Skip to content

[7.x] [SIEM] Fix: Empty Source / Destination shown when only ports are populated (#50843) #50971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 18, 2019
Merged

[7.x] [SIEM] Fix: Empty Source / Destination shown when only ports are populated (#50843) #50971

merged 1 commit into from
Nov 18, 2019

Conversation

@andrew-goldstein
Copy link
Contributor

@andrew-goldstein andrew-goldstein commented Nov 18, 2019

Backports the following commits to 7.x:

@andrew-goldstein
[SIEM] Fix: Empty Source / Destination shown when only ports are …
7c32423 
…populated (elastic#50843)

Fixes an issue where an empty `Source` or `Destination` container is rendered by
the Timeline row renderer when events have `source.port` or `destination.port` populated,
but the corresponding `source.ip` or `destination.ip` is not.

![chrome-before](https://user-images.githubusercontent.com/4459398/68985053-fd26ec80-07d0-11ea-99e3-1180a3e9d7fb.png)

![chrome-after](https://user-images.githubusercontent.com/4459398/68985058-0912ae80-07d1-11ea-990a-1a66802cad0e.png)

The following JSON is from the event shown in the screenshots above:

```
  "destination": {
    "port": 53
  },
```

In the JSON above, the `destination.port` field is populated, but the
`destination.ip` field is **not** populated.

The `destination.port` in the event is expected to be rendered in the
"before" screenshot above, but an empty `Destination` label is rendered
instead.

1. Create a new timeline with the following KQL:

```
destination.port: * and NOT destination.ip: *
```

**Expected Result**

- The `destination.port` contained in the event is rendered in the `Destination` container

**Actual result**

- An empty `Destination` is rendered, per the "before" screenshot above

An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with `null` values.

The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.

![firefox-after](https://user-images.githubusercontent.com/4459398/68985063-10d25300-07d1-11ea-9c17-d962c0f1015e.png)

![safari-after](https://user-images.githubusercontent.com/4459398/68985067-162f9d80-07d1-11ea-8773-d3e71a84a440.png)

Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master`

* elastic/siem-team#476
@andrew-goldstein andrew-goldstein added the backport This PR is a backport of another PR label Nov 18, 2019
@elasticmachine
Copy link
Contributor

elasticmachine commented Nov 18, 2019

💚 Build Succeeded

@andrew-goldstein andrew-goldstein merged commit 94d69f2 into elastic:7.x Nov 18, 2019
@andrew-goldstein andrew-goldstein deleted the backport/7.x/pr-50843 branch November 18, 2019 22:45
@andrew-goldstein andrew-goldstein self-assigned this Nov 18, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@andrew-goldstein andrew-goldstein

Labels

backport This PR is a backport of another PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andrew-goldstein @elasticmachine