
Conversation

machadoum (Member) commented Jun 10, 2025

Summary

What is included?

  • Improves the auth dashboard to display system events
  • Add data view index patterns as visualisations index
  • Move ESQL query generation to a shared folder
  • Parse ESQL query and validate if fields exist in the dataview
  • Rewrite the ESQL query if a FORK command has missing fields
  • Add a visualisation warning message when there is no valid FORK branch

[Screenshot 2025-06-20 at 07 22 47]

Pros

  • To be able to render parts of the query depending on whether indices or fields exist in the cluster
  • The queries become much easier to read, maintain and fix

Cons

  • We need to test the performance
  • FORK is in tech preview
  • The commands we can use in a fork are limited to “WHERE, LIMIT, SORT, EVAL, STATS, DISSECT”

How to test it?

Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

@machadoum machadoum force-pushed the siem-ea-privmon-dashboards-improve-auth branch from d3c99f3 to 3149662 Compare June 10, 2025 10:51
@machadoum machadoum changed the title [SecuritySolution][PrivMon] Rewrite dashboard queries to use FORK [SecuritySolution][PrivMon] [SPIKE] Rewrite dashboard queries to use FORK Jun 10, 2025
@machadoum machadoum self-assigned this Jun 10, 2025
@machadoum machadoum force-pushed the siem-ea-privmon-dashboards-improve-auth branch from 919d2a1 to 5922872 Compare June 20, 2025 05:47
@machadoum machadoum changed the title [SecuritySolution][PrivMon] [SPIKE] Rewrite dashboard queries to use FORK [SecuritySolution][PrivMon] Rewrite dashboard queries to use FORK Jun 20, 2025
@machadoum machadoum marked this pull request as ready for review June 20, 2025 05:53
@machadoum machadoum requested a review from a team as a code owner June 20, 2025 05:53
@machadoum machadoum requested a review from CAWilson94 June 20, 2025 05:53
@machadoum machadoum added labels Jun 20, 2025: release_note:skip (Skip the PR/issue when compiling release notes), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Theme: entity_analytics, Feature:Entity Analytics (Security Solution Entity Analytics features), Team:Entity Analytics (Security Entity Analytics Team)
@elasticmachine (Contributor): Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor): Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

@machadoum machadoum added the backport:skip This PR does not require backporting label Jun 20, 2025
@tiansivive (Contributor) left a comment:

Code LGTM, thanks for the comments explaining the intricacies of FORK 👍🏽

@elasticmachine (Contributor)

💚 Build Succeeded

Metrics

Module Count (fewer modules leads to a faster build time)

id                before  after  diff
securitySolution  7672    7734   +62

Async chunks (total size of all lazy-loaded chunks that will be downloaded as the user navigates the app)

id                before  after  diff
securitySolution  9.4MB   9.8MB  ⚠️ +397.3KB

cc @machadoum

@machadoum machadoum merged commit 85ba636 into elastic:main Jun 24, 2025
11 checks passed
akowalska622 pushed a commit to akowalska622/kibana that referenced this pull request Jun 25, 2025
…astic#223212)

## Summary


### What is included?
* Improves the auth dashboard to display system events
* Add data view index patterns as visualisations index
* Move ESQL query generation to a shared folder
* Parse ESQL query and validate if fields exist in the dataview
* Rewrite the ESQL query if a FORK command has missing fields
* Add a visualisation warning message when there is no valid FORK branch

![Screenshot 2025-06-20 at 07 22 47](https://github.com/user-attachments/assets/3ff85561-33b6-4f40-8037-4e983d6e4057)


### Pros
* To be able to render parts of the query depending on whether indices
or fields exist in the cluster
* The queries become much easier to read, maintain and fix

### Cons
* We need to test the performance
* FORK is in tech preview
* The commands we can use in a fork are limited to “WHERE, LIMIT, SORT,
EVAL, STATS, DISSECT”

### How to test it?
* Open the dashboard without privmon data, some of the visualisations
should display the warning message
* Add privmon data, the visualisation should display the data
(elastic/security-documents-generator#163)
* Check if the visualisation displays the correct data.
* To test if the FORK rewrite logic is working, I update the queries on
my local environment to use a non-existent field and update the page.


### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
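The FORK-rewrite step the summary describes (parse the ES|QL query, check each FORK branch's fields against the data view, drop branches with missing fields, and show a warning when no branch survives), as an added TypeScript example that is not the PR's or Kibana's own code. It assumes a single FORK command with parenthesised branches separated by whitespace, fields referenced as bare identifiers, and no parentheses inside string literals; a regex scan stands in for the real ES|QL parser, and the sample query and field list are constructed.

```typescript
// Added example, not Kibana/PrivMon code: a simplified stand-in for the PR's
// "drop FORK branches whose fields are missing from the data view" step.
// Assumptions: one FORK command, branches in parentheses separated by
// whitespace, fields referenced as bare identifiers, no parentheses inside
// string literals. A regex scan replaces the real ES|QL parser.

interface ForkRewrite {
  query: string;             // rewritten query (unchanged when nothing was dropped)
  keptBranches: string[];    // branches whose fields all exist in the data view
  droppedBranches: string[]; // branches that referenced at least one unknown field
  missingFields: string[];   // the unknown fields that caused the drops
  hasValidBranch: boolean;   // false => render the warning instead of the visualisation
}

// Command and operator keywords of the FORK-compatible subset; never field names.
const KEYWORDS = new Set([
  'WHERE', 'LIMIT', 'SORT', 'EVAL', 'STATS', 'DISSECT', 'BY', 'AND', 'OR', 'NOT',
  'ASC', 'DESC', 'NULLS', 'FIRST', 'LAST', 'IS', 'NULL', 'LIKE', 'RLIKE', 'IN',
  'TRUE', 'FALSE',
]);

// Fields a branch reads from the index. Identifiers followed by "(" are
// function calls; identifiers followed by a single "=" are aliases defined by
// EVAL/STATS and are excluded even where the branch reads them later.
function referencedFields(branch: string): string[] {
  const noStrings = branch.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const reads = new Set<string>();
  const defined = new Set<string>();
  // First alternative swallows numeric tokens such as 1d so "d" is not a field.
  const re = /\d[\w.]*|([A-Za-z_@][\w.@]*)\s*(\(|==|=)?/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(noStrings)) !== null) {
    const ident = m[1];
    const follow = m[2];
    if (ident === undefined || KEYWORDS.has(ident.toUpperCase()) || follow === '(') continue;
    if (follow === '=') defined.add(ident);
    else reads.add(ident);
  }
  return [...reads].filter((f) => !defined.has(f));
}

// Split "<head> FORK (b1) (b2) ... <tail>" into its parts; null if no FORK.
function splitFork(query: string): { head: string; branches: string[]; tail: string } | null {
  const idx = query.search(/\bFORK\b/i);
  if (idx < 0) return null;
  const branches: string[] = [];
  let pos = idx + 'FORK'.length;
  for (;;) {
    while (pos < query.length && /\s/.test(query[pos])) pos++;
    if (query[pos] !== '(') break;
    const start = pos;
    let depth = 0;
    for (; pos < query.length; pos++) {
      if (query[pos] === '(') depth++;
      else if (query[pos] === ')' && --depth === 0) { pos++; break; }
    }
    branches.push(query.slice(start + 1, pos - 1).trim());
  }
  return { head: query.slice(0, idx).trimEnd(), branches, tail: query.slice(pos).trim() };
}

// Keep only branches whose fields exist; rebuild the query from the survivors.
// Only FORK branches are checked here; fields outside the FORK are not validated.
function rewriteForkQuery(query: string, knownFields: Iterable<string>): ForkRewrite {
  const known = new Set(knownFields);
  const fork = splitFork(query);
  if (fork === null) {
    return { query, keptBranches: [], droppedBranches: [], missingFields: [], hasValidBranch: true };
  }
  const kept: string[] = [];
  const dropped: string[] = [];
  const missing = new Set<string>();
  for (const branch of fork.branches) {
    const unknown = referencedFields(branch).filter((f) => !known.has(f));
    if (unknown.length === 0) kept.push(branch);
    else { dropped.push(branch); unknown.forEach((f) => missing.add(f)); }
  }
  const result = { keptBranches: kept, droppedBranches: dropped, missingFields: [...missing] };
  if (kept.length === 0) return { ...result, query, hasValidBranch: false };
  const rewritten = dropped.length === 0
    ? query
    : `${fork.head} FORK ${kept.map((b) => `(${b})`).join(' ')}${fork.tail ? ' ' + fork.tail : ''}`;
  return { ...result, query: rewritten, hasValidBranch: true };
}

// Constructed sample: one branch per authentication source, and a data view
// that only knows the ECS fields, so the Okta branch has to be dropped.
const SAMPLE_QUERY =
  'FROM logs-* | FORK (WHERE event.category == "authentication" | STATS auth = COUNT(*) BY user.name) ' +
  '(WHERE okta.event_type == "user.session.start" | STATS okta = COUNT(*) BY okta.actor.alternate_id) | LIMIT 10';
const SAMPLE_FIELDS = ['@timestamp', 'event.category', 'user.name'];

console.log(rewriteForkQuery(SAMPLE_QUERY, SAMPLE_FIELDS));
```

Running it against the sample prints a result with one kept branch, one dropped branch and `missingFields` listing the two Okta fields; passing a field list that knows none of the branch fields yields `hasValidBranch: false`, which is the case the dashboard turns into the warning message instead of a chart.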

Labels: backport:skip, Feature:Entity Analytics, release_note:skip, Team:Entity Analytics, Team: SecuritySolution, Theme: entity_analytics, v9.1.0
