[Detection Rules] Add updates from 7.11.2 rules #91553
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
LGTM
Flakiness w/ an ML test: #91450

@elasticmachine merge upstream

@elasticmachine merge upstream
💚 Build Succeeded
Checked out, tested locally, and all 356 updates were identified and I was able to update without error! 🙌 Scanned rules and those changes LGTM as well.

In testing however, an issue was uncovered (#91594) within the Detection Engine where in some cases we're not falling back to `@timestamp` when the `timestampOverride` field isn't mapped. This was the result of a different ES error response format than expected. We'll be fixing this for 7.11.2, however this raises the question of whether or not the Elastic Endgame rules which only point to the `endgame-*` index should be updated to use the `event.ingested` timestamp override as (afaik) it will never exist. Going to approve this PR as to not hold up the 7.12 changes pending on this, but we should re-visit not updating those rules if they are expected to always fall back to `@timestamp`, since it's added overhead to the cluster (extra queries), and the rule will be in a partial failure/warning state saying that `event.ingested` is not mapped when there's nothing the user can do to resolve this issue.
That sounds good to me @spong, thanks for running those errors down!
* [Detection Rules] Add 7.11.2 rules
* update timestamp_override fields for certain rules
* master: (157 commits)
  * [DOCS] Adds machine learning to the security section of alerting (elastic#91501)
  * [Uptime] Ping list step screenshot caption formatting (elastic#91403)
  * [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483)
  * [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464)
  * Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194)
  * [APM] Wrap Elasticsearch client errors (elastic#91125)
  * [APM] Fix optimize-tsconfig script (elastic#91487)
  * [Discover][docs] Add searchFieldsFromSource description (elastic#90980)
  * Adds support for 'ip' data type (elastic#85087)
  * [Detection Rules] Add updates from 7.11.2 rules (elastic#91553)
  * [SECURITY SOLUTION] Eql in timeline (elastic#90816)
  * [APM] Correlations Beta (elastic#86477) (elastic#89952)
  * [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258)
  * [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446)
  * skip flaky suite (elastic#91450)
  * skip flaky suite (elastic#91592)
  * [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870)
  * [ML] Add better UI support for runtime fields Transforms (elastic#90363)
  * [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167)
  * [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260)
  * ...
#91771) (#91784)

## Summary
Pulls updates from elastic/detection-rules#951. This basically reverts the changes made in #91553 for _only_ the endgame promotion rules

### Checklist
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
## Summary
Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.12

This should not merge until after #91553 is merged and backported

### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
## Summary
Rule updates from https://github.com/elastic/detection-rules/tree/7.11

The only update here is adding the `timestamp_override` field to many of the rules. Details here. The existing rules PR #91082 should merge after this is merged and backported.

### Checklist
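The behaviour discussed on this page, as an added example that is not Kibana's or detection-rules' own code: a rule with a `timestamp_override` of `event.ingested` is windowed on that field, documents where the field is absent fall back to `@timestamp`, and for an index pattern such as `endgame-*` where the field is never mapped every run pays for the extra clause and the rule sits in the "not mapped" warning state. The query shape, the helper names (`buildTimestampFilter`, `inWindow`, `overrideGaps`), the sample indices and the sample documents are assumptions made for this illustration, not the Detection Engine's actual implementation.

```typescript
// Added example (not Kibana's or detection-rules' own code): the behaviour the
// thread describes for a rule's timestamp_override, written out so it can be
// checked offline. Query shape, helper names and sample data are assumptions.

type Doc = Record<string, string | undefined>;
interface RunWindow { from: string; to: string }

// The rule run window used throughout (constructed values, ISO 8601 with "Z").
const WIN: RunWindow = { from: "2021-02-16T12:00:00.000Z", to: "2021-02-16T12:05:00.000Z" };

// Range filter for one rule run. With an override, a document is in the window
// if the override field is in range, or if that field is absent and @timestamp
// is in range. Without an override the filter is a plain @timestamp range.
function buildTimestampFilter(win: RunWindow, override?: string): Record<string, unknown> {
  const range = (field: string) => ({
    range: { [field]: { gte: win.from, lte: win.to, format: "strict_date_optional_time" } },
  });
  if (!override) return range("@timestamp");
  return {
    bool: {
      should: [
        range(override),
        { bool: { filter: [range("@timestamp")], must_not: [{ exists: { field: override } }] } },
      ],
      minimum_should_match: 1,
    },
  };
}

// The same semantics evaluated in-process, so the fallback can be exercised on
// sample documents without a cluster. Timestamps compare lexically because they
// all share one fixed-width format.
function inWindow(doc: Doc, win: RunWindow, override?: string): boolean {
  const within = (v: string | undefined) => v !== undefined && v >= win.from && v <= win.to;
  if (override !== undefined && doc[override] !== undefined) return within(doc[override]);
  return within(doc["@timestamp"]);
}

// Fields mapped per concrete index, as a field_caps call would report them.
// Constructed sample: the endpoint data stream maps event.ingested, the legacy
// endgame-* index does not.
const MAPPED_FIELDS: Record<string, string[]> = {
  "logs-endpoint.events.process-default": ["@timestamp", "event.ingested", "process.name"],
  "endgame-2021.02.16": ["@timestamp", "event.action", "process.name"],
};

// Only the trailing-wildcard pattern form used by the rules under discussion.
function matchesPattern(pattern: string, index: string): boolean {
  return pattern.endsWith("*") ? index.startsWith(pattern.slice(0, -1)) : index === pattern;
}

// Which indices behind a rule's patterns lack the override field. When every
// index lacks it, each run carries the extra clause for nothing and the rule
// stays in the "field not mapped" warning state with nothing the user can fix.
function overrideGaps(patterns: string[], override: string, mapped: Record<string, string[]> = MAPPED_FIELDS) {
  const indices = Object.keys(mapped).filter((i) => patterns.some((p) => matchesPattern(p, i)));
  const missing = indices.filter((i) => !mapped[i].includes(override));
  return { indices, missing, alwaysFallsBack: indices.length > 0 && missing.length === indices.length };
}

// Constructed sample documents: an endgame event (no event.ingested) and two
// endpoint events whose ingest time differs from their event time.
const ENDGAME_DOC: Doc = { "@timestamp": "2021-02-16T12:01:00.000Z", "event.action": "creation_event" };
const LATE_INGEST_DOC: Doc = { "@timestamp": "2021-02-16T11:30:00.000Z", "event.ingested": "2021-02-16T12:02:00.000Z" };
const STALE_DOC: Doc = { "@timestamp": "2021-02-16T12:03:00.000Z", "event.ingested": "2021-02-16T12:20:00.000Z" };

console.log(JSON.stringify(buildTimestampFilter(WIN, "event.ingested"), null, 2));
console.log(
  inWindow(ENDGAME_DOC, WIN, "event.ingested"),      // falls back to @timestamp
  inWindow(LATE_INGEST_DOC, WIN, "event.ingested"),  // matched on event.ingested
  inWindow(STALE_DOC, WIN, "event.ingested"),        // override wins over @timestamp
);
console.log(overrideGaps(["endgame-*"], "event.ingested"));
```

`LATE_INGEST_DOC` is the case the override exists for: the event happened before the window but only arrived during it, so a plain `@timestamp` query would miss it. `overrideGaps(["endgame-*"], ...)` reports `alwaysFallsBack: true`, the situation the review comment suggests should not carry an override at all.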