Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FR] Add ES|QL Custom Library for Rule Support #3134

Closed
wants to merge 43 commits into from
Closed

[FR] Add ES|QL Custom Library for Rule Support #3134

wants to merge 43 commits into from

Conversation

terrancedejesus
Copy link
Contributor

@terrancedejesus terrancedejesus commented Sep 26, 2023
edited by Mikaayenson
Loading

Issue

Resolves https://github.com/elastic/ia-trade-team/issues/186

Overview

This is a temporary dev branch for ES|QL exploration and custom library implementation. This PR is meant to stay in draft but serve as delta visualization for ES|QL library implementation and dev.

Related: https://github.com/elastic/ia-trade-team/issues/172

@terrancedejesus terrancedejesus self-assigned this Sep 26, 2023
@terrancedejesus terrancedejesus added the esql ES|QL label Sep 26, 2023
@botelastic
Copy link

botelastic bot commented Nov 25, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Nov 25, 2023
@botelastic botelastic bot removed the stale 60 days of inactivity label Nov 27, 2023
@Mikaayenson Mikaayenson marked this pull request as ready for review November 27, 2023 22:04
@botelastic botelastic bot added Domain: Endpoint OS: Linux python Internal python for the repository schema labels Nov 27, 2023
Mikaayenson
Mikaayenson reviewed Nov 27, 2023
View reviewed changes
detection_rules/devtools.py Outdated
# Define paths
lexer_file = Path(ESQL_DIR) / 'grammar' / 'EsqlBaseLexer.g4'
parser_file = Path(ESQL_DIR) / 'grammar' / 'EsqlBaseParser.g4'
antlr_file = Path(get_path('detection_rules')) / 'etc' / 'antlr-4.13.1-complete.jar'
Copy link
Contributor

@Mikaayenson Mikaayenson Nov 27, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder to myself to delete this and all the checks below.

Mikaayenson and others added 19 commits December 1, 2023 07:49
Mikaayenson
Mikaayenson reviewed Dec 5, 2023
View reviewed changes
rules/integrations/okta/initial_access_success_okta_sso_esql.toml
@@ -0,0 +1,92 @@
[metadata]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Reminder to self: DELETE THIS FILE ⚠️

Mikaayenson
Mikaayenson reviewed Dec 5, 2023
View reviewed changes
tests/test_esql_rules.py
('from .ds-logs-endpoint.events.process-default-* | where process.name like "Microsoft*"',
pytest.raises(ESQLSemanticError), r"ESQL semantic error: Missing metadata for ES|QL query with no stats command"), # noqa: E501

# returns 0 because count on non-forwarded field process.parent.name
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sample unit tests not yet supported.

@eric-forte-elastic
Copy link
Contributor

This is a temporary dev branch for ES|QL exploration and custom library implementation. This PR is meant to stay in draft but serve as delta visualization for ES|QL library implementation and dev.

Should this PR be put back into draft?

eric-forte-elastic
eric-forte-elastic requested changes Jan 29, 2024
View reviewed changes
esql/utils.py
print(Trees.toStringTree(ctx, None, parser))


# def pretty_print_tree(ctx: EsqlBaseParser.SingleStatementContext, indent: int = 0, is_last: bool = True):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reminder, I think we can remove these commented out function headers and add the type hinting to the active headers?

Suggested change
# def pretty_print_tree(ctx: EsqlBaseParser.SingleStatementContext, indent: int = 0, is_last: bool = True):

@Mikaayenson Mikaayenson marked this pull request as draft February 7, 2024 14:55
@botelastic
Copy link

botelastic bot commented Apr 7, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Apr 7, 2024
@botelastic
Copy link

botelastic bot commented Apr 14, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this Apr 14, 2024
@Mikaayenson Mikaayenson mentioned this pull request Dec 4, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mikaayenson Mikaayenson Mikaayenson left review comments

@eric-forte-elastic eric-forte-elastic eric-forte-elastic requested changes

@brokensound77 brokensound77 Awaiting requested review from brokensound77

Assignees

@Mikaayenson Mikaayenson

@terrancedejesus terrancedejesus

Labels
backport: auto Domain: Cloud Domain: Endpoint esql ES|QL Integration: Okta okta related rules OS: Linux python Internal python for the repository schema stale 60 days of inactivity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@terrancedejesus @Mikaayenson @eric-forte-elastic