Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][Detection Engine] Fixes bug with timeline templates not working #60476

Merged
merged 1 commit into from Mar 18, 2020
Merged

[SIEM][Detection Engine] Fixes bug with timeline templates not working #60476

merged 1 commit into from Mar 18, 2020

Conversation

FrankHassanabad
Copy link
Contributor

@FrankHassanabad FrankHassanabad commented Mar 18, 2020
edited

Summary

Fixes a bug with the timeline templates not working when specifying filters.

  • Creates a type safe mechanism for getting StringArrays or regular strings
  • AddsType Script function returns to functions in the helpers file
  • Adds unit tests for the effected areas of code and corner cases

Before this fix you would get these toaster errors if you tried to use a template name such as host.name in the timeline filters:

Screen Shot 2020-03-18 at 12 58 01 AM

After this fix it will work for you.

Testing:

  1. Create a timeline template that has a host.name as both a query and a filter such as this. You can give the value of the host.name any value such as placeholder.

Screen Shot 2020-03-18 at 12 56 04 AM

  1. Create a signal that uses it and produces a lot of signals off of something such as all host names

Screen Shot 2020-03-18 at 12 50 47 AM

  1. Ensure you select your Timeline template you saved by using the drop down

Screen Shot 2020-03-18 at 12 51 21 AM

  1. Once your signals have run, go to the signals page and send one of the signals for your newly crated rule which has a host name to the timeline from "View in timeline"

Screen Shot 2020-03-18 at 12 52 10 AM

You should notice that your timeline has both the query and the filter set correctly such as this
Screen Shot 2020-03-18 at 12 56 23 AM

Other notes

All the different fields you can choose from for templates are:

  'host.name',
  'host.hostname',
  'host.domain',
  'host.id',
  'host.ip',
  'client.ip',
  'destination.ip',
  'server.ip',
  'source.ip',
  'network.community_id',
  'user.name',
  'process.name',

And it should not work with anything outside of those. You should be able to mix and match them into different filters and queries to have a multiples of them.

Checklist

@FrankHassanabad FrankHassanabad self-assigned this Mar 18, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

yctercero
yctercero approved these changes Mar 18, 2020
View reviewed changes
Copy link
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pulled down and ran through test steps. LGTM - thanks for adding the unit tests!

dhurley14
dhurley14 approved these changes Mar 18, 2020
View reviewed changes
Copy link
Contributor

@dhurley14 dhurley14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks for the bug fix!

rylnd
rylnd approved these changes Mar 18, 2020
View reviewed changes
Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I appreciate the tests!

@FrankHassanabad FrankHassanabad merged commit 3e10276 into elastic:master Mar 18, 2020
@FrankHassanabad FrankHassanabad deleted the timeline-template-fix branch March 18, 2020 17:00
@FrankHassanabad FrankHassanabad mentioned this pull request Mar 18, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rylnd rylnd rylnd approved these changes

@dhurley14 dhurley14 dhurley14 approved these changes

@yctercero yctercero yctercero approved these changes

Assignees

@FrankHassanabad FrankHassanabad

Labels
release_note:fix Team:SIEM v7.7.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@FrankHassanabad @elasticmachine @kibanamachine @rylnd @dhurley14 @yctercero