[Security Solution][Detections] Add defaults to Rule Execution log API for from/to #131095

Open
spong opened this issue Apr 27, 2022 · 2 comments
Labels

* enhancement: New value added to drive a business result
* Feature:Rule Monitoring: Security Solution Detection Rule Monitoring area
* impact:low: Addressing this issue will have a low level of impact on the quality/strength of our product.
* Team:Detection Rule Management: Security Detection Rule Management Team
* Team:Detections and Resp: Security Detection Response Team
* Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

spong (Member) commented Apr 27, 2022

As detailed in this review comment #129003 (comment), we can improve the Rule Execution Log API by not requiring to/from params, and instead default to something like last 24hrs. Would also be nice to add support back for datemath strings like now-5m for easier use.

This API is currently internal only, and is always used with explicit datetimes, so marking as low impact for now.
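The defaults and datemath support proposed above, as an added TypeScript example that is not Kibana's code (it does not use Kibana's datemath library; the hand-rolled parser, the 24-hour default and the 90-day cap are assumptions):

```typescript
// Added example (not Kibana's code): resolve optional `from`/`to` query
// parameters for an execution-log style read API. Missing params default to
// the last 24 hours, and a small subset of datemath (`now`, `now-5m`, `now+1h`)
// is accepted alongside ISO-8601 timestamps. The parser, the 24h default and
// the 90-day cap are assumptions for this example, not Kibana's behaviour.

const DEFAULT_WINDOW_MS = 24 * 60 * 60 * 1000;  // "last 24hrs" default
const MAX_WINDOW_MS = 90 * 24 * 60 * 60 * 1000; // hypothetical upper bound

const UNIT_MS: Record<string, number> = {
  s: 1000, m: 60000, h: 3600000, d: 86400000, w: 604800000,
};

// Parses "now", "now±<n><unit>" or an absolute ISO-8601 timestamp.
// `now` is injected so callers (and tests) get deterministic results.
function parseDateMath(input: string, now: Date): Date {
  const m = /^now(?:([+-])(\d+)([smhdw]))?$/.exec(input.trim());
  let result: Date;
  if (m) {
    const delta = m[1] ? Number(m[2]) * UNIT_MS[m[3]] : 0;
    result = new Date(now.getTime() + (m[1] === '-' ? -delta : delta));
  } else {
    result = new Date(input);
  }
  if (Number.isNaN(result.getTime())) {
    throw new RangeError(`invalid date or datemath expression: "${input}"`);
  }
  return result;
}

interface TimeRange { from: Date; to: Date }

// `to` defaults to now; `from` defaults to 24h before `to`. Inverted or
// oversized ranges are rejected so a caller cannot request an unbounded scan.
function resolveTimeRange(
  params: { from?: string; to?: string },
  now: Date = new Date()
): TimeRange {
  const to = params.to ? parseDateMath(params.to, now) : new Date(now.getTime());
  const from = params.from
    ? parseDateMath(params.from, now)
    : new Date(to.getTime() - DEFAULT_WINDOW_MS);
  if (from.getTime() > to.getTime()) {
    throw new RangeError('"from" must not be later than "to"');
  }
  if (to.getTime() - from.getTime() > MAX_WINDOW_MS) {
    throw new RangeError('requested range exceeds the maximum window');
  }
  return { from, to };
}
```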

spong added the enhancement, impact:low, Team:Detections and Resp, Team: SecuritySolution, Feature:Rule Monitoring and Team:Detection Rule Management labels Apr 27, 2022
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine (Contributor) commented:

Pinging @elastic/security-detections-response (Team:Detections and Resp)

spong added a commit that referenced this issue May 4, 2022
… Part Deux (#130072)

## Summary

Addresses feedback and fixes identified in #126215 & #129003

##### Feedback addressed includes:
* Adds toast for restoring global query state after performing `view alerts for execution` action
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164511565-b77d3dc8-a8b5-4927-a947-54966a58c74f.gif" />
</p>

* Updates global SuperDatePicker to daterange of execution (+/- day) for `view alerts for execution` action (and clear all other filters)
  * See above gif
* Remove redundant `RuleExecutionStatusType` (#129003 (comment))
* Persist table state (DatePicker/StatusFilter/SortField/SortOrder/Pagination) when navigating to other tabs on the same page
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164512498-59416601-d967-4a27-b0cc-0715cc0662c0.gif" />
</p>

* Fix duration hours bug (`7 hours (25033167ms)` as `06:417:13:000`)
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164511478-bf0bb6d8-d8b7-4c86-8fbd-b60090f00555.png" />
</p> 

* Support `disabled rule` platform error (#126215 (comment))
  * Updated `getAggregateExecutionEvents` to fall back to platform status from `event.outcome` if `security_status` is empty, and also to fall back to `error.message` if `security_message` is empty. This also now queries for the corresponding `event.outcome` if a filter is provided so that platform-only events can still be displayed when filtering.
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164510056-1e0bce86-8360-4d46-b591-2041457e3244.png" />
</p>

* Verify StatusFilter issue #126215 (comment)
  * Unable to reproduce, I believe the query updates around first querying for status may've fixed this?
* Provide helpful defaults for `to`/`from` and support datemath strings again (#129003 (comment))
  * Created enhancement for this here: #131095
* Adds UI Unit tests for RuleExecutionLog Table
* Finalize API Integration tests for gap remediation events
  * Test methods developed for injecting arbitrary execution events while still working with event-log RBAC. See last [API integration test](https://github.com/elastic/kibana/blob/22cc0c8dbd2a1300675caf4c6d471d211ed44858/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts#L121-L166) for technique. This can further be used to inject many execution events and expand tests around pagination, sorting, filters, etc.
* Fixes `gap_duration`'s of `1-499`ms showing up as `-` instead of `0`
* Fixes restore filters action to restore either absolute or relative datepicker as it originally was
* Resolves #130946
  * Adds `min-height` to tab container
  * Removes scroll-pane from ExceptionsViewer to match Alerts/Execution Log
---

##### Remaining follow-ups:

None! 🎉

### Checklist

Delete any items that are not applicable to this PR.

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [X] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [X] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
spong added a commit to spong/kibana that referenced this issue May 4, 2022
… Part Deux (elastic#130072)
(cherry picked from commit 683463e)

# Conflicts:
#	x-pack/plugins/security_solution/cypress/tasks/alerts.ts
#	x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts
#	x-pack/test/detection_engine_api_integration/utils/index_event_log_execution_events.ts
spong added a commit that referenced this issue May 5, 2022
… Fixes Part Deux (#130072) (#131574)

* [Security Solution][Detections] Rule Execution Log Feedback and Fixes Part Deux (#130072)
* Fixing import
kertal pushed a commit to kertal/kibana that referenced this issue May 24, 2022
… Part Deux (elastic#130072)