[Security Solutions] Change backend routes to use savedObject.resolve with signal id's

[FrankHassanabad]

Describe the feature:

We currently are using SO id's for rules when users go to a particular route such as this one:

${URL}/app/security/rules/id/d18f7640-ff87-11eb-b05e-ddcb529a7bc7

This is typically activated when a user clicks on a particular rule within timeline. When a user clicks on the row it prefers the Saved Object ID. However, that ID will be re-generated and we need to on the backend swap out the savedObject.get() call with a savedObject.resolve()

See https://www.elastic.co/guide/en/kibana/master/sharing-saved-objects.html#sharing-saved-objects-step-2

Eventually we would remove the resolve as time goes on and things are aged out, but really this is the least effort we can do. Otherwise we have to backtrack through the signals and re-write all of their saved object ID's to the new ones once the saved Object ID's will be regenerated for all rules on upgrade of the system.

Describe a specific use case for the feature:
As a user I want to continue to click on "old signals/alerts" and get to the correct ones even after upgrading my system.

Test Criteria

• After upgrading to 7.16, user can continue to access urls that include old alert ids
• After upgrading to 7.16, user can click on their old signals and not hit any errors

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[yctercero]

Reopening for QA check.

cc @MadameSheema

[ghost]

Hi Team,

We tested this ticket on the 7.14.0 release build and upgraded it to 7.16.0 BC2 and found that everything works as expected. After upgrading to 7.16.0, we are able to access the alerts and rules generated on the 7.14.0 build.

Please find below the testing details:

Build Details

- 7.14.0:
BUILD: 42747
COMMIT: f032cf9bdbf6f74b70db5e43b7b1d30f5de22d3e
- 7.16.0:
BUILD: 45662
COMMIT: ae8c5d7765636dd177c72ab19408a0791eba491f

Observations and screenshots

1. Created multiple rules on 7.14.0:

• Custom Query Rule
• EQL Rule
• Threshold Rule
• Elastic Security Rule (inbuilt)

2. Generated alerts for all the rule types:
   
   

3. Upgraded the build to 7.16.0 and observed, everything worked as expected.
   

Alerts.mp4

Please let us know if anything else is required from our end.

Thanks!!

c.c. @MadameSheema

[MadameSheema]

@dhurley14 can you please take a look at the above when you have the chance? Thanks!

[dhurley14]

It's not clear to me whether the alert that @deepikakeshav-qasource clicked on in the video was generated in 7.14 or 7.16. When I tested out the change I started with:

1. I created a rule + alerts in 7.14
2. Turned off the rule before upgrading so it would not generate more alerts in 7.16, guaranteeing that any alerts that show up after upgrade were generated in 7.14.
3. Upgraded to 7.16 with all the data from 7.14 still in Elasticsearch
4. Then checked to make sure the links to the rule details page in the alert details view (from alerts generated only in 7.14) are re-routed with the toast message shown in the first screenshot in my original PR: [Security Solution] [Platform] Utilize SO resolve api for reading rules by id #112478

Can we get confirmation this path works?

[ghost]

Hi @dhurley14,

It's not clear to me whether the alert that @deepikakeshav-qasource clicked on in the video was generated in 7.14 or 7.16. When I tested out the change I started with:

I have generated the alerts on 7.14.0

Thank you for sharing the steps. Please find the below observations:

Steps:

1. Created the rule and generated the alerts in 7.14.0 cloud build.
   

2. Copy the path of rule details page

3. Turned off the rule before upgrading so it would not generate more alerts in 7.16.
   

4. Upgraded to 7.16 with all the data from 7.14 still in Elasticsearch

5. Paste the copied path and its working fine

6. However, we are unable to see the toast message.
   

Note: We have tried the above steps with non default space. however, unable to see the toast message after upgrade the build from 7.14.0 to 7.16.0.

Please let us know if we are missing any step.

Thanks!!

[dhurley14]

@deepikakeshav-qasource I am so sorry. My instructions are incorrect. The upgrade should be from 7.14 to 8.0. The code for the toast message is in 7.16 but it won't appear unless the kibana version is 8.0 because 8.0 is when the breaking change from kibana security triggers the toast. If you can try the same instructions above but migrate from 7.14 to 8.0 the toast should appear. Apologies!

[MadameSheema]

Thanks @dhurley14! but right now is out of scope 8.0 since we are focusing on 7.16.0, but we'll take into consideration for the next testing cycle :)

ping @deepikakeshav-qasource

[dhurley14]

Okay sounds good. Let's keep this issue open until 8.0 BC's are available.

[yctercero]

Hey @MadameSheema @deepikakeshav-qasource can we re-test this with the 8.0 BC before closing out?

[dhurley14]

I believe we can close out this issue now? @MadameSheema @deepikakeshav-qasource ?

[ghost]

Hi @dhurley14 ,

For now we are unable to upgrade the build from 7.14.0 to 8.0.0.

Please let us know if we need to share our observation for any other build with upgrade path.

Thanks!!

[MadameSheema]

@deepikakeshav-qasource @dhurley14 as per my understanding, the only way to upgrade to 8.0 is from 7.17.x so it is going to be impossible to upgrade from 7.14 to 8.0 directly, the path should be 7.14 -> 7.17 -> 8.0.

@dhurley14 can you please confirm which is the upgrade path we need to verify? Thanks :)

[dhurley14]

Hi yes the upgrade path from 7.17 -> 8.0 should work the same (hopefully!) Sorry for the confusion!

[ghost]

Hi @dhurley14 ,

We have validated this ticket with upgrade path from 7.17 -> 8.0 . Please find the below observations:

Build Details:

Version: 8.0.0 Snapshot
Build: 49125
Commit: 1678a714924636da4f92cdfcf5b1e766d053cd5e

Steps:

1. Created the rule and generated the alerts in 7.17.0 cloud build.

2. Copy the path of rule details page
3. Turned off the rule before upgrading so it would not generate more alerts in 8.0.0.
4. Upgraded to 8.0.0 with all the data from 7.17.0 still in Elasticsearch
5. Paste the copied path and its working fine
6. However, we are unable to see the toast message.
   

Please let us know if it if expected?

Thanks!!

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[dhurley14]

@deepikakeshav-qasource Sorry I don't think I clarified the exact steps outside of the original pr: #112478

It looks like that rule was created in the default space? The popup will only appear for a rule created in a non-default space.

So the exact steps are to

1. create a new space in 7.x
2. create a rule in that new space (non-default space)
3. copy that URL for the rule details page
4. upgrade to 8.x
5. paste that old URL

There should be a redirect and a small toast message in the lower right corner similar to what appears in the screenshot in my original PR #112478

Sorry for the confusion!

[ghost]

Hi @dhurley14 ,

Thanks for sharing the detailed steps.

We have validated this ticket with above steps and observed that issue is fixed. 🟢 .

Please find the below testing details:

Build Details:

Version: 8.0.0 Snapshot
Build: 49125
Commit: 1678a714924636da4f92cdfcf5b1e766d053cd5e

Steps:

1. create a new space in 7.17.0
2. create a rule in that new space
3. copy that URL for the rule details page

rule_space.mp4

4. upgrade to 8.0
5. paste that old URL and able to see the toast message
   

Hence, We are closing this issue and marking as QA Validated.

Thanks!!