[SecuritySolution][Endpoint][Response Actions] Scan response actions history and errors
#186284
Conversation
Also shows general action failed message that was not showing up after adding logic to show errors for actions that were not sent to fleet. refs elastic/pull/155254
ashokaditya
added
release_note:enhancement
Team:Defend Workflows
|
/ci |
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
| const command = RESPONSE_ACTION_API_COMMAND_TO_CONSOLE_COMMAND_MAP[_command]; | ||
|
|
||
| if (errors?.length) { |
There was a problem hiding this comment.
This logic was breaking the failed status on history. I'll add tests for it.
ashokaditya
force-pushed
the
task/dw-scan-response-actions-history-9213
branch
from
c967201
to
63db37d
Compare
Both errors and output codes should be visible when action failed instead of one or the other.
ashokaditya
force-pushed
the
task/dw-scan-response-actions-history-9213
branch
from
a5b7255
to
e5df51c
Compare
...ic/management/components/endpoint_action_failure_message/endpoint_action_failure_message.tsx
Outdated
Show resolved
Hide resolved
| return ( | ||
| <> | ||
| {OUTPUT_MESSAGES.hasFailed(command)} | ||
| <> | ||
| {/* if has outputs and was not successful, show error code message for each agent */} | ||
| {outputs && | ||
| agents.map( | ||
| (agentId) => | ||
| outputs[agentId] && | ||
| hasKnownErrorCode(outputs[agentId]) && ( | ||
| <div key={outputs[agentId].content.code}> | ||
| <EuiSpacer size="s" /> | ||
| <EndpointActionFailureMessage | ||
| action={action} | ||
| isConsoleOutput={false} | ||
| data-test-subj={getTestId('failureMessage')} | ||
| /> | ||
| </div> | ||
| ) | ||
| )} | ||
| {/* if there are errors, show them as well*/} | ||
| {!!errors?.length && | ||
| errors.map((error) => ( | ||
| <div key={error}> | ||
| <EuiSpacer size="s" /> | ||
| <EuiFlexItem>{error}</EuiFlexItem> | ||
| </div> | ||
| ))} | ||
| </> | ||
| </> | ||
| ); |
There was a problem hiding this comment.
Why make this so complicated?
IMO, this here should just be:
if (!wasSuccessful) {
return (
<div>
<EuiSpacer size="s" />
<EndpointActionFailureMessage
action={action}
isConsoleOutput={false}
data-test-subj={getTestId('failureMessage')}
/>
</div>
}All logic to display the error should be encapsulated into the <EndpointActionFailureMessage> component.
Also,
Since we are now going to use the EndpointActionFailureMessage> component here in the History log, its the first time that the component might have errors from Multiple agents, so please enhance it so that it correctly display it for multiple agents. Example:
<div>
Host __HOST_NAME__: ___HOST_ERROR___
</div>
<div>
Host __HOST_NAME__: ___HOST_ERROR___
</div>
(or just implement a better UI for it - but essentially: each error should be listed under the respective agent host name that reported it)
The Prefix or host "label" should only be shown when the action was sent to multiple agents - else just show the error.
Also - careful in showing the action.errors: [] array in addition to the errors from each host. The errors array is (if I remember correctly) just a list of errors that each agent returned, so you likely will be showing duplicate information.
Just to recap:
- the
<EndpointActionFailureMessage>component should be responsible for formatting all errors from the agents that the action was sent to - When the action was sent to multiple agents, each error should be listed under a label showing the host name
Let me know if this makes sense and your thoughts on it.
There was a problem hiding this comment.
Thanks for the suggestion. Yeah that makes sense.
...ic/management/components/endpoint_action_failure_message/endpoint_action_failure_message.tsx
Outdated
Show resolved
Hide resolved
...ic/management/components/endpoint_action_failure_message/endpoint_action_failure_message.tsx
Outdated
Show resolved
Hide resolved
review changes
ashokaditya
force-pushed
the
task/dw-scan-response-actions-history-9213
branch
from
23e772b
to
b4bb1af
Compare
...ic/management/components/endpoint_action_failure_message/endpoint_action_failure_message.tsx
Outdated
Show resolved
Hide resolved
|
|
||
| // Determine if each endpoint returned a response code and if so, | ||
| // see if we have a localized message for it | ||
| if (action.outputs) { | ||
| // if there are multiple agents, we need to show the outputs/error message for each agent | ||
| if (action.outputs || (action.errors && action.errors.length)) { |
There was a problem hiding this comment.
can you add tests for this component that validates the different conditions implemented.
(I actually thought we had tests for it, but maybe it was only the component that first implemented it 🤔 )
| if (!allAgentErrors.length) { | ||
| return null; | ||
| } |
There was a problem hiding this comment.
I think we should return a default error here - I see you removed the prior implementation. Maybe add it back and change the message to Unknown error??
Reasoning: if we reached this point in the component (got passed line 38, then the action is at error, so we should display something in the UI or else the user will not really see anything (also - we devs would have a hard time debugging issues like this if it was to come in via an SDH).
There was a problem hiding this comment.
Oh yeah I missed that. We agreed on the reasoning earlier. I'll add it back.
| import { EndpointActionGenerator } from '../../../../common/endpoint/data_generators/endpoint_action_generator'; | ||
| import { EndpointActionFailureMessage } from './endpoint_action_failure_message'; | ||
|
|
||
| describe('EndpointActionFailureMessage', () => { |
…om:ashokaditya/kibana into task/dw-scan-response-actions-history-9213
...management/components/endpoint_response_actions_list/components/action_log_expanded_tray.tsx
Outdated
Show resolved
Hide resolved
ashokaditya
added
bug
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: cc @ashokaditya |
Summary
Adds missing tests for showing
scanresponse action history. Also improves on showing failure messages for actions that were created and sent to Endpoint. As a failed action may have output error codes and a list of error messages this change is going to show both or either depending on the data. Additionally, the changes in the PR handles error messages for multiple agents.History Log
Console
Mutli agent response history page with errors
Screenclip (older than screenshots)
Checklist