Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Cases] Add import/export functionality #110148

Merged
merged 14 commits into from
Sep 14, 2021

Conversation

jonathan-buttner
Copy link
Contributor

@jonathan-buttner jonathan-buttner commented Aug 25, 2021

This PR allows the cases saved objects to be exported and imported. The functionality is provided through the Saved Objects Management Page.

Since cases uses inbound references, when a case is selected for export we search for all comments and user actions that reference that case.

image

What is exported?

  • The Case itself (title, settings, reporter, tags, etc)
  • Comments/attachments
    • Alerts that are attached to a case will have their information exported (id, index, rule information etc) but the body of the alert will not be exported
  • User actions
  • The connector if one exists

Permissions

For a user to view the Saved Objects Management Page they must have the Saved Objects Management privilege
image

Granting this privilege also grants the user all access to all saved objects. So it is possible for a user to have no Cases privileges but still be able to import/export via the Saved Objects Management privilege.

Issues

Release note

Cases can now be imported and exported through the Saved Objects Management Page. Only the Cases themselves need to be selected for export. The Case title will be shown in the Saved Objects Management Page table's title column. Cases are also labeled with the case icon:
image

Rows labeled cases-comment or cases-user-actions should be ignored and not selected when exporting.

@jonathan-buttner jonathan-buttner added v8.0.0 Team:Threat Hunting Security Solution Threat Hunting Team Feature:Cases Cases feature release_note:feature Makes this part of the condensed release notes auto-backport Deprecated - use backport:version if exact versions are needed v7.16.0 labels Aug 25, 2021
import { createCaseError, defaultSortField } from '../../common';
import { ESCaseAttributes } from '../../services/cases/types';

export async function handleExport({
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We intentionally do not want to do authorization checks while exporting because it is valid for a user to export a case while not having either security solution or observability cases read privileges.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is valid? It seems like users can always read a case this way even if they do not have read access.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Christos and I talked offline. This is the current behavior with other entities within Kibana. We don't have a way to enforce the feature privileges for import/export right now.

}

const [{ savedObjects }] = await coreSetup.getStartServices();
const savedObjectsClient = savedObjects.getScopedClient(context.request, {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm creating the saved objects client directly here instead of using our service layer because the service layer can mutate the data (for example creating the connector_id field when the objects are returned). We can also make more performant calls here for both the attachments and user actions at the same time using point in time searches instead of the implementation that the service layer uses.

}
}

async function getAttachmentsAndUserActionsForCases(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only need to export the attachments and user actions. The connectors are stored as outbound references so they are exported automatically by the framework.

sortField: string;
type: string;
}): Promise<Array<SavedObject<T>>> {
const references = caseIds.map((id) => ({ type: CASE_SAVED_OBJECT, id }));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is basically searching for all the case ids for attachments or user actions at the same time.

@jonathan-buttner jonathan-buttner marked this pull request as ready for review September 1, 2021 15:42
@jonathan-buttner jonathan-buttner requested a review from a team as a code owner September 1, 2021 15:42
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@jonathan-buttner
Copy link
Contributor Author

@elasticmachine merge upstream

@jonathan-buttner jonathan-buttner linked an issue Sep 7, 2021 that may be closed by this pull request
@jonathan-buttner
Copy link
Contributor Author

@elasticmachine merge upstream

@jonathan-buttner
Copy link
Contributor Author

@elasticmachine merge upstream

@jonathan-buttner
Copy link
Contributor Author

@elasticsearchmachine merge upstream

@jonathan-buttner
Copy link
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Copy link
Member

@cnasikas cnasikas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally. Everything worked as expected. LGTM!

@jonathan-buttner
Copy link
Contributor Author

@cnasikas found an issue with the import where if the case is deleted and then imported it will mark the case as needing to be pushed. We talked about possible solutions for this and there are many other situations depending on what case is being imported that could cause us to get into a state where we think we need to push when we actually don't need to. For now we're going to leave it as it is and investigate other possible solutions for tracking when a case needs to be pushed. Like keeping a counter associated with the case to mark the sequential version of the case so that we don't need to use the user actions to determine if the case needs to be pushed.

@jonathan-buttner jonathan-buttner merged commit 2567c4f into elastic:master Sep 14, 2021
@jonathan-buttner jonathan-buttner deleted the cases-import-export branch September 14, 2021 17:42
kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Sep 14, 2021
* Working export but not import

* Adding user action import flag

* Adding a few integration tests

* Adding connector test

* Finishing integration tests

* Removing connector after each test to restore original state

* Bumping migration version for comment so

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

@kobelb
Copy link
Contributor

kobelb commented Sep 14, 2021

Nice work @jonathan-buttner 🥇

kibanamachine added a commit that referenced this pull request Sep 14, 2021
* Working export but not import

* Adding user action import flag

* Adding a few integration tests

* Adding connector test

* Finishing integration tests

* Removing connector after each test to restore original state

* Bumping migration version for comment so

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
@monina-n monina-n requested review from monina-n and removed request for monina-n October 5, 2021 01:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed Feature:Cases Cases feature release_note:feature Makes this part of the condensed release notes Team:Threat Hunting Security Solution Threat Hunting Team v7.16.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Import and export Cases using saved-object management
5 participants