[Security team: AWP] [Session view] Add alert fly out callback #127991
Conversation
zizhouW
requested review from
mitodrummer,
Tacklebox,
michaelolo24,
opauloh and
animehart
| // react-query caching keys | ||
| export const QUERY_KEY_PROCESS_EVENTS = 'sessionViewProcessEvents'; | ||
| export const QUERY_KEY_ALERTS = 'sessionViewAlerts'; | ||
|
|
There was a problem hiding this comment.
zizhouW
added
release_note:feature
| Object.keys(updatedAlertsStatus).forEach((alertUuid) => { | ||
| const process = processMap[updatedAlertsStatus[alertUuid].processEntityId]; | ||
| if (process) { | ||
| updateAlertEventStatus(process.getAlerts(), updatedAlertsStatus); |
There was a problem hiding this comment.
since getAlerts() comes from ProcessImpl, what about adding an update function to ProcessImpl? i.e process.setAlerts(), to make more explicit the intention of changing alerts in the process
then also, could change to a more functional approach using map transforms:
i.e:
process.setAlerts(updateAlertEventStatus(process.getAlerts(), updatedAlertsStatus))// updateAlertEventStatus
export const updateAlertEventStatus = (
events: ProcessEvent[],
updatedAlertsStatus: UpdateAlertStatus
) => (
events.map((event) => ({
...event, kibana: { ...event.kibana, alert: {
...event.kibana.alert,
workflow_status : updatedAlertsStatus[event.kibana.alert.uuid].status
}}
)})There was a problem hiding this comment.
The alerts currently are placed together with events in process.events. It's probably a good idea to separate them to process.events and process.alerts. It seems to relate to some changes made in #127500 in efforts to separate fetching events and alerts. Should we make the optimization in a separate PR?
cc: @mitodrummer
There was a problem hiding this comment.
Yea, separate PR seems best. Maybe after i merge the alerts tab stuff.
There was a problem hiding this comment.
yeah another PR sounds nice to me too
| ) => void; | ||
| } | ||
|
|
||
| export interface UpdateAlertStatus { |
There was a problem hiding this comment.
this type seems too generic and doesn't seem to tell much about it, can it be improved somehow?
| }; | ||
|
|
||
| export const searchAlertByUuid = async (client: ElasticsearchClient, alertUuid: string) => { | ||
| const search = await client.search({ |
There was a problem hiding this comment.
We may want to update this to use the AlertsClient once I've merged my alerts tab work. It handles authorized indexes and other rbac type stuff.
There was a problem hiding this comment.
Sounds good, I can do it in a separate PR since the flyout callback is also needed in your PR. I will get this one merged in first
| @@ -73,4 +75,46 @@ describe('process tree hook helpers tests', () => { | |||
| // session leader should have autoExpand to be true | |||
| expect(processMap[SESSION_ENTITY_ID].autoExpand).toBeTruthy(); | |||
| }); | |||
|
|
|||
| it('updateAlertEventStatus works', () => { | |||
| const events: ProcessEvent[] = JSON.parse(JSON.stringify([...mockEvents, ...mockAlerts])); | |||
There was a problem hiding this comment.
This is okay I think since we know the data, but using lodash clone might be safer long term and potentially faster? Not sure though...
| ) => { | ||
| events.forEach((event) => { | ||
| if (event.kibana?.alert.uuid && updatedAlertsStatus[event.kibana.alert.uuid]) { | ||
| event.kibana.alert.workflow_status = updatedAlertsStatus[event.kibana.alert.uuid].status; |
There was a problem hiding this comment.
With Kibana, I would never assume you'll actually get the data so I would do updatedAlertStatus[event.kibana?.alert?.uuid]
There was a problem hiding this comment.
Thanks for letting me know! There are other places in session_view that will require similar fixes. I will fix this one here and create a tech debt ticket to address the rest separately.
| @@ -36,6 +37,11 @@ interface ProcessTreeDeps { | |||
| selectedProcess?: Process | null; | |||
| onProcessSelected: (process: Process | null) => void; | |||
| setSearchResults?: (results: Process[]) => void; | |||
|
|
|||
| ...updatedAlertsStatus, | ||
| [alertUuid]: { | ||
| status: events[0].kibana?.alert.workflow_status ?? '', | ||
| processEntityId: events[0].process.entity_id, |
There was a problem hiding this comment.
| processEntityId: events[0].process.entity_id, | |
| processEntityId: events[0]?.process?.entity_id, |
There was a problem hiding this comment.
It should always be there, but best to err on the side of caution
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
| ) => | ||
| events.map((event) => { | ||
| // do nothing if event is not an alert | ||
| if (!event.kibana) { |
There was a problem hiding this comment.
Can do in a follow up PR, but in the future event.kibana may have other sub-properties, so may be best to use event?.kibana?.alert to be explicit
There was a problem hiding this comment.
Thanks Michael, will update in my follow up PR!
Issue: https://github.com/elastic/security-team/issues/3266
TODO: Add tests for
alert_status_routeand useAlertsClientafter #127500 is merged