Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Grouping - fix null group missing #155763

Merged
merged 31 commits into from
Apr 27, 2023
Merged

[Security Solution] Grouping - fix null group missing #155763

merged 31 commits into from
Apr 27, 2023

Conversation

stephmilovic
Copy link
Contributor

@stephmilovic stephmilovic commented Apr 25, 2023
edited by kibanamachine
Loading

Adjusts the grouping query to include a "missing" group in the groupByFields bucket results. The "missing" field in the terms aggregation needs to match the field's es type. A helper function, getFieldTypeMissingValue, assigns this value according to the es type. In order to avoid leaving out events that are equivalent with the default value, we are checking 2 default values. This looks like:

    groupByFields: {
      multi_terms: {
        terms: [
          {
            field: groupByField,
            missing: getFieldTypeMissingValues(selectedGroupEsTypes)[0],
          },
          {
            field: groupByField,
            missing: getFieldTypeMissingValues(selectedGroupEsTypes)[1],
          },
        ],
        size: MAX_QUERY_SIZE,
      }
        ...

Once we get the response, we use parseGroupingQuery . For each group, it checks if the elements of the key property are equal. If they are, it sets the key/key_as_string properties to an array with the first element of key, the grouping field, and sets the isNullGroup property to false. If they are not equal, it sets the key to -, and isNullGroup to true. This is so that we have a flag in the UI for the "missing" group.

This is what it looks like in the UI:

user.name

Screenshot 2023-04-25 at 4 57 55 PM

source.ip

Screenshot 2023-04-26 at 11 26 34 AM

@stephmilovic stephmilovic added release_note:skip Skip the PR/issue when compiling release notes Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore v8.8.0 Feature:Alerts Grouping Security Solution Alerts Grouping feature labels Apr 25, 2023
stephmilovic
stephmilovic commented Apr 25, 2023
View reviewed changes
x-pack/plugins/security_solution/public/detections/components/alerts_table/alerts_grouping.tsx
@@ -132,10 +132,6 @@ const GroupedAlertsTableComponent: React.FC<AlertsTableComponentProps> = (props)
setPageIndex((curr) => curr.map(() => DEFAULT_PAGE_INDEX));
}, []);

useEffect(() => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is an unrelated change, but a follow up from the last PR.

@stephmilovic stephmilovic marked this pull request as ready for review April 25, 2023 23:06
@stephmilovic stephmilovic requested review from a team as code owners April 25, 2023 23:06
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

YulNaumenko
YulNaumenko approved these changes Apr 26, 2023
View reviewed changes
Copy link
Contributor

@YulNaumenko YulNaumenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Have a minor comment about nullGroupMessage

stephmilovic
stephmilovic commented Apr 26, 2023
View reviewed changes
packages/kbn-securitysolution-grouping/src/components/grouping.mock.tsx
@@ -24,13 +22,13 @@ export const mockGroupingProps = {
sum_other_doc_count: 0,
buckets: [
{
key: [rule1Name, rule1Desc],
key_as_string: `${rule1Name}|${rule1Desc}`,
key: [host1Name],
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed this to be a host query since its more realistic for testing, rule name will not have a null group.

@stephmilovic
Copy link
Contributor Author

@elasticmachine merge upstream

semd
semd approved these changes Apr 27, 2023
View reviewed changes
Copy link
Contributor

@semd semd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks awesome!! Thanks @stephmilovic
I wrote a couple of minor suggestions, feel free to apply them.
LGTM! 🚀

...lugins/security_solution/public/detections/components/alerts_table/grouping_settings/mock.ts Outdated Show resolved Hide resolved
packages/kbn-securitysolution-grouping/src/containers/query/helpers.ts Outdated Show resolved Hide resolved
packages/kbn-securitysolution-grouping/src/containers/query/index.ts Outdated Show resolved Hide resolved
packages/kbn-securitysolution-grouping/src/containers/query/index.ts Outdated Show resolved Hide resolved
packages/kbn-securitysolution-grouping/src/containers/query/index.ts Outdated Show resolved Hide resolved
@stephmilovic stephmilovic enabled auto-merge (squash) April 27, 2023 15:32
@stephmilovic stephmilovic merged commit 1a39471 into elastic:main Apr 27, 2023
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 3859 3860 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 9.1MB 9.1MB +2.7KB
Unknown metric groups

ESLint disabled line counts

id before after diff
enterpriseSearch 17 19 +2
securitySolution 399 402 +3
total +5

References to deprecated APIs

id before after diff
securitySolution 546 547 +1

Total ESLint disabled count

id before after diff
enterpriseSearch 18 20 +2
securitySolution 479 482 +3
total +5

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine kibanamachine mentioned this pull request Apr 27, 2023
Merged
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.8

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Apr 27, 2023
@stephmilovic
[Security Solution] Grouping - fix null group missing (elastic#155763)
8e7f916 
(cherry picked from commit 1a39471)
kibanamachine added a commit that referenced this pull request Apr 27, 2023
@kibanamachine @stephmilovic
[8.8] [Security Solution] Grouping - fix null group missing (#155763) (
2146881 
…#156115)

# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution] Grouping - fix null group missing
(#155763)](#155763)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Steph
Milovic","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-04-27T20:29:34Z","message":"[Security
Solution] Grouping - fix null group missing
(#155763)","sha":"1a39471214af322cdd66713a8eaae6494b651830","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Threat
Hunting","Team: SecuritySolution","Team:Threat
Hunting:Explore","v8.8.0","Feature:Alerts
Grouping","v8.9.0"],"number":155763,"url":"https://github.com/elastic/kibana/pull/155763","mergeCommit":{"message":"[Security
Solution] Grouping - fix null group missing
(#155763)","sha":"1a39471214af322cdd66713a8eaae6494b651830"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/155763","number":155763,"mergeCommit":{"message":"[Security
Solution] Grouping - fix null group missing
(#155763)","sha":"1a39471214af322cdd66713a8eaae6494b651830"}}]}]
BACKPORT-->

Co-authored-by: Steph Milovic <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YulNaumenko YulNaumenko YulNaumenko approved these changes

@semd semd semd approved these changes

Assignees
No one assigned
Labels
Feature:Alerts Grouping Security Solution Alerts Grouping feature release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore Team:Threat Hunting Security Solution Threat Hunting Team v8.8.0 v8.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@stephmilovic @elasticmachine @kibana-ci @kibanamachine @semd @YulNaumenko