Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Move ES|QL parsing functionality into @kbn/securitysolution-utils package #202772

Merged
merged 3 commits into from
Dec 5, 2024

Conversation

e40pud
Copy link
Contributor

@e40pud e40pud commented Dec 3, 2024

Summary

With this PR we move existing parseEsqlQuery method into a shared security solution utils package. We need to the same functionality in "SIEM migrations" feature. Previously we duplicated the code in this PR and these are the follow-up changes to make parsing functionality shared for easier re-use within security solution.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

@e40pud e40pud added release_note:skip Skip the PR/issue when compiling release notes Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Team:Detection Engine Security Solution Detection Engine Area labels Dec 3, 2024
@e40pud e40pud self-assigned this Dec 3, 2024
@e40pud e40pud requested review from a team as code owners December 3, 2024 16:49
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner December 3, 2024 17:10
@elasticmachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
lists 343 426 +83
securitySolution 6308 6309 +1
total +84

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/securitysolution-utils 55 60 +5

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 14.6MB 14.6MB -2.0B
Unknown metric groups

API count

id before after diff
@kbn/securitysolution-utils 63 69 +6

History

cc @e40pud

Copy link
Member

@P1llus P1llus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on the server/lib/siem_migrations changes 👍

Copy link
Contributor

@maximpn maximpn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

errors: EditorError[];
isEsqlQueryAggregating: boolean;
hasMetadataOperator: boolean;
}

/**
* check if esql query valid for Security rule:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It'd be nice to have a bit more elaborated comment to describe what this function does. And why it should be used instead of parse from @kbn/esql-ast. It doesn't only checks query for validity but also checks whether an ES|QL query is aggregating and/or having a METADATA operator.

@e40pud e40pud merged commit efb7890 into elastic:main Dec 5, 2024
8 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12176628334

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 5, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit efb7890)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 5, 2024
…;@kbn/securitysolution-utils&#x60; package (#202772) (#203053)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Move ES|QL parsing functionality into
&#x60;@kbn/securitysolution-utils&#x60; package
(#202772)](#202772)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ievgen
Sorokopud","email":"ievgen.sorokopud@elastic.co"},"sourceCommit":{"committedDate":"2024-12-05T09:12:32Z","message":"[Security
Solution] Move ES|QL parsing functionality into
`@kbn/securitysolution-utils` package (#202772)\n\n##
Summary\r\n\r\nWith this PR we move existing `parseEsqlQuery` method
into a shared\r\nsecurity solution utils package. We need to the same
functionality in\r\n\"SIEM migrations\" feature. Previously we
duplicated the code in
[this\r\nPR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)\r\nand
these are the follow-up changes to make parsing functionality
shared\r\nfor easier re-use within security solution.\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"efb7890efeb6337cc4665eeeecf6129759294c59","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat
Hunting","Team: SecuritySolution","backport:prev-minor","Team:Detection
Engine"],"title":"[Security Solution] Move ES|QL parsing functionality
into `@kbn/securitysolution-utils`
package","number":202772,"url":"https://github.com/elastic/kibana/pull/202772","mergeCommit":{"message":"[Security
Solution] Move ES|QL parsing functionality into
`@kbn/securitysolution-utils` package (#202772)\n\n##
Summary\r\n\r\nWith this PR we move existing `parseEsqlQuery` method
into a shared\r\nsecurity solution utils package. We need to the same
functionality in\r\n\"SIEM migrations\" feature. Previously we
duplicated the code in
[this\r\nPR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)\r\nand
these are the follow-up changes to make parsing functionality
shared\r\nfor easier re-use within security solution.\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"efb7890efeb6337cc4665eeeecf6129759294c59"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202772","number":202772,"mergeCommit":{"message":"[Security
Solution] Move ES|QL parsing functionality into
`@kbn/securitysolution-utils` package (#202772)\n\n##
Summary\r\n\r\nWith this PR we move existing `parseEsqlQuery` method
into a shared\r\nsecurity solution utils package. We need to the same
functionality in\r\n\"SIEM migrations\" feature. Previously we
duplicated the code in
[this\r\nPR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)\r\nand
these are the follow-up changes to make parsing functionality
shared\r\nfor easier re-use within security solution.\r\n\r\n###
Checklist\r\n\r\nCheck the PR satisfies following conditions.
\r\n\r\nReviewers should verify this PR satisfies this list as
well.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"efb7890efeb6337cc4665eeeecf6129759294c59"}}]}]
BACKPORT-->

Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 9, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Samiul-TheSoccerFan pushed a commit to Samiul-TheSoccerFan/kibana that referenced this pull request Dec 10, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
mykolaharmash pushed a commit to mykolaharmash/kibana that referenced this pull request Dec 11, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared
security solution utils package. We need to the same functionality in
"SIEM migrations" feature. Previously we duplicated the code in [this
PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54)
and these are the follow-up changes to make parsing functionality shared
for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes Team:Detection Engine Security Solution Detection Engine Area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants