
[Security Solution][Alerts] Provide more information about rule exception behavior before creation #146845

Closed
marshallmain opened this issue Dec 2, 2022 · 3 comments
Assignees
Labels: 8.7 candidate; Team:Detection Alerts (Security Detection Alerts Area Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); v8.7.0

Comments

@marshallmain
Contributor

Rule preview now provides users with a reliable way to assess how a rule will perform before creating a rule or before saving changes when editing a rule. Rule preview when editing a rule takes into account any exceptions that have already been added to the rule. However, when creating a new exception users don't have a good way to quickly verify if the exception will suppress new alerts the way they intend.

We've received a number of SDHs in the past where users create an exception and then find that the exception does not suppress alerts as intended. e.g.

Most commonly these issues occur when a field is mapped in some indices but not others - in this scenario, a field appears in the field selection drop-down because it is mapped in some indices but the field does not work in all indices. The result is the exception can be created without issue, but the exception may not work as expected on indices where the field is unmapped.

In other cases, exceptions may not work as expected if the field's value is not clearly displayed in the UI. SDH We've encountered some cases where, for example, the whitespace in the exception entry is not displayed but is included in the actual exception, causing the entry not to match documents that it appears that it should.

Discussion

We would like to provide users with more tools to verify how their exceptions will operate before creating them. These new tools should make it faster and easier for users to detect cases like those above where exceptions will not perform as they intend, and allow for fast feedback loops where a user can define an exception in the flyout, test it, make changes, and test again - all without having to wait for the rule to run again and/or wait for new data to come in that triggers the rule.

We have 2 initial proposals for UX changes:

  1. In the field selection drop down, add a counter like 47/57 for each field that shows how many indices the field is mapped in out of the total indices fields are selected from. E.g. 47/57 would mean that of the 57 indices, that field is not mapped in 10 indices. We could add a tooltip or warning icon in cases where a field is not mapped in all of the indices to notify users that the field is not mapped in some of their indices, and this may cause the exception not to work as intended.
  2. Extend the rule preview API to accept ephemeral exception items, separately from the standard rule schema that includes exception list IDs, so we can preview what the rule would do with an exception item without actually creating the exception. We could then add a preview capability in the "Add Rule Exception" flyout with either a full table of preview results, a summary of statistics about the preview results (alerts created, or a histogram, etc), or maybe 2 tables side-by-side comparing how the rule executes with/without the exception.

This issue is for tracking work on exploring these 2 options and other options for providing improved visibility into exception behavior before the exceptions are created.
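As an added illustration of the checks proposal 1 and the whitespace case describe (example code, not the issue author's or Kibana's own), the block below computes the per-field "mapped in N of M indices" counter and lints a single exception entry for unmapped indices, type conflicts and hidden whitespace. It assumes the input follows the shape of an Elasticsearch `_field_caps` response queried with `include_unmapped=true`; the sample response, index names and field values are constructed.

```typescript
// Added example, not Kibana code. Input shape is assumed to match an Elasticsearch
// _field_caps response (with include_unmapped=true); the sample below is constructed.
type FieldCapsType = { type: string; indices?: string[] };
type FieldCaps = { indices: string[]; fields: Record<string, Record<string, FieldCapsType>> };
type WarningKind = "unmapped" | "type_conflict" | "whitespace";
interface EntryWarning { field: string; kind: WarningKind; detail: string }

// Constructed sample: process.name is keyword in 2 of 3 indices and unmapped in logs-c;
// event.code is keyword in two indices and long in the third (a type conflict);
// host.name is keyword everywhere, so _field_caps lists no per-type `indices`.
export const SAMPLE_CAPS: FieldCaps = {
  indices: ["logs-a", "logs-b", "logs-c"],
  fields: {
    "process.name": {
      keyword: { type: "keyword", indices: ["logs-a", "logs-b"] },
      unmapped: { type: "unmapped", indices: ["logs-c"] },
    },
    "event.code": {
      keyword: { type: "keyword", indices: ["logs-a", "logs-c"] },
      long: { type: "long", indices: ["logs-b"] },
    },
    "host.name": { keyword: { type: "keyword" } },
  },
};

function mappedTypes(caps: FieldCaps, field: string): FieldCapsType[] {
  const byType = caps.fields[field] ?? {};
  return Object.keys(byType).map((k) => byType[k]).filter((t) => t.type !== "unmapped");
}

// Indices in which `field` has a real mapping (the basis of the "47/57" counter).
export function mappedIndices(caps: FieldCaps, field: string): string[] {
  const types = mappedTypes(caps, field);
  if (types.some((t) => t.indices === undefined)) return caps.indices.slice(); // same type everywhere
  return caps.indices.filter((idx) => types.some((t) => (t.indices as string[]).includes(idx)));
}

export function coverage(caps: FieldCaps, field: string): string {
  return `${mappedIndices(caps, field).length}/${caps.indices.length}`;
}

// Warnings an "Add Rule Exception" flyout could surface before the item is saved.
export function lintEntry(caps: FieldCaps, field: string, value: string): EntryWarning[] {
  const warnings: EntryWarning[] = [];
  const mapped = new Set(mappedIndices(caps, field));
  const missing = caps.indices.filter((idx) => !mapped.has(idx));
  if (missing.length > 0) warnings.push({ field, kind: "unmapped", detail: `not mapped in ${missing.join(", ")}` });
  const typeNames = mappedTypes(caps, field).map((t) => t.type);
  if (typeNames.length > 1) warnings.push({ field, kind: "type_conflict", detail: `mapped as ${typeNames.join(" and ")}` });
  if (value !== value.trim()) warnings.push({ field, kind: "whitespace", detail: `value ${JSON.stringify(value)} has leading or trailing whitespace` });
  return warnings;
}
```

A field absent from the response counts as mapped in 0 of N indices, which is the case the drop-down counter is meant to make visible.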

@marshallmain marshallmain added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Alerts Security Detection Alerts Area Team 8.7 candidate labels Dec 2, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@e40pud
Contributor

e40pud commented Jan 30, 2023

I've got design feedback from @ARWNightingale to improve the warning message that we show underneath the field dropdown menu when users select a field with mapping issues. We will use the accordion component to hide the details of the warning (showing all the mapping issues across all the indices).

Screen.Recording.2023-01-30.at.12.23.12.mov

Also, we will show the tooltip on problematic field hovering while selecting one from the dropdown menu:


e40pud added a commit that referenced this issue Feb 6, 2023
…tion behavior before creation (#149149)

## Summary

These changes surface mapping issues when exceptions are created. We
are going to warn the user about type conflicts and unmapped indices.

Tooltip warning inside the field selection dropdown menu:

<img width="2020" alt="Screenshot 2023-01-18 at 19 01 44"
src="https://user-images.githubusercontent.com/2700761/213261684-61d21068-12bc-408f-8d20-1a196e0719a7.png">

Warning text underneath the dropdown menu when the user picks a field
that has mapping issues:


https://user-images.githubusercontent.com/2700761/215467838-5d39ff75-3a2e-44ef-ba89-57cd3975310c.mov

Main ticket #146845

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@e40pud
Contributor

e40pud commented Feb 6, 2023

We covered mapping issues in this PR. The proposal about previewing what the rule would do with an exception item without actually creating the exception will be addressed in this ticket.

@e40pud e40pud closed this as completed Feb 6, 2023
darnautov pushed a commit to darnautov/kibana that referenced this issue Feb 7, 2023
benakansara pushed a commit to benakansara/kibana that referenced this issue Feb 7, 2023
e40pud added a commit to e40pud/kibana that referenced this issue Mar 6, 2023
e40pud added a commit that referenced this issue Mar 6, 2023
…152726)

## Summary

These changes update the warning message that we show to the user to indicate
index mapping conflicts while selecting a field to build a Rule
Exception.

New tooltip message:

<img width="829" alt="Screenshot 2023-03-06 at 16 18 51"
src="https://user-images.githubusercontent.com/2700761/223154197-ee4ed680-5cc1-4b48-82d8-e225aa24519b.png">

[Main ticket](#146845)
Addition to [this PR](#149149)


cc @nastasha-solomon
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Mar 6, 2023
(cherry picked from commit ce96318)
kibanamachine added a commit that referenced this issue Mar 6, 2023
…ssage (#152726) (#152755)

# Backport

This will backport the following commits from `main` to `8.7`:
- [[Security Solution][Alerts] Update mapping conflicts warning message
(#152726)](#152726)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
sloanelybutsurely pushed a commit to sloanelybutsurely/kibana that referenced this issue Mar 8, 2023
bmorelli25 pushed a commit to bmorelli25/kibana that referenced this issue Mar 10, 2023
nkhristinin pushed a commit that referenced this issue Mar 22, 2023