
[SIEM] clipboard-copy when selecting a draggable field in Timeline #59472

Closed
mbarretta opened this issue Mar 5, 2020 · 5 comments · Fixed by #61207 or #63816
Labels
enhancement New value added to drive a business result Team:SIEM

Comments

@mbarretta

Describe the feature:
The value of a draggable field should automatically be copied to your clipboard when you click on it.

Describe a specific use case for the feature:
Currently, draggable fields have no easy way to copy their values:

  • Selecting by a click and using keyboard shortcuts (ctrl-c) doesn't work
  • Right-clicking a draggable field doesn't give you a copy option

The only way to get the text value of a draggable field is to drag it to the Timeline query builder, edit the resulting filter, and copy it there. This makes it hard to use those values in other Kibana apps or in external applications.

One example use would be finding the md5sum of some process in Timeline, then wanting to filter for that value in a dashboard.

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@MikePaquette

Thanks @mbarretta for raising this. There are indeed some inconsistencies and limitations in the copy-to-clipboard capabilities in SIEM that we need to address.

As a workaround, there are some cases where it does indeed work correctly using right-clicking. For example in the various SIEM widgets found in the Hosts and Network views in 7.6.0:

  • The SHA1 hash shown in the TLS widget.
  • The IP address in the IP details view.
  • The host.name field in the Hosts Event table.

In addition, the SIEM Timeline, Hosts Events table, Hosts External Alerts table, and Network External Alerts tables all have explicit copy-to-clipboard functions in their expanded views as shown here:

(screenshot)

Thanks again!

@MikePaquette MikePaquette added the enhancement New value added to drive a business result label Mar 6, 2020
@mbarretta mbarretta changed the title [SIEM] clipboard-copy when selecting a draggable field [SIEM] clipboard-copy when selecting a draggable field in Timeline Mar 9, 2020
@mbarretta
Author

@MikePaquette thank you for the response and pointing out the areas where clipboard-copy is implemented. I was working from the timeline, where there are fewer options outside of expanding the full record.

I updated the title to call out Timeline specifically.

As an aside, is the Timeline going to gain some type of integration with the rest of the Kibana search/filter bar so that the search/filter set there can be "reused" in other apps without having to rebuild the search?

@MikePaquette

Thanks @mbarretta

> As an aside, is the Timeline going to gain some type of integration with the rest of the Kibana search/filter bar so that the search/filter set there can be "reused" in other apps without having to rebuild the search?

If I understand your question correctly, this feature exists now. For example, if you save your query in the Timeline KQL bar (I just saved RUNDLL32)...

(screenshot)

You can use the same saved query across Kibana, say in Discover...

(screenshot)

Likewise, you can use a query you saved in Discover when using timeline, or when creating a SIEM signal detection rule.

andrew-goldstein added a commit to andrew-goldstein/kibana that referenced this issue Apr 16, 2020
![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif)

A new context menu with the following items has been added to all draggables:

- Filter for value
- Filter out value
- Show top _field name_
- Copy to Clipboard

as shown in the following animated gif:

![new-context-menu](https://user-images.githubusercontent.com/4459398/79173935-4dbd6880-7db6-11ea-9253-7746481e1b17.gif)

The _Filter for value_ context menu action adds the draggable to the global filter bar, which is applicable to all pages in the SIEM app, per the following animated gif:

![filter-in-value](https://user-images.githubusercontent.com/4459398/79176624-f91deb80-7dbd-11ea-9b01-799145d776c8.gif)

The _Filter out value_ context menu action adds the draggable to the global filter bar as a _negated_ (`NOT`) filter, per the following animated gif:

![filter-out-value](https://user-images.githubusercontent.com/4459398/79178474-9f6bf000-7dc2-11ea-9423-512ad7f89a18.gif)

The _Show top field_ context menu action displays an interactive Top 10 histogram, per the following animated gif:

![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif)

- The contents of the histogram are filtered by the global KQL bar / filters and current date range
- Brushing over the bars in the histogram updates the global date range / picker
- Select _Events_ or _Signals_
- The _Show top field_ action is also available in the Fields Browser, per the following animated gif:

![in-fields-browser](https://user-images.githubusercontent.com/4459398/79179548-1a360a80-7dc5-11ea-9ad7-cdd7fef0cc64.gif)

The _Copy to clipboard_ context menu action copies the draggable field and value to the clipboard in KQL format (e.g. `process.name: "nice"`).

Per the following animated gifs, it's now possible to copy _any_ draggable to the clipboard, and paste it in KQL format, which addresses [this feature request from a user](elastic#59472):

![copy-to-clipboard](https://user-images.githubusercontent.com/4459398/79178893-a7785f80-7dc3-11ea-868a-5d7bc2824912.gif)

![pasted-value](https://user-images.githubusercontent.com/4459398/79179126-2c637900-7dc4-11ea-92a7-86c7d6377688.gif)

You may now pivot from chart legends by dragging and dropping them to a timeline, or by selecting the Filter for / out context menu action, per the following animated gif:

![draggable-legend](https://user-images.githubusercontent.com/4459398/79179769-9deff700-7dc5-11ea-9153-b472914f2dfe.gif)

Desk tested in:

- Chrome `81.0.4044.92`
- Firefox `75.0`
- Safari `13.1`
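The commit message above describes three actions that all turn a draggable's field and value into KQL: Copy to Clipboard (`process.name: "nice"`), Filter for value (the same clause in the global filter bar) and Filter out value (the clause negated with `NOT`). The following TypeScript is an added example, not code from the Kibana pull request or the project: it builds those clauses and applies the escaping a KQL double-quoted string needs when the value itself contains `"` or `\` (which hunting data, being attacker-influenced, routinely does), then reads the clause back to confirm the value survives the round trip and that an unescaped value does not. The `Draggable` type, the function names and the sample values are assumptions constructed for the example.

```typescript
// Added example, not Kibana's own code: build the KQL clause that the
// "Copy to Clipboard", "Filter for value" and "Filter out value" actions
// produce from a draggable's field name and value. The quoting rule used
// (backslash-escape `\` and `"` inside a double-quoted value) is KQL's
// quoted-string syntax; the type and function names are assumptions.

interface Draggable {
  field: string; // e.g. "process.name"
  value: string; // the displayed value; in hunting data it is attacker-influenced
}

// Escape a value for use inside a double-quoted KQL string literal.
function escapeKqlValue(value: string): string {
  return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// "Copy to Clipboard" / "Filter for value": field: "value"
function toKqlClause(d: Draggable): string {
  return `${d.field}: "${escapeKqlValue(d.value)}"`;
}

// "Filter out value": the same clause, negated with NOT.
function toNegatedKqlClause(d: Draggable): string {
  return `NOT ${toKqlClause(d)}`;
}

// What plain string concatenation without escaping would produce (for contrast).
function naiveKqlClause(d: Draggable): string {
  return `${d.field}: "${d.value}"`;
}

interface ParsedClause { negated: boolean; field: string; value: string }

// Read back a clause of exactly the shape emitted above and recover the value.
// Returns null when the clause is malformed (unescaped quote, dangling escape).
// This checks the round trip only; it is not a general KQL parser.
function parseKqlClause(clause: string): ParsedClause | null {
  let rest = clause;
  let negated = false;
  if (rest.startsWith('NOT ')) { negated = true; rest = rest.slice(4); }
  const sep = rest.indexOf(': "');
  if (sep < 0 || !rest.endsWith('"') || rest.length < sep + 4) return null;
  const field = rest.slice(0, sep);
  const body = rest.slice(sep + 3, -1);
  let value = '';
  for (let i = 0; i < body.length; i++) {
    const c = body.charAt(i);
    if (c === '\\') {
      i++;
      if (i >= body.length) return null; // dangling escape
      value += body.charAt(i);
    } else if (c === '"') {
      return null; // unescaped quote: the literal ended early
    } else {
      value += c;
    }
  }
  return { negated, field, value };
}

// Constructed sample values (not taken from any real event).
const samples: Draggable[] = [
  { field: 'process.name', value: 'nice' },
  { field: 'process.args', value: 'cmd.exe /c "whoami"' },
  { field: 'process.executable', value: 'C:\\Windows\\System32\\rundll32.exe' },
];

for (const d of samples) {
  console.log(toKqlClause(d));
  console.log(toNegatedKqlClause(d));
}
```

The contrast worth keeping in mind when pasting copied values into another Kibana app: the escaped form of `cmd.exe /c "whoami"` parses back to the same value, while the naive concatenation ends the string literal at the first inner quote and `parseKqlClause` rejects it.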
andrew-goldstein added a commit that referenced this issue Apr 17, 2020
…eld, Copy to Clipboard, Draggable chart legends (#61207)

andrew-goldstein added a commit that referenced this issue Apr 17, 2020
…eld, Copy to Clipboard, Draggable chart legends (#61207) (#63816)

@andrew-goldstein
Contributor

Thanks again for your feedback @mbarretta!

This merged pull request adds the Copy to Clipboard hover action to all draggables in the SIEM app, including the Timeline. Per the details below, the field and value are copied in KQL format.

Copy to Clipboard

The Copy to Clipboard context menu action copies the draggable field and value to the clipboard in KQL format (e.g. process.name: "nice").

Per the following animated gifs, it's now possible to copy any draggable to the clipboard, and paste it in KQL format:

(animated gifs: copy-to-clipboard, pasted-value)
