Conversation

@yctercero
Contributor

@yctercero yctercero commented Sep 3, 2020

Summary

This is a bug that was introduced by ✋ in #76537 (not yet in prod). This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows:

"Unable to sort multiple types by field created_at, not a root property"

I was a bit confused at first since created_at does in fact exist on both types, however, the wonderful Mr. Frank H. gave me insight into some of the nuances of _find with namespaces. Exception lists can live in multiple namespaces, so we need to be more precise in specifying our sort_field. So for example, the endpoint list lives in the exception-list-agnostic namespace and detections lists live in the exception-list namespace. I found that updating the sort_field to exception-list.created_at worked in finding both or either list type items. I thought I might need to break it out into exception-list-agnostic.created_at and exception-list.created_at but that was not the case.

Checklist
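An added example (not Kibana's own code) that models the sort-field rule behind the error quoted above: a _find over several saved-object types only accepts a sort field that resolves from the root of the saved-objects mapping, so created_at fails while the type-prefixed exception-list.created_at resolves. The mapping, the function names and the single-type fallback are constructed assumptions for illustration.

```typescript
// Simplified model of saved-objects sort_field resolution (not Kibana's code).
// Each type's attributes sit nested under the type name in the index mapping;
// only a few fields (type, updated_at, ...) are root properties.

type Mappings = { properties: Record<string, any> };

// Constructed, simplified mapping: both list types keep created_at under their own key.
const savedObjectsMappings: Mappings = {
  properties: {
    type: { type: 'keyword' },
    updated_at: { type: 'date' },
    'exception-list': { properties: { created_at: { type: 'date' }, name: { type: 'keyword' } } },
    'exception-list-agnostic': { properties: { created_at: { type: 'date' }, name: { type: 'keyword' } } },
  },
};

// Walk a dotted path through the mapping tree; undefined when a segment is missing
// or the path ends on a container rather than a leaf field.
function getProperty(mappings: Mappings, path: string): { type: string } | undefined {
  let node: any = mappings;
  for (const segment of path.split('.')) {
    node = node?.properties?.[segment];
    if (!node) return undefined;
  }
  return node.type ? node : undefined;
}

// Returns the Elasticsearch sort clause for sortField, or throws as _find would.
function resolveSortField(mappings: Mappings, types: string[], sortField: string): Record<string, any> {
  if (types.length > 1) {
    // Multi-type query: the field must resolve as given from the mapping root,
    // so 'created_at' is rejected while 'exception-list.created_at' is accepted.
    const field = getProperty(mappings, sortField);
    if (!field) {
      throw new Error(`Unable to sort multiple types by field ${sortField}, not a root property`);
    }
    return { [sortField]: { order: 'asc', unmapped_type: field.type } };
  }
  // Single-type query (assumed behaviour): root field first, then the type-prefixed attribute.
  const [type] = types;
  const root = getProperty(mappings, sortField);
  if (root) return { [sortField]: { order: 'asc', unmapped_type: root.type } };
  const prefixed = `${type}.${sortField}`;
  const attr = getProperty(mappings, prefixed);
  if (!attr) throw new Error(`Unknown sort field ${sortField}`);
  return { [prefixed]: { order: 'asc', unmapped_type: attr.type } };
}
```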

@yctercero yctercero added bug Fixes for quality problems that affect the customer experience Team:SIEM v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.10.0 Feature:Detection Rules Security Solution rules and Detection Engine labels Sep 3, 2020
@yctercero yctercero requested review from a team as code owners September 3, 2020 17:46
@yctercero yctercero self-assigned this Sep 3, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@yctercero yctercero removed the bug Fixes for quality problems that affect the customer experience label Sep 3, 2020
@yctercero
Contributor Author

@elasticmachine merge upstream

Contributor

@FrankHassanabad FrankHassanabad left a comment

LGTM

@kibanamachine
Contributor

💚 Build Succeeded

Build metrics

page load bundle size

| id | value | diff | baseline |
|---|---|---|---|
| lists | 164.1KB | +15.0B | 164.1KB |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@yctercero yctercero merged commit 8276afd into elastic:master Sep 4, 2020
yctercero added a commit to yctercero/kibana that referenced this pull request Sep 4, 2020
…eld (elastic#76685)

## Summary

This is a bug that was introduced by moi in 76537. This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows:

```
"Unable to sort multiple types by field created_at, not a root property"
```
gmmorris added a commit to gmmorris/kibana that referenced this pull request Sep 4, 2020
* master: (47 commits)
  Do not require id & description when creating a logstash pipeline (elastic#76616)
  Remove commented src/core/tsconfig file (elastic#76792)
  Replaced whitelistedHosts with allowedHosts in actions ascii docs (elastic#76731)
  [Dashboard First] Genericize Attribute Service (elastic#76057)
  [ci-metrics] unify distributable file count metrics (elastic#76448)
  [Security Solution][Detections] Handle conflicts on alert status update (elastic#75492)
  [eslint] convert to @typescript-eslint/no-unused-expressions (elastic#76471)
  [DOCS] Add default time range filter to advanced settings (elastic#76414)
  [Security Solution] Refactor NetworkTopNFlow to use Search Strategy (elastic#76249)
  [Dashboard] Update Index Patterns when Child Index Patterns Change (elastic#76356)
  [ML] Add option to Advanced Settings to set default time range filter for AD jobs (elastic#76347)
  Add CSM app to CODEOWNERS (elastic#76793)
  [Security Solution][Exceptions] - Updates exception item find sort field (elastic#76685)
  [Security Solution][Detections][Tech Debt] - Move to using common io-ts types (elastic#75009)
  [Lens] Drag dimension to replace (elastic#75895)
  URI encode the index names we fetch in the fetchIndices lib function. (elastic#76584)
  [Security Solution] Resolver retrieve entity id of documents without field mapped (elastic#76562)
  [Ingest Manager] validate agent route using AJV instead kbn-config-schema (elastic#76546)
  Updated non-dev usages of node-forge (elastic#76699)
  [Ingest Pipelines] Processor forms for processors K-S (elastic#75638)
  ...
yctercero added a commit that referenced this pull request Sep 4, 2020
…eld (#76685) (#76782)

## Summary

This is a bug that was introduced by moi in 76537. This previous PR added a sort_field and sort_order to the call for fetching exception lists' items so that the exception item order in the viewer wouldn't jump around any time there was an update. I noticed however that when a rule had both endpoint and detection lists associated with it, when trying to fetch items from both types of lists, the following error shows:

```
"Unable to sort multiple types by field created_at, not a root property"
```
@yctercero yctercero deleted the exception_find branch October 14, 2020 11:59
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)
