[SIEM] Use ECS categorisation for Authentication widgets #60734
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/siem (Team:SIEM) |
|
@elasticmachine merge upstream |
tsg
added
release_note:skip
|
@elasticmachine merge upstream |
|
To run this one unit test failure: cd kibana/x-pack
node scripts/jest.js x-pack/legacy/plugins/siem/server/lib/kpi_hosts/query_authentication.dsl.test.tsSide note: if you want to run all jest tests: cd kibana/x-pack
node scripts/jest.js siemDiff/PR of the fix for the test if you want it: |
FrankHassanabad
approved these changes
Mar 20, 2020
|
@elasticmachine merge upstream |
angorayc
approved these changes
Mar 23, 2020
tsg
added a commit
to tsg/kibana
that referenced
this pull request
Mar 23, 2020
* Update the Authentication histogram to use categorization fields * linting * Use categorization fields for the Authentications table * Use event.outcome for authentications KPIs * Adjust mock to fix unit test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Mar 23, 2020
* master: (39 commits) [APM]Create custom link from Trace summary (elastic#59648) [ML] Fixing app clean up (elastic#60853) [SIEM] Use ECS categorisation for Authentication widgets (elastic#60734) [NP] Remove kbnUrl usage in discover/dashboard/visualize (elastic#60016) Skip failing test [Uptime]Update fetch effect failed action handling (elastic#60742) [npm] upgrade elastic/maki (elastic#60829) [Uptime] Add Settings Page (elastic#53550) [APM] service maps: avoid unnecesary `useDeepObjectIdentity` (elastic#60836) [Index management] Re-enable index template tests (elastic#60780) Fixed UI/UX issues: alerts delete confirmation, combobox behaviors (elastic#60703) [SIEM] Fix patching of ML Rules (elastic#60830) [APM] Service Map - Separate overlapping edges by rotating nodes (elastic#60477) [Alerting] fix flaky test for index threshold grouping (elastic#60792) [SIEM][Detection Engine] Adds test scripts for machine learning feature Flatten child api response for resolver (elastic#60810) Change "url" to "urls" in APM agent instructions (elastic#60790) [DOCS] Updates API requests and examples (elastic#60695) [SIEM] [Cases] Create case from timeline (elastic#60711) [Lens] Resetting a layer generates new suggestions (elastic#60674) ...
gmmorris
added a commit
to gmmorris/kibana
that referenced
this pull request
Mar 23, 2020
…s/kibana into alerting/fix-duration-flaky-test * 'alerting/fix-duration-flaky-test' of github.com:gmmorris/kibana: [ML] Fixing app clean up (elastic#60853) [SIEM] Use ECS categorisation for Authentication widgets (elastic#60734)
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
tsg
added a commit
that referenced
this pull request
Mar 24, 2020
…0890) * Update the Authentication histogram to use categorization fields * linting * Use categorization fields for the Authentications table * Use event.outcome for authentications KPIs * Adjust mock to fix unit test Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The current authentication widgets make use of
event.typewhich currently has two possible values:authentication_successandauthentication_failure. In ECS 1.4,event.typeis being changed to containstart/stopinformation.The good news is, in both ECS < 1.4 and >=1.4,
event.categoryis set toauthenticationandevent.outcomeis set tosuccess/failure.After discussing with @MikePaquette, we have decided to ignore
event.typein our queries and only rely onevent.categoryandevent.outcome. This means that we can have the same queries work on both old and new data.There are two drawbacks:
event.type, this can result in counting more authentications. To our knowledge, that's not currently the case with our data sources.event.outcomewhich means that we don't display those events. This should be fixed on that integration.Once we get to 8.0, we should add an extra condition for
event.type.Checklist
Delete any items that are not applicable to this PR.
Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n supportDocumentation was added for features that require explanation or tutorialsThis was checked for keyboard-only and screenreader accessibilityThis renders correctly on smaller devices using a responsive layout. (You can test this in your browserThis was checked for cross-browser compatibility, including a check against IE11For maintainers