[Security Solution] Populate alert status auditing fields #171589
Conversation
marshallmain
added
release_note:enhancement
Team:Detection Engine
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
marshallmain
added
the
Feature:Detection Alerts
|
The ResponseOps changes besides the alert table changes LGTM. I'd like to have someone from RAM review the alert table changes since I'm not sure what the ramifications of those changes are. @XavierM ? |
marshallmain
added
ci:cloud-deploy
| const getUpdateSignalStatusScript = (status: SetSignalsStatusSchemaDecoded['status']) => ({ | ||
| source: `if (ctx._source['${ALERT_WORKFLOW_STATUS}'] != null) { | ||
| ctx._source['${ALERT_WORKFLOW_STATUS}'] = '${status}' | ||
| const getUpdateSignalStatusScript = ( |
There was a problem hiding this comment.
This only returns user profiles that are enabled right? Is a profile enabled automatically on login? Would there be a case of someone being logged onto the UI with a disabled profile and so this status is not logged?
| @@ -39,6 +42,7 @@ import { ALERTS_URL } from '../../../urls/navigation'; | |||
|
|
|||
| // FLAKY: https://github.com/elastic/kibana/issues/169091 | |||
There was a problem hiding this comment.
I have a PR trying to fix the flake, just haven't gotten back to it yet! #171676
|
Hey @marshallmain - sorry I just got to doing a very quick overview today. I plan to pull down and test tomorrow. Could we add the new PR checklist to the description? Thanks so much! |
There was a problem hiding this comment.
Thanks for adding this in the table and the alert details flyout @marshallmain!
I left a few small comments.
Also I'm thinking that this could be a good candidate for some Cypress tests? We already have everything setup for you, and even have one test for each action performed on the alert (this one when closing an alert and that one when acknowledging an alert). You probably would have to update the page filters to show the changed alert, reopen the flyout and test that the new section correctly shows up under the About section. Wdyt?
(I tried manually once a test was finished and it worked, so we should be able to do this programmatically without any issues). I'm happy to help out on this if you need!
I also have a question regarding the UI. Was adding this new section validated by UIUX? It seems a bit weird to me, and I would have thought instead to add something in the header next to the already existing status component (by probably updating this status.tsx file).
Finally, when the Mitre Attack component is rendered, the spacing is a bit small between mitre attack and this new status component. The challenge is both these are conditionally rendered. What do you think about removing this <EuiSpacer size="m" /> here and add one <EuiSpacer size="m" /> at the top of both the mitre_attack component and your new alert_status? That way the spacing will always look nice, when the components are visible or not.
| import { useBulkGetUserProfiles } from '../../../../common/components/user_profiles/use_bulk_get_user_profiles'; | ||
| import { PreferenceFormattedDate } from '../../../../common/components/formatted_date'; | ||
|
|
||
| export const AlertStatus: FC = () => { |
There was a problem hiding this comment.
can you please add a short documentation here, just to be consistent with all the other components in the document_details folder?
| const statusUpdatedBy = searchHit.fields?.['kibana.alert.workflow_user'] as string; | ||
| const statusUpdatedAt = searchHit.fields?.['kibana.alert.workflow_status_updated_at']; |
There was a problem hiding this comment.
any reason for not using getFieldsData along side our x-pack/plugins/security_solution/public/flyout/document_details/shared/utils.tsx like we use in the rest of the document_details flyout code?
The getFieldsData is available from the useRightPanelContext you're already using.
It would be
const { getFieldsData } = useRightPanelContext();
const statusUpdatedBy = getField(getFieldsData('kibana.alert.workflow_user'));
const statusUpdatedAt = getField(getFieldsData('kibana.alert.workflow_status_updated_at'));
There was a problem hiding this comment.
I figured getting the raw data from the searchHit was simple enough, I can change it though
| @@ -43,6 +43,10 @@ const MITRE_ATTACK_TEST_ID = `${PREFIX}MitreAttack` as const; | |||
| export const MITRE_ATTACK_TITLE_TEST_ID = `${MITRE_ATTACK_TEST_ID}Title` as const; | |||
| export const MITRE_ATTACK_DETAILS_TEST_ID = `${MITRE_ATTACK_TEST_ID}Details` as const; | |||
|
|
|||
| export const WORKFLOW_STATUS_TEST_ID = `${PREFIX}WorkflowStatus` as const; | |||
There was a problem hiding this comment.
nit but this one doesn't need to be exported
Is there a specific person that needs to approve changes to the flyout? I avoided adding it to the header because it looked cluttered to me already and adding status history information didn't seem to fit with the rest of the basic info that's displayed in the header. I'm working on making the other suggested changes to the flyout, thanks for the review! |
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Canvas Sharable Runtime
Page load bundle
Unknown metric groupsAPI count
References to deprecated APIs
History
To update your PR or re-run it, just comment with: |
@marshallmain: @ferenrigue owns the flyout design but she is on vacation right now. We could ask @codearos but if you want we can merge this as is and I'm happy to make small UI changes later once UIUX comes up with a solution they like? |
There was a problem hiding this comment.
LGTM for the Threat Hunting Investigations team, thanks for making the changes @marshallmain
This PR populates the existing
kibana.alert.workflow_userfield in the alerts-as-data mappings with theprofile_uidof the last user to modify the status of the alert. It also adds a new field,kibana.alert.workflow_status_updated_at, to track the last time the workflow status was updated and populates it with a timestamp.Similar to the alert assignment PR,
workflow_userrenders in the table with a user avatar instead of the rawprofile_uidvalue stored in the alert. The filter in/out buttons on the row cell automatically add a filter that uses the raw value so that filtering works correctly.Due to limitations of Kibana's user profile implementation,
workflow_useris only populated if a user changes the alert status using the alert status route (POST /api/detection_engine/signals/status) within an interactive session, i.e. logs in rather than passes credentials with each API request (related issue).Alerts table
Alert details
Checklist
kibana.alert.workflow_userandkibana.alert.workflow_status_updated_at) security-docs#4325