
[Security Solution][Detections][Threshold Rules] Threshold rule exceptions #85103

Merged: 15 commits, Dec 13, 2020

Conversation

madirey (Contributor) commented Dec 6, 2020

Summary

Addresses: #76631
Adds the ability to create exceptions against threshold rules.

Does NOT currently include value list processing, as this will be a complex task for threshold rules...



@madirey madirey added release_note:enhancement v8.0.0 v7.11.0 Team:Detections and Resp Security Detection Response Team Feature:Threshold Rule Security Solution Threshold rule type labels Dec 6, 2020
@@ -337,7 +337,7 @@ export const signalRulesAlertType = ({
must: [
{
term: {
[threshold.field ?? 'signal.rule.rule_id']: bucket.key,
[threshold.field || 'signal.rule.rule_id']: bucket.key,
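Review bot: the swap from `??` to `||` in the computed `term` key is the right fix for the empty-string case (`''` is not nullish, so `??` kept it as the field name and produced a `term` on an empty field, whereas `||` treats it as falsy and falls back to `signal.rule.rule_id`), but nothing in the hunk pins that behaviour down, so a later cleanup could "modernise" it back to `??` and reintroduce the bug. Suggest a one-line comment above the key, e.g. `// '||' rather than '??': threshold.field may be an empty string`, and a unit test that runs the rule with `threshold.field: ''` and asserts the generated query targets `signal.rule.rule_id`.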

This is unrelated to exceptions, but fixes a bug which would break the query if threshold.field is an empty string.
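
The difference between the two operators on an empty string is the whole bug. As an added example (not Kibana's code; `buildTermClauseNullish`, `buildTermClauseOr`, `isValidTermClause` and `compareOperators` are hypothetical helper names), this builds the same `term` clause both ways against constructed thresholds, including one saved with `field: ''`, and checks whether the resulting clause targets a usable field:

```javascript
// Added example, not Kibana's code. Helper names are hypothetical.
// Shows why `??` breaks the threshold signal query when `threshold.field`
// is '' and why `||` does not.

const DEFAULT_FIELD = 'signal.rule.rule_id';

// Pre-fix behaviour: nullish coalescing only substitutes the default for
// null/undefined, so an empty string is kept as the term field name.
function buildTermClauseNullish(threshold, bucketKey) {
  return { term: { [threshold.field ?? DEFAULT_FIELD]: bucketKey } };
}

// Post-fix behaviour: `||` also substitutes for '' (and any other falsy
// value), so an empty field falls back to the rule id field.
function buildTermClauseOr(threshold, bucketKey) {
  return { term: { [threshold.field || DEFAULT_FIELD]: bucketKey } };
}

// A `term` clause is only usable if it names exactly one, non-empty field.
function isValidTermClause(clause) {
  const keys = Object.keys(clause.term);
  return keys.length === 1 && keys[0].length > 0;
}

// Constructed sample inputs: a threshold saved with an empty field (the
// failing case), one with a real field, and one with the field unset.
const emptyFieldThreshold = { field: '', value: 5 };
const hostThreshold = { field: 'host.name', value: 5 };
const unsetThreshold = { value: 5 };

// Walk every sample through both builders and report which are usable.
function compareOperators(bucketKey) {
  const samples = { empty: emptyFieldThreshold, host: hostThreshold, unset: unsetThreshold };
  const report = {};
  for (const [name, threshold] of Object.entries(samples)) {
    report[name] = {
      nullish: isValidTermClause(buildTermClauseNullish(threshold, bucketKey)),
      or: isValidTermClause(buildTermClauseOr(threshold, bucketKey)),
    };
  }
  return report;
}

// Only the empty-string case differs: { empty: { nullish: false, or: true }, ... }
console.log(JSON.stringify(compareOperators('rule-1'), null, 2));
```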

@madirey madirey marked this pull request as ready for review December 7, 2020 21:14
@madirey madirey requested review from a team as code owners December 7, 2020 21:14
madirey (Contributor, Author) commented Dec 8, 2020

@elasticmachine merge upstream

@peluja1012 peluja1012 added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Dec 8, 2020
madirey (Contributor, Author) commented Dec 12, 2020

@elasticmachine merge upstream

kibanamachine (Contributor) commented:

💚 Build Succeeded

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

  id                before   after    diff
  securitySolution  8.3MB    8.3MB    -595.0B

Distributable file count

  id       before   after   diff
  default  47129    47889   +760


@madirey madirey merged commit 9719932 into elastic:master Dec 13, 2020
@madirey madirey deleted the threshold-exceptions branch December 13, 2020 01:36
madirey added a commit to madirey/kibana that referenced this pull request Dec 13, 2020
…tions (elastic#85103)

* Threshold rule exceptions

* Clean up

* Disable value lists for threshold rule exceptions

* lint

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
madirey added a commit that referenced this pull request Dec 14, 2020
…tions (#85103) (#85717)

* Threshold rule exceptions

* Clean up

* Disable value lists for threshold rule exceptions

* lint

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Dec 14, 2020
* master: (116 commits)
  Fix UX E2E tests (elastic#85722)
  Increasing default api key removalDelay to 1h (elastic#85576)
  align cors settings names with elasticsearch (elastic#85738)
  unskip tests and make sure submit is not triggered too quickly (elastic#85567)
  Row trigger 2 (elastic#83167)
  Add session id to audit log (elastic#85451)
  [TSVB] Fields lists do not populate all the times (elastic#85530)
  [Visualize] Removes the external link icon from OSS badges (elastic#85580)
  fixes EQL tests (elastic#85712)
  [APM] enable 'log_level' for Go (elastic#85511)
  ini `1.3.5` -> `1.3.7` (elastic#85707)
  Fix fleet route protections (elastic#85626)
  [Monitoring] Some progress on making alerts better in the UI (elastic#81569)
  [Security Solution] Refactor Timeline Notes to use EuiCommentList (elastic#85256)
  [Security Solution][Detections][Threshold Rules] Threshold rule exceptions (elastic#85103)
  [Security Solution] Alerts details (elastic#83963)
  skip flaky suite (elastic#62060)
  skip flaky suite (elastic#85098)
  skip flaky suite (elastic#84020)
  skip flaky suite (elastic#85671)
  ...