-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 #192535
[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 #192535
Conversation
…ks into common file
/ci |
/ci |
/ci |
…x and findingsResult check
/ci |
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM from Entity Analytics
isMisconfigurationFindingsIndexExist: hasMisconfigurationFindingsIndex, | ||
isMisconfigurationFindingsForThisQueryExist: hasMisconfigurationFindingsForThisQuery, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having two names for the same thing might be confusing (isMisconfigurationFindingsIndexExist
and hasMisconfigurationFindingsIndex
), ideally, we should stick with one naming only.
hasMisconfigurationFindingsIndex
seems to me easier to read and understand than isMisconfigurationFindingsIndexExist
, is
is often used for boolean states or conditions (e.g., isEnabled, isVisible), and has
is used for existence or possession (e.g., hasItems, hasError).
can we update the references of isMisconfigurationFindingsIndexExist
and isMisconfigurationFindingsForThisQueryExist
to hasMisconfigurationFindingsIndex
and hasMisconfigurationFindingsForThisQuery
respectively across the PR?
isMisconfigurationFindingsIndexExist={false} | ||
isMisconfigurationFindingsForThisQueryExist={true} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how this use case can happen? index does not exist, but the data exist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
woops, you are right
this one is redundant
|
||
const insightsButtons: EuiButtonGroupOptionProps[] = [ | ||
{ | ||
id: 'misconfigurationTabId', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's add this id to a constant, so we avoid updating the id name and forgetting to update the activeInsightsId
data-test-subj={'insightButtonGroupsTestId'} | ||
/> | ||
<EuiSpacer size="xl" /> | ||
<MisconfigurationFindingsDetailsTable fieldName={'host.name'} queryName={name} /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having the fieldName
fixed to host.name
here might prevent this component from being reusable in the future, I would suggest including the fieldName
in the props and pass it down from the getInsightsInputTab
function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
was planning to just do that on my next ticket (do this with user.name column) as shown in this branch that i made to see how much stuff i need to change
but now that u mentioned it, might as well change it now
navToFindings({ 'rule.id': ruleId, 'resource.id': resourceId }); | ||
}; | ||
|
||
const columns: Array<EuiBasicTableColumn<Pick<CspFinding, 'result' | 'rule' | 'resource'>>> = [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this type Pick<CspFinding, 'result' | 'rule' | 'resource'>
is being reused multiple times, what about create one type for it:
type MisconfigurationFindingDetailFields = Pick<CspFinding, 'result' | 'rule' | 'resource'>
return { | ||
index: CDR_MISCONFIGURATIONS_INDEX_PATTERN, | ||
size: isPreview ? 0 : 500, | ||
aggs: getFindingsCountAggQueryMisconfiguration(), | ||
ignore_unavailable: true, | ||
query: buildMisconfigurationsFindingsQueryWithFilters(query, mutedRulesFilterQuery), | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we are only using a couple of fields, it would be nice to update the query to only retrieve the fields we need. We can do that by including a source filtering:
const MISCONFIGURATIONS_SOURCE_FIELDS = ['result.*', 'rule.*', 'resource.*'];
//...
return {
index: CDR_MISCONFIGURATIONS_INDEX_PATTERN,
size: isPreview ? 0 : 500,
aggs: getFindingsCountAggQueryMisconfiguration(),
ignore_unavailable: true,
query: buildMisconfigurationsFindingsQueryWithFilters(query, mutedRulesFilterQuery),
_source: MISCONFIGURATIONS_SOURCE_FIELDS
};
That's important in this context since the Alerts component already loads a bunch of data at the same time, we can save some bandwidth by not loading unnecessary data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ooo good thing to know, i never knew this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looking good, just a few more questions
|
||
// Determine if the Insights tab should be included | ||
const insightsTab = | ||
hasMisconfigurationFindingsIndex && hasMisconfigurationFindingsForThisQuery |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really useful to have both hasMisconfigurationFindingsIndex
and hasMisconfigurationFindingsForThisQuery
?
Most of the conditions seem to be checking for hasMisconfigurationFindingsIndex && hasMisconfigurationFindingsForThisQuery
, in that case, wouldn't it be better to work only the hasMisconfigurationFindingsForThisQuery
? since when hasMisconfigurationFindingsForThisQuery
is true it means hasMisconfigurationFindingsIndex
is also true.
Unless there is a use case for having only the hasMisconfigurationFindingsIndex
that I'm missing
fieldName, | ||
}: { | ||
name: string; | ||
fieldName: 'host.name' | 'user.name'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice 🚀
css={css` | ||
font-weight: ${euiTheme.font.weight.bold}; | ||
`} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't font-weight: bold
applied by default in EuiTitle?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just left with a nit after the changes
const passedFindings = data?.count.passed || 0; | ||
const failedFindings = data?.count.failed || 0; | ||
|
||
const hasMisconfigurationFindingsForThisQuery = passedFindings > 0 || failedFindings > 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: we could rename this to hasMisconfigurationFindings
now
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Unknown metric groupsAPI count
History
To update your PR or re-run it, just comment with: |
…lugin PHASE 2 (elastic#192535) In an attempt to make Reviewing easier and more accurate, the implementation of Misconfiguration Data grid on Host.name flyout in Alerts Page will be split into 2 Phases Phase 1: Move Functions, Utils or Helpers, Hooks, constants to Package Phase 2: Implementing the feature This is **Phase 2** of the process <img width="1712" alt="Screenshot 2024-09-11 at 2 16 20 PM" src="https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4"> How to test: Pre req: In order to test this, you need to generate some fake alerts. This [repo](https://github.com/elastic/security-documents-generator) will help you do that 1. Generate Some Alerts 2. Use the Reindex API to get some Findings data in (change the host.name field to match the host.name from alerts generated if you want to test Findings table in the left panel flyout) 3. Turn on Risky Entity Score if you want to test if both Risk Contribution and Insights tabs shows up, follow this [guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html) to turn on Risk Entity Score (cherry picked from commit 28becfd)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…ctor CSP Plugin PHASE 2 (#192535) (#192942) # Backport This will backport the following commits from `main` to `8.x`: - [[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 (#192535)](#192535) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Rickyanto Ang","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-14T04:41:41Z","message":"[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more accurate, the\r\nimplementation of Misconfiguration Data grid on Host.name flyout in\r\nAlerts Page will be split into 2 Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks, constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is **Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot 2024-09-11 at 2 16 20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow to test:\r\nPre req: In order to test this, you need to generate some fake alerts.\r\nThis [repo](https://github.com/elastic/security-documents-generator)\r\nwill help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to get some Findings data in (change the\r\nhost.name field to match the host.name from alerts generated if you want\r\nto test Findings table in the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to test if both Risk\r\nContribution and Insights tabs shows up, follow this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto turn on Risk Entity Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Cloud Security","backport:prev-minor","ci:project-deploy-security","v8.16.0"],"title":"[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2","number":192535,"url":"https://github.com/elastic/kibana/pull/192535","mergeCommit":{"message":"[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more accurate, the\r\nimplementation of Misconfiguration Data grid on Host.name flyout in\r\nAlerts Page will be split into 2 Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks, constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is **Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot 2024-09-11 at 2 16 20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow to test:\r\nPre req: In order to test this, you need to generate some fake alerts.\r\nThis [repo](https://github.com/elastic/security-documents-generator)\r\nwill help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to get some Findings data in (change the\r\nhost.name field to match the host.name from alerts generated if you want\r\nto test Findings table in the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to test if both Risk\r\nContribution and Insights tabs shows up, follow this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto turn on Risk Entity Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192535","number":192535,"mergeCommit":{"message":"[Cloud Security] Host Name Misconfiguration Datagrid & Refactor CSP Plugin PHASE 2 (#192535)\n\nIn an attempt to make Reviewing easier and more accurate, the\r\nimplementation of Misconfiguration Data grid on Host.name flyout in\r\nAlerts Page will be split into 2 Phases\r\n\r\nPhase 1: Move Functions, Utils or Helpers, Hooks, constants to Package\r\nPhase 2: Implementing the feature\r\n\r\nThis is **Phase 2** of the process\r\n<img width=\"1712\" alt=\"Screenshot 2024-09-11 at 2 16 20 PM\"\r\nsrc=\"https://github.com/user-attachments/assets/29ab56db-8561-486c-ae8d-c254b932cea4\">\r\n\r\nHow to test:\r\nPre req: In order to test this, you need to generate some fake alerts.\r\nThis [repo](https://github.com/elastic/security-documents-generator)\r\nwill help you do that\r\n1. Generate Some Alerts\r\n2. Use the Reindex API to get some Findings data in (change the\r\nhost.name field to match the host.name from alerts generated if you want\r\nto test Findings table in the left panel flyout)\r\n3. Turn on Risky Entity Score if you want to test if both Risk\r\nContribution and Insights tabs shows up, follow this\r\n[guide](https://www.elastic.co/guide/en/security/current/turn-on-risk-engine.html)\r\nto turn on Risk Entity Score","sha":"28becfdce90ff5a0cec0345070c301aa7ca338ed"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Rickyanto Ang <[email protected]>
In an attempt to make Reviewing easier and more accurate, the implementation of Misconfiguration Data grid on Host.name flyout in Alerts Page will be split into 2 Phases
Phase 1: Move Functions, Utils or Helpers, Hooks, constants to Package
Phase 2: Implementing the feature
This is Phase 2 of the process
How to test:
Pre req: In order to test this, you need to generate some fake alerts. This repo will help you do that