[Cases] User actions enhancements #115730
Labels
epic
Feature:Cases
Cases feature
loe:needs-research
This issue requires some research before it can be worked on or estimated
needs design
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
v9.0.0
Comments
|
Pinging @elastic/security-threat-hunting-cases (Team:Threat Hunting:Cases) |
cnasikas
added
loe:needs-research
cnasikas
changed the title
|
@cnasikas this question came up during a planning session: Why the 9.0.0 label on this issue? |
|
Hi @MikePaquette! I put the 9.0.0 label because when I opened the issue we were not sure if it is gonna be part of 8.1. Also, this ticket gonna be implemented in parts in multiple releases. For 8.1, only the |
cnasikas
added
Feature:Cases
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
9 tasks
|
As most of the items are done in this issue I am closing it if favor of #140096 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Every user action in Cases is recorded to an immutable appended list. This enables the ability of traceability and non-repudiation of users.
Problem
At the moment, all user actions are being fetched and shown to the UI. This will lead to performance issues if user actions grow a lot when for example multiple alerts will be attached to a case either dynamically (with the use of the case connector) or manually (bulk operation).
Solution
The UI should fetch and show a portion of user actions. This can be either the last N user actions or a mix of the X first and Y last. Users could load more by pressing a "load more" button. The same should apply to comments.
UI/UX
A design is needed of how we should show the limited user actions (timeline) to the users. Also, by limiting the user actions a lot of information will be hidden to the user like alerts, require push to external service, timelines, etc. Different views may be needed to show hidden information. Example #116501
Technical
Connectors
When changing the connector in a case the front end searches through all user actions to find the latest connector's fields and show them to the user. This can lead to broken connectors if a portion of user actions is being fetched. Research needs to be done on how we can get the connector's fields.
Schema of user actions
A user action saves the old value and the new value of every action. For example, if a user changes the title from
My titletoMy new titlethennew_value: "My new titleandold_value: "My title". If the values are objects then a stringified version is saved in the values.Having objects as a string in a variable makes it hard to search in (useful for KPIs) and puts a burden on the frontend when parsing the values to make UI decisions (what to render and how). Each user action value (old & new) should be strictly typed to avoid confusion of the data saved in the values.
Also, the
new_val_connector_idandold_val_connector_idattributes should be removed from the schema of the user action as it is related to a specific action (create/update connectors) and not to all of them.Issue: #119153
Related issue: #43673
Frontend
At the moment, the front end does a lot of work. Specifically: a) finding connector's field from the user actions b) parsing/stringifying the values, and c) finding last push information. All these computations should be moved to the backend.
Also, an if/else pattern has been adopted to render actions based on their type. We should change to a factory pattern where based on the action the right component is returned and rendered.
API
At the moment only one router is exposed from the API, the "Get all user actions". Because this route returns all user actions performance issues may arise. For that reason, we should use the
createPointInTimeFinderAPI.Tasks
The text was updated successfully, but these errors were encountered: