[Security] [Maps] Network Map fails to create layers for Kibana Index Patterns containing multiple indices or exclusions #70914
Labels: bug, Team: SecuritySolution, Team:SIEM, Team:Threat Hunting
Comments
spong added the bug, Team:Geo (deprecated; now Team:Presentation) and Team:SIEM labels on Jul 7, 2020
Pinging @elastic/kibana-gis (Team:Geo)

Pinging @elastic/siem (Team:SIEM)
MadameSheema added the Team:Threat Hunting label and removed the Team:Geo label on Oct 7, 2020
@spong to confirm the results we want...

Case 1:

Case 2:

Case 3:
Fixed by this PR: #80208

Merged, going to unassign myself and mark this as fixed 👍

Assigning to @MadameSheema to confirm fix!
MindyRS added the Team: SecuritySolution label on Oct 27, 2020
@stephmilovic we need to continue working on this issue :)
As part of #52565 (and fix), support was added for pattern matching Kibana Index Patterns against `securitySolution:defaultIndex` when generating layers for the Network Map. What this implementation doesn't take into account is that Kibana Index Patterns can contain multiple comma-separated Elasticsearch indices, e.g. `filebeat-*,auditbeat-*`, and with CCS + wildcards as `*:filebeat-*,*:auditbeat-*`, or even CCS + wildcards + exclusions as `*:filebeat-*,-*:filebeat-7.6.0*`.

This affects both the Elastic Security implementation as well as the Maps implementation (cc @nreese), since they use the non-split Kibana Index Pattern `title` as the pattern and the split `securitySolution:defaultIndex` as the `path`.

As example, for the given:

securitySolution:defaultIndex: `cluster2:filebeat-*, cluser1:auditbeat-*`

Kibana Index Pattern: `*:filebeat-*,*:auditbeat-*`

The matching sequence would be:

which would result in no matches, and thus no generated map layers.

If we were to comma split the Kibana Index Pattern `title`, use each of those as the `pattern` and remove the duplicate matches, we should then create layers for the correct Kibana Index Patterns that exist. Note: this would need to include logic for the exclusion case as well, which could be done using a filter on matched `paths` against patterns with a leading `-`.

This behavior is present since v7.6.0.
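The split-and-match approach proposed above, written out as an added example (this is not Kibana's own code; the `KibanaIndexPattern` shape, the `wildcardToRegExp` helper and the cluster names in the sample input are assumptions):

```typescript
// Added example, not Kibana code: split a Kibana Index Pattern title on commas,
// match each sub-pattern against the securitySolution:defaultIndex entries,
// de-duplicate the matches, and honour sub-patterns with a leading '-' as exclusions.

// Hypothetical minimal shape of a Kibana Index Pattern (only the fields used here).
interface KibanaIndexPattern { id: string; title: string; }

// Convert a wildcard pattern such as "*:filebeat-*" into an anchored RegExp.
// Only '*' is a wildcard; every other character is matched literally.
function wildcardToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split('*')
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// Split a comma-separated setting or title, trimming whitespace and dropping empties.
function splitList(value: string): string[] {
  return value.split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// Return the defaultIndex paths matched by one Kibana Index Pattern title.
// Inclusion sub-patterns add paths; '-'-prefixed sub-patterns remove them again.
// A Set de-duplicates paths matched by more than one sub-pattern.
function matchPaths(title: string, defaultIndex: string): string[] {
  const include: RegExp[] = [];
  const exclude: RegExp[] = [];
  for (const sub of splitList(title)) {
    if (sub.startsWith('-')) exclude.push(wildcardToRegExp(sub.slice(1)));
    else include.push(wildcardToRegExp(sub));
  }
  const matched = new Set<string>();
  for (const path of splitList(defaultIndex)) {
    if (include.some(re => re.test(path)) && !exclude.some(re => re.test(path))) {
      matched.add(path);
    }
  }
  return Array.from(matched);
}

// Keep only the Kibana Index Patterns that match at least one configured path;
// these are the ones that should get a Network Map layer.
function selectIndexPatternsForLayers(kips: KibanaIndexPattern[], defaultIndex: string): KibanaIndexPattern[] {
  return kips.filter(kip => matchPaths(kip.title, defaultIndex).length > 0);
}

// Constructed sample input mirroring the issue (cluster names are made up).
const sampleDefaultIndex = 'cluster2:filebeat-*, cluster1:auditbeat-*';
console.log(matchPaths('*:filebeat-*,*:auditbeat-*', sampleDefaultIndex));
```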