[Automatic Migrations] Add support for Qradar Sequence and toggle for its translation capability #254879

Open

logeekal wants to merge 5 commits into elastic:main from logeekal:feat/qradar_sequences

Conversation

@logeekal logeekal commented Feb 25, 2026

Summary

This PR adds the ability for the Rule Migration graph to understand the Sequence, DoubleSequence and CauseAndEffect functions.

Below we can see the natural language description and the ESQL translation summary of the Temporal Correlation sequences. As can be clearly seen, and after communicating with the ESQL Team, we can confirm that Sequences are not supported by ESQL. Because of this, we have also added a toggle function to add/remove support for a QRadar function.

Natural description of the Sequence

[screenshot]

ESQL Translation

Currently, ESQL responds appropriately that it cannot do Sequence Correlations. This is the expected output.

[screenshot]

Comment without Sequence Support

Since we know that Sequences are not supported by ESQL, and as it was confirmed with the ESQL Team as well, we have added Sequence to the unsupported list of functions so that we do not waste tokens doing the translation. When we have the capability, we can simply enable it.

[screenshot]

More Improvements

Better ESQL Query Translation Summary

  • Shows how much of the query can/cannot be translated.
  • Shows the reasons for which some part of the query cannot be translated.
  • Introduces a minimum threshold (20%) below which the query is marked Non Translated, citing the reasons.

[screenshot]

Inclusion of integrations' indices field mappings

As can be seen in the screenshot below, field mappings are now included in the translation node, which results in a better query. A screenshot of this trace is included below:

[screenshot: trace, 2026-02-25 at 15:27:01]

This inevitably results in a better query. See the before/after screenshots below:

Without index mappings: [screenshot]
With index mappings: [screenshot]

Desk Testing Plan

Testing the New Feature

Sequence Rule Migrations without pre-built rule match

  • Run QRadar Rule Migrations with this sequences export
  • Expectation: the rule should be Not Translated, with an explanation in the Summary section as to why.

Sequence Rule Migrations with pre-built rule match

  • Run QRadar Rule Migrations with this sequences export
  • Expectation:
    • The rule should be Not Translated, with an explanation as to why, as shown above.
    • A pre-built rule should be a match.

Regression Testing

  • Run QRadar Rule Migrations with an export without sequences
  • It should run successfully with integration matches for Netflow, Network packet capture or Oracle, with the corresponding indices and correct columns.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.
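The pre-translation gate described above (unsupported-function toggle, 20% threshold, reasons in the summary) as an added TypeScript example; this is not Kibana's code, and the function names, status values, condition shape and sample rule are all assumptions.

```typescript
// Added example, not Kibana's own code: models the gate described in the PR.
// Functions listed as unsupported are marked before any translation is attempted,
// coverage below the 20% threshold marks the rule "Not Translated" with reasons,
// and the sequence functions can be toggled back on later. All names are assumed.

export const SEQUENCE_FUNCTIONS = ['Sequence', 'DoubleSequence', 'CauseAndEffect'] as const;
export const MIN_TRANSLATABLE_RATIO = 0.2; // the 20% threshold from the PR

export interface TestCondition {
  testId: string;
  functionName: string; // QRadar test/function name, e.g. 'Sequence'
}

export type TranslationStatus = 'translated' | 'partially_translated' | 'not_translated';
export interface TranslationSummary {
  status: TranslationStatus;
  translatableRatio: number;
  reasons: string[];
}

/** The toggle: sequence support is added or removed as one unit. */
export function buildUnsupportedFunctions(sequenceSupportEnabled: boolean): Set<string> {
  const unsupported = new Set<string>();
  if (!sequenceSupportEnabled) SEQUENCE_FUNCTIONS.forEach((fn) => unsupported.add(fn));
  return unsupported;
}

/** Classifies the flattened condition list before any tokens are spent on translation. */
export function summarizeTranslatability(
  conditions: TestCondition[],
  unsupported: Set<string>,
  threshold: number = MIN_TRANSLATABLE_RATIO
): TranslationSummary {
  if (conditions.length === 0) {
    return { status: 'not_translated', translatableRatio: 0, reasons: ['Rule has no test conditions'] };
  }
  const reasons = conditions
    .filter((c) => unsupported.has(c.functionName))
    .map((c) => `${c.testId}: ${c.functionName} is not supported by ES|QL`);
  const ratio = (conditions.length - reasons.length) / conditions.length;
  let status: TranslationStatus = 'translated';
  if (ratio < threshold) status = 'not_translated';
  else if (reasons.length > 0) status = 'partially_translated';
  return { status, translatableRatio: ratio, reasons };
}

// Constructed sample: a rule whose only condition is a Sequence, as in the desk test plan.
export const SAMPLE_SEQUENCE_RULE: TestCondition[] = [{ testId: 'test_1', functionName: 'Sequence' }];
```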

@logeekal logeekal changed the title Feat/qradar sequences [Automatic Migrations] Add support for Qradar Sequence and toggle for its translation capability Feb 25, 2026
@logeekal logeekal added release_note:skip Skip the PR/issue when compiling release notes backport:version Backport to applied version labels Team:Threat Hunting Security Solution Threat Hunting Team Team:Automatic Migrations Label for Security Automatic Migrations project related task and bugs v9.4.0 labels Feb 25, 2026
@logeekal logeekal requested a review from angorayc February 25, 2026 10:35
@logeekal logeekal marked this pull request as ready for review February 25, 2026 10:40
@logeekal logeekal requested a review from a team as a code owner February 25, 2026 10:40
@elasticmachine commented:

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

*This is FLATTENED list of conditions from main rule and complete dependency tree.
- Test Condition [test_id] [group_id] ( Human-readable description of the test condition 1 )
- Test Condition [test_id] [group_id] ( Human-readable description of the test condition 2 )
#### Key Commands ( including the negate attribute handling):
Suggested change
#### Key Commands ( including the negate attribute handling):
#### Key Commands (including the negate attribute handling):

@jonwalstedt commented:

@logeekal It looks like the links to the XMLs for the QRadar rule migrations (the one without pre-built rule match and the one with pre-built rule match) are the same file; both links point to the same file.
