
[Detection Rules] Add updates from 7.11.2 rules #91553

Merged
merged 3 commits into from
Feb 17, 2021

Conversation

brokensound77
Contributor

Summary

Rule updates from https://github.com/elastic/detection-rules/tree/7.11

The only update here is adding the timestamp_override field to many of the rules. Details here

The existing rules PR #91082 should merge after this is merged and backported.

Checklist

@brokensound77 brokensound77 added release_note:skip Skip the PR/issue when compiling release notes v7.11.2 labels Feb 16, 2021
@brokensound77 brokensound77 requested a review from a team as a code owner February 16, 2021 19:54
@brokensound77 brokensound77 added Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team labels Feb 16, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)


@bm11100 bm11100 left a comment


LGTM

@spong
Member

spong commented Feb 16, 2021

Flakiness w/ an ML test: #91450

@elasticmachine merge upstream

@spong
Member

spong commented Feb 16, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Member

@spong spong left a comment


Checked out, tested locally, and all 356 updates were identified and I was able to update them without error! 🙌 Scanned rules and those changes LGTM as well.


In testing however, an issue was uncovered (#91594) within the Detection Engine where in some cases we're not falling back to @timestamp when the timestampOverride field isn't mapped. This was the result of a different ES error response format than expected.

We'll be fixing this for 7.11.2, however this raises the question of whether or not the Elastic Endgame rules which only point to the endgame-* index should be updated to use the event.ingested timestamp override as (afaik) it will never exist. Going to approve this PR as to not hold up the 7.12 changes pending on this, but we should re-visit not updating those rules if they are expected to always fallback to @timestamp since it's added overhead to the cluster (extra queries), and the rule will be in a partial failure/warning state saying that event.ingested is not mapped when there's nothing the user can do to resolve this issue.
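The fallback behaviour discussed in the comment above, as an added illustration that is not Kibana's Detection Engine code: a rule carrying `timestamp_override` (here `event.ingested`) should query that field where the index pattern maps it and otherwise fall back to `@timestamp` with a warning, including when the mapping lookup returns an unexpected shape. The simplified `field_caps`-style input, the `unmapped` type entry and the sample index captures are assumptions constructed for the example.

```typescript
// Simplified field_caps "fields" map: field name -> type name -> info.
// Assumption: an index pattern where the field is missing from some indices
// carries an 'unmapped' type entry, as the real API does.
type FieldCaps = Record<string, Record<string, { type: string }>>;

interface RangeQuery {
  range: Record<string, { gte: string; lte: string; format: string }>;
}

interface Resolution {
  field: string;      // the timestamp field the rule will actually query
  warning?: string;   // surfaced as a rule warning instead of a hard failure
}

// Decide which timestamp field the rule's range query should use.
// `caps === undefined` models the case from the comment: the mapping lookup
// came back as an error in a shape the caller did not recognise. We treat it
// exactly like "not mapped" so the rule still falls back to @timestamp.
function resolveTimestampField(override: string | undefined, caps: FieldCaps | undefined): Resolution {
  if (!override) return { field: '@timestamp' };
  const types = caps?.[override];
  const mappedSomewhere = types !== undefined && Object.keys(types).some((t) => t !== 'unmapped');
  if (mappedSomewhere) return { field: override };
  return {
    field: '@timestamp',
    warning: `timestamp override ${override} is not mapped in the rule's indices; falling back to @timestamp`,
  };
}

// Build the range clause the rule runs over the chosen field.
function buildRangeQuery(field: string, gte: string, lte: string): RangeQuery {
  return { range: { [field]: { gte, lte, format: 'strict_date_optional_time' } } };
}

function rangeQueryForRule(override: string | undefined, caps: FieldCaps | undefined, gte: string, lte: string) {
  const resolved = resolveTimestampField(override, caps);
  return { ...resolved, query: buildRangeQuery(resolved.field, gte, lte) };
}

// Constructed sample captures (not real cluster output).
// An endgame-* index only carries @timestamp, so event.ingested never exists there.
const ENDGAME_CAPS: FieldCaps = { '@timestamp': { date: { type: 'date' } } };
// A logs-* pattern where event.ingested is mapped in every index.
const LOGS_CAPS: FieldCaps = {
  '@timestamp': { date: { type: 'date' } },
  'event.ingested': { date: { type: 'date' } },
};
```

Rules scoped only to an index that can never carry the override field will always land in the warning branch, which is the extra query plus permanent warning the comment describes.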

@spong spong requested a review from a team February 17, 2021 05:14
@brokensound77
Copy link
Contributor Author

That sounds good to me @spong, thanks for running those errors down!

@brokensound77 brokensound77 merged commit df46bfc into elastic:master Feb 17, 2021
@brokensound77 brokensound77 deleted the rules/7.11.2 branch February 17, 2021 06:10
brokensound77 added a commit to brokensound77/kibana that referenced this pull request Feb 17, 2021
* [Detection Rules] Add 7.11.2 rules
* update timestamp_override fields for certain rules
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 17, 2021
* master: (157 commits)
  [DOCS] Adds machine learning to the security section of alerting (elastic#91501)
  [Uptime] Ping list step screenshot caption formatting (elastic#91403)
  [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483)
  [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464)
  Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194)
  [APM] Wrap Elasticsearch client errors (elastic#91125)
  [APM] Fix optimize-tsconfig script (elastic#91487)
  [Discover][docs] Add searchFieldsFromSource description (elastic#90980)
  Adds support for 'ip' data type (elastic#85087)
  [Detection Rules] Add updates from 7.11.2 rules (elastic#91553)
  [SECURITY SOLUTION] Eql in timeline (elastic#90816)
  [APM] Correlations Beta (elastic#86477) (elastic#89952)
  [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258)
  [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446)
  skip flaky suite (elastic#91450)
  skip flaky suite (elastic#91592)
  [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870)
  [ML] Add better UI support for runtime fields Transforms  (elastic#90363)
  [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167)
  [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260)
  ...
brokensound77 added a commit that referenced this pull request Feb 17, 2021
* [Detection Rules] Add 7.11.2 rules
* update timestamp_override fields for certain rules
brokensound77 added a commit to brokensound77/kibana that referenced this pull request Feb 17, 2021
* [Detection Rules] Add 7.11.2 rules
* update timestamp_override fields for certain rules
spong pushed a commit that referenced this pull request Feb 18, 2021
* [Detection Rules] Add 7.11.2 rules
* update timestamp_override fields for certain rules
spong pushed a commit that referenced this pull request Feb 18, 2021
#91771)

## Summary

Pulls updates from elastic/detection-rules#951. This basically reverts the changes made in #91553 for _only_ the endgame promotion rules

### Checklist


- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Feb 18, 2021
elastic#91771)

## Summary

Pulls updates from elastic/detection-rules#951. This basically reverts the changes made in elastic#91553 for _only_ the endgame promotion rules

### Checklist


- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
kibanamachine added a commit that referenced this pull request Feb 18, 2021
#91771) (#91784)

## Summary

Pulls updates from elastic/detection-rules#951. This basically reverts the changes made in #91553 for _only_ the endgame promotion rules

### Checklist


- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
spong pushed a commit that referenced this pull request Feb 18, 2021
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after #91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Feb 18, 2021
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after elastic#91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
kibanamachine added a commit that referenced this pull request Feb 18, 2021
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after #91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
spong pushed a commit to spong/kibana that referenced this pull request Feb 18, 2021
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after elastic#91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
spong added a commit that referenced this pull request Feb 18, 2021
## Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after #91553 is merged and backported

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Labels
Feature:Detection Rules Anything related to Security Solution's Detection Rules release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team v7.11.2 v7.12.0 v8.0.0