[SIEM] Fix: Empty Source / Destination shown when only ports are populated
#50843
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rendered by the Timeline row renderer when events have `source.port` or `destination.port` populated, but the corresponding `source.ip` or `destination.ip` is not. ### Before Chrome `78.0.3904.97`  ### After Chrome `78.0.3904.97`  ## Details The following JSON is from the event shown in the screenshots above: ``` "destination": { "port": 53 }, ``` In the JSON above, the `destination.port` field is populated, but the `destination.ip` field is **not** populated. The `destination.port` in the event is expected to be rendered in the "before" screenshot above, but an empty `Destination` label is rendered instead. ## To reproduce: 1. Create a new timeline with the following KQL: ``` destination.port: * and NOT destination.ip: * ``` **Expected Result** - The `destination.port` contained in the event is rendered in the `Destination` container **Actual result** - An empty `Destination` is rendered, per the "before" screenshot above ## Other Corner Cases An analysis of real data performed while desk testing this PR revealed other corner cases in real-world data, including port arrays with `null` values. The types and implementaion were updated to reflect the reality of the data found during desk testing. Unit tests were added to cover these cases. ### After Firefox `70.0.1`  ### After Safari `13.0.3`  Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master` * elastic/siem-team#476
andrew-goldstein
added
release_note:fix
loe:medium
|
Pinging @elastic/siem (Team:SIEM) |
|
@elasticmachine merge upstream |
💚 Build Succeeded |
stephmilovic
approved these changes
Nov 18, 2019
There was a problem hiding this comment.
This is @andrew-goldstein writing tests:
Nice fix and excellent testing! Passes code review + browser testing. LGTM
| @@ -104,7 +146,7 @@ IpAdressesWithPorts.displayName = 'IpAdressesWithPorts'; | |||
| * - a port, hyperlinked to a port lookup service, when it's populated | |||
| * - a summary of geolocation details, when they are populated | |||
| */ | |||
| export const SourceDestinationIp = pure<SourceDestinationIpProps>( | |||
| export const SourceDestinationIp = React.memo<SourceDestinationIpProps>( | |||
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Nov 18, 2019
…-fallback * 'master' of github.com:elastic/kibana: (116 commits) [Maps] move apply global filter settting from layer to source (elastic#50523) [SIEM] Fix: Empty `Source` / `Destination` shown when only ports are populated (elastic#50843) [Maps] Delay vector tile layer syncing until spritesheet is loaded (elastic#48955) [Maps] prevent users from overflowing URL when filtering by shape (elastic#50747) [DOCS] Mark Beats central management as discontinued (elastic#49423) [page_objects/common_page] convert to ts (elastic#50771) [NP Kibana Migrations ] kibana plugin home (elastic#50444) [DOCS] Shareables naming convention (elastic#50497) [ML] DF Analytics - auto-populate model_memory_limit (elastic#50714) Increase alerting test stability and reduce flakiness (elastic#50246) [ML] Remaning new_job_new folder (elastic#50917) [Telemetry] Show opt-in changes for OSS users (elastic#50831) [ML] Fix lat_long anomalies table links menu and value formatting (elastic#50916) [Dev] Fix serialising a really big string (elastic#50915) Better explanation about the Prettier recommendation (extension vs. NPM module) (elastic#50629) [Monitoring] Use a basic monitoring user for tests (elastic#47865) [Monitoring] Gracefully handle issue with filebeat indices (elastic#48929) [Monitoring] Improve permissions required around setup mode (elastic#50421) Additional validation for elasticsearch username (elastic#48247) Revert changes to use_kibana_ui_setting (elastic#50877) ... # Conflicts: # src/legacy/core_plugins/console/server/request.test.ts
andrew-goldstein
added a commit
that referenced
this pull request
Nov 18, 2019
…populated (#50843) (#50971) Fixes an issue where an empty `Source` or `Destination` container is rendered by the Timeline row renderer when events have `source.port` or `destination.port` populated, but the corresponding `source.ip` or `destination.ip` is not.   The following JSON is from the event shown in the screenshots above: ``` "destination": { "port": 53 }, ``` In the JSON above, the `destination.port` field is populated, but the `destination.ip` field is **not** populated. The `destination.port` in the event is expected to be rendered in the "before" screenshot above, but an empty `Destination` label is rendered instead. 1. Create a new timeline with the following KQL: ``` destination.port: * and NOT destination.ip: * ``` **Expected Result** - The `destination.port` contained in the event is rendered in the `Destination` container **Actual result** - An empty `Destination` is rendered, per the "before" screenshot above An analysis of real data performed while desk testing this PR revealed other corner cases in real-world data, including port arrays with `null` values. The types and implementaion were updated to reflect the reality of the data found during desk testing. Unit tests were added to cover these cases.   Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in `master` * elastic/siem-team#476
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes an issue where an empty
SourceorDestinationcontainer is rendered bythe Timeline row renderer when events have
source.portordestination.portpopulated,but the corresponding
source.ipordestination.ipis not.Before Chrome
78.0.3904.97After Chrome
78.0.3904.97Details
The following JSON is from the event shown in the screenshots above:
In the JSON above, the
destination.portfield is populated, but thedestination.ipfield is not populated.The
destination.portin the event is expected to be rendered in the"before" screenshot above, but an empty
Destinationlabel is renderedinstead.
To reproduce:
Expected Result
destination.portcontained in the event is rendered in theDestinationcontainerActual result
Destinationis rendered, per the "before" screenshot aboveOther Corner Cases
An analysis of real data performed while desk testing this PR revealed other
corner cases in real-world data, including port arrays with
nullvalues.The types and implementaion were updated to reflect the reality of the data
found during desk testing. Unit tests were added to cover these cases.
After Firefox
70.0.1After Safari
13.0.3Note: This PR was NOT tested in IE 11, due to unrelated IE 11 issues with dependencies in
master