
[9.0][Deprecations][Detection Engine] Square brackets '[]' need to be removed in FROM METADATA declaration #196988

Closed
yctercero opened this issue Oct 21, 2024 · 4 comments · Fixed by #196991
Labels
Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v9.0.0

Comments

yctercero commented Oct 21, 2024

Parent ticket - https://github.com/elastic/kibana-team/issues/1173

Summary

Address API deprecations ahead of 9.0:

  • x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts
Elasticsearch deprecation: 299 Elasticsearch-9d3fc35316c008f2fa637c73d93ebc9df81f20e4 Line 1:20: Square brackets '[]' need to be removed in FROM METADATA declaration
Stack trace:
    at KibanaTransport.request (kibana/node_modules/@elastic/transport/lib/Transport.js:651:20)
    at KibanaTransport.request (kibana/node_modules/@kbn/core-elasticsearch-client-server-internal/src/create_transport.js:60:16)
    at search (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql_request.js:21:27)
    at performEsqlRequest (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql_request.js:37:11)
    at kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql.js:96:26
    at kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:383:33
    at executor (kibana/node_modules/@kbn/rule-registry-plugin/server/utils/create_persistence_rule_type_wrapper.js:187:22)
    at runExecutors (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_preview/api/preview_rules/route.js:184:15)
    at Object.fn (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_preview/api/preview_rules/route.js:327:11)
    at kibana/node_modules/@kbn/core-http-router-server-internal/src/versioned_router/core_versioned_route.js:113:24
    at Router.handle (kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:214:30)
    at handler (kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:138:50)
    at exports.Manager.execute (kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (kibana/node_modules/@hapi/hapi/lib/request.js:370:32)
    at Request._execute (kibana/node_modules/@hapi/hapi/lib/request.js:280:9)
Query:
200
POST /_query
{query:from ecs_compliant [metadata _id] | where id==cb8b08af-e524-4b96-987a-46c981ee1991 | keep _id, agent.name | limit 101,filter:{bool:{filter:[{range:{@timestamp:{lte:2020-10-28T06:30:00.000Z,gte:2020-10-28T05:30:00.000Z,format:strict_date_optional_time}}},{bool:{must:[],filter:[],should:[],must_not:[]}}]}}}
  • x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/ess.config.ts
Elasticsearch deprecation: 299 Elasticsearch-9.0.0-5bf446ea2e10aac093f0e02dd123db39466b6c56 Line 1:20: Square brackets '[]' need to be removed in FROM METADATA declaration
Stack trace:
    at KibanaTransport.request (kibana/node_modules/@elastic/transport/lib/Transport.js:651:20)
    at KibanaTransport.request (kibana/node_modules/@kbn/core-elasticsearch-client-server-internal/src/create_transport.js:60:16)
    at search (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql_request.js:21:27)
    at performEsqlRequest (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql_request.js:37:11)
    at kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/esql/esql.js:96:26
    at kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:383:33
    at executor (kibana/node_modules/@kbn/rule-registry-plugin/server/utils/create_persistence_rule_type_wrapper.js:187:22)
    at runExecutors (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_preview/api/preview_rules/route.js:184:15)
    at Object.fn (kibana/node_modules/@kbn/security-solution-plugin/server/lib/detection_engine/rule_preview/api/preview_rules/route.js:327:11)
    at kibana/node_modules/@kbn/core-http-router-server-internal/src/versioned_router/core_versioned_route.js:113:24
    at Router.handle (kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:214:30)
    at handler (kibana/node_modules/@kbn/core-http-router-server-internal/src/router.js:138:50)
    at exports.Manager.execute (kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (kibana/node_modules/@hapi/hapi/lib/request.js:370:32)
    at Request._execute (kibana/node_modules/@hapi/hapi/lib/request.js:280:9)
Query:
200
POST /_query
{query:from ecs_compliant [metadata _id] | where id==f26f675c-b52f-4f17-a63a-89632b199d42 | keep _id, agent.name | limit 101,filter:{bool:{filter:[{range:{@timestamp:{lte:2020-10-28T06:30:00.000Z,gte:2020-10-28T05:30:00.000Z,format:strict_date_optional_time}}},{bool:{must:[],filter:[],should:[],must_not:[]}}]}}}
@yctercero yctercero added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team v9.0.0 labels Oct 21, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero

I think this PR will address this issue - #196991 (comment)

stratoula added a commit that referenced this issue Oct 31, 2024
## Summary
Hello, this PR addresses the deprecation of square brackets in FROM
METADATA declarations in Elasticsearch queries, in preparation for
Elasticsearch 9.0. Closes #196988

The changes involve removing square brackets around metadata fields
(e.g., `[metadata _id]` becomes `metadata _id`) across various parts of
the codebase. No functional changes to the UE, only internal query
syntax updates.

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)
- [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Stratoula Kalafateli <[email protected]>
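As an added example (not Kibana's or Elastic's code), a small TypeScript helper that flags and rewrites the deprecated bracketed `[METADATA ...]` form reported in the issue above and implemented by the PR, and parses the `299 Elasticsearch-<version> Line L:C: <message>` warning line so a test run or log monitor can fail on it; the sample query and warning strings are constructed from the ones quoted in the issue.

```typescript
// Added example, not part of Kibana. Handles the ES|QL syntax change behind
// this issue: `FROM idx [METADATA _id]` is deprecated and Elasticsearch 9.0
// expects `FROM idx METADATA _id` instead.

// Matches `[METADATA _id, _index]` (any case, flexible whitespace).
const BRACKETED_METADATA = /\[\s*(metadata\b[^\]]*)\]/gi;

/** True when a query still uses the bracketed form Elasticsearch 9.0 rejects. */
function hasDeprecatedMetadataSyntax(query: string): boolean {
  // Fresh non-global regex so `test` is not affected by a stale lastIndex.
  return new RegExp(BRACKETED_METADATA.source, "i").test(query);
}

/** Rewrites `[metadata _id]` to `metadata _id`; other brackets are untouched. */
function stripMetadataBrackets(query: string): string {
  return query.replace(BRACKETED_METADATA, (_m, inner: string) => inner.trim());
}

interface EsDeprecation {
  version: string; // e.g. "9.0.0-5bf446ea..." or a bare build hash
  line: number;
  column: number;
  message: string;
}

// Parses the `299 Elasticsearch-<ver> Line L:C: <message>` warning text seen
// in the issue (the HTTP Warning header value, with or without its quotes).
const WARNING_RE = /^299\s+Elasticsearch-(\S+)\s+"?Line (\d+):(\d+):\s*(.+?)"?$/;

function parseEsDeprecation(header: string): EsDeprecation | null {
  const m = WARNING_RE.exec(header.trim());
  if (!m) return null;
  return { version: m[1], line: Number(m[2]), column: Number(m[3]), message: m[4] };
}

// Constructed samples mirroring the query and warning quoted in the issue.
// Column 20 of the query is the offending `[`, which is what the warning points at.
const SAMPLE_QUERY =
  "from ecs_compliant [metadata _id] | where id==cb8b08af-e524-4b96-987a-46c981ee1991 | keep _id, agent.name | limit 101";
const SAMPLE_WARNING =
  "299 Elasticsearch-9.0.0-5bf446ea2e10aac093f0e02dd123db39466b6c56 Line 1:20: Square brackets '[]' need to be removed in FROM METADATA declaration";

const warning = parseEsDeprecation(SAMPLE_WARNING);
if (warning && hasDeprecatedMetadataSyntax(SAMPLE_QUERY)) {
  console.log(`deprecated syntax at ${warning.line}:${warning.column}: ${warning.message}`);
  console.log(`rewritten: ${stripMetadataBrackets(SAMPLE_QUERY)}`);
}
```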