[Security Detections] Fixes ip on threshold preview button when selecting an ip data type such as source.ip (#105126)
## Summary See https://github.com/elastic/kibana/issues/100433 for details and test instructions. This is considered critical and a small fix for 7.14.0 has been requested. * Wrote Cypress test that exercises the bug * Fixed mutation in one part of the Cypress Test * Decided to remove the "missing" that we were telling users was "others" since missing is not the same as others. It no longer errors, but some users might be asking why we don't show "others" anymore. The reality is that we only showed "missing" which isn't adding value to the preview of what detections will end up looking like. * Later if we want a true "others" we should implement it as a larger feature request and not a bug fix IMHO Before you would get errors in your network panel: ![errors_threshold](https://user-images.githubusercontent.com/1151048/125126681-b0380e00-e0b8-11eb-9f2c-a75e2909754c.png) After you now get the `source.ip` without errors: <img width="1074" alt="Screen Shot 2021-07-09 at 1 28 24 PM" src="https://user-images.githubusercontent.com/1151048/125127326-94813780-e0b9-11eb-9367-bb3b406ff55a.png"> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
This commit is contained in:
parent
937a4f381a
commit
c07f51e5be
3 changed files with 25 additions and 5 deletions
|
@ -6,7 +6,7 @@
|
|||
*/
|
||||
|
||||
import { formatMitreAttackDescription } from '../../helpers/rules';
|
||||
import { indexPatterns, newRule, newThresholdRule } from '../../objects/rule';
|
||||
import { indexPatterns, newRule, newThresholdRule, ThresholdRule } from '../../objects/rule';
|
||||
|
||||
import {
|
||||
ALERT_RULE_METHOD,
|
||||
|
@ -180,9 +180,9 @@ describe('Detection rules, threshold', () => {
|
|||
cy.get(ALERT_RULE_RISK_SCORE).first().should('have.text', rule.riskScore);
|
||||
});
|
||||
|
||||
it('Preview results', () => {
|
||||
const previewRule = { ...newThresholdRule };
|
||||
previewRule.index!.push('.siem-signals*');
|
||||
it('Preview results of keyword using "host.name"', () => {
|
||||
const previewRule: ThresholdRule = { ...newThresholdRule };
|
||||
previewRule.index = [...previewRule.index, '.siem-signals*'];
|
||||
|
||||
createCustomRuleActivated(newRule);
|
||||
goToManageAlertsDetectionRules();
|
||||
|
@ -194,4 +194,23 @@ describe('Detection rules, threshold', () => {
|
|||
|
||||
cy.get(PREVIEW_HEADER_SUBTITLE).should('have.text', '3 unique hits');
|
||||
});
|
||||
|
||||
it('Preview results of "ip" using "source.ip"', () => {
|
||||
const previewRule: ThresholdRule = {
|
||||
...newThresholdRule,
|
||||
thresholdField: 'source.ip',
|
||||
threshold: '1',
|
||||
};
|
||||
previewRule.index = [...previewRule.index, '.siem-signals*'];
|
||||
|
||||
createCustomRuleActivated(newRule);
|
||||
goToManageAlertsDetectionRules();
|
||||
waitForRulesTableToBeLoaded();
|
||||
goToCreateNewRule();
|
||||
selectThresholdRuleType();
|
||||
fillDefineThresholdRule(previewRule);
|
||||
previewResults();
|
||||
|
||||
cy.get(PREVIEW_HEADER_SUBTITLE).should('have.text', '10 unique hits');
|
||||
});
|
||||
});
|
||||
|
|
|
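Review bot: The new test 'Preview results of "ip" using "source.ip"' pins the preview subtitle to `'10 unique hits'` and the renamed keyword test pins `'3 unique hits'`, but nothing says which fixture dataset yields those counts, so a fixture change would surface as an unexplained failure here rather than as a deliberate update. A one-line comment above each assertion naming the data the count comes from, e.g. `// count of distinct source.ip values in the test fixture loaded for this suite`, would make that link explicit. The two `it` blocks also repeat the same setup sequence from createCustomRuleActivated through previewResults; a small local helper taking the rule would remove the duplication. Building `previewRule.index` with a spread instead of `push` is the right call, since `newThresholdRule` is shared across tests. The enclosing describe block starts before this hunk.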
@ -275,7 +275,7 @@ export const fillDefineThresholdRule = (rule: ThresholdRule) => {
|
|||
cy.get(TIMELINE(rule.timeline.id!)).click();
|
||||
cy.get(COMBO_BOX_CLEAR_BTN).click();
|
||||
|
||||
rule.index!.forEach((index) => {
|
||||
rule.index.forEach((index) => {
|
||||
cy.get(COMBO_BOX_INPUT).first().type(`${index}{enter}`);
|
||||
});
|
||||
|
||||
|
|
|
@ -118,6 +118,7 @@ export const PreviewQuery = ({
|
|||
startDate: toTime,
|
||||
filterQuery: queryFilter,
|
||||
indexNames: index,
|
||||
includeMissingData: false,
|
||||
histogramType: MatrixHistogramType.events,
|
||||
stackByField: 'event.category',
|
||||
threshold: ruleType === 'threshold' ? threshold : undefined,
|
||||
|
|
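Review bot: `includeMissingData: false` is added without a comment, and the reason for it lives only in the PR description; a reader of PreviewQuery will not know that the "missing" bucket was being shown as "others" and that requesting it failed for ip fields. Suggest adding above the line `// Do not request the 'missing' bucket: it was shown to users as "others" and the request failed for ip fields such as source.ip.` so the choice is not undone as an apparent omission later. PreviewQuery starts and ends outside this hunk.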