
[Security Solution] Add threshold, machine_learning_job_id and anomaly_threshold editable fields #200323

Merged (49 commits) Dec 18, 2024

Conversation

@nikitaindik (Contributor) commented Nov 16, 2024

Partially addresses: #171520

Summary

Changes in this PR:

  • threshold and machine_learning_job_id, anomaly_threshold are now editable in the Rule Upgrade flyout
[Screenshot 2024-11-26 at 08:59:24]

Testing

  • Ensure the prebuiltRulesCustomizationEnabled feature flag is enabled.
  • To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the PATCH api/detection_engine/rules API.
    • Set version: 1 in the request body to downgrade it to version 1.
    • Modify other rule fields in the request body as needed to test the changes.
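As an added illustration (not code from this PR or from Kibana), a small Python helper that builds the PATCH body the testing steps describe: it downgrades a prebuilt rule to version 1 and optionally overrides the fields this PR makes editable. The Kibana URL, credentials and rule id are placeholders; the kbn-xsrf header is the one Kibana requires on non-GET requests.

```python
import json
import urllib.request

# Constructed example: base URL and rule id are placeholders, not values from the PR.
KIBANA_URL = "http://localhost:5601"
RULES_API = "/api/detection_engine/rules"


def build_downgrade_patch(rule_id, version=1, threshold=None,
                          machine_learning_job_id=None, anomaly_threshold=None):
    """Return the PATCH body that sets a prebuilt rule to `version` (default 1)
    so the Rule Upgrade flyout offers an upgrade, with optional field overrides."""
    if version < 1:
        raise ValueError("rule version must be >= 1")
    body = {"rule_id": rule_id, "version": version}
    if threshold is not None:
        # threshold rules need a field (string or list) and a numeric value
        if "field" not in threshold or "value" not in threshold:
            raise ValueError("threshold needs 'field' and 'value'")
        body["threshold"] = threshold
    if machine_learning_job_id is not None:
        # the API accepts one id or a list; normalise to a list
        ids = ([machine_learning_job_id] if isinstance(machine_learning_job_id, str)
               else list(machine_learning_job_id))
        body["machine_learning_job_id"] = ids
    if anomaly_threshold is not None:
        # anomaly_threshold is a 0-100 score cut-off
        if not 0 <= anomaly_threshold <= 100:
            raise ValueError("anomaly_threshold must be between 0 and 100")
        body["anomaly_threshold"] = anomaly_threshold
    return body


def patch_rule(body, kibana_url=KIBANA_URL, auth_header=None):
    """Send the PATCH to Kibana; kbn-xsrf must be set or Kibana rejects the call."""
    req = urllib.request.Request(
        kibana_url + RULES_API, method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "kbn-xsrf": "true"})
    if auth_header:
        req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```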

@nikitaindik nikitaindik added release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team backport:version Backport to applied version labels v8.17.0 labels Nov 16, 2024
@nikitaindik nikitaindik self-assigned this Nov 16, 2024
@nikitaindik nikitaindik force-pushed the machine-learning-fields branch from c195e14 to ff1858e Compare November 17, 2024 18:08
@banderror banderror added v8.18.0 and removed v8.17.0 labels Nov 21, 2024
@nikitaindik nikitaindik force-pushed the machine-learning-fields branch from ff1858e to d13fb76 Compare November 26, 2024 07:22
@nikitaindik nikitaindik marked this pull request as ready for review November 26, 2024 07:58
@nikitaindik nikitaindik requested review from a team as code owners November 26, 2024 07:58
@nikitaindik nikitaindik requested a review from rylnd November 26, 2024 07:58
@elasticmachine (Contributor):

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@nikitaindik nikitaindik requested a review from maximpn November 26, 2024 07:58
@elasticmachine (Contributor):

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor):

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@nikitaindik nikitaindik force-pushed the machine-learning-fields branch from f198cad to b6a9d92 Compare November 26, 2024 09:01
@nikitaindik nikitaindik requested a review from xcrzx November 26, 2024 09:02
@banderror banderror added the Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area label Nov 26, 2024
@nikitaindik (Contributor, Author):

> Why use 1280px as default width?

I guess it's my bias. That's the default width I use for browsing. It takes half of a 27-inch screen.

Before changing the UI, I would want to hear the opinion of @ARWNightingale.

I've prepared deployments for you folks, so you can see how it behaves.

You can use a rule called Potential LSASS Memory Dump via PssCaptureSnapShot in both deployments. Try resizing the window with this rule open on the Rule editing page and in the Upgrade flyout to see the difference.

With default styles: (link) elastic/changeme

With styles from this branch: (link) elastic/changeme

Looking forward to your feedback!

@ARWNightingale:

Hey @nikitaindik, I don't mind the new width, but I do not particularly like the error message and the way it bumps things down; that sways me to the narrower field approach.

@nikitaindik (Contributor, Author):

@vitaliidm @ARWNightingale Hey folks, I've simplified the styling a bit, removed reliance on constants, and ensured that the error text doesn't shrink. Here's how it looks:

rep.mov
flyout.mov

What do you think?

@ARWNightingale:

@nikitaindik Looks great! Thanks.

@vitaliidm (Contributor):

Screen.Recording.2024-12-18.at.12.05.26.mov

I have noticed that when the number input changes status from invalid to valid and vice versa, the cursor position changes automatically due to the error message appearing and disappearing.
While the vertical shift of the content was addressed, it introduced a shift of the cursor and the user's focus.

@ARWNightingale, what are your thoughts on this? Should we leave it as it is now?

@ARWNightingale:

@vitaliidm I don't like it, to be honest. I did not notice that quick shift; ideally, no movement would be best. Maybe that requires a little more room or a shorter error message?

@nikitaindik (Contributor, Author) commented Dec 18, 2024:

@ARWNightingale @vitaliidm Since the error message can have a different length in different languages, I guess our options are:

1. Have a fixed size for number inputs, but it'll cause text to wrap (which is fine, imo)

Schermopname.2024-12-18.om.17.15.45.mov

2. Limit the width of dropdowns to have some space left over for number inputs to expand

Schermopname.2024-12-18.om.17.18.29.mov

The downside with these options is that ideally we want to have as much width as possible for the dropdown since field names can be quite long.

Schermopname.2024-12-18.om.17.24.11.mov

@ARWNightingale:

@nikitaindik I'm happy with the small drop and text wrap; I don't see this as a major UX issue.

@nikitaindik (Contributor, Author):

@vitaliidm I pushed the change, please take a look.

@vitaliidm (Contributor):

@nikitaindik, I am approving this PR

But before merging, let's address the ML change too:

The Custom job button is located far away on the right side of the column, which does not look good.

Old UI

Screenshot 2024-12-18 at 17 14 00

New UI

Screenshot 2024-12-18 at 17 13 52

@nikitaindik (Contributor, Author):

@vitaliidm Thanks for the review! 🙏 I've addressed your last comment about the spacing for the ML button before merging.

After the fix
[Screenshot 2024-12-18 at 19:31:43]

@nikitaindik nikitaindik enabled auto-merge (squash) December 18, 2024 19:36
@elasticmachine (Contributor) commented Dec 18, 2024:

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 6449 | 6473 | +24 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 21.4MB | 21.4MB | +3.5KB |

History

cc @nikitaindik

@nikitaindik nikitaindik merged commit 042344e into elastic:main Dec 18, 2024
8 checks passed
@kibanamachine (Contributor):

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12401252816

@kibanamachine (Contributor):

💔 All backports failed

Status Branch Result
8.x Backport failed because of merge conflicts

You might need to backport the following PRs to 8.x:
- [Security Solution] Add history_window_start and new_terms_fields editable fields (#200304)

Manual backport

To create the backport manually run:

node scripts/backport --pr 200323

Questions?

Please refer to the Backport tool documentation

nikitaindik added a commit to nikitaindik/kibana that referenced this pull request Dec 18, 2024
…nomaly_threshold` editable fields (elastic#200323)

**Partially addresses: elastic#171520**

## Summary
**Changes in this PR**:
- `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now
editable in the Rule Upgrade flyout

![Screenshot 2024-11-26 at 08:59:24](https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83)

### Testing
- Ensure the `prebuiltRulesCustomizationEnabled` feature flag is
enabled.
- To simulate the availability of prebuilt rule upgrades, downgrade a
currently installed prebuilt rule using the `PATCH
api/detection_engine/rules` API.
   - Set `version: 1` in the request body to downgrade it to version 1.
- Modify other rule fields in the request body as needed to test the
changes.

(cherry picked from commit 042344e)
@nikitaindik (Contributor, Author):

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation

nikitaindik added a commit that referenced this pull request Dec 18, 2024
…and `anomaly_threshold` editable fields (#200323) (#204840)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Add `threshold`, `machine_learning_job_id` and
`anomaly_threshold` editable fields
(#200323)](#200323)


### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

JoseLuisGJ pushed a commit to JoseLuisGJ/kibana that referenced this pull request Dec 19, 2024
…nomaly_threshold` editable fields (elastic#200323)
