[Security Solution][Detections] Updates Rule Details to show all historical alerts for a given Rule #120053
Conversation
spong
added
bug
| @@ -238,7 +238,7 @@ export const getFailingRules = async ( | |||
| try { | |||
| const errorRules = await Promise.all( | |||
| ids.map(async (id) => | |||
| rulesClient.get({ | |||
| rulesClient.resolve({ | |||
There was a problem hiding this comment.
We had a bug where the RuleStatus wouldn't be found because it was querying with the old legacyId. This would result in an error toast along with the redirect toast:
There was a problem hiding this comment.
That's a catch! I see that now with this PR getFailingRules is called only from the INTERNAL_DETECTION_ENGINE_RULE_STATUS_URL route, and I think we should be able to get rid of it completely when we rewrite this route to only return events from the rule execution log.
|
Hey @spong , I come in peace I promise 😅 I'd been chatting with @dhurley14 and @rylnd about
Please don't take this as me saying |
|
Peace offering accepted, haha! 🕊️ 😅 No worries at all @yctercero -- thank you for taking the time to think through the implications and potential externalities here, I really appreciate the extra 👀's and 🧠🔋! To summarize from our conversation for others (we chatted offline a bit), regardless of the path forward to resolve #118935 (whether pushing down Zooming out, the commonality that surfaced when we were discussing this is a platform need (of the SO Client most likely) to support specifying additional static field(s) when creating SO's. This pattern of specifying secondary static id's exists in quite a few places already within Security Solution (Timeline Templates, Exceptions/Trusted Apps, Rules), and all of these objects are going to need special care when SO sharing or SOM support are introduced if this functionality isn't added. At the very least, this change specifically is reversible, and if we need to go back to querying alerts via As an output, we discussed auditing Security Solution for two things:
|
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx
Outdated
Show resolved
Hide resolved
| ...buildShowBuildingBlockFilter(showBuildingBlockAlerts), | ||
| ...buildAlertStatusFilter(filterGroup), | ||
| ]), | ||
| ...buildAlertsRuleIdFilter(rule?.rule_id ?? ''), |
There was a problem hiding this comment.
Would be nice to refactor this component so that these checks aren't necessary. Right now we're fetching the rule via useRuleWithFallback and have the page in a loading state while rule == null, and all these filters that are being generated aren't needed till the rule returns anyway.
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @spong |
There was a problem hiding this comment.
LGTM 👍 Thank you so much for all the thought put into solving this issue, finding a better solution than just passing the legacy id to the FE, adjusting the exceptions logic, for the cleanup and super helpful comments in the code. So much great stuff in this PR!
I went through the code changes and didn't find any issues. Checked the filter used in useRuleWithFallback for fetching the last alert for the rule - seems like @madirey already updated it in her previous PR.
Sorry I didn't test the PR though, I hope that folks could help with that.
| const alertStatusFilter = buildAlertStatusesFilter([ | ||
| 'open', | ||
| 'acknowledged', | ||
| 'in-progress', | ||
| ]); |
There was a problem hiding this comment.
Garrett, do you know if a go/no-go decision has been made regarding going live with rule_registry in 8.0? There's still some ongoing discussions regarding AAD schema which is extremely concerning considering where we are in the release cycle. Wondering what are chances of us being asked to revert this stuff back to .siem-signals-* (which means we'd need the ruleRegistryEnabled feature flag in the code):
// TODO: Once we are past experimental phase this code should be removed
const alertStatusFilter = ruleRegistryEnabled
? buildAlertStatusesFilterRuleRegistry(['open', 'acknowledged', 'in-progress'])
: buildAlertStatusesFilter(['open', 'acknowledged', 'in-progress']);There was a problem hiding this comment.
Verified RuleRegistry is a go for security in 8.0, so all good here 🙂
| term: { | ||
| 'kibana.alert.workflow_status': status, | ||
| [ALERT_WORKFLOW_STATUS]: status, | ||
| }, | ||
| }, | ||
| { | ||
| term: { | ||
| 'kibana.alert.workflow_status': 'in-progress', | ||
| [ALERT_WORKFLOW_STATUS]: 'in-progress', |
There was a problem hiding this comment.
Thank you for all the clean up 🙏
| /** | ||
| * Builds Kuery filter for fetching alerts for a specific rule. Takes the rule's | ||
| * static id, i.e. `rule.ruleId` (not rule.id), so that alerts for _all | ||
| * historical instances_ of the rule are returned. | ||
| * | ||
| * @param ruleStaticId Rule's static id: `rule.ruleId` | ||
| */ | ||
| export const buildAlertsFilter = (ruleStaticId: string | null): Filter[] => |
There was a problem hiding this comment.
And thank you for the detailed comments on ruleStaticId explaining what it is and what are the implications of using it ("so that alerts for all historical instances of the rule are returned"). This is really helpful!
There was a problem hiding this comment.
Of course! It gets so confusing between rule.id and rule.rule_id I needed to start clearing things up with differentiating nomenclature. If we're consistent going forward with naming rule.rule_id params as ruleStaticId it should make things a bit easier to grok.
| @@ -238,7 +238,7 @@ export const getFailingRules = async ( | |||
| try { | |||
| const errorRules = await Promise.all( | |||
| ids.map(async (id) => | |||
| rulesClient.get({ | |||
| rulesClient.resolve({ | |||
There was a problem hiding this comment.
That's a catch! I see that now with this PR getFailingRules is called only from the INTERNAL_DETECTION_ENGINE_RULE_STATUS_URL route, and I think we should be able to get rid of it completely when we rewrite this route to only return events from the rule execution log.
|
Oh sorry, one more thing
So is this a known issue that is going to be fixed? Do we have a ticket? |
This is known (found during that review) and @marshallmain said he would have a fix for this in a follow-up PR, so no specific issue that I'm aware of. I'll check with Marshall to see if there's a draft PR floating around and create an issue if not just so we don't lose it. 👍 edit: Yup, this was added and being tracked as part of this issue/comment: https://github.com/elastic/security-team/issues/1018#issuecomment-937323352
|
…y RuleId instead of Rule SO ID (elastic#120053) * Switches RuleDetails to query alerts by ruleId instead of SO id * Increases integrity of test outputs * Cleans up duplicate RuleRegistry functions * Removes support for rule.id for alerts filter and updates exceptions to use new filter
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…y RuleId instead of Rule SO ID (elastic#120053) * Switches RuleDetails to query alerts by ruleId instead of SO id * Increases integrity of test outputs * Cleans up duplicate RuleRegistry functions * Removes support for rule.id for alerts filter and updates exceptions to use new filter
|
As per elastic/security-docs#1321 (comment), updating title and adding to release notes so the behavioral changes are appropriately communicated. |
spong
changed the title
spong
added
release_note:feature
…y RuleId instead of Rule SO ID (elastic#120053) * Switches RuleDetails to query alerts by ruleId instead of SO id * Increases integrity of test outputs * Cleans up duplicate RuleRegistry functions * Removes support for rule.id for alerts filter and updates exceptions to use new filter
## Closing alerts from flyout effect only alerts related to this rule Fix: #145675 For the exceptions component, we need to have `rule.rule_id` which wasn't initially in the timeline response. We can't safely use `rule.id`, it is [described here](#120053). Co-authored-by: Kibana Machine <[email protected]>
## Closing alerts from flyout effect only alerts related to this rule Fix: elastic#145675 For the exceptions component, we need to have `rule.rule_id` which wasn't initially in the timeline response. We can't safely use `rule.id`, it is [described here](elastic#120053). Co-authored-by: Kibana Machine <[email protected]> (cherry picked from commit 6102f0e)
# Backport This will backport the following commits from `main` to `8.6`: - [Fix close alerts from flyout (#145939)](#145939) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Khristinin Nikita","email":"[email protected]"},"sourceCommit":{"committedDate":"2022-11-23T17:21:04Z","message":"Fix close alerts from flyout (#145939)\n\n## Closing alerts from flyout effect only alerts related to this rule\r\n\r\nFix: https://github.com/elastic/kibana/issues/145675\r\n\r\nFor the exceptions component, we need to have `rule.rule_id` which\r\nwasn't initially in the timeline response.\r\nWe can't safely use `rule.id`, it is [described\r\nhere](https://github.com/elastic/kibana/pull/120053).\r\n\r\nCo-authored-by: Kibana Machine <[email protected]>","sha":"6102f0e39b1b4053886e1dc6ccd8696fe1bf6967","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Security Solution Platform","backport:prev-minor","v8.7.0"],"number":145939,"url":"https://github.com/elastic/kibana/pull/145939","mergeCommit":{"message":"Fix close alerts from flyout (#145939)\n\n## Closing alerts from flyout effect only alerts related to this rule\r\n\r\nFix: https://github.com/elastic/kibana/issues/145675\r\n\r\nFor the exceptions component, we need to have `rule.rule_id` which\r\nwasn't initially in the timeline response.\r\nWe can't safely use `rule.id`, it is [described\r\nhere](https://github.com/elastic/kibana/pull/120053).\r\n\r\nCo-authored-by: Kibana Machine <[email protected]>","sha":"6102f0e39b1b4053886e1dc6ccd8696fe1bf6967"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/145939","number":145939,"mergeCommit":{"message":"Fix close alerts from flyout (#145939)\n\n## Closing alerts from flyout effect only alerts related to this rule\r\n\r\nFix: https://github.com/elastic/kibana/issues/145675\r\n\r\nFor the exceptions component, we need to have `rule.rule_id` which\r\nwasn't initially in the timeline response.\r\nWe can't safely use `rule.id`, it is [described\r\nhere](https://github.com/elastic/kibana/pull/120053).\r\n\r\nCo-authored-by: Kibana Machine <[email protected]>","sha":"6102f0e39b1b4053886e1dc6ccd8696fe1bf6967"}}]}] BACKPORT--> Co-authored-by: Khristinin Nikita <[email protected]>
Summary
Resolves Part II of #118935 which fixes a bug where pre-8.x alerts are not displayed on the
Rule Detailspage if the Rule SO ID had been re-generated as part of the upgrade to 8.x. As discussed with the team and relevant product folks, we're resolving this issue by updating the alerts query to filter byruleIdinstead of the Rule SO ID, which will result in a slight workflow change where all alerts for a givenruleIdwill be displayed rather than just the latest instance -- i.e. create pre-package rule, generate alerts, delete/re-create pre-package rule, generate alerts, alerts are displayed from both Rule instances instead of just the most recent. This also updates the exceptions workflow such that if the user specifiesclose all associated alertswhen creating a Rule Exception, it will now close all alerts matching the exception for all historical instances of the rule, maintaining consistent behavior when managing alerts from a rule.The Previous Rule Deleted functionality stays mostly the same -- if you navigate to
Rule Detailsfrom an older alert whose rule has been deleted, the Rule Details page will still re-construct the rule's details from the alert, and now show all alerts (as above) instead of just that instances' alerts.Also cleaned up a lot of duplicate/redundant code over in
default_config.tsxthat was leftover from theRuleRegsitryfeature flag. Now condensed back to one function each for generating filters/columns/config.Test Instructions:
Clear
es-data, and start7.16ESNavigate to
kibana-7.16, checkout andyarn startLogin, create a rule, then inject some data
Verify Alerts, kill kibana, kill es, then start es
8.1.0(run fromkibana-mainor use--version=8.1.0)Navigate to
kibana-main, checkout andyarn startLogin, navigate to previous rule (toggling enable/disable to bypass this bug), then inject some data (previous
resolver_generatordata-gen command should've created enough future events, but if not re-run w/o--fleetflag)Verify
7.16and8.1alerts are visible in both the Alerts Histogram and Alerts Table:Note,
Severity/Risk Scorewill not display for pre-8.x alerts see this comment for details.Verify
7.16and8.1alerts are closed when adding a Rule Exception (that of course matches all alerts ;) and selectingClose all alerts that match this exception.Note: Initial approach was to plumb through the
legacyIdthrough the Read Rules route (#119031), so we can always revisit that method if necessary.Checklist
Delete any items that are not applicable to this PR.