[SecuritySolution] Use correct queries and filters for prevalence calls #154544
Conversation
```typescript
// For fields with multiple values we need add an extra filter that makes sure
// that only fields that match ALL the values are queried later on.
let filters: Filter[] = [];
if (arrayValues.length > 1) {
  filters = [
    {
      meta: {},
      query: {
        bool: {
          must: arrayValues.map((value) => ({ term: { [field]: value } })),
        },
      },
    },
  ];
}
```
Not sure this logic should apply in cases other than alert prevalence. But I might just leave this here instead of in PrevalenceCell so that in future this logic can be used in other places.
…-ref HEAD~1..HEAD --fix'
…of github.com:janmonschke/kibana into fix-prevalence-counts-for-fields-with-multiple-values
@elasticmachine merge upstream
Three review threads on `x-pack/plugins/security_solution/cypress/e2e/detection_alerts/investigate_in_timeline.cy.ts` (outdated, resolved)
LGTM
Left some minor/nit comments :)
@elasticmachine merge upstream
💛 Build succeeded, but was flaky

Failed CI Steps
Test Failures

Metrics [docs]
Async chunks

Unknown metric groups
ESLint disabled line counts
Total ESLint disabled count

History

To update your PR or re-run it, just comment with:

cc @janmonschke
💔 All backports failed

Manual backport
To create the backport manually run:

Questions?
Please refer to the Backport tool documentation
…ls (elastic#154544)

## Summary

Bug ticket elastic#131967 describes an issue where the alert prevalence count is not correct for fields that have array values (such as `process.args`).

## Solution

Getting the correct count for those fields involved adding more `term` conditions to the prevalence query and the timeline filter. This ensures that only alerts with the *exact* same array values match instead of partial matches as before.

https://user-images.githubusercontent.com/68591/231395154-b5a1c968-8308-49fb-a218-f3611f8331c3.mov

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] Get approval from the product team

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Friendly reminder: Looks like this PR hasn’t been backported yet.
Summary

Bug ticket #131967 describes an issue where the alert prevalence count is not correct for fields that have array values (such as `process.args`).

Solution

Getting the correct count for those fields involved adding more `term` conditions to the prevalence query and the timeline filter. This ensures that only alerts with the exact same array values match instead of partial matches as before.

Screen.Recording.2023-04-12.at.10.11.35.mov

Checklist
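Added example, not Kibana's code: it rebuilds the filter from the reviewed snippet (one `term` clause per array value under bool `must`) and applies it to constructed alert documents using in-memory `term` semantics, where a clause on a multi-valued field matches if any stored element equals the value. The single-value counter stands in for the partial matching the PR replaces and is an illustration, not the previous Kibana code; note that `must` only requires every queried value to be present, so an alert whose `process.args` carries extra values still matches and is counted.

```typescript
type TermClause = { term: { [field: string]: string } };
type PrevalenceFilter = {
  meta: { [key: string]: unknown };
  query: { bool: { must: TermClause[] } };
};
type AlertDoc = { [field: string]: string | string[] | undefined };

// Same logic as the snippet under review: one term clause per value, all of
// them required; single-valued fields get no extra filter.
function buildPrevalenceFilters(field: string, arrayValues: string[]): PrevalenceFilter[] {
  if (arrayValues.length <= 1) return [];
  return [{
    meta: {},
    query: { bool: { must: arrayValues.map((value) => ({ term: { [field]: value } })) } },
  }];
}

// Elasticsearch term semantics on a multi-valued field: the clause matches
// when ANY stored element equals the value (in-memory re-implementation).
function termMatches(doc: AlertDoc, clause: TermClause): boolean {
  const field = Object.keys(clause.term)[0];
  const value = clause.term[field];
  const stored = doc[field];
  return Array.isArray(stored) ? stored.indexOf(value) !== -1 : stored === value;
}

// Partial matching (illustration of the old behaviour, not the old code): a single
// term clause on one of the values, so any alert sharing that one arg is counted.
function countPartial(docs: AlertDoc[], field: string, values: string[]): number {
  return docs.filter((d) => termMatches(d, { term: { [field]: values[0] } })).length;
}

// Matching as the PR does it: every queried value must be present in the alert.
function countExact(docs: AlertDoc[], field: string, values: string[]): number {
  const filters = buildPrevalenceFilters(field, values);
  const must = filters.length > 0 ? filters[0].query.bool.must : [{ term: { [field]: values[0] } }];
  return docs.filter((d) => must.every((c) => termMatches(d, c))).length;
}

// Constructed alert documents (not real data): only h1 and h3 contain all three
// args; h3 carries an extra arg and still matches, which is the caveat to keep in mind.
const ALERTS: AlertDoc[] = [
  { 'host.name': 'h1', 'process.args': ['sh', '-c', 'curl'] },
  { 'host.name': 'h2', 'process.args': ['sh', '-c'] },
  { 'host.name': 'h3', 'process.args': ['sh', '-c', 'curl', '--silent'] },
  { 'host.name': 'h4', 'process.args': 'sh' },
];
const QUERY = ['sh', '-c', 'curl'];
console.log(countPartial(ALERTS, 'process.args', QUERY), countExact(ALERTS, 'process.args', QUERY));
```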