
[SIEM] Autojump to duplicated a detection rule #57423

Closed
philippkahr opened this issue Feb 12, 2020 · 9 comments
Labels: Feature:Detection Rules (Security Solution rules and Detection Engine); Team:Detections and Resp (Security Detection Response Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); Team:SIEM

Comments

@philippkahr
Contributor

Describe the feature:

  1. When using built-in detection rules and trying to modify them, you need to duplicate them.
  2. When hitting the "Duplicate rule..." button:
    2.1. The current rule should be deactivated (open for discussion).
  3. You should jump directly to the newly created, duplicated rule.

Hitting the duplicate button, then having to go back a page, select another filter within the table and then selecting the newly created rule feels a bit tedious.

[Animated GIF attachment: ezgif-2-7e398fdd8f9f]

I think it fits on the action item list from #53782

@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@randomuserid
Contributor

I think this is a good workflow idea & one that some other rule interfaces do

@spong
Member

spong commented Feb 15, 2020

Thanks for taking some time to use the Detection Engine @PhilippBaranovskiy -- appreciate the feedback! 🙂

This had come up in our post feature freeze design review, and will likely be taken care of in the near term.

As for deactivating a rule on duplication -- that'd be a nice improvement for this flow. Perhaps we could make the Duplication action a split button with a Duplicate and deactivate option or even a separate action entirely that is only present if the rule is currently activated. Thoughts @MichaelMarcialis?

@spong spong self-assigned this Feb 15, 2020
@MichaelMarcialis
Contributor

As for deactivating a rule on duplication -- that'd be a nice improvement for this flow. Perhaps we could make the Duplication action a split button with a Duplicate and deactivate option or even a separate action entirely that is only present if the rule is currently activated. Thoughts @MichaelMarcialis?

Yeah, I like that idea. When the rule that is desired to be duplicated is active, the user can select "Duplicate" or "Deactivate & Duplicate" from that rule's overflow menu.

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@xcrzx
Contributor

xcrzx commented Apr 8, 2021

Related issues: #82566, #82100

@PhilippBaranovskiy
Contributor

[Image attachment]

Thanks go to @philippkahr, appreciate your feedback!

@spong
Member

spong commented Apr 12, 2021

Linking #96520 as a related enhancement for removing the appended [Duplicate] title text in favor of a Duplicate tag.

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror added the Feature:Detection Rules Security Solution rules and Detection Engine label Apr 20, 2021
@spong
Member

spong commented Apr 23, 2021

Closing, resolved via #96760

@spong spong closed this as completed Apr 23, 2021
10 participants