[EDR Workflows][Bug] Fix filtering for unassigned event filters with process descendants (#186828)

## Summary

Fixes up `kuery` to be able to filter for Event filters by `unassigned`
policies, when the policies contain other `tags` (like process
descendant)

for testing, follow the description in the linked issue. the feature
flag to be enabled is
`xpack.securitySolution.enableExperimental.filterProcessDescendantsForEventFiltersEnabled`

the second event filter on the screenshot is `Process descendant`, it's
just not visible yet on this UI part)
<img width="1186" alt="image"
src="15118896-5a44-46ea-8cb2-e669550f9968">

<img width="604" alt="image"
src="19c2b9eb-24cc-42a6-a105-ba7139c21682">

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
Gergő Ábrahám 2024-06-27 17:46:00 +02:00 committed by GitHub
parent 0797e2455c
commit d0e239594d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 19 additions and 3 deletions


@ -5,7 +5,7 @@
* 2.0.
*/
import { parseQueryFilterToKQL } from './utils';
import { getPolicyQuery, parseQueryFilterToKQL } from './utils';
describe('utils', () => {
const searchableFields = [`name`, `description`, `entries.value`, `entries.entries.value`];
@ -39,4 +39,20 @@ describe('utils', () => {
);
});
});
describe('getPolicyQuery', () => {
it('should translate policy ID to kuery', () => {
expect(getPolicyQuery('aaa')).toBe('exception-list-agnostic.attributes.tags:"policy:aaa"');
});
it('should translate global policy ID to kuery using `policy:all`', () => {
expect(getPolicyQuery('global')).toBe('exception-list-agnostic.attributes.tags:"policy:all"');
});
it('should translate unassigned policy ID to kuery using `policy:all`', () => {
expect(getPolicyQuery('unassigned')).toBe(
'(not exception-list-agnostic.attributes.tags:policy\\:*)'
);
});
});
});
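Review bot: The title of the third new test case does not describe what it asserts: it says the unassigned policy ID is translated "using `policy:all`", but the expectation is the negated wildcard `(not exception-list-agnostic.attributes.tags:policy\\:*)`, which is the opposite of the `policy:all` tag that the `global` case produces. The name looks copy-pasted from the previous case and would mislead whoever reads a failure report for it. Suggest `it('should translate unassigned policy ID to kuery excluding any `policy:` tag', () => {`. It may also be worth a one-line comment above the expectation noting that the wildcard is scoped to `policy:` so that event filters carrying non-policy tags still count as unassigned, since that is the regression this commit fixes and the string alone does not convey it.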


@ -25,9 +25,9 @@ export const parseQueryFilterToKQL = (
return `(${kuery})`;
};
const getPolicyQuery = (policyId: string): string => {
export const getPolicyQuery = (policyId: string): string => {
if (policyId === 'global') return 'exception-list-agnostic.attributes.tags:"policy:all"';
if (policyId === 'unassigned') return '(not exception-list-agnostic.attributes.tags:*)';
if (policyId === 'unassigned') return '(not exception-list-agnostic.attributes.tags:policy\\:*)';
return `exception-list-agnostic.attributes.tags:"policy:${policyId}"`;
};
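Review bot: `getPolicyQuery` becomes part of the module's public surface on the `export const` line but carries no TSDoc, and the two sentinel values it special-cases (`'global'` and `'unassigned'`) plus the reason the new wildcard is `policy\:*` rather than `*` are exactly the things a caller cannot learn from the signature. A short doc comment should state that `'global'` maps to the `policy:all` tag, that `'unassigned'` matches documents with no `policy:`-prefixed tag so that other tags (such as the process-descendant tag mentioned in the description) do not disqualify an entry, and that any other value is treated as a policy ID. Separately, the last line interpolates `policyId` into a double-quoted KQL value without escaping `"` or `\`; that line is unchanged by this commit, but now that the function is exported, a caller passing a non-UUID value could produce a malformed or altered query. If policy IDs can originate outside the system's own ID generation, escaping those two characters before interpolation (for example via `.replace(/["\\]/g, '\\$&')`) would keep the generated KQL well-formed; if they are always system-generated UUIDs, a comment saying so would document the assumption.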