cf94
7bceb49
237bade
ff7f8c5
cc01e09
48fd4cf
d7f6eb1
a25575e
e07ef98
2374e11
ca6977e
3036723
521497f
b034ebc
b283bd9
edb7c3f
6b0be88
8190b0f
ece38ef
b04ec68
87721a0
9a42861
84b7fef
aa4af5f
a750613
|
|
@@ -3,11 +3,21 @@ | |
| * or more contributor license agreements. Licensed under the Elastic License; | ||
| * you may not use this file except in compliance with the Elastic License. | ||
| */ | ||
| import { Unit } from '@elastic/datemath'; | ||
|
|
||
| import { HttpStart } from '../../../../../../../src/core/public'; | ||
| import { DETECTION_ENGINE_EQL_VALIDATION_URL } from '../../../../common/constants'; | ||
| import { EqlValidationSchema as EqlValidationRequest } from '../../../../common/detection_engine/schemas/request/eql_validation_schema'; | ||
| import { EqlValidationSchema as EqlValidationResponse } from '../../../../common/detection_engine/schemas/response/eql_validation_schema'; | ||
| import { DataPublicPluginStart } from '../../../../../../../src/plugins/data/public'; | ||
| import { | ||
| EqlSearchStrategyRequest, | ||
| EqlSearchStrategyResponse, | ||
| } from '../../../../../data_enhanced/common'; | ||
| import { getEqlAggsData, getSequenceAggs } from './helpers'; | ||
| import { EqlPreviewResponse, Source } from './types'; | ||
| import { hasEqlSequenceQuery } from '../../../../common/detection_engine/utils'; | ||
| import { EqlSearchResponse } from '../../../../common/detection_engine/types'; | ||
|
|
||
| interface ApiParams { | ||
| http: HttpStart; | ||
|
|
@@ -29,3 +39,64 @@ export const validateEql = async ({ | |
| signal, | ||
| }); | ||
| }; | ||
|
|
||
| interface AggsParams extends EqlValidationRequest { | ||
| data: DataPublicPluginStart; | ||
| interval: Unit; | ||
| fromTime: string; | ||
| toTime: string; | ||
| signal: AbortSignal; | ||
| } | ||
|
|
||
| export const getEqlPreview = async ({ | ||
| data, | ||
| index, | ||
| interval, | ||
| query, | ||
| fromTime, | ||
| toTime, | ||
| signal, | ||
| }: AggsParams): Promise<EqlPreviewResponse> => { | ||
| try { | ||
| const response = await data.search | ||
| .search<EqlSearchStrategyRequest, EqlSearchStrategyResponse<EqlSearchResponse<Source>>>( | ||
| { | ||
| params: { | ||
| // @ts-expect-error allow_no_indices is missing on EqlSearch | ||
| allow_no_indices: true, | ||
| index: index.join(), | ||
| body: { | ||
| filter: { | ||
| range: { | ||
| '@timestamp': { | ||
|
Should this be using the timestamp override from the rule if available?
At first I thought yes, but we were asked to move the timestamp override field to step 2 and not take it into account here. But maybe we want to reconsider? @marrasherrier @dontcallmesherryli |
||
| gte: toTime, | ||
| lte: fromTime, | ||
|
||
| format: 'strict_date_optional_time', | ||
| }, | ||
| }, | ||
| }, | ||
| query, | ||
| // EQL requires a cap, otherwise it defaults to 10 | ||
| // It also sorts on ascending order, capping it at | ||
| // something smaller like 20, made it so that some of | ||
| // the more recent events weren't returned | ||
| size: 100, | ||
| }, | ||
| }, | ||
| }, | ||
| { | ||
| strategy: 'eql', | ||
| abortSignal: signal, | ||
| } | ||
| ) | ||
| .toPromise(); | ||
|
|
||
| if (hasEqlSequenceQuery(query)) { | ||
| return getSequenceAggs(response, interval, toTime, fromTime); | ||
| } else { | ||
| return getEqlAggsData(response, interval, toTime, fromTime); | ||
| } | ||
| } catch (err) { | ||
| throw new Error(JSON.stringify(err)); | ||
| } | ||
| }; | ||
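Review bot: The `catch (err) { throw new Error(JSON.stringify(err)); }` at the end of getEqlPreview discards the original failure: `JSON.stringify` on an `Error` yields `{}` because `message`, `name` and `stack` are non-enumerable, and an abort triggered via the passed `signal` is rewrapped so callers can no longer tell a cancelled preview from a failed one. Since the function's interface is already `Promise<EqlPreviewResponse>`, prefer to rethrow the error as-is, or if a wrapped error is wanted, `throw err instanceof Error ? err : new Error(String(err));` keeps the message and keeps an `AbortError` identifiable by `name`. Separately, the range filter assigns `gte: toTime` and `lte: fromTime`, and the same order is passed to getSequenceAggs/getEqlAggsData; if `toTime` is indeed the earlier bound in this module's convention, a one-line comment such as `// toTime is the older bound, fromTime the newer (matches the preview helpers)` would save the next reader from assuming these are inverted. getEqlPreview is defined entirely within this hunk.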
This should not affect any component as it is optional. When undefined, no y axis title is shown.