
[Security Solution] Add more actions to alerts flyout #105767

Merged
merged 33 commits into from
Aug 4, 2021

Conversation

angorayc

@angorayc angorayc commented Jul 15, 2021

Summary

This PR is to implement the take action button for the alert flyout.

The action button should be available from case view and alerts table:

[Screenshot 2021-08-02 at 14:50:55]

[Screenshot 2021-08-02 at 14:53:02]

@angorayc angorayc changed the title [Security Solution] inspect alert in timeline from flyout [Security Solution] Add more actions to alerts flyout Jul 20, 2021
@parkiino parkiino left a comment


I wonder if it makes more sense to move the TakeActionDropdown component outside of the host_isolation folder into a more top-level folder, since now there are new actions that aren't necessarily related to host isolation? Also, is it possible to make each menu item look the same?

@angorayc angorayc force-pushed the flyout-overview-inspect branch from c580050 to 51bef34 Compare July 26, 2021 16:52
@angorayc angorayc force-pushed the flyout-overview-inspect branch from 2a6c5a9 to 0aaece0 Compare July 30, 2021 11:08
@angorayc angorayc added Team:Threat Hunting Security Solution Threat Hunting Team v7.15.0 v8.0.0 labels Aug 2, 2021
@angorayc angorayc marked this pull request as ready for review August 2, 2021 15:48
@angorayc angorayc requested a review from a team as a code owner August 2, 2021 15:48
@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@semd semd left a comment


LGTM!

{
name: isolateHostTitle,
onClick: isolateHostHandler,
disabled: loadingHostIsolationStatus || agentStatus === HostStatus.UNENROLLED,

I found a fix for why the Isolate host option always remains disabled after some digging. It looks like loadingHostIsolationStatus is always true because of some code I wrote before that no longer works. If you could modify the use_isolation_status.tsx file with the diff below, the isolate host option should work again. Let me know if you want me to send you a patch file; otherwise, I just copied and pasted the diff below!

index 6a40898d0a1..0631964660b 100644
--- a/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_host_isolation_status.tsx
+++ b/x-pack/plugins/security_solution/public/detections/containers/detection_engine/alerts/use_host_isolation_status.tsx
@@ -37,6 +37,7 @@ export const useHostIsolationStatus = ({
     const abortCtrl = new AbortController();
     // isMounted tracks if a component is mounted before changing state
     let isMounted = true;
+    setLoading(true);
     let fleetAgentId: string;
     const fetchData = async () => {
       try {
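Review bot: `setLoading(true)` is now called unconditionally at the top of the effect, but the fetch it precedes only runs when `agentId` is non-empty (see the second hunk), so an alert with no agent id leaves `loading` true indefinitely and the isolate option stays disabled for a new reason. Either guard the call with the same `!isEmpty(agentId)` check, or add an explicit `setLoading(false)` branch for the empty case.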
@@ -73,15 +74,10 @@ export const useHostIsolationStatus = ({
       }
     };

-    setLoading((prevState) => {
-      if (prevState) {
-        return prevState;
-      }
-      if (!isEmpty(agentId)) {
-        fetchData();
-      }
-      return true;
-    });
+    if (!isEmpty(agentId)) {
+      fetchData();
+    }
+
     return () => {
       // updates to show component is unmounted
       isMounted = false;
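Review bot: dropping the `prevState` guard is the right fix, since returning early from the updater meant `fetchData` never ran once `loading` was true, and calling a fetch from inside a state updater is a side effect React may invoke more than once. With the guard gone, `fetchData()` now runs on every execution of this effect, so keep the effect's dependencies limited to `agentId`, and have the cleanup call `abortCtrl.abort()` alongside `isMounted = false` so a response for a stale agent id cannot overwrite the status fetched for the newer one.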

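A framework-free model of the corrected loading-state flow described in the comment above, added here as an example; it is not code from Kibana or from the PR author. The loader class, its cancel token (standing in for the effect's AbortController) and the `isolateHostDisabled` helper are assumptions made for illustration. It covers the three behaviours a reviewer would check: loading is not left true when there is no agent id, a completed fetch clears loading, and a response for a superseded agent id is dropped.

```typescript
// Added example (not Kibana code): a React-free model of the host isolation
// status loader, so the loading-state rules can be exercised without a UI.

type AgentStatus = 'healthy' | 'unenrolled' | 'unknown';

interface IsolationState {
  loading: boolean;
  isolated: boolean;
  agentStatus: AgentStatus;
  error?: string;
}

// Assumption: a plain cancel token stands in for the effect's AbortController.
interface CancelToken {
  cancelled: boolean;
}

// A request handle the caller settles by hand; it stands in for the HTTP call
// made by fetchData in the hook.
interface PendingRequest {
  agentId: string;
  token: CancelToken;
  resolve(isolated: boolean, status: AgentStatus): void;
  reject(err: Error): void;
}

class HostIsolationStatusLoader {
  state: IsolationState = { loading: false, isolated: false, agentStatus: 'unknown' };
  private current: CancelToken | null = null;

  // Mirrors the effect body: cancel any in-flight request, mark loading, and
  // fetch only when an agent id is present.
  load(agentId: string): PendingRequest | null {
    if (this.current) this.current.cancelled = true;
    if (agentId === '') {
      // Nothing to fetch, so loading is cleared at once rather than left true.
      this.state = { ...this.state, loading: false, agentStatus: 'unknown' };
      this.current = null;
      return null;
    }
    const token: CancelToken = { cancelled: false };
    this.current = token;
    this.state = { ...this.state, loading: true, error: undefined };
    return {
      agentId,
      token,
      resolve: (isolated, agentStatus) => {
        if (token.cancelled) return; // stale or unmounted: drop the response
        this.state = { loading: false, isolated, agentStatus };
      },
      reject: (err) => {
        if (token.cancelled) return;
        this.state = { ...this.state, loading: false, error: err.message };
      },
    };
  }

  // Mirrors the effect cleanup: stops the in-flight request on unmount.
  dispose(): void {
    if (this.current) this.current.cancelled = true;
    this.current = null;
  }
}

// The flyout's "Isolate host" entry is disabled while the status is loading
// or when the agent is unenrolled (the condition quoted in the review above).
function isolateHostDisabled(state: IsolationState): boolean {
  return state.loading || state.agentStatus === 'unenrolled';
}
```

The stale-response check lives on the token captured by each request rather than on a shared flag, so a late reply from a previous agent id cannot clear `loading` or overwrite the status belonging to the current one.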
const alertIds = useMemo(() => [actionsData.eventId], [actionsData.eventId]);
const isEvent = actionsData.eventKind === 'event';

const isEndpointAlert = useMemo((): boolean => {

there's actually a helper function written in public/common/utils/endpoint_alert_check.ts that you could use

import { useExceptionActions } from '../alerts_table/timeline_actions/use_add_exception_actions';
import { useAlertsActions } from '../alerts_table/timeline_actions/use_alerts_actions';
import { useInvestigateInTimeline } from '../alerts_table/timeline_actions/use_investigate_in_timeline';
/* Todo: Uncomment case action after getAddToCaseAction is split into action and modal

This is for another PR?

@angorayc angorayc (author) commented

That was planned to be part of this PR, but there is still another dependency.

@kibanamachine

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2337 2348 +11

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 6.4MB 6.4MB +18.9KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@cnasikas cnasikas left a comment


Code LGTM! I tested the cases actions. Everything is working as expected.

@angorayc angorayc merged commit 60f8da4 into elastic:master Aug 4, 2021
angorayc added a commit to angorayc/kibana that referenced this pull request Aug 5, 2021
* add investigate in timeline action to flyout

* close context menu on item clicked

* add investigate in timeline

* add investigate in timeline button

* fix failing tests

* add alerts status actions

* update unit test

* export alerts actions from hook

* add disable props

* add case action items

* clean up

* split alert status hook and hide add to case action

* add useHoseIsolationAction hook

* move out take action dropdown

* refactor hooks to only manage one thing

* apply hooks to alerts table

* clean up

* fix unit tests

* replace euiCodeBlock

* take actions from case

* fetch ecs in flyout footer

* move fetch alert ecs to container

* add AddExceptionModalWrapperData interface

* fix cypress tests

* update snapshot for json view

* fix cypress test

* update AddEndpointExceptionComponent

* fix data retrieved from event details

* fix host isolation action

* use endpointAlertCheck

Co-authored-by: Xavier Mouligneau <[email protected]>
angorayc added a commit that referenced this pull request Aug 5, 2021
streamich pushed a commit to vadimkibana/kibana that referenced this pull request Aug 8, 2021
7 participants