Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Editing rules independently of source data #5758

Open
Tracked by #180407
e40pud opened this issue Aug 30, 2024 · 1 comment
Open
Tracked by #180407

Editing rules independently of source data #5758

e40pud opened this issue Aug 30, 2024 · 1 comment
Assignees
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security enhancement New feature or request Team: Detections/Response Detections and Response v8.16.0

Comments

@e40pud
Copy link
Contributor

e40pud commented Aug 30, 2024

Description

We need to add documentation for the new behaviour during the rule creation and editing workflows.

Right now when user tries to create or save the rule during editing and there are validation errors within the query bar indicating misconfiguration in data source, mappings and missing data fields we would not allow user to create or save the rule in these cases.

Instead of blocking the creation and editing of a rule when the rule's data source has not enough data for the query to work, the UX would only warn the user but continue to proceed with creation and saving the rule.

Here is the epic describing the effort elastic/kibana#180407

NOTE: Right now this behaviour happens with EQL and ES|QL rule types, since do query validation for these rule types.

The screenshot of the confirmation that we gonna show:

Image

Screenshot of the EQL rule creation workflow with existing non-blocking validation errors:

Screen.Recording.2024-08-27.at.13.44.14.mov

Screenshot of the EQL rule updating workflow with existing non-blocking validation errors:

Screen.Recording.2024-08-27.at.13.46.19.mov

Related links / assets

Please include each of the following, if applicable:
Doc URL: https://www.elastic.co/guide/en/security/current/rules-ui-create.html
Github issue link(s):

Which documentation set needs improvement?

ESS and serverless

Software version

This functionality will be introduced in 8.16

Collaborators

PM: @approksiu
Developer: @e40pud (different team now) @banderror

Timeline / deliverables

Correct me if I'm wrong @approksiu and @banderror, but would be nice to finish these docs before 8.16 release.

@e40pud e40pud added the enhancement New feature or request label Aug 30, 2024
@e40pud e40pud changed the title [Enhancement]: [Enhancement]: Editing rules independently of source data Aug 30, 2024
e40pud added a commit to elastic/kibana that referenced this issue Aug 30, 2024
…) (#191487)

## Summary

Addresses #180407
Addresses #178611

With these changes we allow user to create and update a rule even if
there are certain query bar validation error exist. Right now, we will
make any non-syntax validation errors in `EQL` and `ES|QL` rules types
to be non-blocking during the rule creation and rule updating workflows.

### Screenshot of the EQL rule creation workflow with existing
non-blocking validation errors:


https://github.com/user-attachments/assets/06b7f76c-e600-4a99-8ead-1445d429e9d3

### Screenshot of the EQL rule updating workflow with existing
non-blocking validation errors:


https://github.com/user-attachments/assets/9b35e113-b127-487b-bc23-afecf704db9d

## UPDATE

After discussing confirmation modal with @approksiu, we decided to
simplify it and show only title with generic description to avoid too be
too literal in the modal. User can see the full error description during
rule creation/editing workflows in the query bar where we show each
validation error as part of the query bar form item.

<img width="702" alt="Screenshot 2024-08-28 at 12 50 14"
src="https://github.com/user-attachments/assets/edfb791e-4e45-4fa5-8a46-c7e2772abdf9">

### Some test cases for local testing

<details>
  <summary><b>Create EQL rule with missing data source</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select EQL rule type
4. Set non-existing index in index patterns field
5. Add some valid EQL query (for example `any where true`)
6. Continue with other steps
7. Click create rule button

**Expected**: You will see the confirmation modal that warns user about
potentially failing rule executions. Clicking `Confirm` button will
create a rule.

</details>

<details>
  <summary><b>Create EQL rule with missing data field</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select EQL rule type
4. Set existing indices in index patterns field
5. Add some valid EQL query referring non-existing data field (for
example `any where agent.non_existing_field`)
6. Continue with other steps
7. Click create rule button

**Expected**: You will see the confirmation modal that warns user about
potentially failing rule executions. Clicking `Confirm` button will
create a rule.

</details>

<details>
<summary><b>Create EQL rule with syntax error in the query</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select EQL rule type
4. Set existing indices in index patterns field
5. Add some syntactically invalid EQL query (for example `hello world`)

**Expected**: The continue button does not allow user to proceed to the
About step due to existing syntax error.

</details>

<details>
  <summary><b>Create ES|QL rule with missing data source</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select ES|QL rule type
4. Add some valid ES|QL query with non-existing data source (for example
`from non-existing-index-* metadata _id, _version, _index | SORT
@timestamp`)
6. Continue with other steps
7. Click create rule button

**Expected**: You will see the confirmation modal that warns user about
potentially failing rule executions. Clicking `Confirm` button will
create a rule.

</details>

<details>
  <summary><b>Create ES|QL rule with missing data field</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select ES|QL rule type
4. Add some valid ES|QL query with non-existing data field (for example
`from logs-* metadata _id, _version, _index | SORT
agent.non_existing_field`)
6. Continue with other steps
7. Click create rule button

**Expected**: You will see the confirmation modal that warns user about
potentially failing rule executions. Clicking `Confirm` button will
create a rule.

</details>

<details>
<summary><b>Create ES|QL rule with syntax error in the
query</b></summary>

#### Steps:
1. Open rules management page
2. Click create new rule button
3. Select ES|QL rule type
4. Add some syntactically invalid ES|QL query (for example `hello
world`)

**Expected**: The continue button does not allow user to proceed to the
About step due to existing syntax error.

</details>

Same behaviour applies to the rule updating workflow. For example, you
can try to install one of the EQL or ES|QL rules that point to
non-existing data source or uses non-existing data field. User can still
update (add rule actions) to such installed pre-built rules.

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
  * elastic/security-docs#5758
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
* [Detection Engine -
Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6831)
(100 ESS & 100 Serverless)
* [Rule Management -
Cypress](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6830)
(100 ESS & 100 Serverless)

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Vitalii Dmyterko <[email protected]>
@joepeeples
Copy link
Contributor

We can temporarily hold off on documenting this until we know what exactly the final state of this UI will be. For now, this docs ticket is more of a "just in case' placeholder.

@joepeeples joepeeples added Team: Detections/Response Detections and Response Docset: Serverless Issues for Serverless Security Docset: ESS Issues that apply to docs in the Stack release v8.16.0 labels Sep 9, 2024
@joepeeples joepeeples changed the title [Enhancement]: Editing rules independently of source data Editing rules independently of source data Sep 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security enhancement New feature or request Team: Detections/Response Detections and Response v8.16.0
Projects
None yet
Development

No branches or pull requests

3 participants