
Add Host Risk metadata data to alerts flyout #113274

Merged
merged 25 commits into from
Oct 7, 2021

Conversation

machadoum
Member

@machadoum machadoum commented Sep 28, 2021

Summary

issue: https://github.com/elastic/security-team/issues/1309

  • Add Host Risk metadata data to alerts flyout
  • Filter out empty fields from the alerts flyout summary tab
  • Update the alerts flyout summary tab "Threat Summary" section to use the same layout as Host Risk.

Screenshot 2021-09-28 at 17 21 57

Screenshot 2021-09-29 at 18 30 13

How to test Host risk data:

  1. Log into the security app, visit the alerts page and open the flyout for an alert. It shouldn't display the host risk data panel.

  2. Enable the feature flag and check it again. It should display the panel and show that there is no data for the host. Add xpack.securitySolution.enableExperimental: ['riskyHostsEnabled'] to kibana.dev.yml

  3. If you are using a custom .siem-signals index as per your kibana.dev.yml, run the following reindex query to obtain a .siem-signals-default-* index.
     Note: this step is required for properly loading the Drilldown of Host Risk Score dashboard, as it looks for the index pattern .siem-signals-default-*

Create default .siem-signals index


POST _reindex
{
  "source": {
    "index": "my-custom-siem-signals-index-name"
  },
  "dest": {
    "index": ".siem-signals-default-test"
  }
}
  4. Make the following requests in Kibana Dev Tools

Create ml_host_risk_score_latest index


PUT ml_host_risk_score_latest
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "host": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },
      "ingest_timestamp": {
        "type": "date"
      },
      "risk": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "risk_score": {
        "type": "float"
      }
    }
  }
}

Add data to ml_host_risk_score_latest index (please replace {MY-HOST-NAME} by a valid hostname)


POST ml_host_risk_score_latest/_doc
{"@timestamp":"2021-02-23T23:00:00.000Z","risk_score":21,"host":{"name":"{MY-HOST-NAME}"},"rules":{"Unusual Linux Username":{"average_risk":21,"rule_count":2,"rule_risk":42}},"ingest_timestamp":"2021-07-27T18:02:08.319296053Z","risk":"Low"}

Create ml_host_risk_score index


POST _reindex
{
  "source": {
    "index": "ml_host_risk_score_latest"
  },
  "dest": {
    "index": "ml_host_risk_score"
  }
}

  5. Create an index pattern in Kibana / Stack Management / Index Patterns. The name of the index pattern should be ml-host-risk-score-index-pattern, and it should point to ml_host_risk_score

  6. Open the flyout for an event with the same hostname as the document you added to ml_host_risk_score_latest ({MY-HOST-NAME})

How to test Threat Summary new design

  1. Install filebeat: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
  2. Enable the threat intel module (filebeat modules enable threatintel): https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html
  3. Start filebeat
  4. Create an Indicator Match rule and map one threat intel field.
  5. Open the flyout for a generated event.

Remaining to-do items

  • Fix rendering order of enriched data and investigation guide
  • Change enriched data panel border to make it rounded
  • The URL inside the tooltip isn't clickable

Checklist

Delete any items that are not applicable to this PR.
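To illustrate the two behaviours this PR describes (empty fields dropped from the summary tab, and a host risk panel that appears only when the riskyHostsEnabled flag is on), here is an added example that is not Kibana's code: the names HostRiskDoc, buildSummaryRows, isEmpty and findHostRisk and the row titles are hypothetical, and the seeded document is a constructed sample shaped like the one in the test instructions above.

```typescript
// Hypothetical model of a document in ml_host_risk_score_latest (fields as seeded above).
interface HostRiskDoc {
  "@timestamp": string;
  host: { name: string };
  risk: string;
  risk_score: number;
}

interface SummaryRow { title: string; value: string }

// Constructed sample, shaped like the document posted in the test instructions.
const hostRiskDocs: HostRiskDoc[] = [
  { "@timestamp": "2021-02-23T23:00:00.000Z", host: { name: "web-01" }, risk: "Low", risk_score: 21 },
];

// A field is "empty" when it is null/undefined, blank, or an array with no non-empty entries.
function isEmpty(value: unknown): boolean {
  if (value == null) return true;
  if (typeof value === "string") return value.trim() === "";
  if (Array.isArray(value)) return value.length === 0 || value.every((v) => isEmpty(v));
  return false;
}

// Latest risk document for a host (newest @timestamp wins).
function findHostRisk(hostName: string, docs: HostRiskDoc[]): HostRiskDoc | undefined {
  return docs
    .filter((d) => d.host.name === hostName)
    .sort((a, b) => b["@timestamp"].localeCompare(a["@timestamp"]))[0];
}

// Builds the flyout summary rows: alert fields minus empty ones, plus the host risk
// panel rows when the feature flag is enabled.
function buildSummaryRows(
  alert: Record<string, unknown>,
  opts: { riskyHostsEnabled: boolean; hostRiskDocs: HostRiskDoc[] },
): SummaryRow[] {
  const rows: SummaryRow[] = [];
  for (const [field, value] of Object.entries(alert)) {
    if (isEmpty(value)) continue; // filter out empty fields
    rows.push({ title: field, value: Array.isArray(value) ? value.join(", ") : String(value) });
  }
  if (opts.riskyHostsEnabled) { // panel is gated by the feature flag
    const hostName = alert["host.name"];
    const doc = typeof hostName === "string" ? findHostRisk(hostName, opts.hostRiskDocs) : undefined;
    rows.push({ title: "Host risk", value: doc ? doc.risk : "No host risk data" });
    if (doc) rows.push({ title: "Host risk score", value: String(doc.risk_score) });
  }
  return rows;
}
```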

@machadoum machadoum force-pushed the siem-explore-issue-1309 branch 4 times, most recently from 52602fb to d32202e Compare September 29, 2021 15:58
@machadoum machadoum marked this pull request as ready for review September 29, 2021 16:42
@machadoum machadoum requested a review from a team as a code owner September 29, 2021 16:42
@machadoum machadoum self-assigned this Sep 29, 2021
@machadoum machadoum added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team v7.16.0 v8.0.0 auto-backport Deprecated - use backport:version if exact versions are needed release_note:feature Makes this part of the condensed release notes labels Sep 29, 2021
@rylnd rylnd requested a review from ecezalp September 29, 2021 16:54
Contributor

@rylnd rylnd left a comment


As I mentioned inline, there appears to be a lot of duplicated logic between this branch and the code added in https://github.com/elastic/kibana/pull/109553/files; I think we need a pass here to ensure we're not reinventing the wheel. @ecezalp or I should be able to help as needed.

Additionally, we've just added https://github.com/elastic/security-team/issues/1785 to address the current lack of space awareness in the host risk pipeline; the changes described there are going to need to happen here, as well (namely: replacing RISKY_HOSTS_INDEX with a space-aware equivalent).

@machadoum machadoum force-pushed the siem-explore-issue-1309 branch 2 times, most recently from 859f75b to ffd7534 Compare September 30, 2021 14:44
@monina-n

monina-n commented Sep 30, 2021

Updates to text styles, padding, and margins moved for 8.1 -> https://github.com/elastic/security-team/issues/1764

@machadoum machadoum force-pushed the siem-explore-issue-1309 branch 2 times, most recently from 698683b to 84c5616 Compare October 4, 2021 13:40
@angorayc
Contributor

angorayc commented Oct 4, 2021

I have a small problem about the Host Risk Score link here, I tried hover onto in real fast, but I still couldn't reach it
Screenshot 2021-10-04 at 16 10 05

@machadoum
Member Author

I have a small problem about the Host Risk Score link here, I tried hover onto in real fast, but I still couldn't reach it

Thank you Angela!

The Design team is aware and I am waiting for an alternative UI for this tooltip.

Tagging @monina-n

@machadoum machadoum force-pushed the siem-explore-issue-1309 branch from 2994a5b to 7e27b6f Compare October 6, 2021 11:32
@machadoum
Member Author

I have a small problem about the Host Risk Score link here, I tried hover onto in real fast, but I still couldn't reach it

Issue fixed by this commit: 4a18a9d

@kibanamachine
Contributor

💚 Build Succeeded

Metrics

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2293 2297 +4

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
securitySolution 1299 1307 +8

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.3MB 4.3MB +6.3KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 102.2KB 102.2KB +8.0B

Unknown metric groups

API count

id before after diff
securitySolution 1353 1361 +8

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @machadoum

Contributor

@stephmilovic stephmilovic left a comment


Great work on turning this around quickly. Thank you for updating the tests to be in react testing library. LGTM! 🚀 🎸

@machadoum machadoum merged commit 95d53a2 into elastic:master Oct 7, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 7, 2021
* Filter out empty values from alert flyout overview

* Add Host Risk metadata data to alerts flyout

* Add feature flag to host risk data query

* Swap investigation guide and enrichment data places in the UI

* Migrate alert_summary_view.test to react testing library

* Refactor threat summary by extracting components and renaming
@kibanamachine
Contributor

💚 Backport successful

Branch: 7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Oct 7, 2021
* Filter out empty values from alert flyout overview

* Add Host Risk metadata data to alerts flyout

* Add feature flag to host risk data query

* Swap investigation guide and enrichment data places in the UI

* Migrate alert_summary_view.test to react testing library

* Refactor threat summary by extracting components and renaming

Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
7 participants