[Security Solution][Detection Engine] Adds support for suppressing EQL sequence alerts #189725

Merged
merged 91 commits into from
Dec 4, 2024
a2f4c8f
interim commit - undo me
dhurley14 Jul 24, 2024
70cf919
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Jul 29, 2024
707727a
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Jul 29, 2024
1eb6a58
first commit, working suppression by time range, need to filter out b…
dhurley14 Aug 1, 2024
79206ce
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Aug 5, 2024
1514ad5
create building block alerts for non-suppressed alert
dhurley14 Aug 5, 2024
bb120aa
enables UI for creating suppressed sequence alert
dhurley14 Aug 5, 2024
b1db508
merge with main
dhurley14 Aug 7, 2024
e44fc04
update import order, updates logic for get suppressed terms
dhurley14 Aug 12, 2024
68b7863
adds usage of lodash/get function to fetch suppression value
dhurley14 Aug 12, 2024
837b5ae
functionally complete rewrite
dhurley14 Aug 13, 2024
807ff03
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Aug 28, 2024
3f8bb0a
mostly console logs, some cleanup
dhurley14 Sep 3, 2024
d551198
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Sep 3, 2024
13c21bc
enables feature flag for ui
dhurley14 Sep 5, 2024
ae53bf1
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Sep 5, 2024
d1f7268
type fixes
dhurley14 Sep 9, 2024
4f5e14b
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Sep 9, 2024
b065fb6
fix bug where building block alerts were not being added to individua…
dhurley14 Sep 9, 2024
19334e4
working test with feature flag enabled
dhurley14 Sep 9, 2024
1a6d913
adds more ftr tests with additional bug fixes
dhurley14 Sep 17, 2024
3bfa5ab
adds more tests
dhurley14 Sep 19, 2024
6b74bb4
adds test for not suppressing outside of duration
dhurley14 Sep 24, 2024
4f42733
passing tests
dhurley14 Sep 24, 2024
88424c2
fixes lint and type check errors
dhurley14 Sep 25, 2024
3960710
merge with main
dhurley14 Sep 25, 2024
79917be
removes unused translations
dhurley14 Sep 26, 2024
11c8a4b
missing intendedTimestamp from merge with main
dhurley14 Sep 26, 2024
9899887
fix type errors
dhurley14 Sep 26, 2024
15e12ff
fix tests
dhurley14 Sep 26, 2024
8a38f2f
test fixes
dhurley14 Sep 27, 2024
e9811c9
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Sep 27, 2024
d4701b4
fix type error
dhurley14 Sep 27, 2024
50f1b24
skip test in serverless and fix conflicts and cypress config file
dhurley14 Sep 30, 2024
992c983
fix type errors in ftr test
dhurley14 Sep 30, 2024
e34b416
more cleanup, move utility functions to utils file
dhurley14 Sep 30, 2024
3bcbad5
undo addition of building block type to alert schema
dhurley14 Sep 30, 2024
63b09c4
more cleanup
dhurley14 Oct 1, 2024
cbc46e0
updates example json for sequence rules
dhurley14 Oct 1, 2024
b9d3950
utilize pre-existing logic for building alert in sequence suppression
dhurley14 Oct 1, 2024
88a6397
refactor buildAlertGroupFromSequence to use object param instead of p…
dhurley14 Oct 1, 2024
d0ad714
add comment for feature flag
dhurley14 Oct 1, 2024
59f12b2
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Oct 2, 2024
b9ed401
update logic for building block alerts
dhurley14 Oct 14, 2024
e8792b2
merge with main, resolves conflicts
dhurley14 Oct 14, 2024
1709a05
move logic for suppression terms and fields to after we build shell a…
dhurley14 Oct 25, 2024
36f9b97
prevent eql sequence suppression for building block rule types
dhurley14 Oct 27, 2024
926478f
add subAlerts when wrapping suppressed sequences to be used in alertW…
dhurley14 Nov 4, 2024
51a4651
merge with main
dhurley14 Nov 4, 2024
fda2a84
evaluate do not suppress for values from generated shell alert, not f…
dhurley14 Nov 5, 2024
ac0c179
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Nov 5, 2024
351d223
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Nov 5, 2024
af229f8
[CI] Auto-commit changed files from 'node scripts/lint_ts_projects --…
kibanamachine Nov 5, 2024
0412e25
adds eql utility class to encapsulate related params and centralize d…
dhurley14 Nov 7, 2024
4e3587e
flatten subAlerts and shell alerts when they are newAlerts
dhurley14 Nov 7, 2024
3079b9e
fixes as castings
dhurley14 Nov 7, 2024
4393b35
merge with origin
dhurley14 Nov 7, 2024
550ea89
remove unused function wrapSuppressedSequences
dhurley14 Nov 7, 2024
cc7687c
use latest fields for type guards
dhurley14 Nov 7, 2024
74b01c9
Revert "prevent eql sequence suppression for building block rule types"
dhurley14 Nov 8, 2024
6ed8121
adds e2e test for suppressing alerts from building block rule type
dhurley14 Nov 8, 2024
b4aac4a
remove console log
dhurley14 Nov 8, 2024
d6ca5b5
cleans up comments in test file, remove unused property leftover from…
dhurley14 Nov 12, 2024
d8956e5
merge with main
dhurley14 Nov 13, 2024
9d83958
flatten subAlerts when present
dhurley14 Nov 14, 2024
002500d
use data already present
dhurley14 Nov 14, 2024
5fad454
remove casting
dhurley14 Nov 14, 2024
479b16a
removes eql utils class, pass shared params to other functions, remov…
dhurley14 Nov 14, 2024
88e05e1
assert correct functionality for sequence rule with 3 sequences in th…
dhurley14 Nov 14, 2024
22e1416
fix comment in test
dhurley14 Nov 14, 2024
fcf28d3
adds partition utility function within test suite
dhurley14 Nov 14, 2024
19c5257
remove unused types
dhurley14 Nov 14, 2024
fe390bb
some more cleanup
dhurley14 Nov 14, 2024
7c1a53d
remove unused type
dhurley14 Nov 18, 2024
aa9d5d3
narrow type for alertSuppression param
dhurley14 Nov 18, 2024
dce9b92
updates return type and field name for getSuppressionTerms, also chan…
dhurley14 Nov 18, 2024
d1067ae
partition on group.index field in e2e test
dhurley14 Nov 18, 2024
73e5f9a
partition on group.index field in e2e test
dhurley14 Nov 18, 2024
ba05c66
adds cypress test to create eql sequence rule with suppression and mo…
dhurley14 Nov 18, 2024
65b5a9c
fixes misaligned assertions between shell alert and building block al…
dhurley14 Nov 22, 2024
9f1583b
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Nov 22, 2024
8b020ce
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Nov 26, 2024
09be989
removes suppression fields when saving and suppression is disabled
dhurley14 Nov 26, 2024
cc27026
skip test in serverless env because of feature flags
dhurley14 Nov 27, 2024
9db4d35
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppre…
dhurley14 Nov 27, 2024
9c35d5e
Merge branch 'main' into eql-sequence-suppression
dhurley14 Nov 27, 2024
5bcdf9f
eql sequence suppression feature flag set default to enabled
dhurley14 Dec 2, 2024
98a9c11
Merge branch 'eql-sequence-suppression' of github.com:dhurley14/kiban…
dhurley14 Dec 2, 2024
7abac02
merge with main
dhurley14 Dec 4, 2024
a38142f
remove ruletype param from useAlertSuppression hook since all rule ty…
dhurley14 Dec 4, 2024
fe47eb5
fix translation files
dhurley14 Dec 4, 2024
Merge remote-tracking branch 'upstream/main' into eql-sequence-suppression
dhurley14 committed Sep 3, 2024
commit d5511989cdc2b4b2461c32eabb53f5c788a2487f

This merge commit was added into this branch cleanly.