[7.x] [Security Solution] Siem signals -> alerts as data field and index aliases (#106049) #107817
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…iases (elastic#106049) * Add aliases mapping signal fields to alerts as data fields * Add aliases mapping alerts as data fields to signal fields * Replace siem signals templates per space and add AAD index aliases to siem signals indices * Remove first version of new mapping json file * Convert existing legacy siem-signals templates to new ES templates * Catch 404 if siem signals templates were already updated * Enhance error message when index exists but is not write index for alias * Check if alias write index exists before creating new write index * More robust write target creation logic * Add RBAC required fields for AAD to siem signals indices * Fix index name in index mapping update * Throw errors if bulk retry fails or existing indices are not writeable * Add new template to routes even without experimental rule registry flag enabled * Check template version before updating template * First pass at modifying routes to handle inserting field aliases * Always insert field aliases when create_index_route is called * Update snapshot test * Remove template update logic from plugin setup * Use aliases_version field to detect if aliases need update * Fix bugs * oops update snapshot * Use internal user for PUT alias to fix perms issue * Update comment * Disable new resource creation if ruleRegistryEnabled * Only attempt to add aliases if siem-signals index already exists * Fix types, add aliases to aad indices, use package field names * Undo adding aliases to AAD indices * Remove unused import * Update test and snapshot oops * Filter out kibana.* fields from generated signals * Update cypress test to account for new fields in table * Properly handle space ids with dashes in them Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts # x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
Unknown metric groupsAPI count
API count missing comments
To update your PR or re-run it, just comment with: |
| @@ -58,7 +58,7 @@ describe('Alert details with unmapped fields', () => { | |||
|
|
|||
| it('Displays the unmapped field on the table', () => { | |||
| const expectedUnmmappedField = { | |||
| row: 56, | |||
| row: 89, | |||
There was a problem hiding this comment.
@marshallmain In your original PR this is 88, any idea why there's a difference between master and this: https://github.com/elastic/kibana/pull/106049/files#r687374268?
There was a problem hiding this comment.
No, I saw that this PR adjusted the row by 1 so applied the same change to mine to get it to pass. Not sure where the difference comes from.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backports the following commits to 7.x: