[Security Solution] fix from-to values investigate in timeline pulled from timestamp instead of @timestamp field #156884
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… from timestamp instead of @timestamp field
PhilippeOberti
added
Team:Threat Hunting
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
To update your PR or re-run it, just comment with: |
michaelolo24
approved these changes
May 8, 2023
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
May 8, 2023
… from timestamp instead of @timestamp field (elastic#156884) ## Summary In Kibana 8.8 we've done a huge refactor of the alert table (see [PR](elastic#149128)). The new table's trigger actions are no longer some of the Security Solution server side methods that were adding a `timestamp` field to the response (see [here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts#L28)). That `timestamp` field was basically a duplication of the `@timestamp` field (done via [this helper function](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts#L12)) Running the stack locally, you would see that clicking on the `Investigate in timeline` icon button or ANY alerts in the alerts table (pretty new or months/years old) would bring the timeline flyout with always the `to` value being the `current date`, and the `from` value being the `current date - kibana.alert.rule.from`. The `timetamp` field [here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx#L158) does not exists, so we always fall back to `new Date()` (unless you're looking at an alert generated by a threshold rule, a new terms rule or a suppressed alert). This PR fixes the issue by retrieving the `@timestamp` field instead of the unwanted `timestamp` field. More work will be done in the future to actually entirely remove and cleanup the `timestamp` field (see [this WIP ticket](elastic#156879)). ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Before (recorded on May 4th and we're looking at an alert generated on May 3rd) https://user-images.githubusercontent.com/17276605/236509848-a5b0a363-c9c5-4d80-a139-84e3df3a1bd6.mov After https://user-images.githubusercontent.com/17276605/236509884-74805cef-ccf2-4b09-a174-2fcb6b75d4bb.mov Closes elastic#126077 (cherry picked from commit 114c98d)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
May 9, 2023
…pulled from timestamp instead of @timestamp field (#156884) (#157114) # Backport This will backport the following commits from `main` to `8.8`: - [[Security Solution] fix from-to values investigate in timeline pulled from timestamp instead of @timestamp field (#156884)](#156884) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Philippe Oberti","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-05-08T23:44:14Z","message":"[Security Solution] fix from-to values investigate in timeline pulled from timestamp instead of @timestamp field (#156884)\n\n## Summary\r\n\r\nIn Kibana 8.8 we've done a huge refactor of the alert table (see\r\n[PR](https://github.com/elastic/kibana/pull/149128)).\r\nThe new table's trigger actions are no longer some of the Security\r\nSolution server side methods that were adding a `timestamp` field to the\r\nresponse (see\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts#L28)).\r\nThat `timestamp` field was basically a duplication of the `@timestamp`\r\nfield (done via [this helper\r\nfunction](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts#L12))\r\n\r\nRunning the stack locally, you would see that clicking on the\r\n`Investigate in timeline` icon button or ANY alerts in the alerts table\r\n(pretty new or months/years old) would bring the timeline flyout with\r\nalways the `to` value being the `current date`, and the `from` value\r\nbeing the `current date - kibana.alert.rule.from`.\r\nThe `timetamp` field\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx#L158)\r\ndoes not exists, so we always fall back to `new Date()` (unless you're\r\nlooking at an alert generated by a threshold rule, a new terms rule or a\r\nsuppressed alert).\r\n\r\nThis PR fixes the issue by retrieving the `@timestamp` field instead of\r\nthe unwanted `timestamp` field.\r\n\r\nMore work will be done in the future to actually entirely remove and\r\ncleanup the `timestamp` field (see [this WIP\r\nticket](https://github.com/elastic/kibana/issues/156879)).\r\n\r\n### Checklist\r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\nBefore (recorded on May 4th and we're looking at an alert generated on\r\nMay 3rd)\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509848-a5b0a363-c9c5-4d80-a139-84e3df3a1bd6.mov\r\n\r\nAfter\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509884-74805cef-ccf2-4b09-a174-2fcb6b75d4bb.mov\r\n\r\nCloses https://github.com/elastic/kibana/issues/126077","sha":"114c98d3b5df4252f500ea762879524540b2c50a","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting","Team: SecuritySolution","Team:Threat Hunting:Investigations","v8.8.0","v8.9.0"],"number":156884,"url":"https://github.com/elastic/kibana/pull/156884","mergeCommit":{"message":"[Security Solution] fix from-to values investigate in timeline pulled from timestamp instead of @timestamp field (#156884)\n\n## Summary\r\n\r\nIn Kibana 8.8 we've done a huge refactor of the alert table (see\r\n[PR](https://github.com/elastic/kibana/pull/149128)).\r\nThe new table's trigger actions are no longer some of the Security\r\nSolution server side methods that were adding a `timestamp` field to the\r\nresponse (see\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts#L28)).\r\nThat `timestamp` field was basically a duplication of the `@timestamp`\r\nfield (done via [this helper\r\nfunction](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts#L12))\r\n\r\nRunning the stack locally, you would see that clicking on the\r\n`Investigate in timeline` icon button or ANY alerts in the alerts table\r\n(pretty new or months/years old) would bring the timeline flyout with\r\nalways the `to` value being the `current date`, and the `from` value\r\nbeing the `current date - kibana.alert.rule.from`.\r\nThe `timetamp` field\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx#L158)\r\ndoes not exists, so we always fall back to `new Date()` (unless you're\r\nlooking at an alert generated by a threshold rule, a new terms rule or a\r\nsuppressed alert).\r\n\r\nThis PR fixes the issue by retrieving the `@timestamp` field instead of\r\nthe unwanted `timestamp` field.\r\n\r\nMore work will be done in the future to actually entirely remove and\r\ncleanup the `timestamp` field (see [this WIP\r\nticket](https://github.com/elastic/kibana/issues/156879)).\r\n\r\n### Checklist\r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\nBefore (recorded on May 4th and we're looking at an alert generated on\r\nMay 3rd)\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509848-a5b0a363-c9c5-4d80-a139-84e3df3a1bd6.mov\r\n\r\nAfter\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509884-74805cef-ccf2-4b09-a174-2fcb6b75d4bb.mov\r\n\r\nCloses https://github.com/elastic/kibana/issues/126077","sha":"114c98d3b5df4252f500ea762879524540b2c50a"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/156884","number":156884,"mergeCommit":{"message":"[Security Solution] fix from-to values investigate in timeline pulled from timestamp instead of @timestamp field (#156884)\n\n## Summary\r\n\r\nIn Kibana 8.8 we've done a huge refactor of the alert table (see\r\n[PR](https://github.com/elastic/kibana/pull/149128)).\r\nThe new table's trigger actions are no longer some of the Security\r\nSolution server side methods that were adding a `timestamp` field to the\r\nresponse (see\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts#L28)).\r\nThat `timestamp` field was basically a duplication of the `@timestamp`\r\nfield (done via [this helper\r\nfunction](https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/get_timestamp.ts#L12))\r\n\r\nRunning the stack locally, you would see that clicking on the\r\n`Investigate in timeline` icon button or ANY alerts in the alerts table\r\n(pretty new or months/years old) would bring the timeline flyout with\r\nalways the `to` value being the `current date`, and the `from` value\r\nbeing the `current date - kibana.alert.rule.from`.\r\nThe `timetamp` field\r\n[here](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx#L158)\r\ndoes not exists, so we always fall back to `new Date()` (unless you're\r\nlooking at an alert generated by a threshold rule, a new terms rule or a\r\nsuppressed alert).\r\n\r\nThis PR fixes the issue by retrieving the `@timestamp` field instead of\r\nthe unwanted `timestamp` field.\r\n\r\nMore work will be done in the future to actually entirely remove and\r\ncleanup the `timestamp` field (see [this WIP\r\nticket](https://github.com/elastic/kibana/issues/156879)).\r\n\r\n### Checklist\r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\nBefore (recorded on May 4th and we're looking at an alert generated on\r\nMay 3rd)\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509848-a5b0a363-c9c5-4d80-a139-84e3df3a1bd6.mov\r\n\r\nAfter\r\n\r\n\r\nhttps://user-images.githubusercontent.com/17276605/236509884-74805cef-ccf2-4b09-a174-2fcb6b75d4bb.mov\r\n\r\nCloses https://github.com/elastic/kibana/issues/126077","sha":"114c98d3b5df4252f500ea762879524540b2c50a"}}]}] BACKPORT--> Co-authored-by: Philippe Oberti <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
In Kibana 8.8 we've done a huge refactor of the alert table (see PR).
The new table's trigger actions are no longer some of the Security Solution server side methods that were adding a
timestampfield to the response (see here). Thattimestampfield was basically a duplication of the@timestampfield (done via this helper function)Running the stack locally, you would see that clicking on the
Investigate in timelineicon button or ANY alerts in the alerts table (pretty new or months/years old) would bring the timeline flyout with always thetovalue being thecurrent date, and thefromvalue being thecurrent date - kibana.alert.rule.from.The
timetampfield here does not exists, so we always fall back tonew Date()(unless you're looking at an alert generated by a threshold rule, a new terms rule or a suppressed alert).This PR fixes the issue by retrieving the
@timestampfield instead of the unwantedtimestampfield.More work will be done in the future to actually entirely remove and cleanup the
timestampfield (see this WIP ticket).Checklist
Before (recorded on May 4th and we're looking at an alert generated on May 3rd)
Screen.Recording.2023-05-04.at.4.57.07.PM.mov
After
Screen.Recording.2023-05-04.at.4.58.06.PM.mov
Closes #126077