[SIEM] Detection Engine Meta Cleanup #54935

spong · 2020-01-15T17:11:55Z

This is a meta issue for tracking the remaining Detection Engine cleanup items.

cc @XavierM, @FrankHassanabad, @dhurley14 , @MichaelMarcialis, @tsg, @cwurm, @mchopda

Generic DE

Add link to Rule Details in timeline for both rule_id and rule_name (column renderer) (@XavierM)
Pre-packaged rule (@XavierM)
~~Close Signal in Timeline (@XavierM)~~ it is a feature let's do it 7.7
Update Icons (@patrykkopycinski)
Detection Engine Text Review (doc) (@XavierM)
Remove ability to add your own custom immutable rules or delete them (@FrankHassanabad)
Fix kibana breadcrumb for dection engine routes (@patrykkopycinski)

Signals Table

Field Browser Resets to default Timeline Columns (@XavierM)
Update column order (?) (Timestamp, Risk Score, Rule Name, etc...)

Signals Histogram

Stack by MITRE ATT&CK (@andrew-goldstein / @spong / ++ @FrankHassanabad 🙌 )
Update loader to match the other histograms on the Overview Page (@spong)
Support Inspect button (@XavierM )
Scale to selected time period ([SIEM] Histograms should always scale to selected time period #54899 (comment)) (@spong)
Look into histogram automatically fitting the data. e,g, if you look at “today”, it only shows from the first to the last signal (bucketing issue)

All Rules

~~Last completed run subtitle?~~ feature so let's do for 7.7
~~Show total number of enabled rules + Deactivate (@spong )~~ Now showing rule totals in filters, deactivate all is feature so let's do for 7.7
Elastic/ Custom Rule Filters + Tags (@spong)
Bulk Duplicate (@spong)
Refresh table when deleting all on page (@spong)
Remove Edit selected index patterns... batch action (@spong)
~~Improve export rules error feedback~~ will address in 7.7
Add Risk Score column (@spong)
Remove Method column (@spong)

Rule Details

Remove Experimental tag (@XavierM)
Succeeded text size consistency (@XavierM)
Overflow Actions Button extra edit (@XavierM)
~~Toaster not showing when deleting rule~~ will address in 7.7
MITRE ATT&CK Empty (Rule: "Suricata ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000") (@XavierM)
Toggling enable/disable -> Did the rule run? (@dhurley14)
Remove duplicate failure on response if less than 5 failures have occurred. (@dhurley14)

Rule Creation / Edit Rules

Additional look back minimum value to 1 (@XavierM)
Fix Timeline selector loading (@XavierM)
Save on edit ([SIEM] Detection engine: Create new rule should not validate input when going back #54897) (@XavierM)
Toaster for successful creation (@XavierM)

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-01-15T17:12:00Z

Pinging @elastic/siem (Team:SIEM)

## Summary This PR addresses bugs outlined in #54935 Including: * Add Risk Score column * Remove Method column * Fixes `Showing Events` on Alerts table * Fixes Tag overflow * Shows Tags/Filters ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

## Summary This PR addresses bugs outlined in elastic#54935 Including: * Add Risk Score column * Remove Method column * Fixes `Showing Events` on Alerts table * Fixes Tag overflow * Shows Tags/Filters ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

## Summary This PR addresses bugs outlined in #54935 Including: * Add Risk Score column * Remove Method column * Fixes `Showing Events` on Alerts table * Fixes Tag overflow * Shows Tags/Filters ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

@MichaelMarcialis

## Summary This PR wraps up the remaining `Detection Engine` meta tickets: #55585, #54935, and elastic/siem-team#498 - [x] Histogram bar interval (bar counts and widths) consistency (#55585) - [x] Make the bar intervals a consistent 32 bars across the board * Enabled `extended_bounds`, `min_doc_count: 0`, and now setting consistent `fixed_interval` when querying to ensure the entire daterange is displayed across all histograms. - [x] Filter out the "untitled" timelines from both timeline selection options during rule creation (elastic/siem-team#498) - [ ] ~Import query from saved timeline~ * For 7.7 tracking ticket here: #56079 - [x] `Investigate detections using this timeline template` - [x] Everywhere we use "Alerts" (Overview page, Host Tab, Network Tab) we should change the term to "External Alerts" - [x] Updated Host Page Tab/Table/Histogram/Breadcrumbs - [x] Updated Network Page Tab/Table/Histogram/Breadcrumbs - [x] Updated DE permission/index error doc links to go to [corresponding DE docs section](https://www.elastic.co/guide/en/siem/guide/7.6/detection-engine-overview.html#detections-permissions) - [x] Removed `frequency` in favor of `count` for remaining histograms ##### Inconsistent Histogram intervals ![image](https://user-images.githubusercontent.com/2946766/73161560-04a82300-40a9-11ea-950f-ea56f9a5bfd7.png) ##### Consistent Histogram Intervals ![image](https://user-images.githubusercontent.com/2946766/73159564-fefc0e80-40a3-11ea-9b9d-4d15899dabd2.png) cc @MichaelMarcialis @cwurm @MikePaquette ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

@MichaelMarcialis

## Summary This PR wraps up the remaining `Detection Engine` meta tickets: elastic#55585, elastic#54935, and elastic/siem-team#498 - [x] Histogram bar interval (bar counts and widths) consistency (elastic#55585) - [x] Make the bar intervals a consistent 32 bars across the board * Enabled `extended_bounds`, `min_doc_count: 0`, and now setting consistent `fixed_interval` when querying to ensure the entire daterange is displayed across all histograms. - [x] Filter out the "untitled" timelines from both timeline selection options during rule creation (elastic/siem-team#498) - [ ] ~Import query from saved timeline~ * For 7.7 tracking ticket here: elastic#56079 - [x] `Investigate detections using this timeline template` - [x] Everywhere we use "Alerts" (Overview page, Host Tab, Network Tab) we should change the term to "External Alerts" - [x] Updated Host Page Tab/Table/Histogram/Breadcrumbs - [x] Updated Network Page Tab/Table/Histogram/Breadcrumbs - [x] Updated DE permission/index error doc links to go to [corresponding DE docs section](https://www.elastic.co/guide/en/siem/guide/7.6/detection-engine-overview.html#detections-permissions) - [x] Removed `frequency` in favor of `count` for remaining histograms ##### Inconsistent Histogram intervals ![image](https://user-images.githubusercontent.com/2946766/73161560-04a82300-40a9-11ea-950f-ea56f9a5bfd7.png) ##### Consistent Histogram Intervals ![image](https://user-images.githubusercontent.com/2946766/73159564-fefc0e80-40a3-11ea-9b9d-4d15899dabd2.png) cc @MichaelMarcialis @cwurm @MikePaquette ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

@MichaelMarcialis

## Summary This PR wraps up the remaining `Detection Engine` meta tickets: elastic#55585, elastic#54935, and elastic/siem-team#498 - [x] Histogram bar interval (bar counts and widths) consistency (elastic#55585) - [x] Make the bar intervals a consistent 32 bars across the board * Enabled `extended_bounds`, `min_doc_count: 0`, and now setting consistent `fixed_interval` when querying to ensure the entire daterange is displayed across all histograms. - [x] Filter out the "untitled" timelines from both timeline selection options during rule creation (elastic/siem-team#498) - [ ] ~Import query from saved timeline~ * For 7.7 tracking ticket here: elastic#56079 - [x] `Investigate detections using this timeline template` - [x] Everywhere we use "Alerts" (Overview page, Host Tab, Network Tab) we should change the term to "External Alerts" - [x] Updated Host Page Tab/Table/Histogram/Breadcrumbs - [x] Updated Network Page Tab/Table/Histogram/Breadcrumbs - [x] Updated DE permission/index error doc links to go to [corresponding DE docs section](https://www.elastic.co/guide/en/siem/guide/7.6/detection-engine-overview.html#detections-permissions) - [x] Removed `frequency` in favor of `count` for remaining histograms ##### Inconsistent Histogram intervals ![image](https://user-images.githubusercontent.com/2946766/73161560-04a82300-40a9-11ea-950f-ea56f9a5bfd7.png) ##### Consistent Histogram Intervals ![image](https://user-images.githubusercontent.com/2946766/73159564-fefc0e80-40a3-11ea-9b9d-4d15899dabd2.png) cc @MichaelMarcialis @cwurm @MikePaquette ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

@MichaelMarcialis

## Summary This PR wraps up the remaining `Detection Engine` meta tickets: #55585, #54935, and elastic/siem-team#498 - [x] Histogram bar interval (bar counts and widths) consistency (#55585) - [x] Make the bar intervals a consistent 32 bars across the board * Enabled `extended_bounds`, `min_doc_count: 0`, and now setting consistent `fixed_interval` when querying to ensure the entire daterange is displayed across all histograms. - [x] Filter out the "untitled" timelines from both timeline selection options during rule creation (elastic/siem-team#498) - [ ] ~Import query from saved timeline~ * For 7.7 tracking ticket here: #56079 - [x] `Investigate detections using this timeline template` - [x] Everywhere we use "Alerts" (Overview page, Host Tab, Network Tab) we should change the term to "External Alerts" - [x] Updated Host Page Tab/Table/Histogram/Breadcrumbs - [x] Updated Network Page Tab/Table/Histogram/Breadcrumbs - [x] Updated DE permission/index error doc links to go to [corresponding DE docs section](https://www.elastic.co/guide/en/siem/guide/7.6/detection-engine-overview.html#detections-permissions) - [x] Removed `frequency` in favor of `count` for remaining histograms ##### Inconsistent Histogram intervals ![image](https://user-images.githubusercontent.com/2946766/73161560-04a82300-40a9-11ea-950f-ea56f9a5bfd7.png) ##### Consistent Histogram Intervals ![image](https://user-images.githubusercontent.com/2946766/73159564-fefc0e80-40a3-11ea-9b9d-4d15899dabd2.png) cc @MichaelMarcialis @cwurm @MikePaquette ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

@MichaelMarcialis

## Summary This PR wraps up the remaining `Detection Engine` meta tickets: #55585, #54935, and elastic/siem-team#498 - [x] Histogram bar interval (bar counts and widths) consistency (#55585) - [x] Make the bar intervals a consistent 32 bars across the board * Enabled `extended_bounds`, `min_doc_count: 0`, and now setting consistent `fixed_interval` when querying to ensure the entire daterange is displayed across all histograms. - [x] Filter out the "untitled" timelines from both timeline selection options during rule creation (elastic/siem-team#498) - [ ] ~Import query from saved timeline~ * For 7.7 tracking ticket here: #56079 - [x] `Investigate detections using this timeline template` - [x] Everywhere we use "Alerts" (Overview page, Host Tab, Network Tab) we should change the term to "External Alerts" - [x] Updated Host Page Tab/Table/Histogram/Breadcrumbs - [x] Updated Network Page Tab/Table/Histogram/Breadcrumbs - [x] Updated DE permission/index error doc links to go to [corresponding DE docs section](https://www.elastic.co/guide/en/siem/guide/7.6/detection-engine-overview.html#detections-permissions) - [x] Removed `frequency` in favor of `count` for remaining histograms ##### Inconsistent Histogram intervals ![image](https://user-images.githubusercontent.com/2946766/73161560-04a82300-40a9-11ea-950f-ea56f9a5bfd7.png) ##### Consistent Histogram Intervals ![image](https://user-images.githubusercontent.com/2946766/73159564-fefc0e80-40a3-11ea-9b9d-4d15899dabd2.png) cc @MichaelMarcialis @cwurm @MikePaquette ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] ~This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~ - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~ - [ ] ~[Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~ - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~

spong · 2020-01-28T17:44:56Z

Looks like we've got all these taken care of (or be tackling in 7.7) -- thanks @XavierM @patrykkopycinski @FrankHassanabad @dhurley14 @andrew-goldstein ! 😀 🎉

spong added bug Fixes for quality problems that affect the customer experience Meta Team:SIEM labels Jan 15, 2020

spong assigned XavierM, dhurley14, FrankHassanabad and spong Jan 15, 2020

spong mentioned this issue Jan 22, 2020

[SIEM] [Detection Engine] All Rules fixes #55641

Merged

7 tasks

spong mentioned this issue Jan 27, 2020

[SIEM] [Detection Engine] Fixes histogram intervals #55969

Merged

17 tasks

spong closed this as completed Jan 28, 2020

MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SIEM] Detection Engine Meta Cleanup #54935

[SIEM] Detection Engine Meta Cleanup #54935

spong commented Jan 15, 2020 •

edited by dhurley14

Loading

elasticmachine commented Jan 15, 2020

spong commented Jan 28, 2020

[SIEM] Detection Engine Meta Cleanup #54935

[SIEM] Detection Engine Meta Cleanup #54935

Comments

spong commented Jan 15, 2020 • edited by dhurley14 Loading

Generic DE

Signals Table

Signals Histogram

All Rules

Rule Details

Rule Creation / Edit Rules

elasticmachine commented Jan 15, 2020

spong commented Jan 28, 2020

spong commented Jan 15, 2020 •

edited by dhurley14

Loading