
[Security Solution][Data Views] - Add alerts on alerts data view warning #138186

Merged
merged 8 commits into from
Aug 9, 2022

Conversation

yctercero
Contributor

@yctercero yctercero commented Aug 4, 2022

Summary

The default security data view includes the alerts index. This means that a rule that uses this data view can result in alerts on alerts. At first glance, it seems the default data view is equivalent to the default index patterns we normally display on rule creation, but it is not in that it includes the alerts index.

Screen Shot 2022-08-08 at 10 10 24 AM

Checklist

@yctercero yctercero added release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. auto-backport Deprecated - use backport:version if exact versions are needed Team:Security Solution Platform Security Solution Platform Team v8.4.0 v8.5.0 labels Aug 4, 2022
@yctercero yctercero requested a review from a team August 4, 2022 22:56
@yctercero yctercero requested a review from a team as a code owner August 4, 2022 22:56
@yctercero yctercero self-assigned this Aug 4, 2022
@yctercero yctercero requested a review from xcrzx August 4, 2022 22:56
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@yctercero yctercero requested a review from yiyangliu9286 August 4, 2022 22:59
@banderror banderror requested review from vitaliidm and removed request for xcrzx August 7, 2022 10:59
Contributor

@dhurley14 dhurley14 left a comment


LGTM!

@dhurley14
Contributor

@elasticmachine merge upstream

Contributor

@joepeeples joepeeples left a comment


Thanks for looping in the docs team! I added a couple of suggestions for the callout message.

@yctercero
Contributor Author

@elasticmachine merge upstream

@banderror banderror requested review from banderror and removed request for vitaliidm August 8, 2022 20:50
@yctercero yctercero enabled auto-merge (squash) August 9, 2022 01:43
@yctercero
Contributor Author

@elasticmachine merge upstream

@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 5.6MB | 5.6MB | +755.0B |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @yctercero

Contributor

@banderror banderror left a comment


Just some nits @yctercero, thanks for the enhancement!

Thinking about this from the usability side, why do we allow the user to select this data view if likely in most situations this will lead to users shooting themselves in the foot? Some thoughts off the top of my head:

  • this default data view seems to be suitable for "Explore" pages like Hosts, but is dangerous for rules to be used => so we might want to filter it out when showing the data view selector
  • some kind of "default data view for security rules" could help - this one would exclude the alerts index and include the source event indices
  • "alerts on alerts" could be an explicit "data source" in the UI in addition to index patterns and data views

cc @jethr0null

const dataViewsTitle = kibanaDataViews[dataViewId].title;
const dataViewsId = kibanaDataViews[dataViewId].id;

setShowDataViewAlertsOnAlertsWarning(dataViewsId === 'security-solution-default');
Contributor


Nit: is there a subtle reason why this is implemented via useEffect when showDataViewAlertsOnAlertsWarning is a state derivative from dataViewId? Seems like could be implemented via useMemo.
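The two points raised on this PR, the summary's observation that the default security data view covers the alerts index and so lets a rule alert on its own alerts, and the review suggestion that the warning flag is a pure derivation from the selected data view rather than something an effect should set, can be demonstrated together in plain TypeScript. The following is an added example, not code from the Kibana PR or the Kibana code base. It keeps the PR's own check (the `security-solution-default` id) and goes one step further by also inspecting the data view's index patterns, so a custom data view that happens to cover the alerts index is flagged as well. Assumptions: the `DataView` shape is simplified to `{ id, title }`, the title uses Elasticsearch multi-target syntax (comma-separated patterns, `*` wildcard, leading `-` excludes), and the name of the alerts index is supplied by the caller because it varies per deployment and space; the sample index name below is constructed.

```typescript
// Added example (not the PR's code): derive the "alerts on alerts" warning as a
// pure function of the selected data view, and generalise the id check with a
// pattern check. DataView shape and the alerts index name are assumptions.

export interface DataView {
  id: string;
  // Comma-separated index patterns, Elasticsearch multi-target style:
  // "logs-*,-logs-skip*" (a leading "-" excludes that pattern).
  title: string;
}

// Taken from the PR: the id of the default security data view, which includes
// the alerts index.
export const DEFAULT_SECURITY_DATA_VIEW_ID = 'security-solution-default';

// Escape regex metacharacters (except "*"), turn "*" into ".*", anchor to the whole name.
export function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// True when the pattern list resolves to the given index: at least one inclusion
// matches it and no exclusion ("-pattern") rules it back out.
export function patternsCoverIndex(title: string, indexName: string): boolean {
  const patterns = title.split(',').map((p) => p.trim()).filter((p) => p.length > 0);
  const included = patterns.some((p) => !p.startsWith('-') && globToRegExp(p).test(indexName));
  const excluded = patterns.some((p) => p.startsWith('-') && globToRegExp(p.slice(1)).test(indexName));
  return included && !excluded;
}

// The check the PR adds (id equality) plus the pattern-based generalisation.
export function dataViewIncludesAlerts(dataView: DataView, alertsIndexName: string): boolean {
  return (
    dataView.id === DEFAULT_SECURITY_DATA_VIEW_ID ||
    patternsCoverIndex(dataView.title, alertsIndexName)
  );
}

// Warning text for the rule form, or null when no warning is needed. Being a pure
// derivation of its inputs, this is what a useMemo would wrap in the component.
export function alertsOnAlertsWarning(dataView: DataView, alertsIndexName: string): string | null {
  return dataViewIncludesAlerts(dataView, alertsIndexName)
    ? `Data view "${dataView.id}" includes the alerts index (${alertsIndexName}); ` +
      'a rule using it may generate alerts on alerts.'
    : null;
}

// Constructed sample inputs; the alerts index name is a placeholder for this example.
export const SAMPLE_ALERTS_INDEX = '.alerts-example-default';
export const SAMPLE_DATA_VIEWS: DataView[] = [
  { id: 'security-solution-default', title: 'logs-*,.alerts-example-default' },
  { id: 'source-events-only', title: 'logs-*,filebeat-*' },
  { id: 'everything', title: '*' },
  { id: 'everything-minus-alerts', title: '*,-.alerts-*' },
];

for (const dv of SAMPLE_DATA_VIEWS) {
  console.log(dv.id, '=>', alertsOnAlertsWarning(dv, SAMPLE_ALERTS_INDEX) ?? 'no warning');
}
```

Of the four constructed data views, the default one (by id), the catch-all `*` one and the one that names the alerts index explicitly produce a warning; the source-events-only view and the `*,-.alerts-*` view, which excludes the alerts indices again, do not. Keeping the decision in a pure function also makes it trivial to unit-test without rendering the component.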

const dataViewsTitle = kibanaDataViews[dataViewId].title;
const dataViewsId = kibanaDataViews[dataViewId].id;

setShowDataViewAlertsOnAlertsWarning(dataViewsId === 'security-solution-default');
Contributor


Is there a common constant for security-solution-default?

{showDataViewAlertsOnAlertsWarning && (
<>
<EuiCallOut
title={i18n.DDATA_VIEW_ALERTS_ON_ALERTS_WARNING_LABEL}
Contributor


Nit: DDATA

@yctercero yctercero merged commit b406632 into elastic:main Aug 9, 2022
kibanamachine pushed a commit that referenced this pull request Aug 9, 2022
…ing (#138186)

## Summary

The default security data view includes the alerts index. This means that a rule that uses this data view can result in alerts on alerts. At first glance, it seems the default data view is equivalent to the default index patterns we normally display on rule creation, but it is not in that it includes the alerts index.

(cherry picked from commit b406632)
@kibanamachine
Contributor

💚 All backports created successfully

Status Branch Result
8.4

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

@yctercero
Contributor Author

> Just some nits @yctercero, thanks for the enhancement!
>
> Thinking about this from the usability side, why do we allow the user to select this data view if likely in most situations this will lead to users shooting themselves in the foot? Some thoughts off the top of my head:
>
>   • this default data view seems to be suitable for "Explore" pages like Hosts, but is dangerous for rules to be used => so we might want to filter it out when showing the data view selector
>   • some kind of "default data view for security rules" could help - this one would exclude the alerts index and include the source event indices
>   • "alerts on alerts" could be an explicit "data source" in the UI in addition to index patterns and data views
>
> cc @jethr0null

Thanks for the review! I'll follow up to address the nits. They may just not go in 8.4. Completely agree with your observations. We're currently re-examining the sourcerer architecture and one of my suggestions includes breaking the default data view differently - at the very least having it not include alerts and having the alerts be a data view all its own. Please feel free to add any thoughts you might have in that ticket as well.

cc @YulNaumenko

@yctercero yctercero deleted the data_views_warning branch August 9, 2022 14:00
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Aug 9, 2022
…ing (elastic#138186) (elastic#138397)

## Summary

The default security data view includes the alerts index. This means that a rule that uses this data view can result in alerts on alerts. At first glance, it seems the default data view is equivalent to the default index patterns we normally display on rule creation, but it is not in that it includes the alerts index.

(cherry picked from commit b406632)

Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>

@yiyangliu9286 yiyangliu9286 left a comment


LGTM!

8 participants