[SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends #61207

andrew-goldstein · 2020-03-25T05:31:21Z

[SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends

Enhancements to the threat hunting experience

New draggable context menu

A new context menu with the following items has been added to all draggables:

Filter for value
Filter out value
Show top field name
Copy to Clipboard

as shown in the following animated gif:

Filter for value

The Filter for value context menu action adds the draggable to the global filter bar, which is applicable to all pages in the SIEM app, per the following animated gif:

Filter out value

The Filter out value context menu action adds the draggable to the global filter bar as a negated (NOT) filter, per the following animated gif:

Show top field

The Show top field context menu action displays an interactive Top 10 histogram, per the following animated gif:

The contents of the histogram are filtered by the global KQL bar / filters and current date range
Brushing over the bars in the histogram updates the global date range / picker
Select Events or Signals
The Show top field action is also available in the Fields Browser, per the following animated gif:

Copy to Clipboard

The Copy to clipboard context menu action copies the draggable field and value to the clipboard in KQL format (e.g. process.name: "nice").

Per the following animated gifs, it's now possible to copy any draggable to the clipboard, and paste it in KQL format, which addresses this feature request from a user:

Draggable chart legends

You may now pivot from chart legends by dragging and dropping them to a timeline, or by selecting the Filter for / out context menu action, per the following animated gif:

Desk testing

Desk tested in:

Chrome 81.0.4044.92
Firefox 75.0
Safari 13.1

elasticmachine · 2020-03-25T05:31:23Z

Pinging @elastic/siem (Team:SIEM)

x-pack/legacy/plugins/siem/public/components/charts/barchart.tsx

x-pack/legacy/plugins/siem/public/components/drag_and_drop/draggable_wrapper.tsx

x-pack/legacy/plugins/siem/public/components/drag_and_drop/helpers.ts

x-pack/legacy/plugins/siem/public/components/header_section/index.tsx

x-pack/legacy/plugins/siem/public/components/matrix_histogram/index.tsx

x-pack/legacy/plugins/siem/public/components/timeline/query_bar/index.tsx

x-pack/legacy/plugins/siem/public/components/timeline/timeline.tsx

x-pack/legacy/plugins/siem/public/components/top_n/index.tsx

...gacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx

XavierM

Still LGTM ;) 🚀 💪 🚀Thank you for all the good test

![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif) A new context menu with the following items has been added to all draggables: - Filter for value - Filter out value - Show top _field name_ - Copy to Clipboard as shown in the following animated gif: ![new-context-menu](https://user-images.githubusercontent.com/4459398/79173935-4dbd6880-7db6-11ea-9253-7746481e1b17.gif) The _Filter for value_ context menu action adds the draggable to the global filter bar, which is applicable to all pages in the SIEM app, per the following animated gif: ![filter-in-value](https://user-images.githubusercontent.com/4459398/79176624-f91deb80-7dbd-11ea-9b01-799145d776c8.gif) The _Filter out value_ context menu action adds the draggable to the global filter bar as a _negated_ (`NOT`) filter, per the following animated gif: ![filter-out-value](https://user-images.githubusercontent.com/4459398/79178474-9f6bf000-7dc2-11ea-9423-512ad7f89a18.gif) The _Show top field_ context menu action displays an interactive Top 10 histogram, per the following animated gif: ![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif) - The contents of the histogram are filtered by the global KQL bar / filters and current date range - Brushing over the bars in the histogram updates the global date range / picker - Select _Events_ or _Signals_ - The _Show top field_ action is also available in the Fields Browser, per the following animated gif: ![in-fields-browser](https://user-images.githubusercontent.com/4459398/79179548-1a360a80-7dc5-11ea-9ad7-cdd7fef0cc64.gif) The _Copy to clipboard_ context menu action copies the draggable field and value to the clipboard in KQL format (e.g. `process.name: "nice"`). Per the following animated gifs, it's now possible to copy _any_ draggable to the clipboard, and paste it in KQL format, which addresses [this feature request from a user](elastic#59472): ![copy-to-clipboard](https://user-images.githubusercontent.com/4459398/79178893-a7785f80-7dc3-11ea-868a-5d7bc2824912.gif) ![pasted-value](https://user-images.githubusercontent.com/4459398/79179126-2c637900-7dc4-11ea-92a7-86c7d6377688.gif) You may now pivot from chart legends by dragging and dropping them to a timeline, or by selecting the Filter for / out context menu action, per the following animated gif: ![draggable-legend](https://user-images.githubusercontent.com/4459398/79179769-9deff700-7dc5-11ea-9153-b472914f2dfe.gif) Desk tested in: - Chrome `81.0.4044.92` - Firefox `75.0` - Safari `13.1`

kibanamachine · 2020-04-17T03:31:38Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request
Commit: a67d6b8

History

💛 Build #41425 was flaky ba34f6d
💚 Build #41070 succeeded ed082f78eacfff8afa4288579751deb34b9ccf0b
💚 Build #40902 succeeded 61748933f947cc289939dfc12e5bc275ae22cb36
💚 Build #40581 succeeded 9b9cac917ab6a02dccea79e034669ca812731d18
💚 Build #40573 succeeded 19b11bb271bfe14e6ec9867f2cb4f693db08eac3

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

…eld, Copy to Clipboard, Draggable chart legends (#61207) (#63816) ## [SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends Enhancements to the threat hunting experience ![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif) ### New draggable context menu A new context menu with the following items has been added to all draggables: - Filter for value - Filter out value - Show top _field name_ - Copy to Clipboard as shown in the following animated gif: ![new-context-menu](https://user-images.githubusercontent.com/4459398/79173935-4dbd6880-7db6-11ea-9253-7746481e1b17.gif) ### Filter for value The _Filter for value_ context menu action adds the draggable to the global filter bar, which is applicable to all pages in the SIEM app, per the following animated gif: ![filter-in-value](https://user-images.githubusercontent.com/4459398/79176624-f91deb80-7dbd-11ea-9b01-799145d776c8.gif) ### Filter out value The _Filter out value_ context menu action adds the draggable to the global filter bar as a _negated_ (`NOT`) filter, per the following animated gif: ![filter-out-value](https://user-images.githubusercontent.com/4459398/79178474-9f6bf000-7dc2-11ea-9423-512ad7f89a18.gif) ### Show top _field_ The _Show top field_ context menu action displays an interactive Top 10 histogram, per the following animated gif: ![show-top-field](https://user-images.githubusercontent.com/4459398/79180753-f9bb7f80-7dc7-11ea-9ae2-d4e4fc79208c.gif) - The contents of the histogram are filtered by the global KQL bar / filters and current date range - Brushing over the bars in the histogram updates the global date range / picker - Select _Events_ or _Signals_ - The _Show top field_ action is also available in the Fields Browser, per the following animated gif: ![in-fields-browser](https://user-images.githubusercontent.com/4459398/79179548-1a360a80-7dc5-11ea-9ad7-cdd7fef0cc64.gif) ### Copy to Clipboard The _Copy to clipboard_ context menu action copies the draggable field and value to the clipboard in KQL format (e.g. `process.name: "nice"`). Per the following animated gifs, it's now possible to copy _any_ draggable to the clipboard, and paste it in KQL format, which addresses [this feature request from a user](#59472): ![copy-to-clipboard](https://user-images.githubusercontent.com/4459398/79178893-a7785f80-7dc3-11ea-868a-5d7bc2824912.gif) ![pasted-value](https://user-images.githubusercontent.com/4459398/79179126-2c637900-7dc4-11ea-92a7-86c7d6377688.gif) ### Draggable chart legends You may now pivot from chart legends by dragging and dropping them to a timeline, or by selecting the Filter for / out context menu action, per the following animated gif: ![draggable-legend](https://user-images.githubusercontent.com/4459398/79179769-9deff700-7dc5-11ea-9153-b472914f2dfe.gif) #### Desk testing Desk tested in: - Chrome `81.0.4044.92` - Firefox `75.0` - Safari `13.1`

* master: (40 commits) [APM]Upgrade apm-rum agent to latest version to fix full page reload (elastic#63723) add deprecation warning for legacy 3rd party plugins (elastic#62401) Migrate timelion vis (elastic#62819) Replacebad scope link with actual values (elastic#63444) Index pattern management UI -> TypeScript and New Platform Ready (create_index_pattern_wizard) (elastic#63111) [SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends (elastic#61207) [Maps] fix term join agg key collision (elastic#63324) [Ingest] Fix agent config key sorting (elastic#63488) [Monitoring] Fixed server response errors (elastic#63181) update elastic charts to 18.3.0 (elastic#63732) Start services (elastic#63720) [APM] Encode spaces when creating ML job (elastic#63683) Uptime 7.7 docs (elastic#62228) [DOCS] Updates remote cluster and ccr docs (elastic#63517) [Maps] Add 3rd party vector tile support (elastic#62084) [Endpoint][EPM] Retrieve Index Pattern from Ingest Manager (elastic#63016) [Endpoint] Host Details Policy Response Panel (elastic#63518) [Uptime] Certificate expiration threshold settings (elastic#63682) Refactor saved object types to use `namespaceType` (elastic#63217) [SIEM][CASE] Create comments sequentially (elastic#63692) ...

elasticmachine · 2021-09-23T14:37:54Z

Pinging @elastic/security-solution (Team: SecuritySolution)

andrew-goldstein added release_note:enhancement Team:SIEM v8.0.0 v7.7.0 labels Mar 25, 2020

andrew-goldstein requested a review from a team as a code owner March 25, 2020 05:31

andrew-goldstein requested a review from XavierM March 25, 2020 05:31

XavierM approved these changes Mar 25, 2020

View reviewed changes

andrew-goldstein self-assigned this Mar 25, 2020

andrew-goldstein force-pushed the timeline-enhancements branch from 37e2ca9 to 531185b Compare March 25, 2020 08:24

andrew-goldstein added v7.8 v7.8.0 and removed v7.7.0 v7.8 labels Mar 25, 2020

andrew-goldstein force-pushed the timeline-enhancements branch 4 times, most recently from 504fd77 to bfa5400 Compare April 4, 2020 02:32

andrew-goldstein force-pushed the timeline-enhancements branch from bfa5400 to 511f797 Compare April 9, 2020 18:00

andrew-goldstein changed the title ~~[SIEM] Threat hunting enhancements~~ [SIEM] Threat hunting enhancements (Top N, Context Menu, Draggable Chart Legends) Apr 14, 2020

andrew-goldstein changed the title ~~[SIEM] Threat hunting enhancements (Top N, Context Menu, Draggable Chart Legends)~~ [SIEM] Threat hunting enhancements (Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends) Apr 14, 2020

andrew-goldstein force-pushed the timeline-enhancements branch 2 times, most recently from 19b11bb to 9b9cac9 Compare April 14, 2020 07:22

andrew-goldstein changed the title ~~[SIEM] Threat hunting enhancements (Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends)~~ [SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends Apr 15, 2020

andrew-goldstein force-pushed the timeline-enhancements branch from 9b9cac9 to 6174893 Compare April 15, 2020 10:12