[Security Solution] Move ES|QL parsing functionality into `@kbn/securitysolution-utils` package #202772
Conversation
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Pinging @elastic/security-solution (Team: SecuritySolution)
💛 Build succeeded, but was flaky
cc @e40pud
LGTM on the server/lib/siem_migrations changes 👍
LGTM
errors: EditorError[]; | ||
isEsqlQueryAggregating: boolean; | ||
hasMetadataOperator: boolean; | ||
} | ||
|
||
/** | ||
* check if esql query valid for Security rule: |
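Review bot: the doc comment that begins `* check if esql query valid for Security rule:` undersells the function; the returned shape also carries `isEsqlQueryAggregating` and `hasMetadataOperator`, so the comment should state all three outputs and why callers should prefer this helper over a bare parse, otherwise the extra flags are easy to overlook at call sites.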
nit: It'd be nice to have a bit more elaborate comment to describe what this function does, and why it should be used instead of `parse` from `@kbn/esql-ast`. It doesn't only check the query for validity but also checks whether an ES|QL query is aggregating and/or has a METADATA operator.
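The helper discussed in the review returns three facts about a query: parse errors, whether it aggregates, and whether it carries a METADATA operator. The following is an added example, not Kibana's code (which uses the parser from `@kbn/esql-ast`): a simplified checker that produces the same result shape by splitting on top-level pipes; the `checkEsqlQuery` name, the stand-in error type and the aggregating-command list are assumptions of this example.

```typescript
// Added example, not the Kibana code: a simplified stand-in for the
// parseEsqlQuery() result shape. Kibana's implementation uses the parser
// from @kbn/esql-ast; this version only splits the query on top-level pipes.

interface EsqlCheckResult {
  errors: string[]; // stand-in for EditorError[]
  isEsqlQueryAggregating: boolean;
  hasMetadataOperator: boolean;
}

// Commands that make a query aggregating (assumed list for this example).
const AGGREGATING_COMMANDS = new Set(['stats']);
const SOURCE_COMMANDS = new Set(['from', 'row', 'show']); // valid first commands

// Split on pipes that are not inside a double-quoted string literal.
function splitCommands(query: string): string[] {
  const parts: string[] = [];
  let current = '';
  let inString = false;
  for (const ch of query) {
    if (ch === '"') inString = !inString;
    if (ch === '|' && !inString) {
      parts.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts;
}

// Hypothetical name; returns the same three facts as the helper under review.
function checkEsqlQuery(query: string): EsqlCheckResult {
  const errors: string[] = [];
  const commands = splitCommands(query);
  const names = commands.map((c) => c.split(/\s+/)[0].toLowerCase());
  const first = names[0] ?? '';
  if (!SOURCE_COMMANDS.has(first)) {
    errors.push(`query must start with a source command, got "${first}"`);
  }
  commands.forEach((c, i) => {
    if (c === '') errors.push(`empty command at position ${i}`);
  });
  const isEsqlQueryAggregating = names.some((n) => AGGREGATING_COMMANDS.has(n));
  // METADATA is an option of the FROM source command, e.g. FROM logs-* METADATA _id
  const hasMetadataOperator = first === 'from' && /\bmetadata\b/i.test(commands[0] ?? '');
  return { errors, isEsqlQueryAggregating, hasMetadataOperator };
}
```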
Starting backport for target branches: 8.x
…itysolution-utils` package (elastic#202772)

## Summary

With this PR we move existing `parseEsqlQuery` method into a shared security solution utils package. We need the same functionality in "SIEM migrations" feature. Previously we duplicated the code in [this PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54) and these are the follow-up changes to make parsing functionality shared for easier re-use within security solution.

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit efb7890)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…;@kbn/securitysolution-utils` package (#202772) (#203053)

# Backport

This will backport the following commits from `main` to `8.x`:

- [[Security Solution] Move ES|QL parsing functionality into `@kbn/securitysolution-utils` package (#202772)](#202772)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
Summary

With this PR we move existing `parseEsqlQuery` method into a shared security solution utils package. We need the same functionality in the "SIEM migrations" feature. Previously we duplicated the code in [this PR](https://github.com/elastic/kibana/pull/202331/files#diff-b5f1a952a5e5a9685a4fef5d1f5a4c3b53ce338333e569bb6f92ccf2681100b7R54) and these are the follow-up changes to make parsing functionality shared for easier re-use within security solution.

Checklist

Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.