Skip to content

[Security Solution][Detections] Specify format for date range in EQL query#81025

Merged
marshallmain merged 1 commit intoelastic:masterfrom
marshallmain:format-eql-query-date
Oct 20, 2020
Merged

[Security Solution][Detections] Specify format for date range in EQL query#81025
marshallmain merged 1 commit intoelastic:masterfrom
marshallmain:format-eql-query-date

Conversation

@marshallmain
Copy link
Copy Markdown
Contributor

@marshallmain marshallmain commented Oct 19, 2020

If no date format is specified in the range filter then elasticsearch will attempt to format the dates using the format of the field in the index mapping. Our queries use strict_date_optional_time formatted dates which leads to parsing exceptions if customers run rules against indices that use a different format for their timestamp.

Adding the format here tells ES how to parse the dates we pass in so they can be properly compared against any other date format.

Thanks Frank H for discovering this bug!

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@marshallmain marshallmain requested review from a team as code owners October 19, 2020 17:13
@marshallmain marshallmain added v7.10.0 v7.11.0 v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team:SIEM labels Oct 19, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Oct 19, 2020

Pinging @elastic/siem (Team:SIEM)

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Oct 19, 2020

💚 Build Succeeded

Metrics [docs]

async chunks size

id before after diff
securitySolution 8.1MB 8.1MB +35.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

yctercero
yctercero approved these changes Oct 19, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks @FrankHassanabad for having pointed this out to me too in my code.

@marshallmain marshallmain merged commit 39242f1 into elastic:master Oct 20, 2020
@marshallmain marshallmain deleted the format-eql-query-date branch October 20, 2020 14:55
@marshallmain marshallmain mentioned this pull request Oct 20, 2020
Merged
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 20, 2020
@marshallmain
Specify format for date range query (elastic#81025)
abd1ed2
@marshallmain marshallmain mentioned this pull request Oct 20, 2020
Merged
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 20, 2020
@marshallmain
Specify format for date range query (elastic#81025)
1c70a84
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 20, 2020
@gmmorris
Merge branch 'master' into task-manager/health-refactored
600863f 
* master: (64 commits)
  Rename Security Solution Bug Template (elastic#81187)
  Update links (elastic#81125)
  Specify format for date range query (elastic#81025)
  [Alerting] Improve toast when alert is created (elastic#80327)
  [UX] Add empty states (elastic#80904)
  Add TS config for kibana_legacy (elastic#80992)
  [Telemetry] Add method to enable endpoint security data usage example (elastic#80940)
  [Alerting] Add scoped cluster client to alerts and actions services (elastic#80794)
  Fix reactRouterNavigate when used with a string (elastic#80520)
  [Security Solution] [Detections] Read privileges for dependencies (elastic#80852)
  [ML] Fixing exclude frequent in advanced wizard (elastic#81121)
  Fix security solution template label (elastic#80976)
  [DOCS] Update index management docs (elastic#80893)
  [APM] Error rate on service list page is not in sync with the value at the transaction page (elastic#80814)
  skip flaky suite (elastic#81072)
  [Task Manager] Cleans up legacy plugin structure (elastic#80381)
  Support unsigned_long fields (elastic#81115)
  [Form lib] Export internal state instead of raw state (elastic#80842)
  [Lens] Add toast notification when visualization is saved (elastic#80788)
  Index pattern edit field formatter API (elastic#78352)
  ...
marshallmain added a commit that referenced this pull request Oct 20, 2020
@marshallmain
Specify format for date range query (#81025) (#81179)
f7108a9
marshallmain added a commit that referenced this pull request Oct 20, 2020
@marshallmain @kibanamachine
Specify format for date range query (#81025) (#81180)
27f324c 
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yctercero yctercero yctercero approved these changes

Assignees

No one assigned

Labels

Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.10.0 v7.11.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@marshallmain @elasticmachine @kibanamachine @yctercero @MindyRS