Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 #192535

Merged
merged 13 commits into from
Sep 14, 2024

Conversation

animehart
Copy link
Contributor

@animehart animehart commented Sep 11, 2024

In an attempt to make Reviewing easier and more accurate, the implementation of Misconfiguration Data grid on Host.name flyout in Alerts Page will be split into 2 Phases

Phase 1: Move Functions, Utils or Helpers, Hooks, constants to Package
Phase 2: Implementing the feature

This is Phase 2 of the process
Screenshot 2024-09-11 at 2 16 20 PM

How to test:
Pre req: In order to test this, you need to generate some fake alerts. This repo will help you do that

  1. Generate Some Alerts
  2. Use the Reindex API to get some Findings data in (change the host.name field to match the host.name from alerts generated if you want to test Findings table in the left panel flyout)
  3. Turn on Risky Entity Score if you want to test if both Risk Contribution and Insights tabs shows up, follow this guide to turn on Risk Entity Score

@animehart
Copy link
Contributor Author

/ci

@animehart
Copy link
Contributor Author

/ci

@animehart
Copy link
Contributor Author

/ci

@animehart
Copy link
Contributor Author

/ci

@animehart animehart marked this pull request as ready for review September 12, 2024 22:00
@animehart animehart requested review from a team as code owners September 12, 2024 22:01
@animehart animehart added v8.16.0 Team:Cloud Security Cloud Security team related labels Sep 12, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@animehart animehart added the release_note:skip Skip the PR/issue when compiling release notes label Sep 12, 2024
Copy link
Contributor

@tiansivive tiansivive left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from Entity Analytics

@animehart animehart added backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) ci:project-deploy-security Create a Security Serverless Project labels Sep 13, 2024
Comment on lines 136 to 137
isMisconfigurationFindingsIndexExist: hasMisconfigurationFindingsIndex,
isMisconfigurationFindingsForThisQueryExist: hasMisconfigurationFindingsForThisQuery,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

having two names for the same thing might be confusing (isMisconfigurationFindingsIndexExist and hasMisconfigurationFindingsIndex), ideally, we should stick with one naming only.

hasMisconfigurationFindingsIndex seems to me easier to read and understand than isMisconfigurationFindingsIndexExist, is is often used for boolean states or conditions (e.g., isEnabled, isVisible), and has is used for existence or possession (e.g., hasItems, hasError).

can we update the references of isMisconfigurationFindingsIndexExist and isMisconfigurationFindingsForThisQueryExist to hasMisconfigurationFindingsIndex and hasMisconfigurationFindingsForThisQuery respectively across the PR?

Comment on lines 72 to 73
isMisconfigurationFindingsIndexExist={false}
isMisconfigurationFindingsForThisQueryExist={true}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how this use case can happen? index does not exist, but the data exist?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

woops, you are right
this one is redundant


const insightsButtons: EuiButtonGroupOptionProps[] = [
{
id: 'misconfigurationTabId',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's add this id to a constant, so we avoid updating the id name and forgetting to update the activeInsightsId

data-test-subj={'insightButtonGroupsTestId'}
/>
<EuiSpacer size="xl" />
<MisconfigurationFindingsDetailsTable fieldName={'host.name'} queryName={name} />
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

having the fieldName fixed to host.name here might prevent this component from being reusable in the future, I would suggest including the fieldName in the props and pass it down from the getInsightsInputTab function.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was planning to just do that on my next ticket (do this with user.name column) as shown in this branch that i made to see how much stuff i need to change
but now that u mentioned it, might as well change it now

navToFindings({ 'rule.id': ruleId, 'resource.id': resourceId });
};

const columns: Array<EuiBasicTableColumn<Pick<CspFinding, 'result' | 'rule' | 'resource'>>> = [
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this type Pick<CspFinding, 'result' | 'rule' | 'resource'> is being reused multiple times, what about create one type for it:

type MisconfigurationFindingDetailFields = Pick<CspFinding, 'result' | 'rule' | 'resource'>

Comment on lines 72 to 78
return {
index: CDR_MISCONFIGURATIONS_INDEX_PATTERN,
size: isPreview ? 0 : 500,
aggs: getFindingsCountAggQueryMisconfiguration(),
ignore_unavailable: true,
query: buildMisconfigurationsFindingsQueryWithFilters(query, mutedRulesFilterQuery),
};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are only using a couple of fields, it would be nice to update the query to only retrieve the fields we need. We can do that by including a source filtering:

const MISCONFIGURATIONS_SOURCE_FIELDS = ['result.*', 'rule.*', 'resource.*'];

//...

return {
  index: CDR_MISCONFIGURATIONS_INDEX_PATTERN,
  size: isPreview ? 0 : 500,
  aggs: getFindingsCountAggQueryMisconfiguration(),
  ignore_unavailable: true,
  query: buildMisconfigurationsFindingsQueryWithFilters(query, mutedRulesFilterQuery),
  _source: MISCONFIGURATIONS_SOURCE_FIELDS
};

That's important in this context since the Alerts component already loads a bunch of data at the same time, we can save some bandwidth by not loading unnecessary data.

Copy link
Contributor Author

@animehart animehart Sep 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ooo good thing to know, i never knew this

@animehart animehart requested a review from opauloh September 13, 2024 20:42
Copy link
Contributor

@opauloh opauloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking good, just a few more questions


// Determine if the Insights tab should be included
const insightsTab =
hasMisconfigurationFindingsIndex && hasMisconfigurationFindingsForThisQuery
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it really useful to have both hasMisconfigurationFindingsIndex and hasMisconfigurationFindingsForThisQuery?

Most of the conditions seem to be checking for hasMisconfigurationFindingsIndex && hasMisconfigurationFindingsForThisQuery, in that case, wouldn't it be better to work only the hasMisconfigurationFindingsForThisQuery? since when hasMisconfigurationFindingsForThisQuery is true it means hasMisconfigurationFindingsIndex is also true.

Unless there is a use case for having only the hasMisconfigurationFindingsIndex that I'm missing

fieldName,
}: {
name: string;
fieldName: 'host.name' | 'user.name';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice 🚀

Comment on lines 64 to 66
css={css`
font-weight: ${euiTheme.font.weight.bold};
`}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't font-weight: bold applied by default in EuiTitle?

Copy link
Contributor

@opauloh opauloh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just left with a nit after the changes

const passedFindings = data?.count.passed || 0;
const failedFindings = data?.count.failed || 0;

const hasMisconfigurationFindingsForThisQuery = passedFindings > 0 || failedFindings > 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we could rename this to hasMisconfigurationFindings now

@kibana-ci
Copy link
Collaborator

kibana-ci commented Sep 14, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #4 / FilterPopover renders button label correctly

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 5758 5764 +6

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/cloud-security-posture 63 74 +11
@kbn/cloud-security-posture-common 56 60 +4
total +15

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 20.3MB 20.4MB +45.4KB
Unknown metric groups

API count

id before after diff
@kbn/cloud-security-posture 63 74 +11
@kbn/cloud-security-posture-common 57 61 +4
total +15

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@animehart animehart merged commit 28becfd into elastic:main Sep 14, 2024
42 checks passed
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 14, 2024
…lugin PHASE 2 (elastic#192535)

In an attempt to make Reviewing easier and more accurate, the
implementation of Misconfiguration Data grid on Host.name flyout in
Alerts Page will be split into 2 Phases

Phase 1: Move Functions, Utils or Helpers, Hooks, constants to Package
Phase 2: Implementing the feature

This is **Phase 2** of the process
<img width="1712" alt="Screenshot 2024-09-11 at 2 16 20 PM"
src="https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4">

How to test:
Pre req: In order to test this, you need to generate some fake alerts.
This [repo](https://github.com/elastic/security-documents-generator)
will help you do that
1. Generate Some Alerts
2. Use the Reindex API to get some Findings data in (change the
host.name field to match the host.name from alerts generated if you want
to test Findings table in the left panel flyout)
3. Turn on Risky Entity Score if you want to test if both Risk
Contribution and Insights tabs shows up, follow this
[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)
to turn on Risk Entity Score

(cherry picked from commit 28becfd)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Sep 19, 2024
…ctor CSP Plugin PHASE 2 (#192535) (#192942)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Cloud Security] Host Name Misconfiguration Datagrid &amp; Refactor
CSP Plugin PHASE 2
(#192535)](#192535)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Rickyanto
Ang","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-14T04:41:41Z","message":"[Cloud
Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin
PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more
accurate, the\r\nimplementation of Misconfiguration Data grid on
Host.name flyout in\r\nAlerts Page will be split into 2
Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks,
constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is
**Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot
2024-09-11 at 2 16
20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow
to test:\r\nPre req: In order to test this, you need to generate some
fake alerts.\r\nThis
[repo](https://github.com/elastic/security-documents-generator)\r\nwill
help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to
get some Findings data in (change the\r\nhost.name field to match the
host.name from alerts generated if you want\r\nto test Findings table in
the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to
test if both Risk\r\nContribution and Insights tabs shows up, follow
this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto
turn on Risk Entity
Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Cloud
Security","backport:prev-minor","ci:project-deploy-security","v8.16.0"],"title":"[Cloud
Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin
PHASE
2","number":192535,"url":"https://github.com/elastic/kibana/pull/192535","mergeCommit":{"message":"[Cloud
Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin
PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more
accurate, the\r\nimplementation of Misconfiguration Data grid on
Host.name flyout in\r\nAlerts Page will be split into 2
Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks,
constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is
**Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot
2024-09-11 at 2 16
20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow
to test:\r\nPre req: In order to test this, you need to generate some
fake alerts.\r\nThis
[repo](https://github.com/elastic/security-documents-generator)\r\nwill
help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to
get some Findings data in (change the\r\nhost.name field to match the
host.name from alerts generated if you want\r\nto test Findings table in
the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to
test if both Risk\r\nContribution and Insights tabs shows up, follow
this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto
turn on Risk Entity
Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192535","number":192535,"mergeCommit":{"message":"[Cloud
Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin
PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more
accurate, the\r\nimplementation of Misconfiguration Data grid on
Host.name flyout in\r\nAlerts Page will be split into 2
Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks,
constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is
**Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot
2024-09-11 at 2 16
20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow
to test:\r\nPre req: In order to test this, you need to generate some
fake alerts.\r\nThis
[repo](https://github.com/elastic/security-documents-generator)\r\nwill
help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to
get some Findings data in (change the\r\nhost.name field to match the
host.name from alerts generated if you want\r\nto test Findings table in
the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to
test if both Risk\r\nContribution and Insights tabs shows up, follow
this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto
turn on Risk Entity
Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Rickyanto Ang <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) ci:project-deploy-security Create a Security Serverless Project release_note:skip Skip the PR/issue when compiling release notes Team:Cloud Security Cloud Security team related v8.16.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants