
[CTI] Adds indicator match rule improvements #97310

Merged
merged 2 commits into from
Jul 19, 2021

Conversation

ecezalp

@ecezalp ecezalp commented Apr 15, 2021

Acceptance Criteria

  • Add track_total_hits: false to reduce unnecessary query overhead
  • Sort by @timestamp: desc to allow short-circuiting


@ecezalp ecezalp added the v7.13.0, release_note:feature, auto-backport, 7.13 candidate and Team: CTI labels Apr 15, 2021
@ecezalp ecezalp requested review from rylnd and a team April 15, 2021 19:13
@ecezalp ecezalp self-assigned this Apr 15, 2021
rylnd
rylnd previously approved these changes Apr 15, 2021

@rylnd rylnd left a comment


LGTM :shipit:

@rylnd rylnd self-requested a review April 15, 2021 19:21
@rylnd rylnd dismissed their stale review April 15, 2021 21:25

I rescind my hasty approval; this is not the correct approach.

@rylnd

rylnd commented Apr 16, 2021

Closing this for now as the change is not as straightforward as we'd hoped, and too risky to be a candidate for 7.13.0.

@rylnd rylnd closed this Apr 16, 2021
@ecezalp ecezalp reopened this Jul 19, 2021
@ecezalp

ecezalp commented Jul 19, 2021

@elasticmachine merge upstream

@ecezalp ecezalp added the v7.15.0 and Team: SecuritySolution labels and removed the 7.13 candidate and v7.13.0 labels Jul 19, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@ecezalp ecezalp requested a review from a team July 19, 2021 15:25
@kibanamachine

💚 Build Succeeded (metrics unchanged)


@rylnd rylnd left a comment


Approved. This does not address/affect the events query, but in certain circumstances it should improve performance of the indicator query 👍

@ecezalp ecezalp merged commit 7e4c73a into elastic:master Jul 19, 2021
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Jul 19, 2021
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@kibanamachine

💚 Backport successful

Branch: 7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Jul 19, 2021
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Ece Özalp <ozale272@newschool.edu>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jul 20, 2021
…y-show-migrate-to-authzd-users

* 'master' of github.com:elastic/kibana: (187 commits)
  Space management page UX improvements (elastic#100448)
  [Reporting] Unskip flaky test when downloading CSV with "no data" (elastic#105252)
  Update dependency @elastic/charts to v33 (master) (elastic#105633)
  [Observability RAC] Improve alerts table columns (elastic#105446)
  Introduce `preboot` lifecycle stage (elastic#103636)
  [Security Solution] Invalid kql query timeline refresh bug (elastic#105525)
  skip flaky suite (elastic#106121)
  [Security Solution][Endpoint] Fix UI inconsistency between isolation forms and remove display of Pending isolation statuses (elastic#106118)
  docs: APM RUM Source map API (elastic#105332)
  [CTI] Adds indicator match rule improvements (elastic#97310)
  [Security Solution] update text for Isolation action submissions (elastic#105956)
  EP Meta Telemetry Perf (elastic#104396)
  [Metrics UI] Drop partial buckets from ALL Metrics UI queries (elastic#104784)
  Remove beta admonitions for Fleet docs (elastic#106010)
  [Observability RAC] Remove indexing of rule evaluation documents (elastic#104970)
  Parameterize migration test for kibana version (elastic#105417)
  [Alerting] Allow rule to execute if the value is 0 and that mets the condition (elastic#105626)
  [ML] Fix Index data visualizer sometimes shows wrong doc count for saved searches (elastic#106007)
  [Security Solution] UX fixes for Policy page and Case Host Isolation comment (elastic#106027)
  [Security Solution]Memory protection configuration card for policies integration. (elastic#101365)
  ...

# Conflicts:
#	x-pack/plugins/reporting/public/management/report_listing.test.tsx
#	x-pack/plugins/reporting/public/management/report_listing.tsx