[SIEM] [ML] Improve UX around managing ML Rules/Jobs #63624

Open
spong opened this issue Apr 15, 2020 · 2 comments
Labels

  • discuss
  • enhancement (New value added to drive a business result)
  • Feature:ML Rule (Security Solution Machine Learning rule type)
  • Feature:Security ML Jobs (Security Solution ML Jobs)
  • needs design
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:SIEM

Comments

@spong
Member

spong commented Apr 15, 2020

In 7.7 the ML Rule type was introduced, which now tightly couples the running of a Detection Rule to the running of an ML Job. As a byproduct of this, we now have a few user flows we can improve UX around in an effort to ensure that a user isn't enabling an ML Rule without also enabling the ML Job (and thus preventing a known error state).

Some of these enhancements were captured in #62396, which helped to add additional messaging when a user was enabling an ML Rule when the ML Job was not running, as well as #62383, which marks a Rule as failed if the ML Job is not running when the rule executes (ensuring Rule Details gives a clear picture to the user as to why an ML Rule is not functioning).

This issue is for capturing any remaining enhancements we can implement to provide a better UX around managing ML Rules and ML Jobs, including:

  • Providing a prompt when enabling a rule:
    • During create flow
    • Within Rule Details
    • On All Rules Table
  • Adding an Empty View to the Host/Network Anomalies Tables that provides a CTA to enabling ML Jobs
  • Adding a generic CTA to the Host/Network Anomalies Tables for enabling/disabling ML Job

To capture the comments from #58053

@marrasherrier:

From slack conversation:

Screen Recording 2020-04-14 at 9.31.41 AM.mov.zip

@spong:
The only thing I'm wondering about is with the anomalies table, and what logic we'll use to show the empty view. I think no jobs running + no data is probably the best bet. And of course if no permissions, whatever placeholder upsell/talk to your admin copy we want.

If there is anomaly data to show, will the button to enable jobs still be present (top right maybe?)

@marrasherrier:

@spong what do you mean by "no jobs running + no data is probably the best bet?"

I will update designs to include these 3 use cases:

  • anomaly data present
  • no anomaly data (because no permissions)
  • no anomaly data (because no jobs + no data)

And to respond to:

what do you mean by "no jobs running + no data is probably the best bet?"

This is just the criteria I'm thinking we want to use for when the empty view is shown. I'm thinking this'll be best for both FTUE and handling corner cases where you don't have ML jobs running anymore (either permissions downgrade or just disabled) but still have anomaly data.

cc @marrasherrier @rylnd @MikePaquette
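The two decisions discussed in this thread, the criteria for showing the Anomalies table empty view and the job-dependency checks for an ML Rule, sketched as an added example. This is not Kibana code and none of the names below (`anomaliesTableView`, `executeMlRule`, the view and job-state strings) are from the SIEM plugin; they are assumptions chosen to make the logic explicit. It encodes the corner case raised above: anomaly data that already exists is still shown even when jobs have since been disabled or permissions downgraded, so the empty view appears only when there are no running jobs and no data.

```typescript
// Added example (not Kibana's implementation). Models the UX decisions from
// the issue: which Anomalies table view to render, and how an ML Rule that
// depends on an ML Job behaves when that job is not running.

// Hypothetical job states; the real ML plugin exposes richer job/datafeed state.
type MlJobState = 'started' | 'stopped' | 'unknown';

interface AnomaliesTableInput {
  hasMlPermissions: boolean; // can the user see / manage ML jobs at all
  runningJobCount: number;   // security ML jobs currently running
  anomalyCount: number;      // anomaly records already present for the host/network view
}

type AnomaliesTableView =
  | 'show-anomalies'        // anomaly data present
  | 'no-permissions'        // no data because the user lacks ML permissions (talk-to-your-admin copy)
  | 'empty-enable-jobs-cta' // no jobs running and no data: FTUE empty view with "enable jobs" CTA
  | 'empty-jobs-running';   // jobs running, nothing detected yet

function anomaliesTableView(input: AnomaliesTableInput): AnomaliesTableView {
  // Existing data wins: jobs may have been disabled or permissions downgraded
  // after anomalies were produced, and that history should still be visible.
  if (input.anomalyCount > 0) return 'show-anomalies';
  if (!input.hasMlPermissions) return 'no-permissions';
  if (input.runningJobCount === 0) return 'empty-enable-jobs-cta';
  return 'empty-jobs-running';
}

// The generic "enable/disable jobs" CTA is offered wherever the user has
// permissions, including on top of a populated table.
function showEnableJobsCta(input: AnomaliesTableInput): boolean {
  return input.hasMlPermissions;
}

interface MlRule {
  id: string;
  mlJobId: string;
  enabled: boolean;
}

interface EnableDecision {
  canEnable: boolean;
  prompt?: string; // shown in create flow, Rule Details and the All Rules table
}

// Enabling is not blocked, but the user is warned when the job is not running.
function enableMlRule(rule: MlRule, jobState: MlJobState): EnableDecision {
  if (jobState === 'started') return { canEnable: true };
  return {
    canEnable: true,
    prompt: `ML job "${rule.mlJobId}" is not running (${jobState}); the rule will fail until it is started.`,
  };
}

interface RuleExecutionStatus {
  status: 'succeeded' | 'failed';
  message?: string; // surfaced in Rule Details so the failure cause is visible
}

// At execution time the rule is marked failed if its job is not running.
function executeMlRule(rule: MlRule, jobState: MlJobState): RuleExecutionStatus {
  if (!rule.enabled) return { status: 'succeeded' }; // nothing to run
  if (jobState !== 'started') {
    return {
      status: 'failed',
      message: `Rule "${rule.id}" requires ML job "${rule.mlJobId}", which is not started (state: ${jobState}).`,
    };
  }
  return { status: 'succeeded' };
}

// Constructed walkthrough: enable a rule while its job is stopped, then start the job.
function walkthrough(): string[] {
  const rule: MlRule = { id: 'rule-1', mlJobId: 'linux_anomalous_network_activity', enabled: true };
  const steps: string[] = [];
  steps.push(enableMlRule(rule, 'stopped').prompt ?? 'no prompt');
  steps.push(executeMlRule(rule, 'stopped').status);
  steps.push(executeMlRule(rule, 'started').status);
  return steps;
}
```

The precedence in `anomaliesTableView` is the point: checking permissions or job count before data would hide anomalies a user is still entitled to see, while checking data first keeps the empty view strictly for the "no jobs + no data" case.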

@spong spong added discuss enhancement New value added to drive a business result Team:SIEM Feature:Detection Rules Security Solution rules and Detection Engine labels Apr 15, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@peluja1012 peluja1012 added the Feature:ML Rule Security Solution Machine Learning rule type label Jul 28, 2021
@peluja1012 peluja1012 added Team:Detection Rule Management Security Detection Rule Management Team needs design labels Sep 15, 2021
@MindyRS MindyRS added the Team:Detections and Resp Security Detection Response Team label Feb 23, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@peluja1012 peluja1012 added Feature:Security ML Jobs Security Solution ML Jobs and removed Feature:Detection Rules Security Solution rules and Detection Engine labels Aug 4, 2022

5 participants