[Security Solution] New Rules Installation and Upgrade UI Workflows #158450
Conversation
@@ -92,6 +92,7 @@ const calculateRuleInfos = (results: CalculateRuleDiffResult[]): RuleUpgradeInfo | |||
return { | |||
id: installedCurrentVersion.id, | |||
rule_id: installedCurrentVersion.rule_id, | |||
revision: installedCurrentVersion.revision, |
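Review bot: the added `revision: installedCurrentVersion.revision` only reaches the client if `RuleUpgradeInfo`, the declared return type of `calculateRuleInfos`, and the response schema of `upgrade/_review` both declare the field; otherwise this is a type error or the value is stripped before the client can echo it back in `upgrade/_perform`, which defeats the OCC check. Suggest updating the type and schema in the same change and adding a test that asserts the review response carries the installed rule's current `revision`.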
@xcrzx The `RuleUpgradeSpecifier` expects to be sent the current `revision` of the rule, but the response payload of upgrade `_review` as it was did not return it. I added it here so it can be resent to the backend on rule upgrade `_perform`.

Does this make sense to you? Or did I misunderstand the OCC mechanism?
Yup, that's correct. I overlooked the `revision` in my previous PR. Thank you for adding it, @jpdjere. 👍
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Files by Code Owner:
- elastic/security-defend-workflows
- elastic/security-detection-engine
- elastic/security-threat-hunting
- elastic/security-threat-hunting-explore
Co-authored-by: Sergi Massaneda <sergi.massaneda@gmail.com>
💛 Build succeeded, but was flaky
To update your PR or re-run it, just comment with: cc @jpdjere
Detection engine changes LGTM
…ring in Add Rules and Rule Upgrade tables (#159700)

## Summary

**1.** Replaces the EUI out-of-the-box filtering by rule name and tags [used in the initial implementation](#158450) with custom in-memory filtering. This aligns the look-and-feel of the Rules Management table with the new Add Elastic Rules and Rule Upgrades table.

![image](/~https://github.com/elastic/kibana/assets/5354282/e4b01221-74c1-40e5-abf4-87344a080e5d)
![image](/~https://github.com/elastic/kibana/assets/5354282/9684cee2-a2bf-4850-82e0-1d3679c55c99)

**2.** Adds a CTA in the Add Elastic Rules table when all rules have been installed, that navigates the user back to the Rules Management table.

![image](/~https://github.com/elastic/kibana/assets/5354282/15825af2-005d-47c8-a2a6-97603ea32646)

### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](/~https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](/~https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
…de (#159868)

## Summary

Reintroduces the ML Jobs warning popover that was removed during the [new install/upgrade initial implementation](#158450). The ML Jobs warning popover appears when the user has legacy ML jobs installed and attempts to update their prebuilt rules. Modified behaviour so that the popover now appears in any of the three cases: upgrading **all rules**, upgrading **specific rules** and upgrading **a single rule**.

### Testing

In the `state` returned by `UpgradePrebuiltRulesTableContextProvider`, replace the value of `legacyJobsInstalled` with a mock value. See below:

```ts
return {
  state: {
    rules,
    tags,
    isFetched,
    isLoading: isLoading && loadingJobs,
    isRefetching,
    selectedRules,
    loadingRules,
    lastUpdated: dataUpdatedAt,
    legacyJobsInstalled: [
      {
        id: 'rc-rare-process-windows-5',
        description:
          'Looks for rare and anomalous processes on a Windows host. Requires process execution events from Sysmon.',
        groups: ['host'],
        processed_record_count: 8577,
        memory_status: 'ok',
        jobState: 'closed',
        hasDatafeed: true,
        datafeedId: 'datafeed-rc-rare-process-windows-5',
        datafeedIndices: ['winlogbeat-*'],
        datafeedState: 'stopped',
        latestTimestampMs: 1561402325194,
        earliestTimestampMs: 1554327458406,
        isSingleMetricViewerJob: true,
        awaitingNodeAssignment: false,
        jobTags: {},
        bucketSpanSeconds: 900,
      },
      {
        id: 'siem-api-rare_process_linux_ecs',
        description: 'SIEM Auditbeat: Detect unusually rare processes on Linux (beta)',
        groups: ['siem'],
        processed_record_count: 582251,
        memory_status: 'hard_limit',
        jobState: 'closed',
        hasDatafeed: true,
        datafeedId: 'datafeed-siem-api-rare_process_linux_ecs',
        datafeedIndices: ['auditbeat-*'],
        datafeedState: 'stopped',
        latestTimestampMs: 1557434782207,
        earliestTimestampMs: 1557353420495,
        isSingleMetricViewerJob: true,
        awaitingNodeAssignment: false,
        jobTags: {},
        bucketSpanSeconds: 900,
      },
    ],
    isUpgradeModalVisible,
    ruleIdToUpgrade,
    modalConfirmationUpdateMethod,
  },
  actions,
};
```

### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Addresses: #154614 #154615

Figma designs: https://www.figma.com/file/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?type=design&node-id=2935-577576&t=ziqgnlEJBpowqa7F-0

## Summary

- `prebuiltRulesNewUpgradeAndInstallationWorkflowsEnabled` feature flag. All new prebuilt endpoints now available by default.
- `useAddPrebuiltRulesTableContext` and `useUpgradePrebuiltRulesTableContext` respectively)
- `useFetchPrebuiltRulesStatusQuery` and `usePrebuiltRulesStatus` consume the `/internal/detection_engine/prebuilt_rules/status` endpoint and provide information about the number of rules available for installation, the number of installed rules, and the number of rules with available updates.
- `useFetchPrebuiltRulesInstallReviewQuery` and `usePrebuiltRulesInstallReview` consume the `/internal/detection_engine/prebuilt_rules/installation/_review` endpoint and return the rules available for installation, which are listed in the Add Rules page.
- `useFetchPrebuiltRulesUpgradeReviewQuery` and `usePrebuiltRulesUpgradeReview` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_review` endpoint and return the rules which have available updates and are listed in the Rule Updates page.
- `usePerformInstallAllRules`, `usePerformInstallSpecificRules`, and their respective mutation hooks `usePerformAllRulesInstallMutation` and `usePerformSpecificRulesInstallMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to install rules.
- `usePerformUpgradeAllRules`, `usePerformUpgradeSpecificRules` and their respective mutation hooks `usePerformAllRulesUpgradeMutation` and `usePerformSpecificRulesUpgradeMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to upgrade rules.

### Deprecated code

Hooks:

- `useCreatePrebuiltRulesMutation`
- `useInstallPrePackagedRules`
- `useCreatePrePackagedRules`
- `usePrePackagedRulesInstallationStatus`
- `usePrePackagedTimelinesInstallationStatus`

### Major points to resolve

- `/api/detection_engine/rules/prepackaged` endpoint in favour of the new ones, we are not currently installing timeline templates. Serverside, we will need a new endpoint to install them separately from rules? In the UI, how would this still work: would they get installed in the background now? Or maybe have a new button for it somewhere?

### Deviations from design

This PR includes a reduced scope to the final workflow shown in the Figma designs.

Most notably, in Milestone 2, to be released in 8.9, we did not build the flyout that, in the Add Rules page, shows the rule details when the user clicks on it, so the user can review it before installing. The same is true in the Rule Updates table, which does not allow, for now, reviewing the rules. In both cases, the user can only click on "Install Rule" and "Upgrade Rule".

There are other differences in the UI, for technical reasons:

- `security-rule`) was created or updated, this is information we don't currently have within the SO. After discussion with @ksevasilyeva and @ARWNightingale, we decided, for now, to remove the column. In the meantime, @terrancedejesus created an issue to include `createdAt` and `updatedAt` fields within the rule assets, that we can use to display in the table in later iterations.

### Other remaining work:
### How to test rule upgrade

- `rule_id` from the Network tab.
- `PATCH /api/detection_engine/rules` with the `rule_id` in the payload, and also set the `version` to a number lower than the current version.
- `/upgrade/_review` endpoint will now return that rule as available for upgrade.

### Videos
Rule Installation Workflow

New.Rule.Installation.Workflow.mp4

Rule Upgrade Workflow

New.Role.Upgrade.Workflow.mp4

### TODO
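The `revision` round-trip discussed in the review comment above and the version-lowering steps in "How to test rule upgrade", modelled together as an added example that is not Kibana's code. The type names (`RuleAsset`, `InstalledRule`, `RuleUpgradeInfo`, `RuleUpgradeSpecifier`) and the assumption that every write to a rule increments its `revision` are modelled on the discussion, not taken from the project's schemas.

```typescript
// Added example, not Kibana's code: an in-memory model of the _review/_perform flow
// from this PR. Type and field names are assumptions based on the conversation, and
// "every write bumps revision" is the assumed rule behind the OCC check.
interface RuleAsset { rule_id: string; version: number }
interface InstalledRule { id: string; rule_id: string; version: number; revision: number }
interface RuleUpgradeInfo { id: string; rule_id: string; revision: number; current_version: number; target_version: number }
interface RuleUpgradeSpecifier { rule_id: string; revision: number; version: number }

// Models the PATCH step of "How to test rule upgrade": lowering an installed rule's
// version (any edit also increments its revision).
function patchRuleVersion(rules: InstalledRule[], rule_id: string, version: number): InstalledRule {
  const rule = rules.find((r) => r.rule_id === rule_id);
  if (!rule) throw new Error(`rule ${rule_id} is not installed`);
  rule.version = version;
  rule.revision += 1;
  return rule;
}

// upgrade/_review: a rule is upgradable when the shipped asset's version is higher than
// the installed version. The current revision is returned so the client can echo it back.
function reviewUpgrades(rules: InstalledRule[], assets: RuleAsset[]): RuleUpgradeInfo[] {
  const upgradable: RuleUpgradeInfo[] = [];
  for (const rule of rules) {
    const asset = assets.find((a) => a.rule_id === rule.rule_id);
    if (!asset || asset.version <= rule.version) continue;
    upgradable.push({ id: rule.id, rule_id: rule.rule_id, revision: rule.revision,
                      current_version: rule.version, target_version: asset.version });
  }
  return upgradable;
}

// upgrade/_perform with optimistic concurrency control: the echoed revision must equal the
// stored one, so a rule edited after _review is skipped instead of silently overwritten.
function performUpgrades(rules: InstalledRule[], specs: RuleUpgradeSpecifier[]) {
  const updated: string[] = [];
  const skipped: Array<{ rule_id: string; reason: string }> = [];
  for (const spec of specs) {
    const rule = rules.find((r) => r.rule_id === spec.rule_id);
    if (!rule) { skipped.push({ rule_id: spec.rule_id, reason: 'not installed' }); continue; }
    if (rule.revision !== spec.revision) { skipped.push({ rule_id: spec.rule_id, reason: 'revision conflict' }); continue; }
    rule.version = spec.version;
    rule.revision += 1; // the upgrade is itself a write
    updated.push(spec.rule_id);
  }
  return { updated, skipped };
}

// Constructed sample data: one installed rule that is already at the shipped version.
const assets: RuleAsset[] = [{ rule_id: 'rule-a', version: 3 }];
const installed: InstalledRule[] = [{ id: 'so-1', rule_id: 'rule-a', version: 3, revision: 0 }];
```

Calling `reviewUpgrades(installed, assets)` before and after `patchRuleVersion(installed, 'rule-a', 2)` shows the rule appearing as upgradable only once its version is lowered, and a `performUpgrades` call with the pre-patch revision is rejected as a conflict.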