* Adding type field to client
* Removing context and adding association type
* Handle alerts from multiple indices
* Adding flow for adding a sub case
* Making progress on creating alerts from rules
* Refactored add comment to handle case and sub case
* Starting sub case API and refactoring of case client
* Fleshing out find cases
* Finished the find cases api
* Filtering comments by association type
* Fixing tests and types
* Updating snapshots
* Cleaning up comment references
* Working unit tests
* Fixing integration tests and got ES to work
* Unit tests and api integration test working
* Refactoring find and get_status
* Starting patch, and update
* script for sub cases
* Removing converted_by and fixing type errors
* Adding docs for script
* Removing converted_by and fixing integration test
* Adding sub case id to comment routes
* Removing stringify comparison
* Adding delete api and tests
* Updating license
* missed license files
* Integration tests passing
* Adding more tests for sub cases
* Find int tests, scoped client, patch sub user actions
* fixing types and call cluster
* fixing get sub case param issue
* Adding user actions for sub cases
* Preventing alerts on collections and refactoring user
* Allowing type to be updated for ind cases
* Refactoring and writing tests
* Fixing sub case status filtering
* Adding more tests not allowing gen alerts patch
* Working unit tests
* Push to connector gets all sub case comments
* Writing more tests and cleaning up
* Updating push functionality for generated alerts and sub cases
* Adding comment about updating collection sync
* Refactoring update alert status for sub cases and removing request and cleaning up
* Addressing alert service feedback
* Fixing sub case sync bug and cleaning up comment types
* Addressing more feedback
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Changed the embeddable state transfer service so that it is possible to clear all editor state at once. Used that method in the visualize listing page
* Adds basic integration test for threat enrichment
* Update signals mappings with indicator fields
* Simplify some ternaries with Math.min
* Remove outdated comments
* Add notes from walkthrough with devin
* Add an enrichment hook to the current signal creation pipeline
When this moves to individual rule-specific data transformations this
will be a little more explicit/configurable; for now to keep changes
minimal, we're using dependency injection to pass a function, which will
default to the identity function (e.g. a no-op).
* Add utility functions for encoding/decoding our threat query
This is what allows us to enrich the threat match signals using only the
signal search response.
* Add a name to each threat match filter clause
This gives us the information we need to enrich our signals after
they've been queried without having to perform a complicated reverse
query.
* Adds functions for signal enrichment of threat indicators
* Wire up threat enrichment to threat match rules
* Fleshes out threat match integration tests
Adds assertions to the existing test, and fleshes out another test for a
multi-match signal.
* Add more test cases to indicator match integration tests
* single indicator matching multiple events
* multiple indicators matching a single event
* multiple indicators, multiple events
* placeholder for deduplication logic
This also adds some descriptions to our threat intel documents, to give
a little context around how they're meant to function within the tests,
particularly as relates to the auditbeat/hosts data on which it is meant
to function.
* Implement signal deduplication
This handles the situation where the indicator match search has returned
the same signal multiple times due to the source event matching
different indicators in different query batches. In this case, we want
to generate a single signal with all matched indicators.
* Move default indicator path to constant
* Testing some edge cases with signal enrichment
* Cover and test edge cases with threat enrichment generation
* Fix logical error in TI enrichment
We were previously adding the indicator's field to matched.field,
instead of the corresponding event field that matched the indicator.
In the normal case, the expectation is that the indicator field is
self-evident, and thus we want to know the other side of the match on
the event itself.
Updates tests accordingly.
* Document behavior when an indicator matched but is absent on enrichment
This could occur if the indicator index is updated while a rule is being
run.
* Add followup note
* Add basic unit test for our enrichment function
This just verifies that the enrichment function gets invoked with search
results.
* Update license headers for new files
* Remove unused threatintel archive
I made both of these before we were clear on the direction we were
taking here.
* Bump signals version to allow some updates in patch releases
* Fix typings of threat list item
We were conflating the type of the underlying document with the type of
the search response for that document. This is now addressed with two
types: ThreatListDoc and ThreatListItem, respectively.
ThreatListDoc isn't the most distinguishing name but it avoids a lot of
unnecessary renaming for the existing concept of ThreatListItem.
* Update test mock to be aware of (but not care about) named queries
* Remove/update outdated comments
This code was modified to perform two searches instead of one; at that
time, a lot of this code was duplicated and modified slightly, and these
misleading comments were a result. I removed the ones that were no
longer relevant, but left a TODO for one that could be a bug.
* Remove outdated comment
Documents will always have _id.
* Update enriched signals' total to account for deduplication
If a given signal matched on multiple indicators in different loops of
our indicator query, it may appear multiple times. Our enrichment
performs the merging of those duplicated results, but did not previously
update the response's total field to account for this.
I don't believe that anything downstream is actually using this field and that we
are instead operating on the length of hits and the response from the
bulk create request, but this keeps things consistent in case that
changes.
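The deduplication described in "Implement signal deduplication" and the total-count fix above, together with the "Fix logical error in TI enrichment" point that `matched.field` must name the event side of the match, can be shown in one small piece of code. This is an added example, not Kibana's own enrichment code: it assumes a hypothetical `indicatorId__indicatorField__eventField` encoding for the named query clauses (Elasticsearch returns the names of matching named clauses in `matched_queries`), and the hit shapes and field names are constructed for the example.

```typescript
// Added example (not Kibana's code): enrich threat-match signal hits with the
// indicators they matched, then collapse hits that were returned by more than
// one query batch into a single signal carrying every matched indicator.

interface ThreatMatchHit {
  _id: string;
  _source: Record<string, unknown>;
  matched_queries?: string[]; // names of the named query clauses that matched
}

interface MatchedIndicator {
  indicator: { id: string; field: string };
  // the event-side field and value that matched, not the indicator's own field
  matched: { field: string; atomic: unknown };
}

interface EnrichedHit extends ThreatMatchHit {
  _source: Record<string, unknown> & { threat: { indicator: MatchedIndicator[] } };
}

interface SearchResponseLike<T> {
  hits: { total: number; hits: T[] };
}

const SEPARATOR = '__';

// Assumed encoding for this example: indicatorId__indicatorField__eventField.
function encodeThreatMatchName(id: string, indicatorField: string, eventField: string): string {
  return [id, indicatorField, eventField].join(SEPARATOR);
}

function decodeThreatMatchName(
  name: string
): { id: string; indicatorField: string; eventField: string } | undefined {
  const parts = name.split(SEPARATOR);
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return undefined;
  const [id, indicatorField, eventField] = parts;
  return { id, indicatorField, eventField };
}

// Resolve a dotted path such as "source.ip" against a plain object.
function getField(obj: Record<string, unknown>, path: string): unknown {
  return path.split('.').reduce<unknown>(
    (acc, key) => (acc !== null && typeof acc === 'object' ? (acc as Record<string, unknown>)[key] : undefined),
    obj
  );
}

function enrichSignal(hit: ThreatMatchHit): EnrichedHit {
  const indicators: MatchedIndicator[] = [];
  for (const name of hit.matched_queries ?? []) {
    const decoded = decodeThreatMatchName(name);
    if (!decoded) continue; // a clause we did not name; nothing to enrich from
    indicators.push({
      indicator: { id: decoded.id, field: decoded.indicatorField },
      matched: { field: decoded.eventField, atomic: getField(hit._source, decoded.eventField) },
    });
  }
  return { ...hit, _source: { ...hit._source, threat: { indicator: indicators } } };
}

const keyOf = (m: MatchedIndicator): string => `${m.indicator.id}${SEPARATOR}${m.indicator.field}`;

// Merge duplicate hits (same _id from different batches) and recompute total.
function enrichAndDeduplicate(
  response: SearchResponseLike<ThreatMatchHit>
): SearchResponseLike<EnrichedHit> {
  const byId: Record<string, EnrichedHit> = {}; // plain object keyed by _id
  for (const hit of response.hits.hits) {
    const enriched = enrichSignal(hit);
    const existing = byId[hit._id];
    if (existing === undefined) {
      byId[hit._id] = enriched;
      continue;
    }
    const seen = new Set(existing._source.threat.indicator.map(keyOf));
    for (const ind of enriched._source.threat.indicator) {
      if (!seen.has(keyOf(ind))) {
        existing._source.threat.indicator.push(ind);
        seen.add(keyOf(ind));
      }
    }
  }
  const hits = Object.values(byId);
  return { hits: { total: hits.length, hits } }; // total reflects merged hits
}

// Constructed sample: evt-1 is returned twice because two indicators matched it
// in different query batches.
const sampleResponse: SearchResponseLike<ThreatMatchHit> = {
  hits: {
    total: 3,
    hits: [
      { _id: 'evt-1', _source: { source: { ip: '203.0.113.5' } },
        matched_queries: [encodeThreatMatchName('ind-a', 'threat.indicator.ip', 'source.ip')] },
      { _id: 'evt-2', _source: { file: { hash: { sha256: 'constructed-hash' } } },
        matched_queries: [encodeThreatMatchName('ind-b', 'threat.indicator.file.hash.sha256', 'file.hash.sha256')] },
      { _id: 'evt-1', _source: { source: { ip: '203.0.113.5' } },
        matched_queries: [encodeThreatMatchName('ind-c', 'threat.indicator.ip', 'source.ip')] },
    ],
  },
};

console.log(JSON.stringify(enrichAndDeduplicate(sampleResponse), null, 2));
```

Running it collapses the three hits into two signals, with `evt-1` carrying both `ind-a` and `ind-c`, and `total` set to 2 rather than the pre-merge 3.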
* Remove development comments
* Add JSDoc for our special template version constant
* Remove outdated comments
* Add an additional test permutation for error cases
Ensure that we throw an error if the indicator field is either a
primitive or an array of primitives.
* Remove unnecessary coalescing
These values are already defaulted in the parent, and the types are
correct in that these cannot be undefined.
* Move logic to build threat enrichment function into helper
* Refactor code to allow typescript to infer our type narrowing
existingSignalHit could not be undefined on line 30 here, but typescript
could not infer this from the !acc.has() call.
* Use a POJO over a Map
We were using a map previously in order to use .has() for a predicate,
but code has since been refactored to make that unnecessary.
* Explicitly type our enriched signals
These are being typed implicitly and verified against SignalSourceHit[]
on the assignment below, but this makes the types explicit and surfaces
a type error here instead of the subsequent assignment.
* Add an explanatory note about these test results
* Remove unused imports
These references were moved into buildThreatEnrichment
* Remove threat mappings accidentally brought in with indicator work
I copied the entirety of the `threat` mappings in order to get the
`threat.indicator` ones, but it looks like these were added at some
point too.
I'd rather these not be added incidentally. If we need them, we should
do so explicitly.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Addresses #88450
Issue
Search was not working as expected because the exception list property name is mapped as a keyword. This means it does not get tokenized, which is why one-word searches were working, but if the name included multiple words and was partial, it was not filtering properly.
* fixes https://github.com/elastic/kibana/issues/74449
* unskip maps tests (#90323)
* unskip maps tests
* checking the baseline images
* updated the test to move the mouse away and close the Legend
* more changes to the test
* reducing the threshold limit
* updating the baseline images
* added a comment about the baseline images
* updating flights baseline image and adjusting threshold
* updated threshold and baseline image for web log
* session image of weblogsmap
* skipping layer_errors test
* skip the test - as it fails on cloud and windows on snapshot
* adjust network events
* add metaData to data formatting
* add useFlyout
* adjust waterfall data types
* adjust MiddleTruncatedText to use span instead of div
* add flyout
* adjust sidebar button style
* update tests
* convert content to use sentence case
* pass onBarClick and onProjectionClick as WaterfallChart props
* use undefined value for initial flyoutData state
* add telemetry
* adjust typo in get_network_events
* adjust connection time
* added space between value and units
* adjust flyout spacing, rearrange certificates, and right align values
* adjust flyout labels
* add focus management support to flyout
* improve performance with memoization
* add external link to MiddleTruncatedText
* update data_formatting function
* remove EuiPortal
* add moment mock to data_formatting test
* adjust data_formatting
* adjust network_events runtime types
* remove extra space in test title
* toggle flyout on sidebar click
* update styling and html for open in new tab resource link
* rename metaData to metadata
* adjust MiddleTruncatedText styling
* adjust WaterfallFlyout heading
* adjust waterfall sidebar item types
* adjust SidebarItem onClick type
* fix license header
* align middle truncated text left
* move flyout logic to a render prop for better composability
* add ip to flyout
* update label for bytes downloaded (compressed)
* lowercase compressed
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Remove "Add a private content source" sidebar link
* Update groupsSentence to cover different number of groups
Different cases:
1 group: You have access to the following sources through the group Default.
2 groups: You have access to the following sources through the groups Default and Engineering. (no comma before 'and')
3+ groups: You have access to the following sources through the groups Default, Marketing, and Engineering. (comma before 'and')
* Create PrivateSourcesLayout as a copy of Layout
In this commit PrivateSourcesLayout is a full copy of Layout.
It's going to be updated in later commits.
* Remove unused code from PrivateSourcesLayout
* Update read-only mode warning copy for end-users
* Move copy to constants file
* Add width styles to new sidebar
Also moved private_sources_layout styles to sources.scss file. Having separate files for that little amount of custom styles is unnecessary.
* Move top-level header to sidebar
* Add missing padding to sidebar
* Replace ViewContentHeader with ContentSection props
* Move variables over the components
* Remove unused classnames
* DRY out privateSourcesTable and privateSourcesEmptyState
by extracting privateSourcesSection that contains common markup.
* DRY out sharedSourcesTable and sharedSourcesEmptyState
by extracting sharedSourcesSection that contains common markup.
* Reorder code blocks inside the file
To match the order the components appear in UI
* Add newline to the groups enumeration sentence
So it looks good with any number of groups
* Update x-pack/plugins/enterprise_search/public/applications/workplace_search/views/content_sources/private_sources_layout.tsx
Co-authored-by: Scotty Bollinger <scotty.bollinger@elastic.co>
Co-authored-by: Scotty Bollinger <scotty.bollinger@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Introduce new formatting logic for ping list, duration strings now converted to seconds when appropriate.
* Handle singular plurality case.
* Make limit for conversion 10 sec instead of 1 sec.
* Switch conversion threshold back to one second, add tests.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR addresses the bug #90985. Please see link for bug details.
TLDR: SO _find filter does not take into consideration that the filter string can refer to multi-fields, which should be parsed differently. This addition adds to the helper method that checks if there are any errors in the filter formatting.
* exclude all the plugins from src/plugins
* move all the used fixtures to discover
* remove src/fixtures alias
* remove unused fixtures
* cleanup x-pack/tsconfig.json
* don't compile apm/scripts
* fix tests
* don't include infra in xpack/tsconfig.json
* update list of includes
* Create a copy of the existing overview as mvp
No files were changed here; only a copy
* Update index to point to MVP copy
* Wrap server calls in try/catch
Jest was complaining about this and it’s a good practice to have anyway
* Remove MVP temp EuiPage wrapper
* Add route and link in navigation
* Remove Launch Workplace Search button
This is not needed in a post-MVP world. We have had discussions about giving the users the ability to relaunch the legacy app in the beta (pre-8.0) world, but that will be in a callout or some other element.
* Refactor onboarding card to use internal routing
I simplified this by not trying to recreate shared props and typecast them, but instead creating 2 variable components that fall back to an unclickable button that is disabled in the UI
* Refactor onboarding steps to use internal routing
* Refactor statistic card to use internal routing
* Refactor recent activity to use internal routing