Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.11] [Security Solution][Bug] Render esql tab only when needed (#173484) #173640

Merged
merged 6 commits into from
Jan 3, 2024
Merged

[8.11] [Security Solution][Bug] Render esql tab only when needed (#173484) #173640

merged 6 commits into from
Jan 3, 2024

Conversation

michaelolo24
Copy link
Contributor

@michaelolo24 michaelolo24 commented Dec 19, 2023
edited
Loading

Backport

This will backport the following commits from main to 8.11:

**NOTE: ** Requires a review due to the removal of the isEsqlSettingEnabled check which was introduced in 8.12, but is only utilized for serverless. Fyi @semd

DEMO:

Screen.Recording.2023-12-28.at.12.14.42.PM.mov

Questions ?

Please refer to the Backport tool documentation

\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sqren/backport)\n\n\n\nCo-authored-by: Sergi Massaneda "}},{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com//pull/173484","number":173484,"mergeCommit":{"message":"[Security Solution][Bug] Render esql tab only when needed (#173484)\n\n## Summary\r\n\r\nRenders ES|QL tab only when it is visible, so ES|QL queries are not\r\ntriggered only by having the Timeline bottom bar available.","sha":"f9f22d5d554a14e8cd215caa3fe11fb3ea82acc3"}},{"branch":"8.11","label":"v8.11.4","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->

@semd
[Security Solution][Bug] Render esql tab only when needed (elastic#17…
a14cf29 
…3484)

## Summary

Renders ES|QL tab only when it is visible, so ES|QL queries are not
triggered only by having the Timeline bottom bar available.

(cherry picked from commit f9f22d5)

# Conflicts:
#	x-pack/plugins/security_solution/public/timelines/components/timeline/tabs_content/index.tsx
@michaelolo24 michaelolo24 enabled auto-merge (squash) December 19, 2023 14:41
@michaelolo24 michaelolo24 mentioned this pull request Dec 19, 2023
Merged
@elasticmachine
Copy link
Contributor

CI was triggered for this PR, but this PR targets 8.11 which should not receive a future release. CI is not supported for these branches. Please consult the release schedule, or contact #kibana-operations if you believe this is an error.

The following branches are currently considered to be open:

  • main
  • 8.12
  • 7.17

@michaelolo24
Copy link
Contributor Author

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

CI was triggered for this PR, but this PR targets 8.11 which should not receive a future release. CI is not supported for these branches. Please consult the release schedule, or contact #kibana-operations if you believe this is an error.

The following branches are currently considered to be open:

  • main
  • 8.12
  • 7.17

@michaelolo24 michaelolo24 requested a review from semd December 26, 2023 19:31
@michaelolo24
Copy link
Contributor Author

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

CI was triggered for this PR, but this PR targets 8.11 which should not receive a future release. CI is not supported for these branches. Please consult the release schedule, or contact #kibana-operations if you believe this is an error.

The following branches are currently considered to be open:

  • main
  • 8.12
  • 7.17

@ghost
Copy link

ghost commented Jan 2, 2024

@MadameSheema please find below observation for this issue . currently we are getting bsearch network logs

Screen.Recording.2024-01-02.at.11.45.38.AM.mov

image

image

HAR Files shared over mail as it may contains sensitive information.

@MadameSheema
Copy link
Member

Thanks @karanbirsingh-qasource please note the following:

  • The original issue was introduced because the query of ES|QL tab is executed even when the tab was not directly opened
  • The overall issue is fixed by different PRs
  • The fix introduced by this PR is to DON'T execute ES|QL tab when the tab is not selected
  • Hence the described behaviour in the ticket is expected when the ES|QL tab is opened.

To make sure this PR works as expected we need to:

  • Navigate to a page where you have the tiemeline in the bottom of the page i.e.: alerts page and make sure no bsearch call with a payload containing strategy: "esql".

Can you please recheck and make sure the bsearch call is not executed? Thanks! :)

@ghost
Copy link

ghost commented Jan 2, 2024

thanks @MadameSheema for clearning it and we have checked the network and no payload with strategy: "esql" was present in bsearch network log

image

payload:

{
  "batch": [
    {
      "request": {
        "featureIds": [
          "siem"
        ],
        "fields": [
          {
            "field": "@timestamp",
            "include_unmapped": true
          },
          {
            "field": "kibana.alert.rule.name",
            "include_unmapped": true
          },
          {
            "field": "kibana.alert.severity",
            "include_unmapped": true
          },
          {
            "field": "kibana.alert.risk_score",
            "include_unmapped": true
          },
          {
            "field": "kibana.alert.reason",
            "include_unmapped": true
          },
          {
            "field": "host.name",
            "include_unmapped": true
          },
          {
            "field": "host.risk.calculated_level",
            "include_unmapped": true
          },
          {
            "field": "user.name",
            "include_unmapped": true
          },
          {
            "field": "user.risk.calculated_level",
            "include_unmapped": true
          },
          {
            "field": "process.name",
            "include_unmapped": true
          },
          {
            "field": "file.name",
            "include_unmapped": true
          },
          {
            "field": "source.ip",
            "include_unmapped": true
          },
          {
            "field": "destination.ip",
            "include_unmapped": true
          }
        ],
        "pagination": {
          "pageSize": 10,
          "pageIndex": 0
        },
        "query": {
          "bool": {
            "filter": {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "2024-01-01T18:30:00.000Z",
                        "lte": "2024-01-02T18:29:59.999Z",
                        "format": "strict_date_optional_time"
                      }
                    }
                  }
                ],
                "should": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ]
              }
            }
          }
        },
        "runtimeMappings": {},
        "sort": [
          {
            "@timestamp": {
              "order": "desc"
            }
          }
        ]
      },
      "options": {
        "strategy": "privateRuleRegistryAlertsSearchStrategy",
        "isSearchStored": false,
        "executionContext": {
          "type": "application",
          "name": "securitySolutionUI",
          "url": "/app/security/alerts",
          "page": "/alerts"
        }
      }
    }
  ]
}

@spong spong mentioned this pull request Jan 2, 2024
Merged
@spong
Copy link
Member

spong commented Jan 2, 2024
edited
Loading

FYI, in backporting #174029 (comment) to 8.11, there were conflicts and the backport tool had mentioned to ensure this was merged before proceeding. The changes now include isEsqlSettingsEnabled flag which were included, which I don't think is correct, so could you confirm @michaelolo24 ? I was just trying to help out here since @logeekal is on holiday and #174029 needed my review, but looks like this need to be merged and the disable FF backport updated to remove isEsqlSettingEnabled as well.

@spong spong mentioned this pull request Jan 2, 2024
Merged
@spong
Copy link
Member

spong commented Jan 2, 2024

@elasticmachine merge upstream

@elasticmachine
Copy link
Contributor

CI was triggered for this PR, but this PR targets 8.11 which should not receive a future release. CI is not supported for these branches. Please consult the release schedule, or contact #kibana-operations if you believe this is an error.

The following branches are currently considered to be open:

  • main
  • 8.12
  • 7.17

@spong
Copy link
Member

spong commented Jan 2, 2024

/ci

@elasticmachine
Copy link
Contributor

CI was triggered for this PR, but this PR targets 8.11 which should not receive a future release. CI is not supported for these branches. Please consult the release schedule, or contact #kibana-operations if you believe this is an error.

The following branches are currently considered to be open:

  • main
  • 8.12
  • 7.17

spong added a commit to spong/kibana that referenced this pull request Jan 2, 2024
@spong
Update index.tsx
1770d51 
Resolving conflicts as detailed from elastic#173640
@jbudz
Copy link
Member

jbudz commented Jan 2, 2024

buildkite test this

@kibana-ci
Copy link
Collaborator

kibana-ci commented Jan 2, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.0MB 13.0MB +35.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@PhilippeOberti PhilippeOberti merged commit be6013d into elastic:8.11 Jan 3, 2024
24 of 28 checks passed
@PhilippeOberti PhilippeOberti mentioned this pull request Jan 5, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PhilippeOberti PhilippeOberti PhilippeOberti approved these changes

@semd semd Awaiting requested review from semd

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@michaelolo24 @elasticmachine @MadameSheema @spong @jbudz @kibana-ci @PhilippeOberti @semd @kibanamachine