
[Lists][Exceptions] - Updates exception list item comments structure #68864

Merged
merged 3 commits into from
Jun 11, 2020

Conversation

yctercero

@yctercero yctercero commented Jun 11, 2020

Summary

This is part of a series of upcoming changes to the exception list item structure. This PR focuses solely on updating exception_item.comment. The hope is to keep these PRs relatively small.

  • Updates exception_item.comment structure which was previously a string to exception_item.comments which is an array of { comment: string; created_by: string; created_at: string; }
  • Adds a few unit tests server side
  • Fixes some minor misspellings
  • Updates ExceptionViewer component in the UI to account for new structure

Snapshots

As you can see, comments are now appearing on the UI as expected.
Screen Shot 2020-06-11 at 1 03 59 AM

Testing

To turn on lists plugin - in kibana.dev.yml

# Enable lists feature
xpack.lists.enabled: true
xpack.lists.listIndex: '.lists-yara'
xpack.lists.listItemIndex: '.items-yara'

Use the scripts in x-pack/plugins/lists/server/scripts to create some sample exception lists and items. You can use the following:

  • Create detection type list ./post_exception_list.sh ./exception_lists/new/exception_list_detection.json
  • Create detection type list items ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_detection_auto_id.json - this script auto generates the item_id so you can run it as many times as you like to create multiple items associated with the list generated in step 1
  • Create endpoint list ./post_exception_list.sh
  • Create endpoint type list items ./post_exception_list_item.sh ./exception_lists/new/exception_list_item_auto_id.json - this script auto generates the item_id so you can run it as many times as you like to create multiple items associated with the list generated in step 3
  • Run ./find_exception_lists.sh to get the id of the two lists you created
  • Update the ExceptionsViewer component in x-pack/plugins/security_solution/public/alerts/pages/detection_engine/rules/details/index.tsx to something like the following:
<ExceptionsViewer
  ruleId={ruleId ?? ''}
  availableListTypes={[
    ExceptionListType.DETECTION_ENGINE,
    ExceptionListType.ENDPOINT,
  ]}
  commentsAccordionId={'ruleDetailsTabExceptions'}
  exceptionListsMeta={[
    {
      id: [DETECTION_LIST_ID], // `id` not `list_id`
      type: 'detection',
      namespaceType: 'single',
    },
    {
      id: [ENDPOINT_LIST_ID], // `id` not `list_id`
      type: 'endpoint',
      namespaceType: 'single',
    },
  ]}
/>

Navigate to the rules details page and click on the 'Exceptions' tab. Voila!

Checklist


@elasticmachine

Pinging @elastic/siem (Team:SIEM)

@kibanamachine

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

comments: {
properties: {
comment: {
type: 'keyword',

I'm curious if we could change comment type to text instead of keyword so the full content of the comment is searchable?


Good call. I noticed other ones like description was set to keyword. Wasn't sure if that was for a specific reason so I defaulted to keyword. Will update!


No worries I was just curious if it's something we might want. Open to hearing from others with their thoughts on this. Not a big deal either way I think.


Per our chat, I'm planning on updating these in the upcoming PR that addresses entries. I'll link to it once it's up as a follow up.

expect(getPaths(left(message.errors))).toEqual(['invalid keys "extraKey"']);
expect(message.schema).toEqual({});
});
});

Thanks for the test!


// TODO: Is it expected behavior for it not to auto-generate a uuid or throw
// error if item_id is not passed in?
xtest('it should accept an undefined for "item_id" and auto generate a uuid', () => {

@FrankHassanabad I think I might have seen a to do related to this, but just wanted to double check the expected behavior here.


@FrankHassanabad FrankHassanabad left a comment


Looks great! Thanks for moving so fast on these and the tests!

@yctercero yctercero merged commit da5aa03 into elastic:master Jun 11, 2020
yctercero added a commit to yctercero/kibana that referenced this pull request Jun 11, 2020
…lastic#68864)

### Summary

This is part of a series of upcoming changes to the exception list item structure. This PR focuses solely on updating exception_item.comment. The hope is to keep these PRs relatively small.

- Updates exception_item.comment structure which was previously a string to exception_item.comments which is an array of { comment: string; created_by: string; created_at: string; }
- Adds a few unit tests server side
- Fixes some minor misspellings
- Updates ExceptionViewer component in the UI to account for new structure
yctercero added a commit that referenced this pull request Jun 12, 2020

…cture (#68864) (#68907)

* [Lists][Exceptions] - Updates exception list item comments structure (#68864)


* Update API review file per CI instructions
yctercero added a commit that referenced this pull request Jun 26, 2020

…nt structure (#69532)

### Summary

This PR is a follow up to #68864 . That PR used a partial to differentiate between new and existing comments, this meant that comments could be updated when they shouldn't. It was decided in our discussion of exception list schemas that comments should be append only. This PR assures that's the case, but also leaves it open to editing comments (via API). It checks to make sure that users can only update their own comments.
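The follow-up commit above describes two rules for the new comments array: stored comments are append-only, and a user may edit only comments they authored. The block below is an added example (not Kibana's code, and not the follow-up PR's implementation) that models the `{ comment, created_by, created_at }` structure from this PR, converts a legacy string-valued `comment` into the array form, and enforces both rules in a server-side merge. The function names `normalizeComments` and `mergeComments`, the `CommentUpdateError` class and the sample data are all assumptions; the point it demonstrates is that `created_by` and `created_at` must be stamped by the server, never trusted from the request, or a client could drop other users' comments or forge authorship.

```typescript
// Added example, not Kibana's code. Names and signatures are assumptions.

interface ExceptionComment {
  comment: string;
  created_by: string;
  created_at: string;
}

// Request shape: existing comments echo their stored metadata, new ones carry text only.
type IncomingComment = Partial<ExceptionComment> & { comment: string };

class CommentUpdateError extends Error {}

// Legacy items stored `comment` as a single string; normalise either shape
// into the array form introduced by this PR.
function normalizeComments(
  item: { comment?: string; comments?: ExceptionComment[] },
  createdBy: string,
  now: string
): ExceptionComment[] {
  if (Array.isArray(item.comments)) return item.comments;
  if (typeof item.comment === 'string' && item.comment.length > 0) {
    return [{ comment: item.comment, created_by: createdBy, created_at: now }];
  }
  return [];
}

// Append-only merge with an ownership check.
//  - every stored comment must still be present (matched on created_by + created_at)
//  - a stored comment's text may change only if the requesting user is its author
//  - metadata for a comment that does not exist is rejected (forged authorship)
//  - new comments are stamped with the server's user and clock, never the client's
function mergeComments(
  existing: ExceptionComment[],
  incoming: IncomingComment[],
  user: string,
  now: string
): ExceptionComment[] {
  const key = (c: { created_by?: string; created_at?: string }) =>
    `${c.created_by}\u0000${c.created_at}`;
  const claimed = new Map<string, IncomingComment>();
  const result: ExceptionComment[] = [];

  for (const c of incoming) {
    if (c.created_at !== undefined || c.created_by !== undefined) {
      if (c.created_at === undefined || c.created_by === undefined) {
        throw new CommentUpdateError('comment metadata must be complete or absent');
      }
      claimed.set(key(c), c);
    }
  }

  for (const stored of existing) {
    const update = claimed.get(key(stored));
    if (update === undefined) {
      throw new CommentUpdateError('existing comments cannot be removed');
    }
    if (update.comment !== stored.comment) {
      if (stored.created_by !== user) {
        throw new CommentUpdateError('only the author may edit a comment');
      }
      result.push({ ...stored, comment: update.comment }); // keep original timestamp/author
    } else {
      result.push(stored);
    }
    claimed.delete(key(stored));
  }

  if (claimed.size > 0) {
    throw new CommentUpdateError('metadata supplied for a comment that does not exist');
  }

  for (const c of incoming) {
    if (c.created_at === undefined && c.created_by === undefined) {
      result.push({ comment: c.comment, created_by: user, created_at: now });
    }
  }
  return result;
}

// Constructed sample data for running this file directly.
function demo(): ExceptionComment[] {
  const stored: ExceptionComment[] = [
    { comment: 'Allowlisted after triage', created_by: 'analyst_a', created_at: '2020-06-11T08:00:00.000Z' },
  ];
  const legacy = normalizeComments({ comment: 'migrated note' }, 'analyst_a', '2020-06-11T07:00:00.000Z');
  const merged = mergeComments(stored, [...stored, { comment: 'Re-checked, still benign' }], 'analyst_b', '2020-06-11T09:00:00.000Z');
  return [...legacy, ...merged];
}

console.log(JSON.stringify(demo(), null, 2));
```

Matching stored comments on `created_by` plus `created_at` assumes that pair is unique per item; a real implementation would more likely carry a server-assigned id per comment, which removes that assumption.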
yctercero added a commit to yctercero/kibana that referenced this pull request Jun 26, 2020
…nt structure (elastic#69532)
yctercero added a commit that referenced this pull request Jun 26, 2020

…nt structure (#69532) (#70107)
@yctercero yctercero deleted the exc-comments branch October 14, 2020 12:00
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels
release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0 v8.0.0

6 participants