
[CTI] Adds indicator match rule improvements #97310

Merged: ecezalp merged 2 commits into elastic:master from ecezalp:security-team-984 on Jul 19, 2021

Conversation

ecezalp (Contributor) commented Apr 15, 2021

Acceptance Criteria

  • Add track_total_hits: false to reduce unnecessary query overhead
  • Sort by @timestamp: desc to allow short-circuiting


ecezalp added the v7.13.0, release_note:feature, auto-backport, 7.13 candidate and Team: CTI labels Apr 15, 2021
ecezalp requested review from a team and rylnd April 15, 2021 19:13
ecezalp self-assigned this Apr 15, 2021
rylnd (Contributor) previously approved these changes Apr 15, 2021:

LGTM :shipit:

rylnd self-requested a review April 15, 2021 19:21
rylnd dismissed their stale review April 15, 2021 21:25:

I rescind my hasty approval; this is not the correct approach.

rylnd (Contributor) commented Apr 16, 2021

Closing this for now as the change is not as straightforward as we'd hoped, and too risky to be a candidate for 7.13.0.

rylnd closed this Apr 16, 2021
ecezalp reopened this Jul 19, 2021
ecezalp (Contributor, Author) commented Jul 19, 2021

@elasticmachine merge upstream

ecezalp added the v7.15.0 and Team: SecuritySolution labels and removed the 7.13 candidate and v7.13.0 labels Jul 19, 2021
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

ecezalp requested a review from a team July 19, 2021 15:25
kibanamachine (Contributor) commented:

💚 Build Succeeded

Metrics [docs]: ✅ unchanged

To update your PR or re-run it, just comment with: @elasticmachine merge upstream

cc @ecezalp

rylnd (Contributor) left a review comment:

Approved. This does not address/affect the events query, but in certain circumstances it should improve performance of the indicator query 👍

ecezalp merged commit 7e4c73a into elastic:master Jul 19, 2021
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Jul 19, 2021
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine (Contributor) commented:

💚 Backport successful

Branch: 7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Jul 19, 2021
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Ece Özalp <ozale272@newschool.edu>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jul 20, 2021
…y-show-migrate-to-authzd-users

* 'master' of github.com:elastic/kibana: (187 commits)
  Space management page UX improvements (elastic#100448)
  [Reporting] Unskip flaky test when downloading CSV with "no data" (elastic#105252)
  Update dependency @elastic/charts to v33 (master) (elastic#105633)
  [Observability RAC] Improve alerts table columns (elastic#105446)
  Introduce `preboot` lifecycle stage (elastic#103636)
  [Security Solution] Invalid kql query timeline refresh bug (elastic#105525)
  skip flaky suite (elastic#106121)
  [Security Solution][Endpoint] Fix UI inconsistency between isolation forms and remove display of Pending isolation statuses (elastic#106118)
  docs: APM RUM Source map API (elastic#105332)
  [CTI] Adds indicator match rule improvements (elastic#97310)
  [Security Solution] update text for Isolation action submissions (elastic#105956)
  EP Meta Telemetry Perf (elastic#104396)
  [Metrics UI] Drop partial buckets from ALL Metrics UI queries (elastic#104784)
  Remove beta admonitions for Fleet docs (elastic#106010)
  [Observability RAC] Remove indexing of rule evaluation documents (elastic#104970)
  Parameterize migration test for kibana version (elastic#105417)
  [Alerting] Allow rule to execute if the value is 0 and that mets the condition (elastic#105626)
  [ML] Fix Index data visualizer sometimes shows wrong doc count for saved searches (elastic#106007)
  [Security Solution] UX fixes for Policy page and Case Host Isolation comment (elastic#106027)
  [Security Solution]Memory protection configuration card for policies integration. (elastic#101365)
  ...

# Conflicts:
#	x-pack/plugins/reporting/public/management/report_listing.test.tsx
#	x-pack/plugins/reporting/public/management/report_listing.tsx