-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Remove the advanced sorting switch from the rules management page #149840
Conversation
6971bd6
to
cd5e413
Compare
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
86811f1
to
1375e45
Compare
...doc.attributes, | ||
lastRun: { | ||
...doc.attributes.lastRun, | ||
outcomeOrder: RuleLastRunOutcomeOrderMap[outcome], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't recall off hand, but are there any old legacy outcome
's that a user could have lingering around that wouldn't be included in the RuleLastRunOutcomeOrderMap
? If so, is undefined
fine here until the next rule execution?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The outcome
field was added in 8.6 with only three values specified in the RuleLastRunOutcomeOrderMap
. So I don't expect any other values there. That said, undefined
should also work just fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Problem is, the outcomeOrder
is defined as a number
, but in the case of a outcome: undefined
- or some change in the future that would add a new outcome but forget to add the order - the order will end up being undefined
. Feels like we should change outcomeOrder
to be number | undefined
, or write a function to generate the updated value that deals with the potential undefined
value, where it's generated in execution.
If we want to keep it typed as a number, then I think we need to supply a number here, but not sure what we'd use. If we go with making outcome_order
as number | undefined
, then this code is fine as-is , as it would generate an undefined
(if outcome is not set or an unexpected value).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I miss something, outcome
cannot be undefined
. See the 8.6 migration, for example:
https://github.com/elastic/kibana/blob/2d675b47a7c3210a1b430e89ff51c9d7485d1fd2/x-pack/plugins/alerting/server/saved_objects/migrations/8.6/index.ts#L22-L35
If the outcome
is unknown, the whole lastRun
structure is omitted.
Furthermore, adding a new outcome value will cause a type error if the value is not added to the outcome->order
map:
So TypeScript protects us from forgetting to add values to the linked structures.
That said, if you feel strongly about changing the type of outcomeOrder
to number | undefined
, I'm okay with that. It doesn't affect the code of Security Solution in any way, as we don't work with that field directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! We've become more sensitive to migrations recently so wanted to understand this one well.
The main thing I'm worrying about is some bug where we would unintentionally have outcome
set to some invalid value, as part of normal (presumably buggy!) operation. And then the migration would end up writing out an undefined
for the order. But ... that's valid for that field :-)
So, even in that case, I don't think there's anything else we can do to improve the migration.
The rest of the type-checking on outcome looks good, thanks for explaining.
...ty_solution/server/lib/detection_engine/rule_management/logic/search/transform_sort_field.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked out, tested locally, code reviewed and rules area changes LGTM! 👍
One issue with sorting on Version
, but I think we can just remove that column (as intended in #148196) and call it a day.
As always, super clean work here @xcrzx! Thank you for seeing this feature full-circle -- the in-memory table served our users well in the interim, and it's now nice to have mapped_params
support where we need it, awesome! 😀
ce10b97
to
2d675b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
security-solution-platform changes LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, reviewed the diff and tested the PR locally. LGTM 👍
I left a bunch of non-blocking comments that can be addressed in a follow-up one, if needed.
x-pack/plugins/alerting/server/saved_objects/migrations/8.7/index.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
Outdated
Show resolved
Hide resolved
export const SortField = t.union([ | ||
t.literal('created_at'), | ||
t.literal('createdAt'), // Legacy notation, keeping for backwards compatibility | ||
t.literal('enabled'), | ||
t.literal('execution_summary.last_execution.date'), | ||
t.literal('execution_summary.last_execution.metrics.execution_gap_duration_s'), | ||
t.literal('execution_summary.last_execution.metrics.total_indexing_duration_ms'), | ||
t.literal('execution_summary.last_execution.metrics.total_search_duration_ms'), | ||
t.literal('execution_summary.last_execution.status'), | ||
t.literal('name'), | ||
t.literal('risk_score'), | ||
t.literal('riskScore'), // Legacy notation, keeping for backwards compatibility | ||
t.literal('severity'), | ||
t.literal('updated_at'), | ||
t.literal('updatedAt'), // Legacy notation, keeping for backwards compatibility | ||
]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not forget to update the docs with this info. I can open a ticket if you haven't already.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, this is a type that applies specifically to the find rules API endpoint, but it's not common. Let's rename it to FindRulesSortField
and move it to x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/find_rules/request_schema.ts
}, | ||
{ | ||
refetchInterval: isRefreshOn && !isActionInProgress && autoRefreshSettings.value, | ||
keepPreviousData: true, // Use this option so that the state doesn't jump between "success" and "loading" on page change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Appreciate the comment!
...on/public/detection_engine/rule_management_ui/components/rules_table/rules_table_toolbar.tsx
Show resolved
Hide resolved
import { assertUnreachable } from '../../../../../../common/utility_types'; | ||
|
||
/** | ||
* Transform the sort field name from the request to the Alerting framework |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for all these comments, it's a ton of help for our future self or anyone new to this codebase.
I'm thinking now: what about filtering? We should probably do the same for filters as well, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reviewed alerting framework changes; I think we need to do something about the order potentially being undefined
, and there are notes to add some additional tests. Other than that, LGTM
...doc.attributes, | ||
lastRun: { | ||
...doc.attributes.lastRun, | ||
outcomeOrder: RuleLastRunOutcomeOrderMap[outcome], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Problem is, the outcomeOrder
is defined as a number
, but in the case of a outcome: undefined
- or some change in the future that would add a new outcome but forget to add the order - the order will end up being undefined
. Feels like we should change outcomeOrder
to be number | undefined
, or write a function to generate the updated value that deals with the potential undefined
value, where it's generated in execution.
If we want to keep it typed as a number, then I think we need to supply a number here, but not sure what we'd use. If we go with making outcome_order
as number | undefined
, then this code is fine as-is , as it would generate an undefined
(if outcome is not set or an unexpected value).
@@ -173,6 +173,7 @@ export default function createAlertTests({ getService }: FtrProviderContext) { | |||
}, | |||
outcome: 'succeeded', | |||
outcome_msg: null, | |||
outcome_order: 0, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add tests for 'warning' and 'failed' to ensure the outcome_order
is expected. I think that can just be added to any other test that receives those outcomes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what tests you mean here. I've added more test cases to the migrations suite, and haven't found any explicit integrational tests for the lastRun
or outcome
fields. This file is the only place in x-pack/test/alerting_api_integration
besides migrations where execution outcome is surfaced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see! I figured we had some - I do see some outcome
FT for the event log, but not seeing any for the rule itself.
@XavierM, did I miss some? Looks like you were involved in some of this work in a previous PR. Seems like we should add some (in a separate issue/PR) if we don't have any.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, we will add specific test around that in the near future. We will use the same one for executionStatus
if they exist
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They do exist! So here a ticket #150487 to add them for last_run
x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
Outdated
Show resolved
Hide resolved
2d675b4
to
c67e600
Compare
@pmuellr @xcrzx My 2 cents: let's reserve
Having nullable fields makes the code more error-prone, and here it seems we could avoid that. |
c67e600
to
c61110b
Compare
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @xcrzx |
As I mentioned in my comment above, there normally shouldn't be a situation when |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for explaining, LGTM
Resolves: #138907
Resolves: #148196
Summary
outcomeOrder
field to the alerting frameworkThere's one caveat, though. The running status is represented as a different rule field. So when sorting by the last status, if there are any "running" rules, they could appear in any row on the table: