Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Investigate in Resolver Timeline Integration #70111

Merged

Conversation

andrew-goldstein
Copy link
Contributor

@andrew-goldstein andrew-goldstein commented Jun 26, 2020

[Security] Investigate in Resolver Timeline Integration

This PR adds a new Investigate in Resolver action to the Timeline, and all timeline-based views, including:

  • Timeline
  • Alert list (i.e. Signals)
  • Hosts > Events
  • Hosts > External alerts
  • Network > External alerts

investigate-in-resolver-action

Resolver Overlay

When the Investigate in Resolver action is clicked, Resolver is displayed in an overlay over the events. The screenshot below has placeholder text where Resolver will be rendered:

resolver-overlay

The Resolver overlay is closed by clicking the < Back to events button shown in the screenshot above.

The state of the timeline is restored when the overlay is closed. The scroll position (within the events), any expanded events, etc, will appear exactly as they were before the Resolver overlay was displayed.

Case Integration

Users may link directly to a Timeline Resolver view from cases via the Attach to new case and Attach to existing case... actions show in the screenshot below:

case-integration

investigate-in-resolver

When users click the link in a case, Timeline will automatically open to the Resolver view in the link.

URL State

Users can directly share Resolver views (in saved Timelines) with other users by copying the Kibana URL to the clipboard when Resolver is open.

When another user pastes the URL in their browser, Timeline will automatically open and display the Resolver view in the URL.

Enabling the Investigate in Resolver action

In this PR, the Investigate in Resolver action is only enabled for events where all of the following are true:

  • agent.type is endpoint
  • process.entity_id exists

Context passed to Resolver

The only context passed to Resolver is the _id of the event (when the user clicks Investigate in Resolver)

What's next?

  • @oatkiller will replace the placeholder text shown in the screenshots above with the actual call to Resolver in a separate PR
  • I will follow-up this PR with additional tests
  • The action text Investigate in Resolver may be changed in a future PR
  • Hide the Add to case action in timeline-based views (it's currently visible, but disabled)

This PR adds a new `Investigate in Resolver` action to the Timeline, and all timeline-based views, including:

- Timeline
- Alert list (i.e. Signals)
- Hosts > Events
- Hosts > External alerts
- Network > External alerts

![investigate-in-resolver-action](https://user-images.githubusercontent.com/4459398/85886173-c40d1c80-b7a2-11ea-8011-0221fef95d51.png)

### Resolver Overlay

When the `Investigate in Resolver` action is clicked, Resolver is displayed in an overlay over the events. The screenshot below has placeholder text where Resolver will be rendered:

![resolver-overlay](https://user-images.githubusercontent.com/4459398/85886309-10f0f300-b7a3-11ea-95cb-0117207e4890.png)

The Resolver overlay is closed by clicking the `< Back to events` button shown in the screenshot above.

The state of the timeline is restored when the overlay is closed. The scroll position (within the events), any expanded events, etc, will appear exactly as they were before the Resolver overlay was displayed.

### Case Integration

Users may link directly to a Timeline Resolver view from cases via the `Attach to new case` and `Attach to existing case...` actions show in the screenshot below:

![case-integration](https://user-images.githubusercontent.com/4459398/85886773-e3587980-b7a3-11ea-87b6-b098ea14bc5f.png)

![investigate-in-resolver](https://user-images.githubusercontent.com/4459398/85885618-daff3f00-b7a1-11ea-9356-2e8a1291f213.gif)

When users click the link in a case, Timeline will automatically open to the Resolver view in the link.

### URL State

Users can directly share Resolver views (in saved Timelines) with other users by copying the Kibana URL to the clipboard when Resolver is open.

When another user pastes the URL in their browser, Timeline will automatically open and display the Resolver view in the URL.

### Enabling the `Investigate in Resolver` action

In this PR, the `Investigate in Resolver` action is only enabled for events where all of the following are true:

- `agent.type` is `endpoint`
- `process.entity_id` exists

### Context passed to Resolver

The only context passed to `Resolver` is the `_id` of the event (when the user clicks `Investigate in Resolver`)

### What's next?

- @oatkiller will replace the placeholder text shown in the screenshots above with the actual call to Resolver in a separate PR
- I will follow-up this PR with additional tests
- The action text `Investigate in Resolver` may be changed in a future PR
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

Copy link
Contributor

@oatkiller oatkiller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm rebased. seems good. thanks!

@andrew-goldstein
Copy link
Contributor Author

@elasticmachine merge upstream

@oatkiller oatkiller mentioned this pull request Jun 26, 2020
30 tasks
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

id value diff baseline
securitySolution 787 +2 785

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@andrew-goldstein andrew-goldstein merged commit 295ac7e into elastic:master Jun 26, 2020
@andrew-goldstein andrew-goldstein deleted the timeline-overlay-resolver branch June 26, 2020 21:36
andrew-goldstein added a commit that referenced this pull request Jun 27, 2020
…70136)

## [Security] `Investigate in Resolver` Timeline Integration

This PR adds a new `Investigate in Resolver` action to the Timeline, and all timeline-based views, including:

- Timeline
- Alert list (i.e. Signals)
- Hosts > Events
- Hosts > External alerts
- Network > External alerts

![investigate-in-resolver-action](https://user-images.githubusercontent.com/4459398/85886173-c40d1c80-b7a2-11ea-8011-0221fef95d51.png)

### Resolver Overlay

When the `Investigate in Resolver` action is clicked, Resolver is displayed in an overlay over the events. The screenshot below has placeholder text where Resolver will be rendered:

![resolver-overlay](https://user-images.githubusercontent.com/4459398/85886309-10f0f300-b7a3-11ea-95cb-0117207e4890.png)

The Resolver overlay is closed by clicking the `< Back to events` button shown in the screenshot above.

The state of the timeline is restored when the overlay is closed. The scroll position (within the events), any expanded events, etc, will appear exactly as they were before the Resolver overlay was displayed.

### Case Integration

Users may link directly to a Timeline Resolver view from cases via the `Attach to new case` and `Attach to existing case...` actions show in the screenshot below:

![case-integration](https://user-images.githubusercontent.com/4459398/85886773-e3587980-b7a3-11ea-87b6-b098ea14bc5f.png)

![investigate-in-resolver](https://user-images.githubusercontent.com/4459398/85885618-daff3f00-b7a1-11ea-9356-2e8a1291f213.gif)

When users click the link in a case, Timeline will automatically open to the Resolver view in the link.

### URL State

Users can directly share Resolver views (in saved Timelines) with other users by copying the Kibana URL to the clipboard when Resolver is open.

When another user pastes the URL in their browser, Timeline will automatically open and display the Resolver view in the URL.

### Enabling the `Investigate in Resolver` action

In this PR, the `Investigate in Resolver` action is only enabled for events where all of the following are true:

- `agent.type` is `endpoint`
- `process.entity_id` exists

### Context passed to Resolver

The only context passed to `Resolver` is the `_id` of the event (when the user clicks `Investigate in Resolver`)

### What's next?

- @oatkiller will replace the placeholder text shown in the screenshots above with the actual call to Resolver in a separate PR
- I will follow-up this PR with additional tests
- The action text `Investigate in Resolver` may be changed in a future PR
- Hide the `Add to case` action in timeline-based views (it's currently visible, but disabled)
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jun 29, 2020
* master: (59 commits)
  [Lens] Fix broken test (elastic#70117)
  [SIEM] Import timeline fix (elastic#65448)
  [SECURITY SOLUTION][INGEST] UX update for ingest manager edit/create datasource for endpoint (elastic#70079)
  [Telemetry] Collector Schema (elastic#64942)
  [Endpoint] Add Endpoint empty states for onboarding (elastic#69626)
  Hide unused resolver buttons (elastic#70112)
  [Security] `Investigate in Resolver` Timeline Integration (elastic#70111)
  [Discover] Improve styling of graphs in sidebar (elastic#69440)
  [Metrics UI] Fix EuiTheme type issue (elastic#69735)
  skip failing suite (elastic#70104) (elastic#70103)
  [ENDPOINT] Hide the Timeline Flyout while on the Management Pages (elastic#69998)
  [SIEM][CASE] Persist callout when dismissed (elastic#68372)
  [SIEM][Exceptions] - Cleaned up and updated exception list item comment structure (elastic#69532)
  [Maps] remove indexing state from redux (elastic#69765)
  Add API integration test for deleting data streams. (elastic#70020)
  renames SIEM to Security Solution (elastic#70070)
  Adding saved_objects_page in OSS (elastic#69900)
  [Lens] Use accordion menus in field list for available and empty fields (elastic#68871)
  Dynamic uiActions & license support (elastic#68507)
  [SIEM] Update readme for timeline apis (elastic#67038)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jun 29, 2020
…bana into alerting/consumer-based-rbac

* 'alerting/consumer-based-rbac' of github.com:gmmorris/kibana: (25 commits)
  [Lens] Fix broken test (elastic#70117)
  [SIEM] Import timeline fix (elastic#65448)
  [SECURITY SOLUTION][INGEST] UX update for ingest manager edit/create datasource for endpoint (elastic#70079)
  [Telemetry] Collector Schema (elastic#64942)
  [Endpoint] Add Endpoint empty states for onboarding (elastic#69626)
  Hide unused resolver buttons (elastic#70112)
  [Security] `Investigate in Resolver` Timeline Integration (elastic#70111)
  [Discover] Improve styling of graphs in sidebar (elastic#69440)
  [Metrics UI] Fix EuiTheme type issue (elastic#69735)
  skip failing suite (elastic#70104) (elastic#70103)
  [ENDPOINT] Hide the Timeline Flyout while on the Management Pages (elastic#69998)
  [SIEM][CASE] Persist callout when dismissed (elastic#68372)
  [SIEM][Exceptions] - Cleaned up and updated exception list item comment structure (elastic#69532)
  [Maps] remove indexing state from redux (elastic#69765)
  Add API integration test for deleting data streams. (elastic#70020)
  renames SIEM to Security Solution (elastic#70070)
  Adding saved_objects_page in OSS (elastic#69900)
  [Lens] Use accordion menus in field list for available and empty fields (elastic#68871)
  Dynamic uiActions & license support (elastic#68507)
  [SIEM] Update readme for timeline apis (elastic#67038)
  ...
andrew-goldstein added a commit to andrew-goldstein/kibana that referenced this pull request Jul 2, 2020
… action

- Renames the `Investigate in Resolver` Timeline action, a follow-up item from the `What's next?` section of elastic#70111
- Fixes a CSS issue where the icon didn't align with the others for non-default row-heights

## Before

![before-investigate-in-resolver](https://user-images.githubusercontent.com/4459398/86393038-a97eeb80-bc59-11ea-9ba4-449ab20ddd25.png)

## After

![after-analyze-event](https://user-images.githubusercontent.com/4459398/86393050-ad127280-bc59-11ea-8040-7f254b0255b0.png)

Desk tested in:
- Chrome `83.0.4103.116`
- Firefox `78.0.1`
- Safari `13.1.1`
andrew-goldstein added a commit that referenced this pull request Jul 2, 2020
…tion (#70634)

## [Security Solution] Renames the `Investigate in Resolver` Timeline action

- Renames the `Investigate in Resolver` Timeline action, a follow-up item from the `What's next?` section of #70111
- Fixes a CSS issue where the icon didn't align with the others on non-default row-heights

## Before

![before-investigate-in-resolver](https://user-images.githubusercontent.com/4459398/86393038-a97eeb80-bc59-11ea-9ba4-449ab20ddd25.png)

## After

![after-analyze-event](https://user-images.githubusercontent.com/4459398/86393050-ad127280-bc59-11ea-8040-7f254b0255b0.png)

Desk tested in:
- Chrome `83.0.4103.116`
- Firefox `78.0.1`
- Safari `13.1.1`
andrew-goldstein added a commit that referenced this pull request Jul 2, 2020
…tion (#70634) (#70665)

## [Security Solution] Renames the `Investigate in Resolver` Timeline action

- Renames the `Investigate in Resolver` Timeline action, a follow-up item from the `What's next?` section of #70111
- Fixes a CSS issue where the icon didn't align with the others on non-default row-heights

## Before

![before-investigate-in-resolver](https://user-images.githubusercontent.com/4459398/86393038-a97eeb80-bc59-11ea-9ba4-449ab20ddd25.png)

## After

![after-analyze-event](https://user-images.githubusercontent.com/4459398/86393050-ad127280-bc59-11ea-8040-7f254b0255b0.png)

Desk tested in:
- Chrome `83.0.4103.116`
- Firefox `78.0.1`
- Safari `13.1.1`
andrew-goldstein added a commit that referenced this pull request Jul 15, 2020
## Full screen Timeline & Timeline-based views

- Adds a _Full screen_ mode to Timeline, and all Timeline-based views, including:
  - Detections
  - Detections > Rule details
  - Hosts > Events
  - Hosts > External alerts
  - Network > External alerts
  - Timeline
- Enter full screen from any Resolver
- Adds a `Collapse event` action for quickly collapsing an expanded Timeline event
- Hides the `Add to case action` in timeline-based Resolver views, so those actions are only enabled in Timeline (a `TODO`  from #70111)

### Full screen detections
![full-screen-detections](https://user-images.githubusercontent.com/4459398/87493332-d348f280-c609-11ea-9399-126d2259daa2.gif)

### Enter full screen from any Resolver
![full-screen-resolver](https://user-images.githubusercontent.com/4459398/87493348-de038780-c609-11ea-86a3-52ab24055e38.gif)

### Full screen Timeline
![full-screen-timeline](https://user-images.githubusercontent.com/4459398/87493394-f4114800-c609-11ea-8d62-4add291d937a.gif)

### Collapse event
![collapse-event](https://user-images.githubusercontent.com/4459398/87493408-fa9fbf80-c609-11ea-88c8-fa87d82d1eb1.gif)

### Sort tooltip
![sort-tooltip](https://user-images.githubusercontent.com/4459398/87493417-012e3700-c60a-11ea-9905-44e3b7cfe60f.gif)
angorayc pushed a commit that referenced this pull request Jul 15, 2020
…1838)

## Full screen Timeline & Timeline-based views

- Adds a _Full screen_ mode to Timeline, and all Timeline-based views, including:
  - Detections
  - Detections > Rule details
  - Hosts > Events
  - Hosts > External alerts
  - Network > External alerts
  - Timeline
- Enter full screen from any Resolver
- Adds a `Collapse event` action for quickly collapsing an expanded Timeline event
- Hides the `Add to case action` in timeline-based Resolver views, so those actions are only enabled in Timeline (a `TODO`  from #70111)

### Full screen detections
![full-screen-detections](https://user-images.githubusercontent.com/4459398/87493332-d348f280-c609-11ea-9399-126d2259daa2.gif)

### Enter full screen from any Resolver
![full-screen-resolver](https://user-images.githubusercontent.com/4459398/87493348-de038780-c609-11ea-86a3-52ab24055e38.gif)

### Full screen Timeline
![full-screen-timeline](https://user-images.githubusercontent.com/4459398/87493394-f4114800-c609-11ea-8d62-4add291d937a.gif)

### Collapse event
![collapse-event](https://user-images.githubusercontent.com/4459398/87493408-fa9fbf80-c609-11ea-88c8-fa87d82d1eb1.gif)

### Sort tooltip
![sort-tooltip](https://user-images.githubusercontent.com/4459398/87493417-012e3700-c60a-11ea-9905-44e3b7cfe60f.gif)
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants