
[CTI] Threat Intel Card on Overview page needs to accommodate Fleet TI integrations #115940

Merged
merged 37 commits into from
Dec 3, 2021

Conversation


@nkhristinin nkhristinin commented Oct 21, 2021

Summary

Instruction on how to install fleet and elastic-agent locally: https://docs.google.com/document/d/17QQTVi3Rk_Sh0BctNKCujucV3PApZvpbTDtWUvE8AX8/edit?usp=sharing

Video demo

Screen.Recording.2021-11-22.at.18.36.43.mov

Changes

  1. Naming - In the code I try to distinguish between integrations and data sources.
     Integrations - something related to fleet packages, which you can install. For example AbuseCH.
     Data source - related to the event.dataset field. For example, one integration, AbuseCH, has 3 data sources - AbuseCH URL, AbuseCH Malware, AbuseCH Malware.

  2. Added a new searchStrategy, which looks for threat data sources with aggregation by threat.feed.name and threat.feed.dashboard_id.

  3. Initially we get all available data sources. We use this list to be able later to show 0 when a data source doesn't have any events in the time range.

  4. We fetch all TI integration packages from the fleet API. We show a warning if some integrations are not installed.

  5. Removed some components and hooks which are not used.

How to test:

At the moment, the fleet integrations don't have threat.feed.name, but filebeat-8 has it.

Fleet integrations

  1. Use the instructions from the beginning to run Kibana with the fleet agent.
  2. Install AbuseCH.
  3. The overview card should display it in the Others row. It's fine for now, because the packages don't have threat.feed.name.

Filebeat

  1. Pull the latest changes of beats.
  2. Add filebeat as described here.
  3. In Advanced settings, change securitySolution:defaultThreatIndex to: logs-ti_*, filebeat-8*

You should see the filebeat data source on Overview card.

Checklist

Delete any items that are not applicable to this PR.

@nkhristinin nkhristinin requested review from ecezalp and rylnd October 21, 2021 13:40
@nkhristinin nkhristinin added release_note:skip Skip the PR/issue when compiling release notes Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.16.0 v7.16.1 v8.0.0 and removed v7.16.1 labels Oct 21, 2021
@nkhristinin
Contributor Author

@elasticmachine merge upstream

1 similar comment
@nkhristinin
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin marked this pull request as ready for review October 25, 2021 16:26
@nkhristinin nkhristinin requested a review from a team as a code owner October 25, 2021 16:26
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin added the auto-backport Deprecated - use backport:version if exact versions are needed label Oct 26, 2021
@nkhristinin
Contributor Author

@elasticmachine merge upstream

Contributor

@ecezalp ecezalp left a comment

Code looks great. I had some issues with the setup and wasn't able to obtain indicators, I will review again once I can locally test the feature.

Comment on lines +8 to +10
import { useBasePath } from '../../../common/lib/kibana';

export const useIntegrationsPageLink = () =>
Contributor

It looks like this is not a hook, just a helper function. In that case we should probably rename it not to start with use. We could call it getIntegrationsPageLink or something along those lines. Thanks for the modularization.

Contributor Author

But it is just a combination with another hook, useBasePath, from x-pack/plugins/security_solution/public/common/lib/kibana/hooks.ts

And inside it uses useKibana, which relies on useContext.

}

export const useTIIntegrations = () => {
const [TIIntegrationsStatus, setTIIntegrationsStatus] = useState<TIIntegrationStatus | null>(
Contributor

Not sure about TIIntegrationsStatus; I believe we don't want to start with a capital letter in this context. @rylnd seemed to have some opinions on this, maybe we can get his opinion here.

Contributor

@ecezalp ecezalp left a comment

LGTM

@ecezalp
Contributor

ecezalp commented Oct 27, 2021

@elasticmachine merge upstream

3 similar comments
@ecezalp
Contributor

ecezalp commented Oct 27, 2021

@elasticmachine merge upstream

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@nkhristinin
Contributor Author

@elasticmachine merge upstream

Contributor

@rylnd rylnd left a comment

I think we can remove the 7.16.0 tag here and should target 8.0 instead, right?

@@ -33,6 +38,7 @@ export const CtiWithEventsComponent = ({
isPluginDisabled={isPluginDisabled}
listItems={listItems}
totalCount={totalCount}
isSomeIntegrationsDisabled={isSomeIntegrationsDisabled}
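Review bot: the prop name isSomeIntegrationsDisabled describes upstream state rather than what the child of CtiWithEventsComponent renders from it, and the later commit "Rename isSomeIntegrationsDisabled -> allIntegrationsInstalled" flips the sense of the boolean; when that rename lands, invert the value passed here and the consumer's condition together, and cover both the all-installed and some-missing cases in a unit test so the CTA cannot be shown for a fully installed set.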
Contributor

Maybe at this level the prop should be closer to its semantic use:

Suggested change
isSomeIntegrationsDisabled={isSomeIntegrationsDisabled}
showIntegrationsCTA={isSomeIntegrationsDisabled}

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@elastic elastic deleted a comment from kibanamachine Nov 15, 2021
@ecezalp
Contributor

ecezalp commented Nov 15, 2021

@elasticmachine merge upstream

@nkhristinin
Contributor Author

@elasticmachine merge upstream

Contributor

@rylnd rylnd left a comment

Code review only. LGTM.

*/

import { buildTiDataSourceQuery } from './query.threat_intel_source.dsl';
import { mockOptions, expectedDsl } from './__mocks__';
Contributor

These __mocks__ files are a relic of jest auto-mocking that we aren't using, here. I would just name that file index.mock.ts instead (or e.g. query.threat_intel_source.dsl.mock.ts if that's more accurate)

Contributor Author

Just moved the mock value directly into the tests.

const datasets = result?.rawResponse?.aggregations?.dataset?.buckets ?? [];
const getChildAggregationValue = (aggregation?: Bucket) => aggregation?.buckets?.[0]?.key;

const integrationMap = datasets.reduce((acc: Record<string, TiDataSources>, dataset) => {
Contributor

I assume this is going to be a relatively small number? If not, we might need to consider not creating new objects on each loop here.

Contributor Author

Yes, it will be about how many data sources clients have, not a big number.
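As an added example that is not code from the PR, here is the per-dataset aggregation parse reviewed in the reduce snippet above together with the "show 0 for sources without events in range" merge the PR description outlines (changes 2 and 3). The sub-aggregation names feedName and dashboardId, the Bucket shape and all sample data are assumptions.

```typescript
// Added example, not code from the Kibana PR. Parses the per-dataset aggregation the new
// search strategy returns (sub-aggregations on threat.feed.name / threat.feed.dashboard_id)
// and merges it with the full data-source list so a source with no events in range shows 0.
// The sub-aggregation names feedName/dashboardId, the Bucket shape and all sample data are assumed.

interface Bucket { key?: string; doc_count?: number; buckets?: Bucket[] }
interface DatasetBucket { key: string; doc_count: number; feedName?: Bucket; dashboardId?: Bucket }
interface TiDataSources { dataset: string; count: number; name?: string; dashboardId?: string }

// First key of a child terms aggregation, as in the reviewed snippet.
const getChildAggregationValue = (aggregation?: Bucket) => aggregation?.buckets?.[0]?.key;

// Map keyed by event.dataset, built from the dataset buckets (the reduce under review).
const parseTiDataSources = (datasets: DatasetBucket[]): Record<string, TiDataSources> =>
  datasets.reduce((acc: Record<string, TiDataSources>, dataset) => {
    acc[dataset.key] = {
      dataset: dataset.key,
      count: dataset.doc_count,
      name: getChildAggregationValue(dataset.feedName),
      dashboardId: getChildAggregationValue(dataset.dashboardId),
    };
    return acc;
  }, {});

// allTiDataSources comes from the un-time-filtered query; sources absent from the
// in-range result keep a 0 count instead of disappearing from the card.
const mergeWithAllSources = (
  allTiDataSources: TiDataSources[],
  inRange: Record<string, TiDataSources>
): TiDataSources[] =>
  allTiDataSources.map((source) => ({ ...source, count: inRange[source.dataset]?.count ?? 0 }));

// Constructed sample aggregation response for the selected time range (not real data).
const sampleBuckets: DatasetBucket[] = [
  { key: 'ti_abusech.url', doc_count: 12,
    feedName: { buckets: [{ key: 'AbuseCH URL', doc_count: 12 }] },
    dashboardId: { buckets: [{ key: 'dash-abusech-url', doc_count: 12 }] } },
  { key: 'filebeat-threatintel', doc_count: 3,
    feedName: { buckets: [{ key: 'Filebeat TI', doc_count: 3 }] } },
];
// Constructed "all data sources" list; ti_abusech.malware has no events in range.
const allSources: TiDataSources[] = [
  { dataset: 'ti_abusech.url', count: 0, name: 'AbuseCH URL', dashboardId: 'dash-abusech-url' },
  { dataset: 'ti_abusech.malware', count: 0, name: 'AbuseCH Malware' },
  { dataset: 'filebeat-threatintel', count: 0, name: 'Filebeat TI' },
];
const cardRows = mergeWithAllSources(allSources, parseTiDataSources(sampleBuckets));
```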

dashboardId?: string;
}
interface TiDataSourcesProps extends Partial<GlobalTimeArgs> {
allTiDataSources?: TiDataSources[];
Contributor

I believe this prop can be made non-optional, no?

Suggested change
allTiDataSources?: TiDataSources[];
allTiDataSources: TiDataSources[];

Contributor Author

Not really, we have a case when we don't pass it, because we don't have it yet:
x-pack/plugins/security_solution/public/overview/containers/overview_cti_links/use_all_ti_data_sources.ts

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 2793 2791 -2

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
securitySolution 1325 1357 +32

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.6MB 4.6MB -2.0KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
securitySolution 33 30 -3

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 249.5KB 251.5KB +2.1KB

Unknown metric groups

API count

id before after diff
securitySolution 1374 1406 +32

References to deprecated APIs

id before after diff
securitySolution 55 54 -1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Member

@MadameSheema MadameSheema left a comment

Checked just the Cypress updates, LGTM

@nkhristinin nkhristinin merged commit 6640357 into elastic:main Dec 3, 2021
brianseeders added a commit that referenced this pull request Dec 3, 2021
@brianseeders
Contributor

@nkhristinin I apologize, I had to revert this PR as it was causing CI to fail. It must have been incompatible with another change that was merged since the last time you merged upstream.

See failures here and here

@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Dec 7, 2021
@kibanamachine
Contributor

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 115940 or prevent reminders by adding the backport:skip label.

@nkhristinin nkhristinin added backport:skip This commit does not require backporting and removed backport missing Added to PRs automatically when the are determined to be missing a backport. auto-backport Deprecated - use backport:version if exact versions are needed labels Dec 7, 2021
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021
…TI integrations (elastic#115940)

* Add support integrations

* Fix types

* fix unit tests

* Fix tests and types

* fix eslint

* fix file case

* add cy tests

* Revert test

* Add tests

* Add support of installed integrations

* Fix types

* Add installed integration case for cypress tests

* Fix cypress tests

* Fix comments

* Fix capital naming

* Fix again capital naming

* Add dynamic dashboard for a new integrations packages

* intermediate changes, to keep it remote

* Big refactoring

* Tests and refactoring

* Remove unused constants

* Fix e2e tests

* PR comments fix

* fix ts

* Fix translations

* Remove stubs

* Rename isSomeIntegrationsDisabled -> allIntegrationsInstalled

* Add buildQuery tests

* Fix type

* Add tests for Enable Source button

* Remove copied file

* Move api call to api.ts

* Rename fetchFleetIntegrations

* Remove __mocks__

Co-authored-by: Kibana Machine <[email protected]>
TinLe pushed a commit to TinLe/kibana that referenced this pull request Dec 22, 2021