[Security Solution][Detection Engine] Fixes critical date time format issues #79911
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/siem (Team:SIEM) |
FrankHassanabad
added
bug
FrankHassanabad
changed the title
spong
approved these changes
Oct 8, 2020
There was a problem hiding this comment.
Checked out, tested locally with multiple test records (some with @timestamp, some with only specific time fields like event.ingested (in epoch as well)), and all cases outlined in the PR description appear to be functioning as intended.
In testing I did find a few issues, but not related to this PR, so LGTM! 👍 😉
Related issues:
-
Threshold rules allow non-aggregate fields to be selected [Security Solution][Detections] Threshold rules can be created with fields that can't be aggregated on #79948
-
Timelineis including thedocvalue_fieldsin event details which makes it look like these fields are part of the record: cc @XavierM @andrew-goldstein
- Threshold rules are looking like they just generate an id for
signal.parent.idandsignal.parents[].id. We should verify this implementation, and consider not setting a parent id as there isn't a single event that the alert corresponds to (but rather a bucket of events). cc @marshallmain
FrankHassanabad
added a commit
to FrankHassanabad/kibana
that referenced
this pull request
Oct 8, 2020
…lastic#79911) ## Summary Fixes elastic#79865 Also fixes: * Timestamp override not being pushed down into threshold rules to use * Timestamp override not being used for lastValidDate * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well. * Fixes one small type issue with fields. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad
added a commit
to FrankHassanabad/kibana
that referenced
this pull request
Oct 8, 2020
…lastic#79911) ## Summary Fixes elastic#79865 Also fixes: * Timestamp override not being pushed down into threshold rules to use * Timestamp override not being used for lastValidDate * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well. * Fixes one small type issue with fields. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad
added
the
Feature:Detection Rules
FrankHassanabad
changed the title
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
FrankHassanabad
added a commit
that referenced
this pull request
Oct 8, 2020
…79911) (#79965) ## Summary Fixes #79865 Also fixes: * Timestamp override not being pushed down into threshold rules to use * Timestamp override not being used for lastValidDate * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well. * Fixes one small type issue with fields. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad
added a commit
that referenced
this pull request
Oct 8, 2020
…79911) (#79964) ## Summary Fixes #79865 Also fixes: * Timestamp override not being pushed down into threshold rules to use * Timestamp override not being used for lastValidDate * The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well. * Fixes one small type issue with fields. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Oct 8, 2020
* master: (217 commits) Fix dashboard "snapshot share" is not sharing panel state in view mode (elastic#79837) fix can't edit a scripted field with special char (elastic#79842) [ML] clear selection action (elastic#79834) [TSVB] Show tooltip on external pointer events (elastic#77306) Fixes bug where the same index was being passed in (elastic#79949) Adds date time query and return fields for timestamps and overrides (elastic#79911) [Security Solution][Detections] Reverts rules table tag filter to use AND operator (elastic#79920) add the correct class to truncate the names (elastic#79921) [kbn/optimizer] report limits with ci metrics (elastic#78205) [release notes] extract "dev docs" comment too (elastic#79351) Revert "skips test failing promotion (elastic#79777)" (elastic#79904) share tslib across bundles (elastic#79915) remove entire suite as partial skips aren't doing the trick skip flaky suite (elastic#78689) Skip failing suite (elastic#79522) skip flaky suite (elastic#79910) [es/mappings] remove doc_values from text fields (elastic#79869) remove skipped snapshots skip flaky tests (elastic#79891) chore(NA): add missing branches into backportrc configuration file (elastic#79848) ...
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #79865
Also fixes:
Checklist
Delete any items that are not applicable to this PR.