-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Allow users to edit max_signals field for custom rules #173593
Comments
TODO:
Update: This value is exposed here and has to be accesible in the rules client by adding it to:
And that will make it available in the |
I don't think we really need designs for this (maybe for link to docs, and explanation in tooltip?), but I think we can agree on using the Number field from EUI: |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Deployment links have been added to the PR in the latest build message for acceptance and exploratory testing. cc @vgomez-el @approksiu |
All of our logic changes are now (hopefully) complete and the tickets/acceptance criteria have been updated to match. The new deployment links should be added to the latest build message. Would appreciate some eyes when you have a chance, thanks! cc: @vgomez-el @approksiu @ARWNightingale |
The latest deployment links are in the most recent build message. Would appreciate some eyes for acceptance/exploratory testing when everyone has a chance, thanks! cc: @vgomez-el @approksiu @ARWNightingale |
@dplumlee I did a quick testing in the ESS Cloud deployment and found a few issues: First, an attempt to reset Request body sent to the {"type":"query","index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"filters":[],"language":"kuery","query":"*","author":[],"exceptions_list":[],"false_positives":[],"references":[],"risk_score":21,"risk_score_mapping":[],"severity":"low","severity_mapping":[],"threat":[],"max_signals":"","name":"Georgii's test","description":"-","tags":[],"setup":"","license":"","interval":"5m","from":"now-360s","to":"now","meta":{"from":"1m","kibana_siem_app_url":"https://kibana-pr-179680.kb.us-west2.gcp.elastic-cloud.com:9243/app/security"},"actions":[],"enabled":false,"id":"929893cf-5021-44cb-8b99-01dea17108d3"}
Steps to reproduce:
Same eventually happens on rule creation, but the form allows to proceed from the About rule step to the next steps without showing any validation errors:
I'd expect the field to be optional in the UI, and defaultable on the BE side (if max_signals is undefined in the request body, we set it to 100). Secondly, in the AC we have:
Have we decided to not add this tooltip? Nit: In this warning, we should probably say Also not sure about using the |
@banderror This has been fixed in the most recent build, a leftover remnant from refactoring logic.
I didn't see that in the AC before, but I would say the description we have underneath the field in the form would suffice for this component. It's pretty straightforward and will have been documented externally - I'm struggling to think of what more we would even put in there. @approksiu might have a different opinion |
@ARWNightingale @vgomez-el Any update on acceptance/exploratory testing for this component? Hoping to merge before the next serverless branch on monday. |
@ARWNightingale @vgomez-el cc @dplumlee Here are the credentials so that you can access ESS and Serverless environments for testing: ESS: Serverless: Remember to select the option Login with Elasticsearch to input the user and passwords retrieved from the links above. |
Looks good to me, That environment has just gone down on me but one small issue is when I put 0 into the input I get an error saying " Max alerts must be greater than 0". I can still save as it just reverts it too the previous value. I think we should add that to the warning. " Max alerts must be greater than 0. The value will be set to default when saved, unless changed" or something similar. Apart from that, nice work! |
Agree with @ARWNightingale comment above, but I think the validation should fail on the API request, same as when the the value is negative. Left a comment in the PR on how to fix that. |
Feature LGTM, but I also have a couple of comments:
|
…rules (#179680) **Resolves: #173593 **Fixes: #164234 ## Summary Adds a number component in the create and edit rule forms so that users are able to customize the `max_signals` value for custom rules from the UI. Also adds validations to the rule API's for invalid values being passed in. This PR also exposes the `xpack.alerting.rules.run.alerts.max` config setting from the alerting framework to the frontend and backend so that we can validate against it as it supersedes our own `max_signals` value. [Flaky test run (internal) ](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5601) ### Screenshots **Form component** <p align="center"> <img width="887" alt="Screenshot 2024-04-08 at 11 02 12 PM" src="https://github.com/elastic/kibana/assets/56367316/58cd2f6d-61b6-4343-8025-ff867c050dd7"> </p> **Details Page** <p align="center"> <img width="595" alt="Screenshot 2024-04-08 at 11 04 04 PM" src="https://github.com/elastic/kibana/assets/56367316/d2c61593-3d35-408e-b047-b4d1f68898f8"> </p> **Error state** <p align="center"> <img width="857" alt="Screenshot 2024-04-08 at 11 01 55 PM" src="https://github.com/elastic/kibana/assets/56367316/86e64280-7b81-46f2-b223-fde8c20066c8"> </p> **Warning state** <p align="center"> <img width="601" alt="Screenshot 2024-04-16 at 3 20 00 PM" src="https://github.com/elastic/kibana/assets/56367316/eab07d62-3d3e-4c85-8468-36c3e56c5a99"> </p> ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>
The feature has been live in Serverless for a while. We also had a discussion on what should we do with 18 prebuilt rules that have max_signals equal to 10000 (context). Summary of the discussion:
@dplumlee Let's keep the behavior of the Warning status as is. My concerns did not get support from product, but I'm totally fine with that. I don't think we have any other immediate action items related to this feature (we can always revisit later), so I'll close the ticket. cc @jpdjere Thanks to everyone involved! We'll track elastic/security-docs#5029 separately. |
Here's the evidence about rules hitting max_signals and not saving all alerts, based on cloud telemetry. ( I am looking to find the data for on-prem for this issues.) In the past 30 days, we had about 10-12 clusters on average reporting errors when hitting max signals, of which about 5-9 clusters reporting this issues for prebuilt promotion rules. In this data we track > 3200 clusters that have reported data with rule mentioned. The most common rule is External Alerts. |
After more research here're the latest numbers: doc. |
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Related bug: #164234
Summary
We need to expose the max signals field in the rule details, and rule edit page.
Check the validity of the field (NOTE: To avoid rule failures, do not set the max_signals value higher than the value of
xpack.alerting.rules.run.alerts.max
.Provide default value (100 - according to the docs).
Background
We want to allow users more customisation options for their custom rules.
Max_signals field sets the maximum number of alerts that will be created during a single rule execution.
User story
Acceptance criteria
xpack.alerting.rules.run.alerts.max
- a warning is shown, but the rule can be saved.xpack.alerting.rules.run.alerts.max
- a warning is thrown during rule execution and the lower value of the two will be used for an upper limit.Release progress
Follow-up fixes are merged and released in Serverless. (PR)We'll open separate tickets for follow-up fixes, when/if needed.Planned release date in Serverless: Mon, May 13, 2024.
Planned release date in ESS: TBD (
v8.15.0
).The text was updated successfully, but these errors were encountered: