Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Implement rule filters for the Protections/Detections Coverage Overview dashboard #158246

Closed
2 tasks done
maximpn opened this issue May 23, 2023 · 3 comments
Closed
2 tasks done

[Security Solution] Implement rule filters for the Protections/Detections Coverage Overview dashboard #158246

maximpn opened this issue May 23, 2023 · 3 comments
Assignees
@dplumlee
Labels
8.10 candidate Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@maximpn
Copy link
Contributor

maximpn commented May 23, 2023
edited by dplumlee
Loading

Epic: https://github.com/elastic/security-team/issues/2905 (internal)
Depends on: #158243, #158238

Summary

Implement simple rule filters for the Protections/Detections Coverage Overview dashboard similar to presented on the Rules Management page.

  • Rule status filter should include only enabled and disabled statuses
  • Rule type filter should include only prebuilt and custom types (prebuilt is the same as Elastic rules used in the designs though it's much more general)

Design screenshots:
image
image
@maximpn maximpn added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team 8.9 candidate labels May 23, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@maximpn maximpn added the Feature:Rule Management Security Solution Detection Rule Management area label May 23, 2023
@dplumlee dplumlee mentioned this issue Aug 9, 2023
Merged
4 tasks
@maximpn maximpn mentioned this issue Aug 14, 2023
Merged
1 task
maximpn added a commit that referenced this issue Aug 14, 2023
@maximpn
[Security Solution] Fix Coverage Overview API activity filter (#163785)
c610d03 
**Relates to:** #158246

## Summary

If activity filter contains both allowed values `enabled` and `disabled` simultaneously Coverage Overview endpoint returns the response filtered by the first value only.

This PR fixes wrong behavior os if `enabled` and `disabled` values are set simultaneously the response contains combined results for both `enabled` and `disabled` activity filter values.

For example a request like below

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

would produce the same response as the following request

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@banderror
Copy link
Contributor

Implemented in #163498 and #163785

bryce-b pushed a commit that referenced this issue Aug 22, 2023
@maximpn @bryce-b
[Security Solution] Fix Coverage Overview API activity filter (#163785)
629a796 
**Relates to:** #158246

## Summary

If activity filter contains both allowed values `enabled` and `disabled` simultaneously Coverage Overview endpoint returns the response filtered by the first value only.

This PR fixes wrong behavior os if `enabled` and `disabled` values are set simultaneously the response contains combined results for both `enabled` and `disabled` activity filter values.

For example a request like below

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -d '{"filter":{"activity": ["enabled","disabled"]}}' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

would produce the same response as the following request

```sh
curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' http://localhost:5601/kbn/internal/detection_engine/rules/_coverage_overview --verbose
```

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dplumlee dplumlee

Labels
8.10 candidate Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@maximpn @banderror @elasticmachine @dplumlee