[Security Solution] Fix incorrect time for dns histogram #83532
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
angorayc
added
release_note:fix
Team:Threat Hunting
2 tasks
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
| @@ -263,7 +263,101 @@ export const formattedSearchStrategyResponse = { | |||
| ...mockSearchStrategyResponse, | |||
| inspect: { | |||
| dsl: [ | |||
| '{\n "allowNoIndices": true,\n "index": [\n "apm-*-transaction*",\n "auditbeat-*",\n "endgame-*",\n "filebeat-*",\n "logs-*",\n "packetbeat-*",\n "winlogbeat-*"\n ],\n "ignoreUnavailable": true,\n "body": {\n "aggs": {\n "source": {\n "filter": {\n "term": {\n "source.ip": "35.196.65.164"\n }\n },\n "aggs": {\n "firstSeen": {\n "min": {\n "field": "@timestamp"\n }\n },\n "lastSeen": {\n "max": {\n "field": "@timestamp"\n }\n },\n "as": {\n "filter": {\n "exists": {\n "field": "source.as"\n }\n },\n "aggs": {\n "results": {\n "top_hits": {\n "size": 1,\n "_source": [\n "source.as"\n ],\n "sort": [\n {\n "@timestamp": "desc"\n }\n ]\n }\n }\n }\n },\n "geo": {\n "filter": {\n "exists": {\n "field": "source.geo"\n }\n },\n "aggs": {\n "results": {\n "top_hits": {\n "size": 1,\n "_source": [\n "source.geo"\n ],\n "sort": [\n {\n "@timestamp": "desc"\n }\n ]\n }\n }\n }\n }\n }\n },\n "destination": {\n "filter": {\n "term": {\n "destination.ip": "35.196.65.164"\n }\n },\n "aggs": {\n "firstSeen": {\n "min": {\n "field": "@timestamp"\n }\n },\n "lastSeen": {\n "max": {\n "field": "@timestamp"\n }\n },\n "as": {\n "filter": {\n "exists": {\n "field": "destination.as"\n }\n },\n "aggs": {\n "results": {\n "top_hits": {\n "size": 1,\n "_source": [\n "destination.as"\n ],\n "sort": [\n {\n "@timestamp": "desc"\n }\n ]\n }\n }\n }\n },\n "geo": {\n "filter": {\n "exists": {\n "field": "destination.geo"\n }\n },\n "aggs": {\n "results": {\n "top_hits": {\n "size": 1,\n "_source": [\n "destination.geo"\n ],\n "sort": [\n {\n "@timestamp": "desc"\n }\n ]\n }\n }\n }\n }\n }\n },\n "host": {\n "filter": {\n "term": {\n "host.ip": "35.196.65.164"\n }\n },\n "aggs": {\n "results": {\n "top_hits": {\n "size": 1,\n "_source": [\n "host"\n ],\n "sort": [\n {\n "@timestamp": "desc"\n }\n ]\n }\n }\n }\n }\n },\n "query": {\n "bool": {\n "should": []\n }\n },\n "size": 0,\n "track_total_hits": false\n }\n}', | |||
| @@ -58,7 +58,7 @@ export const buildTimelineEventsAllQuery = ({ | |||
| index: defaultIndex, | |||
| ignoreUnavailable: true, | |||
| body: { | |||
| ...(isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), | |||
| ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}), | |||
patrykkopycinski
approved these changes
Nov 24, 2020
💚 Build SucceededMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
angorayc
added a commit
to angorayc/kibana
that referenced
this pull request
Nov 24, 2020
* getSuitableUnit * update dns histogram query * update dns query * update dns histogram query * fix type error * fix lint error * remove unused comments * fix histogram query size * revert change * fix unit test * fix dns request options * clean up * cleanup types * fix dependency * review * review * revert * restore docValueFields * fix unit test * cleanup * restore docValueFields for dns histogram * review * review * lint Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
angorayc
added a commit
to angorayc/kibana
that referenced
this pull request
Nov 24, 2020
* getSuitableUnit * update dns histogram query * update dns query * update dns histogram query * fix type error * fix lint error * remove unused comments * fix histogram query size * revert change * fix unit test * fix dns request options * clean up * cleanup types * fix dependency * review * review * revert * restore docValueFields * fix unit test * cleanup * restore docValueFields for dns histogram * review * review * lint Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx # x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts
angorayc
added a commit
that referenced
this pull request
Nov 24, 2020
…4228) * getSuitableUnit * update dns histogram query * update dns query * update dns histogram query * fix type error * fix lint error * remove unused comments * fix histogram query size * revert change * fix unit test * fix dns request options * clean up * cleanup types * fix dependency * review * review * revert * restore docValueFields * fix unit test * cleanup * restore docValueFields for dns histogram * review * review * lint Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
angorayc
added a commit
that referenced
this pull request
Nov 24, 2020
…) (#84235) * [Security Solution] Fix incorrect time for dns histogram (#83532) * getSuitableUnit * update dns histogram query * update dns query * update dns histogram query * fix type error * fix lint error * remove unused comments * fix histogram query size * revert change * fix unit test * fix dns request options * clean up * cleanup types * fix dependency * review * review * revert * restore docValueFields * fix unit test * cleanup * restore docValueFields for dns histogram * review * review * lint Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> # Conflicts: # x-pack/plugins/security_solution/public/network/containers/network_dns/index.tsx # x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/dns/query.dns_network.dsl.ts * eslint
rylnd
added a commit
to rylnd/kibana
that referenced
this pull request
Nov 24, 2020
* master: (41 commits) [Maps] fix code-owners (elastic#84265) [@kbn/utils] Clean target before build (elastic#84253) [code coverage] collect for oss integration tests (elastic#83907) [APM] Use `asTransactionRate` consistently everywhere (elastic#84213) Attempt to fix incremental build error (elastic#84152) Unskip "Copy dashboards to space" (elastic#84115) Remove expressions.legacy from README (elastic#79681) Expression: Add render mode and use it for canvas interactivity (elastic#83559) [deb/rpm] Move systemd service to /usr/lib/systemd/system (elastic#83571) [Security Solution][Resolver] Allow a configurable entity_id field (elastic#81679) [ML] Space permision checks for job deletion (elastic#83871) [build] Provide ARM build of RE2 (elastic#84163) TSVB should use "histogram:maxBars" and "histogram:barTarget" settings for auto instead of a default 100 buckets (elastic#83628) [Workplace Search] Initial rendering of Org Sources (elastic#84164) update geckodriver to 0.28 (elastic#84085) Fix timelion vis escapes single quotes (elastic#84196) [Security Solution] Fix incorrect time for dns histogram (elastic#83532) [DX] Bump TS version to v4.1 (elastic#83397) [Security Solution] Add endpoint policy revision number (elastic#83982) [Fleet] Integration Policies List view (elastic#83634) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
#82728
Before this PR, we had an issue about DNS hitogram, that skip the data with empty value in the expected bucket.
I think that's because the query result return empty value in the expected buckets, so when our parser iterates them,
it return nothing. Therefor when the data reaches the bar chart, some buckets are missing.
So this PR updates the query to make histogram rendered as expected (should not skip the expected bucket)
Note: The DNS histogram also aligns the option
include PTR, with the table below. Means that if it is switched on in the table below, it applies to the histogram too.Checklist
Delete any items that are not applicable to this PR.