
[Security Solution][Detections] Fix EQL search request filter when built with exceptions #79753

Merged: 1 commit, Oct 6, 2020

Conversation

marshallmain (Contributor):

Summary

The ES query DSL does not support multiple objects within a filter object, which is how we were attempting to build the query. Instead, filter needs to be an array of objects. The EQL search API does not allow the top level filter to be an array so we have to nest the filter array within another bool object.

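The two `filter` shapes the summary contrasts, written out as an added TypeScript example that is not part of this PR or of Kibana's code; the type names, `buildBrokenFilter`, `buildEqlFilter`, `isValidEqlFilter` and the sample inputs are assumptions:

```typescript
// Added example, not Kibana's own code: the two `filter` shapes the PR summary
// contrasts. Type and function names are assumptions.
interface RangeFilter {
  range: { [field: string]: { gte: string; lte: string; format?: string } };
}
interface BoolFilter {
  bool: { filter?: object[]; must_not?: object[]; should?: object[] };
}
type EsFilter = RangeFilter | BoolFilter;

// The pre-fix shape: several clauses merged into ONE filter object. The query
// DSL reads a filter object as a single clause, so a request built this way
// is rejected instead of applying the exceptions.
function buildBrokenFilter(range: RangeFilter, exceptions?: BoolFilter): object {
  return { ...range, ...(exceptions ?? {}) };
}

// The fixed shape: one clause per array element. Because the EQL search API
// only accepts a single object as the top-level `filter`, the array sits
// inside a wrapping bool rather than at the top level.
function buildEqlFilter(
  range: RangeFilter,
  exceptions?: BoolFilter
): { bool: { filter: EsFilter[] } } {
  const clauses: EsFilter[] = [range];
  if (exceptions) clauses.push(exceptions);
  return { bool: { filter: clauses } };
}

// Shape check: top level is exactly one bool clause whose `filter` is an
// array in which every element is an object carrying exactly one clause key.
function isValidEqlFilter(filter: unknown): boolean {
  const isClause = (c: unknown): boolean =>
    typeof c === 'object' && c !== null && !Array.isArray(c) && Object.keys(c).length === 1;
  if (!isClause(filter) || !('bool' in (filter as object))) return false;
  const inner = (filter as { bool: { filter?: unknown } }).bool.filter;
  return Array.isArray(inner) && inner.every(isClause);
}

// Constructed sample input: a 6-minute lookback plus one exception item.
const sampleRange: RangeFilter = {
  range: { '@timestamp': { gte: 'now-6m', lte: 'now', format: 'strict_date_optional_time' } },
};
const sampleExceptions: BoolFilter = {
  bool: { must_not: [{ match_phrase: { 'host.name': 'trusted-build-host' } }] },
};
const fixedFilter = buildEqlFilter(sampleRange, sampleExceptions);
const brokenFilter = buildBrokenFilter(sampleRange, sampleExceptions);
```

`isValidEqlFilter` is the kind of structural assertion a unit test for `buildEqlSearchRequest` can run so that a regression to the merged-object shape fails in CI rather than at query time.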

@marshallmain marshallmain requested review from a team as code owners October 6, 2020 19:51
@marshallmain marshallmain added release_note:skip Skip the PR/issue when compiling release notes v7.10.0 v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine Team:SIEM labels Oct 6, 2020
@elasticmachine (Contributor):

Pinging @elastic/siem (Team:SIEM)

@kibanamachine (Contributor):

💚 Build Succeeded

Metrics [docs]

async chunks size

id                before   after    diff
securitySolution  10.5MB   10.5MB   +132.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@@ -110,27 +110,35 @@ export const buildEqlSearchRequest = (
exceptionFilter = buildExceptionFilter(exceptionQueries, indexPattern, config, true, 1024);
}
const indexString = index.join();
const requestFilter: unknown[] = [
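Review bot: `const requestFilter: unknown[] = [` on the last visible line types the array elements as `unknown`, so the compiler cannot enforce the one-clause-per-element shape this PR exists to establish (the summary says the query DSL rejects a single filter object carrying several clauses); typing the element as a union of the range filter type and a bool filter type would make a regression to the old shape a compile error rather than a runtime rejection. The positional `true, 1024` arguments to `buildExceptionFilter` on the first line of the hunk are also opaque at the call site; named constants would document what they control.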
Review comment (Member):

I believe you could use EsRangeFilter here in place of the unknown:

Suggested change:
- const requestFilter: unknown[] = [
+ const requestFilter: EsRangeFilter[] = [

Review comment (Member):

Actually, since you're pushing the bool object below as well, I'm not sure what the recommended generic Filter type is that should be used here...

@spong spong left a comment


LGTM! 👍

@marshallmain marshallmain merged commit 7f5b824 into elastic:master Oct 6, 2020
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 6, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine (Contributor):

Pinging @elastic/security-solution (Team: SecuritySolution)
