[Security Solution][Alerts][Discuss] Alert suppression on docs with missing fields #150101
Comments
Draft version of UI:
- Rule create page
- Rule Details

cc: @elastic/security-docs, @joepeeples

We agreed to add an accordion with the **Suppression Configuration** button title. cc: @paulewing
…ns for security rules (#155055)

## Summary

- addresses #150101
- fixes #155242
- introduces UI options for selecting 2 modes for suppressing or not suppressing alerts with missing **Group By** fields
- adds accordion that contains all suppression related logic

### UX changes

#### Rule edit page

<details>
<summary>Accordion closed</summary>
<img width="1042" alt="Screenshot 2023-04-21 at 16 09 44" src="https://user-images.githubusercontent.com/92328789/233700543-8a5091e0-6455-4d76-b6b6-7a280d747d0c.png">
</details>

<details>
<summary>Accordion opened</summary>
<img width="1017" alt="Screenshot 2023-04-24 at 19 44 33" src="https://user-images.githubusercontent.com/92328789/234087516-58b88dab-0285-47ca-a016-bfff31dbebae.png">
</details>

#### Rule Details page

<img width="2293" alt="Screenshot 2023-04-19 at 18 50 13" src="https://user-images.githubusercontent.com/92328789/234004667-d879bfff-0d11-4bc9-ab5b-7ad904e29d1f.png">

### Checklist

Delete any items that are not applicable to this PR.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [x] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
@joepeeples, can you please assist with wording for the information icons we want to add for
Here's my first stab at the UI text, tooltip, etc. This is a combo of @vitaliidm's draft and a condensed version of the draft docs I'm working on here.
I know the option names are a little repetitive, but I thought it'd help to be specific. "Do not suppress" on its own felt a little broad to me, like the user was turning off suppression overall, but it's really only under specific circumstances. Also, FYI the Learn more link is following the UX Writing team's guidelines for docs links, so no ending punctuation, etc.

Thanks @joepeeples. Although "Suppress when fields missing" sounds very repetitive if combined with the header "If a suppression field is missing".
@vitaliidm and all: I see what you mean. Maybe something like:
@joepeeples
Or maybe just
@vitaliidm I like this first option a lot. It's a little wordier, but I think in this case that's a good thing, because this explains the behavior more fully and accurately.
…ck (#155839)

## Summary

- addresses review feedback on #155055
- addresses UI changes from #150101
  - removes accordion in favour of intended suppression components
  - adds popover with a link to documentation
  - changes wording
- addresses #156247

### Before

<img width="1017" alt="Screenshot 2023-04-24 at 19 44 33" src="https://user-images.githubusercontent.com/92328789/234824612-b0ed2870-8aa0-44af-a37d-c061358c54a3.png">

### After

#### Intended Fields

<img width="1016" alt="Screenshot 2023-05-05 at 10 42 46" src="https://user-images.githubusercontent.com/92328789/236426053-279d2f5b-46ea-434b-9cfa-696c71321661.png">

#### Tooltip

<img width="1016" alt="Screenshot 2023-05-05 at 10 43 41" src="https://user-images.githubusercontent.com/92328789/236426061-1c39a5c2-63ca-4a36-b15e-2a1c1943481d.png">

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
…feedback (#155839) (#157192)

# Backport

This will backport the following commits from `main` to `8.8`:

- [[Security Solution][Alerts] resolves alerts suppression review feedback (#155839)](#155839)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Co-authored-by: Pedro Jaramillo <pedro.jaramillo@elastic.co>
UI changes implemented in #155839

Hello Team, do you have any specific time when this suppression feature on specific fields for a specific time will be available in Elastic Security? This is really needed to prevent multiple alerts/noise triggering in front of analysts. Splunk has had this feature, named throttle, for a while and it is very useful. Especially working in an MSSP, we sometimes see multiple logs for the same event in a specific rule query, and this throttle feature is needed to prevent alerting for the same username and/or same hostname and/or same target.user.name etc. for an hour or so, so that alerts are not triggered for a specific time on a specific field. Also there are cases where a rule search may trigger in a client environment after a network misconfiguration following a maintenance, or a general update can match the rule search query, which may result in benign activities; however, throttle can help in such cases to prevent excessive alerting. I was asking questions about the throttle option to Elastic Support and Maggie informed me about this GitHub page. Thank you. Umut.

Hmm. Why does it need a platinum license? So basic.
With the introduction of alert suppression users can select one or more fields to group source events by, creating a single alert per unique value in the field. However, "no value" is currently (in 8.6 and 8.7) treated as a unique value for this grouping. As a result, all documents that don't populate the suppression field will end up in the same group, which may not be what users expect to happen.
There are (at least) 3 ways we might choose to handle docs that are missing the suppression field:

`host.name`
of `host-1`
is a unique value.

(3) seems to be the most intuitive default behavior. However, we may also want to provide the ability to configure how these docs that are missing the suppression field are handled.
Questions:
Should we allow this behavior to be configured, perhaps at the rule level?
Since alert suppression is in technical preview, are we free to change the default behavior from option 2 to option 3?
cc @paulewing
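The two behaviours this thread settles on (fold every document that lacks the suppression field into one group, as 8.6/8.7 do, versus not suppressing those documents at all) are easy to misjudge without seeing the grouping laid out. The TypeScript below is an added example written for this page, not Kibana's detection engine code: it groups constructed source events by one or more suppression fields and lets the caller pick what happens to events with a missing field. The option name `missingFieldsStrategy`, the `Alert` shape, the dotted field names and the sample events are all assumptions made for the illustration.

```typescript
// Added example (not Kibana code): alert suppression grouping with a
// configurable policy for events that lack one of the group-by fields.

type SourceEvent = Record<string, unknown>;

// 'suppress'      -> "no value" is treated as one more unique value, so every
//                    event missing the field lands in the same group (8.6/8.7 behaviour)
// 'doNotSuppress' -> events missing a field are never grouped; each becomes its own alert
type MissingFieldsStrategy = 'suppress' | 'doNotSuppress';

interface SuppressionConfig {
  groupBy: string[];                         // e.g. ['host.name'] or ['host.name', 'user.name']
  missingFieldsStrategy: MissingFieldsStrategy; // assumed option name for this example
}

interface Alert {
  groupKey: string | null;   // JSON-encoded group-by values; null when the event was not suppressed
  suppressedCount: number;   // how many further events were folded into this alert
  representative: SourceEvent; // the first event that created the alert
}

// Read a dotted path such as "host.name" from either a flat or a nested event.
function getField(event: SourceEvent, path: string): unknown {
  if (path in event) return event[path];
  let cur: unknown = event;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Record<string, unknown>)[part];
  }
  return cur;
}

// Absent, null, empty string and empty array all count as "no value".
function isMissing(value: unknown): boolean {
  return value === undefined || value === null || value === '' ||
    (Array.isArray(value) && value.length === 0);
}

function suppressAlerts(events: SourceEvent[], cfg: SuppressionConfig): Alert[] {
  const alerts: Alert[] = [];
  const groups = new Map<string, Alert>();

  for (const event of events) {
    const values = cfg.groupBy.map((field) => getField(event, field));
    const anyMissing = values.some(isMissing);

    if (anyMissing && cfg.missingFieldsStrategy === 'doNotSuppress') {
      // Not grouped at all: one alert per event, exactly as if suppression were off.
      alerts.push({ groupKey: null, suppressedCount: 0, representative: event });
      continue;
    }

    // JSON encoding keeps a missing value (null) distinct from the string "null".
    const key = JSON.stringify(values.map((v) => (isMissing(v) ? null : v)));
    const existing = groups.get(key);
    if (existing) {
      existing.suppressedCount += 1;
    } else {
      const alert: Alert = { groupKey: key, suppressedCount: 0, representative: event };
      groups.set(key, alert);
      alerts.push(alert);
    }
  }
  return alerts;
}

// Constructed sample events: three have a host.name, three lack one in different ways.
const sampleEvents: SourceEvent[] = [
  { 'event.action': 'login', 'host.name': 'host-1', 'user.name': 'alice' },
  { 'event.action': 'login', 'host.name': 'host-1', 'user.name': 'alice' },
  { 'event.action': 'login', 'host.name': 'host-2', 'user.name': 'alice' },
  { 'event.action': 'login', 'user.name': 'bob' },                 // field absent
  { 'event.action': 'login', 'host.name': null, 'user.name': 'carol' }, // explicit null
  { 'event.action': 'login', 'host.name': '', 'user.name': 'dave' },    // empty string
];

function describe(alerts: Alert[]): string[] {
  return alerts.map((a) =>
    `${a.groupKey ?? '(not suppressed)'}: 1 alert, ${a.suppressedCount} suppressed`);
}

for (const strategy of ['suppress', 'doNotSuppress'] as MissingFieldsStrategy[]) {
  const alerts = suppressAlerts(sampleEvents, { groupBy: ['host.name'], missingFieldsStrategy: strategy });
  console.log(`${strategy}: ${alerts.length} alerts`);
  for (const line of describe(alerts)) console.log('  ' + line);
}
```

With `groupBy: ['host.name']` the `suppress` policy yields three alerts, one of which silently absorbs all three host-less events (absent, `null` and `''` alike), which is the surprise the issue describes; `doNotSuppress` yields five, because those three events are each raised on their own. Treating `null` and the empty string as missing is a deliberate choice here: if they were kept as distinct values the host-less events would split into several groups and the rule's behaviour would depend on how each data source happens to encode "no value".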