[SecuritySolution][PrivMon] Rewrite dashboard queries to use FORK #223212
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
Code LGTM, thanks for the comments explaining the intricacies of FORK 👍🏽
💚 Build Succeeded
cc @machadoum
…astic#223212)

## Summary

### What is included?

* Improves the auth dashboard to display system events
* Add data view index patterns as visualisations index
* Move ESQL query generation to a shared folder
* Parse ESQL query and validate if fields exist in the dataview
* Rewrite the ESQL query if a FORK command has missing fields
* Add a visualisation warning message when there is no valid FORK branch

### Pros

* To be able to render parts of the query depending on whether indices or fields exist in the cluster
* The queries become much easier to read, maintain and fix

### Cons

* We need to test the performance
* FORK is in tech preview
* The commands we can use in a fork are limited to "WHERE, LIMIT, SORT, EVAL, STATS, DISSECT"

### How to test it?

* Open the dashboard without privmon data; some of the visualisations should display the warning message
* Add privmon data; the visualisation should display the data (elastic/security-documents-generator#163)
* Check if the visualisation displays the correct data.
* To test if the FORK rewrite logic is working, I update the queries on my local environment to use a non-existent field and update the page.

### Checklist

Check the PR satisfies the following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
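As an added illustration of the rewrite step the summary describes (example code written for this page, not the Kibana implementation from the PR), the TypeScript below keeps only the FORK branches whose field references exist in the data view and returns null when no branch survives, which is where the dashboard would show its warning instead. The ES|QL `FORK ( branch ) ( branch )` syntax and the simplified field extractor are assumptions of this example.

```typescript
// Added example (not Kibana's own code): drop the FORK branches whose fields
// are missing from the data view, as the PR summary describes. Assumptions:
// ES|QL syntax `FORK ( branch ) ( branch ) | ...`, and a simplified field
// extractor (string literals, function names, keywords and `=` aliases are skipped).
export interface ForkRewrite { query: string; droppedBranches: string[] }

const KEYWORDS = new Set(['where', 'limit', 'sort', 'eval', 'stats', 'dissect', 'by', 'and',
  'or', 'not', 'asc', 'desc', 'nulls', 'first', 'last', 'like', 'in', 'is', 'null', 'true', 'false']);

// Split the text after FORK into its top-level "( ... )" branches; `rest` is the
// remainder of the pipeline after the FORK command (possibly empty).
export function splitForkBranches(body: string): { branches: string[]; rest: string } {
  const branches: string[] = [];
  let depth = 0, start = 0, i = 0;
  for (; i < body.length; i++) {
    const ch = body[i];
    if (ch === '(') { if (depth++ === 0) start = i + 1; }
    else if (ch === ')') { if (--depth === 0) branches.push(body.slice(start, i).trim()); }
    else if (ch === '|' && depth === 0) break; // first top-level pipe ends the FORK
  }
  return { branches, rest: body.slice(i).trim() };
}

// Field names referenced by one branch (simplified extractor, see header comment).
export function branchFields(branch: string): Set<string> {
  const stripped = branch.replace(/"[^"]*"/g, '""').replace(/\b[A-Za-z_]+\s*\(/g, '(');
  const aliases = new Set<string>();                      // `name = expr` in EVAL/STATS
  const aliasRe = /([A-Za-z_@][\w.@]*)\s*=(?!=)/g;
  for (let a = aliasRe.exec(stripped); a; a = aliasRe.exec(stripped)) aliases.add(a[1]);
  const ids = stripped.match(/[A-Za-z_@][\w.@]*/g) ?? [];
  return new Set(ids.filter((id) => !KEYWORDS.has(id.toLowerCase()) && !aliases.has(id)));
}

// Returns the rewritten query, or null when no branch survives (the dashboard then
// shows its "no valid FORK branch" warning instead of running the query).
export function rewriteFork(query: string, dataViewFields: Set<string>): ForkRewrite | null {
  const m = /\bFORK\b/i.exec(query);
  if (!m) return { query, droppedBranches: [] };          // nothing to rewrite
  const { branches, rest } = splitForkBranches(query.slice(m.index + m[0].length));
  const kept: string[] = [], droppedBranches: string[] = [];
  for (const b of branches) {
    const missing = Array.from(branchFields(b)).some((f) => !dataViewFields.has(f));
    (missing ? droppedBranches : kept).push(b);
  }
  if (kept.length === 0) return null;
  const fork = `FORK ${kept.map((b) => `(${b})`).join(' ')}`;
  return { query: `${query.slice(0, m.index)}${fork}${rest ? ' ' + rest : ''}`, droppedBranches };
}
```

The returned `droppedBranches` is what a visualisation could surface next to its warning so an analyst can see which part of the query was skipped and why.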