
[Security Solution] [Platform] Adds support for data views and runtime field mappings in rule creation, exceptions, and during execution #130929

Merged
merged 107 commits into from
Jun 16, 2022

Conversation


@dhurley14 dhurley14 commented Apr 25, 2022

Summary

Ref: #103587 and #97778

Overview

Users will now have the option of selecting a data view or an index pattern when creating rules. Data views will be available in the EQL, Query, Threat Indicator**, and Threshold rule types.

If a rule is configured to query a data view, any runtime field mappings defined on that data view will also be available as fields to execute during the query and for any applicable override fields such as the severity override, risk score override, rule name override, and timestamp override.

** For querying source documents only. There is no support for threat indicator data views, only index patterns for now.

Affected flows

Rule Creation

  • User can select to use index pattern, or data view
  • Only selection of a single data view, not multiple, is supported
  • Runtime fields associated with data view are viewable in preview
  • Options to overwrite fields will also display runtime fields if relevant (timestamp override, risk score...)
[Screenshot: Rule creation, EQL rule with data view and runtime field]
[Screenshot: Rule preview]

Rule Edit

  • User can select to use index pattern, or data view
  • Only selection of a single data view, not multiple, is supported
  • Runtime fields associated with data view are viewable in preview
  • 👀 If the selected data view no longer exists (like it was deleted), user is prompted with a warning, letting them know
  • To test: create a rule with a data view, go to Stack Management --> Data Views --> delete the data view you selected, go back to the rule and click to edit
[Screenshot: Rule edit when error present]

Rule Details

  • User can see what data view they've selected
  • 👀 If the selected data view no longer exists (like it was deleted), user is prompted with an error, letting them know that rule execution failed
  • To test: create a rule with a data view, go to Stack Management --> Data Views --> delete the data view you selected, go back to the rule
[Screenshot: Rule details when error present]

Rules Management

  • User can select to bulk edit rule index patterns
    • If they select to apply changes to rules with data views, those rules will be updated as well
    • If they do not select to apply changes to rules with data views, those rules are not updated, but the rest are
  • To test:
    • Create a rule with a data view and a rule with index patterns. Go to rule management and select both rules. Select 'Bulk actions' --> Add index patterns --> go through flow to add index pattern (don't select any boxes). The rule using index patterns should be updated, the rule using data views should not be.
    • Create a rule with a data view and a rule with index patterns. Go to rule management and select both rules. Select 'Bulk actions' --> Add index patterns --> go through flow to add index pattern --> check the box Apply changes to rules configured with data views. The rule using index patterns should be updated, the rule using data views should not be.
[Screenshot: Bulk action flyout]
[Screenshot: Bulk action flyout success toast]

Add rule exception modal

  • If the rule the exception list is assigned to is using runtime fields, those runtime fields show as a field option to add an exception for

Example

A user has a runtime field mapping they developed on the logs-* data view in Discover

[Screenshot: adding the runtime field to the data view in Discover]

And the user would now like to use that runtime field mapping as part of a query for an EQL rule (or any of the rules listed above)

[Screenshot: Rule creation, EQL rule with data view and runtime field]
[Screenshot: Rule preview]
[Screenshot: Runtime field populated in the preview alert]

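The execution-time path the PR describes (the rule stores a data view id, the executor resolves that data view at run time, copies its runtime field mappings into the search request, and then reads override fields, which may themselves be runtime fields, off each hit), shown as an added TypeScript example. This is not Kibana's code: the in-memory `DATA_VIEWS` store stands in for the data view saved object, the `RuleParams` names, the validation rules in `applyOverrides` and the sample data view are assumptions, and the severity override is simplified to reading the field's value directly rather than Kibana's value-to-severity mapping. It also covers the failure mode from Rule Details: a deleted data view makes execution fail with an explicit error instead of silently querying nothing.

```typescript
// Added example, not Kibana's code. Models the execution path this PR describes:
// the rule stores a data view id, the executor resolves that data view at run
// time, copies its runtime field mappings into the search request, and reads
// override fields (which may be runtime fields) off each hit.
// Type names, the in-memory data view store and the sample data are assumptions.

type RuntimeFieldMap = Record<string, { type: string; script?: { source: string } }>;

interface DataView {
  id: string;
  title: string; // comma-separated index patterns, as a data view title is
  runtimeFieldMap: RuntimeFieldMap;
}

interface RuleParams {
  query: string;
  index?: string[];          // used when no data view is configured
  dataViewId?: string;
  severityOverride?: string; // assumed names for the override parameters
  riskScoreOverride?: string;
  ruleNameOverride?: string;
  timestampOverride?: string;
}

interface Hit {
  _source: Record<string, unknown>;
  fields?: Record<string, unknown[]>; // runtime fields come back here, never in _source
}

// Constructed stand-in for the data view saved objects: a user defined
// custom.severity as a runtime field on the logs data view in Discover.
const DATA_VIEWS: DataView[] = [
  {
    id: 'logs-dv',
    title: 'logs-*, filebeat-*',
    runtimeFieldMap: {
      'custom.severity': {
        type: 'keyword',
        script: { source: "emit(doc['event.outcome'].value == 'failure' ? 'high' : 'low')" },
      },
    },
  },
];

class DataViewNotFoundError extends Error {
  constructor(id: string) {
    super(`Data view ${id} no longer exists; rule execution cannot continue`);
    this.name = 'DataViewNotFoundError';
  }
}

// A rule queries either a data view or index patterns. A deleted data view is a
// hard failure so the rule reports an execution error instead of querying nothing.
function resolveRuleInputs(params: RuleParams): { index: string[]; runtimeMappings: RuntimeFieldMap } {
  if (params.dataViewId !== undefined) {
    const dv = DATA_VIEWS.find((d) => d.id === params.dataViewId);
    if (dv === undefined) throw new DataViewNotFoundError(params.dataViewId);
    const index = dv.title.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
    return { index, runtimeMappings: { ...dv.runtimeFieldMap } };
  }
  return { index: params.index ?? [], runtimeMappings: {} };
}

// Build the search request. `runtime_mappings` and `fields` are real
// Elasticsearch search options; the query shape is illustrative.
function buildSearchRequest(params: RuleParams, from: string, to: string) {
  const { index, runtimeMappings } = resolveRuleInputs(params);
  const ts = params.timestampOverride ?? '@timestamp';
  return {
    index,
    body: {
      runtime_mappings: runtimeMappings,
      query: {
        bool: {
          filter: [
            { query_string: { query: params.query } },
            { range: { [ts]: { gte: from, lte: to, format: 'strict_date_optional_time' } } },
          ],
        },
      },
      // Request every field, unmapped ones included, so runtime override
      // fields are returned under hit.fields.
      fields: [{ field: '*', include_unmapped: true }],
      sort: [{ [ts]: 'asc' }],
    },
  };
}

// Prefer hit.fields (the only place a runtime field can appear), then fall
// back to walking the dotted path through _source.
function readField(hit: Hit, name: string): unknown {
  const fromFields = hit.fields?.[name];
  if (fromFields !== undefined && fromFields.length > 0) return fromFields[0];
  return name.split('.').reduce<unknown>(
    (acc, key) => (acc !== null && typeof acc === 'object' ? (acc as Record<string, unknown>)[key] : undefined),
    hit._source
  );
}

// Override values come from source documents, so each one is validated before
// it replaces a rule default; anything unexpected keeps the default.
function applyOverrides(
  hit: Hit,
  params: RuleParams,
  defaults: { severity: string; riskScore: number; name: string }
): { severity: string; riskScore: number; name: string; timestamp: string } {
  const SEVERITIES = new Set(['low', 'medium', 'high', 'critical']);
  const sev = readField(hit, params.severityOverride ?? '');
  const score = readField(hit, params.riskScoreOverride ?? '');
  const name = readField(hit, params.ruleNameOverride ?? '');
  const ts = readField(hit, params.timestampOverride ?? '');
  return {
    severity: typeof sev === 'string' && SEVERITIES.has(sev) ? sev : defaults.severity,
    riskScore: typeof score === 'number' && score >= 0 && score <= 100 ? score : defaults.riskScore,
    name: typeof name === 'string' && name.length > 0 ? name : defaults.name,
    timestamp: typeof ts === 'string' && ts.length > 0 ? ts : String(readField(hit, '@timestamp')),
  };
}
```

`runtime_mappings` and `fields: [{ field: '*', include_unmapped: true }]` are genuine Elasticsearch search request options; a runtime field is only ever returned under `hit.fields`, never in `_source`, which is why `readField` looks there first. The value checks in `applyOverrides` are the part worth keeping in mind when enabling overrides: they let document content, which an attacker who can write to the source indices may control, set an alert's severity, risk score and name, so out-of-range or unexpected values should fall back to the rule's defaults rather than be trusted.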

dhurley14 and others added 30 commits February 9, 2022 10:02
…le executor. Future goal is to save the data view id on the rule during rule creation / editing, then when the rule executes we query for the runtime mappings in the index-pattern SO using the data view id, then stuff those runtime mappings into the search after query and we're all good
…index-pattern SO with that data view id. update this to use SO references later.
…l be the default displayed in the data view drop down when editing that rule, the security-solution-dataview will be the default for creating a new rule
@madirey madirey left a comment


Looks like all the comments were addressed, thank you!

@yctercero yctercero left a comment


LGTM - thanks so much for all your work on this feature. Have played around with it and it's looking awesome. So many edge cases you were able to cover here.

Just left some nits around dead code left in some files.

🎉 🎉 🎉

@kqualters-elastic kqualters-elastic left a comment


I think it would be a good idea to do the data fetching and munging of the result outside of useEffects, perhaps use react query or even better a redux middleware, but outside of that the code owners changes LGTM minus some small things already commented on 👍

@dhurley14 dhurley14 enabled auto-merge (squash) June 16, 2022 15:00
@dhurley14 dhurley14 merged commit fec18ba into elastic:main Jun 16, 2022
@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #25 / apis Machine Learning data frame analytics POST data_frame/_evaluate "before all" hook in "POST data_frame/_evaluate"

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 3077 | 3079 | +2 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 5.2MB | 5.3MB | +8.0KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 250.6KB | 250.7KB | +140.0B |

Unknown metric groups

ESLint disabled line counts

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 444 | 443 | -1 |

Total ESLint disabled count

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 519 | 518 | -1 |


@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Jun 16, 2022
@tylersmalley tylersmalley added ci:cloud-deploy Create or update a Cloud deployment and removed ci:deploy-cloud labels Aug 17, 2022
christineweng added a commit that referenced this pull request Sep 1, 2023
…r preview (#165398)

## Summary

This PR addresses a bug where, when a rule is created using a data view, the
analyzer preview is blank. This is due to a check on whether the index exists
before rendering the analyzer preview. This PR updates the index field
from `kibana.alert.rule.parameter.index` to `kibana.alert.rule.indices`;
the latter was introduced in #130929
and is available when a rule is created using either index patterns or a
data view.

**How to reproduce the bug**
- Refer to bug report #164829

**How to test**
- Create a rule using data view
- Generate some alerts
- Go to alerts page, expand a row in alerts table
- Go to Visualization -> Analyzer preview, the analyzer preview tree
should be present


![image](https://github.com/elastic/kibana/assets/18648970/cbe0668e-335d-436a-992c-8970e75a3635)


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 1, 2023
(cherry picked from commit 88c04e5)
kibanamachine referenced this pull request Sep 1, 2023
…analyzer preview (#165398) (#165508)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Security Solution] Expandable flyout - Update index field in
analyzer preview
(#165398)](#165398)


Co-authored-by: christineweng <18648970+christineweng@users.noreply.github.com>
sphilipse pushed a commit to sphilipse/kibana that referenced this pull request Sep 4, 2023
Labels
backport:skip This commit does not require backporting ci:cloud-deploy Create or update a Cloud deployment release_note:enhancement review Team:Detection Alerts Security Detection Alerts Area Team Team:Detection Rule Management Security Detection Rule Management Team Team:Security Solution Platform Security Solution Platform Team Team:Threat Hunting:Investigations Security Solution Investigations Team v8.4.0