forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution] Add Alert Suppression editable component (elastic…
…#198673) **Partially addresses:** elastic#171520 ## Summary This PR adds is built on top of elastic#193828 and elastic#196948 and adds an Alert Suppression editable component for Three Way Diff tab's final edit side of the upgrade prebuilt rule workflow. ## Details elastic#171520 required adding editable components for each field diffable rule field. Alert Suppression edit component was extracted from Define Rule Step Component into a separate reusable component. To simplify the logic it was split into common Alert Suppression and Threshold Alert Suppression since the latter is a specific use case. ## Caveats Upgrade prebuilt rules workflow is quite different from rule creation and editing. In create and edit rule forms users are capable to change any field at their will. Upgrade prebuilt rules workflow allow to modify only specific fields having diff in the current rule upgrade. There are fields which depend on each other. In particular Alert Suppression isn't supported for EQL sequence though it's addressed in elastic#189725. - Alert Suppression editable component in Three Way Diff workflow isn't disabled EQL sequence rule queries. Alert suppression support for rules with EQL sequence queries is implemented in elastic#189725. - Machine learning rule type require running selected machine learning jobs otherwise input could be disabled in case of there are no fields to pick from otherwise a warning message below the combobox is shown. ## How to test The simplest way to test is via patching installed prebuilt rules via Rule Patch API. Please follow steps below - Enable Prebuilt rule customization feature by adding a `prebuiltRulesCustomizationEnabled` feature flag - Run Kibana locally - Install a prebuilt rule, e.g. `Potential Code Execution via Postgresql` with rule_id `2a692072-d78d-42f3-a48a-775677d79c4e` - Patch the installed rule by running a query below ```bash curl -X PATCH --user elastic:changeme -H 'Content-Type: application/json' -H 'kbn-xsrf: 123' -H "elastic-api-version: 2023-10-31" -d '{"rule_id":"2a692072-d78d-42f3-a48a-775677d79c4e","version":1,"alert_suppression":{"group_by":["host.name"]}}' http://localhost:5601/kbn/api/detection_engine/rules ``` - Open `Detection Rules (SIEM)` Page -> `Rule Updates` -> click on `Potential Code Execution via Postgresql` rule -> expand `EQL Query` to see EQL Query -> press `Edit` button ## Screenshots Custom query prebuilt rule (UI looks similar for EQL, Indicator Match, New Terms and ES|QL rule types) ![image](https://github.com/user-attachments/assets/86015d5b-e252-4d0b-9aa3-fc14679a493b) Machine learning prebuilt rule with a diff in alert suppression ![image](https://github.com/user-attachments/assets/210246cd-27fd-4976-befc-dee023101ec9) Threshold prebuilt rule ![image](https://github.com/user-attachments/assets/44b0c1bc-4134-4d58-bd9a-e8e2d4c50802)
- Loading branch information
Showing
96 changed files
with
1,942 additions
and
877 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
79 changes: 79 additions & 0 deletions
79
x-pack/plugins/security_solution/public/common/test/eui/combobox.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { act, fireEvent, waitFor } from '@testing-library/react'; | ||
|
||
export function showEuiComboBoxOptions(comboBoxToggleButton: HTMLElement): Promise<void> { | ||
fireEvent.click(comboBoxToggleButton); | ||
|
||
return waitFor(() => { | ||
const listWithOptionsElement = document.querySelector('[role="listbox"]'); | ||
const emptyListElement = document.querySelector('.euiComboBoxOptionsList__empty'); | ||
|
||
expect(listWithOptionsElement || emptyListElement).toBeInTheDocument(); | ||
}); | ||
} | ||
|
||
type SelectEuiComboBoxOptionParameters = | ||
| { | ||
comboBoxToggleButton: HTMLElement; | ||
optionIndex: number; | ||
optionText?: undefined; | ||
} | ||
| { | ||
comboBoxToggleButton: HTMLElement; | ||
optionText: string; | ||
optionIndex?: undefined; | ||
}; | ||
|
||
export function selectEuiComboBoxOption({ | ||
comboBoxToggleButton, | ||
optionIndex, | ||
optionText, | ||
}: SelectEuiComboBoxOptionParameters): Promise<void> { | ||
return act(async () => { | ||
await showEuiComboBoxOptions(comboBoxToggleButton); | ||
|
||
const options = Array.from( | ||
document.querySelectorAll('[data-test-subj*="comboBoxOptionsList"] [role="option"]') | ||
); | ||
|
||
if (typeof optionText === 'string') { | ||
const optionToSelect = options.find((option) => option.textContent === optionText); | ||
|
||
if (optionToSelect) { | ||
fireEvent.click(optionToSelect); | ||
} else { | ||
throw new Error( | ||
`Could not find option with text "${optionText}". Available options: ${options | ||
.map((option) => option.textContent) | ||
.join(', ')}` | ||
); | ||
} | ||
} else { | ||
fireEvent.click(options[optionIndex]); | ||
} | ||
}); | ||
} | ||
|
||
export function selectFirstEuiComboBoxOption({ | ||
comboBoxToggleButton, | ||
}: { | ||
comboBoxToggleButton: HTMLElement; | ||
}): Promise<void> { | ||
return selectEuiComboBoxOption({ comboBoxToggleButton, optionIndex: 0 }); | ||
} | ||
|
||
export function clearEuiComboBoxSelection({ | ||
clearButton, | ||
}: { | ||
clearButton: HTMLElement; | ||
}): Promise<void> { | ||
return act(async () => { | ||
fireEvent.click(clearButton); | ||
}); | ||
} |
64 changes: 64 additions & 0 deletions
64
...ine/rule_creation/components/alert_suppression_edit/components/alert_suppression_edit.tsx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import React, { memo } from 'react'; | ||
import { EuiPanel, EuiText, EuiToolTip } from '@elastic/eui'; | ||
import type { DataViewFieldBase } from '@kbn/es-query'; | ||
import { useFormData } from '../../../../../shared_imports'; | ||
import { MissingFieldsStrategySelector } from './missing_fields_strategy_selector'; | ||
import { SuppressionDurationSelector } from './suppression_duration_selector'; | ||
import { SuppressionFieldsSelector } from './suppression_fields_selector'; | ||
import { ALERT_SUPPRESSION_FIELDS_FIELD_NAME } from '../constants/fields'; | ||
|
||
interface AlertSuppressionEditProps { | ||
suppressibleFields: DataViewFieldBase[]; | ||
labelAppend?: React.ReactNode; | ||
disabled?: boolean; | ||
disabledText?: string; | ||
warningText?: string; | ||
} | ||
|
||
export const AlertSuppressionEdit = memo(function AlertSuppressionEdit({ | ||
suppressibleFields, | ||
labelAppend, | ||
disabled, | ||
disabledText, | ||
warningText, | ||
}: AlertSuppressionEditProps): JSX.Element { | ||
const [{ [ALERT_SUPPRESSION_FIELDS_FIELD_NAME]: suppressionFields }] = useFormData<{ | ||
[ALERT_SUPPRESSION_FIELDS_FIELD_NAME]: string[]; | ||
}>({ | ||
watch: ALERT_SUPPRESSION_FIELDS_FIELD_NAME, | ||
}); | ||
const hasSelectedFields = suppressionFields?.length > 0; | ||
const content = ( | ||
<> | ||
<SuppressionFieldsSelector | ||
suppressibleFields={suppressibleFields} | ||
labelAppend={labelAppend} | ||
disabled={disabled} | ||
/> | ||
{warningText && ( | ||
<EuiText size="xs" color="warning" data-test-subj="alertSuppressionWarning"> | ||
{warningText} | ||
</EuiText> | ||
)} | ||
<EuiPanel paddingSize="m" hasShadow={false}> | ||
<SuppressionDurationSelector disabled={disabled || !hasSelectedFields} /> | ||
<MissingFieldsStrategySelector disabled={disabled || !hasSelectedFields} /> | ||
</EuiPanel> | ||
</> | ||
); | ||
|
||
return disabled && disabledText ? ( | ||
<EuiToolTip position="right" content={disabledText}> | ||
{content} | ||
</EuiToolTip> | ||
) : ( | ||
content | ||
); | ||
}); |
Oops, something went wrong.