[Cases] Include rule registry client for updating alert statuses #108588
Conversation
jonathan-buttner
added
v8.0.0
release_note:skip
x-pack/plugins/cases/kibana.json
Outdated
| @@ -23,6 +23,7 @@ | |||
| "features", | |||
| "kibanaReact", | |||
| "kibanaUtils", | |||
| "ruleRegistry", | |||
There was a problem hiding this comment.
We depend on the rule registry to interact with the alerts now.
There was a problem hiding this comment.
ruleRegistry should be optional. Cases should still work without rule registry enabled.
| interface Alert { | ||
| id: string; | ||
| index: string; | ||
| destination?: { |
There was a problem hiding this comment.
We weren't referencing these fields. We're using a lodash get so we don't actually need the explicit fields defined in the type.
| import { CasesClient, CasesClientArgs, CasesClientInternal } from '..'; | ||
| import { Operations } from '../../authorization'; | ||
| import { casesConnectors } from '../../connectors'; | ||
|
|
There was a problem hiding this comment.
Just moved this below the caller of it.
| return; | ||
| } | ||
|
|
||
| return scopedClusterClient.bulk({ body }); | ||
| return await pMap( |
There was a problem hiding this comment.
Using pMap to limit the number of requests running at the same time.
| @@ -21,6 +21,7 @@ | |||
|
|
|||
| // Required from './kibana.json' | |||
| { "path": "../actions/tsconfig.json" }, | |||
| { "path": "../rule_registry/tsconfig.json" }, | |||
There was a problem hiding this comment.
Without this I get ts errors saying we can't import files from the rule_registry.
| @@ -29,6 +29,7 @@ export { | |||
| } from './utils/create_lifecycle_executor'; | |||
| export { createPersistenceRuleTypeFactory } from './utils/create_persistence_rule_type_factory'; | |||
| export * from './utils/persistence_types'; | |||
| export type { AlertsClient } from './alert_data_client/alerts_client'; | |||
There was a problem hiding this comment.
Exposing this type so other plugins can reference it when passing it around.
There was a problem hiding this comment.
| import { ruleDataPluginServiceMock } from './rule_data_plugin_service/rule_data_plugin_service.mock'; | ||
| import { createLifecycleAlertServicesMock } from './utils/lifecycle_alert_services_mock'; | ||
|
|
||
| export const ruleRegistryMocks = { | ||
| createLifecycleAlertServices: createLifecycleAlertServicesMock, | ||
| createRuleDataPluginService: ruleDataPluginServiceMock.create, | ||
| createAlertsClientMock: alertsClientMock, |
There was a problem hiding this comment.
Exposing the alerts client mock for cases unit tests.
| @@ -535,8 +535,8 @@ export default ({ getService }: FtrProviderContext): void => { | |||
| }); | |||
|
|
|||
| it('should update the status of multiple alerts attached to multiple cases', async () => { | |||
| const signalID = '5f2b9ec41f8febb1c06b5d1045aeabb9874733b7617e88a370510f2fb3a41a5d'; | |||
| const signalID2 = '4d0f4b1533e46b66b43bdd0330d23f39f2cf42a7253153270e38d30cce9ff0c6'; | |||
| const signalID = '4679431ee0ba3209b6fcd60a255a696886fe0a7d18f5375de510ff5b68fa6b78'; | |||
There was a problem hiding this comment.
These changed because I had to regenerate the es archives with new alerts.
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
jonathan-buttner
requested review from
XavierM,
michaelolo24,
marshallmain and
dhurley14
x-pack/plugins/cases/kibana.json
Outdated
| @@ -23,6 +23,7 @@ | |||
| "features", | |||
| "kibanaReact", | |||
| "kibanaUtils", | |||
| "ruleRegistry", | |||
There was a problem hiding this comment.
ruleRegistry should be optional. Cases should still work without rule registry enabled.
Thanks for the review Devin! Previous to the rule registry cases depended on Elasticsearch to handle updating the status of alerts and retrieving alerts. This was a required dependency. Would a user still be able to create alerts if the rule registry is disabled? If a user can still do this, then it's feasible that they could attach those alerts to a case. We don't currently have the ability to inform the user that the updating/retrieving of alerts functionality within cases is disabled in the situation that the rule registry is disabled. So I'm wondering for now if cases should not function if the rule registry is not available. |
|
@jonathan-buttner Maybe I'm misunderstanding something. Is it possible for a user to open a case without attaching / referencing an alert? If not, then I suppose the dependency makes sense. If a user should be able to open a case without referencing an alert, then cases doesn't really depend on alerts and should be functional without that dependency. |
Yeah it is possible. The problem I'm getting at is this scenario: Let's say the rule registry is disabled. A user attaches an alert to a case. They then update the status of the case hoping that the alert's status will change as well. Behind the scenes cases will skip trying to update the status of the alert. The way this PR is currently written, there will be no API error, so updating the status of the case will succeed but the alert's status will not change and the user won't know why without looking in the logs. The other option is we could respond with an API error when the case status is being changed. If we do this, the user won't be able to update their case status because it'll fail. There's no way to remove the alerts via the cases UI right now, so they'd have to do it through direct API requests if they want the ability to change the status of the case. The best solution would be to have the rule registry be an optional plugin and when it is disabled, disable the alerts functionality in the cases UI and make it clear to the user why that functionality is disabled. I just don't think we'd be able to accomplish that before FF today. That's why in the short term I was hoping to make the rule registry a required plugin of cases. |
jonathan-buttner
added
v7.16.0
auto-backport
💚 Build Succeeded
Metrics [docs]Unknown metric groupsAPI count
API count missing comments
Non-exported public API item count
History
To update your PR or re-run it, just comment with: |
| }); | ||
|
|
||
| if ( |
There was a problem hiding this comment.
These checks were moved into the CommentableCase class so they can be done immediately before creating a case but after some validation.
| source: { ip: '192.168.1.2' }, | ||
| file: { | ||
| hash: { sha256: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08' }, | ||
| source: { |
There was a problem hiding this comment.
Everything is nested under source now.
| return acc; | ||
| }, sirFields); | ||
| sirFields = alerts | ||
| .filter((alert) => !alert.error && alert.source != null) |
There was a problem hiding this comment.
I added this to ignore alerts with errors and ones that don't have source.
| .filter((alert) => !alert.error && alert.source != null) | ||
| .reduce<Record<SirFieldKey, string | null>>((acc, alert) => { | ||
| fieldsToAdd.forEach((alertField) => { | ||
| const field = get(alertFieldMapping[alertField].alertPath, alert.source); |
There was a problem hiding this comment.
Grab the fields from alert.source now since everything is nested under there.
| index: alert._index, | ||
| ...alert._source, | ||
| })); | ||
| const alerts = await alertsService.getAlerts({ alertsInfo, logger }); |
There was a problem hiding this comment.
nice clean up here but are we sure we are not breaking other people stuff by making this change
|
Ey team, I think I found the following corner case, can you please take a look at it to make sure that I didn't mess with my testing? Preconditions:
Steps to reproduce:
Current behaviour:
|
@angorayc I do not think that we used the latest alertClientData to update the alert status and we should remove the menu items if user does not have the alerts permissions. Please check if what I say is true |
…stic#108588) * Trying to get import to work * Plumbed alerts client through and logging errors * No longer need the ES cluster client * Fixing types * Fixing imports * Fixing integration tests and refactoring * Throwing an error when rule registry is disabled * Reworking alert update and get to catch errors * Adding tests and fixing errors
…stic#108588) * Trying to get import to work * Plumbed alerts client through and logging errors * No longer need the ES cluster client * Fixing types * Fixing imports * Fixing integration tests and refactoring * Throwing an error when rule registry is disabled * Reworking alert update and get to catch errors * Adding tests and fixing errors
…8588) (#109335) * Trying to get import to work * Plumbed alerts client through and logging errors * No longer need the ES cluster client * Fixing types * Fixing imports * Fixing integration tests and refactoring * Throwing an error when rule registry is disabled * Reworking alert update and get to catch errors * Adding tests and fixing errors Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
…8588) (#109334) * Trying to get import to work * Plumbed alerts client through and logging errors * No longer need the ES cluster client * Fixing types * Fixing imports * Fixing integration tests and refactoring * Throwing an error when rule registry is disabled * Reworking alert update and get to catch errors * Adding tests and fixing errors Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
|
Hi @MadameSheema , regarding to #108588 (comment), could you please retest it, seemed that it's been fixed. Thank you! |
…ses (elastic#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes
* wip to remove rbac * Revert "[Cases] Include rule registry client for updating alert statuses (#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes * remove rbac on Trend/Count alert * update detection api for status * remove @kbn-alerts packages * fix leftover * Switching cases to leverage update by query for alert status * Adding missed files * fix bad logic * updating tests for use_alerts_privileges * remove index alias/fields * fix types * fix plugin to get the right index names * left over of alis on template * forget to use current user for create/read route index * updated alerts page to not show table when no privileges and updates to tests * fix bug when switching between o11y and security solution * updates tests and move to use privileges page when user tries to access alerts without proper access * updating jest tests * pairing with yara * bring back kbn-alerts after discussion with the team * fix types * fix index field for o11y * fix bug with updating index priv state * fix i18n issue and update api docs * fix refresh on alerts * fix render view on alerts * updating tests and checking for null in alerts page to not show no privileges page before load * fix details rules Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co> Co-authored-by: Yara Tercero <yara.tercero@elastic.co>
* wip to remove rbac * Revert "[Cases] Include rule registry client for updating alert statuses (elastic#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes * remove rbac on Trend/Count alert * update detection api for status * remove @kbn-alerts packages * fix leftover * Switching cases to leverage update by query for alert status * Adding missed files * fix bad logic * updating tests for use_alerts_privileges * remove index alias/fields * fix types * fix plugin to get the right index names * left over of alis on template * forget to use current user for create/read route index * updated alerts page to not show table when no privileges and updates to tests * fix bug when switching between o11y and security solution * updates tests and move to use privileges page when user tries to access alerts without proper access * updating jest tests * pairing with yara * bring back kbn-alerts after discussion with the team * fix types * fix index field for o11y * fix bug with updating index priv state * fix i18n issue and update api docs * fix refresh on alerts * fix render view on alerts * updating tests and checking for null in alerts page to not show no privileges page before load * fix details rules Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co> Co-authored-by: Yara Tercero <yara.tercero@elastic.co> # Conflicts: # x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
* wip to remove rbac * Revert "[Cases] Include rule registry client for updating alert statuses (elastic#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes * remove rbac on Trend/Count alert * update detection api for status * remove @kbn-alerts packages * fix leftover * Switching cases to leverage update by query for alert status * Adding missed files * fix bad logic * updating tests for use_alerts_privileges * remove index alias/fields * fix types * fix plugin to get the right index names * left over of alis on template * forget to use current user for create/read route index * updated alerts page to not show table when no privileges and updates to tests * fix bug when switching between o11y and security solution * updates tests and move to use privileges page when user tries to access alerts without proper access * updating jest tests * pairing with yara * bring back kbn-alerts after discussion with the team * fix types * fix index field for o11y * fix bug with updating index priv state * fix i18n issue and update api docs * fix refresh on alerts * fix render view on alerts * updating tests and checking for null in alerts page to not show no privileges page before load * fix details rules Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co> Co-authored-by: Yara Tercero <yara.tercero@elastic.co> # Conflicts: # x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
* [RAC] Remove rbac on security solution side (#110472) * wip to remove rbac * Revert "[Cases] Include rule registry client for updating alert statuses (#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes * remove rbac on Trend/Count alert * update detection api for status * remove @kbn-alerts packages * fix leftover * Switching cases to leverage update by query for alert status * Adding missed files * fix bad logic * updating tests for use_alerts_privileges * remove index alias/fields * fix types * fix plugin to get the right index names * left over of alis on template * forget to use current user for create/read route index * updated alerts page to not show table when no privileges and updates to tests * fix bug when switching between o11y and security solution * updates tests and move to use privileges page when user tries to access alerts without proper access * updating jest tests * pairing with yara * bring back kbn-alerts after discussion with the team * fix types * fix index field for o11y * fix bug with updating index priv state * fix i18n issue and update api docs * fix refresh on alerts * fix render view on alerts * updating tests and checking for null in alerts page to not show no privileges page before load * fix details rules Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co> Co-authored-by: Yara Tercero <yara.tercero@elastic.co> # Conflicts: # x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts * skip test Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
* [Security Solution] Updates loock-back time on Cypress tests (#110609) * updates loock-back time * updates loock-back value for 'expectedExportedRule' * skips tests to unblock 7.15 branch * [RAC] Remove rbac on security solution side (#110472) * wip to remove rbac * Revert "[Cases] Include rule registry client for updating alert statuses (#108588)" This reverts commit 1fd7038. This leaves the rule registry mock changes * remove rbac on Trend/Count alert * update detection api for status * remove @kbn-alerts packages * fix leftover * Switching cases to leverage update by query for alert status * Adding missed files * fix bad logic * updating tests for use_alerts_privileges * remove index alias/fields * fix types * fix plugin to get the right index names * left over of alis on template * forget to use current user for create/read route index * updated alerts page to not show table when no privileges and updates to tests * fix bug when switching between o11y and security solution * updates tests and move to use privileges page when user tries to access alerts without proper access * updating jest tests * pairing with yara * bring back kbn-alerts after discussion with the team * fix types * fix index field for o11y * fix bug with updating index priv state * fix i18n issue and update api docs * fix refresh on alerts * fix render view on alerts * updating tests and checking for null in alerts page to not show no privileges page before load * fix details rules Co-authored-by: Jonathan Buttner <jonathan.buttner@elastic.co> Co-authored-by: Yara Tercero <yara.tercero@elastic.co> # Conflicts: # x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts * skip tests Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
Issue: #102929
This PR switches the cases plugin to leverage the rule registry's
AlertsClientto perform updates and retrieval of alerts. This fixes a bug where the alert status would not be updated if the user does not have the appropriate permissions. Prior to this PR cases was interacting directly with the Elasticsearch indices that the alerts were stored in to update their status field and retrieve the alert.There are a few differences with using the
AlertsClient. The client provides a bulk update that accepts multiple ids that would be within the same index. Before we were relying on ES bulk update which accepted id and index pairs. Because of this we essentially do aPromise.all()for each alert that needs its status changed. The client has agetmethod to retrieve a single alert so we request each alert using a similarPromise.all()method.I had to update the ES archives to match the latest mapping and data for the alerts for a few of our integration tests.
I exported a few types in the
rule_registryso they could be imported by cases for tests and references theAlertsClienttype.