Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SIEM] Fix: Empty Source / Destination shown when only ports are populated #50843

Merged
merged 2 commits into from
Nov 18, 2019

Conversation

andrew-goldstein
Copy link
Contributor

Fixes an issue where an empty Source or Destination container is rendered by
the Timeline row renderer when events have source.port or destination.port populated,
but the corresponding source.ip or destination.ip is not.

Before Chrome 78.0.3904.97

chrome-before

After Chrome 78.0.3904.97

chrome-after

Details

The following JSON is from the event shown in the screenshots above:

  "destination": {
    "port": 53
  },

In the JSON above, the destination.port field is populated, but the
destination.ip field is not populated.

The destination.port in the event is expected to be rendered in the
"before" screenshot above, but an empty Destination label is rendered
instead.

To reproduce:

  1. Create a new timeline with the following KQL:
destination.port: * and NOT destination.ip: *

Expected Result

  • The destination.port contained in the event is rendered in the Destination container

Actual result

  • An empty Destination is rendered, per the "before" screenshot above

Other Corner Cases

An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with null values.

The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.

After Firefox 70.0.1

firefox-after

After Safari 13.0.3

safari-after

Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in master

…rendered by

the Timeline row renderer when events have `source.port` or `destination.port` populated,
but the corresponding `source.ip` or `destination.ip` is not.

### Before Chrome `78.0.3904.97`

![chrome-before](https://user-images.githubusercontent.com/4459398/68985053-fd26ec80-07d0-11ea-99e3-1180a3e9d7fb.png)

### After Chrome `78.0.3904.97`

![chrome-after](https://user-images.githubusercontent.com/4459398/68985058-0912ae80-07d1-11ea-990a-1a66802cad0e.png)

## Details

The following JSON is from the event shown in the screenshots above:

```
  "destination": {
    "port": 53
  },
```

In the JSON above, the `destination.port` field is populated, but the
`destination.ip` field is **not** populated.

The `destination.port` in the event is expected to be rendered in the
"before" screenshot above, but an empty `Destination` label is rendered
instead.

## To reproduce:

1. Create a new timeline with the following KQL:

```
destination.port: * and NOT destination.ip: *
```

**Expected Result**

- The `destination.port` contained in the event is rendered in the `Destination` container

**Actual result**

- An empty `Destination` is rendered, per the "before" screenshot above

## Other Corner Cases

An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with `null` values.

The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.

### After Firefox `70.0.1`

![firefox-after](https://user-images.githubusercontent.com/4459398/68985063-10d25300-07d1-11ea-9c17-d962c0f1015e.png)

### After Safari `13.0.3`

![safari-after](https://user-images.githubusercontent.com/4459398/68985067-162f9d80-07d1-11ea-8773-d3e71a84a440.png)

Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master`

* elastic/siem-team#476
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@stephmilovic
Copy link
Contributor

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Copy link
Contributor

@stephmilovic stephmilovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is @andrew-goldstein writing tests:
giphy (1)

Nice fix and excellent testing! Passes code review + browser testing. LGTM

@@ -104,7 +146,7 @@ IpAdressesWithPorts.displayName = 'IpAdressesWithPorts';
* - a port, hyperlinked to a port lookup service, when it's populated
* - a summary of geolocation details, when they are populated
*/
export const SourceDestinationIp = pure<SourceDestinationIpProps>(
export const SourceDestinationIp = React.memo<SourceDestinationIpProps>(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

;)

@elastic elastic deleted a comment from elasticmachine Nov 18, 2019
@andrew-goldstein andrew-goldstein merged commit e5ef878 into elastic:master Nov 18, 2019
@andrew-goldstein andrew-goldstein deleted the empty-source-dest branch November 18, 2019 20:14
jloleysens added a commit to jloleysens/kibana that referenced this pull request Nov 18, 2019
…-fallback

* 'master' of github.com:elastic/kibana: (116 commits)
  [Maps] move apply global filter settting from layer to source (elastic#50523)
  [SIEM] Fix: Empty `Source` / `Destination` shown when only ports are populated (elastic#50843)
  [Maps] Delay vector tile layer syncing until spritesheet is loaded (elastic#48955)
  [Maps] prevent users from overflowing URL when filtering by shape (elastic#50747)
  [DOCS] Mark Beats central management as discontinued (elastic#49423)
  [page_objects/common_page] convert to ts (elastic#50771)
  [NP Kibana Migrations ] kibana plugin home (elastic#50444)
  [DOCS] Shareables naming convention (elastic#50497)
  [ML] DF Analytics - auto-populate model_memory_limit (elastic#50714)
  Increase alerting test stability and reduce flakiness (elastic#50246)
  [ML] Remaning new_job_new folder (elastic#50917)
  [Telemetry] Show opt-in changes for OSS users (elastic#50831)
  [ML] Fix lat_long anomalies table links menu and value formatting (elastic#50916)
  [Dev] Fix serialising a really big string (elastic#50915)
  Better explanation about the Prettier recommendation (extension vs. NPM module) (elastic#50629)
  [Monitoring] Use a basic monitoring user for tests (elastic#47865)
  [Monitoring] Gracefully handle issue with filebeat indices (elastic#48929)
  [Monitoring] Improve permissions required around setup mode (elastic#50421)
  Additional validation for elasticsearch username (elastic#48247)
  Revert changes to use_kibana_ui_setting (elastic#50877)
  ...

# Conflicts:
#	src/legacy/core_plugins/console/server/request.test.ts
andrew-goldstein added a commit that referenced this pull request Nov 18, 2019
…populated (#50843) (#50971)

Fixes an issue where an empty `Source` or `Destination` container is rendered by
the Timeline row renderer when events have `source.port` or `destination.port` populated,
but the corresponding `source.ip` or `destination.ip` is not.

![chrome-before](https://user-images.githubusercontent.com/4459398/68985053-fd26ec80-07d0-11ea-99e3-1180a3e9d7fb.png)

![chrome-after](https://user-images.githubusercontent.com/4459398/68985058-0912ae80-07d1-11ea-990a-1a66802cad0e.png)

The following JSON is from the event shown in the screenshots above:

```
  "destination": {
    "port": 53
  },
```

In the JSON above, the `destination.port` field is populated, but the
`destination.ip` field is **not** populated.

The `destination.port` in the event is expected to be rendered in the
"before" screenshot above, but an empty `Destination` label is rendered
instead.

1. Create a new timeline with the following KQL:

```
destination.port: * and NOT destination.ip: *
```

**Expected Result**

- The `destination.port` contained in the event is rendered in the `Destination` container

**Actual result**

- An empty `Destination` is rendered, per the "before" screenshot above

An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with `null` values.

The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.

![firefox-after](https://user-images.githubusercontent.com/4459398/68985063-10d25300-07d1-11ea-9c17-d962c0f1015e.png)

![safari-after](https://user-images.githubusercontent.com/4459398/68985067-162f9d80-07d1-11ea-8773-d3e71a84a440.png)

Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master`

* elastic/siem-team#476
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants