[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists #71768
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dhurley14
added
Feature:Detection Rules
|
Pinging @elastic/siem (Team:SIEM) |
spong
reviewed
Jul 14, 2020
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
spong
approved these changes
Jul 14, 2020
There was a problem hiding this comment.
One nit about a potentially unnecessary null check, but other than that LGTM! Thanks @dhurley14!
💚 Build SucceededBuild metrics
History
To update your PR or re-run it, just comment with: |
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jul 15, 2020
* master: (82 commits) Fixed the spacing of child accordion items for policy response dialog. (elastic#71677) [SECURITY] Timeline bug 7.9 (elastic#71748) use fixed isChromeVisible method (elastic#71813) [SIEM][Detection Engine][Lists] Adds specific endpoint_list REST API and API for abilities to auto-create the endpoint_list if it gets deleted (elastic#71792) [test] Skips flaky Saved Objects Management test [APM] Remove watcher integration (elastic#71655) [APM] Increase `xpack.apm.ui.transactionGroupBucketSize` (elastic#71661) [test] Skips Ingest Manager test preventing ES promotion [test] Skips flaky detection engine tests Revert "re-fix navigate path for master add SAML login to login_page (elastic#71337)" [tests] Temporarily skipped Fleet tests [test] Skipped monitoring test [Security Solution][Detections] Associate Endpoint Exceptions List to Rule during rule creation/update (elastic#71794) Add endpoint exception creation API validation (elastic#71791) Skip jest tests that timeout waiting for react (elastic#71801) [Security Solution][Exceptions] - Adds filtering to endpoint index patterns by exceptional fields (elastic#71757) [Reporting] Re-delete a file (elastic#71730) [Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768) [Ingest Manager] Better display of Fleet requirements (elastic#71686) [tests] Temporarily skipped to promote snapshot ...
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jul 15, 2020
…en we hit max signals after filtering with lists (elastic#71768)" This reverts commit 56de45d.
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jul 15, 2020
…ons] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) This reverts commit 56de45d.
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jul 15, 2020
…ons] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) This reverts commit 56de45d.
3 tasks
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jul 16, 2020
* master: (37 commits) [Lens] Handle failing existence check (elastic#70718) [Security Solution]Fix in-app links and popup window text (elastic#71403) [esArchiver] automatically retry if alias creation fails (elastic#71910) Move data stream index pattern creation test to xpack (elastic#71511) [Maps] Improve language for mvt card (elastic#71947) [Security][Detections] Unskip failing modal tests (elastic#71969) skip flaky suite (elastic#71987) skip flaky suite (elastic#71979) [Security Solution] [Detections] Revert "[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) rename ilm policy to remove -default (elastic#71952) Adjust ordering of Management category apps to make Ingest Manager higher (elastic#71948) skip flaky suite (elastic#71971) skip flaky suite (elastic#71951) [kbn/optimizer] ignore compressed files when reporting stats (elastic#71940) skip flaky suite (elastic#71867) [ML] Fix new job with must_not saved search (elastic#71831) [Resolver] Fix bug where process detail panel doesn't show up (elastic#71754) Cleanup (elastic#71849) [Resolver] aria-level and aria-flowto support enhancements (elastic#71887) skip flaky suite (elastic#71304) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Jul 16, 2020
…feature-privileges * alerting/consumer-based-rbac: (491 commits) [Lens] Handle failing existence check (elastic#70718) [Security Solution]Fix in-app links and popup window text (elastic#71403) [esArchiver] automatically retry if alias creation fails (elastic#71910) Move data stream index pattern creation test to xpack (elastic#71511) [Maps] Improve language for mvt card (elastic#71947) [Security][Detections] Unskip failing modal tests (elastic#71969) skip flaky suite (elastic#71987) skip flaky suite (elastic#71979) [Security Solution] [Detections] Revert "[Security Solution] [Detections] Fixes bug for determining when we hit max signals after filtering with lists (elastic#71768)" (elastic#71956) rename ilm policy to remove -default (elastic#71952) Adjust ordering of Management category apps to make Ingest Manager higher (elastic#71948) skip flaky suite (elastic#71971) skip flaky suite (elastic#71951) [kbn/optimizer] ignore compressed files when reporting stats (elastic#71940) skip flaky suite (elastic#71867) [ML] Fix new job with must_not saved search (elastic#71831) [Resolver] Fix bug where process detail panel doesn't show up (elastic#71754) Cleanup (elastic#71849) [Resolver] aria-level and aria-flowto support enhancements (elastic#71887) skip flaky suite (elastic#71304) ...
dhurley14
added a commit
that referenced
this pull request
Jul 16, 2020
dhurley14
added a commit
that referenced
this pull request
Jul 16, 2020
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Before exceptions were introduced, we were determining when we hit max signals by checking how many events were searched, as those events were being sent straight to bulk create and would be indexed as signals.
Now with exceptions, each search result from the rule query doesn't necessarily mean we are going to index it as a signal, so we need to increment our counter for max signals by the count returned from bulk create (which does the indexing into the signals index), not the count returned from the search.
Checklist
Delete any items that are not applicable to this PR.
For maintainers