Skip to content

[Security Solution][Detection Engine] Fixes critical date time format issues#79911

Merged
FrankHassanabad merged 2 commits intoelastic:masterfrom
FrankHassanabad:add-time-format
Oct 8, 2020
Merged

[Security Solution][Detection Engine] Fixes critical date time format issues#79911
FrankHassanabad merged 2 commits intoelastic:masterfrom
FrankHassanabad:add-time-format

Conversation

@FrankHassanabad
Copy link
Copy Markdown
Contributor

@FrankHassanabad FrankHassanabad commented Oct 7, 2020
edited
Loading

Summary

Fixes #79865

Also fixes:

  • Timestamp override not being pushed down into threshold rules to use
  • Timestamp override not being used for lastValidDate
  • The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
  • Fixes one small type issue with fields.

Checklist

Delete any items that are not applicable to this PR.

@FrankHassanabad FrankHassanabad requested review from a team as code owners October 7, 2020 19:50
@FrankHassanabad FrankHassanabad self-assigned this Oct 7, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Oct 7, 2020

Pinging @elastic/siem (Team:SIEM)

@FrankHassanabad FrankHassanabad added bug Fixes for quality problems that affect the customer experience v7.10.0 v7.11.0 v8.0.0 labels Oct 7, 2020
@FrankHassanabad FrankHassanabad changed the title [Security Solution][Detection Engine] Fixes date time format issues [Security Solution][Detection Engine] fixes critical date time format issues Oct 7, 2020
spong
spong approved these changes Oct 8, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@spong spong left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked out, tested locally with multiple test records (some with @timestamp, some with only specific time fields like event.ingested (in epoch as well)), and all cases outlined in the PR description appear to be functioning as intended.

In testing I did find a few issues, but not related to this PR, so LGTM! 👍 😉

Related issues:

  • Threshold rules allow non-aggregate fields to be selected #79948

  • Timeline is including the docvalue_fields in event details which makes it look like these fields are part of the record: cc @XavierM @andrew-goldstein

  • Threshold rules are looking like they just generate an id for signal.parent.id and signal.parents[].id. We should verify this implementation, and consider not setting a parent id as there isn't a single event that the alert corresponds to (but rather a bucket of events). cc @marshallmain

@FrankHassanabad FrankHassanabad merged commit 7732a21 into elastic:master Oct 8, 2020
@FrankHassanabad FrankHassanabad deleted the add-time-format branch October 8, 2020 00:53
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Oct 8, 2020
@FrankHassanabad
Adds date time query and return fields for timestamps and overrides (e…
7b7d931 
…lastic#79911)

## Summary

Fixes elastic#79865

Also fixes:
* Timestamp override not being pushed down into threshold rules to use
* Timestamp override not being used for lastValidDate
* The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
* Fixes one small type issue with fields.


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@FrankHassanabad FrankHassanabad mentioned this pull request Oct 8, 2020
Merged
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Oct 8, 2020
@FrankHassanabad
Adds date time query and return fields for timestamps and overrides (e…
d44e04b 
…lastic#79911)

## Summary

Fixes elastic#79865

Also fixes:
* Timestamp override not being pushed down into threshold rules to use
* Timestamp override not being used for lastValidDate
* The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
* Fixes one small type issue with fields.


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@FrankHassanabad FrankHassanabad mentioned this pull request Oct 8, 2020
Merged
@FrankHassanabad FrankHassanabad added the Feature:Detection Rules Security Solution rules and Detection Engine label Oct 8, 2020
@FrankHassanabad FrankHassanabad changed the title [Security Solution][Detection Engine] fixes critical date time format issues [Security Solution][Detection Engine] Fixes critical date time format issues Oct 8, 2020
@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Oct 8, 2020

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

FrankHassanabad added a commit that referenced this pull request Oct 8, 2020
@FrankHassanabad
Adds date time query and return fields for timestamps and overrides (#…
88400cb 
…79911) (#79965)

## Summary

Fixes #79865

Also fixes:
* Timestamp override not being pushed down into threshold rules to use
* Timestamp override not being used for lastValidDate
* The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
* Fixes one small type issue with fields.


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit that referenced this pull request Oct 8, 2020
@FrankHassanabad
Adds date time query and return fields for timestamps and overrides (#…
72114b4 
…79911) (#79964)

## Summary

Fixes #79865

Also fixes:
* Timestamp override not being pushed down into threshold rules to use
* Timestamp override not being used for lastValidDate
* The return format of the date time might have been different depending on the customer mapping for both the override and the regular @timestamp so this fixes that as well.
* Fixes one small type issue with fields.


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 8, 2020
@gmmorris
Merge branch 'master' into task-manager/health
2f12de5 
* master: (217 commits)
  Fix dashboard "snapshot share" is not sharing panel state in view mode (elastic#79837)
  fix can't edit a scripted field with special char (elastic#79842)
  [ML] clear selection action (elastic#79834)
  [TSVB] Show tooltip on external pointer events (elastic#77306)
  Fixes bug where the same index was being passed in (elastic#79949)
  Adds date time query and return fields for timestamps and overrides (elastic#79911)
  [Security Solution][Detections] Reverts rules table tag filter to use AND operator (elastic#79920)
  add the correct class to truncate the names (elastic#79921)
  [kbn/optimizer] report limits with ci metrics (elastic#78205)
  [release notes] extract "dev docs" comment too (elastic#79351)
  Revert "skips test failing promotion (elastic#79777)" (elastic#79904)
  share tslib across bundles (elastic#79915)
  remove entire suite as partial skips aren't doing the trick
  skip flaky suite (elastic#78689)
  Skip failing suite (elastic#79522)
  skip flaky suite (elastic#79910)
  [es/mappings] remove doc_values from text fields (elastic#79869)
  remove skipped snapshots
  skip flaky tests (elastic#79891)
  chore(NA): add missing branches into backportrc configuration file (elastic#79848)
  ...
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 23, 2021

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spong spong spong approved these changes

Assignees

@FrankHassanabad FrankHassanabad

Labels

bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine release_note:fix Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.10.0 v7.11.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security Solutions][Detection Engine] Throws date time format errors on custom mappings

5 participants

@FrankHassanabad @elasticmachine @kibanamachine @spong @MindyRS