elastic/kibana

[EQL] Remove usage of ignore:400 for syntax validation

Open

#169.042 aperta il 16 ott 2023

Vedi su GitHub
 (5 commenti) (0 reazioni) (1 assegnatario)TypeScript (8021 fork)batch import
Team: SecuritySolutionTeam:Detection EngineTeam:Detection Engineeringbuggood first issue

Metriche repository

Star
 (19.065 star)
Metriche merge PR
 (Merge medio 1g 16h) (999 PR mergiate in 30 g)

Descrizione

Describe the bug:

Currently, the EQL search strategy adds "ignore": [400] to the params sent to the elasticsearch-js client which causes the client to treat 400 errors as expected:

https://github.com/elastic/kibana/blob/6efef0496077f4e61d49e4e43f75941ff3d98d9e/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts#L42

As a result, the response back may indeed be a 400 error but it is returned as a normal 200 response.

This may have been necessary at some point but now ES properly sends a message back indicating syntax errors:

image

Guida contributor