Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Investigations] - Add kibana.alert.url (#155069)
## Summary This PR introduces the field `kibana.alert.url` to the alerts generated by al alert rule types. Functionality was added in [this PR](#148800) for 8.8 to allow users to link directly to the alert flyout. To be able to provide users with this field via our connectors, we are adding the url under the field `kibana.alert.url`. To test, create an alert of any type and you should see this field set in the alert flyout: <img width="838" alt="image" src="https://user-images.githubusercontent.com/17211684/233993880-fc7fd790-105e-4c16-947e-e2f5a2965936.png"> The url provided is a redirect path that contains the necessary information (space, id, index, and timestamp) to be able to redirect the user to a filtered alert page for the given alert and the detail flyout opened. This allows us to retain flexibility in the future for any changes that may occur with the alert flyout or an alert page. More on that can be found in the earlier pr: #148800 ### Testing 1. The `kibana.alert.url` field makes use of the `publicBaseUrl` configuration which must be set in your kibana.dev.yml for this field to be generated. Add the following to your yaml file. Note that if you use a `basePath`, it will have to be appended to the end of your `publicBaseUrl` path. ``` server.publicBaseUrl: 'http://localhost:5601' ``` with basePath: ``` server.basePath: '/someBasePath' server.publicBaseUrl: 'http://localhost:5601/someBasePath' ``` 2. Generate data and enable any rule type to get alerts. 3. Go to the alert page, click expand detail, and search for `kibana.alert.url` in the table. 4. Visit that url and you should see a filtered alert page with the details flyout opened ***Caveat - when grouping is enabled, the details flyout will not open as the table that it is attached to is not actually loaded at that point in time. When the table is loaded by either disabling grouping or opening the group, the details flyout will open
- Loading branch information
1 parent
61b56ce
commit ecc54af
Showing
33 changed files
with
418 additions
and
104 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
56 changes: 56 additions & 0 deletions
56
x-pack/plugins/security_solution/common/detection_engine/schemas/alerts/8.8.0/index.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import type { ALERT_URL, ALERT_UUID } from '@kbn/rule-data-utils'; | ||
| import type { AlertWithCommonFields800 } from '@kbn/rule-registry-plugin/common/schemas/8.0.0'; | ||
| import type { | ||
| Ancestor840, | ||
| BaseFields840, | ||
| EqlBuildingBlockFields840, | ||
| EqlShellFields840, | ||
| NewTermsFields840, | ||
| } from '../8.4.0'; | ||
|
|
||
| /* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.8.0. | ||
| Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.8.0. | ||
| If you are adding new fields for a new release of Kibana, create a new sibling folder to this one | ||
| for the version to be released and add the field(s) to the schema in that folder. | ||
| Then, update `../index.ts` to import from the new folder that has the latest schemas, add the | ||
| new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas. | ||
| */ | ||
|
|
||
| export type { Ancestor840 as Ancestor880 }; | ||
| export interface BaseFields880 extends BaseFields840 { | ||
| [ALERT_URL]: string | undefined; | ||
| [ALERT_UUID]: string; | ||
| } | ||
|
|
||
| export interface WrappedFields880<T extends BaseFields880> { | ||
| _id: string; | ||
| _index: string; | ||
| _source: T; | ||
| } | ||
|
|
||
| export type GenericAlert880 = AlertWithCommonFields800<BaseFields880>; | ||
|
|
||
| export type EqlShellFields880 = EqlShellFields840 & BaseFields880; | ||
|
|
||
| export type EqlBuildingBlockFields880 = EqlBuildingBlockFields840 & BaseFields880; | ||
|
|
||
| export type NewTermsFields880 = NewTermsFields840 & BaseFields880; | ||
|
|
||
| export type NewTermsAlert880 = NewTermsFields840 & BaseFields880; | ||
|
|
||
| export type EqlBuildingBlockAlert880 = AlertWithCommonFields800<EqlBuildingBlockFields880>; | ||
|
|
||
| export type EqlShellAlert880 = AlertWithCommonFields800<EqlShellFields880>; | ||
|
|
||
| export type DetectionAlert880 = | ||
| | GenericAlert880 | ||
| | EqlShellAlert880 | ||
| | EqlBuildingBlockAlert880 | ||
| | NewTermsAlert880; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
56 changes: 56 additions & 0 deletions
56
x-pack/plugins/security_solution/common/utils/alert_detail_path.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import { buildAlertDetailPath, getAlertDetailsUrl } from './alert_detail_path'; | ||
|
|
||
| describe('alert_detail_path', () => { | ||
| const defaultArguments = { | ||
| alertId: 'testId', | ||
| index: 'testIndex', | ||
| timestamp: '2023-04-18T00:00:00.000Z', | ||
| }; | ||
| describe('buildAlertDetailPath', () => { | ||
| it('builds the alert detail path as expected', () => { | ||
| expect(buildAlertDetailPath(defaultArguments)).toMatchInlineSnapshot( | ||
| `"/alerts/redirect/testId?index=testIndex×tamp=2023-04-18T00:00:00.000Z"` | ||
| ); | ||
| }); | ||
| }); | ||
| describe('getAlertDetailsUrl', () => { | ||
| it('builds the alert detail path without a space id', () => { | ||
| expect( | ||
| getAlertDetailsUrl({ | ||
| ...defaultArguments, | ||
| basePath: 'http://somebasepath.com', | ||
| }) | ||
| ).toMatchInlineSnapshot( | ||
| `"http://somebasepath.com/app/security/alerts/redirect/testId?index=testIndex×tamp=2023-04-18T00:00:00.000Z"` | ||
| ); | ||
| }); | ||
|
|
||
| it('builds the alert detail path with a space id', () => { | ||
| expect( | ||
| getAlertDetailsUrl({ | ||
| ...defaultArguments, | ||
| basePath: 'http://somebasepath.com', | ||
| spaceId: 'test-space', | ||
| }) | ||
| ).toMatchInlineSnapshot( | ||
| `"http://somebasepath.com/s/test-space/app/security/alerts/redirect/testId?index=testIndex×tamp=2023-04-18T00:00:00.000Z"` | ||
| ); | ||
| }); | ||
|
|
||
| it('does not build the alert detail path without a basePath', () => { | ||
| expect( | ||
| getAlertDetailsUrl({ | ||
| ...defaultArguments, | ||
| spaceId: 'test-space', | ||
| }) | ||
| ).toBe(undefined); | ||
| }); | ||
| }); | ||
| }); |
39 changes: 39 additions & 0 deletions
39
x-pack/plugins/security_solution/common/utils/alert_detail_path.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License | ||
| * 2.0; you may not use this file except in compliance with the Elastic License | ||
| * 2.0. | ||
| */ | ||
|
|
||
| import { addSpaceIdToPath } from '@kbn/spaces-plugin/common'; | ||
| import { ALERT_DETAILS_REDIRECT_PATH, APP_PATH } from '../constants'; | ||
|
|
||
| export const buildAlertDetailPath = ({ | ||
| alertId, | ||
| index, | ||
| timestamp, | ||
| }: { | ||
| alertId: string; | ||
| index: string; | ||
| timestamp: string; | ||
| }) => `${ALERT_DETAILS_REDIRECT_PATH}/${alertId}?index=${index}×tamp=${timestamp}`; | ||
|
|
||
| export const getAlertDetailsUrl = ({ | ||
| alertId, | ||
| index, | ||
| timestamp, | ||
| basePath, | ||
| spaceId, | ||
| }: { | ||
| alertId: string; | ||
| index: string; | ||
| timestamp: string; | ||
| basePath?: string; | ||
| spaceId?: string | null; | ||
| }) => { | ||
| const alertDetailPath = buildAlertDetailPath({ alertId, index, timestamp }); | ||
| const alertDetailPathWithAppPath = `${APP_PATH}${alertDetailPath}`; | ||
| return basePath | ||
| ? addSpaceIdToPath(basePath, spaceId ?? undefined, alertDetailPathWithAppPath) | ||
| : undefined; | ||
| }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37 changes: 26 additions & 11 deletions
37
...ecurity_solution/public/timelines/components/side_panel/__snapshots__/index.test.tsx.snap
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.