[Security Solution] Remove the advanced sorting switch from the rules management page #149840
Conversation
xcrzx
added
release_note:enhancement
Team:Detections and Resp
xcrzx
force-pushed
the
remove-in-memory-table
branch
11 times, most recently
from
6971bd6
to
cd5e413
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
xcrzx
force-pushed
the
remove-in-memory-table
branch
4 times, most recently
from
86811f1
to
1375e45
Compare
| ...doc.attributes, | ||
| lastRun: { | ||
| ...doc.attributes.lastRun, | ||
| outcomeOrder: RuleLastRunOutcomeOrderMap[outcome], |
There was a problem hiding this comment.
I don't recall off hand, but are there any old legacy outcome's that a user could have lingering around that wouldn't be included in the RuleLastRunOutcomeOrderMap? If so, is undefined fine here until the next rule execution?
There was a problem hiding this comment.
The outcome field was added in 8.6 with only three values specified in the RuleLastRunOutcomeOrderMap. So I don't expect any other values there. That said, undefined should also work just fine.
There was a problem hiding this comment.
Problem is, the outcomeOrder is defined as a number, but in the case of a outcome: undefined - or some change in the future that would add a new outcome but forget to add the order - the order will end up being undefined. Feels like we should change outcomeOrder to be number | undefined, or write a function to generate the updated value that deals with the potential undefined value, where it's generated in execution.
If we want to keep it typed as a number, then I think we need to supply a number here, but not sure what we'd use. If we go with making outcome_order as number | undefined, then this code is fine as-is , as it would generate an undefined (if outcome is not set or an unexpected value).
There was a problem hiding this comment.
Unless I miss something, outcome cannot be undefined. See the 8.6 migration, for example:
If the outcome is unknown, the whole lastRun structure is omitted.
Furthermore, adding a new outcome value will cause a type error if the value is not added to the outcome->order map:
So TypeScript protects us from forgetting to add values to the linked structures.
That said, if you feel strongly about changing the type of outcomeOrder to number | undefined, I'm okay with that. It doesn't affect the code of Security Solution in any way, as we don't work with that field directly.
There was a problem hiding this comment.
Awesome! We've become more sensitive to migrations recently so wanted to understand this one well.
The main thing I'm worrying about is some bug where we would unintentionally have outcome set to some invalid value, as part of normal (presumably buggy!) operation. And then the migration would end up writing out an undefined for the order. But ... that's valid for that field :-)
So, even in that case, I don't think there's anything else we can do to improve the migration.
The rest of the type-checking on outcome looks good, thanks for explaining.
...ty_solution/server/lib/detection_engine/rule_management/logic/search/transform_sort_field.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Checked out, tested locally, code reviewed and rules area changes LGTM! 👍
One issue with sorting on Version, but I think we can just remove that column (as intended in #148196) and call it a day.
As always, super clean work here @xcrzx! Thank you for seeing this feature full-circle -- the in-memory table served our users well in the interim, and it's now nice to have mapped_params support where we need it, awesome! 😀
xcrzx
force-pushed
the
remove-in-memory-table
branch
2 times, most recently
from
ce10b97
to
2d675b4
Compare
x-pack/plugins/alerting/server/saved_objects/migrations/8.7/index.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
Outdated
Show resolved
Hide resolved
| export const SortField = t.union([ | ||
| t.literal('created_at'), | ||
| t.literal('createdAt'), // Legacy notation, keeping for backwards compatibility | ||
| t.literal('enabled'), | ||
| t.literal('execution_summary.last_execution.date'), | ||
| t.literal('execution_summary.last_execution.metrics.execution_gap_duration_s'), | ||
| t.literal('execution_summary.last_execution.metrics.total_indexing_duration_ms'), | ||
| t.literal('execution_summary.last_execution.metrics.total_search_duration_ms'), | ||
| t.literal('execution_summary.last_execution.status'), | ||
| t.literal('name'), | ||
| t.literal('risk_score'), | ||
| t.literal('riskScore'), // Legacy notation, keeping for backwards compatibility | ||
| t.literal('severity'), | ||
| t.literal('updated_at'), | ||
| t.literal('updatedAt'), // Legacy notation, keeping for backwards compatibility | ||
| ]); |
There was a problem hiding this comment.
We should not forget to update the docs with this info. I can open a ticket if you haven't already.
There was a problem hiding this comment.
Also, this is a type that applies specifically to the find rules API endpoint, but it's not common. Let's rename it to FindRulesSortField and move it to x-pack/plugins/security_solution/common/detection_engine/rule_management/api/rules/find_rules/request_schema.ts
| }, | ||
| { | ||
| refetchInterval: isRefreshOn && !isActionInProgress && autoRefreshSettings.value, | ||
| keepPreviousData: true, // Use this option so that the state doesn't jump between "success" and "loading" on page change |
...on/public/detection_engine/rule_management_ui/components/rules_table/rules_table_toolbar.tsx
Show resolved
Hide resolved
| import { assertUnreachable } from '../../../../../../common/utility_types'; | ||
|
|
||
| /** | ||
| * Transform the sort field name from the request to the Alerting framework |
There was a problem hiding this comment.
Thank you for all these comments, it's a ton of help for our future self or anyone new to this codebase.
I'm thinking now: what about filtering? We should probably do the same for filters as well, right?
| ...doc.attributes, | ||
| lastRun: { | ||
| ...doc.attributes.lastRun, | ||
| outcomeOrder: RuleLastRunOutcomeOrderMap[outcome], |
There was a problem hiding this comment.
Problem is, the outcomeOrder is defined as a number, but in the case of a outcome: undefined - or some change in the future that would add a new outcome but forget to add the order - the order will end up being undefined. Feels like we should change outcomeOrder to be number | undefined, or write a function to generate the updated value that deals with the potential undefined value, where it's generated in execution.
If we want to keep it typed as a number, then I think we need to supply a number here, but not sure what we'd use. If we go with making outcome_order as number | undefined, then this code is fine as-is , as it would generate an undefined (if outcome is not set or an unexpected value).
| @@ -173,6 +173,7 @@ export default function createAlertTests({ getService }: FtrProviderContext) { | |||
| }, | |||
| outcome: 'succeeded', | |||
| outcome_msg: null, | |||
| outcome_order: 0, | |||
There was a problem hiding this comment.
We should add tests for 'warning' and 'failed' to ensure the outcome_order is expected. I think that can just be added to any other test that receives those outcomes.
There was a problem hiding this comment.
Not sure what tests you mean here. I've added more test cases to the migrations suite, and haven't found any explicit integrational tests for the lastRun or outcome fields. This file is the only place in x-pack/test/alerting_api_integration besides migrations where execution outcome is surfaced.
There was a problem hiding this comment.
Ah, I see! I figured we had some - I do see some outcome FT for the event log, but not seeing any for the rule itself.
@XavierM, did I miss some? Looks like you were involved in some of this work in a previous PR. Seems like we should add some (in a separate issue/PR) if we don't have any.
There was a problem hiding this comment.
yes, we will add specific test around that in the near future. We will use the same one for executionStatus if they exist
There was a problem hiding this comment.
They do exist! So here a ticket #150487 to add them for last_run
x-pack/plugins/alerting/server/saved_objects/migrations/index.test.ts
Outdated
Show resolved
Hide resolved
xcrzx
force-pushed
the
remove-in-memory-table
branch
from
2d675b4
to
c67e600
Compare
|
@pmuellr @xcrzx My 2 cents: let's reserve Having nullable fields makes the code more error-prone, and here it seems we could avoid that. |
xcrzx
force-pushed
the
remove-in-memory-table
branch
from
c67e600
to
c61110b
Compare
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @xcrzx |
As I mentioned in my comment above, there normally shouldn't be a situation when |
… management page (elastic#149840) **Resolves: elastic#138907 **Resolves: elastic#148196 ## Summary - Added missing `outcomeOrder` field to the alerting framework - Removed the advanced sorting switch from the rules management page - Both rules management and rules monitoring tables now have all columns sortable, including indexing time, query time, last gap, and last response - Sorting now happens entirely on the server side. No in-memory structures are needed. - Removed the version column as intended in elastic#148196 There's one caveat, though. The running status is represented as a different rule field. So when sorting by the last status, if there are any "running" rules, they could appear in any row on the table: 
Resolves: #138907
Resolves: #148196
Summary
outcomeOrderfield to the alerting frameworkThere's one caveat, though. The running status is represented as a different rule field. So when sorting by the last status, if there are any "running" rules, they could appear in any row on the table: