[SIEM] Fix custom date time mapping bug #70713

cnasikas · 2020-07-03T13:32:07Z

Summary

This PR addresses various date time bugs.

Changes:

All time-related fields changed to ISO standard.
The type of time-related fields changed from number to string.
All URLs have ISO dates instead of Unix timestamps.
Timeline's time range removed from filtersQuery.
docValuesFields are being passed to Elasticsearch.
If source or indexPatter is loading no timeline queries are being made.

Compatibility:

Old URLs, with unix timestamps, are loaded correctly.
Timeline's saved objects that contain dateRange as timestamps are loaded correctly.

Reference: #58965, #57649, https://discuss.elastic.co/t/siem-app-doesnt-use-timezone-setting/216906/12, https://github.com/elastic/sdh-siem/issues/26

Manual testing:

Test with mapping:

PUT my-mapping
{
    "date_detection": true,
    "numeric_detection": false,
    "dynamic_date_formats": [
        "strict_date_optional_time",
        "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
    ],
    "dynamic": "true",
    "properties": {
        "@timestamp": {
            "type": "date",
            "format": "strict_date_optional_time"
        }
    }
}

PUT my-mapping/_doc/1
{ "@timestamp": "2020-07-13T05:35:10.073Z" }

Test with mapping:

PUT timestamp-without-tz-designator
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date",
        "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis"
      }
    }
  }
}

PUT timestamp-without-tz-designator/_doc/1
{ "@timestamp": "2020-02-11 23:59:55" }

Test if old URLs behave as expected.
Navigate to all pages and see if an error is occurred (console and toaster).
Change the date range to each page and see if the returned documents respect the date range.
Test relative and absolute dates.
Test global time and timeline time.

Out of scope:

Fix a parsing bug. When you drag a timestamp to the timeline's query area and the value of that timestamp is a Unix timestamp but typeof value === 'string then the value is converted to NaN and you get a parsing error. Example: value = '1521848183232'

Checklist

Delete any items that are not applicable to this PR.

Unit or functional tests were updated or added to match the most common scenarios

For maintainers

This was checked for breaking API changes and was labeled appropriately

FrankHassanabad

Thanks for the comprehensive fix! 👍

spong

LGTM! Thank you soooo much @cnasikas and @XavierM -- our users are going to be so happy with these fixes! 🙂

cnasikas · 2020-07-14T19:32:31Z

@elasticmachine merge upstream

x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx

...ck/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_table_data.ts

x-pack/plugins/security_solution/public/common/containers/source/index.tsx

x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts

stephmilovic · 2020-07-14T21:19:05Z

ok idk that its because of this PR but i found this bug. ill check master now:

stephmilovic · 2020-07-14T21:21:25Z

ok same thing happens on master, not your PR. we'll make a new ticket for this bug

stephmilovic

Manual review (woof) passes, just a few nits but do not block over them. Manual testing was all good besides the bug mentioned, but it's also on master so I'd say go ahead and merge this and we can fix the bug in a follow up. Great work, a lot of heavy lifting here. LGTM 🚀

kibanamachine · 2020-07-14T21:26:04Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request
Commit: 439ceec

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	763	+1	762

History

💚 Build #61609 succeeded 439ceec
💔 Build #61539 failed 7c4b903
💔 Build #61522 failed 5fe8948
💔 Build #61479 failed b24f604
💔 Build #61448 failed f21e4cd

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co> Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security_solution/public/timelines/components/open_timeline/helpers.test.ts # x-pack/plugins/security_solution/public/timelines/store/timeline/defaults.ts

…te_optional_time (#74211) ## Summary Related closed issues: #58965 #70713 If you add a custom mapping and go to the hosts details page you will get an error toaster: <img width="838" alt="Screen Shot 2020-08-03 at 7 53 16 PM" src="https://user-images.githubusercontent.com/1151048/89244409-a7df7500-d5c3-11ea-933c-99d96bffc589.png"> If running local host you can configure your index patterns to use a custom one I setup with custom date time formats and a single record which can cause this: <img width="1223" alt="Screen Shot 2020-08-03 at 7 50 12 PM" src="https://user-images.githubusercontent.com/1151048/89243967-8fbb2600-d5c2-11ea-8de2-4422e870f9f0.png"> Then visit this URL and set your date time to go backwards by 1 year ```ts http://localhost:5601/app/security/hosts/app/security/hosts/MacBook-Pro.local/alerts ``` And with the fix you no longer get the error toaster.

…te_optional_time (elastic#74211) ## Summary Related closed issues: elastic#58965 elastic#70713 If you add a custom mapping and go to the hosts details page you will get an error toaster: <img width="838" alt="Screen Shot 2020-08-03 at 7 53 16 PM" src="https://user-images.githubusercontent.com/1151048/89244409-a7df7500-d5c3-11ea-933c-99d96bffc589.png"> If running local host you can configure your index patterns to use a custom one I setup with custom date time formats and a single record which can cause this: <img width="1223" alt="Screen Shot 2020-08-03 at 7 50 12 PM" src="https://user-images.githubusercontent.com/1151048/89243967-8fbb2600-d5c2-11ea-8de2-4422e870f9f0.png"> Then visit this URL and set your date time to go backwards by 1 year ```ts http://localhost:5601/app/security/hosts/app/security/hosts/MacBook-Pro.local/alerts ``` And with the fix you no longer get the error toaster.

…te_optional_time (#74211) (#74245) ## Summary Related closed issues: #58965 #70713 If you add a custom mapping and go to the hosts details page you will get an error toaster: <img width="838" alt="Screen Shot 2020-08-03 at 7 53 16 PM" src="https://user-images.githubusercontent.com/1151048/89244409-a7df7500-d5c3-11ea-933c-99d96bffc589.png"> If running local host you can configure your index patterns to use a custom one I setup with custom date time formats and a single record which can cause this: <img width="1223" alt="Screen Shot 2020-08-03 at 7 50 12 PM" src="https://user-images.githubusercontent.com/1151048/89243967-8fbb2600-d5c2-11ea-8de2-4422e870f9f0.png"> Then visit this URL and set your date time to go backwards by 1 year ```ts http://localhost:5601/app/security/hosts/app/security/hosts/MacBook-Pro.local/alerts ``` And with the fix you no longer get the error toaster.

…te_optional_time (#74211) (#74244) ## Summary Related closed issues: #58965 #70713 If you add a custom mapping and go to the hosts details page you will get an error toaster: <img width="838" alt="Screen Shot 2020-08-03 at 7 53 16 PM" src="https://user-images.githubusercontent.com/1151048/89244409-a7df7500-d5c3-11ea-933c-99d96bffc589.png"> If running local host you can configure your index patterns to use a custom one I setup with custom date time formats and a single record which can cause this: <img width="1223" alt="Screen Shot 2020-08-03 at 7 50 12 PM" src="https://user-images.githubusercontent.com/1151048/89243967-8fbb2600-d5c2-11ea-8de2-4422e870f9f0.png"> Then visit this URL and set your date time to go backwards by 1 year ```ts http://localhost:5601/app/security/hosts/app/security/hosts/MacBook-Pro.local/alerts ``` And with the fix you no longer get the error toaster.

elasticmachine · 2021-09-23T14:31:51Z

Pinging @elastic/security-solution (Team: SecuritySolution)

cnasikas self-assigned this Jul 3, 2020

cnasikas changed the title ~~[SIEM] Fix custom date time mapping bug~~ [SIEM][skip-ci] Fix custom date time mapping bug Jul 3, 2020

cnasikas force-pushed the timestamp_fix branch 7 times, most recently from 1f191c1 to a91e33e Compare July 7, 2020 18:29

cnasikas changed the title ~~[SIEM][skip-ci] Fix custom date time mapping bug~~ [SIEM] Fix custom date time mapping bug Jul 8, 2020

cnasikas force-pushed the timestamp_fix branch from 5e7e165 to a5ecd49 Compare July 8, 2020 15:20

cnasikas added bug Fixes for quality problems that affect the customer experience release_note:skip Skip the PR/issue when compiling release notes Team:SIEM v7.9.0 v8.0.0 labels Jul 8, 2020

cnasikas requested review from XavierM, rylnd, yctercero, stephmilovic, FrankHassanabad, spong, patrykkopycinski, angorayc and andrew-goldstein July 8, 2020 16:00

cnasikas force-pushed the timestamp_fix branch 5 times, most recently from 5decd1d to 763ee02 Compare July 11, 2020 15:59

Fix parsing bug

b24f604

cnasikas force-pushed the timestamp_fix branch from 9105b69 to b24f604 Compare July 14, 2020 16:11

FrankHassanabad approved these changes Jul 14, 2020

View reviewed changes

Fix itegration test

5fe8948

spong approved these changes Jul 14, 2020

View reviewed changes

Minor fix

7c4b903

Merge branch 'master' into timestamp_fix

439ceec

stephmilovic reviewed Jul 14, 2020

View reviewed changes

x-pack/plugins/security_solution/public/common/components/events_viewer/events_viewer.test.tsx Show resolved Hide resolved

stephmilovic reviewed Jul 14, 2020

View reviewed changes

...ck/plugins/security_solution/public/common/components/ml/anomaly/use_anomalies_table_data.ts Show resolved Hide resolved

stephmilovic reviewed Jul 14, 2020

View reviewed changes

x-pack/plugins/security_solution/public/common/containers/source/index.tsx Show resolved Hide resolved

stephmilovic reviewed Jul 14, 2020

View reviewed changes

x-pack/plugins/security_solution/public/timelines/store/timeline/helpers.ts Show resolved Hide resolved

stephmilovic approved these changes Jul 14, 2020

View reviewed changes

cnasikas merged commit 754ade5 into elastic:master Jul 14, 2020

cnasikas deleted the timestamp_fix branch July 14, 2020 21:26

cnasikas mentioned this pull request Jul 14, 2020

[7.x] [SIEM] Fix custom date time mapping bug (#70713) #71776

Merged

cnasikas mentioned this pull request Jul 15, 2020

[EuiSuperDatePicker] Error occurs when changing absolute date elastic/eui#3746

Closed

FrankHassanabad mentioned this pull request Aug 4, 2020

[SIEM] Fixes error toaster in one spot with custom date time formats #74211

Merged

MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SIEM] Fix custom date time mapping bug #70713

[SIEM] Fix custom date time mapping bug #70713

cnasikas commented Jul 3, 2020 •

edited

FrankHassanabad left a comment

spong left a comment

cnasikas commented Jul 14, 2020

stephmilovic commented Jul 14, 2020

stephmilovic commented Jul 14, 2020

stephmilovic left a comment

kibanamachine commented Jul 14, 2020

elasticmachine commented Sep 23, 2021

[SIEM] Fix custom date time mapping bug #70713

[SIEM] Fix custom date time mapping bug #70713

Conversation

cnasikas commented Jul 3, 2020 • edited

Summary

Checklist

For maintainers

FrankHassanabad left a comment

Choose a reason for hiding this comment

spong left a comment

Choose a reason for hiding this comment

cnasikas commented Jul 14, 2020

stephmilovic commented Jul 14, 2020

stephmilovic commented Jul 14, 2020

stephmilovic left a comment

Choose a reason for hiding this comment

kibanamachine commented Jul 14, 2020

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

History

elasticmachine commented Sep 23, 2021

cnasikas commented Jul 3, 2020 •

edited