[Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes #71321
Conversation
| '', | ||
| 'kuery', | ||
| [], | ||
| ['.siem-signals'], |
There was a problem hiding this comment.
I'll need to use the siemSignalsIndex hook here to get the right indexPattern
| }: { | ||
| query: Query; | ||
| language: Language; | ||
| lists: ExceptionListItemSchema[] | undefined; | ||
| lists: Array<ExceptionListItemSchema | CreateExceptionListItemSchema> | undefined; | ||
| exclude?: boolean; |
There was a problem hiding this comment.
This is needed because the logic is negated when adding an exception (we want to exclude), but when closing alerts we don't want to do that.
| exceptionItemsToAddOrUpdate, | ||
| false | ||
| ); | ||
| await updateAlertStatus({ |
There was a problem hiding this comment.
@FrankHassanabad I think we may need to use wait_for_completion=false on the updateByQuery here. Otherwise the request could take a while.
| ? [buildExceptionItemEntries({ lists: exceptionItem.entries, language, exclude })] | ||
| : []), | ||
| ]; | ||
| }, [] as string[]); |
There was a problem hiding this comment.
You should be able to do, lists.reduce<string>( and avoid the as string cast fwiw.
| 'kuery', | ||
| [], | ||
| ['.siem-signals'], | ||
| exceptionItemsToAddOrUpdate, |
There was a problem hiding this comment.
The query for bulk closing has to account for the event fields in the original event being moved to original_event in the signal - https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts#L57
There was a problem hiding this comment.
Does this mean that i'll have to replace any exception item fields that start with event. with signal.original_event. before creating the ES Filter?
There was a problem hiding this comment.
Yeah in general signal.original_event holds the original event's event fieldset and event. in the signal refers to the "signal creation" event rather than the original event - so replacing all event. uses with signal.original_event. would be safest in case we use more signal specific event fields later on. Right now the only difference between I know of between event and signal.original_event is that event.kind is hardcoded to signal.
peluja1012
force-pushed
the
exception-modal-bulk-close
branch
from
a9a3ea5
to
6d4e4f1
Compare
|
Pinging @elastic/siem (Team:SIEM) |
| @@ -22,10 +22,82 @@ import { | |||
| EntryMatch, | |||
| EntryMatchAny, | |||
| EntriesArray, | |||
There was a problem hiding this comment.
Lots of changes in this file because I refactored the code a bit to keep it more DRY, especially since I was going to use similar expected values for the tests I was adding. The end result looks like this:
peluja1012
force-pushed
the
exception-modal-bulk-close
branch
from
6d4e4f1
to
e7ecadc
Compare
|
|
||
| return exceptionItems.map((item: ExceptionListItemSchema | CreateExceptionListItemSchema) => { | ||
| if (item.entries !== undefined) { | ||
| const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { |
There was a problem hiding this comment.
| const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { | |
| const newEntries = item.entries.map((itemEntry: Entry | EntryNested) => { |
There was a problem hiding this comment.
I'm adding this too
| if (item.entries !== undefined) { | ||
| const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { | ||
| if (itemEntry.type === 'nested') { | ||
| const newNestedEntries = itemEntry.entries.map((nestedEntry: EntryMatch) => { |
There was a problem hiding this comment.
I think we only want to replace top level entries that start with event. so we can remove the whole if (itemEntry.type === 'nested') { block and always execute what is currently the else part.
| entries: [ | ||
| { | ||
| ...getEntryMatchMock(), | ||
| field: 'event.module', |
There was a problem hiding this comment.
the full path to this field would be host.name.event.module? In that case the field would stay the same, it wouldn't move to host.name.signal.original_event.module
💚 Build SucceededBuild metrics@kbn/optimizer bundle module count
History
To update your PR or re-run it, just comment with: |
* master: (314 commits) [APM] Use status_code field to calculate error rate (elastic#71109) [Observability] Change appLink passing the date range (elastic#71259) [Security] Add Timeline improvements (elastic#71506) adjust vislib bar opacity (elastic#71421) Fix ScopedHistory mock and adapt usages (elastic#71404) [Security Solution] Add hook for reading/writing resolver query params (elastic#70809) [APM] Bug fixes from ML integration testing (elastic#71564) [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404) [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275) [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321) Change signal.rule.risk score mapping from keyword to float (elastic#71126) Added help text where needed on connectors and alert actions UI (elastic#69601) [SIEM][Detections] Value Lists Management Modal (elastic#67068) [test] Skips test preventing promotion of ES snapshot elastic#71582 [test] Skips test preventing promotion of ES snapshot elastic#71555 [ILM] Fix alignment of the timing field (elastic#71273) [SIEM][Detection Engine][Lists] Adds the ability for exception lists to be multi-list queried. (elastic#71540) initial telemetry setup (elastic#69330) [Reporting] Formatting fixes for CSV export in Discover, CSV download from Dashboard panel (elastic#67027) Search across spaces (elastic#67644) ...
…t-apps-page-titles * 'master' of github.com:elastic/kibana: (88 commits) [ML] Functional tests - disable DFA creation and cloning tests [APM] Use status_code field to calculate error rate (elastic#71109) [Observability] Change appLink passing the date range (elastic#71259) [Security] Add Timeline improvements (elastic#71506) adjust vislib bar opacity (elastic#71421) Fix ScopedHistory mock and adapt usages (elastic#71404) [Security Solution] Add hook for reading/writing resolver query params (elastic#70809) [APM] Bug fixes from ML integration testing (elastic#71564) [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404) [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275) [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321) Change signal.rule.risk score mapping from keyword to float (elastic#71126) Added help text where needed on connectors and alert actions UI (elastic#69601) [SIEM][Detections] Value Lists Management Modal (elastic#67068) [test] Skips test preventing promotion of ES snapshot elastic#71582 [test] Skips test preventing promotion of ES snapshot elastic#71555 [ILM] Fix alignment of the timing field (elastic#71273) [SIEM][Detection Engine][Lists] Adds the ability for exception lists to be multi-list queried. (elastic#71540) initial telemetry setup (elastic#69330) [Reporting] Formatting fixes for CSV export in Discover, CSV download from Dashboard panel (elastic#67027) ... # Conflicts: # x-pack/plugins/index_management/public/application/index.tsx
* master: (72 commits) [test] Skips test preventing promotion of ES snapshot elastic#71612 [Logs UI] Remove UUID from Alert Instances (elastic#71340) [Metrics UI] Remove UUID from Alert Instance IDs (elastic#71335) [ML] Functional tests - disable DFA creation and cloning tests [APM] Use status_code field to calculate error rate (elastic#71109) [Observability] Change appLink passing the date range (elastic#71259) [Security] Add Timeline improvements (elastic#71506) adjust vislib bar opacity (elastic#71421) Fix ScopedHistory mock and adapt usages (elastic#71404) [Security Solution] Add hook for reading/writing resolver query params (elastic#70809) [APM] Bug fixes from ML integration testing (elastic#71564) [Discover] Add caused_by.type and caused_by.reason to error toast modal (elastic#70404) [Security Solution] Add 3rd level breadcrumb to admin page (elastic#71275) [Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes (elastic#71321) Change signal.rule.risk score mapping from keyword to float (elastic#71126) Added help text where needed on connectors and alert actions UI (elastic#69601) [SIEM][Detections] Value Lists Management Modal (elastic#67068) [test] Skips test preventing promotion of ES snapshot elastic#71582 [test] Skips test preventing promotion of ES snapshot elastic#71555 [ILM] Fix alignment of the timing field (elastic#71273) ...
MindyRS
added
the
Team: SecuritySolution
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
Adds the bulk close feature to the Exception modal. A couple of items of note:
.signalsindex that match the exception's fields and values included in the Exception ModalBulk close disabled when "is in list" operator is selected
Bulk closing 4,100 alerts from Edit Modal
Testing
Navigate to the Alerts page, click on the overflow menu and select
Add exception. After selecting the exception attributes, click the checkbox with textClose all alerts that match attributes in this exception.Checklist
Delete any items that are not applicable to this PR.
For maintainers