[Detection Engine][Rule Suppression] Add suppression fields to EQL Non-sequence based queries- Create/Edit FE components #176398
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WafaaNasr
added
the
release_note:skip
|
/ci |
|
/ci |
|
/ci |
Merged
8 tasks
|
/ci |
|
/ci |
|
/ci |
…E-FF-changes' of https://github.com/WafaaNasr/kibana into eql-suppression-FE-FF-changes
|
/ci |
|
/ci |
|
/ci |
WafaaNasr
changed the title
…faaNasr/kibana into eql-suppression-FE-FF-changes
|
/ci |
WafaaNasr
requested review from
nkhristinin and
maximpn
and removed request for
a team,
maximpn and
nkhristinin
WafaaNasr
merged commit a547408
into
elastic:security/eql-suppression
4 of 6 checks passed
💔 Build FailedFailed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @WafaaNasr |
rylnd
added a commit
that referenced
this pull request
Apr 17, 2024
…nce based queries (#176422) # Summary - Address adding suppression to EQL rules https://github.com/elastic/security-team/issues/7773 - Milestone details https://github.com/elastic/security-team/issues/8432 ## Checklist - [x] Functional changes are hidden behind a feature flag. If not hidden, the PR explains why these changes are being implemented in a long-living feature branch. - [x] Functional changes are covered with a test plan and automated tests. [Test plan](https://github.com/elastic/security-team/pull/9155) - [ ] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner) in both ESS and Serverless. By default, use 200 runs for ESS and 200 runs for Serverless. * Cypress ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5686 * Cypress Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5687 * FTR ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5688 * FTR Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5689 - [x] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless. - [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. - [ ] (OPTIONAL) OpenAPI specs changes include detailed descriptions and examples of usage and are ready to be released on https://docs.elastic.co/api-reference. NOTE: This is optional because at the moment we don't have yet any OpenAPI specs that would be fully "documented" and "GA-ready" for publishing on https://docs.elastic.co/api-reference. - [x] Functional changes are communicated to the Docs team. A ticket is opened in https://github.com/elastic/security-docs using the [`Internal documentation request (Elastic employees)`](https://github.com/elastic/security-docs/issues/new?assignees=&labels=&projects=&template=docs-request-internal.yaml&title=%5BRequest%5D+) template. The following information is included: feature flags used, target ESS version, planned timing for ESS and Serverless releases. - [x] Check if in timeline we can show the suppression count column when the user clicks on investigate on timeline for Eql suppressed Alerts (#180976) ## Related Issues * Sub-PRs - Address EQL schema changes PR #176391 - Adding Feature flag PR and updating the Frontend Part in Rule Create/Edit #176398 - Adding Backend changes and FTR tests #176597 - Fix Investigate in Timeline for the Suppressed Alerts #177839 - Add Cypress e2e tests #177870 - Disable EQL sequence suppression in the UI and fix Cypress `after` esArchive path #178531 - Docs Issue elastic/security-docs#4977 - Test plan https://github.com/elastic/security-team/pull/9155 ## Screenshots/recordings ### Non-Sequence Suppression 1. Rule creation, Suppression based on a single value https://github.com/elastic/kibana/assets/12671903/8d168bce-15d3-45c2-a5dc-238b3ac01626 2. Rule creation, Suppression based on an array of values https://github.com/elastic/kibana/assets/12671903/0e3312a9-4eae-476b-9c1e-c68189bbaf95 3. Investigate In Timeline https://github.com/elastic/kibana/assets/12671903/e10c8668-4d5b-4748-b8a1-678603b4a8a5 ### Disabled Sequence Suppression 1. UI https://github.com/elastic/kibana/assets/12671903/01faa649-ca8b-43e4-a398-42ab242e7a72 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Ryland Herrick <ryalnd@gmail.com> Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary