Skip to content

[Security Solution][Detections][Threshold Rules] Threshold rule exceptions#85103

Merged
madirey merged 15 commits intoelastic:masterfrom
madirey:threshold-exceptions
Dec 13, 2020
Merged

[Security Solution][Detections][Threshold Rules] Threshold rule exceptions#85103
madirey merged 15 commits intoelastic:masterfrom
madirey:threshold-exceptions

Conversation

@madirey
Copy link
Copy Markdown
Contributor

@madirey madirey commented Dec 6, 2020
edited
Loading

Summary

Addresses: #76631
Adds the ability for creating exceptions against threshold rules.

Does NOT currently include value list processing, as this will be a complex task for threshold rules...

image

image

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@madirey madirey added release_note:enhancement v8.0.0 v7.11.0 Team:Detections and Resp Security Detection Response Team Feature:Threshold Rule Security Solution Threshold rule type labels Dec 6, 2020
madirey
madirey commented Dec 7, 2020
View reviewed changes
x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
{
term: {
[threshold.field ?? 'signal.rule.rule_id']: bucket.key,
[threshold.field || 'signal.rule.rule_id']: bucket.key,
Copy link
Copy Markdown
Contributor Author

@madirey madirey Dec 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unrelated to exceptions, but fixes a bug which would break the query if threshold.field is an empty string.

@madirey madirey marked this pull request as ready for review December 7, 2020 21:14
@madirey madirey requested review from a team as code owners December 7, 2020 21:14
@madirey
Copy link
Copy Markdown
Contributor Author

madirey commented Dec 8, 2020

@elasticmachine merge upstream

@peluja1012 peluja1012 added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Dec 8, 2020
@madirey
Copy link
Copy Markdown
Contributor Author

madirey commented Dec 12, 2020

@elasticmachine merge upstream

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented Dec 12, 2020

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 8.3MB 8.3MB -595.0B

Distributable file count

id before after diff
default 47129 47889 +760

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@madirey madirey merged commit 9719932 into elastic:master Dec 13, 2020
@madirey madirey deleted the threshold-exceptions branch December 13, 2020 01:36
@madirey madirey mentioned this pull request Dec 13, 2020
Merged
madirey added a commit to madirey/kibana that referenced this pull request Dec 13, 2020
@madirey @kibanamachine
[Security Solution][Detections][Threshold Rules] Threshold rule excep…
91c2923 
…tions (elastic#85103)

* Threshold rule exceptions

* Clean up

* Disable value lists for threshold rule exceptions

* lint

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
madirey added a commit that referenced this pull request Dec 14, 2020
@madirey @kibanamachine
[Security Solution][Detections][Threshold Rules] Threshold rule excep…
08a19a6 
…tions (#85103) (#85717)

* Threshold rule exceptions

* Clean up

* Disable value lists for threshold rule exceptions

* lint

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@peluja1012 peluja1012 mentioned this pull request Dec 14, 2020
Closed
gmmorris added a commit to gmmorris/kibana that referenced this pull request Dec 14, 2020
@gmmorris
Merge branch 'master' into alerts/examples-plugin-broke
dbbe459 
* master: (116 commits)
  Fix UX E2E tests (elastic#85722)
  Increasing default api key removalDelay to 1h (elastic#85576)
  align cors settings names with elasticsearch (elastic#85738)
  unskip tests and make sure submit is not triggered too quickly (elastic#85567)
  Row trigger 2 (elastic#83167)
  Add session id to audit log (elastic#85451)
  [TSVB] Fields lists do not populate all the times (elastic#85530)
  [Visualize] Removes the external link icon from OSS badges (elastic#85580)
  fixes EQL tests (elastic#85712)
  [APM] enable 'log_level' for Go (elastic#85511)
  ini `1.3.5` -> `1.3.7` (elastic#85707)
  Fix fleet route protections (elastic#85626)
  [Monitoring] Some progress on making alerts better in the UI (elastic#81569)
  [Security Solution] Refactor Timeline Notes to use EuiCommentList (elastic#85256)
  [Security Solution][Detections][Threshold Rules] Threshold rule exceptions (elastic#85103)
  [Security Solution] Alerts details (elastic#83963)
  skip flaky suite (elastic#62060)
  skip flaky suite (elastic#85098)
  skip flaky suite (elastic#84020)
  skip flaky suite (elastic#85671)
  ...
@dplumlee dplumlee mentioned this pull request Dec 15, 2020
Closed
@peluja1012 peluja1012 mentioned this pull request Feb 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dplumlee dplumlee dplumlee approved these changes

Assignees

@madirey madirey

Labels

Feature:Threshold Rule Security Solution Threshold rule type release_note:enhancement Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@madirey @kibanamachine @dplumlee @peluja1012