[Security Solution][Endpoint] Update warning text for event filter matches operator #127958
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ashokaditya
added
release_note:skip
ashokaditya
force-pushed
the
task/olm-3199-update-warning-event-filter-matches-operator
branch
from
30262a5
to
4683816
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
kevinlog
reviewed
Mar 17, 2022
x-pack/plugins/lists/public/exceptions/components/builder/entry_renderer.tsx
Show resolved
Hide resolved
dasansol92
approved these changes
Mar 17, 2022
x-pack/plugins/lists/public/exceptions/components/builder/entry_renderer.tsx
Outdated
Show resolved
Hide resolved
review changes
FrankHassanabad
approved these changes
Mar 17, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Mar 17, 2022
…ists This works out of the box and we don't add endpoint related `file.name` or `process.name` entry when it already is added by the user refs elastic/pull/127958#discussion_r829086447 elastic/security-team/issues/3199
💛 Build succeeded, but was flakyTest Failures
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @ashokaditya |
⚪ Backport skippedThe pull request was not backported as there were no branches to backport to. If this is a mistake, please apply the desired version labels or run the backport tool manually. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
ashokaditya
deleted the
task/olm-3199-update-warning-event-filter-matches-operator
branch
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Mar 18, 2022
Add `file.name` and `process.name` entry for wildcard path values only when file.name and process.name entries do not already exist. The earlier commit 8a516ae was mistakenly labeled as this worked out of the box. In the same commit we notice that the test data had a wildcard file path that did not add a `file.name` or `process.name` entry. For more see: elastic/pull/127958#discussion_r829086447 elastic/security-team/issues/3199
kibanamachine
added
the
backport missing
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
kevinlog
added
backport:skip
ashokaditya
added a commit
that referenced
this pull request
Mar 23, 2022
…wildcard) in wildcard-ed event filter `file.path.text` (#127432) * update filename regex to include multiple hyphens and periods Uses a much simpler pattern that covers a whole gamut file name patterns. fixes elastic/security-team/issues/3294 * remove duplicated code * add tests for `process.name` entry for filenames with wildcard path refs /pull/120349 /pull/125202 * Add file.name optimized entry when wildcard filepath in file.path.text has a filename fixes elastic/security-team/issues/3294 * update regex to include unicode chars review changes * add tests for `file.name` and `process.name` entries if it already exists This works out of the box and we don't add endpoint related `file.name` or `process.name` entry when it already is added by the user refs /pull/127958#discussion_r829086447 elastic/security-team/issues/3199 * fix `file.name` and `file.path.text` entries for linux and mac/linux refs /pull/127098 * do not add endpoint optimized entry Add `file.name` and `process.name` entry for wildcard path values only when file.name and process.name entries do not already exist. The earlier commit 8a516ae was mistakenly labeled as this worked out of the box. In the same commit we notice that the test data had a wildcard file path that did not add a `file.name` or `process.name` entry. For more see: /pull/127958#discussion_r829086447 elastic/security-team/issues/3199 * update regex to include gamut of unicode characters review suggestions * remove regex altogether simplifies the logic to check if path is without wildcard characters. This way it includes all other strings as valid filenames that do not have * or ? * update artifact creation for `file.path.text` entries Similar to when we normalize `file.path.caseless` entries, except that the `type` is `*_cased` for linux and `*_caseless` for non-linux
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Show a more descriptive warning when the filename has a wildcard when using matches operator in event filters.
related
/pull/127432
/pull/125202
Checklist
Delete any items that are not applicable to this PR.