[Security Solution] [Attack discovery] Attack Discovery RBAC / Display an upgrade CTA for the serverless essentials product tier #188788
Pinging @elastic/security-solution (Team: SecuritySolution)
Hi Andrew, we already have a framework in place for Upselling/CLA pages.

This PR is reimplementing the same thing only for Attack Discovery, and it is adding serverless-specific logic in the security_solution plugin, which is breaking the convention of keeping this plugin "offering agnostic". It is also not using the PLI config for `ProductFeatureKey.assistant`, which means that if we change the centralized pli_config this CLA page will still appear.

The Onboarding page, to which this PR is adding a dependency from Attack discovery, is going to be refactored soon, and all code related to `productTypes` (serverless-specific) will be moved to the security_solution_serverless plugin.

If this is an urgent bug fix I am fine merging it as a temporary patch, but it would make the onboarding page refactoring much harder. So I strongly suggest changing the approach to use the existing upselling service.

Suggestion

We only need to register the CLA components here for serverless, and here for stateful, using `pli: ProductFeatureKey.assistant`. And change the capabilities required for the Attack Discovery page in the config:

```ts
capabilities: [`${SERVER_APP_ID}.show`],
```

by:

```ts
capabilities: [[`${SERVER_APP_ID}.show`, `${ASSISTANT_FEATURE_ID}.ai-assistant`]], // both capabilities are required
```

And that's it, all the branching logic will already be taken care of by the framework, according to the PLI config. It will also integrate RBAC for free.

Let me know if I can help.

As a reference this is the implementation for the Threat Intel page paywall for serverless.
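Added example, not code from Kibana or from this PR: a small model of the nested capability requirement in the suggestion above, following its `// both capabilities are required` comment, so entries of the outer array are alternatives and the members of a nested array must all be granted. The type and function names, the values of `SERVER_APP_ID` and `ASSISTANT_FEATURE_ID`, and the sample capability sets are assumptions constructed for illustration.

```typescript
// Added example: a stand-alone model of a nested capability requirement check.
// It is not Kibana's implementation; names and constant values are assumptions.

type UiCapabilities = Record<string, Record<string, boolean>>;
// A requirement entry is one capability path, or a nested group of paths.
type CapabilityRequirement = string | string[];

// Assumed values: the thread shows only the constant names.
const SERVER_APP_ID = 'siem';
const ASSISTANT_FEATURE_ID = 'securitySolutionAssistant';

const ownKey = (obj: object, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// True only when `<featureId>.<capability>` is present and strictly `true`.
function hasCapability(caps: UiCapabilities, path: string): boolean {
  const dot = path.indexOf('.');
  if (dot <= 0 || dot === path.length - 1) return false; // malformed path: deny
  const featureId = path.slice(0, dot);
  const capability = path.slice(dot + 1);
  if (!ownKey(caps, featureId)) return false; // ignore inherited keys such as "constructor"
  const feature = caps[featureId];
  return feature !== undefined && ownKey(feature, capability) && feature[capability] === true;
}

// Outer array entries are alternatives (OR); a nested array is a group whose
// members must all be granted (AND). An empty list or an empty group grants
// nothing, so a misconfigured link fails closed instead of open.
function hasRequiredCapabilities(
  caps: UiCapabilities,
  required: CapabilityRequirement[]
): boolean {
  return required.some((entry) =>
    Array.isArray(entry)
      ? entry.length > 0 && entry.every((path) => hasCapability(caps, path))
      : hasCapability(caps, entry)
  );
}

const SHOW = `${SERVER_APP_ID}.show`;
const AI_ASSISTANT = `${ASSISTANT_FEATURE_ID}.ai-assistant`;

// The flat form and the nested form of the same two capabilities.
const FLAT: CapabilityRequirement[] = [SHOW, AI_ASSISTANT];
const NESTED: CapabilityRequirement[] = [[SHOW, AI_ASSISTANT]];

// Constructed capability sets (sample data, not taken from a real deployment).
const SECURITY_AND_ASSISTANT: UiCapabilities = {
  siem: { show: true },
  securitySolutionAssistant: { 'ai-assistant': true },
};
const SECURITY_ONLY: UiCapabilities = {
  siem: { show: true },
  securitySolutionAssistant: { 'ai-assistant': false },
};
const ASSISTANT_ONLY: UiCapabilities = {
  siem: { show: false },
  securitySolutionAssistant: { 'ai-assistant': true },
};

interface ComparisonRow {
  user: string;
  flat: boolean;
  nested: boolean;
}

// Evaluates both requirement forms for each sample user so the difference
// between "either capability" and "both capabilities" is visible side by side.
function compareRequirementForms(): ComparisonRow[] {
  const users = [
    { user: 'security_and_assistant', caps: SECURITY_AND_ASSISTANT },
    { user: 'security_only', caps: SECURITY_ONLY },
    { user: 'assistant_only', caps: ASSISTANT_ONLY },
  ];
  return users.map(({ user, caps }) => ({
    user,
    flat: hasRequiredCapabilities(caps, FLAT),
    nested: hasRequiredCapabilities(caps, NESTED),
  }));
}
```

With the flat form all three sample users pass; with the nested form only the user holding both capabilities does, which is why the choice of array shape is an authorization decision and worth a unit test on the link definition.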
@@ -18,6 +18,7 @@ import { uniq } from 'lodash/fp'; | |||
import React, { useCallback, useEffect, useMemo, useState } from 'react'; | |||
import { useLocalStorage } from 'react-use'; | |||
|
|||
import { useProductTypes } from '../../common/components/landing_page/onboarding/hooks/use_product_types'; |
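Review bot: the import added on the last line of this hunk reaches through `../../common/components/landing_page/onboarding/hooks/use_product_types`, so this file now depends on a hook that lives inside the onboarding landing page's own directory. Consider getting the product-type decision from a shared, feature-neutral module (or passing it in as a prop) rather than a deep relative import, so the onboarding code can be moved or removed without touching this file.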
This hook was created as a temporary workaround and is going to be removed.
Thanks @semd for the feedback suggesting to instead use the Upselling/CLA framework!

I took the following actions to implement the feedback:

- updated the PR to use the Upselling/CLA framework in this commit
- added a new section to the PR description, titled `Upselling framework usage` with the details below
- retested and updated all screenshots in the PR description

The following summary describes the changes made in this PR to adopt the framework:

1. Removed the branching logic from `x-pack/plugins/security_solution/public/attack_discovery/pages/upgrade/index.tsx`, and moved the component to an upselling `section` component in `x-pack/packages/security-solution/upselling/sections/attack_discovery/index.tsx`, where the component was renamed to `AttackDiscoveryUpsellingSection`.

   This `section` component handles (just) the styling of the upselling message and actions (by itself, without the page wrapper), and receives the following props:

   ```typescript
   interface Props {
     actions?: React.ReactNode;
     availabilityMessage: string;
     upgradeMessage: string;
   }
   ```

   The self managed and serverless-specific actions and `i18n` messages are passed down via the components described in the later steps below.

2. Removed all previous references to the `Upgrade` component (and references to `useProductTypes`) from the Attack discovery page in `x-pack/plugins/security_solution/public/attack_discovery/pages/index.tsx`, because the framework manages the upgrade case instead of the page itself.

3. Created an upselling `page` component `AttackDiscoveryUpsellingPage` in `x-pack/packages/security-solution/upselling/pages/attack_discovery/index.tsx`.

   This component handles (just) the styling of the _page_ that wraps the Attack discovery `section`. It passes the same props to the previously described `AttackDiscoveryUpsellingSection` component.

4. Created a self-managed-specific `AttackDiscoveryUpsellingPageESS` component in `x-pack/plugins/security_solution_ess/public/upselling/pages/attack_discovery/index.tsx`

   This component passes self-managed-specific upgrade action buttons / links and `i18n` strings to the previously described `AttackDiscoveryUpsellingPage`

5. Also for self managed, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_ess/public/upselling/lazy_upselling.tsx`

   This component lazy loads the previously described `AttackDiscoveryUpsellingPageESS` component.

6. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `UpsellingPages` section in `x-pack/plugins/security_solution_ess/public/upselling/register_upsellings.tsx` with a `minimumLicenseRequired` of `enterprise`:

   ```
   minimumLicenseRequired: 'enterprise',
   ```

7. Created a serverless-specific `AttackDiscoveryUpsellingPageServerless` component in `x-pack/plugins/security_solution_serverless/public/upselling/pages/attack_discovery/index.tsx`

   This component passes serverless-specific `i18n` messages to the platform agnostic `AttackDiscoveryUpsellingPage` component.

8. Also for serverless, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_serverless/public/upselling/lazy_upselling.tsx`

9. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `upsellingPages` section in `x-pack/plugins/security_solution_serverless/public/upselling/upsellings.tsx` with the `assistant` PLI:

   ```
   pli: ProductFeatureKey.assistant,
   ```

10. Added the `${ASSISTANT_FEATURE_ID}.ai-assistant` capability as an OR condition (via nested array, per the [framework](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/common/lib/capabilities/has_capabilities.ts#L11-L22)) to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts`. This addition enables the security route wrapper to check for upselling pages in serverless:

    ```
    capabilities: [[`${SERVER_APP_ID}.show`, `${ASSISTANT_FEATURE_ID}.ai-assistant`]],
    ```

11. Added `licenseType: 'enterprise'` to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts` to require an `enterprise` license for self managed
LGTM (on behalf of `elastic/security-defend-workflows`)
Security changes LGTM!
Thanks @elena-shostak! I implemented your feedback in 22a9ed8, as illustrated by the animated gif below:
LGTM!
D&R LGTM
…the serverless essentials product tier

### Summary

This PR fixes an issue where Attack discovery does not display an upgrade call to action (CTA) for the serverless _essentials_ product tier

#### After

![serverless_essentials_after](https://github.com/user-attachments/assets/eef427ad-39f1-4c50-805a-6b6ff840230c)

_Above: After the fix, an upgrade CTA is displayed for the serverless essentials product tier_

#### Before

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

_Above: Before the fix, an upgrade CTA is NOT displayed for the serverless essentials product tier_

### Desk testing

Reproduction steps:

1) Comment-out any preconfigured connectors in `config/kibana.dev.yml`

2) Add the following configuration to `config/kibana.dev.yml`:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' }
  ]
```

3) Start Elasticsearch

```sh
yarn es serverless --projectType security
```

4) Start a development instance of Kibana

```
yarn start --serverless=security --no-base-path
```

5) Navigate to Security > Attack discovery

**Expected result**

- An upgrade CTA is displayed, as illustrated by the _after_ screenshot below:

![serverless_essentials_after](https://github.com/user-attachments/assets/eef427ad-39f1-4c50-805a-6b6ff840230c)

**Actual result**

- An upgrade CTA is NOT displayed, as illustrated by the _before_ screenshot below:

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

### Upgrade CTA gallery

The screenshots in this section document the CTA displayed for various license levels after the fix:

#### Self managed BASIC

![self_managed_basic_after](https://github.com/user-attachments/assets/c306fe63-98f5-4d3f-9ba7-fad9b786f2bb)

#### Self managed PLATINUM

![self_managed_platinum_after](https://github.com/user-attachments/assets/2f04303e-e618-476b-9dd0-c3c762dda0d9)

#### Self managed TRIAL

![self_managed_trial_after](https://github.com/user-attachments/assets/f3ea568c-9e59-480c-bed4-1972e6c5c3ab)

#### Self managed ENTERPRISE

![self_managed_enterprise_after](https://github.com/user-attachments/assets/d43243c3-1b65-4729-944c-62cd80de3e4f)

#### Serverless ESSENTIALS

![serverless_essentials_after](https://github.com/user-attachments/assets/eef427ad-39f1-4c50-805a-6b6ff840230c)

#### Serverless COMPLETE

![serverless_complete_after](https://github.com/user-attachments/assets/56acd330-e44f-4879-b107-d9296789e11c)
- removes `upgrade` component
- removes unnecessary mock
- updates comments
…latform_plugins --update-limits`
…ies: `actions`, `stackConnectors`, `triggersActionsUi`
…curity-solution/upselling/tsconfig.json`
…play an upgrade CTA for the serverless essentials product tier

### Summary

This PR adds Role Based Access Control (RBAC) to Attack discovery.

Security users may enable or disable the new `Attack Discovery` RBAC feature shown in the figure below:

![rbac](https://github.com/user-attachments/assets/2ca3de6e-3e87-401f-8a06-0eb06d36d081)

_Above: The new `Attack discovery` RBAC feature_

It is possible, for example, to configure a custom role that enables Attack discovery, but disables the assistant, as illustrated by the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_none` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Trial      | ✅                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Enterprise | ✅                 | ❌          | ❌                 | ❌                        |

_Above: An example role that enables Attack discovery, but disables the assistant_

See the `Desk Testing` section of this PR for details.

This PR also fixes an issue where Attack discovery does not display an upgrade call to action (CTA) for the serverless _essentials_ product tier, per the before and after screenshots below:

#### Before

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

_Above: Before the fix, an upgrade CTA is NOT displayed for the serverless essentials product tier_

#### After

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

_Above: After the fix, an upgrade CTA is displayed for the serverless essentials product tier_

The fix above is implemented by adopting the upselling framework.
### New Feature ID

This PR adds a new Feature ID for attack discovery:

```typescript
export const ATTACK_DISCOVERY_FEATURE_ID = 'securitySolutionAttackDiscovery' as const;
```

in `x-pack/packages/security-solution/features/src/constants.ts`

### Upselling framework usage

This PR updates the Attack discovery page to use the upselling framework via the following summarized steps:

1. Removed the branching logic from `x-pack/plugins/security_solution/public/attack_discovery/pages/upgrade/index.tsx`, and moved the component to an upselling `section` component in `x-pack/packages/security-solution/upselling/sections/attack_discovery/index.tsx`, where the component was renamed to `AttackDiscoveryUpsellingSection`.

   This `section` component handles (just) the styling of the upselling message and actions (by itself, without the page wrapper), and receives the following props:

   ```typescript
   interface Props {
     actions?: React.ReactNode;
     availabilityMessage: string;
     upgradeMessage: string;
   }
   ```

   The self managed and serverless-specific actions and `i18n` messages are passed down via the components described in the later steps below.

2. Removed all previous references to the `Upgrade` component (and references to `useProductTypes`) from the Attack discovery page in `x-pack/plugins/security_solution/public/attack_discovery/pages/index.tsx`, because the framework manages the upgrade case instead of the page itself.

3. Created an upselling `page` component `AttackDiscoveryUpsellingPage` in `x-pack/packages/security-solution/upselling/pages/attack_discovery/index.tsx`.

   This component handles (just) the styling of the _page_ that wraps the Attack discovery `section`. It passes the same props to the previously described `AttackDiscoveryUpsellingSection` component.

4. Created a self-managed-specific `AttackDiscoveryUpsellingPageESS` component in `x-pack/plugins/security_solution_ess/public/upselling/pages/attack_discovery/index.tsx`

   This component passes self-managed-specific upgrade action buttons / links and `i18n` strings to the previously described `AttackDiscoveryUpsellingPage`

5. Also for self managed, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_ess/public/upselling/lazy_upselling.tsx`

   This component lazy loads the previously described `AttackDiscoveryUpsellingPageESS` component.

6. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `UpsellingPages` section in `x-pack/plugins/security_solution_ess/public/upselling/register_upsellings.tsx` with a `minimumLicenseRequired` of `enterprise`:

   ```
   minimumLicenseRequired: 'enterprise',
   ```

7. Created a serverless-specific `AttackDiscoveryUpsellingPageServerless` component in `x-pack/plugins/security_solution_serverless/public/upselling/pages/attack_discovery/index.tsx`

   This component passes serverless-specific `i18n` messages to the platform agnostic `AttackDiscoveryUpsellingPage` component.

8. Also for serverless, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_serverless/public/upselling/lazy_upselling.tsx`

9. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `upsellingPages` section in `x-pack/plugins/security_solution_serverless/public/upselling/upsellings.tsx` with the `assistant` PLI:

   ```
   pli: ProductFeatureKey.assistant,
   ```

10. Added the `${ASSISTANT_FEATURE_ID}.ai-assistant` capability as an OR condition (via nested array, per the [framework](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/common/lib/capabilities/has_capabilities.ts#L11-L22)) to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts`. This addition enables the security route wrapper to check for upselling pages in serverless:

    ```
    capabilities: [[`${SERVER_APP_ID}.show`, `${ASSISTANT_FEATURE_ID}.ai-assistant`]],
    ```

11. Added `licenseType: 'enterprise'` to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts` to require an `enterprise` license for self managed

### Upgrade CTA gallery

The screenshots in this section document the CTA (or Welcome message when the feature is licensed) displayed for various license levels after the fix:

#### Users with the `None` privilege

If users with the `None` privilege manually enter an Attack discovery URL, e.g. `http://localhost:5601/app/security/attack_discovery`, the framework will display the following error prompt:

![privelages_required](https://github.com/user-attachments/assets/d282609e-5400-4ba9-8130-de5e10f8973d)

#### Self managed BASIC

![self_managed_basic_after](https://github.com/user-attachments/assets/048b2a3b-9e2d-4b95-a697-c739ea2dc5bb)

#### Self managed PLATINUM

![self_managed_platinum_after](https://github.com/user-attachments/assets/d7c49551-a8cf-4afb-b3bf-c3243e892219)

#### Self managed TRIAL

![self_managed_trial_after](https://github.com/user-attachments/assets/d5cc03a9-97aa-4c78-a5f5-92e5af3a85ac)

#### Self managed ENTERPRISE

![self_managed_enterprise_after](https://github.com/user-attachments/assets/a849b534-7e07-4481-9641-c48dee126466)

#### Serverless ESSENTIALS

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

#### Serverless COMPLETE

![serverless_complete_after](https://github.com/user-attachments/assets/8cab60c3-dea6-4d7a-b86a-b2cd11c9b4dd)

## Desk Testing

### Serverless: Desk testing (just) the upgrade CTA

Reproduction steps:

1) Comment-out any preconfigured connectors in `config/kibana.dev.yml`

2) Edit the configuration of `config/serverless.security.yml` to enable the `essentials` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' }
  ]
```

3) Start Elasticsearch

```sh
yarn es serverless --projectType security
```

4) Start a development instance of Kibana

```
yarn start --serverless=security --no-base-path
```

5) Navigate to Security > Attack discovery

**Expected result**

- An upgrade CTA is displayed, as illustrated by the _after_ screenshot below:

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

- The video tour is NOT displayed for serverless, as noted in the [original PR](elastic#182605 (comment))

**Actual result**

- An upgrade CTA is NOT displayed, as illustrated by the _before_ screenshot below:

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

### Desk testing Self Managed

To desk test self managed, we will:

1) Create (three) roles for testing

2) Create (three) users assigned to the roles

3) Test each role at `Basic`, `Trial`, `Platinum`, and `Enterprise` levels to verify:

- `Attack discovery` link visibility in the Security solution navigation
- Visibility of the upsell empty prompt for license levels where Attack discovery is unavailable
- The upsell empty prompt includes the `Subscription plans` and `Manage license` actions
- When Attack discoveries are generated, the `View in Ai Assistant` button and popover menu action are enabled / disabled, based on availability of the `AI Assistant` feature

#### Creating (three) roles for testing

In this section, we will start a new (development) self managed deployment, and create the following three roles via Kibana Dev Tools:

- `has_attack_discovery_all_assistant_all`
- `has_attack_discovery_all_assistant_none`
- `has_attack_discovery_none_assistant_all`

To start the deployment and create the roles:

1) Add a pre-configured GenAI connector to `config/kibana.dev.yml`

2) Start a new (development) instance of Elasticsearch:

```sh
yarn es snapshot -E path.data=/Users/$USERNAME/data-2024-07-31a
```

3) Start a local (development) instance of Kibana:

```
yarn start --no-base-path
```

4) Login to Kibana as the `elastic` user

5) Generate some alerts

6) Navigate to Dev Tools

7) Execute the following three API calls to create the roles:

<details><summary>PUT /_security/role/has_attack_discovery_all_assistant_all</summary>
<p>

```ts
PUT /_security/role/has_attack_discovery_all_assistant_all
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAssistant.minimal_all",
        "feature_securitySolutionAttackDiscovery.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

<details><summary>PUT /_security/role/has_attack_discovery_all_assistant_none</summary>
<p>

```ts
PUT /_security/role/has_attack_discovery_all_assistant_none
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAttackDiscovery.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

<details><summary>PUT /_security/role/has_attack_discovery_none_assistant_all</summary>
<p>

```ts
PUT /_security/role/has_attack_discovery_none_assistant_all
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAssistant.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

#### Creating (three) users assigned to the roles

In this section, we will create the following three users via Kibana Dev Tools using the API calls below (expand for details):

- `attack_discovery_all_assistant_all`
- `attack_discovery_all_assistant_none`
- `attack_discovery_none_assistant_all`

1) Navigate to Dev Tools

2) Execute the following three API calls to create the users:

<details><summary>POST /_security/user/attack_discovery_all_assistant_all</summary>
<p>

```ts
POST /_security/user/attack_discovery_all_assistant_all
{
  "username": "attack_discovery_all_assistant_all",
  "password": "changeme",
  "roles": ["has_attack_discovery_all_assistant_all"],
  "full_name": "Attack Discovery All Assistant All",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

<details><summary>POST /_security/user/attack_discovery_all_assistant_none</summary>
<p>

```ts
POST /_security/user/attack_discovery_all_assistant_none
{
  "username": "attack_discovery_all_assistant_none",
  "password": "changeme",
  "roles": ["has_attack_discovery_all_assistant_none"],
  "full_name": "Attack Discovery All Assistant None",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

<details><summary>POST /_security/user/attack_discovery_none_assistant_all</summary>
<p>

```ts
POST /_security/user/attack_discovery_none_assistant_all
{
  "username": "attack_discovery_none_assistant_all",
  "password": "changeme",
  "roles": ["has_attack_discovery_none_assistant_all"],
  "full_name": "Attack Discovery None Assistant All",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

#### Testing each role at `Basic`, `Trial`, `Platinum`, and `Enterprise` levels

In this section, we will test each of the self managed `Basic`, `Trial`, `Platinum`, and `Enterprise` license levels with the three roles we created for testing.

##### Testing the `has_attack_discovery_all_assistant_all` role

1) Login as the `attack_discovery_all_assistant_all` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                     | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_all` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_all` | Trial      | ✅                 | ❌          | ❌                 | ✅                        |
| `has_attack_discovery_all_assistant_all` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_all` | Enterprise | ✅                 | ❌          | ❌                 | ✅                        |

##### Testing the `has_attack_discovery_all_assistant_none` role

1) Login as the `attack_discovery_all_assistant_none` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_none` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Trial      | ✅                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Enterprise | ✅                 | ❌          | ❌                 | ❌                        |

##### Testing the `has_attack_discovery_none_assistant_all` role

1) Login as the `attack_discovery_none_assistant_all` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_none_assistant_all` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Trial      | ❌                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Enterprise | ❌                 | ❌          | ❌                 | ❌                        |

---

### Serverless Testing

To desk test serverless, we will test the `essentials` and `complete` product tiers to verify:

- `Attack discovery` link visibility in the Security project navigation
- Visibility of the upsell empty prompt for license levels where Attack discovery is unavailable
- The upsell empty prompt does NOT include the `Subscription plans` and `Manage license` actions
- When Attack discoveries are generated, the `View in Ai Assistant` button and popover menu action are enabled

#### Essentials tier testing

1) Add a pre-configured GenAI connector to `config/kibana.dev.yml`

2) Edit the configuration of `config/serverless.security.yml` to enable the `essentials` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' },
    { product_line: 'endpoint', product_tier: 'essentials' },
  ]
```

3) Start a new (development) instance of Elasticsearch:

```sh
yarn es serverless --clean --projectType security
```

4) Start a local (development) instance of Kibana:

```
yarn start --serverless=security --no-base-path
```

5) Select the `admin` role

6) Generate some alerts

7) Verify your observations match the expected behavior in the table below:

| Role                          | Tier       | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `viewer`                      | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `editor`                      | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t1_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t2_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t3_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `threat_intelligence_analyst` | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `rule_author`                 | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `soc_manager`                 | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `detections_admin`            | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `platform_engineer`           | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `endpoint_operations_analyst` | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `endpoint_policy_manager`     | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `admin`                       | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `system_indices_superuser`    | essentials | ✅                 | ✅          | ❌                 | ❌                        |

### Complete tier testing

1) Stop the running Kibana server (from the previous Essentials tier testing)

2) Edit the configuration of `config/serverless.security.yml` to enable the `complete` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'complete' },
    { product_line: 'endpoint', product_tier: 'complete' },
  ]
```

3) Restart a local (development) instance of Kibana:

```
yarn start --serverless=security --no-base-path
```

4) Verify your observations match the expected behavior in the table below:

| Role                          | Tier     | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------|----------|--------------------|-------------|--------------------|---------------------------|
| `viewer`                      | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `editor`                      | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t1_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t2_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t3_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `threat_intelligence_analyst` | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `rule_author`                 | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `soc_manager`                 | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `detections_admin`            | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `platform_engineer`           | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `endpoint_operations_analyst` | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `endpoint_policy_manager`     | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `admin`                       | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `system_indices_superuser`    | complete | ✅                 | ❌          | ❌                 | ✅                        |
f1a209e to 6e6300f
💚 Build Succeeded
…y an upgrade CTA for the serverless essentials product tier (elastic#188788)

## [Security Solution] [Attack discovery] Attack Discovery RBAC / Display an upgrade CTA for the serverless essentials product tier

### Summary

This PR adds Role Based Access Control (RBAC) to Attack discovery.

Security users may enable or disable the new `Attack Discovery` RBAC feature shown in the figure below:

![rbac](https://github.com/user-attachments/assets/2ca3de6e-3e87-401f-8a06-0eb06d36d081)

_Above: The new `Attack discovery` RBAC feature_

It is possible, for example, to configure a custom role that enables Attack discovery, but disables the assistant, as illustrated by the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_none` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Trial      | ✅                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Enterprise | ✅                 | ❌          | ❌                 | ❌                        |

_Above: An example role that enables Attack discovery, but disables the assistant_

See the `Desk Testing` section of this PR for details.

This PR also fixes an issue where Attack discovery does not display an upgrade call to action (CTA) for the serverless _essentials_ product tier, per the before and after screenshots below:

#### Before

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

_Above: Before the fix, an upgrade CTA is NOT displayed for the serverless essentials product tier_

#### After

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

_Above: After the fix, an upgrade CTA is displayed for the serverless essentials product tier_

The fix above is implemented by adopting the upselling framework.

### New Feature ID

This PR adds a new Feature ID for attack discovery:

```typescript
export const ATTACK_DISCOVERY_FEATURE_ID = 'securitySolutionAttackDiscovery' as const;
```

in `x-pack/packages/security-solution/features/src/constants.ts`

### Upselling framework usage

This PR updates the Attack discovery page to use the upselling framework via the following summarized steps:

1. Removed the branching logic from `x-pack/plugins/security_solution/public/attack_discovery/pages/upgrade/index.tsx`, and moved the component to an upselling `section` component in `x-pack/packages/security-solution/upselling/sections/attack_discovery/index.tsx`, where the component was renamed to `AttackDiscoveryUpsellingSection`.

This `section` component handles (just) the styling of the upselling message and actions (by itself, without the page wrapper), and receives the following props:

```typescript
interface Props {
  actions?: React.ReactNode;
  availabilityMessage: string;
  upgradeMessage: string;
}
```

The self managed and serverless-specific actions and `i18n` messages are passed down via the components described in the later steps below.

2. Removed all previous references to the `Upgrade` component (and references to `useProductTypes`) from the Attack discovery page in `x-pack/plugins/security_solution/public/attack_discovery/pages/index.tsx`, because the framework manages the upgrade case instead of the page itself.

3. Created an upselling `page` component `AttackDiscoveryUpsellingPage` in `x-pack/packages/security-solution/upselling/pages/attack_discovery/index.tsx`.

This component handles (just) the styling of the _page_ that wraps the Attack discovery `section`. It passes the same props to the previously described `AttackDiscoveryUpsellingSection` component.

4. Created a self-managed-specific `AttackDiscoveryUpsellingPageESS` component in `x-pack/plugins/security_solution_ess/public/upselling/pages/attack_discovery/index.tsx`

This component passes self-managed-specific upgrade action buttons / links and `i18n` strings to the previously described `AttackDiscoveryUpsellingPage`

5. Also for self managed, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_ess/public/upselling/lazy_upselling.tsx`

This component lazy loads the previously described `AttackDiscoveryUpsellingPageESS` component.

6. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `UpsellingPages` section in `x-pack/plugins/security_solution_ess/public/upselling/register_upsellings.tsx` with a `minimumLicenseRequired` of `enterprise`:

```
minimumLicenseRequired: 'enterprise',
```

7. Created a serverless-specific `AttackDiscoveryUpsellingPageServerless` component in `x-pack/plugins/security_solution_serverless/public/upselling/pages/attack_discovery/index.tsx`

This component passes serverless-specific `i18n` messages to the platform agnostic `AttackDiscoveryUpsellingPage` component.

8. Also for serverless, added a new `AttackDiscoveryUpsellingPageLazy` component to the existing file: `x-pack/plugins/security_solution_serverless/public/upselling/lazy_upselling.tsx`

9. Added registration for the previously described `AttackDiscoveryUpsellingPageLazy` component to the existing `upsellingPages` section in `x-pack/plugins/security_solution_serverless/public/upselling/upsellings.tsx` with the `assistant` PLI:

```
pli: ProductFeatureKey.assistant,
```

10. Added the `${ASSISTANT_FEATURE_ID}.ai-assistant` capability as an OR condition (via nested array, per the [framework](https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/common/lib/capabilities/has_capabilities.ts#L11-L22)) to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts`. This addition enables the security route wrapper to check for upselling pages in serverless:

```
capabilities: [[`${SERVER_APP_ID}.show`, `${ASSISTANT_FEATURE_ID}.ai-assistant`]],
```

11. Added `licenseType: 'enterprise'` to the Attack discovery link in `x-pack/plugins/security_solution/public/attack_discovery/links.ts` to require an `enterprise` license for self managed

### Upgrade CTA gallery

The screenshots in this section document the CTA (or Welcome message when the feature is licensed) displayed for various license levels after the fix:

#### Users with the `None` privilege

If users with the `None` privilege manually enter an Attack discovery URL, e.g. `http://localhost:5601/app/security/attack_discovery`, the framework will display the following error prompt:

![privelages_required](https://github.com/user-attachments/assets/d282609e-5400-4ba9-8130-de5e10f8973d)

#### Self managed BASIC

![self_managed_basic_after](https://github.com/user-attachments/assets/048b2a3b-9e2d-4b95-a697-c739ea2dc5bb)

#### Self managed PLATINUM

![self_managed_platinum_after](https://github.com/user-attachments/assets/d7c49551-a8cf-4afb-b3bf-c3243e892219)

#### Self managed TRIAL

![self_managed_trial_after](https://github.com/user-attachments/assets/d5cc03a9-97aa-4c78-a5f5-92e5af3a85ac)

#### Self managed ENTERPRISE

![self_managed_enterprise_after](https://github.com/user-attachments/assets/a849b534-7e07-4481-9641-c48dee126466)

#### Serverless ESSENTIALS

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

#### Serverless COMPLETE

![serverless_complete_after](https://github.com/user-attachments/assets/8cab60c3-dea6-4d7a-b86a-b2cd11c9b4dd)

## Desk Testing

### Serverless: Desk testing (just) the upgrade CTA

Reproduction steps:

1) Comment-out any preconfigured connectors in `config/kibana.dev.yml`

2) Edit the configuration of `config/serverless.security.yml` to enable the `essentials` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' }
  ]
```

3) Start Elasticsearch

```sh
yarn es serverless --projectType security
```

4) Start a development instance of Kibana

```
yarn start --serverless=security --no-base-path
```

5) Navigate to Security > Attack discovery

**Expected result**

- An upgrade CTA is displayed, as illustrated by the _after_ screenshot below:

![serverless_essentials_after](https://github.com/user-attachments/assets/4cdd146e-afac-4f3e-925b-4786e1908312)

- The video tour is NOT displayed for serverless, as noted in the [original PR](elastic#182605 (comment))

**Actual result**

- An upgrade CTA is NOT displayed, as illustrated by the _before_ screenshot below:

![serverless_essentials_before](https://github.com/user-attachments/assets/90e8f433-896d-40a3-b095-8f0cca0f7073)

### Desk testing Self Managed

To desk test self managed, we will:

1) Create (three) roles for testing
2) Create (three) users assigned to the roles
3) Test each role at `Basic`, `Trial`, `Platinum`, and `Enterprise` levels to verify:

- `Attack discovery` link visibility in the Security solution navigation
- Visibility of the upsell empty prompt for license levels where Attack discovery is unavailable
- The upsell empty prompt includes the `Subscription plans` and `Manage license` actions
- When Attack discoveries are generated, the `View in Ai Assistant` button and popover menu action are enabled / disabled, based on availability of the `AI Assistant` feature

#### Creating (three) roles for testing

In this section, we will start a new (development) self managed deployment, and create the following three roles via Kibana Dev Tools:

- `has_attack_discovery_all_assistant_all`
- `has_attack_discovery_all_assistant_none`
- `has_attack_discovery_none_assistant_all`

To start the deployment and create the roles:

1) Add a pre-configured GenAI connector to `config/kibana.dev.yml`

2) Start a new (development) instance of Elasticsearch:

```sh
yarn es snapshot -E path.data=/Users/$USERNAME/data-2024-07-31a
```

3) Start a local (development) instance of Kibana:

```
yarn start --no-base-path
```

4) Login to Kibana as the `elastic` user

5) Generate some alerts

6) Navigate to Dev Tools

7) Execute the following three API calls to create the roles:

<details><summary>PUT /_security/role/has_attack_discovery_all_assistant_all</summary>
<p>

``` ts
PUT /_security/role/has_attack_discovery_all_assistant_all
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAssistant.minimal_all",
        "feature_securitySolutionAttackDiscovery.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

<details><summary>PUT /_security/role/has_attack_discovery_all_assistant_none</summary>
<p>

``` ts
PUT /_security/role/has_attack_discovery_all_assistant_none
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAttackDiscovery.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

<details><summary>PUT /_security/role/has_attack_discovery_none_assistant_all</summary>
<p>

``` ts
PUT /_security/role/has_attack_discovery_none_assistant_all
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_securitySolutionAssistant.minimal_all",
        "feature_siem.all",
        "feature_securitySolutionCases.all",
        "feature_actions.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```

</p>
</details>

#### Creating (three) users assigned to the roles

In this section, we will create the following three users via Kibana Dev Tools using the API calls below (expand for details):

- `attack_discovery_all_assistant_all`
- `attack_discovery_all_assistant_none`
- `attack_discovery_none_assistant_all`

1) Navigate to Dev Tools

2) Execute the following three API calls to create the users:

<details><summary>POST /_security/user/attack_discovery_all_assistant_all</summary>
<p>

``` ts
POST /_security/user/attack_discovery_all_assistant_all
{
  "username": "attack_discovery_all_assistant_all",
  "password": "changeme",
  "roles": ["has_attack_discovery_all_assistant_all"],
  "full_name": "Attack Discovery All Assistant All",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

<details><summary>POST /_security/user/attack_discovery_all_assistant_none</summary>
<p>

``` ts
POST /_security/user/attack_discovery_all_assistant_none
{
  "username": "attack_discovery_all_assistant_none",
  "password": "changeme",
  "roles": ["has_attack_discovery_all_assistant_none"],
  "full_name": "Attack Discovery All Assistant None",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

<details><summary>POST /_security/user/attack_discovery_none_assistant_all</summary>
<p>

``` ts
POST /_security/user/attack_discovery_none_assistant_all
{
  "username": "attack_discovery_none_assistant_all",
  "password": "changeme",
  "roles": ["has_attack_discovery_none_assistant_all"],
  "full_name": "Attack Discovery None Assistant All",
  "email": "user@example.com",
  "metadata": {},
  "enabled": true
}
```

</p>
</details>

#### Testing each role at `Basic`, `Trial`, `Platinum`, and `Enterprise` levels

In this section, we will test each of the self managed `Basic`, `Trial`, `Platinum`, and `Enterprise` license levels with the three roles we created for testing.

##### Testing the `has_attack_discovery_all_assistant_all` role

1) Login as the `attack_discovery_all_assistant_all` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                     | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_all` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_all` | Trial      | ✅                 | ❌          | ❌                 | ✅                        |
| `has_attack_discovery_all_assistant_all` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_all` | Enterprise | ✅                 | ❌          | ❌                 | ✅                        |

##### Testing the `has_attack_discovery_all_assistant_none` role

1) Login as the `attack_discovery_all_assistant_none` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_all_assistant_none` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Trial      | ✅                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_all_assistant_none` | Enterprise | ✅                 | ❌          | ❌                 | ❌                        |

##### Testing the `has_attack_discovery_none_assistant_all` role

1) Login as the `attack_discovery_none_assistant_all` user

2) Navigate to the Security solution

3) For each of the `Basic`, `Trial`, `Platinum`, and `Enterprise` levels, verify your observations match the expected behavior in the table below:

| Role                                      | License    | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `has_attack_discovery_none_assistant_all` | Basic      | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Trial      | ❌                 | ❌          | ❌                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Platinum   | ✅                 | ✅          | ✅                 | ❌                        |
| `has_attack_discovery_none_assistant_all` | Enterprise | ❌                 | ❌          | ❌                 | ❌                        |

---------------------------------------------

### Serverless Testing

To desk test serverless, we will test the `essentials` and `complete` product tiers to verify:

- `Attack discovery` link visibility in the Security project navigation
- Visibility of the upsell empty prompt for license levels where Attack discovery is unavailable
- The upsell empty prompt does NOT include the `Subscription plans` and `Manage license` actions
- When Attack discoveries are generated, the `View in Ai Assistant` button and popover menu action are enabled

#### Essentials tier testing

1) Add a pre-configured GenAI connector to `config/kibana.dev.yml`

2) Edit the configuration of `config/serverless.security.yml` to enable the `essentials` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' },
    { product_line: 'endpoint', product_tier: 'essentials' },
  ]
```

3) Start a new (development) instance of Elasticsearch:

```sh
yarn es serverless --clean --projectType security
```

4) Start a local (development) instance of Kibana:

```
yarn start --serverless=security --no-base-path
```

5) Select the `admin` role

6) Generate some alerts

7) Verify your observations match the expected behavior in the table below:

| Role                          | Tier       | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------|------------|--------------------|-------------|--------------------|---------------------------|
| `viewer`                      | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `editor`                      | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t1_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t2_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `t3_analyst`                  | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `threat_intelligence_analyst` | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `rule_author`                 | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `soc_manager`                 | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `detections_admin`            | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `platform_engineer`           | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `endpoint_operations_analyst` | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `endpoint_policy_manager`     | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `admin`                       | essentials | ✅                 | ✅          | ❌                 | ❌                        |
| `system_indices_superuser`    | essentials | ✅                 | ✅          | ❌                 | ❌                        |

#### Complete tier testing

1) Stop the running Kibana server (from the previous Essentials tier testing)

2) Edit the configuration of `config/serverless.security.yml` to enable the `complete` product tier:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'complete' },
    { product_line: 'endpoint', product_tier: 'complete' },
  ]
```

3) Restart a local (development) instance of Kibana:

```
yarn start --serverless=security --no-base-path
```

4) Verify your observations match the expected behavior in the table below:

| Role                          | Tier     | Navigation visible | Show upsell | Upsell has actions | View in assistant enabled |
|-------------------------------|----------|--------------------|-------------|--------------------|---------------------------|
| `viewer`                      | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `editor`                      | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t1_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t2_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `t3_analyst`                  | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `threat_intelligence_analyst` | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `rule_author`                 | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `soc_manager`                 | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `detections_admin`            | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `platform_engineer`           | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `endpoint_operations_analyst` | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `endpoint_policy_manager`     | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `admin`                       | complete | ✅                 | ❌          | ❌                 | ✅                        |
| `system_indices_superuser`    | complete | ✅                 | ❌          | ❌                 | ✅                        |
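
The desk-testing tables above reduce to a small decision rule over the role's Kibana feature privileges and the license or product tier. The TypeScript below is an added example, not code from this PR or from Kibana: the rule is inferred from the tables, and the helper names (`hasFeaturePrivilege`, `expectedSelfManaged`, `expectedServerless`, `mismatches`) and the trimmed sample role bodies are hypothetical.

```typescript
// Added example, not Kibana code. The decision rule is inferred from the
// desk-testing tables in the PR description, not from the implementation.

type License = 'basic' | 'trial' | 'platinum' | 'enterprise';
type Tier = 'essentials' | 'complete';

interface ApplicationPrivileges {
  application: string;
  privileges: string[];
  resources: string[];
}

// Only the part of an Elasticsearch role body that this check needs.
interface RoleBody {
  applications: ApplicationPrivileges[];
}

interface UiState {
  navigationVisible: boolean;
  showUpsell: boolean;
  upsellHasActions: boolean;
  viewInAssistantEnabled: boolean;
}

const KIBANA_APPLICATION = 'kibana-.kibana';
const ATTACK_DISCOVERY_FEATURE_ID = 'securitySolutionAttackDiscovery';
const ASSISTANT_FEATURE_ID = 'securitySolutionAssistant';

// True when the role grants any privilege on the given Kibana feature, e.g.
// "feature_securitySolutionAttackDiscovery.minimal_all". Base privileges
// such as "all" are not expanded here; the sample roles do not use them.
function hasFeaturePrivilege(role: RoleBody, featureId: string): boolean {
  const prefix = 'feature_' + featureId + '.';
  for (let i = 0; i < role.applications.length; i++) {
    const app = role.applications[i];
    if (app.application !== KIBANA_APPLICATION) continue;
    for (let j = 0; j < app.privileges.length; j++) {
      if (app.privileges[j].indexOf(prefix) === 0) return true;
    }
  }
  return false;
}

// Self managed: in the tables, Trial behaves like Enterprise, while Basic and
// Platinum show the upsell (with actions) regardless of the role's privileges.
function expectedSelfManaged(role: RoleBody, license: License): UiState {
  const licensed = license === 'enterprise' || license === 'trial';
  if (!licensed) {
    return { navigationVisible: true, showUpsell: true, upsellHasActions: true, viewInAssistantEnabled: false };
  }
  const attackDiscovery = hasFeaturePrivilege(role, ATTACK_DISCOVERY_FEATURE_ID);
  const assistant = hasFeaturePrivilege(role, ASSISTANT_FEATURE_ID);
  return {
    navigationVisible: attackDiscovery,
    showUpsell: false,
    upsellHasActions: false,
    viewInAssistantEnabled: attackDiscovery && assistant,
  };
}

// Serverless: the tables show the same result for every predefined role,
// so only the product tier matters. The upsell never carries actions.
function expectedServerless(tier: Tier): UiState {
  const complete = tier === 'complete';
  return { navigationVisible: true, showUpsell: !complete, upsellHasActions: false, viewInAssistantEnabled: complete };
}

// Column names where a recorded observation differs from the expectation.
function mismatches(expected: UiState, observed: UiState): string[] {
  const columns: Array<keyof UiState> = [
    'navigationVisible', 'showUpsell', 'upsellHasActions', 'viewInAssistantEnabled',
  ];
  const out: string[] = [];
  for (let i = 0; i < columns.length; i++) {
    if (expected[columns[i]] !== observed[columns[i]]) out.push(columns[i]);
  }
  return out;
}

// Sample roles, trimmed to the "applications" section of the three role
// bodies created in the desk-testing steps.
function kibanaRole(privileges: string[]): RoleBody {
  return { applications: [{ application: KIBANA_APPLICATION, privileges: privileges, resources: ['*'] }] };
}
const COMMON_PRIVILEGES = ['feature_siem.all', 'feature_securitySolutionCases.all', 'feature_actions.all'];
const ROLE_AD_ALL_ASSISTANT_ALL = kibanaRole(
  ['feature_securitySolutionAssistant.minimal_all', 'feature_securitySolutionAttackDiscovery.minimal_all']
    .concat(COMMON_PRIVILEGES)
);
const ROLE_AD_ALL_ASSISTANT_NONE = kibanaRole(
  ['feature_securitySolutionAttackDiscovery.minimal_all'].concat(COMMON_PRIVILEGES)
);
const ROLE_AD_NONE_ASSISTANT_ALL = kibanaRole(
  ['feature_securitySolutionAssistant.minimal_all'].concat(COMMON_PRIVILEGES)
);
```
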