[Security Solution] Use sourcerer selected indices in resolver #90727
Conversation
…cerer-selected-indices
kqualters-elastic
added
release_note:skip
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-threat-hunting (Feature:Resolver) |
kqualters-elastic
changed the title
kqualters-elastic
changed the title
| @@ -336,10 +349,22 @@ export const timeRangeFilters = createSelector( | |||
| /** | |||
| * The indices to use for the requests with the backend. | |||
| */ | |||
| export const treeParamterIndices = createSelector(treeParametersToFetch, (parameters) => { | |||
| export const treeParameterIndices = createSelector(treeParametersToFetch, (parameters) => { | |||
There was a problem hiding this comment.
Spelling is hard 😂 Thanks
| @@ -71,6 +78,12 @@ const resolverTreeResponse = (state: DataState): NewResolverTree | undefined => | |||
| return state.tree?.lastResponse?.successful ? state.tree?.lastResponse.result : undefined; | |||
| }; | |||
|
|
|||
| const lastResponseIndices = (state: DataState): string[] | undefined => { | |||
There was a problem hiding this comment.
I'm probably missing something but could we get away without needing to look at the last response? Could we just use the current indices all the time?
There was a problem hiding this comment.
I think this helps us maintain the original indices which were used to successfully get data back. These are the "current" indices technically as far as I can see
There was a problem hiding this comment.
@jonathan-buttner The reason for doing this is because all of these event api requests are inherently tied to the tree the user is currently viewing, if a separate set of indices is passed to resolver as the middlewares are running, that would be a bug. Should not happen currently, as changing the indices with sourcerer forces the store to be recreated, but that won't necessarily always be the case. Added the sequence of actions that show the need for this here: https://github.com/elastic/kibana/pull/90727/files#diff-0a7459663dc51fee4faacb117efa940c3a4f5dfdfa1abc44ea873507e8de80aaR706
|
@jonathan-buttner added a screenshot of the request |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
| @@ -280,6 +280,7 @@ export enum TimelineId { | |||
| active = 'timeline-1', | |||
| casePage = 'timeline-case', | |||
| test = 'test', // Reserved for testing purposes | |||
| test2 = 'test2', | |||
There was a problem hiding this comment.
Maybe name this alternateTest or updateTester or something?
kqualters-elastic
deleted the
resolver-use-sourcerer-selected-indices
branch
…ic#90727) * Use sourcer indices * Add indices to panel requests * Use a separate indices selector for resolver events * Use valid timeline id in tests * Update TimelineId type usage, make selector test clearer * Update tests to use TimelineId type
…#90727) (#91009) * [Security Solution] Use sourcerer selected indices in resolver (#90727) * Use sourcer indices * Add indices to panel requests * Use a separate indices selector for resolver events * Use valid timeline id in tests * Update TimelineId type usage, make selector test clearer * Update tests to use TimelineId type * Remove non-existant 7.11 mocked import
… (#91008) * Use sourcer indices * Add indices to panel requests * Use a separate indices selector for resolver events * Use valid timeline id in tests * Update TimelineId type usage, make selector test clearer * Update tests to use TimelineId type
Summary
fixes #89337
This pr changes the list of indices passed to resolver to come from sourcer, matching the rest of the SIEM app. Previously this used only the default indices. Also fixes a bug in the selectors used by data fetching middleware that caused api requests to always use an empty array. Event requests now use the same set of indices used for the tree the user is viewing.
Checklist
Delete any items that are not applicable to this PR.