
[Security Solution][Alerts] Rule exception preview #150351

Open
e40pud opened this issue Feb 6, 2023 · 3 comments
Assignees
Labels
8.10 candidate Team:Detection Engine Security Solution Detection Engine Area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. UX: UI/UX Designs Requires design mocks before development and UX lead approval on PR before merge.

Comments

e40pud (Contributor) commented Feb 6, 2023

Rule preview now provides users with a reliable way to assess how a rule will perform before creating a rule or before saving changes when editing a rule. Rule preview when editing a rule takes into account any exceptions that have already been added to the rule. However, when creating a new exception users don't have a good way to quickly verify if the exception will suppress new alerts the way they intend.

Discussion

In the original ticket we proposed two UX changes. We addressed the mapping issues in this PR.

The intention of this ticket is to cover the second part of the original ticket:

Extend the rule preview API to accept ephemeral exception items, separately from the standard rule schema that includes exception list IDs, so we can preview what the rule would do with an exception item without actually creating the exception. We could then add a preview capability in the "Add Rule Exception" flyout with either a full table of preview results, a summary of statistics about the preview results (alerts created, or a histogram, etc), or maybe 2 tables side-by-side comparing how the rule executes with/without the exception.

Related epic.

cc @marshallmain
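To make the proposal concrete, the following is an added illustration (not code from Kibana or the Security Solution) of what a preview "with/without the exception" would compute. It assumes a simplified exception item model loosely shaped like Kibana's exception list entries (`field`, `operator`, `type`, `value`), and constructs a handful of sample candidate alerts inline; the event fields and the `ExceptionItem`, `previewWithExceptions` and `compareWithAndWithout` names are assumptions for the example, not the rule preview API.

```typescript
// Simplified exception entry model. Entries inside one item are AND-ed;
// items are OR-ed. This mirrors the general shape of Kibana exception list
// entries but is an assumption for this example, not the real schema.
type Operator = "included" | "excluded";
type Entry =
  | { field: string; operator: Operator; type: "match"; value: string }
  | { field: string; operator: Operator; type: "match_any"; value: string[] }
  | { field: string; operator: Operator; type: "exists" };

interface ExceptionItem {
  name: string;
  entries: Entry[];
}

// A candidate alert is modelled as a flat field -> value document.
type CandidateAlert = Record<string, unknown>;

// Raw comparison for one entry, before applying "included"/"excluded".
function rawMatch(entry: Entry, value: unknown): boolean {
  switch (entry.type) {
    case "match":
      return value === entry.value;
    case "match_any":
      return typeof value === "string" && entry.value.includes(value);
    case "exists":
      return value !== undefined && value !== null;
    default:
      return false;
  }
}

function entryMatches(entry: Entry, alert: CandidateAlert): boolean {
  const hit = rawMatch(entry, alert[entry.field]);
  return entry.operator === "included" ? hit : !hit;
}

// An item suppresses an alert only when every entry matches. An item with
// no entries is treated as matching nothing, so a half-built exception in
// the flyout cannot silently suppress every alert in the preview.
function isSuppressedBy(alert: CandidateAlert, item: ExceptionItem): boolean {
  return item.entries.length > 0 && item.entries.every((e) => entryMatches(e, alert));
}

interface PreviewSummary {
  total: number;      // candidate alerts the rule query produced
  suppressed: number; // alerts removed by at least one exception item
  alerts: number;     // alerts that would actually be created
  suppressedBy: Record<string, number>; // per-item counts, for a histogram
}

function previewWithExceptions(candidates: CandidateAlert[], items: ExceptionItem[]): PreviewSummary {
  const suppressedBy: Record<string, number> = {};
  let suppressed = 0;
  for (const alert of candidates) {
    const hits = items.filter((item) => isSuppressedBy(alert, item));
    if (hits.length > 0) suppressed += 1;
    for (const item of hits) suppressedBy[item.name] = (suppressedBy[item.name] ?? 0) + 1;
  }
  return { total: candidates.length, suppressed, alerts: candidates.length - suppressed, suppressedBy };
}

// Side-by-side result: the rule's existing exceptions alone versus existing
// plus the ephemeral item(s) being drafted in the "Add Rule Exception" flyout.
function compareWithAndWithout(
  candidates: CandidateAlert[],
  existing: ExceptionItem[],
  ephemeral: ExceptionItem[],
): { without: PreviewSummary; with: PreviewSummary; newlySuppressed: number } {
  const without = previewWithExceptions(candidates, existing);
  const withEphemeral = previewWithExceptions(candidates, [...existing, ...ephemeral]);
  return { without, with: withEphemeral, newlySuppressed: withEphemeral.suppressed - without.suppressed };
}

// Constructed sample candidate alerts from a hypothetical "download tool
// executed" rule; these are made up for the example.
const sampleCandidates: CandidateAlert[] = [
  { "host.name": "web-01", "process.name": "curl", "user.name": "svc-backup" },
  { "host.name": "web-02", "process.name": "curl", "user.name": "alice" },
  { "host.name": "db-01", "process.name": "wget", "user.name": "svc-backup" },
  { "host.name": "web-01", "process.name": "powershell.exe" },
];

// Draft exception: the backup service account legitimately runs curl/wget.
const draftItem: ExceptionItem = {
  name: "backup account download tools",
  entries: [
    { field: "process.name", operator: "included", type: "match_any", value: ["curl", "wget"] },
    { field: "user.name", operator: "included", type: "match", value: "svc-backup" },
  ],
};

// A narrower draft that forgot the user.name entry; the preview shows it
// would also swallow alice's alert, which is exactly what the user wants to
// catch before saving.
const tooBroadItem: ExceptionItem = {
  name: "download tools (too broad)",
  entries: [{ field: "process.name", operator: "included", type: "match_any", value: ["curl", "wget"] }],
};

console.log(compareWithAndWithout(sampleCandidates, [], [draftItem]));
console.log(compareWithAndWithout(sampleCandidates, [], [tooBroadItem]));
```

The two `console.log` calls show the shape a flyout preview could render: for the well-scoped draft, two of four candidates are suppressed and two alerts remain; for the draft missing the `user.name` entry, three are suppressed, including a real user's activity. The empty-entries guard in `isSuppressedBy` is the caveat worth keeping in any real implementation, since an ephemeral item can be partially filled while the preview runs.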

@e40pud e40pud added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Alerts Security Detection Alerts Area Team labels Feb 6, 2023
@e40pud e40pud self-assigned this Feb 6, 2023
elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

e40pud (Contributor, Author) commented Feb 6, 2023

@ARWNightingale We would need your help with this one to understand how we could re-use Rule Preview component from the Rule creation/editing page on "add rule exception" page.

@ARWNightingale ARWNightingale self-assigned this Feb 8, 2023
@ARWNightingale ARWNightingale added UX: UI/UX Designs Requires design mocks before development and UX lead approval on PR before merge. and removed 8.8 candidate labels Feb 8, 2023
ARWNightingale commented

Discussed yesterday in backlog grooming and it was deemed to be out of scope/lower priority for 8.8.

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area 8.10 candidate and removed Team:Detection Alerts Security Detection Alerts Area Team 8.9 candidate labels May 13, 2023