[Security Solution] Adds normalization for filter meta field diff
#210191
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dplumlee
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
maximpn
reviewed
Feb 14, 2025
There was a problem hiding this comment.
@dplumlee Thanks for that improvement 🙏
There are a couple of comments to improve tests I believe should be addressed before merging the PR.
The PR was tested locally by going through the following scenarios
- Saving rule unchanged
- Negating and/or disabling filters
- Preview customized filters in Rule Upgrade Flyout
- Upgrading rules with customised filters
Conclusion: It works as expected.
Customization state is properly determined for a prebuilt rule with filters. It resets to not modified when filter's are restored to it's original state.
Rule upgrade works as expected. Upgraded rule has customized value unchanged.
There is a recorded video
https://github.com/user-attachments/assets/88b1a9c3-de6e-4eec-85e2-88bf5c421158
Future improvements (out of scope of this PR)
- Editing filters in Rule Upgrade Flyout leads to showing diff with fields normalization removes. It looks like we can apply the same normalization in the Rule Upgrade Diff View. But it's important to preserve values for rule upgrade API call to have values saved upon upgrade.
- Filter's editing doesn't look handling when specified fields are missing in ES. This is the existing behavior persisting in Kibana for long time. The same is applicable to editing filters in Rule Upgrade Flyout
| }); | ||
| }); | ||
|
|
||
| it('normalizes filters without disabled field', () => { |
There was a problem hiding this comment.
Ideally this test should be improved. Let's use it.each with inline filters to tested the following normalization scenarios
- all fields exists normalization
- negate field missing (removable fields missing)
- disabled field missing (removable fields missing)
- query field missing (removable fields missing)
There was a problem hiding this comment.
@dplumlee We can further improve tests isolation by having separate tests for filters[].query and filters[].meta. I gave it a try and got the tests below you can simply replace normalization tests with
describe('filters normalization', () => {
it('normalizes filters[].query when all fields present', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[mockFilter],
undefined
);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
query: {
term: {
field: 'value',
},
},
},
],
});
});
it('normalizes filters[].query when query object is missing', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[{ ...mockFilter, query: undefined }],
undefined
);
expect(extractedKqlQuery).not.toMatchObject({
filters: [
{
query: expect.anything(),
},
],
});
});
it.each([
{
caseName: 'when all fields present',
filter: mockFilter,
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
{
caseName: 'when disabled field is missing',
filter: { ...mockFilter, meta: { ...mockFilter.meta, disabled: undefined } },
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
{
caseName: 'when negate field is missing',
filter: { ...mockFilter, meta: { ...mockFilter.meta, negate: undefined } },
expectedFilterMeta: {
disabled: false,
},
},
{
caseName: 'when query object is missing',
filter: { ...mockFilter, query: undefined },
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
])('normalizes filters[].meta $caseName', ({ filter, expectedFilterMeta }) => {
const extractedKqlQuery = extractRuleKqlQuery('some:query', 'kuery', [filter], undefined);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
meta: expectedFilterMeta,
},
],
});
});
it('normalizes filters[].meta when query object is missing', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[{ ...mockFilter, query: undefined }],
undefined
);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
meta: {
negate: false,
disabled: false,
},
},
],
});
});
});| type: KqlQueryType.inline_query, | ||
| query: 'event.kind:alert', | ||
| language: 'kuery', | ||
| filters: [ |
There was a problem hiding this comment.
In that test we are interested in filters field. Let's move type, query and language assertions to separate tests.
dplumlee
force-pushed
the
filter-meta-normalization
branch
from
834e1d9 to
164a8b1
Compare
|
@elasticmachine merge upstream |
maximpn
approved these changes
Feb 24, 2025
| }); | ||
| }); | ||
|
|
||
| it('normalizes filters without disabled field', () => { |
There was a problem hiding this comment.
@dplumlee We can further improve tests isolation by having separate tests for filters[].query and filters[].meta. I gave it a try and got the tests below you can simply replace normalization tests with
describe('filters normalization', () => {
it('normalizes filters[].query when all fields present', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[mockFilter],
undefined
);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
query: {
term: {
field: 'value',
},
},
},
],
});
});
it('normalizes filters[].query when query object is missing', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[{ ...mockFilter, query: undefined }],
undefined
);
expect(extractedKqlQuery).not.toMatchObject({
filters: [
{
query: expect.anything(),
},
],
});
});
it.each([
{
caseName: 'when all fields present',
filter: mockFilter,
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
{
caseName: 'when disabled field is missing',
filter: { ...mockFilter, meta: { ...mockFilter.meta, disabled: undefined } },
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
{
caseName: 'when negate field is missing',
filter: { ...mockFilter, meta: { ...mockFilter.meta, negate: undefined } },
expectedFilterMeta: {
disabled: false,
},
},
{
caseName: 'when query object is missing',
filter: { ...mockFilter, query: undefined },
expectedFilterMeta: {
negate: false,
disabled: false,
},
},
])('normalizes filters[].meta $caseName', ({ filter, expectedFilterMeta }) => {
const extractedKqlQuery = extractRuleKqlQuery('some:query', 'kuery', [filter], undefined);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
meta: expectedFilterMeta,
},
],
});
});
it('normalizes filters[].meta when query object is missing', () => {
const extractedKqlQuery = extractRuleKqlQuery(
'some:query',
'kuery',
[{ ...mockFilter, query: undefined }],
undefined
);
expect(extractedKqlQuery).toMatchObject({
filters: [
{
meta: {
negate: false,
disabled: false,
},
},
],
});
});
});
dplumlee
force-pushed
the
filter-meta-normalization
branch
from
aa7cf42 to
c5b0935
Compare
|
Starting backport for target branches: 8.18, 8.x, 9.0 |
💚 Build Succeeded
Metrics [docs]Async chunks
History
cc @dplumlee |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 25, 2025
…lastic#210191) **Fixes: elastic#206527 **Partially addresses: elastic#209518 ## Summary Adds a normalization to the `filters` field in the rule diffing calculation that omits all filter fields other than the `query` field and the `negate` and `disabled` fields within the `meta` object. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (`alias`, `key`, etc). ### To test - Open a prebuilt rule with `filters` in the non-customized rule parameters (e.g. `PowerShell Script with Discovery Capabilities`) - Edit the rule and save without editing - The rule should remain unmodified even though more fields have been added to the rule's `filters` field Unless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances: - The user negates the filter (adds NOT to the beginning of the filter) - The user disables the filter - The user changes the filter query All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 3f3c8c8)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 25, 2025
…lastic#210191) **Fixes: elastic#206527 **Partially addresses: elastic#209518 ## Summary Adds a normalization to the `filters` field in the rule diffing calculation that omits all filter fields other than the `query` field and the `negate` and `disabled` fields within the `meta` object. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (`alias`, `key`, etc). ### To test - Open a prebuilt rule with `filters` in the non-customized rule parameters (e.g. `PowerShell Script with Discovery Capabilities`) - Edit the rule and save without editing - The rule should remain unmodified even though more fields have been added to the rule's `filters` field Unless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances: - The user negates the filter (adds NOT to the beginning of the filter) - The user disables the filter - The user changes the filter query All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 3f3c8c8)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 25, 2025
…lastic#210191) **Fixes: elastic#206527 **Partially addresses: elastic#209518 ## Summary Adds a normalization to the `filters` field in the rule diffing calculation that omits all filter fields other than the `query` field and the `negate` and `disabled` fields within the `meta` object. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (`alias`, `key`, etc). ### To test - Open a prebuilt rule with `filters` in the non-customized rule parameters (e.g. `PowerShell Script with Discovery Capabilities`) - Edit the rule and save without editing - The rule should remain unmodified even though more fields have been added to the rule's `filters` field Unless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances: - The user negates the filter (adds NOT to the beginning of the filter) - The user disables the filter - The user changes the filter query All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 3f3c8c8)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Feb 25, 2025
…diff (#210191) (#212320) # Backport This will backport the following commits from `main` to `9.0`: - [[Security Solution] Adds normalization for filter `meta` field diff (#210191)](#210191) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-25T00:19:55Z","message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Adds normalization for filter `meta` field diff","number":210191,"url":"https://github.com/elastic/kibana/pull/210191","mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/210191","number":210191,"mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Feb 25, 2025
… diff (#210191) (#212318) # Backport This will backport the following commits from `main` to `8.18`: - [[Security Solution] Adds normalization for filter `meta` field diff (#210191)](#210191) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-25T00:19:55Z","message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Adds normalization for filter `meta` field diff","number":210191,"url":"https://github.com/elastic/kibana/pull/210191","mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/210191","number":210191,"mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Feb 25, 2025
…diff (#210191) (#212319) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Adds normalization for filter `meta` field diff (#210191)](#210191) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-25T00:19:55Z","message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Adds normalization for filter `meta` field diff","number":210191,"url":"https://github.com/elastic/kibana/pull/210191","mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/210191","number":210191,"mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <[email protected]>
patrykkopycinski
pushed a commit
to patrykkopycinski/kibana
that referenced
this pull request
Feb 25, 2025
…lastic#210191) **Fixes: elastic#206527 **Partially addresses: elastic#209518 ## Summary Adds a normalization to the `filters` field in the rule diffing calculation that omits all filter fields other than the `query` field and the `negate` and `disabled` fields within the `meta` object. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (`alias`, `key`, etc). ### To test - Open a prebuilt rule with `filters` in the non-customized rule parameters (e.g. `PowerShell Script with Discovery Capabilities`) - Edit the rule and save without editing - The rule should remain unmodified even though more fields have been added to the rule's `filters` field Unless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances: - The user negates the filter (adds NOT to the beginning of the filter) - The user disables the filter - The user changes the filter query All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
JoseLuisGJ
pushed a commit
to JoseLuisGJ/kibana
that referenced
this pull request
Feb 27, 2025
…lastic#210191) **Fixes: elastic#206527 **Partially addresses: elastic#209518 ## Summary Adds a normalization to the `filters` field in the rule diffing calculation that omits all filter fields other than the `query` field and the `negate` and `disabled` fields within the `meta` object. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (`alias`, `key`, etc). ### To test - Open a prebuilt rule with `filters` in the non-customized rule parameters (e.g. `PowerShell Script with Discovery Capabilities`) - Edit the rule and save without editing - The rule should remain unmodified even though more fields have been added to the rule's `filters` field Unless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances: - The user negates the filter (adds NOT to the beginning of the filter) - The user disables the filter - The user changes the filter query All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this pull request
Mar 4, 2025
…diff (elastic#210191) (elastic#212319) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Adds normalization for filter `meta` field diff (elastic#210191)](elastic#210191) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Davis Plumlee","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-02-25T00:19:55Z","message":"[Security Solution] Adds normalization for filter `meta` field diff (elastic#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security Solution] Adds normalization for filter `meta` field diff","number":210191,"url":"https://github.com/elastic/kibana/pull/210191","mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (elastic#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/210191","number":210191,"mergeCommit":{"message":"[Security Solution] Adds normalization for filter `meta` field diff (elastic#210191)\n\n**Fixes: https://github.com/elastic/kibana/issues/206527**\n**Partially addresses: https://github.com/elastic/kibana/issues/209518**\n\n## Summary\n\nAdds a normalization to the `filters` field in the rule diffing\ncalculation that omits all filter fields other than the `query` field\nand the `negate` and `disabled` fields within the `meta` object. This\nmakes our diffing logic much more robust and resilient as we only\ncompare data in the rule fields that have an impact on the query itself\nand not the fields that relate to UI implementation (`alias`, `key`,\netc).\n\n### To test\n\n- Open a prebuilt rule with `filters` in the non-customized rule\nparameters (e.g. `PowerShell Script with Discovery Capabilities`)\n- Edit the rule and save without editing\n- The rule should remain unmodified even though more fields have been\nadded to the rule's `filters` field\n\nUnless the user adds or deletes a filter on the rule, the rule should\nonly be marked as customized under 3 circumstances:\n\n- The user negates the filter (adds NOT to the beginning of the filter)\n- The user disables the filter\n- The user changes the filter query\n\nAll other scenarios (such as adding a custom name for the filter) should\nnot change the rule's customized status\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios","sha":"3f3c8c8a4898217c3d3c9314e50e6eb46ec4b9e0"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Davis Plumlee <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #206527
Partially addresses: #209518
Summary
Adds a normalization to the
filtersfield in the rule diffing calculation that omits all filter fields other than thequeryfield and thenegateanddisabledfields within themetaobject. This makes our diffing logic much more robust and resilient as we only compare data in the rule fields that have an impact on the query itself and not the fields that relate to UI implementation (alias,key, etc).To test
filtersin the non-customized rule parameters (e.g.PowerShell Script with Discovery Capabilities)filtersfieldUnless the user adds or deletes a filter on the rule, the rule should only be marked as customized under 3 circumstances:
All other scenarios (such as adding a custom name for the filter) should not change the rule's customized status
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.