-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Exceptions] - Updates exception item find sort field #76685
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yctercero
added
bug
Fixes for quality problems that affect the customer experience
Team:SIEM
v8.0.0
release_note:skip
Skip the PR/issue when compiling release notes
v7.10.0
Feature:Detection Rules
Security Solution rules and Detection Engine
labels
Sep 3, 2020
Pinging @elastic/siem (Team:SIEM) |
yctercero
removed
the
bug
Fixes for quality problems that affect the customer experience
label
Sep 3, 2020
@elasticmachine merge upstream |
FrankHassanabad
approved these changes
Sep 4, 2020
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
💚 Build SucceededBuild metricspage load bundle size
History
To update your PR or re-run it, just comment with: |
yctercero
added a commit
to yctercero/kibana
that referenced
this pull request
Sep 4, 2020
…eld (elastic#76685) ## Summary This is a bug that was introduced by moi in 76537. This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows: ``` "Unable to sort multiple types by field created_at, not a root property" ```
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Sep 4, 2020
* master: (47 commits) Do not require id & description when creating a logstash pipeline (elastic#76616) Remove commented src/core/tsconfig file (elastic#76792) Replaced whitelistedHosts with allowedHosts in actions ascii docs (elastic#76731) [Dashboard First] Genericize Attribute Service (elastic#76057) [ci-metrics] unify distributable file count metrics (elastic#76448) [Security Solution][Detections] Handle conflicts on alert status update (elastic#75492) [eslint] convert to @typescript-eslint/no-unused-expressions (elastic#76471) [DOCS] Add default time range filter to advanced settings (elastic#76414) [Security Solution] Refactor NetworkTopNFlow to use Search Strategy (elastic#76249) [Dashboard] Update Index Patterns when Child Index Patterns Change (elastic#76356) [ML] Add option to Advanced Settings to set default time range filter for AD jobs (elastic#76347) Add CSM app to CODEOWNERS (elastic#76793) [Security Solution][Exceptions] - Updates exception item find sort field (elastic#76685) [Security Solution][Detections][Tech Debt] - Move to using common io-ts types (elastic#75009) [Lens] Drag dimension to replace (elastic#75895) URI encode the index names we fetch in the fetchIndices lib function. (elastic#76584) [Security Solution] Resolver retrieve entity id of documents without field mapped (elastic#76562) [Ingest Manager] validate agent route using AJV instead kbn-config-schema (elastic#76546) Updated non-dev usages of node-forge (elastic#76699) [Ingest Pipelines] Processor forms for processors K-S (elastic#75638) ...
yctercero
added a commit
that referenced
this pull request
Sep 4, 2020
…eld (#76685) (#76782) ## Summary This is a bug that was introduced by moi in 76537. This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows: ``` "Unable to sort multiple types by field created_at, not a root property" ```
MindyRS
added
the
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
label
Sep 23, 2021
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Feature:Detection Rules
Security Solution rules and Detection Engine
release_note:skip
Skip the PR/issue when compiling release notes
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:SIEM
v7.10.0
v8.0.0
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This is a bug that was introduced by ✋ in #76537 (not yet in prod). This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows:
I was a bit confused at first since
created_at
does in fact exist on both types, however, the wonderful Mr. Frank H. gave me insight into some of the nuances of_find
with namespaces. Exception lists can live in multiple namespaces, we need to be more precise in specifying our sort_field. So for example, the endpoint list lives inexception-list-agnostic
namespace and detections lists live inexception-list
namespace. I found that updating the sort_field toexception-list.created_at
worked in finding both or either list type items. I thought I might need to break it out intoexception-list-agnostic.created_at
andexception-list.created_at
but that was not the case.Checklist