[SIEM] Add rule notifications #59004
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/siem (Team:SIEM) |
patrykkopycinski
changed the title
…e-notifications # Conflicts: # x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/helpers.tsx # x-pack/legacy/plugins/siem/public/shared_imports.ts
patrykkopycinski
changed the title
…patrykkopycinski/kibana into feat/siem-rule-notifications-alert-type
…patrykkopycinski/kibana into feat/siem-rule-notifications # Conflicts: # x-pack/legacy/plugins/siem/common/constants.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/create_notifications.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/get_signals_count.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/read_notifications.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/rules_notification_alert_type.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/rules_notification_alert_type.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/schedule_notification_actions.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/types.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/update_notifications.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts # x-pack/legacy/plugins/siem/server/plugin.ts
…riables, snakecase for rule params
…e-notifications # Conflicts: # x-pack/legacy/plugins/siem/common/constants.ts # x-pack/legacy/plugins/siem/public/pages/detection_engine/rules/components/step_define_rule/index.tsx # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/build_signals_query.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/build_signals_query.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/get_signals_count.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/rules_notification_alert_type.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/rules_notification_alert_type.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/schedule_notification_actions.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/utils.test.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/notifications/utils.ts # x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/signal_rule_alert_type.ts
spong
reviewed
Mar 24, 2020
| group: t.string, | ||
| id: t.string, | ||
| action_type_id: t.string, | ||
| params: t.record(t.string, t.any), |
There was a problem hiding this comment.
t.any is deprecated it looks like and t.unknown is recommended instead. However I think we may be able to just use UnknownRecord ala params: t.UnknownRecord, -- thoughts?
PS: Thanks for the comment above pointing to the action templates 👍
spong
reviewed
Mar 24, 2020
| import React, { useCallback, useEffect, useState } from 'react'; | ||
| import deepMerge from 'deepmerge'; | ||
|
|
||
| // eslint-disable-next-line @kbn/eslint/no-restricted-paths |
There was a problem hiding this comment.
Any context as to why it's okay to import these even though they're coming from a restricted path? Should they not be restricted?
There was a problem hiding this comment.
loadActionTypes are not exposed on top-level, but we need that to fetch current action types and then to filter only supported ones. It's a temporary solution, will talk to the alerting team to make sure loadActionTypes is exposed on the top-level
spong
reviewed
Mar 24, 2020
| @@ -21,7 +21,7 @@ interface GetSignalsCount { | |||
| ruleAlertId: string; | |||
| ruleId: string; | |||
| index: string; | |||
| kibanaUrl: string | undefined; | |||
| kibanaSiemAppUrl: string | {} | undefined; | |||
There was a problem hiding this comment.
This can't actually be an object, but rather is a byproduct of the typing of meta correct?
If this indeed can only ever be a string, might be best to keep it as such and narrow the type coming from meta in these two files? Thoughts?
spong
reviewed
Mar 24, 2020
| @@ -30,7 +30,7 @@ export const buildSignalsSearchQuery = ({ ruleId, index, from, to }: BuildSignal | |||
| { | |||
| range: { | |||
| '@timestamp': { | |||
| gte: from, | |||
| gt: from, | |||
There was a problem hiding this comment.
Just commenting to verify the switch from gte to gt as the timestamp supplied to this query:
is the previousStartedAt (or previous interval if n/a), which is the start of the last rule run, correct?
There was a problem hiding this comment.
correct :)
spong
reviewed
Mar 24, 2020
| const mockAction = { | ||
| group: 'default', | ||
| id: '99403909-ca9b-49ba-9d7a-7e5320e68d05', | ||
| params: { message: 'ML Rule generated {{state.signalsCount}} signals' }, |
There was a problem hiding this comment.
I believe this is the old count field as I was not seeing count come through when testing with the default message.
Suggested change
| params: { message: 'ML Rule generated {{state.signalsCount}} signals' }, | |
| params: { message: 'ML Rule generated {{state.signals_count}} signals' }, |
spong
reviewed
Mar 24, 2020
| @@ -15,6 +15,17 @@ import { stepAboutDefaultValue } from './default_value'; | |||
|
|
|||
| const theme = () => ({ eui: euiDarkVars, darkMode: true }); | |||
|
|
|||
| /* eslint-disable no-console */ | |||
| // Silence until enzyme fixed to use ReactTestUtils.act() | |||
There was a problem hiding this comment.
Thank you for commenting -- sad to see this come back, but so it goes.
spong
reviewed
Mar 24, 2020
Comment on lines
+58
to
+60
| const kibanaAbsoluteUrl = useMemo(() => application.getUrlForApp('siem', { absolute: true }), [ | ||
| application, | ||
| ]); |
There was a problem hiding this comment.
Thanks for this fix -- I believe this should be fine for cloud, and shouldn't have any effect with CCS since this functionality is specific to rules/saved objects.
spong
approved these changes
Mar 24, 2020
There was a problem hiding this comment.
Checked out, tested locally and was receiving notifications for signals as expected, and also performed code review. Left a few comments but overall this is fantastic @patrykkopycinski! Thanks for the clean implementation, additional tests, and great feature here! LGMT! 👍 🚀 🙂
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
spong
pushed a commit
to spong/kibana
that referenced
this pull request
Mar 24, 2020
## Summary Allow defining notifications that will trigger whenever the rule created new signals. Requires: - elastic#58395 - elastic#58964 - elastic#60832   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
|
🎉 🎉🎉🎉 |
spong
added a commit
that referenced
this pull request
Mar 25, 2020
## Summary Allow defining notifications that will trigger whenever the rule created new signals. Requires: - #58395 - #58964 - #60832   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server) - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) Co-authored-by: patrykkopycinski <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Allow defining notifications that will trigger whenever the rule created new signals.
Requires:
Checklist
Delete any items that are not applicable to this PR.
For maintainers