Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OpenSearch queries in DFIQ #2822

Merged
merged 13 commits into from
Jul 7, 2023
Merged

Support OpenSearch queries in DFIQ #2822

merged 13 commits into from
Jul 7, 2023

Conversation

berggren
Copy link
Contributor

@berggren berggren commented Jul 7, 2023
edited
Loading

This PR adds support for plain opensearch queries from DFIQ. This complements the current support for search templates.
There is also some UI performance gains and refactoring.

        timesketch:
          - description: Remote Desktop Logons
            type: searchtemplate
            value: 08b0384b-92d8-46bb-b260-f87676afcf64
          - description: Remote Desktop Logons (query)
            type: opensearch-query
            value: 'data_type:"windows:evtx:record" AND event_identifier:4624 AND logon_type:RemoteInteractive'
Screenshot 2023-07-07 at 12 31 27

@berggren berggren requested review from jkppr and jaegeral July 7, 2023 10:50
jaegeral
jaegeral approved these changes Jul 7, 2023
View reviewed changes
Copy link
Collaborator

@jaegeral jaegeral left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small comment on naming variables, but overall looks good to me

timesketch/frontend-ng/src/components/Scenarios/Question.vue
TsQuestionConclusion,
},
data: function () {
return {
expanded: false,
fullDescription: false,
conclusionText: '',
addConclusion: false,
opensearchQueries: [],
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General comment for this PR, in other places (like https://github.com/google/timesketch/blob/master/timesketch/frontend-ng/src/components/LeftPanel/SearchTemplate.vue#L103) we are using queryString. So maybe we could use something similar here as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to be explicit on what this is. We have queries coming from both searchtemplates and from "raw" opensearch queries.

jkppr
jkppr approved these changes Jul 7, 2023
View reviewed changes
Copy link
Collaborator

@jkppr jkppr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, just two small ux nits below.

timesketch/frontend-ng/src/components/Scenarios/SearchChip.vue Show resolved Hide resolved
timesketch/frontend-ng/src/components/Scenarios/ContextCard.vue Show resolved Hide resolved
@berggren berggren merged commit 00ec7cc into master Jul 7, 2023
@berggren berggren deleted the dfiq-ui branch July 7, 2023 13:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkppr jkppr jkppr approved these changes

@jaegeral jaegeral jaegeral approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@berggren @jaegeral @jkppr