[SECURITY SOLUTION] Eql in timeline #90816

Merged: 15 commits, Feb 17, 2021

Conversation

@XavierM (Contributor) commented Feb 9, 2021

Summary

Timeline can support EQL query.

[screenshot: eql_timelione]

Checklist

@XavierM added the labels v8.0.0, v7.12.0, Team:Threat Hunting (Security Solution Threat Hunting Team), Feature:Timeline (Security Solution Timeline feature) and release_note:feature (Makes this part of the condensed release notes) on Feb 9, 2021
@XavierM self-assigned this Feb 9, 2021
@XavierM requested review from a team as code owners February 9, 2021 17:10
@elasticmachine (Contributor): Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@@ -6,6 +6,7 @@
*/

import React from 'react';
import { isEmpty } from 'lodash';
Contributor review comment:
consider changing this to

```ts
import { isEmpty } from 'lodash/fp';
```

for consistency with other imports of `isEmpty`

@XavierM (Contributor Author) replied Feb 10, 2021:

Kibana wants us to use lodash directly

* 2.0.
*/

import { isEmpty, isEqual } from 'lodash';
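Review bot: the same consistency point raised on the first file's `isEmpty` import applies to `import { isEmpty, isEqual } from 'lodash';` here; whichever package the project standard settles on (`lodash` or `lodash/fp`), both new imports in this PR should use the same one.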
Contributor review comment:

consider changing this to

```ts
import { isEmpty, isEqual } from 'lodash/fp';
```

@andrew-goldstein (Contributor):
I can tab through all the elements on the page when in the Query tab, but I can't tab past the events table on the Correlation tab. I'm wondering if we need to update the onTimelineTabKeyPressed function, or one of the helpers invoked by it.

@andrew-goldstein (Contributor):
The event count badge on the Correlation tab doesn't appear to be reset when a new timeline is created:

[screenshot: event_count]

@andrew-goldstein (Contributor):
Per the following screenshot, when a case is created from a Resolver view, additional URL state is included to re-open the Resolver view when users click the rule from a case:

[screenshot: create-case-resolver]

Consider appending the active tab to the URL state such that when users click on a timeline link from a case, timeline opens the Correlation tab, because the Query tab will likely be empty when the timeline is opened, which may be confusing.

@XavierM (Contributor Author) commented Feb 17, 2021:

> Would you be willing to confirm that the 200 results shown in the screenshot below is the expected behavior because `size` is a multiplier that's applied to each instance of a `[ ]` in the EQL syntax?
>
> [screenshot: size]
>
> I'm 99% sure this is the intended behavior, and experimentally, when I add a third `event.category`, `registry`, in the example below:
>
> ```
> sequence
>   [ file where file.extension == "exe" ]
>   [ process where true ]
>   [ registry where true ]
> ```
>
> I get 300 results, so I think it's working as intended.

Yes, it is working as expected.

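Added example for the `size` discussion above (my own TypeScript, not Kibana or Security Solution code): it parses an EQL query just far enough to tell a plain event query from a `sequence` and count its `[ ... ]` steps, reproduces the 200 and 300 row counts from the thread as `size * steps`, and builds the matching `_eql/search` request body. Assumed rather than taken from the PR: the sample queries are constructed, the default `size` of 100 and the `@timestamp` field are illustrative, keywords are matched in lowercase, and an `until [ ... ]` block is treated as not contributing a returned event.

```typescript
// Added example for this review thread, not Kibana / Security Solution code.
// Reproduces the 200 / 300 row counts: for a `sequence` query, Elasticsearch's
// EQL `size` is the number of matching sequences, and each returned sequence
// carries one event per `[ ... ]` step, so rows shown = size * steps.
// Assumptions: lowercase keywords; an `until [ ... ]` block is assumed not to
// add a returned event and is excluded from the step count.

export interface EqlShape {
  kind: 'sequence' | 'event';
  steps: number; // step blocks in a sequence, 1 for a plain event query
}

// Blank out string literals so a `[` or `]` inside "..." / '...' / ?"..."
// (EQL raw string) is not mistaken for a step delimiter.
function stripStringLiterals(q: string): string {
  let out = '';
  let i = 0;
  while (i < q.length) {
    const c = q[i];
    const raw = c === '?' && (q[i + 1] === '"' || q[i + 1] === "'");
    if (raw || c === '"' || c === "'") {
      const quote = raw ? q[i + 1] : c;
      i += raw ? 2 : 1;
      while (i < q.length && q[i] !== quote) {
        if (!raw && q[i] === '\\') i++; // skip the escaped character
        i++;
      }
      i++; // closing quote
      out += ' ';
      continue;
    }
    out += c;
    i++;
  }
  return out;
}

export function parseEqlShape(query: string): EqlShape {
  let cleaned = stripStringLiterals(query).trim();
  if (!/^sequence\b/.test(cleaned)) {
    return { kind: 'event', steps: 1 };
  }
  // Assumption: the `until` block does not produce a returned event.
  const untilAt = cleaned.search(/\buntil\b/);
  if (untilAt !== -1) cleaned = cleaned.slice(0, untilAt);
  let depth = 0;
  let steps = 0;
  for (let i = 0; i < cleaned.length; i++) {
    if (cleaned[i] === '[') {
      if (depth === 0) steps++; // only top-level blocks are steps
      depth++;
    } else if (cleaned[i] === ']') {
      depth--;
      if (depth < 0) throw new Error('unbalanced ] in sequence query');
    }
  }
  if (depth !== 0 || steps === 0) throw new Error('malformed sequence query');
  return { kind: 'sequence', steps };
}

// Rows the Correlation tab would list for a given `size`.
export function expectedEventRows(query: string, size: number): number {
  const shape = parseEqlShape(query);
  return shape.kind === 'sequence' ? size * shape.steps : size;
}

// Request body for POST /<index>/_eql/search (real API fields; the default
// size of 100 and the timestamp field are assumptions, not PR values).
export function eqlSearchBody(query: string, size = 100, timestampField = '@timestamp') {
  return { query, size, timestamp_field: timestampField };
}

// Constructed queries: the reviewer's two- and three-step sequences, plus one
// with brackets inside string literals, `by`, `with maxspan` and `until`.
export const TWO_STEP = `sequence
  [ file where file.extension == "exe" ]
  [ process where true ]`;

export const THREE_STEP = `sequence
  [ file where file.extension == "exe" ]
  [ process where true ]
  [ registry where true ]`;

export const TRICKY = `sequence by host.id with maxspan=5m
  [ file where file.name == "a\\"b].exe" ]
  [ process where process.args in ("a]", ?'[b') ]
  until [ process where event.type == "end" ]`;
```

The bracket counter skips `[` and `]` inside string literals (including EQL's `?"raw"` form), which a naive `split('[')` would miscount; that is the case the `TRICKY` query exercises, and it still reports two steps.
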
@XavierM (Contributor Author) commented Feb 17, 2021:

> The event count badge on the Correlation tab doesn't appear to be reset when a new timeline is created:
>
> [screenshot: event_count]

I cannot reproduce it.

@andrew-goldstein (Contributor) left a review:
Thanks for this milestone PR @XavierM! 🎉
LGTM 🚀

@XavierM enabled auto-merge (squash) February 17, 2021 04:43
@kibanamachine (Contributor): 💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 2197 | 2203 | +6 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 7.6MB | 7.7MB | +91.3KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 237.2KB | 237.4KB | +168.0B |

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

| id | before | after | diff |
| --- | --- | --- | --- |
| siem-ui-timeline | 91 | 97 | +6 |

Unknown metric groups

async chunk count

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 24 | 25 | +1 |

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@XavierM merged commit 4707dae into elastic:master Feb 17, 2021
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 17, 2021
* master: (157 commits)
  [DOCS] Adds machine learning to the security section of alerting (elastic#91501)
  [Uptime] Ping list step screenshot caption formatting (elastic#91403)
  [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483)
  [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464)
  Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194)
  [APM] Wrap Elasticsearch client errors (elastic#91125)
  [APM] Fix optimize-tsconfig script (elastic#91487)
  [Discover][docs] Add searchFieldsFromSource description (elastic#90980)
  Adds support for 'ip' data type (elastic#85087)
  [Detection Rules] Add updates from 7.11.2 rules (elastic#91553)
  [SECURITY SOLUTION] Eql in timeline (elastic#90816)
  [APM] Correlations Beta (elastic#86477) (elastic#89952)
  [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258)
  [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446)
  skip flaky suite (elastic#91450)
  skip flaky suite (elastic#91592)
  [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870)
  [ML] Add better UI support for runtime fields Transforms  (elastic#90363)
  [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167)
  [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260)
  ...
XavierM added a commit to XavierM/kibana that referenced this pull request Feb 17, 2021
* add EQL as a language
* add eql in timeline
* fix type + unit test
* move eql to its own tab
* fix merge issue + a little bug when creating a new timeline to reset eql textarea
* fix cypress tests
* fix lint error
* fix bug from review

Co-authored-by: Angela Chuang <yi-chun.chuang@elastic.co>
XavierM added a commit that referenced this pull request Feb 17, 2021
* add EQL as a language
* add eql in timeline
* fix type + unit test
* move eql to its own tab
* fix merge issue + a little bug when creating a new timeline to reset eql textarea
* fix cypress tests
* fix lint error
* fix bug from review

Co-authored-by: Angela Chuang <yi-chun.chuang@elastic.co>

Co-authored-by: Angela Chuang <yi-chun.chuang@elastic.co>
Labels: Feature:Timeline (Security Solution Timeline feature), release_note:feature (Makes this part of the condensed release notes), Team:Threat Hunting (Security Solution Threat Hunting Team), v7.12.0, v8.0.0

7 participants