[Security Solutions][Detection Engine] Throws date time format errors on custom mappings #79865
Labels: bug (Fixes for quality problems that affect the customer experience), Feature:Detection Rules (Security Solution rules and Detection Engine), v7.10.0, v7.11.0, v8.0.0
Comments
FrankHassanabad added the v7.10.0, v7.11.0, v8.0.0, Feature:Detection Rules (Security Solution rules and Detection Engine) and bug (Fixes for quality problems that affect the customer experience) labels on Oct 7, 2020.
FrankHassanabad added a commit that referenced this issue on Oct 8, 2020:

> …79911)
>
> ## Summary
>
> Fixes #79865
>
> Also fixes:
>
> * Timestamp override not being pushed down into threshold rules to use
> * Timestamp override not being used for lastValidDate
> * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
> * Fixes one small type issue with fields.
>
> ### Checklist
>
> Delete any items that are not applicable to this PR.
>
> - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this issue on Oct 8, 2020:

> …lastic#79911)
>
> ## Summary
>
> Fixes elastic#79865
>
> Also fixes:
>
> * Timestamp override not being pushed down into threshold rules to use
> * Timestamp override not being used for lastValidDate
> * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
> * Fixes one small type issue with fields.
>
> ### Checklist
>
> Delete any items that are not applicable to this PR.
>
> - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit that referenced this issue on Oct 8, 2020:

> …79911) (#79965)
>
> ## Summary
>
> Fixes #79865
>
> Also fixes:
>
> * Timestamp override not being pushed down into threshold rules to use
> * Timestamp override not being used for lastValidDate
> * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
> * Fixes one small type issue with fields.
>
> ### Checklist
>
> Delete any items that are not applicable to this PR.
>
> - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit that referenced this issue on Oct 8, 2020:

> …79911) (#79964)
>
> ## Summary
>
> Fixes #79865
>
> Also fixes:
>
> * Timestamp override not being pushed down into threshold rules to use
> * Timestamp override not being used for lastValidDate
> * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
> * Fixes one small type issue with fields.
>
> ### Checklist
>
> Delete any items that are not applicable to this PR.
>
> - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Kibana version: 7.9.0+
Describe the bug:
When you have a custom timestamp mapping and run the detection engine against that mapping, it can produce errors or it cannot detect signals, depending on what the timestamp happens to be.

Solution is to use `format` everywhere in ranges:
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-range-query.html

Such as here:
https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_events_query.ts#L40-L46

Likewise docValues for when we pull the `@timestamp` out:
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/search-request-docvalue-fields.html
Steps to reproduce:
Add an epoch mapping and then get a valid epoch from here:
https://www.epochconverter.com/

Then create a detection rule against the index and you will see:
Errors:
Expected behavior:
No errors; the rule works as expected if the custom mapping is Epoch.
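The two-part fix the issue points at (a `format` on the range filter, and a `format` on the `docvalue_fields` used to pull `@timestamp` back out), written out as an added example that is not Kibana's own `build_events_query.ts`. The function names, the `size`, the `sort` clause and the `toIsoDate` helper are assumptions for illustration; the `format` value `strict_date_optional_time` is a standard Elasticsearch date format.

```typescript
// Added example, not Kibana's own code. Mirrors the fix the issue asks for:
// pin the date format in both the range filter and docvalue_fields so a
// custom (e.g. epoch_millis) timestamp mapping neither breaks parsing of the
// rule's time window nor changes the shape of the value handed back.
const DATE_FORMAT = 'strict_date_optional_time';

// from/to are ISO-8601 strings; `format` tells Elasticsearch how to parse
// them independently of the field's mapping. The override, when set,
// replaces @timestamp as the field the time window applies to.
function buildEventsQuery(
  index: string[],
  from: string,
  to: string,
  filter: unknown,
  timestampOverride?: string
) {
  const timestamp = timestampOverride !== undefined ? timestampOverride : '@timestamp';
  const rangeFilter = {
    range: { [timestamp]: { gte: from, lte: to, format: DATE_FORMAT } },
  };
  // Pull @timestamp and the override (when it differs) back in one known format.
  const fields = timestamp === '@timestamp' ? ['@timestamp'] : ['@timestamp', timestamp];
  return {
    index,
    ignore_unavailable: true,
    body: {
      query: { bool: { filter: [filter, rangeFilter] } },
      size: 100,
      sort: [{ [timestamp]: { order: 'asc' } }],
      docvalue_fields: fields.map((field) => ({ field, format: DATE_FORMAT })),
    },
  };
}

// Defensive normalisation for a value read back from a hit: without the
// docvalue format, an epoch_millis mapping yields digits (number or string)
// rather than ISO-8601. Returns an ISO string, or undefined if unparseable.
function toIsoDate(value: unknown): string | undefined {
  if (typeof value === 'number' && isFinite(value)) {
    return new Date(value).toISOString();
  }
  if (typeof value === 'string') {
    const ms = /^\d+$/.test(value) ? Number(value) : Date.parse(value);
    return isNaN(ms) ? undefined : new Date(ms).toISOString();
  }
  return undefined;
}
```

With the `format` on `docvalue_fields` in place, `toIsoDate` only ever sees ISO-8601 strings; it is kept as a guard for results from older queries that did not request a format.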