[Security solution] [RAC] Add row renderer popover to alert table "reason" field #108054

machadoum · 2021-08-10T14:54:13Z

Summary

It displays a popover containing the row renderer when the user clicks on the reason field value.
It creates a new column renderer (reason_column_renderer.tsx) for the reason field that renders the row renderer on click.
It passes down the props required for the reason_column_renderer to call row renderer.

Checklist

Unit or functional tests were updated or added to match the most common scenarios
Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)

mdefazio · 2021-08-10T21:05:35Z

Do we need to include the event render type in the title of the popover? I'm not super knowledgable about how all these differ and how useful that is to know.

machadoum · 2021-08-11T11:20:39Z

Do we need to include the event render type in the title of the popover? I'm not super knowledgable about how all these differ and how useful that is to know.

I also don't know how useful it would be. The event renderer name column isn't very informative:

Maybe @paulewing can help us with that.

mdefazio · 2021-08-11T12:22:06Z

The more I think about it, at the very least, I do think we should include a title of 'Event renderer'. When we bring in the view of all these event renderers, we will want that correlation between the two.

I will discuss with @paulewing whether we need a title, but even then, I think it's better to do something like:
Event renderer: {event_renderer_name}.

mdefazio · 2021-08-11T13:10:27Z

Spoke with @paulewing , let's go with Event renderer: {event_renderer_name} for the popover title

michaelolo24 · 2021-08-11T22:49:35Z

@elasticmachine merge upstream

x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts

elasticmachine · 2021-08-12T09:46:19Z

Pinging @elastic/kibana-security (Team:Security)

elasticmachine · 2021-08-12T09:46:20Z

Pinging @elastic/security-solution (Team: SecuritySolution)

machadoum · 2021-08-12T09:52:33Z

Spoke with @paulewing , let's go with Event renderer: {event_renderer_name} for the popover title

I added a new commit with the title change.

@michaelolo24 The PR is ready for review!

michaelolo24 · 2021-08-12T12:04:34Z

...lugins/security_solution/public/timelines/components/row_renderers_browser/catalog/index.tsx

+  [RowRendererId.suricata]: 'Suricata',
+  [RowRendererId.threat_match]: i18n.THREAT_MATCH_NAME,
+  [RowRendererId.zeek]: i18n.ZEEK_NAME,
+  [RowRendererId.plain]: '',


Do we want a default name for the plain renderer? We can do that in a follow up PR, but we should find out

I am struggling to find a scenario where we would display the plain RowRenderer. I think that it won't be displayed on the alert page.

When I call getRowRenderer and no ronRenderer is found it returns null Instead of returning plainRowRenderer.

I couldn't find any reference to plain_row_renderer.tsx on the code.

Here there is a comment mentioning it but the comment is outdated because plainRowRenderer is not included on defaultRowRenderers

If I am right, we could delete plain_row_renderer.tsx

jportner · 2021-08-12T12:05:50Z

It looks like Team:Security was mistakenly added, I'll remove it

...solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx

michaelolo24 · 2021-08-12T12:18:13Z

...solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.test.tsx

@@ -0,0 +1,148 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one


Thank you for adding tests!

...rity_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx

elasticmachine · 2021-08-12T12:24:54Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

...rity_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx

michaelolo24 · 2021-08-12T12:35:45Z

...rity_solution/public/timelines/components/timeline/body/renderers/reason_column_renderer.tsx

+
+  const rowRenderer = useMemo(() => getRowRenderer(ecsData, rowRenderers), [ecsData, rowRenderers]);
+
+  const rowRender =


can you update this to:

useMemo(() => { return rowRenderer && rowRenderer.renderRow({ browserFields, data: ecsData, isDraggable: true, timelineId, }); }, [..deps]);

michaelolo24

This really looks great! Tested out a couple different renderers such as auditd and netflow and they worked great. Just a few comments, but nothing blocking! Great job! 💪🏾

machadoum · 2021-08-12T12:51:11Z

@michaelolo24 Thank you for reviewing the PR 🙇‍♂️

I fixed all issues. Feel free to take a second look.

kibanamachine · 2021-08-12T15:11:51Z

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
`securitySolution`	2360	2361	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
`securitySolution`	6.5MB	6.5MB	+6.3KB
`timelines`	267.6KB	267.7KB	+108.0B
total			+6.4KB

History

💚 Build #144731 succeeded c252e78
💔 Build #144709 failed 0ead1cce40a0d6df2ee23954a6640d6523eb9729
💔 Build #144627 failed 6c7f6be59c0d730e14203fcbb1f6db0f30d5e900
💔 Build #144475 failed f97f934015e246eb90c4479ef828a50050bbee7f
💔 Build #144381 failed c8e54042629f1c389447c92e557b4b6daf406835

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @machadoum

…ason" field (elastic#108054) * Add row renderer popover to alert table reason field * Add a title to row renderer popover on alert table * Fix issues found during code review

kibanamachine · 2021-08-12T15:15:02Z

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.

…ason" field (#108054) (#108385) * Add row renderer popover to alert table reason field * Add a title to row renderer popover on alert table * Fix issues found during code review Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>

machadoum force-pushed the rac-event-renderer-popup branch from 60e18b6 to 536410e Compare August 10, 2021 15:00

machadoum changed the title ~~Add row renderer popover to user.name alert table field~~ [Security solution] [RAC] Add row renderer popover to "user.name" alert table field Aug 10, 2021

machadoum self-assigned this Aug 10, 2021

machadoum force-pushed the rac-event-renderer-popup branch from 9ba5c39 to c8e5404 Compare August 11, 2021 11:59

machadoum changed the title ~~[Security solution] [RAC] Add row renderer popover to "user.name" alert table field~~ [Security solution] [RAC] Add row renderer popover to alert table "reason" field Aug 11, 2021

machadoum requested a review from michaelolo24 August 11, 2021 15:15

machadoum force-pushed the rac-event-renderer-popup branch 2 times, most recently from d0cc470 to f97f934 Compare August 11, 2021 15:24

michaelolo24 mentioned this pull request Aug 11, 2021

[Security Solution][RAC] - 7.15 Checklist #108071

Closed

48 tasks

mdefazio requested a review from a team August 11, 2021 19:39

michaelolo24 reviewed Aug 11, 2021

View reviewed changes

x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_bulk_body.ts Outdated Show resolved Hide resolved

Add row renderer popover to alert table reason field

aec9fba

machadoum force-pushed the rac-event-renderer-popup branch from 6c7f6be to 0ead1cc Compare August 12, 2021 09:44

machadoum marked this pull request as ready for review August 12, 2021 09:46

machadoum requested review from a team as code owners August 12, 2021 09:46

machadoum added the release_note:enhancement label Aug 12, 2021

Add a title to row renderer popover on alert table

c252e78

machadoum force-pushed the rac-event-renderer-popup branch from 0ead1cc to c252e78 Compare August 12, 2021 11:24