-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field component #171520
Open
47 of 69 tasks
Tracked by
#174168
Labels
8.18 candidate
enhancement
New value added to drive a business result
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
v8.17.0
v8.18.0
Comments
jpdjere
added
triage_needed
needs design
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:Detection Rule Management
Security Detection Rule Management Team
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
labels
Nov 20, 2023
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
This is a great writeup @jpdjere, very comprehensive and accurate 👍 Thank you! I made a few small adjustments in the text (description is already updated): -Selecting any of the first two fields will populate the **merge proposal** column
+Selecting any of the first two options will populate the **merge proposal** column
with either the Current or Target version, respectively. +When the user finished editing the field (prefilled, or edited manually, or just want to
+keep the proposed merged value), they should explicitly accept the change for this field.
-Once the user selects a version, and accepts it via an **"Accept" button**
+Once the user clicks an **"Accept" button**
located somewhere in the component (preferably near the third column?),
a **checkbox** gets automatically ticked located on the top right, to confirm
-that the change for the field was successfully selected.
+that the change for the field was approved by the user and validated by the app. @jpdjere @ARWNightingale @approksiu I have a few other thoughts:
|
jpdjere
changed the title
[Security Solution] Build Three-Way-Diff field update component
[Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field update component
Apr 9, 2024
jpdjere
changed the title
[Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field update component
[Security Solution] Rework Update flyout to display all field updates and build Three-Way-Diff field component
Apr 9, 2024
This was referenced Jun 12, 2024
banderror
added
enhancement
New value added to drive a business result
8.15 candidate
8.16 candidate
and removed
8.15 candidate
labels
Jun 25, 2024
maximpn
added a commit
to maximpn/kibana
that referenced
this issue
Nov 28, 2024
**Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an ES|QL Query editable component for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR extracts ES|QL Query edit component from Define rule form step and makes it reusable. The following changes were made - ES|QL validator was refactored and covered by unit tests - Query persistence was addressed and covered by tests (previous functionality didn't work out of the box and didn't have tests) ## How to test The simplest way to test is via patching installed prebuilt rules (a.k.a. downgrading a prebuilt rule) via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an ES|QL prebuilt rule, e.g. `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` with rule_id `0cd2f3e6-41da-40e6-b28b-466f688f00a6` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"0cd2f3e6-41da-40e6-b28b-466f688f00a6","version":1,"query":"from logs-*","language":"esql"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots <img width="2550" alt="image" src="https://github.com/user-attachments/assets/f65d04d5-9fd9-4d3f-8741-eba04a3be8a6"> <img width="2552" alt="image" src="https://github.com/user-attachments/assets/dd0a2613-5262-44b2-bbeb-d0ed34d57d9c"> (cherry picked from commit e55232f) # Conflicts: # x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/esql_validator.test.ts # x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/esql_validator.ts # x-pack/plugins/translations/translations/zh-CN.json
maximpn
added a commit
that referenced
this issue
Dec 6, 2024
…validation errors (#202544) **Addresses:** #171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Dec 6, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1"> (cherry picked from commit b0c7a8c)
markov00
pushed a commit
to markov00/kibana
that referenced
this issue
Dec 7, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this issue
Dec 9, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
SoniaSanzV
pushed a commit
to SoniaSanzV/kibana
that referenced
this issue
Dec 9, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Dec 9, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
Samiul-TheSoccerFan
pushed a commit
to Samiul-TheSoccerFan/kibana
that referenced
this issue
Dec 10, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
mykolaharmash
pushed a commit
to mykolaharmash/kibana
that referenced
this issue
Dec 11, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
maximpn
added a commit
that referenced
this issue
Dec 11, 2024
…out (#201501) **Addresses:** #171520 ## Summary This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way. ## Details A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820) - move save/accept button to the field's right side header - expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states - consume `ruleUpgradeState` in different components to display proper badges and texts Additional refactoring was done to facilitate the changes - `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext` - files and some folders were renamed and tossed to make the structure simpler and transparent There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle. ## How to test locally - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache) ## Screenshots and screen recordings ![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf) ![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c) ![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325) https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5 https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051 https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Dec 11, 2024
…out (elastic#201501) **Addresses:** elastic#171520 ## Summary This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way. ## Details A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820) - move save/accept button to the field's right side header - expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states - consume `ruleUpgradeState` in different components to display proper badges and texts Additional refactoring was done to facilitate the changes - `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext` - files and some folders were renamed and tossed to make the structure simpler and transparent There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle. ## How to test locally - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache) ## Screenshots and screen recordings ![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf) ![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c) ![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325) https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5 https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051 https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5 (cherry picked from commit 2dcbc5d)
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Dec 12, 2024
… fields (elastic#199115) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an EQL Query editable component with EQL Options fields (`event_category_override`, `timestamp_field` and `tiebreaker_field`) for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR make a set of changes to make existing EQL Query bar component easily reusable and type safe when used in forms. In particular the following was done - EQL query bar was wrapped in `EqlQueryEdit` component with `UseField` inside. It helps to make it type safe avoiding issues like passing invalid types to `EqlQueryBar`. `UseField` types component properties as `Record<string, any>` so potentially any refactoring can break some functionality. For example code in Timeline passes `DataViewSpec` where `DataViewBase` is expected while these two types aren't fully compatible. - Validation was added directly to `EqlQueryEdit`. Passing field configuration to `UseField` rewrites field configuration defined in from schema. It leads to cases when validation is defined in both form schema and as a field configuration for `UseFields`. Additionally we can reduce reusing complexity by incapsulating absolutely required validation in `EqlQueryEdit` component. - Empty string `tiebreakerField` was removed in Timelines. `tiebreakerField` is part of EQL options used for EQL validation. EQL validation endpoint `/internal/search/eql` returns an error when an empty string provided for `tiebreakerField`. This problem didn't surface earlier since It looks like EQL options weren't provided correctly before this PR. Timeline EQL validation requests were sent without EQL options. ## How to test The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an EQL prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"query":"process where process.name == \"cmd.exe\"","language":"eql","event_category_override": "test","timestamp_field": "@timestamp","tiebreaker_field": "tiebreaker"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots - EQL Query in Prebuilt Rules Update workflow <img width="2560" alt="image" src="https://github.com/user-attachments/assets/59d157b2-6aca-4b21-95d0-f71a2e174df2"> - event_category_override + tiebreaker_field + timestamp_field (aka EQL options) in Prebuilt Rules Update workflow <img width="2552" alt="image" src="https://github.com/user-attachments/assets/1886d3b4-98f9-40a7-954c-2a6d4b8e925a"> - Examples of invalid EQL <img width="2560" alt="image" src="https://github.com/user-attachments/assets/d584deca-7903-45c5-9499-718552df441c"> <img width="2548" alt="image" src="https://github.com/user-attachments/assets/b734e22c-ab62-4624-85d0-e4e6dbb9d523">
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Dec 12, 2024
**Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an ES|QL Query editable component for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details This PR extracts ES|QL Query edit component from Define rule form step and makes it reusable. The following changes were made - ES|QL validator was refactored and covered by unit tests - Query persistence was addressed and covered by tests (previous functionality didn't work out of the box and didn't have tests) ## How to test The simplest way to test is via patching installed prebuilt rules (a.k.a. downgrading a prebuilt rule) via Rule Patch API. Please follow steps below - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Run Kibana locally - Install an ES|QL prebuilt rule, e.g. `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` with rule_id `0cd2f3e6-41da-40e6-b28b-466f688f00a6` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"0cd2f3e6-41da-40e6-b28b-466f688f00a6","version":1,"query":"from logs-*","language":"esql"}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots <img width="2550" alt="image" src="https://github.com/user-attachments/assets/f65d04d5-9fd9-4d3f-8741-eba04a3be8a6"> <img width="2552" alt="image" src="https://github.com/user-attachments/assets/dd0a2613-5262-44b2-bbeb-d0ed34d57d9c">
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Dec 12, 2024
…validation errors (elastic#202544) **Addresses:** elastic#171520 ## Summary This PR adds functionality to allow users save EQL and ES|QL queries in Prebuilt Rule Customization workflow by displaying a confirmation modal with non critical validation errors (a.k.a warnings). It also refactors confirmation modal usage in rule creation/editing forms for better reusability. ## Screenshots <img width="1909" alt="Screenshot 2024-12-03 at 14 01 36" src="https://github.com/user-attachments/assets/c0054fc1-b52b-400f-80d7-af42391f4e18"> https://github.com/user-attachments/assets/2a20fcfe-ffc0-4547-8621-7ac6873c8dc9 https://github.com/user-attachments/assets/50b5cf5a-ea3f-4c22-a443-b5d4056a92c8 <img width="2541" alt="Screenshot 2024-12-03 at 14 06 29" src="https://github.com/user-attachments/assets/dde3fd60-6c69-4f8e-a65a-837b2319e4ac"> <img width="2552" alt="Screenshot 2024-12-03 at 14 06 51" src="https://github.com/user-attachments/assets/220817a6-991f-4361-88d2-ee3a47a36ad6"> <img width="2555" alt="Screenshot 2024-12-03 at 14 07 52" src="https://github.com/user-attachments/assets/c46fc49c-9ce1-4472-bdea-f9507aa62ece"> <img width="2553" alt="Screenshot 2024-12-03 at 14 08 18" src="https://github.com/user-attachments/assets/92388c56-8644-4c54-8727-b9a73b3497d1">
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this issue
Dec 12, 2024
…out (elastic#201501) **Addresses:** elastic#171520 ## Summary This PR updates Prebuilt Rules Customization UI to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820). On top of that it renames and toss files to organize them in a much more clear way. ## Details A number of changes required to match the [design](https://www.figma.com/design/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?node-id=5146-77820) - move save/accept button to the field's right side header - expose additional field upgrade state `NoConflicts` to distinguish between `Accepted` and `NoConflicts` states - consume `ruleUpgradeState` in different components to display proper badges and texts Additional refactoring was done to facilitate the changes - `FinalRuleContext` and `FieldFinalEditContext` were merged together into `FieldUpgradeContext` - files and some folders were renamed and tossed to make the structure simpler and transparent There is still space for improvement. Current PR tries to minimize the changes to avoid too many conflicts since development is still in progress. And an additional limit of 200 path characters is imposed in Kibana preventing too deep foldering. Some functionality could be moved to a package later on to mitigate that obstacle. ## How to test locally - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled - Allow internal APIs via adding `server.restrictInternalApis: false` to `kibana.dev.yaml` - Clear Elasticsearch data - Run Elasticsearch and Kibana locally (do not open Kibana in a web browser) - Install an outdated version of the `security_detection_engine` Fleet package ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"force":true}' http://localhost:5601/kbn/api/fleet/epm/packages/security_detection_engine/8.14.1 ``` - Install prebuilt rules ```bash curl -X POST --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 1" -d '{"mode":"ALL_RULES"}' http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` - Modify one or more prebuilt rules with updates to see unresolved conflicts (don't forget to refresh the page after rule's modification, it's required to clear the cache) ## Screenshots and screen recordings ![Screenshot 2024-11-26 at 13 42 16](https://github.com/user-attachments/assets/126bdc64-b810-424a-b81e-7674480a66cf) ![Screenshot 2024-11-26 at 13 42 27](https://github.com/user-attachments/assets/af5d9c2c-055d-423d-880a-b69e95ba129c) ![Screenshot 2024-11-26 at 13 42 40](https://github.com/user-attachments/assets/b0f87a95-df23-42a8-883b-29665f3db325) https://github.com/user-attachments/assets/7befe77a-3af7-48ea-a23f-aa0017d94be5 https://github.com/user-attachments/assets/2837b405-3889-44a0-b1cb-d6c51cd9d051 https://github.com/user-attachments/assets/7cbc411d-a927-45e9-8607-7ef515337ab5
nikitaindik
added a commit
that referenced
this issue
Dec 13, 2024
… empty (#203826) **Partially addresses: #171520 ## Summary This PR updates readonly components of the Rule Upgrade flyout to display placeholders in cases when a field value is empty. ## Changes - Added placeholders to readonly components in the Rule Upgrade flyout - Simplified Storybook stories to make them more readable and less dependent on flyout context - Added stories that showcase empty states. You can run Storybook with `yarn storybook security_solution`. ## Screenshots **Before / After** <img width="2560" alt="Schermafbeelding 2024-12-12 om 00 05 56" src="https://github.com/user-attachments/assets/e85a4514-4861-4be7-b0d2-534f7ad2d8cf" /> Work started on 11-Dec-2024
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Dec 13, 2024
… empty (elastic#203826) **Partially addresses: elastic#171520 ## Summary This PR updates readonly components of the Rule Upgrade flyout to display placeholders in cases when a field value is empty. ## Changes - Added placeholders to readonly components in the Rule Upgrade flyout - Simplified Storybook stories to make them more readable and less dependent on flyout context - Added stories that showcase empty states. You can run Storybook with `yarn storybook security_solution`. ## Screenshots **Before / After** <img width="2560" alt="Schermafbeelding 2024-12-12 om 00 05 56" src="https://github.com/user-attachments/assets/e85a4514-4861-4be7-b0d2-534f7ad2d8cf" /> Work started on 11-Dec-2024 (cherry picked from commit 27fe7e4)
nikitaindik
added a commit
that referenced
this issue
Dec 14, 2024
… in Rule Upgrade flyout (#203222) **Partially addresses: #171520** ## Summary This PR updates the tooltips for the ‘Diff view’ and ‘Final update’ sections in the prebuilt rule upgrade flyout. It also streamlines the version picker by removing redundant options, making the UI simpler and clearer for users. ## Changes - Reduced the number of version picker items based on the diff outcome. Updated item names for better clarity. - Revised the tooltip text for the ‘Diff view’ section to better explain the available dropdown options. The tooltip now describes only the options in the dropdown to avoid overwhelming the user with unrelated information. - Updated the tooltip text for the ‘Final update’ section. ## Screenshots <img width="922" alt="Schermafbeelding 2024-12-11 om 11 54 48" src="https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451"> <img width="640" alt="Schermafbeelding 2024-12-11 om 11 55 32" src="https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3"> <img width="433" alt="Schermafbeelding 2024-12-11 om 11 55 58" src="https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13"> Work started on 06-Dec-2024. --------- Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Dec 14, 2024
… in Rule Upgrade flyout (elastic#203222) **Partially addresses: elastic#171520** ## Summary This PR updates the tooltips for the ‘Diff view’ and ‘Final update’ sections in the prebuilt rule upgrade flyout. It also streamlines the version picker by removing redundant options, making the UI simpler and clearer for users. ## Changes - Reduced the number of version picker items based on the diff outcome. Updated item names for better clarity. - Revised the tooltip text for the ‘Diff view’ section to better explain the available dropdown options. The tooltip now describes only the options in the dropdown to avoid overwhelming the user with unrelated information. - Updated the tooltip text for the ‘Final update’ section. ## Screenshots <img width="922" alt="Schermafbeelding 2024-12-11 om 11 54 48" src="https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451"> <img width="640" alt="Schermafbeelding 2024-12-11 om 11 55 32" src="https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3"> <img width="433" alt="Schermafbeelding 2024-12-11 om 11 55 58" src="https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13"> Work started on 06-Dec-2024. --------- Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co> (cherry picked from commit 90e35a0)
kibanamachine
added a commit
that referenced
this issue
Dec 14, 2024
… texts in Rule Upgrade flyout (#203222) (#204314) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Reduce dropdown options and improve tooltip texts in Rule Upgrade flyout (#203222)](#203222) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Nikita Indik","email":"nikita.indik@elastic.co"},"sourceCommit":{"committedDate":"2024-12-14T11:40:45Z","message":"[Security Solution] Reduce dropdown options and improve tooltip texts in Rule Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n## Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and ‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also streamlines the\r\nversion picker by removing redundant options, making the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced the number of version picker items based on the diff outcome.\r\nUpdated item names for better clarity.\r\n- Revised the tooltip text for the ‘Diff view’ section to better explain\r\nthe available dropdown options. The tooltip now describes only the\r\noptions in the dropdown to avoid overwhelming the user with unrelated\r\ninformation.\r\n- Updated the tooltip text for the ‘Final update’ section.\r\n\r\n## Screenshots\r\n<img width=\"922\" alt=\"Schermafbeelding 2024-12-11 om 11 54 48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img width=\"640\" alt=\"Schermafbeelding 2024-12-11 om 11 55 32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img width=\"433\" alt=\"Schermafbeelding 2024-12-11 om 11 55 58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim Palenov <maxim.palenov@elastic.co>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","ci:cloud-deploy","backport:version","v8.18.0"],"title":"[Security Solution] Reduce dropdown options and improve tooltip texts in Rule Upgrade flyout","number":203222,"url":"https://github.com/elastic/kibana/pull/203222","mergeCommit":{"message":"[Security Solution] Reduce dropdown options and improve tooltip texts in Rule Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n## Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and ‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also streamlines the\r\nversion picker by removing redundant options, making the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced the number of version picker items based on the diff outcome.\r\nUpdated item names for better clarity.\r\n- Revised the tooltip text for the ‘Diff view’ section to better explain\r\nthe available dropdown options. The tooltip now describes only the\r\noptions in the dropdown to avoid overwhelming the user with unrelated\r\ninformation.\r\n- Updated the tooltip text for the ‘Final update’ section.\r\n\r\n## Screenshots\r\n<img width=\"922\" alt=\"Schermafbeelding 2024-12-11 om 11 54 48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img width=\"640\" alt=\"Schermafbeelding 2024-12-11 om 11 55 32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img width=\"433\" alt=\"Schermafbeelding 2024-12-11 om 11 55 58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim Palenov <maxim.palenov@elastic.co>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203222","number":203222,"mergeCommit":{"message":"[Security Solution] Reduce dropdown options and improve tooltip texts in Rule Upgrade flyout (#203222)\n\n**Partially addresses: #171520**\r\n\r\n## Summary\r\n\r\nThis PR updates the tooltips for the ‘Diff view’ and ‘Final update’\r\nsections in the prebuilt rule upgrade flyout. It also streamlines the\r\nversion picker by removing redundant options, making the UI simpler and\r\nclearer for users.\r\n\r\n## Changes\r\n- Reduced the number of version picker items based on the diff outcome.\r\nUpdated item names for better clarity.\r\n- Revised the tooltip text for the ‘Diff view’ section to better explain\r\nthe available dropdown options. The tooltip now describes only the\r\noptions in the dropdown to avoid overwhelming the user with unrelated\r\ninformation.\r\n- Updated the tooltip text for the ‘Final update’ section.\r\n\r\n## Screenshots\r\n<img width=\"922\" alt=\"Schermafbeelding 2024-12-11 om 11 54 48\"\r\nsrc=\"https://github.com/user-attachments/assets/124e76a1-99dc-48d8-be54-f6c8f2079451\">\r\n\r\n<img width=\"640\" alt=\"Schermafbeelding 2024-12-11 om 11 55 32\"\r\nsrc=\"https://github.com/user-attachments/assets/45655dd2-6503-46b7-b28b-0df7bf0e6fa3\">\r\n\r\n<img width=\"433\" alt=\"Schermafbeelding 2024-12-11 om 11 55 58\"\r\nsrc=\"https://github.com/user-attachments/assets/d845ff52-4678-4245-8bdd-b9957f0c1d13\">\r\n\r\n\r\nWork started on 06-Dec-2024.\r\n\r\n---------\r\n\r\nCo-authored-by: Maxim Palenov <maxim.palenov@elastic.co>","sha":"90e35a04bc795aebdd62c11cd53e279b566582b8"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Nikita Indik <nikita.indik@elastic.co>
nikitaindik
added a commit
that referenced
this issue
Dec 18, 2024
… editable fields (#200304) **Partially addresses: #171520 ## Summary **Changes in this PR**: - `history_window_start` and `new_terms_fields` are now editable in the Rule Upgrade flyout - Extracted fields into separate components that are easier to reuse (`NewTermsFieldsEdit` and `HistoryWindowStartEdit`) <img width="1392" alt="Schermafbeelding 2024-11-15 om 15 51 04" src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes.
nikitaindik
added a commit
to nikitaindik/kibana
that referenced
this issue
Dec 18, 2024
… editable fields (elastic#200304) **Partially addresses: elastic#171520 ## Summary **Changes in this PR**: - `history_window_start` and `new_terms_fields` are now editable in the Rule Upgrade flyout - Extracted fields into separate components that are easier to reuse (`NewTermsFieldsEdit` and `HistoryWindowStartEdit`) <img width="1392" alt="Schermafbeelding 2024-11-15 om 15 51 04" src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes.
nikitaindik
added a commit
that referenced
this issue
Dec 18, 2024
…nomaly_threshold` editable fields (#200323) **Partially addresses: #171520 ## Summary **Changes in this PR**: - `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now editable in the Rule Upgrade flyout <img width="1840" alt="Schermafbeelding 2024-11-26 om 08 59 24" src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes.
nikitaindik
added a commit
to nikitaindik/kibana
that referenced
this issue
Dec 18, 2024
…nomaly_threshold` editable fields (elastic#200323) **Partially addresses: elastic#171520 ## Summary **Changes in this PR**: - `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now editable in the Rule Upgrade flyout <img width="1840" alt="Schermafbeelding 2024-11-26 om 08 59 24" src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes. (cherry picked from commit 042344e)
JoseLuisGJ
pushed a commit
to JoseLuisGJ/kibana
that referenced
this issue
Dec 19, 2024
… editable fields (elastic#200304) **Partially addresses: elastic#171520 ## Summary **Changes in this PR**: - `history_window_start` and `new_terms_fields` are now editable in the Rule Upgrade flyout - Extracted fields into separate components that are easier to reuse (`NewTermsFieldsEdit` and `HistoryWindowStartEdit`) <img width="1392" alt="Schermafbeelding 2024-11-15 om 15 51 04" src="https://github.com/user-attachments/assets/d00b7b3d-7c01-4041-b940-390660a069a9"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes.
JoseLuisGJ
pushed a commit
to JoseLuisGJ/kibana
that referenced
this issue
Dec 19, 2024
…nomaly_threshold` editable fields (elastic#200323) **Partially addresses: elastic#171520 ## Summary **Changes in this PR**: - `threshold` and `machine_learning_job_id`, `anomaly_threshold` are now editable in the Rule Upgrade flyout <img width="1840" alt="Schermafbeelding 2024-11-26 om 08 59 24" src="https://github.com/user-attachments/assets/b76ef89b-8051-4eba-8d67-9e86a0408e83"> ### Testing - Ensure the `prebuiltRulesCustomizationEnabled` feature flag is enabled. - To simulate the availability of prebuilt rule upgrades, downgrade a currently installed prebuilt rule using the `PATCH api/detection_engine/rules` API. - Set `version: 1` in the request body to downgrade it to version 1. - Modify other rule fields in the request body as needed to test the changes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
8.18 candidate
enhancement
New value added to drive a business result
Feature:Prebuilt Detection Rules
Security Solution Prebuilt Detection Rules area
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v8.16.0
v8.17.0
v8.18.0
Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168
Design Discussion context: #178211
Design: Figma (internal)
Miro board with UI components breakdown: https://miro.com/app/board/uXjVK0gqjjQ=/?share_link_id=554028328760
Screenshot of the Miro board (click to expand)
TODO (click to expand)
This is roughly the order I plan to implement these.
Front-end logic
_perform
upgrade API (PR)Components: ComparisonSide (left side, please refer to the Miro board to see where it is)
VersionPicker
component that displays a dropdown component to select which 2 versions to compare.InlineDiffView
component that uses the existingDiffView
component, but in inline diff mode.ComparisonSide
component that combinesVersionPicker
andInlineDiffView
resovedValue ?? merged_version
logicComponents: FinalSide (right side)
SaveButton
component that saves user changes when they are valid and ready.EditButton
component that switches the edit mode onFieldReadOnly
component that renders a suitable component / components from the Rule Details page based on the passed field name.FinalReadOnly
component that combinesEditButton
andFieldReadOnly
Components: FieldEdit
FieldEdit components are components that render one or more UI elements from the Rule Editing page for every field.
Field edit components
Common Diffable rule fields (PR) @nikitaindik (2d)
name
(done in PR)tags
description
severity
severity_mapping
risk_score
risk_score_mapping
references
false_positives
threat
note
setup
related_integrations
required_fields
rule_schedule
max_signals
investigation_fields
rule_name_override
timestamp_override
timeline_template
building_block
data_source (PR)
alert_suppression (PR) (2d)
kql_query (PR)
eql_query (PR) @maximpn (3d)
esql_query (PR) @maximpn (2d)
Threat Match rule specific fields (PR) @maximpn (5d)
ML rule specific fields (PR on hold, approx. until 2nd half of December) @nikitaindik
New terms rule (PR on hold, waiting for review and testing, approx. until 2nd half of December) @nikitaindik
Common functional components
FinalEdit
component that combinesSaveButton
,Prefill
and FieldEdit components.FinalSide
component that displays either aFinalReadOnly
or aFinalEdit
component depending on the state.Components: Basic layout
Add a new tab component for the three-way diff and hide it behind the
prebuiltRulesCustomizationEnabled
feature flagAdd
PerformUpgradeButton
component that will trigger the upgrade.Add
UpdateInfoBar
component that will display the number of updatable fields and a number of fields that have conflicts.Add
RuleDiffSection
component that will display a collapsible section with a label like "Definition", "About" or "Schedule".Add
RuleFieldDiff
collapsible component that is expanded by default if conflict is SOLVABLE or NON_SOLVABLE.Add
RuleDiffFieldHeader
component that displays the conflict bagde and Accepted/Auto-accepted label. (needs conflict)Display fields with SOLVABLE and NON_SOLVABLE conflicts expanded
Display fields with SOLVABLE conflicts in readonly mode
Display fields with NON_SOLVABLE conflicts in editing mode (PR) @maximpn
Implement changes accepting workflow (see Miro chart) (PR) @maximpn
Save
,Accept
andSave and accept
buttons in the field's right side header. RemoveSave
button from field's right side content.Save
norAccept
buttons, Edit mode showsSave
button, badgeAuto-accepted
(green) after accepting changesAccept
button, Edit mode showsSave and accept
orSave
button, badgeSolved conflict
(yellow) before accepting andSolved conflict
(green) after acceptingSave and accept
button, badgeUnsolved conflict
(red) before accepting andSolved conflict
(green) after acceptingImprovements to the UI and copy of the flyout (PR) @maximpn
Improvements to the copy of the dropdown to select the diff view (Make diff options more human friendly) (PR) @maximpn
Base = Original
Current = Current
Target = Elastic update
Editable components issues
Threat Match Mapping Edit component displays empty values instead of real ones. This is a bug in EsFieldSelector which doesn't display a field name if it's missing in the selected indices. It will be addressed in a follow up PR.Addressed in Threat Match Mapping Edit component PR.Demo feedback
Review my changes
showing base vs current andReview Elastic update
showing base vs target,Review result
showing current vs final. We also can consider removing some options.No changes
. It's confusing. We could showReview Elastic update
by default instead.To address in separate tickets scope (TODO move to appropriate tickets)
Testing
Refactorings
Product enhancements
Prefill
component that displays a dropdown with versions available for prefill.RuleDetailsFlyoutHeader
flyout header with components that are shown in designs, for example a badge for Customized Elastic rules.Summary
As part of the Prebuilt Rules customization epic, we need to:
1. Update tab
The Updates tab currently displays a list of fields to be updated, in side-by-side view of the current and target version of each. This basic structure will be maintained, but for each field, the side-by-side diff component will be replaced by the Three-Way-Diff field component described in step 2.
The tab needs other changes:
2. Build a Three-Way-Diff field update component
The Three-Way-Diff field update component allows users to:
The initial designs for the current component look like so:
Figure 1:
Figure 2:
Notice that this is only an initial iteration and does not include the specs written in this ticket.
Component description
We are thinking about a component that, by default, shows two columns:
Left column
The Left column will display, by default, an inline diff between the current and the target version of the field.
This column will additionally display two dropdowns that enable the user to select the two versions being compared. Alternatively, it could be just one, offering the combinations:
Selecting one of the options above will update the content of the Left column to display the diff between those two version.
Right column
The Right Column (Final Version) will contain:
A component displaying the Final Version of the field that will be saved when the upgrade is confirmed. This component can be switched between a read-only view (as seen on the first image above, at the top) and an editable component (as seen on Figure 1, above).
The Read-Only view can be switched to the editable component by clicking on the "Edit" button, and vice-versa by clicking on the "Save button".
The Final version will be displayed differently depending on the value of the
conflict
field from API response for that field:NO
:SOLVABLE
:NON_SOLVABLE
:current
version). The "Save" button can be clicked to accept the change.Prefill version dropdown
The Right column will have a button located on top of the component that displays the Final Version that allows the user to fill in (prepopulate) the editable field, by offering the options:
Selecting any of the first two options will populate the merge proposal column with either the Current or Target version, respectively.
"Accepted" label
When the user has finished editing the field (prefilled, or edited manually, or just want to keep the proposed merged value), they should click on the "Save" button to "Accept" the changes.
Once the user clicks on the "Save" button, the field updates to display an "Accepted" label with a green tick to confirm that the change for the field was approved by the user and validated by the app.
(If the API response has the value of the
conflict
field set toNO
orSOLVABLE
, the field will appear from start as auto-accepted)When the user clicks on "Save", if the change is validated, the accordion container of the field will collapse. If the accordion is reopened, the component should be in read-only view.
The user can "Un-Accept" a change by manually opening the accordion and clicking on the "Edit" button. That action will "Un-Accept" the field and will "block" the the update of the rule until the field is saved again, by clicking on the "Save" button (all fields to needs to be accepted in order to update the rule).
**EXPAND:** This is a UX similar to the file per file review in Github PR's and the feature to mark a file as "Reviewed":
Before marking file as reviewed
After marking file as reviewed
ONLY once all fields have been confirmed (all have green ticks) the user can make the request to update the rule. (This however is not part of the spec for this component, but important context to understand its role)
Other considerations:
version
revision
author
license
The text was updated successfully, but these errors were encountered: