[Osquery] Add Osquery results to Case #139909
Conversation
```text
# Conflicts:
#	x-pack/plugins/osquery/public/plugin.ts
#	x-pack/plugins/osquery/public/routes/live_queries/details/index.tsx
#	x-pack/plugins/osquery/public/routes/saved_queries/edit/tabs.tsx
#	x-pack/plugins/osquery/public/types.ts
```
…poc-cases
```text
# Conflicts:
#	x-pack/plugins/osquery/public/routes/live_queries/details/index.tsx
```
```tsx
return getAddToTimelineButton({
  dataProvider: providerA,
  field: value,
  dataProvider: providers,
```
This change is required for us to add multiple actions to time at once. Is this a proper approach?
The functionality itself is not used yet, but I am hoping to use it still for 8.5
@elasticmachine merge upstream
```tsx
},
async (context, request, response) => {
  // this is to skip validation eg. for analysts in cases attachments so they can see the results despite not having permissions
  const { isSystemRequest } = request;
  if (!isSystemRequest) {
```
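Review bot: the `if (!isSystemRequest)` branch makes the permission check conditional on how the request was issued rather than on what the caller is allowed to read, so any request flagged as a system request reaches the results with no authorization at all (the comment above it says as much: "skip validation ... despite not having permissions"). The check should run for every request, and a caller without osquery privileges should get a permission-denied response that the cases attachment then renders, instead of the route skipping validation.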
@elastic/kibana-security please keep me honest here. The system request header should NOT be used to skip authorization checks. The existence of the system request header is only intended to allow us to determine whether or not the user's session should be extended as a result of a HTTP request being made.
Ok, the inner circle agreed to revert these changes and just show permission denied info.
Thanks @kobelb for your input 👍
Thanks for pinging us @kobelb! Yes, you're absolutely correct, isSystemRequest == request that wasn't initiated by the user and shouldn't be treated as the user activity.
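To make the point of this thread concrete, here is an added TypeScript example that is not Kibana's code: it contrasts a route handler that skips the privilege check for system requests with one that always performs it. The request shape, `Privileges`, `handleFlawed`, `handleFixed`, `bypassedRequests` and the sample results are constructed for the example.

```typescript
// Added example (not Kibana code). Models the authorization question from the
// review: `isSystemRequest` describes how a request was issued, not what the
// caller may read, so it must not decide whether privileges are checked.
// All names and data here are hypothetical / constructed.

interface Privileges {
  readOsqueryResults: boolean;
}

interface OsqueryRequest {
  isSystemRequest: boolean; // true when the request was not initiated by the user
  privileges: Privileges;   // resolved for the calling user by the auth layer
}

interface RouteResponse {
  status: 200 | 403;
  body: { results?: string[]; message?: string };
}

// Constructed sample data standing in for live query results.
const SAMPLE_RESULTS = ['host-a: uid=0 name=root', 'host-b: uid=1000 name=analyst'];

const PERMISSION_DENIED =
  'To access these results, ask your administrator for osquery Kibana privileges';

// "Before": mirrors the reviewed change. The privilege check only runs for
// non-system requests, so a system request reaches the results unchecked.
function handleFlawed(request: OsqueryRequest): RouteResponse {
  if (!request.isSystemRequest) {
    if (!request.privileges.readOsqueryResults) {
      return { status: 403, body: { message: PERMISSION_DENIED } };
    }
  }
  return { status: 200, body: { results: SAMPLE_RESULTS } };
}

// "After": the outcome the review settled on. Authorization runs for every
// request, and the denial is what the cases attachment ends up showing.
function handleFixed(request: OsqueryRequest): RouteResponse {
  if (!request.privileges.readOsqueryResults) {
    return { status: 403, body: { message: PERMISSION_DENIED } };
  }
  return { status: 200, body: { results: SAMPLE_RESULTS } };
}

// Regression check: which requests would the flawed handler serve that the
// fixed one refuses? Exactly the system requests from unprivileged callers.
function bypassedRequests(requests: OsqueryRequest[]): OsqueryRequest[] {
  return requests.filter(
    (r) => handleFlawed(r).status === 200 && handleFixed(r).status === 403
  );
}
```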
Great progress! A few other nit comments
```tsx
const { cases } = useKibana().services;

const casePermissions = cases.helpers.canUseCases();
const hasReadPermissions = casePermissions.read && casePermissions.update && casePermissions.push;
```
nit: maybe rename this to hasCasesPermissions, the permissions being checked here indicate there are more than just read.
👍
```tsx
<EuiToolTip
  content={
    <EuiFlexItem>
      {i18n.translate('xpack.osquery.cases.addToCaseText', {
```
Can we use the ADD_TO_CASE variable here?
👍 yes, thx!
```tsx
import OsqueryLogo from '../../components/osquery_icon/osquery.svg';

// TODO waiting for Metadata to add "add to timeline" in here
// const AttachmentActions: React.FC = () => (
```
Reminder to remove commented out code
👍
```tsx
type: 'regular',
event: 'attached Osquery results',
timelineAvatar: <EuiAvatar name="osquery" color="subdued" iconType={OsqueryLogo} />,
// actions: <AttachmentActions />,
```
Same here
👍
```tsx
const addToTimeline = useCallback(
  (payload) => {
    if (!actionId || !addToTimelineButton) {
      return <></>;
```
Just checking, can this be null? or does that mess with how the parent component is rendered?
Null would mess up. I will refactor these 2 - addToTimeline and addToCases buttons within OSquery during FF, or for 8.6. There are a few new things we learnt during preparation for 8.5.
```tsx
},
async (context, request, response) => {
  let agent;
  // this is to skip validation eg. for analysts in cases attachments so they can see the results despite not having permissions
  const { isSystemRequest } = request;
  if (!isSystemRequest) {
```
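Review bot: this route carries the same `isSystemRequest` skip as the earlier one (the `// this is to skip validation` comment followed by `if (!isSystemRequest)`), so reverting the bypass in one place is not enough; every route that copied this pattern needs the unconditional check, and a test asserting that an unprivileged request gets a permission-denied response from each of these routes would keep the skip from being reintroduced.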
Hey! Don't forget to remove this logic from all routes.
👍
Great progress on this feature! Here are a few things I noted while testing before the instance went down 😢:
- There is empty space on the overflow actions button
- Rerendering the osquery attachment causes the case to flicker and jump. I'm not sure if this is related to how Cases performs the rerendering, or maybe the animation of populating results in the osquery component. This appears to only happen in the Stack Cases, so maybe it's our fault 😆

FlickeringScreen.Recording.2022-09-15.at.1.03.30.PM.mov
@elasticmachine merge upstream
Nice work! I left a few minor questions and text changes.
I tested:
- user with no osquery permissions cannot view the attachment within cases ✅
- user with no cases permissions results in the add to case button being disabled ✅
- user without superuser permissions can view the attachment within cases (this works after adding `read` to the `all` feature) ✅
- user without indices permissions cannot view the attachment within cases ✅
- attaching to timeline, viewing in lens, and viewing in discover from within cases works ✅
```tsx
body={
  <FormattedMessage
    id="xpack.osquery.cases.permissionDenied"
    defaultMessage=" To access this results, ask your administrator for {osquery} Kibana
```
Minor change: To access these...
👍
```tsx
<CasesContext owner={CASES_OWNER} permissions={casePermissions}>
  <EuiTabbedContent
    // TODO: extend the EuiTabbedContent component to support EuiTabs props
    // bottomBorder={false}
```
nit: remove commented out code
I'd leave the TODO, maybe there's gonna be time to take care of it soon
```tsx
<AddToCaseButton
  queryId={payload.queryId}
  agentIds={agentIds}
  actionId={liveQueryActionId || ''}
```
How likely is it for the liveQueryActionId to be undefined? aka setting actionId to an empty string? Should we disable the button if it is undefined?
I think I tracked the code and it'll just result in the live query not running so maybe we'll just show an empty component within cases.
You're right, empty string doesn't make sense. I'll add a check if we have livequeryActionId before rendering Button. We should have it after running a query, before getting results - I would risk a statement that it's obligatory.
Also I tested closing the osquery indices and that results in the attachments within cases looking like: Seems fine to me 👍 Or maybe we could say something like
The indices error is definitely something we should take a closer look into, thanks for the suggestion. 👍 and the whole review thing, you were very helpful @jonathan-buttner and @cnasikas thanks 👍
💚 Build Succeeded
LGTM
This PR adds functionality to add Osquery results to Cases with the help of CasesUi.hooks. All types of Cases are supported - Security, Observability, Stack Management.
To Do:
- [x] Live queries + live query details
- [x] O11y Host metrics flyout
- [x] Alert flyout
- [x] Comment should include agentId details and query results
- [x] Change icon on the left side of comments
- [x] Adding packs
- [ ] Action item on the right side of the comment ( arrow-right ) should add whole result to Timeline
- [x] Add to timeline in case comment's result