[Security Solution][Detections] - Auto refresh all rules/monitoring tables #82062
Conversation
yctercero
added
release_note:enhancement
Team:SIEM
v8.0.0
Feature:Detection Rules
|
Pinging @elastic/siem (Team:SIEM) |
|
I see 3 things being updated, is that what you want? 3 back end requests each time? Also, I would suggest adding something to "advanced settings" to change/configure the amount of time it takes and be able to turn it off with something such as a -1 to be on the safe side for customers. |
It should be the 3 calls as it's updating both all rules and monitoring table. If you see the initial render, it makes those three calls to get the necessary info for both tables. @marrasherrier and I had chatted about giving the user the option to opt out of the auto-refresh. Is this something we want to reconsider Marra? |
|
The "refresh every" if it was available like it is from the date picker would be a nice consistency. |
|
I found a couple of potential problems in testing the functionality of this improvement. First, it seems like clicking on "Stop" currently has no effect. See gif below.
I also noticed that when the interval is low, for example 1 second, the refresh/update calls never complete and table doesn't actually get updated (see gif below). It might be better to set a minimum or to only allow minutes and hours. Thoughts?
|
|
My only concern with this design is that it's not immediately obvious what the new dropdown does (until you click on it).
@peluja1012 @MikePaquette @lindseypoli do you think this is an issue? we can't add text to the dropdown values or icon due to EUI constraints. we could add a label above, but it may look a bit awkward. |
@peluja1012 thanks for the feedback! For your first point - there's a couple bugs in that version you checked out. I was trying to do a quick POC of using the refresh component, but that should all now be fixed. For your second point, super valid. I actually checked in with the EUI team and they mentioned that restricting intervals is not yet an option and opened a ticket here - elastic/eui#4211 If I finish the other tickets, I can try to circle back and see if it's something I could try to add to the EUI component. We do have the option to "intercept" the interval change and warn the user about auto refresh intervals of < ~30 seconds. @marrasherrier I tagged you in the slack convo about customizations with EUI. It seems that one of the reasons there isn't as much customization available is because they want to keep it the same across the app, but I think a discussion ticket was opened to discuss it. elastic/eui#4213 |
| @@ -0,0 +1,47 @@ | |||
| /* | |||
There was a problem hiding this comment.
The files under components/last_updated were just moved from under timeline. Not new code.
| @@ -210,7 +210,7 @@ export const getColumns = ({ | |||
| getEmptyTagValue() | |||
| ) : ( | |||
| <LocalizedDateTooltip fieldName={i18n.COLUMN_LAST_UPDATE} date={new Date(value)}> | |||
| <FormattedRelative value={value} /> | |||
| <FormattedDate value={value} fieldName={'last rule update date'} /> | |||
There was a problem hiding this comment.
Changed this here because all the relative times (updated at, last run, last update, etc) felt overwhelming. @marrasherrier what do you think?
| @@ -85,27 +93,24 @@ export const allRulesReducer = ( | |||
| }; | |||
| } | |||
| case 'updateRules': { | |||
| if (state.rules != null) { | |||
There was a problem hiding this comment.
Removed this as at no point is it typed or set to null or undefined, it's defaulted to empty array.
| if (!isRefreshPaused) { | ||
| idleTimeoutId.current = setTimeout(() => { | ||
| setShowIdleModal(true); | ||
| }, 2700000); |
There was a problem hiding this comment.
Set idle timeout to 45 minutes. Any thoughts on this?
| const { loading: isLoadingRulesStatuses, rulesStatuses } = useRulesStatuses(rules); | ||
| const history = useHistory(); | ||
| const [, dispatchToaster] = useStateToaster(); | ||
| const mlCapabilities = useMlCapabilities(); | ||
| const [allRulesTab, setAllRulesTab] = useState(AllRulesTabs.rules); | ||
| const { formatUrl } = useFormatUrl(SecurityPageName.detections); | ||
|
|
||
| // Auto rules info refresh refs | ||
| const idleTimeoutId = useRef<NodeJS.Timeout | null>(null); |
There was a problem hiding this comment.
Such a weird world between NodeJS and the browser. The browser puts all the globals on window and then NodeJS puts them all on global. But we run the unit tests on the backend within NodeJS and not really the front end.
What's interesting is actually a 3rd way called globalThis:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/globalThis
https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-4.html#type-checking-for-globalthis
I don't know if/when that will catch on enough, but in the meantime you can remove that NodeJS.Timeout with a handy trick like this:
const idleTimeoutId = useRef<ReturnType<typeof setTimeout> | null>(null);It's interesting to change that ReturnType to be window.setTimeout instead but notice that TypeScript didn't really replace it all the way correctly, so it's a bit of workaround to avoid just having the words NodeJS in your front end types.
💚 Build SucceededMetrics [docs]@kbn/optimizer bundle module count
async chunks size
page load bundle size
Saved Objects .kibana field count
History
To update your PR or re-run it, just comment with: |
| cy.get(ASYNC_LOADING_PROGRESS).should('not.exist'); | ||
| }; | ||
|
|
||
| // when using, ensure you've called cy.clock prior in test |
There was a problem hiding this comment.
Is this comment still valid? Didn't see a cy.clock anywhere?
There was a problem hiding this comment.
Deleted in followup #83023
| describe('AllRules', () => { | ||
| it('renders AllRulesUtilityBar total rules and selected rules', () => { | ||
| const wrapper = mount( | ||
| <ThemeProvider theme={() => ({ eui: euiDarkVars, darkMode: true })}> |
There was a problem hiding this comment.
nit: In tests I think the pattern of declaring a theme at the top:
const theme = () => ({ eui: euiDarkVars, darkMode: true });And then using it everywhere is better:
<ThemeProvider theme={theme}>It's just less syntax noise and repetition. At least that's the pattern I follow at the moment.
There was a problem hiding this comment.
👍 thanks, that's a nice pattern. Updated in #83023
| expect(mockSwitch).toHaveBeenCalledTimes(1); | ||
| }); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
Thanks for all these tests btw 👍
| 'xpack.securitySolution.uiSettings.rulesTableRefreshDescription', | ||
| { | ||
| defaultMessage: | ||
| '<p>Enables auto refresh on the all rules and monitoring tables, in milliseconds</p>', |
There was a problem hiding this comment.
This is the first time I have seen HTML mixed in with a defaultMessage like this? Is this correct or are the <p> going to end up in the translation file?
There was a problem hiding this comment.
It looks like it's fine and they translate around it:
"xpack.securitySolution.uiSettings.defaultAnomalyScoreDescription": "<p>機械学習ジョブの異常がこの値を超えると、セキュリティアプリに表示されます。</p><p>有効な値:0 ~ 100。</p>",So no changes with this PR needed, but that just feels weird and off to me and maybe in a follow up or something one of us should just fix these weird things going on.
There was a problem hiding this comment.
Yea, I followed the existing pattern in that file but then also saw the i18n documentation have instances of it.
| "value": ${DEFAULT_RULE_REFRESH_INTERVAL_VALUE}, | ||
| "idleTimeout": ${DEFAULT_RULE_REFRESH_IDLE_VALUE} | ||
| }`, | ||
| category: ['securitySolution'], |
There was a problem hiding this comment.
Wondering if this whole file should have used APP_ID from constants at some point instead of the hard coded names of securitySolution. No changes if you don't want to, but I would try to update that and see if it works? I am curious if has to be this hard coded name and cannot use the variable we have.
There was a problem hiding this comment.
I went ahead and changed it to use APP_ID in #83023 - it seemed to work just fine on testing it.
There was a problem hiding this comment.
Checked it out, tested each scenario per the docs about tests and everything looks to be functioning as expected.
Few pointers, questions, nits, but this is a really awesome improvement so I don't want those to drown out all the good that is coming from this PR.
👍
|
Thanks @FrankHassanabad ! I'm gonna go ahead and merge and address the various things you pointed out in a follow up PR. |
…ables (elastic#82062) ## Summary This PR addresses elastic#63865 . Please read the issue for more detail, but essentially, stale data on the tables and use of relative date format leads to confusion as to whether the table was auto refreshing or not.
* master: (68 commits) [Fleet] Make stream id unique in agent policy (elastic#82447) skip flaky suite (elastic#82915) skip flaky suite (elastic#75794) Copy `dateAsStringRt` to observability plugin (elastic#82839) [Maps] rename connected_components/map folder to mb_map (elastic#82897) [Security Solution] Fix EventsViewer DnD cypress tests (elastic#82619) [Security Solution] Adds logging and performance fan out API for threat/Indicator matching (elastic#82546) Implemented Alerting health status pusher by using task manager and status pooler for Kibana status plugins 'kibanahost/api/status' (elastic#79056) [APM] Adds new configuration 'xpack.apm.maxServiceEnvironments' (elastic#82090) Move single use function in line (elastic#82885) [ML] Add unsigned_long support to data frame analytics and anomaly detection (elastic#82636) Add flot_chart dependency from shared_deps to Shareable Runtime (elastic#81649) [Security Solution][Detections] - Auto refresh all rules/monitoring tables (elastic#82062) [APM] Fix apm e2e runner script commands (elastic#82798) [Ingest Manager] Move cache functions to from registry to archive (elastic#82871) Update webpack-dev-server and webpack-cli (elastic#82844) [Uptime] Migrate to new es client (elastic#82003) Move parseAndVerify* functions to validation.ts (elastic#82845) Remove yeoman & yo (elastic#82825) [Canvas] Fix elements not being updated properly when filter is changed on workpad (elastic#81863) ...
Followed up in #83023 |
…ules (elastic#83023) ### Summary This is a follow up cleanup PR to elastic#82062 . There were a few comments I hadn't gotten to and wanted to follow up on.
Summary
This PR addresses #63865 . Please read the issue for more detail, but essentially, stale data on the tables and use of relative date format leads to confusion as to whether the table was auto refreshing or not.
Went with the third suggestion in the issue ticket. The rules and monitoring tables auto refresh every 1 minute. An updated at relative data line was added in the header of the tables to give users a sense of how fresh the data is. I did end up changing theLast updatedcolumn to use standard format date as opposed to relative time because it seemed with the addition of the last table update, there were a lot of shifting relative dates.Update: per @FrankHassanabad suggestion, updated UI to use EUI's refresh component, giving user option to change interval or stop all together. It also uses local storage to store the interval selection so if a user navigates away and comes back to the page, they don't have to reset the interval every time.Update 2.0: After chatting with the team this feature includes the following:
Initial table load
Refresh
Idle modal
Advanced settings
Advanced settings - user adds interval lower than 1 min
Things to test
x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/all/index.tsxline 380 to a shorter interval like 3000 --> set interval --> leave window idle --> idle modal should pop up and pause interval --> hit continue and interval should continueI also tested that filters stick on rules refresh. A bug was found with sort on the page, will be addressed separately.
Note
Checklist