[Security Solution] Add EQL query editable component with EQL options fields #199115
+1,127
−1,045
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maximpn
added
release_note:skip
maximpn
commented
Nov 7, 2024
| @@ -33,7 +33,6 @@ export const timelineDefaults: SubsetTimelineModel & | |||
| description: '', | |||
| eqlOptions: { | |||
| eventCategoryField: 'event.category', | |||
| tiebreakerField: '', | |||
There was a problem hiding this comment.
tiebreakerField as an empty doesn't look correct for the EQL validator. It sends requests to /internal/search/eql to validate the request. It returns an error when a tiebreaker field has an empty string.
Additionally it looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
69 tasks
banderror
added
backport:version
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
2291ad0 to
db856ba
Compare
|
Thanks for all the work here! Pulled down and tested in rule creation/edit flow. So far LGTM. Confirmed that logic around disabling suppression for sequence queries remains. cc @dhurley14 |
nikitaindik
reviewed
Nov 11, 2024
| QueryLanguageEnum, | ||
| } from '../../../../../../../../../common/api/detection_engine'; | ||
| import { EqlQueryEditAdapter } from './eql_query_edit_adapter'; | ||
| // import { |
There was a problem hiding this comment.
Commented out code. Can be removed.
nikitaindik
reviewed
Nov 11, 2024
| eqlQuery: { | ||
| validations: [ | ||
| // { | ||
| // validator: debounceAsync(eqlValidator, 300), |
There was a problem hiding this comment.
Commented out code. Can be removed.
nikitaindik
reviewed
Nov 11, 2024
| ); | ||
| } | ||
|
|
||
| const kqlQuerySchema = { |
There was a problem hiding this comment.
Since there are no validations we can probably remove the schema
There was a problem hiding this comment.
RuleFieldEditFormWrapper's ruleFieldFormSchema property is required. We still should pass an empty object. So removing it completely it's possible.
There was a problem hiding this comment.
Got it. Then let's rename it to eqlQuerySchema.
|
For some reason getting an EQL validation error in the upgrade flyout, but on the the Rule Editing page. The error is shown right away, after opening the edit mode. Prevents me from saving. 
EQL query I usedapi where host.os.type == "win" and
process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and
not
(
process.executable : (
"?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
"?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe",
"?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe",
"?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\aciseagent.exe",
"?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpndownloader.exe",
"?:\\Program Files (x86)\\eScan\\reload.exe",
"?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
"?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe",
"?:\\Program Files (x86)\\microsoft intune management extension\\microsoft.management.services.intunewindowsagent.exe",
"?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe",
"?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe",
"?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe",
"?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe",
"?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe",
"?:\\Program Files*\\Windows Defender\\MsMpEng.exe",
"?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe",
"?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
"?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
"?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe",
"?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe",
"?:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
"?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe",
"?:\\Program Files\\Fortinet\\FortiClient\\FortiSSLVPNdaemon.exe",
"?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe",
"?:\\Program Files\\Huntress\\HuntressAgent.exe",
"?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe",
"?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
"?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe",
"?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe",
"?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
"?:\\Program Files\\smart-x\\controlupagent\\version*\\cuagent.exe",
"?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe",
"?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe",
"?:\\Program Files\\Trend Micro\\Deep Security Agent\\netagent\\tm_netagent.exe",
"?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
"?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
"?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe",
"?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe",
"?:\\Windows\\Sysmon.exe",
"?:\\Windows\\Sysmon64.exe",
"?:\\Windows\\System32\\csrss.exe",
"?:\\Windows\\System32\\MRT.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\taskhostw.exe",
"?:\\Windows\\System32\\RtkAudUService64.exe",
"?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
"?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"
) and not ?process.code_signature.trusted == false
)
|
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
326eeb0 to
64b371f
Compare
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
d11b456 to
45bfabc
Compare
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Unknown metric groupsAPI count
References to deprecated APIs
History
cc @maximpn |
maximpn
force-pushed
the
add-eql-query-edit-component
branch
from
568ea87 to
9f5d1f8
Compare
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11968313271 |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
maximpn
added a commit
to maximpn/kibana
that referenced
this pull request
Nov 22, 2024
… fields (elastic#199115) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done - EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible. - Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component. - Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options. ## How to test The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"query":"process where process.name == \"cmd.exe\"","language":"eql","event_category_override": "test","timestamp_field": "@timestamp","tiebreaker_field": "tiebreaker"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots - EQL Query in Prebuilt Rules Update workflow <img width="2560" alt="image" src="https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2"> - event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow <img width="2552" alt="image" src="https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a"> - Examples of invalid EQL <img width="2560" alt="image" src="https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c"> <img width="2548" alt="image" src="https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523"> (cherry picked from commit c0c803c) # Conflicts: # x-pack/plugins/security_solution/public/timelines/components/timeline/query_bar/eql/index.tsx
maximpn
added a commit
that referenced
this pull request
Nov 22, 2024
…ptions fields (#199115) (#201314) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Add EQL query editable component with EQL options fields (#199115)](#199115) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Maxim Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2024-11-22T07:27:40Z","message":"[Security Solution] Add EQL query editable component with EQL options fields (#199115)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done\r\n\r\n- EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible.\r\n- Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component.\r\n- Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.\r\n\r\n## How to test\r\n\r\nThe simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Run Kibana locally\r\n- Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e`\r\n- Patch the installed rule by running a query below\r\n\r\n```bash\r\ncurl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"version\":1,\"query\":\"process where process.name == \\\"cmd.exe\\\"\",\"language\":\"eql\",\"event_category_override\": \"test\",\"timestamp_field\": \"@timestamp\",\"tiebreaker_field\": \"tiebreaker\"}' http://localhost:5601/kbn/api/detection_engine/rules\r\n```\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\n- EQL Query in Prebuilt Rules Update workflow\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2\">\r\n\r\n- event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow\r\n<img width=\"2552\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a\">\r\n\r\n- Examples of invalid EQL\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c\">\r\n\r\n<img width=\"2548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523\">","sha":"c0c803c8830c10f1df1b204a7d7b859f1f584991","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0"],"number":199115,"url":"https://github.com/elastic/kibana/pull/199115","mergeCommit":{"message":"[Security Solution] Add EQL query editable component with EQL options fields (#199115)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done\r\n\r\n- EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible.\r\n- Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component.\r\n- Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.\r\n\r\n## How to test\r\n\r\nThe simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Run Kibana locally\r\n- Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e`\r\n- Patch the installed rule by running a query below\r\n\r\n```bash\r\ncurl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"version\":1,\"query\":\"process where process.name == \\\"cmd.exe\\\"\",\"language\":\"eql\",\"event_category_override\": \"test\",\"timestamp_field\": \"@timestamp\",\"tiebreaker_field\": \"tiebreaker\"}' http://localhost:5601/kbn/api/detection_engine/rules\r\n```\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\n- EQL Query in Prebuilt Rules Update workflow\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2\">\r\n\r\n- event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow\r\n<img width=\"2552\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a\">\r\n\r\n- Examples of invalid EQL\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c\">\r\n\r\n<img width=\"2548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523\">","sha":"c0c803c8830c10f1df1b204a7d7b859f1f584991"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199115","number":199115,"mergeCommit":{"message":"[Security Solution] Add EQL query editable component with EQL options fields (#199115)\n\n**Partially addresses:** https://github.com/elastic/kibana/issues/171520\r\n\r\n## Summary\r\n\r\nThis PR adds is built on top of #193828 and #196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.\r\n\r\n## Details\r\n\r\nThis PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done\r\n\r\n- EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible.\r\n- Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component.\r\n- Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.\r\n\r\n## How to test\r\n\r\nThe simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below\r\n\r\n- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled\r\n- Run Kibana locally\r\n- Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e`\r\n- Patch the installed rule by running a query below\r\n\r\n```bash\r\ncurl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H \"elastic-api-version: 2023-10-31\" -d '{\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"version\":1,\"query\":\"process where process.name == \\\"cmd.exe\\\"\",\"language\":\"eql\",\"event_category_override\": \"test\",\"timestamp_field\": \"@timestamp\",\"tiebreaker_field\": \"tiebreaker\"}' http://localhost:5601/kbn/api/detection_engine/rules\r\n```\r\n\r\n- Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button\r\n\r\n## Screenshots\r\n\r\n- EQL Query in Prebuilt Rules Update workflow\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2\">\r\n\r\n- event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow\r\n<img width=\"2552\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a\">\r\n\r\n- Examples of invalid EQL\r\n<img width=\"2560\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c\">\r\n\r\n<img width=\"2548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523\">","sha":"c0c803c8830c10f1df1b204a7d7b859f1f584991"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Nov 26, 2024
… fields (elastic#199115) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done - EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible. - Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component. - Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options. ## How to test The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"query":"process where process.name == \"cmd.exe\"","language":"eql","event_category_override": "test","timestamp_field": "@timestamp","tiebreaker_field": "tiebreaker"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots - EQL Query in Prebuilt Rules Update workflow <img width="2560" alt="image" src="https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2"> - event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow <img width="2552" alt="image" src="https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a"> - Examples of invalid EQL <img width="2560" alt="image" src="https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c"> <img width="2548" alt="image" src="https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523">
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Dec 12, 2024
… fields (elastic#199115) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done - EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible. - Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component. - Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options. ## How to test The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"query":"process where process.name == \"cmd.exe\"","language":"eql","event_category_override": "test","timestamp_field": "@timestamp","tiebreaker_field": "tiebreaker"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots - EQL Query in Prebuilt Rules Update workflow <img width="2560" alt="image" src="https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2"> - event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow <img width="2552" alt="image" src="https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a"> - Examples of invalid EQL <img width="2560" alt="image" src="https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c"> <img width="2548" alt="image" src="https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523">
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Partially addresses: #171520
Summary
This PR adds is built on top of #193828 and #196948 and adds an EQL Query editable component with EQL Options fields (
event_category_override,timestamp_fieldandtiebreaker_field) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow.Details
This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done
EqlQueryEditcomponent withUseFieldinside. It helps to make it type safe avoiding issues like passing invalid types toEqlQueryBar.UseFieldtypes component properties asRecord<string, any>so potentially any refactoring can break some functionality. For example code in Timeline passesDataViewSpecwhereDataViewBaseis expected while these two types aren't fully compatible.EqlQueryEdit. Passing field configuration toUseFieldrewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration forUseFields. Additionally we can reduce reusing complexity by incapsulating absolutely required validation inEqlQueryEditcomponent.tiebreakerFieldwas removed in Timelines.tiebreakerFieldis part of EQL options used for EQL validation. EQL validation endpoint/internal/search/eqlreturns an error when an empty string provided fortiebreakerField. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options.How to test
The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below
prebuiltRulesCustomizationEnabledfeature flag is enabledPotential Code Execution via Postgresqlwith rule_id2a692072-d78d-42f3-a48a-775677d79c4eDetection Rules (SIEM)Page ->Rule Updates-> click onPotential Code Execution via Postgresqlrule -> expandEQL Queryto see EQL Query -> pressEditbuttonScreenshots