Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Detection Engine][Rule Suppression] Add suppression fields to EQL schema #176391

Merged
merged 3 commits into from
Feb 7, 2024
Merged

[Detection Engine][Rule Suppression] Add suppression fields to EQL schema #176391

merged 3 commits into from
Feb 7, 2024

Conversation

WafaaNasr
Copy link
Contributor

Summary

  • Address schema changes
  • Add Tests in rule_converters to validate converting from/to snake case to/from camel case

@WafaaNasr WafaaNasr added the release_note:skip Skip the PR/issue when compiling release notes label Feb 7, 2024
@WafaaNasr WafaaNasr self-assigned this Feb 7, 2024
@WafaaNasr
Copy link
Contributor Author

/ci

@WafaaNasr
Copy link
Contributor Author

/ci

@WafaaNasr
Copy link
Contributor Author

/ci

@kibana-ci
Copy link
Collaborator

kibana-ci commented Feb 7, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #14 / getFileType getFileAttachmentViewObject event renders a clickable name if the file is an image
  • [job] [logs] FTR Configs #44 / Observability Rules Rules Endpoints Custom Threshold rule RATE - GROUP_BY - BYTES - FIRED Rule creation should set correct action variables
  • [job] [logs] FTR Configs #44 / Observability Rules Rules Endpoints Custom Threshold rule RATE - GROUP_BY - BYTES - FIRED Rule creation should set correct action variables
  • [job] [logs] Jest Integration Tests #1 / Serverless upgrade and rollback checks detect param changes to review for: siem.eqlRule
  • [job] [logs] Jest Integration Tests #1 / Serverless upgrade and rollback checks detect param changes to review for: siem.eqlRule
  • [job] [logs] Jest Tests #14 / useBulkGetUserProfiles calls bulkGetUserProfiles with correct arguments

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 11.4MB 11.4MB +132.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @WafaaNasr

@WafaaNasr WafaaNasr marked this pull request as ready for review February 7, 2024 16:48
@WafaaNasr WafaaNasr requested review from a team as code owners February 7, 2024 16:48
@WafaaNasr WafaaNasr requested review from jpdjere and rylnd and removed request for a team, rylnd and jpdjere February 7, 2024 16:48
@WafaaNasr WafaaNasr merged commit eeda81c into elastic:security/eql-suppression Feb 7, 2024
29 of 39 checks passed
@WafaaNasr WafaaNasr deleted the eql-suppression-schema-changes branch February 7, 2024 16:50
@WafaaNasr WafaaNasr mentioned this pull request Feb 7, 2024
Merged
8 tasks
rylnd added a commit that referenced this pull request Apr 17, 2024
@WafaaNasr @kibanamachine
@rylnd @banderror
[Detection Engine][Rule Suppression] Add Suppression to EQL Non-seque…
d01a5c4 
…nce based queries (#176422)

# Summary

- Address adding suppression to EQL rules
https://github.com/elastic/security-team/issues/7773
- Milestone details https://github.com/elastic/security-team/issues/8432

## Checklist
- [x] Functional changes are hidden behind a feature flag. If not
hidden, the PR explains why these changes are being implemented in a
long-living feature branch.
- [x] Functional changes are covered with a test plan and automated
tests. [Test plan](https://github.com/elastic/security-team/pull/9155)
- [ ] Stability of new and changed tests is verified using the [Flaky
Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner) in
both ESS and Serverless. By default, use 200 runs for ESS and 200 runs
for Serverless.
* Cypress ESS:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5686
* Cypress Serverless:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5687
* FTR ESS:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5688
* FTR Serverless:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5689
- [x] Comprehensive manual testing is done by two engineers: the PR
author and one of the PR reviewers. Changes are tested in both ESS and
Serverless.
- [x] Mapping changes are accompanied by a technical design document. It
can be a GitHub issue or an RFC explaining the changes. The design
document is shared with and approved by the appropriate teams and
individual stakeholders.
- [ ] (OPTIONAL) OpenAPI specs changes include detailed descriptions and
examples of usage and are ready to be released on
https://docs.elastic.co/api-reference. NOTE: This is optional because at
the moment we don't have yet any OpenAPI specs that would be fully
"documented" and "GA-ready" for publishing on
https://docs.elastic.co/api-reference.
- [x] Functional changes are communicated to the Docs team. A ticket is
opened in https://github.com/elastic/security-docs using the [`Internal
documentation request (Elastic
employees)`](https://github.com/elastic/security-docs/issues/new?assignees=&labels=&projects=&template=docs-request-internal.yaml&title=%5BRequest%5D+)
template. The following information is included: feature flags used,
target ESS version, planned timing for ESS and Serverless releases.
- [x] Check if in timeline we can show the suppression count column when
the user clicks on investigate on timeline for Eql suppressed Alerts
(#180976)

## Related Issues
* Sub-PRs
- Address EQL schema changes PR
#176391
- Adding Feature flag PR and updating the Frontend Part in Rule
Create/Edit #176398
- Adding Backend changes and FTR tests
#176597
- Fix Investigate in Timeline for the Suppressed Alerts
#177839
- Add Cypress e2e tests #177870
- Disable EQL sequence suppression in the UI and fix Cypress `after`
esArchive path #178531
- Docs Issue elastic/security-docs#4977
- Test plan https://github.com/elastic/security-team/pull/9155

## Screenshots/recordings

### Non-Sequence Suppression

1. Rule creation, Suppression based on a single value


https://github.com/elastic/kibana/assets/12671903/8d168bce-15d3-45c2-a5dc-238b3ac01626

2. Rule creation, Suppression based on an array of values
  

https://github.com/elastic/kibana/assets/12671903/0e3312a9-4eae-476b-9c1e-c68189bbaf95

3. Investigate In Timeline


https://github.com/elastic/kibana/assets/12671903/e10c8668-4d5b-4748-b8a1-678603b4a8a5


### Disabled Sequence Suppression

1. UI


https://github.com/elastic/kibana/assets/12671903/01faa649-ca8b-43e4-a398-42ab242e7a72

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
release_note:skip Skip the PR/issue when compiling release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@WafaaNasr @kibana-ci