From 072c70dc99a0cb239a9617414f4d4c72a62c7822 Mon Sep 17 00:00:00 2001
From: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
Date: Wed, 16 Nov 2022 10:17:40 -0500
Subject: [PATCH] [Security Solution] Investigation guide - insights in
markdown (#145240)
## Summary
This pr adds a new parsing plugin to the EuiMarkdownEditor used in
security solution that enables users to create run time queries that can
be parameterized from alert data, or hard coded literal values. A count
of the matching events is displayed in a button that when clicked will
open the same event set in timeline. Markdown is expected to be in the
following format:
`!{insight{"description":"2 top level OR providers, 1 nested
AND","label":"test insight", "providers": [[{ "field": "event.id",
"value": "kibana.alert.original_event.id", "type": "parameter" }], [{
"field": "event.category", "value": "network", "type": "literal" },
{"field": "process.pid", "value": "process.pid", "type":
"parameter"}]]}}`
The 2d array is used to allow nested queries, the top level arrays are
OR'ed together, and the inner array AND'ed together:
Following a prefix of !insight, the configuration object takes optional
description and label strings, along with a 2 dimensional array called
"providers". This value corresponds to what are called data providers in
the timeline view,
and are arrays of filters with 3 fields, "field" which is the field name
for that part of the query clause, "value" which is the value to be
used, and "type" which is either "parameter" or "literal". Filters of
type parameter expect value to be the name of a field present in an
alert document, and will use the value in the underlying document if
found. If the field is not present for some reason, a wildcard is used.
If the markdown is rendered in a context not tied to a specific alert,
parameter fields are treated as a timeline template field.
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
---
.../cypress/e2e/timelines/notes_tab.cy.ts | 8 +
.../cypress/screens/timeline.ts | 3 +
.../cypress/tasks/timeline.ts | 6 +-
.../table/investigate_in_timeline_button.tsx | 50 ++++--
.../markdown_editor/plugins/index.ts | 3 +
.../markdown_editor/plugins/insight/index.tsx | 146 ++++++++++++++++++
.../use_insight_data_providers.test.ts | 132 ++++++++++++++++
.../insight/use_insight_data_providers.ts | 114 ++++++++++++++
.../plugins/insight/use_insight_query.test.ts | 46 ++++++
.../plugins/insight/use_insight_query.ts | 79 ++++++++++
.../markdown_editor/plugins/osquery/index.tsx | 1 +
.../components/markdown_editor/renderer.tsx | 1 -
.../side_panel/event_details/helpers.tsx | 4 +-
.../public/timelines/containers/index.tsx | 20 +--
.../common/search_strategy/timeline/index.ts | 2 +-
.../search_strategy/timeline/eql/helpers.ts | 22 +--
.../timeline/factory/events/all/index.ts | 1 +
.../events/all/query.events_all.dsl.ts | 1 -
18 files changed, 599 insertions(+), 40 deletions(-)
create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/index.tsx
create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts
create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts
create mode 100644 x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts
diff --git a/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts b/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts
index c20a4ae39026d..a6691225808ef 100644
--- a/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts
+++ b/x-pack/plugins/security_solution/cypress/e2e/timelines/notes_tab.cy.ts
@@ -13,6 +13,7 @@ import {
NOTES_LINK,
NOTES_TEXT,
NOTES_TEXT_AREA,
+ MARKDOWN_INVESTIGATE_BUTTON,
} from '../../screens/timeline';
import { createTimeline } from '../../tasks/api_calls/timelines';
@@ -84,4 +85,11 @@ describe('Timeline notes tab', () => {
cy.get(NOTES_LINK).last().should('have.text', `${text}(opens in a new tab or window)`);
cy.get(NOTES_LINK).last().click();
});
+
+ it('should render insight query from markdown', () => {
+ addNotesToTimeline(
+ `!{insight{"description":"2 top level OR providers, 1 nested AND","label":"test insight", "providers": [[{ "field": "event.id", "value": "kibana.alert.original_event.id", "type": "parameter" }], [{ "field": "event.category", "value": "network", "type": "literal" }, {"field": "process.pid", "value": "process.pid", "type": "parameter"}]]}}`
+ );
+ cy.get(MARKDOWN_INVESTIGATE_BUTTON).should('exist');
+ });
});
diff --git a/x-pack/plugins/security_solution/cypress/screens/timeline.ts b/x-pack/plugins/security_solution/cypress/screens/timeline.ts
index 529847261e06d..59c8d6a4103f7 100644
--- a/x-pack/plugins/security_solution/cypress/screens/timeline.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/timeline.ts
@@ -90,6 +90,9 @@ export const NOTES_AUTHOR = '.euiCommentEvent__headerUsername';
export const NOTES_LINK = '[data-test-subj="markdown-link"]';
+export const MARKDOWN_INVESTIGATE_BUTTON =
+ '[data-test-subj="insight-investigate-in-timeline-button"]';
+
export const OPEN_TIMELINE_ICON = '[data-test-subj="open-timeline-button"]';
export const OPEN_TIMELINE_MODAL = '[data-test-subj="open-timeline-modal"]';
diff --git a/x-pack/plugins/security_solution/cypress/tasks/timeline.ts b/x-pack/plugins/security_solution/cypress/tasks/timeline.ts
index 1ff04833db2a4..76a512a6fcb88 100644
--- a/x-pack/plugins/security_solution/cypress/tasks/timeline.ts
+++ b/x-pack/plugins/security_solution/cypress/tasks/timeline.ts
@@ -161,7 +161,11 @@ export const addNotesToTimeline = (notes: string) => {
.then(($el) => {
const notesCount = parseInt($el.text(), 10);
- cy.get(NOTES_TEXT_AREA).type(notes);
+ cy.get(NOTES_TEXT_AREA).type(notes, {
+ parseSpecialCharSequences: false,
+ delay: 0,
+ force: true,
+ });
cy.get(ADD_NOTE_BUTTON).trigger('click');
cy.get(`${NOTES_TAB_BUTTON} .euiBadge`).should('have.text', `${notesCount + 1}`);
});
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/table/investigate_in_timeline_button.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/table/investigate_in_timeline_button.tsx
index 820488225e17b..3c095c5ed87da 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/table/investigate_in_timeline_button.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/table/investigate_in_timeline_button.tsx
@@ -5,13 +5,14 @@
* 2.0.
*/
-import React, { useMemo } from 'react';
+import React, { useMemo, useCallback } from 'react';
import { EuiButton, EuiButtonEmpty } from '@elastic/eui';
import type { Filter } from '@kbn/es-query';
import { useDispatch } from 'react-redux';
import { sourcererSelectors } from '../../../store';
import { InputsModelId } from '../../../store/inputs/constants';
+import type { TimeRange } from '../../../store/inputs/model';
import { inputsActions } from '../../../store/inputs';
import { updateProviders, setFilters } from '../../../../timelines/store/timeline/actions';
import { sourcererActions } from '../../../store/actions';
@@ -26,7 +27,10 @@ export const InvestigateInTimelineButton: React.FunctionComponent<{
asEmptyButton: boolean;
dataProviders: DataProvider[] | null;
filters?: Filter[] | null;
-}> = ({ asEmptyButton, children, dataProviders, filters, ...rest }) => {
+ timeRange?: TimeRange;
+ keepDataView?: boolean;
+ isDisabled?: boolean;
+}> = ({ asEmptyButton, children, dataProviders, filters, timeRange, keepDataView, ...rest }) => {
const dispatch = useDispatch();
const getDataViewsSelector = useMemo(
@@ -37,15 +41,24 @@ export const InvestigateInTimelineButton: React.FunctionComponent<{
getDataViewsSelector(state)
);
+ const hasTemplateProviders =
+ dataProviders && dataProviders.find((provider) => provider.type === 'template');
+
const clearTimeline = useCreateTimeline({
timelineId: TimelineId.active,
- timelineType: TimelineType.default,
+ timelineType: hasTemplateProviders ? TimelineType.template : TimelineType.default,
});
- const configureAndOpenTimeline = React.useCallback(() => {
+ const configureAndOpenTimeline = useCallback(() => {
if (dataProviders || filters) {
// Reset the current timeline
- clearTimeline();
+ if (timeRange) {
+ clearTimeline({
+ timeRange,
+ });
+ } else {
+ clearTimeline();
+ }
if (dataProviders) {
// Update the timeline's providers to match the current prevalence field query
dispatch(
@@ -66,17 +79,28 @@ export const InvestigateInTimelineButton: React.FunctionComponent<{
}
// Only show detection alerts
// (This is required so the timeline event count matches the prevalence count)
- dispatch(
- sourcererActions.setSelectedDataView({
- id: SourcererScopeName.timeline,
- selectedDataViewId: defaultDataView.id,
- selectedPatterns: [signalIndexName || ''],
- })
- );
+ if (!keepDataView) {
+ dispatch(
+ sourcererActions.setSelectedDataView({
+ id: SourcererScopeName.timeline,
+ selectedDataViewId: defaultDataView.id,
+ selectedPatterns: [signalIndexName || ''],
+ })
+ );
+ }
// Unlock the time range from the global time range
dispatch(inputsActions.removeLinkTo([InputsModelId.timeline, InputsModelId.global]));
}
- }, [dataProviders, clearTimeline, dispatch, defaultDataView.id, signalIndexName, filters]);
+ }, [
+ dataProviders,
+ clearTimeline,
+ dispatch,
+ defaultDataView.id,
+ signalIndexName,
+ filters,
+ timeRange,
+ keepDataView,
+ ]);
return asEmptyButton ? (
{
+ return value.indexOf(insightPrefix, fromIndex);
+ };
+ tokenizers.insight = tokenizeInsight;
+ methods.splice(methods.indexOf('text'), 0, 'insight');
+};
+
+// receives the configuration from the parser and renders
+const InsightComponent = ({ label, description, providers }: InsightComponentProps) => {
+ const { addError } = useAppToasts();
+ let parsedProviders = [];
+ try {
+ if (providers !== undefined) {
+ parsedProviders = JSON.parse(providers);
+ }
+ } catch (err) {
+ addError(err, {
+ title: i18n.translate('xpack.securitySolution.markdownEditor.plugins.insightProviderError', {
+ defaultMessage: 'Unable to parse insight provider configuration',
+ }),
+ });
+ }
+ const { data: alertData } = useContext(BasicAlertDataContext);
+ const dataProviders = useInsightDataProviders({
+ providers: parsedProviders,
+ alertData,
+ });
+ const { totalCount, isQueryLoading, oldestTimestamp, hasError } = useInsightQuery({
+ dataProviders,
+ });
+ const timerange: AbsoluteTimeRange = useMemo(() => {
+ return {
+ kind: 'absolute',
+ from: oldestTimestamp ?? '',
+ to: new Date().toISOString(),
+ };
+ }, [oldestTimestamp]);
+ if (isQueryLoading) {
+ return ;
+ } else {
+ return (
+
+
+ {` ${label} (${totalCount}) - ${description}`}
+
+ );
+ }
+};
+
+export { InsightComponent as renderer };
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts
new file mode 100644
index 0000000000000..8542c445b5d14
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.test.ts
@@ -0,0 +1,132 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { renderHook } from '@testing-library/react-hooks';
+import type { DataProvider } from '@kbn/timelines-plugin/common';
+import type { UseInsightDataProvidersProps, Provider } from './use_insight_data_providers';
+import type { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy';
+import { useInsightDataProviders } from './use_insight_data_providers';
+import { mockAlertDetailsData } from '../../../event_details/__mocks__';
+
+const mockAlertDetailsDataWithIsObject = mockAlertDetailsData.map((detail) => {
+ return {
+ ...detail,
+ isObjectArray: false,
+ };
+}) as TimelineEventsDetailsItem[];
+
+const nestedAndProvider = [
+ [
+ {
+ field: 'event.id',
+ value: 'kibana.alert.rule.uuid',
+ type: 'parameter',
+ },
+ ],
+ [
+ {
+ field: 'event.category',
+ value: 'network',
+ type: 'literal',
+ },
+ {
+ field: 'process.pid',
+ value: 'process.pid',
+ type: 'parameter',
+ },
+ ],
+] as Provider[][];
+
+const topLevelOnly = [
+ [
+ {
+ field: 'event.id',
+ value: 'kibana.alert.rule.uuid',
+ type: 'parameter',
+ },
+ ],
+ [
+ {
+ field: 'event.category',
+ value: 'network',
+ type: 'literal',
+ },
+ ],
+ [
+ {
+ field: 'process.pid',
+ value: 'process.pid',
+ type: 'parameter',
+ },
+ ],
+] as Provider[][];
+
+const nonExistantField = [
+ [
+ {
+ field: 'event.id',
+ value: 'kibana.alert.rule.parameters.threshold.field',
+ type: 'parameter',
+ },
+ ],
+] as Provider[][];
+
+describe('useInsightDataProviders', () => {
+ it('should return 2 data providers, 1 with a nested provider ANDed to it', () => {
+ const { result } = renderHook(() =>
+ useInsightDataProviders({
+ providers: nestedAndProvider,
+ alertData: mockAlertDetailsDataWithIsObject,
+ })
+ );
+ const providers = result.current;
+ const providersWithNonEmptyAnd = providers.filter((provider) => provider.and.length > 0);
+ expect(providers.length).toBe(2);
+ expect(providersWithNonEmptyAnd.length).toBe(1);
+ });
+
+ it('should return 3 data providers without any containing nested ANDs', () => {
+ const { result } = renderHook(() =>
+ useInsightDataProviders({
+ providers: topLevelOnly,
+ alertData: mockAlertDetailsDataWithIsObject,
+ })
+ );
+ const providers = result.current;
+ const providersWithNonEmptyAnd = providers.filter((provider) => provider.and.length > 0);
+ expect(providers.length).toBe(3);
+ expect(providersWithNonEmptyAnd.length).toBe(0);
+ });
+
+ it('should use a wildcard for a field not present in an alert', () => {
+ const { result } = renderHook(() =>
+ useInsightDataProviders({
+ providers: nonExistantField,
+ alertData: mockAlertDetailsDataWithIsObject,
+ })
+ );
+ const providers = result.current;
+ const {
+ queryMatch: { value },
+ } = providers[0];
+ expect(providers.length).toBe(1);
+ expect(value).toBe('*');
+ });
+
+ it('should use template data providers when called without alertData', () => {
+ const { result } = renderHook(() =>
+ useInsightDataProviders({
+ providers: nestedAndProvider,
+ })
+ );
+ const providers = result.current;
+ const [first, second] = providers;
+ const [nestedSecond] = second.and;
+ expect(second.type).toBe('default');
+ expect(first.type).toBe('template');
+ expect(nestedSecond.type).toBe('template');
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
new file mode 100644
index 0000000000000..5c5de496b04b5
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_data_providers.ts
@@ -0,0 +1,114 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo } from 'react';
+import type { QueryOperator, DataProvider } from '@kbn/timelines-plugin/common';
+import { DataProviderType } from '@kbn/timelines-plugin/common';
+import { IS_OPERATOR } from '../../../../../timelines/components/timeline/data_providers/data_provider';
+import type { TimelineEventsDetailsItem } from '../../../../../../common/search_strategy';
+
+export interface Provider {
+ field: string;
+ value: string;
+ type: 'parameter' | 'value';
+}
+export interface UseInsightDataProvidersProps {
+ providers: Provider[][];
+ alertData?: TimelineEventsDetailsItem[] | null;
+}
+
+export const useInsightDataProviders = ({
+ providers,
+ alertData,
+}: UseInsightDataProvidersProps): DataProvider[] => {
+ function getFieldValue(fields: TimelineEventsDetailsItem[], fieldToFind: string) {
+ const alertField = fields.find((dataField) => dataField.field === fieldToFind);
+ return alertField?.values ? alertField.values[0] : '*';
+ }
+ const dataProviders: DataProvider[] = useMemo(() => {
+ if (alertData) {
+ return providers.map((innerProvider) => {
+ return innerProvider.reduce((prev, next, index): DataProvider => {
+ const { field, value, type } = next;
+ if (index === 0) {
+ return {
+ and: [],
+ enabled: true,
+ id: JSON.stringify(field + value + type),
+ name: field,
+ excluded: false,
+ kqlQuery: '',
+ type: DataProviderType.default,
+ queryMatch: {
+ field,
+ value: type === 'parameter' ? getFieldValue(alertData, value) : value,
+ operator: IS_OPERATOR as QueryOperator,
+ },
+ };
+ } else {
+ const newProvider = {
+ and: [],
+ enabled: true,
+ id: JSON.stringify(field + value + type),
+ name: field,
+ excluded: false,
+ kqlQuery: '',
+ type: DataProviderType.default,
+ queryMatch: {
+ field,
+ value: type === 'parameter' ? getFieldValue(alertData, value) : value,
+ operator: IS_OPERATOR as QueryOperator,
+ },
+ };
+ prev.and.push(newProvider);
+ }
+ return prev;
+ }, {} as DataProvider);
+ });
+ } else {
+ return providers.map((innerProvider) => {
+ return innerProvider.reduce((prev, next, index) => {
+ const { field, value, type } = next;
+ if (index === 0) {
+ return {
+ and: [],
+ enabled: true,
+ id: JSON.stringify(field + value + type),
+ name: field,
+ excluded: false,
+ kqlQuery: '',
+ type: type === 'parameter' ? DataProviderType.template : DataProviderType.default,
+ queryMatch: {
+ field,
+ value: type === 'parameter' ? `{${value}}` : value,
+ operator: IS_OPERATOR as QueryOperator,
+ },
+ };
+ } else {
+ const newProvider = {
+ and: [],
+ enabled: true,
+ id: JSON.stringify(field + value + type),
+ name: field,
+ excluded: false,
+ kqlQuery: '',
+ type: type === 'parameter' ? DataProviderType.template : DataProviderType.default,
+ queryMatch: {
+ field,
+ value: type === 'parameter' ? `{${value}}` : value,
+ operator: IS_OPERATOR as QueryOperator,
+ },
+ };
+ prev.and.push(newProvider);
+ }
+ return prev;
+ }, {} as DataProvider);
+ });
+ }
+ }, [alertData, providers]);
+ return dataProviders;
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts
new file mode 100644
index 0000000000000..74942f0f4ad38
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.test.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { renderHook } from '@testing-library/react-hooks';
+import type { QueryOperator } from '@kbn/timelines-plugin/common';
+import { DataProviderType } from '@kbn/timelines-plugin/common';
+import { useInsightQuery } from './use_insight_query';
+import { TestProviders } from '../../../../mock';
+import type { UseInsightQuery, UseInsightQueryResult } from './use_insight_query';
+import { IS_OPERATOR } from '../../../../../timelines/components/timeline/data_providers/data_provider';
+
+const mockProvider = {
+ and: [],
+ enabled: true,
+ id: 'made-up-id',
+ name: 'test',
+ excluded: false,
+ kqlQuery: '',
+ type: DataProviderType.default,
+ queryMatch: {
+ field: 'event.id',
+ value: '*',
+ operator: IS_OPERATOR as QueryOperator,
+ },
+};
+
+describe('useInsightQuery', () => {
+ it('should return renderable defaults', () => {
+ const { result } = renderHook(
+ () =>
+ useInsightQuery({
+ dataProviders: [mockProvider],
+ }),
+ {
+ wrapper: TestProviders,
+ }
+ );
+ const { isQueryLoading, totalCount, oldestTimestamp } = result.current;
+ expect(isQueryLoading).toBeFalsy();
+ expect(totalCount).toBe(-1);
+ expect(oldestTimestamp).toBe(undefined);
+ });
+});
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts
new file mode 100644
index 0000000000000..e7836cd6cd3ad
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/insight/use_insight_query.ts
@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useMemo, useState } from 'react';
+import { getEsQueryConfig } from '@kbn/data-plugin/common';
+import type { DataProvider } from '@kbn/timelines-plugin/common';
+import { TimelineId } from '../../../../../../common/types/timeline';
+import { useKibana } from '../../../../lib/kibana';
+import { combineQueries } from '../../../../lib/kuery';
+import { useTimelineEvents } from '../../../../../timelines/containers';
+import { useSourcererDataView } from '../../../../containers/sourcerer';
+import { SourcererScopeName } from '../../../../store/sourcerer/model';
+
+export interface UseInsightQuery {
+ dataProviders: DataProvider[];
+}
+
+export interface UseInsightQueryResult {
+ isQueryLoading: boolean;
+ totalCount: number;
+ oldestTimestamp: string | null | undefined;
+ hasError: boolean;
+}
+
+export const useInsightQuery = ({ dataProviders }: UseInsightQuery): UseInsightQueryResult => {
+ const { uiSettings } = useKibana().services;
+ const esQueryConfig = useMemo(() => getEsQueryConfig(uiSettings), [uiSettings]);
+ const { browserFields, selectedPatterns, indexPattern, dataViewId } = useSourcererDataView(
+ SourcererScopeName.timeline
+ );
+ const [hasError, setHasError] = useState(false);
+ const combinedQueries = useMemo(() => {
+ try {
+ if (hasError === false) {
+ const parsedCombinedQueries = combineQueries({
+ config: esQueryConfig,
+ dataProviders,
+ indexPattern,
+ browserFields,
+ filters: [],
+ kqlQuery: {
+ query: '',
+ language: 'kuery',
+ },
+ kqlMode: 'filter',
+ });
+ return parsedCombinedQueries;
+ }
+ } catch (err) {
+ setHasError(true);
+ return null;
+ }
+ }, [browserFields, dataProviders, esQueryConfig, hasError, indexPattern]);
+
+ const [isQueryLoading, { events, totalCount }] = useTimelineEvents({
+ dataViewId,
+ fields: ['*'],
+ filterQuery: combinedQueries?.filterQuery,
+ id: TimelineId.active,
+ indexNames: selectedPatterns,
+ language: 'kuery',
+ limit: 1,
+ runtimeMappings: {},
+ });
+ const [oldestEvent] = events;
+ const timestamp =
+ oldestEvent && oldestEvent.data && oldestEvent.data.find((d) => d.field === '@timestamp');
+ const oldestTimestamp = timestamp && timestamp.value && timestamp.value[0];
+ return {
+ isQueryLoading,
+ totalCount,
+ oldestTimestamp,
+ hasError,
+ };
+};
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/osquery/index.tsx b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/osquery/index.tsx
index 3d046e349de31..d65405cd1c48f 100644
--- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/osquery/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins/osquery/index.tsx
@@ -258,6 +258,7 @@ const RunOsqueryButtonRenderer = ({
label?: string;
query: string;
ecs_mapping: { [key: string]: {} };
+ test: [];
};
}) => {
const [showFlyout, setShowFlyout] = useState(false);
diff --git a/x-pack/plugins/security_solution/public/common/components/markdown_editor/renderer.tsx b/x-pack/plugins/security_solution/public/common/components/markdown_editor/renderer.tsx
index 6dcb93321056e..449e2adee8bf8 100644
--- a/x-pack/plugins/security_solution/public/common/components/markdown_editor/renderer.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/markdown_editor/renderer.tsx
@@ -24,7 +24,6 @@ const MarkdownRendererComponent: React.FC = ({ children, disableLinks })
() => (props) => ,
[disableLinks]
);
-
// Deep clone of the processing plugins to prevent affecting the markdown editor.
const processingPluginList = cloneDeep(processingPlugins);
// This line of code is TS-compatible and it will break if [1][1] change in the future.
diff --git a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx
index 6bee089027477..f91a9eed0d165 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/helpers.tsx
@@ -19,6 +19,7 @@ export interface GetBasicDataFromDetailsData {
userName: string;
ruleName: string;
timestamp: string;
+ data: TimelineEventsDetailsItem[] | null;
}
export const useBasicDataFromDetailsData = (
@@ -62,8 +63,9 @@ export const useBasicDataFromDetailsData = (
userName,
ruleName,
timestamp,
+ data,
}),
- [agentId, alertId, hostName, isAlert, ruleName, timestamp, userName]
+ [agentId, alertId, hostName, isAlert, ruleName, timestamp, userName, data]
);
};
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
index 5324c02fcbfdf..55c8d2cad65bc 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
@@ -81,7 +81,7 @@ type TimelineResponse = T extends 'kuery'
export interface UseTimelineEventsProps {
dataViewId: string | null;
- endDate: string;
+ endDate?: string;
eqlOptions?: EqlOptionsSelected;
fields: string[];
filterQuery?: ESQuery | string;
@@ -92,7 +92,7 @@ export interface UseTimelineEventsProps {
runtimeMappings: MappingRuntimeFields;
skip?: boolean;
sort?: TimelineRequestSortField[];
- startDate: string;
+ startDate?: string;
timerangeKind?: 'absolute' | 'relative';
}
@@ -360,17 +360,17 @@ export const useTimelineEventsHandler = ({
...deStructureEqlOptions(prevEqlRequest),
};
+ const timerange =
+ startDate && endDate
+ ? { timerange: { interval: '12h', from: startDate, to: endDate } }
+ : {};
const currentSearchParameters = {
defaultIndex: indexNames,
filterQuery: createFilter(filterQuery),
querySize: limit,
sort,
- timerange: {
- interval: '12h',
- from: startDate,
- to: endDate,
- },
runtimeMappings,
+ ...timerange,
...deStructureEqlOptions(eqlOptions),
};
@@ -391,11 +391,7 @@ export const useTimelineEventsHandler = ({
language,
runtimeMappings,
sort,
- timerange: {
- interval: '12h',
- from: startDate,
- to: endDate,
- },
+ ...timerange,
...(eqlOptions ? eqlOptions : {}),
};
diff --git a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
index dfdc1ed3eabd4..a5856169a5748 100644
--- a/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
+++ b/x-pack/plugins/timelines/common/search_strategy/timeline/index.ts
@@ -32,7 +32,7 @@ export * from './events';
export type TimelineFactoryQueryTypes = TimelineEventsQueries;
export interface TimelineRequestBasicOptions extends IEsSearchRequest {
- timerange: TimerangeInput;
+ timerange?: TimerangeInput;
filterQuery: ESQuery | string | undefined;
defaultIndex: string[];
factoryQueryType?: TimelineFactoryQueryTypes;
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
index 5424568c44a70..e9a2ef7e49cda 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/eql/helpers.ts
@@ -27,17 +27,19 @@ export const buildEqlDsl = (options: TimelineEqlRequestOptions): Record = {
// eslint-disable-next-line prefer-const
let { fieldRequested, ...queryOptions } = cloneDeep(options);
queryOptions.fields = buildFieldsRequest(fieldRequested, queryOptions.excludeEcsData);
+
const { activePage, querySize } = options.pagination;
const producerBuckets = getOr([], 'aggregations.producers.buckets', response.rawResponse);
const totalCount = response.rawResponse.hits.total || 0;
diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
index 9f6902c65f639..5ae88bcf6f460 100644
--- a/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
+++ b/x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts
@@ -28,7 +28,6 @@ export const buildTimelineEventsAllQuery = ({
timerange,
}: Omit) => {
const filterClause = [...createQueryFilterClauses(filterQuery)];
-
const getTimerangeFilter = (timerangeOption: TimerangeInput | undefined): TimerangeFilter[] => {
if (timerangeOption) {
const { to, from } = timerangeOption;