[Security Solution] Bulk editing rule custom highlighted fields #179312
Conversation
e40pud
added
release_note:enhancement
Team: SecuritySolution
|
/ci |
|
@elasticmachine merge upstream |
e40pud
changed the title
|
@elasticmachine merge upstream |
|
/ci |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
Left a couple questions and one nit but overall looks good @e40pud! I pulled down and tested all the edge cases I could think of. This is the first time I've seen the feature flag stuff used so heavily for the backend code, I think it's a pretty good way to go about it albeit adding a bit of complexity to the implementation as (correct me if I'm wrong) we aren't able to enable/disable routes themselves using the flags.
...ity_solution/server/lib/detection_engine/rule_management/api/rules/bulk_get_sources/route.ts
Outdated
Show resolved
Hide resolved
.../server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.test.ts
Show resolved
Hide resolved
.../server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.test.ts
Outdated
Show resolved
Hide resolved
...sponse/rules_management/rule_bulk_actions/trial_license_complete_tier/perform_bulk_action.ts
Show resolved
Hide resolved
Yes, I had to add extra complexity in order to be able to block API behind feature flag. I think we can benefit from ti in future with other features that require adding public API and needs to be hidden for some time. |
| const rules = fetchRulesOutcome.results.map(({ result }) => result); | ||
| const indexPatterns: string[] = []; | ||
| const dataViewIds: string[] = []; | ||
| rules.forEach((rule) => { |
There was a problem hiding this comment.
@e40pud
I only checked ES|QL rules since they do not have index.
Index for this rules is extracted from rule query
Without extracting index, it will display empty highlighted fields combobox.
Another case is custom ES|QL fields. They can be created in query, but I don't think it's feasible for bulk edit(since every query needs to be performed and custom fields identified).
So, we probably just should mention in docs, custom ES|QL fields are not supported.
Which would make bulk editing rules with aggregating query not working properly. As these rule have a small number of fields available.
More details on ES|QL highlighted fields can be found here: #177746
There was a problem hiding this comment.
Similar behaviour also applicable to ML rules.
Index for this rule type is extracted from ML jobs, as this rule type does not have index or data view id
There was a problem hiding this comment.
Thanks for pointing out to this one! We discussed performance and limitation issues and decided to go with this solution
There was a problem hiding this comment.
Overall looks great! Appreciate the updates to the tests and additional tests too. A few small nits too.
I do believe we could simplify the code and have some performance improvements if we introduce the logic for fetching and gathering the data view titles into the bulk_get_sources route, update the hook useBulkGetRulesSources to reflect the new server-side functionality, and remove the useGetAllIndexPatternsFromSources. This would also have the added benefit of reducing the number of hooks we need to maintain and test.
...e/rule_management_ui/components/rules_table/bulk_actions/forms/investigation_fields_form.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/translations.ts
Show resolved
Hide resolved
...ution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts
Outdated
Show resolved
Hide resolved
| const fieldOptions = indexPatterns.fields.map((field) => ({ | ||
| label: field.name, | ||
| })); |
There was a problem hiding this comment.
Seeing as we are pulling every field (runtime included) from every index pattern for every rule in the rules table, this could be a lot of fields. Not sure what the limitations are on rendering all these fields but would be neat to see where the rendering starts to slow down.
There was a problem hiding this comment.
We will show fields from the index patterns defined in Security Solution advanced settings instead
Hey @dhurley14, we discussed potential performance issue and limitations with ES|QL and ML rules. To avoid those issues, we decided to go with the next solution for the list of fields available in "custom highlighted fields" flyout: the dropdown will include fields from the index patterns defined in Security Solution advanced settings (more details here). This means, I will remove the route to fetch all indices for selected rules. |
...ution/server/lib/detection_engine/rule_management/logic/bulk_actions/rule_params_modifier.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Devin W. Hurley <[email protected]>
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @e40pud |
Resolves: #164301
Resolves: https://github.com/elastic/security-team/issues/8958
Summary
With these changes we introduce a new feature - Bulk custom highlighted fields update. It works similarly to bulk tags and indices update.
Here is the overview of the work that has been done:
Screen.Recording.2024-04-15.at.14.17.08.mov
Checklist
Delete any items that are not applicable to this PR.