[Security Solution][Alerts] Rule exception preview #150351
Labels
8.10 candidate
Team:Detection Engine
Team: SecuritySolution
UX: UI/UX Designs
Rule preview now provides users with a reliable way to assess how a rule will perform before creating a rule or before saving changes when editing a rule. Rule preview when editing a rule takes into account any exceptions that have already been added to the rule. However, when creating a new exception, users don't have a good way to quickly verify that the exception will suppress new alerts the way they intend.
Discussion
In the original ticket we proposed two UX changes. We addressed the mapping issues in this PR.
The intention of this ticket is to cover the second part of the original ticket:
Extend the rule preview API to accept ephemeral exception items, separately from the standard rule schema that includes exception list IDs, so we can preview what the rule would do with an exception item without actually creating the exception. We could then add a preview capability in the "Add Rule Exception" flyout with either a full table of preview results, a summary of statistics about the preview results (alerts created, or a histogram, etc), or maybe 2 tables side-by-side comparing how the rule executes with/without the exception.
Related epic.
cc @marshallmain