[Cases] Link cases to alerts #146864
Comments
cnasikas
added
Team:ResponseOps
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Great write-up, @cnasikas! Everything you're planning on doing here looks great with the exception of the following:
There's nothing guaranteeing that the first eight characters of the UUID are sufficiently unique to be used as a short ID. Git is using a short SHA-1 and then using the first few characters. It looks like they got away with using the first 7 digits for a while before having to make this configurable per git/git@dce9648. This seems like a reasonable precedent to rely on, but I think we should be open to others as well. |
|
I feel like we should show the name of the case and not just the ID or a subset because it does not mean anything to our user and if we worry about the length we should let the the cell rendering dealing with that. |
That's fine as well. |
|
@kobelb You are right. I misused the term "short ID". The purpose was to save space in the table column and not use it as a way to refer to a case across Kibana. If we want a truly short ID we should hash the UUID ( @XavierM About the title, the reason I decided to not put it in the schema is for security/privacy reasons. If the user has access to the alert but not access to the case we leak sensitive information to the user about the case. The title may contain private information. If we are ok with leaking information then we can add it to the schema. Be aware that the title can be up to 160 characters and if an alert is attached to multiple cases the column may not fit everything. By the way, should we put a limit to the number of cases an alert can be attached to? |
|
I think we could make either option work, and we should defer to @shanisagiv1 on his preference: To work around the security concern, we don't necessarily have to put the Case title in the alert schema, and we can retrieve the case titles either when retrieving the alerts or when rendering the alerts table. Obviously, we'd need to limit the number of case titles that we retrieve per alert, but we'd likely want to do so anyway because we only have so much room in the UI to display them.
Absolutely! We shouldn't set this artificially low, but having reasonable bounds in place will allow us to make a much more resilient system. |
|
I am not against displaying the title. @XavierM is right that the ids do not mean anything to our users but on the other hand, it is much simpler to use them. The initial designs proposed the short ID to be an incrementing ID (
What do you think about 10 cases per alert? |
My gut says this is tolerable. We don't need to load the entire case, just the title.
Seems reasonable to me. |
If we put a limit on how many cases an alert can be attached to we'll probably need to introduce some reference counter so we can quickly determine if the attach alert API call should fail. The other option I can think of is to do an aggregation during that API call. It gets worse for bulk attaching alerts although maybe we can still do the check using a single cardinality aggregation during the attach API call. If we hit the limit, what do we expect the user to do if they really really want to attach that alert to another case? They'd have to go find a case where that alert is attached to and unattach it. Security solution provides the behavior to find the cases an alert is attached to so maybe that wouldn't be too bad. An alternative would be to limit the number of cases we display in the alert table to say 10 and then if the user really wanted to see more they could view the alert details to see more. That way the user can attach the alert to as many cases as they want. |
This request is going to be a bulk get right? That should be reasonably fast since we don't have to search. |
To avoid extra calls we can get the information from the alert's data. If
@shanisagiv1 What is your opinion on this?
Yes, it will be a bulk get. |
|
@kobelb @XavierM We discuss it with @shanisagiv1 and we decided to show the title of the Case in the table instead of the short ID. I updated the issue accordingly. |
|
yep^ Also, I asked Christos to check if it's possible to query how many alerts today are associated with more than one case. My gut feeling is that an alert should be associated with just one if it's a classic escalation of alerts to a case, but maybe I'm wrong... anyway having more context without asking the user to click is always preferred. |
## Summary This PR adds case information to the alerts' schema. More information here: #146864. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary This PR creates the bulk get cases internal API. The endpoint is needed for the alerts table to be able to get all cases the alerts are attached to with one call. Reference: #146864 ### Request - ids: (Required, array) An array of IDs of the retrieved cases. - fields: (Optional, array) The fields to return in the attributes key of the object response. ``` POST <kibana host>:<port>/internal/cases/_bulk_get { "ids": ["case-id-1", "case-id-2", "123", "not-authorized"], "fields": ["title"] } ``` ### Response ``` { "cases": [ { "title": "case1", "owner": "securitySolution", "id": "case-id-1", "version": "WzIzMTU0NSwxNV0=" }, { "title": "case2", "owner": "observability", "id": "case-id-2", "version": "WzIzMTU0NSwxNV0=" } ], "errors": [ { "error": "Not Found", "message": "Saved object [cases/123] not found", "status": 404, "caseId": "123" }, { "error": "Forbidden", "message": "Unauthorized to access case with owner: \"cases\"", "status": 403, "caseId": "not-authorized" } ] } ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary This PR creates the bulk get cases internal API. The endpoint is needed for the alerts table to be able to get all cases the alerts are attached to with one call. Reference: elastic#146864 ### Request - ids: (Required, array) An array of IDs of the retrieved cases. - fields: (Optional, array) The fields to return in the attributes key of the object response. ``` POST <kibana host>:<port>/internal/cases/_bulk_get { "ids": ["case-id-1", "case-id-2", "123", "not-authorized"], "fields": ["title"] } ``` ### Response ``` { "cases": [ { "title": "case1", "owner": "securitySolution", "id": "case-id-1", "version": "WzIzMTU0NSwxNV0=" }, { "title": "case2", "owner": "observability", "id": "case-id-2", "version": "WzIzMTU0NSwxNV0=" } ], "errors": [ { "error": "Not Found", "message": "Saved object [cases/123] not found", "status": 404, "caseId": "123" }, { "error": "Forbidden", "message": "Unauthorized to access case with owner: \"cases\"", "status": 403, "caseId": "not-authorized" } ] } ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary This PR adds a tooltip component (High OrderComponent) to @kbn/cases-components package. #146864 **Details of tooltip**  **status: Open, tooltip position : Top**  **status: In-progress, tooltip position: bottom, long title and description**  ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [x] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### How to Test: - run `yarn storybook cases` and test on http://localhost:9001/ Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
… to a case (#147985) ## Summary PR #147013 extended the alert's schema to be able to store the case id an alert is attached to. This PR adds the ability to update the `case_ids` field of the alert when an alert is attached to a case. It also limits the number of cases an alert can be attached to ten. ### Permissions A user to attach an alert to a case needs a) to have read access to the solution via the kibana feature privileges and b) to have write access to the case. The user that did the request should not need to have written access to the alert for Cases to add the case ID to the alert's data. For that reason, the alert data client is extended to cover this particular need: update an alert even if the user has read access. ## Alerts client aside For future reference, the alerts client uses the request to check the kibana feature authorization but uses the internal system user to perform any write and get operations on the alert indices themselves. For security solution this means that a user with only read access to the security solution kibana feature, write access to cases, and no read or write access to the alert indices could attach an alert to a case and have the case id stored in the alert. For observability, users intentionally do not have access to the alert indices so we want to bypass the authorization check on the indices which is why the current alerts client uses an es client that is an internal system user. Related issue: #146864 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary This PR adds the cases column to the alerts table. Assumptions: - I will not change the label of the case column. I will do it on another PR. - The column will not be part of the default columns. The user has to add it from the fields. - If there are multiple cases they will be shown as a comma-separated list. It will change later to include a "show more" button or similar to show only the latest case in the column. - Due to circular dependencies, Cases types and utility functions were not imported. I duplicate the code. I opened two issues (#151648, #151649) to create packages that will contain the case types and utility functions. Issue: #146864 <img width="1649" alt="Screenshot 2023-02-17 at 7 37 25 PM" src="https://user-images.githubusercontent.com/7871006/219728708-a0922d32-8aaf-4433-88bb-5536f5e6b880.png"> ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ## Release notes Adds the Cases column to the alerts table. The column shows, for each alert, all cases the alert is attached to.
#154024) ## Summary Users can remove alerts from a case by deleting the whole alert attachment. This PR removes the case id from the alerts when deleting an attachment of type alert. It does not remove the case info from all alerts attached to a case when deleting a case. It also fixes a bug where the success toaster will not show when deleting an attachment. Related: #146864, #140800 ## Testing 1. Create a case and attach some alerts to the case. 2. Verify that the alerts table (in security or in o11y) shows the case the alert is attached to. You can enable the cases column by pressing "Fields", searching for "Cases", and then selecting the field. 3. Go to the case and find the alerts' user activity. 4. Press the `...` and press "Remove alerts(s)" 5. Go back to the alert table and verify that the case is not shown in the Cases column for each alert. Please check that when you remove alert(s), attachments (ml, etc), and comments you get a success toaster with the correct text. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Summary
Alerts can be attached to a case. You can see alerts' data from within a case but when viewing alerts in the alerts table it is not possible to understand if an alert is being investigated on a Case. The alerts table should have a column that shows the cases the alert is attached to.
Technical description
Schema
To link a case to an alert the alert's schema needs to be updated to store the cases to which the alert is being attached. The alert's schema should be extended to include:
To avoid leaking case information to users that do not have access to the case we will not save any other information (like the title for example) at the moment.
User flow
When a user attaches an alert to a case the alert's ID and index are stored in the case. Cases will update the alert's data to add the case ID to which the alert is attached. To do that, Cases will use the alert data client.
Permissions
A user to attach an alert to a case needs a) to have read access to the alert and b) to have write access to the case. The user that did the request should not have written access to the alert for Cases to add the case ID to the alert's data. The alert data client should be extended to cover this particular need: update an alert even if the user has read access. This scenario should only be used by system plugins like Cases and should not be exposed for public use.
### Short IDTo avoid taking up much space in the cases column in the alerts table, a short ID will be shown for each case. For the reasons described here #115808 (comment), #115808 (comment), and #115808 (comment) the first eight characters of the UUID of the case will be used as the short ID. For example, the short ID of a case with IDffb0bc30-6031-11ed-9d7d-55e40a56bb38will beffb0bc30.Fetching cases data
For privacy reasons, the alert will only contain the case IDs it is attached to. To show the title on the table and to construct the link (the link needs the owner of the case) we need to get the information of all cases shown in the table. To do that we will do one bulk get call to Cases to get all cases shown on the current page of the alerts table. The response will contain only the title and the owner of the case. If the user changes the total number of alerts shown on the table or the page of the table another bulk get call will be made.
Cases column on the alerts table
A new column that shows the cases the alert is attached to will be available to the users. The title of the first case will be shown. If more than one case is shown in the column, a
+ <remaining_cases> morebutton will be available for users to see the remaining cases. Users should be able to configure the display of the case columns in the "Columns" option and Solutions should decide if they want the column to be shown by default.When hovering over a short ID a tooltip will be shown with all available information about the case. An HTTP call will be made to the Cases API to get all information regarding the case of interest. For example (design taken from #114378):
Guardrails
An alert cannot be attached to more than 10 cases
Edit history
Tasks
bulk_getAPI for Cases ([Cases] Create Bulk get cases internal API #147674)Related issues: #114378, #115808, #132772, #140800
The text was updated successfully, but these errors were encountered: