[Security Solution][Detections][Threshold Rules] Threshold Rule Bug Fixes #84918
Conversation
Only ES UI change was a fixed typo in a comment in the form lib. LGTM!
…threshold field present
This reverts commit 6482374.
Looks good except one small bug that could affect API users
```ts
      } as unknown) as Filter);
      const esFilter = await getFilter({
        type,
        filters: filters?.concat(bucketFilters),
```
`filters?.concat(bucketFilters)` returns `undefined` if `filters` is `undefined`. Looks like `filters ? filters.concat(bucketFilters) : bucketFilters` would give the intended result? `filters` defaults to `[]` if not provided in the UI, but it's optional in the API so it could be `undefined` here.
Suggested change:

```diff
-      filters: filters?.concat(bucketFilters),
+      filters: filters ? filters.concat(bucketFilters) : bucketFilters,
```
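The review comment above describes the optional-chaining bug in one line; the following is an added example (not Kibana's own code) that models the buggy and the suggested form side by side so the difference between the UI path (`filters` defaults to `[]`) and the API path (`filters` omitted) is visible. The `Filter` shape, the `buildFilters*` / `countAppliedFilters` names and the sample filters are assumptions constructed for illustration.

```typescript
// Added example, not Kibana code. `Filter`, the helper names and the sample
// filters below are assumptions constructed for illustration.

// Minimal stand-in for the Kibana `Filter` type used in the reviewed snippet.
interface Filter {
  meta: { alias?: string; key?: string; negate?: boolean };
  query: Record<string, unknown>;
}

// Constructed sample: a filter a rule author could have configured in the UI.
const userFilter: Filter = {
  meta: { key: 'event.category', negate: false },
  query: { match_phrase: { 'event.category': 'authentication' } },
};

// Constructed sample: a generated "bucket" filter that excludes a bucket
// already covered by an existing threshold signal.
const bucketFilters: Filter[] = [
  {
    meta: { alias: 'threshold-dupe-bucket', negate: true },
    query: { term: { 'host.name': 'host-a' } },
  },
];

// Buggy form from the snippet: optional chaining short-circuits to undefined
// when `filters` is undefined, so the bucket filters are silently dropped.
function buildFiltersBuggy(
  filters: Filter[] | undefined,
  bucket: Filter[]
): Filter[] | undefined {
  return filters?.concat(bucket);
}

// Suggested fix: the bucket filters are always included.
function buildFiltersFixed(filters: Filter[] | undefined, bucket: Filter[]): Filter[] {
  return filters ? filters.concat(bucket) : bucket;
}

// Stand-in for the downstream consumer: how many filters actually reach the query.
function countAppliedFilters(filters: Filter[] | undefined): number {
  return (filters ?? []).length;
}

// UI path: `filters` is an array, so both forms apply user + bucket filters.
const uiBuggy = countAppliedFilters(buildFiltersBuggy([userFilter], bucketFilters));
const uiFixed = countAppliedFilters(buildFiltersFixed([userFilter], bucketFilters));

// API path: `filters` is optional and may be undefined. The buggy form applies
// nothing (bucket exclusion lost); the fixed form still applies the bucket filter.
const apiBuggy = countAppliedFilters(buildFiltersBuggy(undefined, bucketFilters));
const apiFixed = countAppliedFilters(buildFiltersFixed(undefined, bucketFilters));

console.log({ uiBuggy, uiFixed, apiBuggy, apiFixed });
```

With `filters` omitted, the buggy form yields no filters at all, which means the exclusion of already-signalled buckets never reaches Elasticsearch; the fixed form keeps the bucket filter in that case and behaves identically on the UI path.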
…ixes (elastic#84918)

* Move threshold dupe detection logic to its own function
* Minor fixup
* Refactor and remove property injection for threshold signals
* Only show aggregatable fields for threshold rule grouping
* Add threshold rule kql filter to timeline
* Remove outdated getThresholdSignalQueryFields tests
* Filter aggregatable fields on client
* Revert "Only show aggregatable fields for threshold rule grouping" (This reverts commit 539fa49.)
* Fix bug with incorrect calculation of threshold signal dupes when no threshold field present
* Revert "Add threshold rule kql filter to timeline" (This reverts commit 6482374.)
* Add test skeleton
* Finish tests
* Address comment
* master: (48 commits)
  * Fix request with disabled aggregation (elastic#85696)
  * [Security Solution][Detections][Threshold Rules] Threshold Rule Bug Fixes (elastic#84918)
  * Removed a possibility to define two different names for Alert types on API and UI level. (elastic#86236)
  * Bump Node.js from version 14.15.2 to 14.15.3 (elastic#86593)
  * [index patterns] Fleep app - Keep saved object field list until field caps provides fields (elastic#85370)
  * [Security Solutions] fix timeline tabs + layout (elastic#86581)
  * Upgrade to hapi version 20 (elastic#85406)
  * App Services: Remove remaining uiActions, expressions, data, embeddable circular dependencies. (elastic#82791)
  * Rename chartLibrary setting to legacyChartsLibrary (elastic#86529)
  * [CI] TeamCity updates (elastic#85843)
  * [Maps] Use Json for mvt-tests (elastic#86492)
  * [Rollup Jobs] Added autofocus to cron editor (elastic#86324)
  * [Monitoring][Alerting] CCR read exceptions alert (elastic#85908)
  * [CI] Bump memory for main CI workers (elastic#86541)
  * Explicitly set Elasticsearch heap size during CI and local development (elastic#86513)
  * [App Search] Updates to results on the documents view (elastic#86181)
  * [Discover] Change default sort handling (elastic#85561)
  * [App Search] Convert DocumentCreationModal to DocumentCreationFlyout (elastic#86508)
  * [App Search] Sample Engines should have access to the Crawler (elastic#86502)
  * Fixed duplication of create new modal (elastic#86489)
  * ...
…ixes (#84918) (#86606)

* Move threshold dupe detection logic to its own function
* Minor fixup
* Refactor and remove property injection for threshold signals
* Only show aggregatable fields for threshold rule grouping
* Add threshold rule kql filter to timeline
* Remove outdated getThresholdSignalQueryFields tests
* Filter aggregatable fields on client
* Revert "Only show aggregatable fields for threshold rule grouping" (This reverts commit 539fa49.)
* Fix bug with incorrect calculation of threshold signal dupes when no threshold field present
* Revert "Add threshold rule kql filter to timeline" (This reverts commit 6482374.)
* Add test skeleton
* Finish tests
* Address comment

Co-authored-by: Kibana Machine <[email protected]>

…ixes (#84918) (#86607)

* Move threshold dupe detection logic to its own function
* Minor fixup
* Refactor and remove property injection for threshold signals
* Only show aggregatable fields for threshold rule grouping
* Add threshold rule kql filter to timeline
* Remove outdated getThresholdSignalQueryFields tests
* Filter aggregatable fields on client
* Revert "Only show aggregatable fields for threshold rule grouping" (This reverts commit 539fa49.)
* Fix bug with incorrect calculation of threshold signal dupes when no threshold field present
* Revert "Add threshold rule kql filter to timeline" (This reverts commit 6482374.)
* Add test skeleton
* Finish tests
* Address comment
Summary
Addresses:

* [Security Solution][Detections] Threshold rules can be created with fields that can't be aggregated on #79948 (filters aggregatable fields before displaying them as `threshold.field` choices: https://github.com/elastic/kibana/pull/84918/files#diff-14d03cbb6c633190285d6749ffb521827071ea2f0ad920de5a2aa0a52266bc21R171)
* [Security Solution][Detections] Threshold rules can generate signals with overridden fields #83218 (removes population of matching fields in threshold synthetic signals; these were not useful anyway, as it's impossible to populate all potential matches... we were only using the last matching document, which was misleading and bug-prone).
Minor refactoring that was suggested by @rylnd in a previous PR.