Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] includes missing data with preview #119253

Closed
wants to merge 1 commit into from

Conversation

ecezalp
Copy link
Contributor

@ecezalp ecezalp commented Nov 19, 2021

Summary

Previously preview UI in the create rule flow didn't display events that were lacking an event.category field. This change ensures that the events that are without a category can still be previewed.

Testing scenario

  • Create an event in a test-index that does not have an event.category field.
  • Confirm that when previewing any rule that matches the event, the event appears in the preview UI.

Checklist

Delete any items that are not applicable to this PR.

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk Probability Severity Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space. Low High Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. High Low Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled. Medium High Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

@ecezalp ecezalp added bug Fixes for quality problems that affect the customer experience release_note:fix v8.0.0 impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. auto-backport Deprecated - use backport:version if exact versions are needed labels Nov 19, 2021
@ecezalp ecezalp requested review from a team November 19, 2021 22:58
@ecezalp ecezalp self-assigned this Nov 19, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Copy link
Contributor

@dplumlee dplumlee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like it works for me 👍

@kibana-ci
Copy link
Collaborator

kibana-ci commented Nov 20, 2021

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Security Solution Tests / Detection rules, threshold Preview results of "ip" using "source.ip"
  • [job] [logs] Security Solution Tests / Detection rules, threshold Preview results of "ip" using "source.ip"

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.5MB 4.5MB +22.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ecezalp

@ecezalp
Copy link
Contributor Author

ecezalp commented Nov 23, 2021

investigating this a bit more as it looks like having the isMissingData boolean turned on for non-keyword fields can return 0 results with illegal_argument_exception which is bad.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. release_note:fix Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants