Skip to content

[Security Solution][Detecttions] Indicator enrichment tweaks#92989

Merged
rylnd merged 5 commits intoelastic:masterfrom
rylnd:indicator_followup
Mar 1, 2021
Merged

[Security Solution][Detecttions] Indicator enrichment tweaks#92989
rylnd merged 5 commits intoelastic:masterfrom
rylnd:indicator_followup

Conversation

@rylnd
Copy link
Contributor

@rylnd rylnd commented Feb 28, 2021

Summary

Some minor tweaks for 7.12 indicator enrichment:

  • Modifies copy for indicator config field
  • Adds two additional fields to indicator enrichments: match.id and match.index
    • These fields are intended to be used for debugging indicator match rules; they contain the id and index of the indicator document that matched the source document. As these fields are not currently part of the proposed ECS, they have been left unmapped for now.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@rylnd rylnd added v8.0.0 v7.12.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 28, 2021
@rylnd rylnd self-assigned this Feb 28, 2021
@rylnd rylnd marked this pull request as ready for review March 1, 2021 14:43
@rylnd rylnd requested a review from a team as a code owner March 1, 2021 14:43
@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 1, 2021

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 1, 2021

Pinging @elastic/security-detections-response (Team:Detections and Resp)

dhurley14
dhurley14 approved these changes Mar 1, 2021
View reviewed changes
Copy link
Contributor

@dhurley14 dhurley14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@rylnd
Copy link
Contributor Author

rylnd commented Mar 1, 2021

@elasticmachine merge upstream

@rylnd rylnd added the release_note:skip Skip the PR/issue when compiling release notes label Mar 1, 2021
@kibanamachine
Copy link
Contributor

kibanamachine commented Mar 1, 2021

💛 Build succeeded, but was flaky

Test Failures

Kibana Pipeline / general / adds correctly a filter to the global search bar.SearchBar adds correctly a filter to the global search bar

Link to Jenkins

Stack Trace

Failed Tests Reporter:
  - Test has failed 19 times on tracked branches: https://github.com/elastic/kibana/issues/69595

AssertionError: Timed out retrying after 60000ms: Expected to find element: `[data-test-subj="comboBoxOptionsList filterFieldSuggestionList-optionsList"] button[title="host.ip"] mark`, but never found it.
    at Object.fillAddFilterForm (http://localhost:6121/__cypress/tests?p=cypress/integration/header/search_bar.spec.ts:15733:8)
    at Context.eval (http://localhost:6121/__cypress/tests?p=cypress/integration/header/search_bar.spec.ts:15036:22)

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 7.8MB 7.8MB -1.0B
triggersActionsUi 1.6MB 1.5MB -23.9KB
total -23.9KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
triggersActionsUi 104.0KB 104.1KB +82.0B
Unknown metric groups

async chunk count

id before after diff
triggersActionsUi 41 42 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @rylnd

@rylnd rylnd merged commit a55d8b6 into elastic:master Mar 1, 2021
@rylnd rylnd deleted the indicator_followup branch March 1, 2021 20:57
rylnd added a commit to rylnd/kibana that referenced this pull request Mar 1, 2021
@rylnd @kibanamachine
[Security Solution][Detecttions] Indicator enrichment tweaks (elastic…
5e42d9d 
…#92989)

* Update copy of rule config

* Encode threat index as part of our named query

* Add index to named query, and enrich both id and index

We still need mappings and to fix integration tests, but this generates
the correct data.

* Update integration tests with new enrichment fields

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This was referenced Mar 1, 2021
Merged
Merged
rylnd added a commit to rylnd/kibana that referenced this pull request Mar 1, 2021
@rylnd @kibanamachine
[Security Solution][Detecttions] Indicator enrichment tweaks (elastic…
1c1826a 
…#92989)

* Update copy of rule config

* Encode threat index as part of our named query

* Add index to named query, and enrich both id and index

We still need mappings and to fix integration tests, but this generates
the correct data.

* Update integration tests with new enrichment fields

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
rylnd added a commit that referenced this pull request Mar 1, 2021
@rylnd @kibanamachine
[Security Solution][Detecttions] Indicator enrichment tweaks (#92989) (
ea01ce8 
…#93120)

* Update copy of rule config

* Encode threat index as part of our named query

* Add index to named query, and enrich both id and index

We still need mappings and to fix integration tests, but this generates
the correct data.

* Update integration tests with new enrichment fields

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
rylnd added a commit that referenced this pull request Mar 1, 2021
@rylnd @kibanamachine
[Security Solution][Detecttions] Indicator enrichment tweaks (#92989) (
20a0d82 
…#93121)

* Update copy of rule config

* Encode threat index as part of our named query

* Add index to named query, and enrich both id and index

We still need mappings and to fix integration tests, but this generates
the correct data.

* Update integration tests with new enrichment fields

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
jloleysens added a commit that referenced this pull request Mar 3, 2021
@jloleysens
Merge branch 'ilm/rollup-v2-action' of github.com:elastic/kibana into…
50eed10 
… ilm/rollup-v2-action

* 'ilm/rollup-v2-action' of github.com:elastic/kibana: (30 commits)
  Fix expanding document when using saved search data grid (#92999)
  [SECURITY SOLUTIONS] Bug case connector (#93104)
  [Security Solution] [Timeline] Bugfix to include unmapped fields in the timeline event details JSON (#92025)
  [Alerting][Docs] Changed alerting documentation to point to a single source of explaining the configurations. (#92942)
  [APM] Fix hidden search bar in error pages while loading (#84476) (#93139)
  [DOCS] Fixes links for machine learning alerts (#92744)
  [Security Solution][Detections] -Fixes rule edit flow bug with max_signals (#92748)
  [SecuritySolution][Case] Disable cases on detections in read-only mode (#93010)
  [Security Solution][Case][Bug] Prevent closing collection when pushing (#93095)
  [Security Solution][Detections][7.12] Critical Threshold Rule Fixes (#92667)
  Bump ems landing page to 7.12 (#93065)
  [App Search] Implement various Relevance Tuning states and form actions (#92644)
  [actions] for simplistic email servers, set rejectUnauthorized to false (#91760)
  [Security Solution][Case] Migrate category & subcategory fields of ServiceNow ITSM connector (#93092)
  Hide instances latency distribution chart (#92869)
  [Maps] fix MapboxDraw import from pointing to dist just pointing to folder (#93087)
  [Maps] fix results trimmed tooltip message doubles feature count for line and polygon features (#92932)
  [Security Solution][Detecttions] Indicator enrichment tweaks (#92989)
  [Maps] fix fit to data on heatmap not working (#92697)
  [Security Solution][Endpoint][Admin] Fixes policy sticky footer save test (#92919)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhurley14 dhurley14 dhurley14 approved these changes

Assignees

@rylnd rylnd

Labels

release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.12.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rylnd @elasticmachine @kibanamachine @dhurley14