From dbd1334480a2545dd9f18f8a0cde1a53630e1db7 Mon Sep 17 00:00:00 2001 From: Drew Tate Date: Tue, 2 Jul 2024 11:55:51 -0600 Subject: [PATCH 01/10] [ES|QL] capitalize things (#186340) ## Summary https://github.com/elastic/kibana/assets/315764/8f8e618c-22e6-4a33-957e-c9d1664cc000 Close https://github.com/elastic/kibana/issues/184238 --------- Co-authored-by: Stratoula Kalafateli --- .../src/utils/append_to_query.test.ts | 14 +++--- .../src/utils/append_to_query.ts | 4 +- .../src/utils/get_initial_esql_query.test.ts | 2 +- .../src/utils/get_initial_esql_query.ts | 2 +- .../src/autocomplete/autocomplete.test.ts | 44 ++++++++++--------- .../src/autocomplete/factories.ts | 18 ++++---- .../src/definitions/helpers.ts | 14 +++--- .../src/shared/helpers.ts | 5 ++- .../src/validation/validation.ts | 2 +- .../create_filters_from_value_click.test.ts | 2 +- .../apps/discover/esql/_esql_view.ts | 8 ++-- .../discover/group6/_sidebar_field_stats.ts | 14 +++--- .../apps/discover/group7/_new_search.ts | 4 +- .../open_lens_config/create_action_helpers.ts | 2 +- .../logs_explorer/public/hooks/use_esql.tsx | 2 +- .../common/discover/esql/_esql_view.ts | 2 +- 16 files changed, 74 insertions(+), 65 deletions(-) diff --git a/packages/kbn-esql-utils/src/utils/append_to_query.test.ts b/packages/kbn-esql-utils/src/utils/append_to_query.test.ts index 2f3d28c467444..f7c69fbb5c687 100644 --- a/packages/kbn-esql-utils/src/utils/append_to_query.test.ts +++ b/packages/kbn-esql-utils/src/utils/append_to_query.test.ts @@ -31,7 +31,7 @@ describe('appendToQuery', () => { appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '+', 'string') ).toBe( `from logstash-* // meow -| where \`dest\`=="tada!"` +| WHERE \`dest\`=="tada!"` ); }); it('appends a filter out where clause in an existing query', () => { @@ -39,7 +39,7 @@ describe('appendToQuery', () => { appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '-', 'string') ).toBe( `from logstash-* // meow -| where \`dest\`!="tada!"` +| WHERE \`dest\`!="tada!"` ); }); @@ -48,14 +48,14 @@ describe('appendToQuery', () => { appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '-', 'ip') ).toBe( `from logstash-* // meow -| where \`dest\`::string!="tada!"` +| WHERE \`dest\`::string!="tada!"` ); }); it('appends a where clause in an existing query with casting to string when the type is not given', () => { expect(appendWhereClauseToESQLQuery('from logstash-* // meow', 'dest', 'tada!', '-')).toBe( `from logstash-* // meow -| where \`dest\`::string!="tada!"` +| WHERE \`dest\`::string!="tada!"` ); }); @@ -70,7 +70,7 @@ describe('appendToQuery', () => { ) ).toBe( `from logstash-* // meow -| where \`dest\` is not null` +| WHERE \`dest\` is not null` ); }); @@ -85,7 +85,7 @@ describe('appendToQuery', () => { ) ).toBe( `from logstash-* // meow -| where \`dest\` is null` +| WHERE \`dest\` is null` ); }); @@ -100,7 +100,7 @@ describe('appendToQuery', () => { ) ).toBe( `from logstash-* | where country == "GR" -and \`dest\`=="Crete"` +AND \`dest\`=="Crete"` ); }); diff --git a/packages/kbn-esql-utils/src/utils/append_to_query.ts b/packages/kbn-esql-utils/src/utils/append_to_query.ts index d1bf0afa33755..0d8de16f03e79 100644 --- a/packages/kbn-esql-utils/src/utils/append_to_query.ts +++ b/packages/kbn-esql-utils/src/utils/append_to_query.ts @@ -85,9 +85,9 @@ export function appendWhereClauseToESQLQuery( } } // filter does not exist in the where clause - const whereClause = `and ${fieldName}${operator}${filterValue}`; + const whereClause = `AND ${fieldName}${operator}${filterValue}`; return appendToESQLQuery(baseESQLQuery, whereClause); } - const whereClause = `| where ${fieldName}${operator}${filterValue}`; + const whereClause = `| WHERE ${fieldName}${operator}${filterValue}`; return appendToESQLQuery(baseESQLQuery, whereClause); } diff --git a/packages/kbn-esql-utils/src/utils/get_initial_esql_query.test.ts b/packages/kbn-esql-utils/src/utils/get_initial_esql_query.test.ts index bb4fe9e1a15da..45aac1344725d 100644 --- a/packages/kbn-esql-utils/src/utils/get_initial_esql_query.test.ts +++ b/packages/kbn-esql-utils/src/utils/get_initial_esql_query.test.ts @@ -10,6 +10,6 @@ import { getInitialESQLQuery } from './get_initial_esql_query'; describe('getInitialESQLQuery', () => { it('should work correctly', () => { - expect(getInitialESQLQuery('logs*')).toBe('from logs* | limit 10'); + expect(getInitialESQLQuery('logs*')).toBe('FROM logs* | LIMIT 10'); }); }); diff --git a/packages/kbn-esql-utils/src/utils/get_initial_esql_query.ts b/packages/kbn-esql-utils/src/utils/get_initial_esql_query.ts index f2ccad78fa55f..302f3c364f1a6 100644 --- a/packages/kbn-esql-utils/src/utils/get_initial_esql_query.ts +++ b/packages/kbn-esql-utils/src/utils/get_initial_esql_query.ts @@ -11,5 +11,5 @@ * @param indexOrIndexPattern */ export function getInitialESQLQuery(indexOrIndexPattern: string): string { - return `from ${indexOrIndexPattern} | limit 10`; + return `FROM ${indexOrIndexPattern} | LIMIT 10`; } diff --git a/packages/kbn-esql-validation-autocomplete/src/autocomplete/autocomplete.test.ts b/packages/kbn-esql-validation-autocomplete/src/autocomplete/autocomplete.test.ts index 8edbcd5472593..6f0562d7f118e 100644 --- a/packages/kbn-esql-validation-autocomplete/src/autocomplete/autocomplete.test.ts +++ b/packages/kbn-esql-validation-autocomplete/src/autocomplete/autocomplete.test.ts @@ -186,9 +186,11 @@ function getFunctionSignaturesByReturnType( .sort(({ name: a }, { name: b }) => a.localeCompare(b)) .map(({ type, name, signatures }) => { if (type === 'builtin') { - return signatures.some(({ params }) => params.length > 1) ? `${name} $0` : name; + return signatures.some(({ params }) => params.length > 1) + ? `${name.toUpperCase()} $0` + : name.toUpperCase(); } - return `${name}($0)`; + return `${name.toUpperCase()}($0)`; }); } @@ -337,31 +339,31 @@ describe('autocomplete', () => { describe('New command', () => { testSuggestions( ' ', - sourceCommands.map((name) => name + ' $0') + sourceCommands.map((name) => name.toUpperCase() + ' $0') ); testSuggestions( 'from a | ', commandDefinitions .filter(({ name }) => !sourceCommands.includes(name)) - .map(({ name }) => name + ' $0') + .map(({ name }) => name.toUpperCase() + ' $0') ); testSuggestions( 'from a [metadata _id] | ', commandDefinitions .filter(({ name }) => !sourceCommands.includes(name)) - .map(({ name }) => name + ' $0') + .map(({ name }) => name.toUpperCase() + ' $0') ); testSuggestions( 'from a | eval var0 = a | ', commandDefinitions .filter(({ name }) => !sourceCommands.includes(name)) - .map(({ name }) => name + ' $0') + .map(({ name }) => name.toUpperCase() + ' $0') ); testSuggestions( 'from a [metadata _id] | eval var0 = a | ', commandDefinitions .filter(({ name }) => !sourceCommands.includes(name)) - .map(({ name }) => name + ' $0') + .map(({ name }) => name.toUpperCase() + ' $0') ); }); @@ -371,11 +373,11 @@ describe('autocomplete', () => { // Monaco will filter further down here testSuggestions( 'f', - sourceCommands.map((name) => name + ' $0') + sourceCommands.map((name) => name.toUpperCase() + ' $0') ); testSuggestions('from ', suggestedIndexes); testSuggestions('from a,', suggestedIndexes); - testSuggestions('from a, b ', ['metadata $0', ',', '|']); + testSuggestions('from a, b ', ['METADATA $0', ',', '|']); testSuggestions('from *,', suggestedIndexes); testSuggestions('from index', suggestedIndexes, 5 /* space before index */); testSuggestions('from a, b [metadata ]', METADATA_FIELDS, ' ]'); @@ -403,14 +405,14 @@ describe('autocomplete', () => { }); describe('show', () => { - testSuggestions('show ', ['info']); + testSuggestions('show ', ['INFO']); for (const fn of ['info']) { testSuggestions(`show ${fn} `, ['|']); } }); describe('meta', () => { - testSuggestions('meta ', ['functions']); + testSuggestions('meta ', ['FUNCTIONS']); for (const fn of ['functions']) { testSuggestions(`meta ${fn} `, ['|']); } @@ -522,8 +524,8 @@ describe('autocomplete', () => { ',' ); - testSuggestions('from index | WHERE stringField not ', ['like $0', 'rlike $0', 'in $0']); - testSuggestions('from index | WHERE stringField NOT ', ['like $0', 'rlike $0', 'in $0']); + testSuggestions('from index | WHERE stringField not ', ['LIKE $0', 'RLIKE $0', 'IN $0']); + testSuggestions('from index | WHERE stringField NOT ', ['LIKE $0', 'RLIKE $0', 'IN $0']); testSuggestions('from index | WHERE not ', [ ...getFieldNamesByType('boolean'), ...getFunctionSignaturesByReturnType('eval', 'boolean', { evalMath: true }), @@ -577,7 +579,7 @@ describe('autocomplete', () => { testSuggestions(`from a | ${subExpression} ${command} stringField `, [constantPattern]); testSuggestions( `from a | ${subExpression} ${command} stringField ${constantPattern} `, - (command === 'dissect' ? ['append_separator = $0'] : []).concat(['|']) + (command === 'dissect' ? ['APPEND_SEPARATOR = $0'] : []).concat(['|']) ); if (command === 'dissect') { testSuggestions( @@ -616,7 +618,7 @@ describe('autocomplete', () => { describe('rename', () => { testSuggestions('from a | rename ', getFieldNamesByType('any')); - testSuggestions('from a | rename stringField ', ['as $0']); + testSuggestions('from a | rename stringField ', ['AS $0']); testSuggestions('from a | rename stringField as ', ['var0']); }); @@ -704,7 +706,7 @@ describe('autocomplete', () => { ], '(' ); - testSuggestions('from a | stats a=min(b) ', ['by $0', ',', '|']); + testSuggestions('from a | stats a=min(b) ', ['BY $0', ',', '|']); testSuggestions('from a | stats a=min(b) by ', [ 'var0 =', ...getFieldNamesByType('any'), @@ -737,7 +739,7 @@ describe('autocomplete', () => { ]); // smoke testing with suggestions not at the end of the string - testSuggestions('from a | stats a = min(b) | sort b', ['by $0', ',', '|'], ') '); + testSuggestions('from a | stats a = min(b) | sort b', ['BY $0', ',', '|'], ') '); testSuggestions( 'from a | stats avg(b) by stringField', [ @@ -854,7 +856,7 @@ describe('autocomplete', () => { testSuggestions(`from a ${prevCommand}| enrich _${mode.toUpperCase()}:`, policyNames, ':'); testSuggestions(`from a ${prevCommand}| enrich _${camelCase(mode)}:`, policyNames, ':'); } - testSuggestions(`from a ${prevCommand}| enrich policy `, ['on $0', 'with $0', '|']); + testSuggestions(`from a ${prevCommand}| enrich policy `, ['ON $0', 'WITH $0', '|']); testSuggestions(`from a ${prevCommand}| enrich policy on `, [ 'stringField', 'numberField', @@ -868,7 +870,7 @@ describe('autocomplete', () => { 'any#Char$Field', 'kubernetes.something.something', ]); - testSuggestions(`from a ${prevCommand}| enrich policy on b `, ['with $0', ',', '|']); + testSuggestions(`from a ${prevCommand}| enrich policy on b `, ['WITH $0', ',', '|']); testSuggestions(`from a ${prevCommand}| enrich policy on b with `, [ 'var0 =', ...getPolicyFields('policy'), @@ -915,8 +917,8 @@ describe('autocomplete', () => { ',', '|', ]); - testSuggestions('from index | EVAL stringField not ', ['like $0', 'rlike $0', 'in $0']); - testSuggestions('from index | EVAL stringField NOT ', ['like $0', 'rlike $0', 'in $0']); + testSuggestions('from index | EVAL stringField not ', ['LIKE $0', 'RLIKE $0', 'IN $0']); + testSuggestions('from index | EVAL stringField NOT ', ['LIKE $0', 'RLIKE $0', 'IN $0']); testSuggestions('from index | EVAL numberField in ', ['( $0 )']); testSuggestions( 'from index | EVAL numberField in ( )', diff --git a/packages/kbn-esql-validation-autocomplete/src/autocomplete/factories.ts b/packages/kbn-esql-validation-autocomplete/src/autocomplete/factories.ts index 1bc93193bd39a..53e65c2f95aba 100644 --- a/packages/kbn-esql-validation-autocomplete/src/autocomplete/factories.ts +++ b/packages/kbn-esql-validation-autocomplete/src/autocomplete/factories.ts @@ -42,7 +42,7 @@ export function getSuggestionFunctionDefinition(fn: FunctionDefinition): Suggest const fullSignatures = getFunctionSignatures(fn); return { label: fullSignatures[0].declaration, - text: `${fn.name}($0)`, + text: `${fn.name.toUpperCase()}($0)`, asSnippet: true, kind: 'Function', detail: fn.description, @@ -60,7 +60,7 @@ export function getSuggestionBuiltinDefinition(fn: FunctionDefinition): Suggesti const hasArgs = fn.signatures.some(({ params }) => params.length > 1); return { label: fn.name, - text: hasArgs ? `${fn.name} $0` : fn.name, + text: hasArgs ? `${fn.name.toUpperCase()} $0` : fn.name.toUpperCase(), asSnippet: hasArgs, kind: 'Operator', detail: fn.description, @@ -103,10 +103,10 @@ export function getSuggestionCommandDefinition( const commandDefinition = getCommandDefinition(command.name); const commandSignature = getCommandSignature(commandDefinition); return { - label: commandDefinition.name, + label: commandDefinition.name.toUpperCase(), text: commandDefinition.signature.params.length - ? `${commandDefinition.name} $0` - : commandDefinition.name, + ? `${commandDefinition.name.toUpperCase()} $0` + : commandDefinition.name.toUpperCase(), asSnippet: true, kind: 'Method', detail: commandDefinition.description, @@ -247,14 +247,16 @@ export const buildOptionDefinition = ( isAssignType: boolean = false ) => { const completeItem: SuggestionRawDefinition = { - label: option.name, - text: option.name, + label: option.name.toUpperCase(), + text: option.name.toUpperCase(), kind: 'Reference', detail: option.description, sortText: '1', }; if (isAssignType || option.signature.params.length) { - completeItem.text = isAssignType ? `${option.name} = $0` : `${option.name} $0`; + completeItem.text = isAssignType + ? `${option.name.toUpperCase()} = $0` + : `${option.name.toUpperCase()} $0`; completeItem.asSnippet = true; completeItem.command = TRIGGER_SUGGESTION_COMMAND; } diff --git a/packages/kbn-esql-validation-autocomplete/src/definitions/helpers.ts b/packages/kbn-esql-validation-autocomplete/src/definitions/helpers.ts index 7d70d1acc9631..0ccb7855b284b 100644 --- a/packages/kbn-esql-validation-autocomplete/src/definitions/helpers.ts +++ b/packages/kbn-esql-validation-autocomplete/src/definitions/helpers.ts @@ -56,12 +56,16 @@ export function getCommandSignature( { withTypes }: { withTypes: boolean } = { withTypes: true } ) { return { - declaration: `${name} ${printCommandArguments(signature, withTypes)} ${options.map( + declaration: `${name.toUpperCase()} ${printCommandArguments( + signature, + withTypes + )} ${options.map( (option) => - `${option.wrapped ? option.wrapped[0] : ''}${option.name} ${printCommandArguments( - option.signature, - withTypes - )}${option.wrapped ? option.wrapped[1] : ''}` + `${ + option.wrapped ? option.wrapped[0] : '' + }${option.name.toUpperCase()} ${printCommandArguments(option.signature, withTypes)}${ + option.wrapped ? option.wrapped[1] : '' + }` )}`, examples, }; diff --git a/packages/kbn-esql-validation-autocomplete/src/shared/helpers.ts b/packages/kbn-esql-validation-autocomplete/src/shared/helpers.ts index 4a89a6b72d166..effd6b1b16ddd 100644 --- a/packages/kbn-esql-validation-autocomplete/src/shared/helpers.ts +++ b/packages/kbn-esql-validation-autocomplete/src/shared/helpers.ts @@ -127,7 +127,7 @@ export function isComma(char: string) { } export function isSourceCommand({ label }: { label: string }) { - return ['from', 'row', 'show'].includes(String(label)); + return ['FROM', 'ROW', 'SHOW'].includes(label); } let fnLookups: Map | undefined; @@ -290,12 +290,13 @@ export function areFieldAndVariableTypesCompatible( return fieldType === variableType; } -export function printFunctionSignature(arg: ESQLFunction): string { +export function printFunctionSignature(arg: ESQLFunction, useCaps = true): string { const fnDef = getFunctionDefinition(arg.name); if (fnDef) { const signature = getFunctionSignatures( { ...fnDef, + name: useCaps ? fnDef.name.toUpperCase() : fnDef.name, signatures: [ { ...fnDef?.signatures[0], diff --git a/packages/kbn-esql-validation-autocomplete/src/validation/validation.ts b/packages/kbn-esql-validation-autocomplete/src/validation/validation.ts index fcd17d5451825..e3c94aee3f482 100644 --- a/packages/kbn-esql-validation-autocomplete/src/validation/validation.ts +++ b/packages/kbn-esql-validation-autocomplete/src/validation/validation.ts @@ -220,7 +220,7 @@ function validateNestedFunctionArg( values: { name: astFunction.name, argType: parameterDefinition.type, - value: printFunctionSignature(actualArg) || actualArg.name, + value: printFunctionSignature(actualArg, false) || actualArg.name, givenType: argFn.signatures[0].returnType, }, locations: actualArg.location, diff --git a/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts b/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts index fab4d18af400b..16c2983c7a9cf 100644 --- a/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts +++ b/src/plugins/data/public/actions/filters/create_filters_from_value_click.test.ts @@ -169,7 +169,7 @@ describe('createFiltersFromClickEvent', () => { }); expect(queryString).toEqual(`from meow -| where \`columnA\`=="2048"`); +| WHERE \`columnA\`=="2048"`); }); }); }); diff --git a/test/functional/apps/discover/esql/_esql_view.ts b/test/functional/apps/discover/esql/_esql_view.ts index 9f60f4991ab4c..cea3b6ecce044 100644 --- a/test/functional/apps/discover/esql/_esql_view.ts +++ b/test/functional/apps/discover/esql/_esql_view.ts @@ -303,7 +303,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const historyItems = await esql.getHistoryItems(); log.debug(historyItems); const queryAdded = historyItems.some((item) => { - return item[1] === 'from logstash-* | limit 10'; + return item[1] === 'FROM logstash-* | LIMIT 10'; }); expect(queryAdded).to.be(true); @@ -564,7 +564,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB\n| where \`geo.dest\`=="BT"` + `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB\n| WHERE \`geo.dest\`=="BT"` ); // negate @@ -575,7 +575,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const newValue = await monacoEditor.getCodeEditorValue(); expect(newValue).to.eql( - `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB\n| where \`geo.dest\`!="BT"` + `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB\n| WHERE \`geo.dest\`!="BT"` ); }); @@ -597,7 +597,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB | where countB > 0\nand \`geo.dest\`=="BT"` + `from logstash-* | sort @timestamp desc | limit 10000 | stats countB = count(bytes) by geo.dest | sort countB | where countB > 0\nAND \`geo.dest\`=="BT"` ); }); }); diff --git a/test/functional/apps/discover/group6/_sidebar_field_stats.ts b/test/functional/apps/discover/group6/_sidebar_field_stats.ts index cbeb128036ab6..dd148e43d2d6e 100644 --- a/test/functional/apps/discover/group6/_sidebar_field_stats.ts +++ b/test/functional/apps/discover/group6/_sidebar_field_stats.ts @@ -172,7 +172,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| where \`bytes\`==0` + `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| WHERE \`bytes\`==0` ); await PageObjects.unifiedFieldList.closeFieldPopover(); }); @@ -193,7 +193,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| where \`extension.raw\`=="css"` + `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| WHERE \`extension.raw\`=="css"` ); await PageObjects.unifiedFieldList.closeFieldPopover(); @@ -215,7 +215,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| where \`clientip\`::string=="216.126.255.31"` + `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| WHERE \`clientip\`::string=="216.126.255.31"` ); await PageObjects.unifiedFieldList.closeFieldPopover(); @@ -241,7 +241,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| where \`@timestamp\` is not null` + `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| WHERE \`@timestamp\` is not null` ); await testSubjects.missingOrFail('dscFieldStats-statsFooter'); await PageObjects.unifiedFieldList.closeFieldPopover(); @@ -277,7 +277,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| where \`extension\`=="css"` + `from logstash-* [METADATA _index, _id] | sort @timestamp desc | limit 500\n| WHERE \`extension\`=="css"` ); await PageObjects.unifiedFieldList.closeFieldPopover(); @@ -317,7 +317,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); expect(editorValue).to.eql( - `from logstash-* | sort @timestamp desc | limit 50 | stats avg(bytes) by geo.dest | limit 3\n| where \`avg(bytes)\`==5453` + `from logstash-* | sort @timestamp desc | limit 50 | stats avg(bytes) by geo.dest | limit 3\n| WHERE \`avg(bytes)\`==5453` ); await PageObjects.unifiedFieldList.closeFieldPopover(); @@ -345,7 +345,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.unifiedFieldList.clickFieldListMinusFilter('enabled', 'true'); await testSubjects.click('TextBasedLangEditor-expand'); const editorValue = await monacoEditor.getCodeEditorValue(); - expect(editorValue).to.eql(`row enabled = true\n| where \`enabled\`!=true`); + expect(editorValue).to.eql(`row enabled = true\n| WHERE \`enabled\`!=true`); await PageObjects.unifiedFieldList.closeFieldPopover(); }); }); diff --git a/test/functional/apps/discover/group7/_new_search.ts b/test/functional/apps/discover/group7/_new_search.ts index 265602db217e2..14632d6e2618b 100644 --- a/test/functional/apps/discover/group7/_new_search.ts +++ b/test/functional/apps/discover/group7/_new_search.ts @@ -105,7 +105,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.clickNewSearchButton(); await PageObjects.discover.waitUntilSearchingHasFinished(); - expect(await monacoEditor.getCodeEditorValue()).to.be('from logstash-* | limit 10'); + expect(await monacoEditor.getCodeEditorValue()).to.be('FROM logstash-* | LIMIT 10'); expect(await PageObjects.discover.getVisContextSuggestionType()).to.be('histogramForESQL'); expect(await PageObjects.discover.getHitCount()).to.be('10'); }); @@ -126,7 +126,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { await PageObjects.discover.clickNewSearchButton(); await PageObjects.discover.waitUntilSearchingHasFinished(); - expect(await monacoEditor.getCodeEditorValue()).to.be('from logstash-* | limit 10'); + expect(await monacoEditor.getCodeEditorValue()).to.be('FROM logstash-* | LIMIT 10'); expect(await PageObjects.discover.getHitCount()).to.be('10'); }); }); diff --git a/x-pack/plugins/lens/public/trigger_actions/open_lens_config/create_action_helpers.ts b/x-pack/plugins/lens/public/trigger_actions/open_lens_config/create_action_helpers.ts index 387349039fed0..d11a32bbd5e06 100644 --- a/x-pack/plugins/lens/public/trigger_actions/open_lens_config/create_action_helpers.ts +++ b/x-pack/plugins/lens/public/trigger_actions/open_lens_config/create_action_helpers.ts @@ -63,7 +63,7 @@ export async function executeCreateAction({ const defaultIndex = dataView.getIndexPattern(); const defaultEsqlQuery = { - esql: `from ${defaultIndex} | limit 10`, + esql: `FROM ${defaultIndex} | LIMIT 10`, }; // For the suggestions api we need only the columns diff --git a/x-pack/plugins/observability_solution/logs_explorer/public/hooks/use_esql.tsx b/x-pack/plugins/observability_solution/logs_explorer/public/hooks/use_esql.tsx index e26474b6165e6..65140b4c1e4f2 100644 --- a/x-pack/plugins/observability_solution/logs_explorer/public/hooks/use_esql.tsx +++ b/x-pack/plugins/observability_solution/logs_explorer/public/hooks/use_esql.tsx @@ -35,7 +35,7 @@ export const useEsql = ({ dataSourceSelection }: EsqlContextDeps): UseEsqlResult const discoverLinkParams = { query: { - esql: `from ${esqlPattern} | limit 10`, + esql: `FROM ${esqlPattern} | LIMIT 10`, }, }; diff --git a/x-pack/test_serverless/functional/test_suites/common/discover/esql/_esql_view.ts b/x-pack/test_serverless/functional/test_suites/common/discover/esql/_esql_view.ts index 8e7b921d9655d..600ce61167c74 100644 --- a/x-pack/test_serverless/functional/test_suites/common/discover/esql/_esql_view.ts +++ b/x-pack/test_serverless/functional/test_suites/common/discover/esql/_esql_view.ts @@ -308,7 +308,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) { const historyItems = await esql.getHistoryItems(); log.debug(historyItems); const queryAdded = historyItems.some((item) => { - return item[1] === 'from logstash-* | limit 10'; + return item[1] === 'FROM logstash-* | LIMIT 10'; }); expect(queryAdded).to.be(true); From 75874ca942c2c5e57411a754aa153ee1b3f12fb4 Mon Sep 17 00:00:00 2001 From: Sandra G Date: Tue, 2 Jul 2024 14:11:56 -0400 Subject: [PATCH 02/10] [APM] limit service map scripted metric agg based on shard count (#186417) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary https://github.com/elastic/kibana/issues/179229 This PR addresses the need to limit the amount of data that the scripted metric aggregation in the service map processes in one request which can lead to timeouts and OOMs, often resulting in the user seeing [parent circuit breaker](https://www.elastic.co/guide/en/elasticsearch/reference/current/circuit-breaker.html#parent-circuit-breaker) errors and no service map visualization. This query can fire up to 20 times max depending on how many trace ids are fetched in subsequent query, contributing more to exceeding the total allowable memory. These changes will not remove the possibility of OOMs or circuit breaker errors. It doesn't control for multiple users or other processes happening in kibana, rather we are removing the current state of querying for an unknown number of documents by providing a hard limit and a way to easily tweak that limit. ## Changes - Make get_service_paths_from_trace_ids "shard aware" by adding an initial query, `get_trace_ids_shard_data` without the aggregations and only the trace id filter and other filters in order to see how many shards were searched - Use a baseline of 2_576_980_377 bytes max from new config `serverlessServiceMapMaxAvailableBytes`, for all get_service_paths_from_trace_ids queries when hitting the `/internal/apm/service-map` - Calculate how many docs we should retrieve per shard and set that to `terminateAfter` and also as part of the map phase to ensure we never send more than this number to reduce - Calculation is: ((serverlessServiceMapMaxAvailableBytes / average document size) / totalRequests) / numberOfShards Eg: 2_576_980_377 / 495 avg doc size = 5,206,020 total docs 5,206,020 total docs / 10 requests = 520,602 docs per query 520,602 docs per query / 3 shards = **173,534 docs per shard** Since 173,534 is greater than the default setting `serviceMapTerminateAfter`, docs per shard is 100k - Ensure that `map_script` phase won't process duplicate events - Refactor the `processAndReturnEvent` function to replace recursion with a loop to mitigate risks of stack overflow and excessive memory consumption when processing deep trees ## Testing ### Testing that the scripted metric agg query does not exceed the request circuit breaker - start elasticsearch with default settings - on `main`, without these changes, update the request circuit breaker limit to be 2mb: ``` PUT /_cluster/settings { "persistent": { "indices.breaker.request.limit": "2mb" } } ``` - run synthtrace `node scripts/synthtrace.js service_map_oom --from=now-15m --to=now --clean` - Go to the service map, and you should see this error: Screenshot 2024-06-20 at 2 41 18 PM - checkout this PR - set the apm kibana setting to 2mb(binary): `xpack.apm.serverlessServiceMapMaxAvailableBytes: 2097152`. this represents the available space for the [request circuit breaker](https://www.elastic.co/guide/en/elasticsearch/reference/current/circuit-breaker.html#request-circuit-breaker), since we aren't grabbing that dynamically. - navigate to the service map and you should not get this error and the service map should appear --------- Co-authored-by: Carlos Crespo Co-authored-by: Elastic Machine --- .../apm/server/index.ts | 1 + .../calculate_docs_per_shard.test.ts | 31 ++ .../service_map/calculate_docs_per_shard.ts | 34 ++ .../fetch_service_paths_from_trace_ids.ts | 377 +++++++++++------- .../routes/service_map/get_service_map.ts | 2 + .../get_service_map_from_trace_ids.ts | 6 + 6 files changed, 314 insertions(+), 137 deletions(-) create mode 100644 x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.test.ts create mode 100644 x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.ts diff --git a/x-pack/plugins/observability_solution/apm/server/index.ts b/x-pack/plugins/observability_solution/apm/server/index.ts index 44d447ce4c110..f3ebcec582a46 100644 --- a/x-pack/plugins/observability_solution/apm/server/index.ts +++ b/x-pack/plugins/observability_solution/apm/server/index.ts @@ -26,6 +26,7 @@ const configSchema = schema.object({ serviceMapFingerprintGlobalBucketSize: schema.number({ defaultValue: 1000, }), + serviceMapMaxAllowableBytes: schema.number({ defaultValue: 2_576_980_377 }), // 2.4GB serviceMapTraceIdBucketSize: schema.number({ defaultValue: 65 }), serviceMapTraceIdGlobalBucketSize: schema.number({ defaultValue: 6 }), serviceMapMaxTracesPerRequest: schema.number({ defaultValue: 50 }), diff --git a/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.test.ts b/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.test.ts new file mode 100644 index 0000000000000..cf32db83f2dac --- /dev/null +++ b/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.test.ts @@ -0,0 +1,31 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { calculateDocsPerShard } from './calculate_docs_per_shard'; + +describe('calculateDocsPerShard', () => { + it('calculates correct docs per shard', () => { + expect( + calculateDocsPerShard({ + serviceMapMaxAllowableBytes: 2_576_980_377, + avgDocSizeInBytes: 495, + totalShards: 3, + numOfRequests: 10, + }) + ).toBe(173534); + }); + it('handles zeros', () => { + expect(() => + calculateDocsPerShard({ + serviceMapMaxAllowableBytes: 0, + avgDocSizeInBytes: 0, + totalShards: 0, + numOfRequests: 0, + }) + ).toThrow('all parameters must be > 0'); + }); +}); diff --git a/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.ts b/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.ts new file mode 100644 index 0000000000000..de9145d7542f6 --- /dev/null +++ b/x-pack/plugins/observability_solution/apm/server/routes/service_map/calculate_docs_per_shard.ts @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +interface Params { + serviceMapMaxAllowableBytes: number; + avgDocSizeInBytes: number; + totalShards: number; + numOfRequests: number; +} + +export const calculateDocsPerShard = ({ + serviceMapMaxAllowableBytes, + avgDocSizeInBytes, + totalShards, + numOfRequests, +}: Params): number => { + if ( + serviceMapMaxAllowableBytes <= 0 || + avgDocSizeInBytes <= 0 || + totalShards <= 0 || + numOfRequests <= 0 + ) { + throw new Error('all parameters must be > 0'); + } + const bytesPerRequest = Math.floor(serviceMapMaxAllowableBytes / numOfRequests); + const totalNumDocsAllowed = Math.floor(bytesPerRequest / avgDocSizeInBytes); + const numDocsPerShardAllowed = Math.floor(totalNumDocsAllowed / totalShards); + + return numDocsPerShardAllowed; +}; diff --git a/x-pack/plugins/observability_solution/apm/server/routes/service_map/fetch_service_paths_from_trace_ids.ts b/x-pack/plugins/observability_solution/apm/server/routes/service_map/fetch_service_paths_from_trace_ids.ts index 5467606954844..70d51a56c6177 100644 --- a/x-pack/plugins/observability_solution/apm/server/routes/service_map/fetch_service_paths_from_trace_ids.ts +++ b/x-pack/plugins/observability_solution/apm/server/routes/service_map/fetch_service_paths_from_trace_ids.ts @@ -7,13 +7,38 @@ import { rangeQuery } from '@kbn/observability-plugin/server'; import { ProcessorEvent } from '@kbn/observability-plugin/common'; -import { TRACE_ID } from '../../../common/es_fields/apm'; +import { + AGENT_NAME, + PARENT_ID, + PROCESSOR_EVENT, + SERVICE_ENVIRONMENT, + SERVICE_NAME, + SPAN_DESTINATION_SERVICE_RESOURCE, + SPAN_SUBTYPE, + SPAN_TYPE, + TRACE_ID, +} from '../../../common/es_fields/apm'; import { ConnectionNode, ExternalConnectionNode, ServiceConnectionNode, } from '../../../common/service_map'; import { APMEventClient } from '../../lib/helpers/create_es_client/create_apm_event_client'; +import { calculateDocsPerShard } from './calculate_docs_per_shard'; + +const SCRIPTED_METRICS_FIELDS_TO_COPY = [ + PARENT_ID, + SERVICE_NAME, + SERVICE_ENVIRONMENT, + SPAN_DESTINATION_SERVICE_RESOURCE, + TRACE_ID, + PROCESSOR_EVENT, + SPAN_TYPE, + SPAN_SUBTYPE, + AGENT_NAME, +]; + +const AVG_BYTES_PER_FIELD = 55; export async function fetchServicePathsFromTraceIds({ apmEventClient, @@ -21,12 +46,16 @@ export async function fetchServicePathsFromTraceIds({ start, end, terminateAfter, + serviceMapMaxAllowableBytes, + numOfRequests, }: { apmEventClient: APMEventClient; traceIds: string[]; start: number; end: number; terminateAfter: number; + serviceMapMaxAllowableBytes: number; + numOfRequests: number; }) { // make sure there's a range so ES can skip shards const dayInMs = 24 * 60 * 60 * 1000; @@ -37,8 +66,8 @@ export async function fetchServicePathsFromTraceIds({ apm: { events: [ProcessorEvent.span, ProcessorEvent.transaction], }, - terminate_after: terminateAfter, body: { + terminate_after: terminateAfter, track_total_hits: false, size: 0, query: { @@ -53,178 +82,252 @@ export async function fetchServicePathsFromTraceIds({ ], }, }, - aggs: { - service_map: { - scripted_metric: { - init_script: { - lang: 'painless', - source: `state.eventsById = new HashMap(); - - String[] fieldsToCopy = new String[] { - 'parent.id', - 'service.name', - 'service.environment', - 'span.destination.service.resource', - 'trace.id', - 'processor.event', - 'span.type', - 'span.subtype', - 'agent.name' - }; - state.fieldsToCopy = fieldsToCopy;`, - }, - map_script: { - lang: 'painless', - source: `def id; - id = $('span.id', null); - if (id == null) { - id = $('transaction.id', null); - } - - def copy = new HashMap(); - copy.id = id; - - for(key in state.fieldsToCopy) { - def value = $(key, null); - if (value != null) { - copy[key] = value; - } + }, + }; + // fetch without aggs to get shard count, first + const serviceMapQueryDataResponse = await apmEventClient.search( + 'get_trace_ids_shard_data', + serviceMapParams + ); + /* + * Calculate how many docs we can fetch per shard. + * Used in both terminate_after and tracking in the map script of the scripted_metric agg + * to ensure we don't fetch more than we can handle. + * + * 1. Use serviceMapMaxAllowableBytes setting, which represents our baseline request circuit breaker limit. + * 2. Divide by numOfRequests we fire off simultaneously to calculate bytesPerRequest. + * 3. Divide bytesPerRequest by the average doc size to get totalNumDocsAllowed. + * 4. Divide totalNumDocsAllowed by totalShards to get numDocsPerShardAllowed. + * 5. Use the lesser of numDocsPerShardAllowed or terminateAfter. + */ + + const avgDocSizeInBytes = SCRIPTED_METRICS_FIELDS_TO_COPY.length * AVG_BYTES_PER_FIELD; // estimated doc size in bytes + const totalShards = serviceMapQueryDataResponse._shards.total; + + const calculatedDocs = calculateDocsPerShard({ + serviceMapMaxAllowableBytes, + avgDocSizeInBytes, + totalShards, + numOfRequests, + }); + + const numDocsPerShardAllowed = calculatedDocs > terminateAfter ? terminateAfter : calculatedDocs; + + const serviceMapAggs = { + service_map: { + scripted_metric: { + params: { + limit: numDocsPerShardAllowed, + fieldsToCopy: SCRIPTED_METRICS_FIELDS_TO_COPY, + }, + init_script: { + lang: 'painless', + source: ` + state.docCount = 0; + state.limit = params.limit; + state.eventsById = new HashMap(); + state.fieldsToCopy = params.fieldsToCopy;`, + }, + map_script: { + lang: 'painless', + source: ` + if (state.docCount >= state.limit) { + // Stop processing if the document limit is reached + return; + } + + def id = $('span.id', null); + if (id == null) { + id = $('transaction.id', null); + } + + // Ensure same event isn't processed twice + if (id != null && !state.eventsById.containsKey(id)) { + def copy = new HashMap(); + copy.id = id; + + for(key in state.fieldsToCopy) { + def value = $(key, null); + if (value != null) { + copy[key] = value; } - - state.eventsById[id] = copy`, - }, - combine_script: { - lang: 'painless', - source: `return state.eventsById;`, - }, - reduce_script: { - lang: 'painless', - source: ` - def getDestination ( def event ) { - def destination = new HashMap(); - destination['span.destination.service.resource'] = event['span.destination.service.resource']; - destination['span.type'] = event['span.type']; - destination['span.subtype'] = event['span.subtype']; - return destination; } - def processAndReturnEvent(def context, def eventId) { - if (context.processedEvents[eventId] != null) { - return context.processedEvents[eventId]; - } - - def event = context.eventsById[eventId]; - - if (event == null) { - return null; + state.eventsById[id] = copy; + state.docCount++; + } + `, + }, + combine_script: { + lang: 'painless', + source: `return state;`, + }, + reduce_script: { + lang: 'painless', + source: ` + def getDestination(def event) { + def destination = new HashMap(); + destination['span.destination.service.resource'] = event['span.destination.service.resource']; + destination['span.type'] = event['span.type']; + destination['span.subtype'] = event['span.subtype']; + return destination; + } + + def processAndReturnEvent(def context, def eventId) { + def stack = new Stack(); + def reprocessQueue = new LinkedList(); + + // Avoid reprocessing the same event + def visited = new HashSet(); + + stack.push(eventId); + + while (!stack.isEmpty()) { + def currentEventId = stack.pop(); + def event = context.eventsById.get(currentEventId); + + if (event == null || context.processedEvents.get(currentEventId) != null) { + continue; } + visited.add(currentEventId); def service = new HashMap(); service['service.name'] = event['service.name']; service['service.environment'] = event['service.environment']; service['agent.name'] = event['agent.name']; - + def basePath = new ArrayList(); - def parentId = event['parent.id']; - def parent; - - if (parentId != null && parentId != event['id']) { - parent = processAndReturnEvent(context, parentId); - if (parent != null) { - /* copy the path from the parent */ - basePath.addAll(parent.path); - /* flag parent path for removal, as it has children */ - context.locationsToRemove.add(parent.path); - - /* if the parent has 'span.destination.service.resource' set, and the service is different, - we've discovered a service */ - - if (parent['span.destination.service.resource'] != null - && parent['span.destination.service.resource'] != "" - && (parent['service.name'] != event['service.name'] - || parent['service.environment'] != event['service.environment'] - ) - ) { - def parentDestination = getDestination(parent); - context.externalToServiceMap.put(parentDestination, service); + + if (parentId != null && !parentId.equals(currentEventId)) { + def parent = context.processedEvents.get(parentId); + + if (parent == null) { + + // Only adds the parentId to the stack if it hasn't been visited to prevent infinite loop scenarios + // if the parent is null, it means it hasn't been processed yet or it could also mean that the current event + // doesn't have a parent, in which case we should skip it + if (!visited.contains(parentId)) { + stack.push(parentId); + // Add currentEventId to be reprocessed once its parent is processed + reprocessQueue.add(currentEventId); } + + + continue; } - } + // copy the path from the parent + basePath.addAll(parent.path); + // flag parent path for removal, as it has children + context.locationsToRemove.add(parent.path); + + // if the parent has 'span.destination.service.resource' set, and the service is different, we've discovered a service + if (parent['span.destination.service.resource'] != null + && !parent['span.destination.service.resource'].equals("") + && (!parent['service.name'].equals(event['service.name']) + || !parent['service.environment'].equals(event['service.environment']) + ) + ) { + def parentDestination = getDestination(parent); + context.externalToServiceMap.put(parentDestination, service); + } + } + def lastLocation = basePath.size() > 0 ? basePath[basePath.size() - 1] : null; - def currentLocation = service; - - /* only add the current location to the path if it's different from the last one*/ + + // only add the current location to the path if it's different from the last one if (lastLocation == null || !lastLocation.equals(currentLocation)) { basePath.add(currentLocation); } - - /* if there is an outgoing span, create a new path */ + + // if there is an outgoing span, create a new path if (event['span.destination.service.resource'] != null - && event['span.destination.service.resource'] != '') { + && !event['span.destination.service.resource'].equals("")) { + def outgoingLocation = getDestination(event); def outgoingPath = new ArrayList(basePath); outgoingPath.add(outgoingLocation); context.paths.add(outgoingPath); } - + event.path = basePath; + context.processedEvents[currentEventId] = event; - context.processedEvents[eventId] = event; - return event; - } - - def context = new HashMap(); - - context.processedEvents = new HashMap(); - context.eventsById = new HashMap(); - - context.paths = new HashSet(); - context.externalToServiceMap = new HashMap(); - context.locationsToRemove = new HashSet(); - - for (state in states) { - context.eventsById.putAll(state); - } - - for (entry in context.eventsById.entrySet()) { - processAndReturnEvent(context, entry.getKey()); - } - - def paths = new HashSet(); - - for(foundPath in context.paths) { - if (!context.locationsToRemove.contains(foundPath)) { - paths.add(foundPath); + // reprocess events which were waiting for their parents to be processed + while (!reprocessQueue.isEmpty()) { + stack.push(reprocessQueue.remove()); } } - def response = new HashMap(); - response.paths = paths; - - def discoveredServices = new HashSet(); - - for(entry in context.externalToServiceMap.entrySet()) { - def map = new HashMap(); - map.from = entry.getKey(); - map.to = entry.getValue(); - discoveredServices.add(map); + return null; + } + + def context = new HashMap(); + + context.processedEvents = new HashMap(); + context.eventsById = new HashMap(); + context.paths = new HashSet(); + context.externalToServiceMap = new HashMap(); + context.locationsToRemove = new HashSet(); + + for (state in states) { + context.eventsById.putAll(state.eventsById); + state.eventsById.clear(); + } + + states.clear(); + + for (entry in context.eventsById.entrySet()) { + processAndReturnEvent(context, entry.getKey()); + } + + context.processedEvents.clear(); + context.eventsById.clear(); + + def response = new HashMap(); + response.paths = new HashSet(); + response.discoveredServices = new HashSet(); + + for (foundPath in context.paths) { + if (!context.locationsToRemove.contains(foundPath)) { + response.paths.add(foundPath); } - response.discoveredServices = discoveredServices; - - return response;`, - }, - }, - } as const, + } + + context.locationsToRemove.clear(); + context.paths.clear(); + + for (entry in context.externalToServiceMap.entrySet()) { + def map = new HashMap(); + map.from = entry.getKey(); + map.to = entry.getValue(); + response.discoveredServices.add(map); + } + + context.externalToServiceMap.clear(); + + return response; + `, + }, }, + } as const, + }; + + const serviceMapParamsWithAggs = { + ...serviceMapParams, + body: { + ...serviceMapParams.body, + size: 1, + terminate_after: numDocsPerShardAllowed, + aggs: serviceMapAggs, }, }; const serviceMapFromTraceIdsScriptResponse = await apmEventClient.search( 'get_service_paths_from_trace_ids', - serviceMapParams + serviceMapParamsWithAggs ); return serviceMapFromTraceIdsScriptResponse as { diff --git a/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map.ts b/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map.ts index 61fc849996a6e..69a000f4c2a8f 100644 --- a/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map.ts +++ b/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map.ts @@ -82,6 +82,8 @@ async function getConnectionData({ start, end, terminateAfter: config.serviceMapTerminateAfter, + serviceMapMaxAllowableBytes: config.serviceMapMaxAllowableBytes, + numOfRequests: chunks.length, logger, }) ) diff --git a/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map_from_trace_ids.ts b/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map_from_trace_ids.ts index 1b2cc6070d87f..d1bec0076d8f2 100644 --- a/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map_from_trace_ids.ts +++ b/x-pack/plugins/observability_solution/apm/server/routes/service_map/get_service_map_from_trace_ids.ts @@ -46,6 +46,8 @@ export async function getServiceMapFromTraceIds({ start, end, terminateAfter, + serviceMapMaxAllowableBytes, + numOfRequests, logger, }: { apmEventClient: APMEventClient; @@ -53,6 +55,8 @@ export async function getServiceMapFromTraceIds({ start: number; end: number; terminateAfter: number; + serviceMapMaxAllowableBytes: number; + numOfRequests: number; logger: Logger; }) { const serviceMapFromTraceIdsScriptResponse = await fetchServicePathsFromTraceIds({ @@ -61,6 +65,8 @@ export async function getServiceMapFromTraceIds({ start, end, terminateAfter, + serviceMapMaxAllowableBytes, + numOfRequests, }); logger.debug('Received scripted metric agg response'); From 5cb60aa23fc6319eae83c5d8724a5701e6b34865 Mon Sep 17 00:00:00 2001 From: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> Date: Tue, 2 Jul 2024 14:28:32 -0400 Subject: [PATCH 03/10] Defend Advanced Policy Options for Registry Event Filtering Enforcement (#186564) ## Summary Adds a Defend Advanced Policy option to allow 8.15.0 users to opt out of Registry Event Filtering. ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --- .../pages/policy/models/advanced_policy_schema.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts index 05ea215f65c50..b6333f949c761 100644 --- a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts +++ b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts @@ -1908,4 +1908,15 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [ } ), }, + { + key: 'windows.advanced.events.registry.enforce_registry_filters', + first_supported_version: '8.15', + documentation: i18n.translate( + 'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.events.registry.enforce_registry_filters', + { + defaultMessage: + 'Reduce data volume by filtering out registry events which are not relevant to behavioral protections. Default: true', + } + ), + }, ]; From 4007283a84fdd2f9accd374af614c4b388bb71cb Mon Sep 17 00:00:00 2001 From: Aleh Zasypkin Date: Tue, 2 Jul 2024 22:26:25 +0300 Subject: [PATCH 04/10] fix(dev, serverless): do not inject mock SAML IdP configuration if conflicting configuration is provided via CLI arguments (#187337) ## Summary Our functional test server provides Kibana configuration via CLI arguments that the code configuring the mock SAML IdP realm in dev mode didn't account for. This means that when we run the test server locally, both FTR and Kibana try to configure the mock SAML IdP, which crashes the local Kibana. This issue only affects those who run functional tests locally and doesn't impact CI, where we use the built version of Kibana to run tests. This built version doesn't include the mock SAML IdP, delegating the mock SAML IdP configuration solely to FTR. This PR updates the code that attempts to automatically configure the mock SAML IdP in dev mode to check the configuration from both config files and CLI arguments to determine whether automatic configuration is possible. --- src/cli/serve/serve.js | 47 ++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js index b29e054b7ed95..bb2d6f6684683 100644 --- a/src/cli/serve/serve.js +++ b/src/cli/serve/serve.js @@ -118,7 +118,11 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions, keystoreC if (opts.dev) { if (opts.serverless) { setServerlessKibanaDevServiceAccountIfPossible(get, set, opts); - isServerlessSamlSupported = tryConfigureServerlessSamlProvider(rawConfig, opts); + isServerlessSamlSupported = tryConfigureServerlessSamlProvider( + rawConfig, + opts, + extraCliOptions + ); } if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) { @@ -342,9 +346,10 @@ function mergeAndReplaceArrays(objValue, srcValue) { * Tries to configure SAML provider in serverless mode and applies the necessary configuration. * @param rawConfig Full configuration object. * @param opts CLI options. + * @param extraCliOptions Extra CLI options. * @returns {boolean} True if SAML provider was successfully configured. */ -function tryConfigureServerlessSamlProvider(rawConfig, opts) { +function tryConfigureServerlessSamlProvider(rawConfig, opts, extraCliOptions) { if (!MOCK_IDP_PLUGIN_SUPPORTED || opts.ssl === false) { return false; } @@ -353,22 +358,32 @@ function tryConfigureServerlessSamlProvider(rawConfig, opts) { // eslint-disable-next-line import/no-dynamic-require const { MOCK_IDP_REALM_NAME } = require(MOCK_IDP_PLUGIN_PATH); - // Check if there are any custom authentication providers already configure with the order `0` reserved for the - // Serverless SAML provider. + // Check if there are any custom authentication providers already configured with the order `0` reserved for the + // Serverless SAML provider or if there is an existing SAML provider with the name MOCK_IDP_REALM_NAME. We check + // both rawConfig and extraCliOptions because the latter can be used to override the former. let hasBasicOrTokenProviderConfigured = false; - const providersConfig = _.get(rawConfig, 'xpack.security.authc.providers', {}); - for (const [providerType, providers] of Object.entries(providersConfig)) { - if (providerType === 'basic' || providerType === 'token') { - hasBasicOrTokenProviderConfigured = true; - } + for (const configSource of [rawConfig, extraCliOptions]) { + const providersConfig = _.get(configSource, 'xpack.security.authc.providers', {}); + for (const [providerType, providers] of Object.entries(providersConfig)) { + if (providerType === 'basic' || providerType === 'token') { + hasBasicOrTokenProviderConfigured = true; + } - for (const [providerName, provider] of Object.entries(providers)) { - if (provider.order === 0) { - console.warn( - `The serverless SAML authentication provider won't be configured because the order "0" is already used by the custom authentication provider "${providerType}/${providerName}".` + - `Please update the custom provider to use a different order or remove it to allow the serverless SAML provider to be configured.` - ); - return false; + for (const [providerName, provider] of Object.entries(providers)) { + if (provider.order === 0) { + console.warn( + `The serverless SAML authentication provider won't be configured because the order "0" is already used by the custom authentication provider "${providerType}/${providerName}".` + + `Please update the custom provider to use a different order or remove it to allow the serverless SAML provider to be configured.` + ); + return false; + } + + if (providerType === 'saml' && providerName === MOCK_IDP_REALM_NAME) { + console.warn( + `The serverless SAML authentication provider won't be configured because the SAML provider with "${MOCK_IDP_REALM_NAME}" name is already configured".` + ); + return false; + } } } } From e654e464665f0d6b071149d27b4293ceb4de3ba3 Mon Sep 17 00:00:00 2001 From: Kerry Gallagher Date: Tue, 2 Jul 2024 20:29:32 +0100 Subject: [PATCH 05/10] [Logs] Add Log Sources advanced setting and client / server access services (#186468) ## Summary Implements part 1 of https://github.com/elastic/observability-dev/issues/3498 (adds an advanced setting and data access services for consumers). ## Reviewer notes - Please see note comments inline with the code. - The `limits.yml` change was generated by `node scripts/build_kibana_platform_plugins.js --update-limits`. - There are no consumers using this yet, so you'll need to make some minor adjustments if you'd like to test the access services. In a plugin (`infra` for example) the server side access could look like this: ```ts const [, { logsDataAccess }] = await getStartServices(); const logSourcesService = await logsDataAccess.services.getLogSourcesService(request); await logSourcesService.setLogSources([ { indexPattern: 'logs-*-*' }, { indexPattern: 'test-logs-*' }, ]); ``` Public access could look like this: ```ts const logSourcesService = plugins.logsDataAccess.services.logSourcesService; logSourcesService.setLogSources([{ indexPattern: 'client-side-logs-*' }]); ``` - I haven't added any tests here yet as any unit tests would more or less just be re-testing a UI settings mock. Functional tests will be valuable once there are consumers. ## UI Screenshot 2024-06-20 at 10 41 16 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> --- .../settings/setting_ids/index.ts | 1 + packages/kbn-optimizer/limits.yml | 1 + .../server/collectors/management/schema.ts | 7 ++++ .../server/collectors/management/types.ts | 1 + src/plugins/telemetry/schema/oss_plugins.json | 9 +++++ x-pack/.i18nrc.json | 1 + .../logs_data_access/common/constants.ts | 8 ++++ .../logs_data_access/common/types.ts | 10 +++++ .../logs_data_access/common/ui_settings.ts | 32 +++++++++++++++ .../logs_data_access/kibana.jsonc | 2 +- .../logs_data_access/public/index.ts | 23 +++++++++++ .../logs_data_access/public/plugin.ts | 39 +++++++++++++++++++ .../services/log_sources_service/index.ts | 28 +++++++++++++ .../public/services/register_services.ts | 21 ++++++++++ .../logs_data_access/public/types.ts | 12 ++++++ .../logs_data_access/server/plugin.ts | 10 ++++- .../services/log_sources_service/index.ts | 35 +++++++++++++++++ .../server/services/register_services.ts | 9 ++++- .../logs_data_access/tsconfig.json | 10 ++++- 19 files changed, 254 insertions(+), 5 deletions(-) create mode 100644 x-pack/plugins/observability_solution/logs_data_access/common/constants.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/common/types.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/common/ui_settings.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/public/index.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/public/plugin.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/public/services/register_services.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/public/types.ts create mode 100644 x-pack/plugins/observability_solution/logs_data_access/server/services/log_sources_service/index.ts diff --git a/packages/kbn-management/settings/setting_ids/index.ts b/packages/kbn-management/settings/setting_ids/index.ts index 32df8ac3240c4..94d56372a17c4 100644 --- a/packages/kbn-management/settings/setting_ids/index.ts +++ b/packages/kbn-management/settings/setting_ids/index.ts @@ -142,6 +142,7 @@ export const OBSERVABILITY_APM_ENABLE_SERVICE_INVENTORY_TABLE_SEARCH_BAR = export const OBSERVABILITY_LOGS_EXPLORER_ALLOWED_DATA_VIEWS_ID = 'observability:logsExplorer:allowedDataViews'; export const OBSERVABILITY_APM_ENABLE_MULTI_SIGNAL = 'observability:apmEnableMultiSignal'; +export const OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID = 'observability:logSources'; // Reporting settings export const XPACK_REPORTING_CUSTOM_PDF_LOGO_ID = 'xpackReporting:customPdfLogo'; diff --git a/packages/kbn-optimizer/limits.yml b/packages/kbn-optimizer/limits.yml index 73d9f0e23af29..c4958003bcfb6 100644 --- a/packages/kbn-optimizer/limits.yml +++ b/packages/kbn-optimizer/limits.yml @@ -95,6 +95,7 @@ pageLoadAssetSize: licensing: 29004 links: 44490 lists: 22900 + logsDataAccess: 16759 logsExplorer: 60000 logsShared: 281060 logstash: 53548 diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts index cf62f45ce3156..8285a0aee6b01 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/schema.ts @@ -499,6 +499,13 @@ export const stackManagementSchema: MakeSchemaFrom = { _meta: { description: 'Non-default value of setting.' }, }, }, + 'observability:logSources': { + type: 'array', + items: { + type: 'keyword', + _meta: { description: 'Non-default value of setting.' }, + }, + }, 'banners:placement': { type: 'keyword', _meta: { description: 'Non-default value of setting.' }, diff --git a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts index 6a5983df9ccfd..95c72298a9b0e 100644 --- a/src/plugins/kibana_usage_collection/server/collectors/management/types.ts +++ b/src/plugins/kibana_usage_collection/server/collectors/management/types.ts @@ -53,6 +53,7 @@ export interface UsageStats { 'observability:apmEnableTableSearchBar': boolean; 'observability:apmEnableServiceInventoryTableSearchBar': boolean; 'observability:logsExplorer:allowedDataViews': string[]; + 'observability:logSources': string[]; 'observability:aiAssistantLogsIndexPattern': string; 'observability:aiAssistantResponseLanguage': string; 'observability:aiAssistantSimulatedFunctionCalling': boolean; diff --git a/src/plugins/telemetry/schema/oss_plugins.json b/src/plugins/telemetry/schema/oss_plugins.json index 1e2c942ba2a5c..22e75e5d4b658 100644 --- a/src/plugins/telemetry/schema/oss_plugins.json +++ b/src/plugins/telemetry/schema/oss_plugins.json @@ -10343,6 +10343,15 @@ } } }, + "observability:logSources": { + "type": "array", + "items": { + "type": "keyword", + "_meta": { + "description": "Non-default value of setting." + } + } + }, "banners:placement": { "type": "keyword", "_meta": { diff --git a/x-pack/.i18nrc.json b/x-pack/.i18nrc.json index dd3409451e704..ed7720dda0fdd 100644 --- a/x-pack/.i18nrc.json +++ b/x-pack/.i18nrc.json @@ -47,6 +47,7 @@ "xpack.idxMgmtPackage": "packages/index-management", "xpack.indexLifecycleMgmt": "plugins/index_lifecycle_management", "xpack.infra": "plugins/observability_solution/infra", + "xpack.logsDataAccess": "plugins/observability_solution/logs_data_access", "xpack.logsExplorer": "plugins/observability_solution/logs_explorer", "xpack.logsShared": "plugins/observability_solution/logs_shared", "xpack.fleet": "plugins/fleet", diff --git a/x-pack/plugins/observability_solution/logs_data_access/common/constants.ts b/x-pack/plugins/observability_solution/logs_data_access/common/constants.ts new file mode 100644 index 0000000000000..83acb8bcfff15 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/common/constants.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const DEFAULT_LOG_SOURCES = ['logs-*-*']; diff --git a/x-pack/plugins/observability_solution/logs_data_access/common/types.ts b/x-pack/plugins/observability_solution/logs_data_access/common/types.ts new file mode 100644 index 0000000000000..d021617f294ae --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/common/types.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export interface LogSource { + indexPattern: string; +} diff --git a/x-pack/plugins/observability_solution/logs_data_access/common/ui_settings.ts b/x-pack/plugins/observability_solution/logs_data_access/common/ui_settings.ts new file mode 100644 index 0000000000000..500011231ee38 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/common/ui_settings.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { schema } from '@kbn/config-schema'; +import { UiSettingsParams } from '@kbn/core-ui-settings-common'; +import { i18n } from '@kbn/i18n'; +import { OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID } from '@kbn/management-settings-ids'; +import { DEFAULT_LOG_SOURCES } from './constants'; + +/** + * uiSettings definitions for the logs_data_access plugin. + */ +export const uiSettings: Record = { + [OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID]: { + category: ['observability'], + name: i18n.translate('xpack.logsDataAccess.logSources', { + defaultMessage: 'Log sources', + }), + value: DEFAULT_LOG_SOURCES, + description: i18n.translate('xpack.logsDataAccess.logSourcesDescription', { + defaultMessage: + 'Sources to be used for logs data. If the data contained in these indices is not logs data, you may experience degraded functionality.', + }), + type: 'array', + schema: schema.arrayOf(schema.string()), + requiresPageReload: true, + }, +}; diff --git a/x-pack/plugins/observability_solution/logs_data_access/kibana.jsonc b/x-pack/plugins/observability_solution/logs_data_access/kibana.jsonc index 0636aac3e5c96..56d8e556affc4 100644 --- a/x-pack/plugins/observability_solution/logs_data_access/kibana.jsonc +++ b/x-pack/plugins/observability_solution/logs_data_access/kibana.jsonc @@ -5,7 +5,7 @@ "plugin": { "id": "logsDataAccess", "server": true, - "browser": false, + "browser": true, "requiredPlugins": [ "data", "dataViews" diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/index.ts b/x-pack/plugins/observability_solution/logs_data_access/public/index.ts new file mode 100644 index 0000000000000..ed4a2be8a1b09 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/public/index.ts @@ -0,0 +1,23 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PluginInitializer } from '@kbn/core/public'; +import { + LogsDataAccessPlugin, + LogsDataAccessPluginSetup, + LogsDataAccessPluginStart, +} from './plugin'; +import { LogsDataAccessPluginSetupDeps, LogsDataAccessPluginStartDeps } from './types'; + +export const plugin: PluginInitializer< + LogsDataAccessPluginSetup, + LogsDataAccessPluginStart, + LogsDataAccessPluginSetupDeps, + LogsDataAccessPluginStartDeps +> = () => { + return new LogsDataAccessPlugin(); +}; diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/plugin.ts b/x-pack/plugins/observability_solution/logs_data_access/public/plugin.ts new file mode 100644 index 0000000000000..b68d3734ee695 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/public/plugin.ts @@ -0,0 +1,39 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { CoreStart } from '@kbn/core/public'; +import { Plugin } from '@kbn/core/public'; +import { registerServices } from './services/register_services'; +import { LogsDataAccessPluginSetupDeps, LogsDataAccessPluginStartDeps } from './types'; +export type LogsDataAccessPluginSetup = ReturnType; +export type LogsDataAccessPluginStart = ReturnType; + +export class LogsDataAccessPlugin + implements + Plugin< + LogsDataAccessPluginSetup, + LogsDataAccessPluginStart, + LogsDataAccessPluginSetupDeps, + LogsDataAccessPluginStartDeps + > +{ + public setup() {} + + public start(core: CoreStart, plugins: LogsDataAccessPluginStartDeps) { + const services = registerServices({ + deps: { + uiSettings: core.uiSettings, + }, + }); + + return { + services, + }; + } + + public stop() {} +} diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts b/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts new file mode 100644 index 0000000000000..3fd4674ea5509 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/public/services/log_sources_service/index.ts @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID } from '@kbn/management-settings-ids'; +import { LogSource } from '../../../common/types'; +import { RegisterServicesParams } from '../register_services'; + +export function createLogSourcesService(params: RegisterServicesParams) { + const { uiSettings } = params.deps; + return { + getLogSources: (): LogSource[] => { + const logSources = uiSettings.get(OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID); + return logSources.map((logSource) => ({ + indexPattern: logSource, + })); + }, + setLogSources: async (sources: LogSource[]) => { + return await uiSettings.set( + OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID, + sources.map((source) => source.indexPattern) + ); + }, + }; +} diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/services/register_services.ts b/x-pack/plugins/observability_solution/logs_data_access/public/services/register_services.ts new file mode 100644 index 0000000000000..73ce189106287 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/public/services/register_services.ts @@ -0,0 +1,21 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { IUiSettingsClient } from '@kbn/core-ui-settings-browser'; +import { createLogSourcesService } from './log_sources_service'; + +export interface RegisterServicesParams { + deps: { + uiSettings: IUiSettingsClient; + }; +} + +export function registerServices(params: RegisterServicesParams) { + return { + logSourcesService: createLogSourcesService(params), + }; +} diff --git a/x-pack/plugins/observability_solution/logs_data_access/public/types.ts b/x-pack/plugins/observability_solution/logs_data_access/public/types.ts new file mode 100644 index 0000000000000..a330a295c17ce --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/public/types.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// eslint-disable-next-line @typescript-eslint/no-empty-interface +export interface LogsDataAccessPluginSetupDeps {} + +// eslint-disable-next-line @typescript-eslint/no-empty-interface +export interface LogsDataAccessPluginStartDeps {} diff --git a/x-pack/plugins/observability_solution/logs_data_access/server/plugin.ts b/x-pack/plugins/observability_solution/logs_data_access/server/plugin.ts index 13977e869b233..74d56a794b3fe 100644 --- a/x-pack/plugins/observability_solution/logs_data_access/server/plugin.ts +++ b/x-pack/plugins/observability_solution/logs_data_access/server/plugin.ts @@ -12,6 +12,7 @@ import type { Plugin, PluginInitializerContext, } from '@kbn/core/server'; +import { uiSettings } from '../common/ui_settings'; import { registerServices } from './services/register_services'; import { LogsDataAccessPluginStartDeps, LogsDataAccessPluginSetupDeps } from './types'; @@ -32,12 +33,17 @@ export class LogsDataAccessPlugin constructor(initializerContext: PluginInitializerContext) { this.logger = initializerContext.logger.get(); } - public setup(core: CoreSetup, plugins: LogsDataAccessPluginSetupDeps) {} + public setup(core: CoreSetup, plugins: LogsDataAccessPluginSetupDeps) { + core.uiSettings.register(uiSettings); + } public start(core: CoreStart, plugins: LogsDataAccessPluginStartDeps) { const services = registerServices({ logger: this.logger, - deps: {}, + deps: { + savedObjects: core.savedObjects, + uiSettings: core.uiSettings, + }, }); return { diff --git a/x-pack/plugins/observability_solution/logs_data_access/server/services/log_sources_service/index.ts b/x-pack/plugins/observability_solution/logs_data_access/server/services/log_sources_service/index.ts new file mode 100644 index 0000000000000..c6075d1d20834 --- /dev/null +++ b/x-pack/plugins/observability_solution/logs_data_access/server/services/log_sources_service/index.ts @@ -0,0 +1,35 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { KibanaRequest } from '@kbn/core-http-server'; +import { OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID } from '@kbn/management-settings-ids'; +import { LogSource } from '../../../common/types'; +import { RegisterServicesParams } from '../register_services'; + +export function createGetLogSourcesService(params: RegisterServicesParams) { + return async (request: KibanaRequest) => { + const { savedObjects, uiSettings } = params.deps; + const soClient = savedObjects.getScopedClient(request); + const uiSettingsClient = uiSettings.asScopedToClient(soClient); + return { + getLogSources: async (): Promise => { + const logSources = await uiSettingsClient.get( + OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID + ); + return logSources.map((logSource) => ({ + indexPattern: logSource, + })); + }, + setLogSources: async (sources: LogSource[]) => { + return await uiSettingsClient.set( + OBSERVABILITY_LOGS_DATA_ACCESS_LOG_SOURCES_ID, + sources.map((source) => source.indexPattern) + ); + }, + }; + }; +} diff --git a/x-pack/plugins/observability_solution/logs_data_access/server/services/register_services.ts b/x-pack/plugins/observability_solution/logs_data_access/server/services/register_services.ts index c35b30783b5f4..26435a5657be9 100644 --- a/x-pack/plugins/observability_solution/logs_data_access/server/services/register_services.ts +++ b/x-pack/plugins/observability_solution/logs_data_access/server/services/register_services.ts @@ -5,16 +5,23 @@ * 2.0. */ +import { SavedObjectsServiceStart } from '@kbn/core-saved-objects-server'; +import { UiSettingsServiceStart } from '@kbn/core-ui-settings-server'; import { Logger } from '@kbn/logging'; import { createGetLogsRatesService } from './get_logs_rates_service'; +import { createGetLogSourcesService } from './log_sources_service'; export interface RegisterServicesParams { logger: Logger; - deps: {}; + deps: { + savedObjects: SavedObjectsServiceStart; + uiSettings: UiSettingsServiceStart; + }; } export function registerServices(params: RegisterServicesParams) { return { getLogsRatesService: createGetLogsRatesService(params), + getLogSourcesService: createGetLogSourcesService(params), }; } diff --git a/x-pack/plugins/observability_solution/logs_data_access/tsconfig.json b/x-pack/plugins/observability_solution/logs_data_access/tsconfig.json index 9bd4031c7a39e..1bc17c4f8814a 100644 --- a/x-pack/plugins/observability_solution/logs_data_access/tsconfig.json +++ b/x-pack/plugins/observability_solution/logs_data_access/tsconfig.json @@ -3,12 +3,20 @@ "compilerOptions": { "outDir": "target/types" }, - "include": ["common/**/*", "server/**/*", "jest.config.js"], + "include": ["common/**/*", "server/**/*", "public/**/*", "jest.config.js"], "exclude": ["target/**/*"], "kbn_references": [ "@kbn/core", "@kbn/logging", "@kbn/data-plugin", "@kbn/data-views-plugin", + "@kbn/core-http-server", + "@kbn/management-settings-ids", + "@kbn/config-schema", + "@kbn/core-ui-settings-common", + "@kbn/i18n", + "@kbn/core-saved-objects-server", + "@kbn/core-ui-settings-server", + "@kbn/core-ui-settings-browser", ] } From 2aa94a27f05b0b72fdbb01f8b929e28452974929 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Tue, 2 Jul 2024 14:33:11 -0500 Subject: [PATCH 06/10] [Detection Engine] Adds Alert Suppression to ML Rules (#181926) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary This PR introduces Alert Suppression for ML Detection Rules. This feature is behaviorally similar to alerting suppression for other Detection Engine Rule types, and nearly identical to the analogous features for EQL rules. There are some additional UI behaviors introduced here as well, mainly intended to cover the shortcomings discovered in https://github.com/elastic/kibana/issues/183100. Those behaviors are: 1. Populating the suppression field list with fields from the anomaly index(es). 1. Disabling the suppression UI if no selected ML jobs are running (because we cannot populate the list of fields on which they'll be suppressing). 1. Warning the user if _some_ selected ML jobs are not running (because the list of suppression fields may be incomplete). See screenshots below for more info. ### Intermediate Serverless Deployment As per the "intermediate deployment" requirements for serverless, while the schema (and declared alert SO mappings) will be extended to allow this functionality, the user-facing features are currently hidden behind a feature flag. Once this is merged and released, we can issue a "final" deployment in which the feature flag is enabled, and the feature effectively released. ## Screenshots * Overview of new UI fields Screenshot 2024-05-16 at 3 22 02 PM * Example of Anomaly fields in suppression combobox Screenshot 2024-06-06 at 5 14 17 PM * Suppression disabled due to no jobs running Screenshot 2024-06-17 at 11 23 39 PM * Warning due to not all jobs running Screenshot 2024-06-17 at 11 26 16 PM ## Steps to Review 1. Review the Test Plan for an overview of behavior 2. Review Integration tests for an overview of implementation and edge cases 3. Review Cypress tests for an overview of UX changes 4. Testing on [Demo Instance](https://rylnd-pr-181926-ml-rule-alert-suppression.kbndev.co/) (elastic/changeme) 1. This instance has the relevant feature flag enabled, has some sample auditbeat data, as well as the [anomalies archive data](https://github.com/elastic/kibana/tree/main/x-pack/test/functional/es_archives/security_solution/anomalies) for the purposes of exercising an ML rule against "real" anomalies 1. There are a few example rules in the default space: 1. A simple [query rule](https://rylnd-pr-181926-ml-rule-alert-suppression.kbndev.co/app/security/rules/id/f6f5960d-7e4b-40c1-ae15-501112822130) against auditbeat data 1. An [ML rule](https://rylnd-pr-181926-ml-rule-alert-suppression.kbndev.co/app/security/rules/id/9122669e-b2e1-41ce-af25-eeae15aa9ece) with per-execution suppression on both `by_field_name` and `by_field_value` (which ends up not actually suppressing anything) 1. An [ML rule](https://rylnd-pr-181926-ml-rule-alert-suppression.kbndev.co/app/security/rules/id/0aabc280-00bd-42d4-82e6-65997c751797) with per-execution suppression on `by_field_name` (which suppresses all anomalies into a single alert) ## Related Issues - This feature was temporarily blocked by https://github.com/elastic/kibana/issues/183100, but those changes are now in this PR. ## Checklist - [x] Functional changes are hidden behind a feature flag. If not hidden, the PR explains why these changes are being implemented in a long-living feature branch. - [x] Functional changes are covered with a test plan and automated tests. * [Test Plan](https://github.com/elastic/security-team/pull/9279) - [x] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner) in both ESS and Serverless. By default, use 200 runs for ESS and 200 runs for Serverless. * [ESS - Cypress x 200](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6449) * [Serverless - Cypress x 200](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6450) * [ESS - API x 200](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6447) * [Serverless - API x 200](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6448) - [ ] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless. - [ ] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. - [ ] (OPTIONAL) OpenAPI specs changes include detailed descriptions and examples of usage and are ready to be released on https://docs.elastic.co/api-reference. NOTE: This is optional because at the moment we don't have yet any OpenAPI specs that would be fully "documented" and "GA-ready" for publishing on https://docs.elastic.co/api-reference. - [ ] Functional changes are communicated to the Docs team. A ticket is opened in https://github.com/elastic/security-docs using the [Internal documentation request (Elastic employees)](https://github.com/elastic/security-docs/issues/new?assignees=&labels=&projects=&template=docs-request-internal.yaml&title=%5BRequest%5D+) template. The following information is included: feature flags used, target ESS version, planned timing for ESS and Serverless releases. --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> --- .../project_roles/security/roles.yml | 21 + ...s_upgrade_and_rollback_checks.test.ts.snap | 46 + .../rule_schema/rule_request_schema.test.ts | 1 + .../model/rule_schema/rule_schemas.gen.ts | 17 +- .../rule_schema/rule_schemas.schema.yaml | 9 + .../common/detection_engine/constants.ts | 1 + .../common/detection_engine/utils.test.ts | 16 +- .../common/experimental_features.ts | 5 + .../components/ml/hooks/use_ml_rule_config.ts | 62 + .../ml/hooks/use_ml_rule_validations.test.ts | 102 ++ .../ml/hooks/use_ml_rule_validations.ts | 41 + .../common/components/ml_popover/api.mock.ts | 10 + .../hooks/use_security_jobs_helpers.tsx | 13 +- .../description_step/index.test.tsx | 73 +- .../components/step_define_rule/index.tsx | 106 +- .../step_define_rule/translations.tsx | 15 + ...e_experimental_feature_fields_transform.ts | 10 +- .../pages/rule_creation/helpers.test.ts | 26 + .../pages/rule_creation/helpers.ts | 1 + .../logic/use_alert_suppression.test.tsx | 38 +- .../logic/use_alert_suppression.tsx | 15 +- .../rule_management/logic/use_rule_fields.ts | 36 + .../components/alerts_table/actions.tsx | 52 +- .../es_serverless_resources/roles.yml | 18 + .../normalization/rule_converters.test.ts | 117 +- .../normalization/rule_converters.ts | 4 + .../rule_schema/model/rule_schemas.ts | 1 + .../rule_types/ml/create_ml_alert_type.ts | 39 +- .../detection_engine/rule_types/ml/ml.test.ts | 60 +- .../lib/detection_engine/rule_types/ml/ml.ts | 84 +- .../lib/detection_engine/rule_types/types.ts | 4 +- .../utils/wrap_suppressed_alerts.ts | 11 +- .../delete_all_anomalies.ts | 36 + .../detections_response/index.ts | 1 + .../security_solution/anomalies/mappings.json | 9 +- .../config/ess/config.base.ts | 1 + .../configs/serverless.config.ts | 1 + .../execution_logic/index.ts | 1 + .../execution_logic/machine_learning.ts | 4 +- .../machine_learning_alert_suppression.ts | 1106 +++++++++++++++++ .../machine_learning_setup.ts | 3 +- ..._generated_properties_including_rule_id.ts | 10 +- .../test/security_solution_cypress/config.ts | 1 + ...ws_suppression_serverless_essentials.cy.ts | 7 +- .../common_flows_supression_ess_basic.cy.ts | 4 + .../machine_learning_rule_suppression.cy.ts | 198 +++ .../rule_edit/machine_learning_rule.cy.ts | 178 +++ .../prebuilt_rules_preview.cy.ts | 28 +- .../cypress/support/machine_learning.ts | 64 + .../serverless_config.ts | 1 + .../project_controller_security_roles.yml | 18 + 51 files changed, 2503 insertions(+), 222 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts create mode 100644 x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.test.ts create mode 100644 x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.ts create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_rule_fields.ts create mode 100644 x-pack/test/common/utils/security_solution/detections_response/delete_all_anomalies.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/machine_learning_rule_suppression.cy.ts create mode 100644 x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts diff --git a/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml index e47cc78eadc33..3c118688f6429 100644 --- a/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml +++ b/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml @@ -35,6 +35,7 @@ viewer: - '.fleet-actions*' - 'risk-score.risk-score-*' - '.asset-criticality.asset-criticality-*' + - '.ml-anomalies-*' privileges: - read applications: @@ -100,6 +101,10 @@ editor: - 'read' - 'write' allow_restricted_indices: false + - names: + - '.ml-anomalies-*' + privileges: + - read applications: - application: 'kibana-.kibana' privileges: @@ -154,6 +159,7 @@ t1_analyst: - '.fleet-actions*' - risk-score.risk-score-* - .asset-criticality.asset-criticality-* + - '.ml-anomalies-*' privileges: - read applications: @@ -201,6 +207,7 @@ t2_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read - names: @@ -262,6 +269,7 @@ t3_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read applications: @@ -331,6 +339,7 @@ threat_intelligence_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read applications: @@ -389,6 +398,7 @@ rule_author: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read applications: @@ -453,6 +463,7 @@ soc_manager: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read applications: @@ -513,6 +524,7 @@ detections_admin: - metrics-endpoint.metadata_current_* - .fleet-agents* - .fleet-actions* + - '.ml-anomalies-*' privileges: - read - names: @@ -570,6 +582,10 @@ platform_engineer: privileges: - read - write + - names: + - '.ml-anomalies-*' + privileges: + - read applications: - application: 'kibana-.kibana' privileges: @@ -620,6 +636,7 @@ endpoint_operations_analyst: - .lists* - .items* - risk-score.risk-score-* + - '.ml-anomalies-*' privileges: - read - names: @@ -710,6 +727,10 @@ endpoint_policy_manager: - read - write - manage + - names: + - '.ml-anomalies-*' + privileges: + - read applications: - application: 'kibana-.kibana' privileges: diff --git a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap index 456b7e00dd1ed..932daa1fed69d 100644 --- a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap +++ b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap @@ -7127,6 +7127,52 @@ Object { }, Object { "properties": Object { + "alertSuppression": Object { + "additionalProperties": false, + "properties": Object { + "duration": Object { + "additionalProperties": false, + "properties": Object { + "unit": Object { + "enum": Array [ + "s", + "m", + "h", + ], + "type": "string", + }, + "value": Object { + "minimum": 1, + "type": "integer", + }, + }, + "required": Array [ + "value", + "unit", + ], + "type": "object", + }, + "groupBy": Object { + "items": Object { + "type": "string", + }, + "maxItems": 3, + "minItems": 1, + "type": "array", + }, + "missingFieldsStrategy": Object { + "enum": Array [ + "doNotSuppress", + "suppress", + ], + "type": "string", + }, + }, + "required": Array [ + "groupBy", + ], + "type": "object", + }, "anomalyThreshold": Object { "minimum": 0, "type": "integer", diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts index b7435c7dd86e8..a22886b287c7f 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts +++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_request_schema.test.ts @@ -1272,6 +1272,7 @@ describe('rules schema', () => { { ruleType: 'saved_query', ruleMock: getCreateSavedQueryRulesSchemaMock() }, { ruleType: 'eql', ruleMock: getCreateEqlRuleSchemaMock() }, { ruleType: 'new_terms', ruleMock: getCreateNewTermsRulesSchemaMock() }, + { ruleType: 'machine_learning', ruleMock: getCreateMachineLearningRulesSchemaMock() }, ]; cases.forEach(({ ruleType, ruleMock }) => { diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts index 9bb1b26fafd95..83bf6778ec3e3 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts +++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts @@ -468,14 +468,25 @@ export const MachineLearningRuleRequiredFields = z.object({ machine_learning_job_id: MachineLearningJobId, }); +export type MachineLearningRuleOptionalFields = z.infer; +export const MachineLearningRuleOptionalFields = z.object({ + alert_suppression: AlertSuppression.optional(), +}); + export type MachineLearningRulePatchFields = z.infer; -export const MachineLearningRulePatchFields = MachineLearningRuleRequiredFields.partial(); +export const MachineLearningRulePatchFields = MachineLearningRuleRequiredFields.partial().merge( + MachineLearningRuleOptionalFields +); export type MachineLearningRuleResponseFields = z.infer; -export const MachineLearningRuleResponseFields = MachineLearningRuleRequiredFields; +export const MachineLearningRuleResponseFields = MachineLearningRuleRequiredFields.merge( + MachineLearningRuleOptionalFields +); export type MachineLearningRuleCreateFields = z.infer; -export const MachineLearningRuleCreateFields = MachineLearningRuleRequiredFields; +export const MachineLearningRuleCreateFields = MachineLearningRuleRequiredFields.merge( + MachineLearningRuleOptionalFields +); export type MachineLearningRule = z.infer; export const MachineLearningRule = SharedResponseProps.merge(MachineLearningRuleResponseFields); diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml index de424af505c1f..4ade72c15fbb9 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml @@ -686,18 +686,27 @@ components: - machine_learning_job_id - anomaly_threshold + MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' + MachineLearningRulePatchFields: allOf: - $ref: '#/components/schemas/MachineLearningRuleRequiredFields' x-modify: partial + - $ref: '#/components/schemas/MachineLearningRuleOptionalFields' MachineLearningRuleResponseFields: allOf: - $ref: '#/components/schemas/MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/MachineLearningRuleOptionalFields' MachineLearningRuleCreateFields: allOf: - $ref: '#/components/schemas/MachineLearningRuleRequiredFields' + - $ref: '#/components/schemas/MachineLearningRuleOptionalFields' MachineLearningRule: allOf: diff --git a/x-pack/plugins/security_solution/common/detection_engine/constants.ts b/x-pack/plugins/security_solution/common/detection_engine/constants.ts index 54c81cf93568f..8e06f46f1f46d 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/constants.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/constants.ts @@ -47,6 +47,7 @@ export const SUPPRESSIBLE_ALERT_RULES: Type[] = [ 'new_terms', 'threat_match', 'eql', + 'machine_learning', ]; export const SUPPRESSIBLE_ALERT_RULES_GA: Type[] = ['saved_query', 'query']; diff --git a/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts b/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts index 2e5ac39936fa3..a4db006a67463 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/utils.test.ts @@ -236,9 +236,7 @@ describe('Alert Suppression Rules', () => { expect(isSuppressibleAlertRule('threat_match')).toBe(true); expect(isSuppressibleAlertRule('new_terms')).toBe(true); expect(isSuppressibleAlertRule('eql')).toBe(true); - - // Rule types that don't support alert suppression: - expect(isSuppressibleAlertRule('machine_learning')).toBe(false); + expect(isSuppressibleAlertRule('machine_learning')).toBe(true); }); test('should return false for an unknown rule type', () => { @@ -273,9 +271,7 @@ describe('Alert Suppression Rules', () => { expect(isSuppressionRuleConfiguredWithDuration('threat_match')).toBe(true); expect(isSuppressionRuleConfiguredWithDuration('new_terms')).toBe(true); expect(isSuppressionRuleConfiguredWithDuration('eql')).toBe(true); - - // Rule types that don't support alert suppression: - expect(isSuppressionRuleConfiguredWithDuration('machine_learning')).toBe(false); + expect(isSuppressionRuleConfiguredWithDuration('machine_learning')).toBe(true); }); test('should return false for an unknown rule type', () => { @@ -294,9 +290,7 @@ describe('Alert Suppression Rules', () => { expect(isSuppressionRuleConfiguredWithGroupBy('threat_match')).toBe(true); expect(isSuppressionRuleConfiguredWithGroupBy('new_terms')).toBe(true); expect(isSuppressionRuleConfiguredWithGroupBy('eql')).toBe(true); - - // Rule types that don't support alert suppression: - expect(isSuppressionRuleConfiguredWithGroupBy('machine_learning')).toBe(false); + expect(isSuppressionRuleConfiguredWithGroupBy('machine_learning')).toBe(true); }); test('should return false for a threshold rule type', () => { @@ -320,9 +314,7 @@ describe('Alert Suppression Rules', () => { expect(isSuppressionRuleConfiguredWithMissingFields('threat_match')).toBe(true); expect(isSuppressionRuleConfiguredWithMissingFields('new_terms')).toBe(true); expect(isSuppressionRuleConfiguredWithMissingFields('eql')).toBe(true); - - // Rule types that don't support alert suppression: - expect(isSuppressionRuleConfiguredWithMissingFields('machine_learning')).toBe(false); + expect(isSuppressionRuleConfiguredWithMissingFields('machine_learning')).toBe(true); }); test('should return false for a threshold rule type', () => { diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts index 0a7558515226f..66b5f4bd948a1 100644 --- a/x-pack/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/plugins/security_solution/common/experimental_features.ts @@ -175,6 +175,11 @@ export const allowedExperimentalValues = Object.freeze({ */ riskEnginePrivilegesRouteEnabled: true, + /** + * Enables alerts suppression for machine learning rules + */ + alertSuppressionForMachineLearningRuleEnabled: false, + /** * Enables experimental Experimental S1 integration data to be available in Analyzer */ diff --git a/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts new file mode 100644 index 0000000000000..86551ad64b43a --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_config.ts @@ -0,0 +1,62 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { useMemo } from 'react'; +import type { DataViewFieldBase } from '@kbn/es-query'; + +import { getTermsAggregationFields } from '../../../../detection_engine/rule_creation_ui/components/step_define_rule/utils'; +import { useRuleFields } from '../../../../detection_engine/rule_management/logic/use_rule_fields'; +import type { BrowserField } from '../../../containers/source'; +import { useMlCapabilities } from './use_ml_capabilities'; +import { useMlRuleValidations } from './use_ml_rule_validations'; +import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions'; +import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license'; + +export interface UseMlRuleConfigReturn { + hasMlAdminPermissions: boolean; + hasMlLicense: boolean; + mlFields: DataViewFieldBase[]; + mlFieldsLoading: boolean; + mlSuppressionFields: BrowserField[]; + noMlJobsStarted: boolean; + someMlJobsStarted: boolean; +} + +/** + * This hook is used to retrieve the various configurations and status needed for creating/editing an ML Rule in the Detection Engine UI. It composes several other ML hooks. + * + * @param machineLearningJobId The ID(s) of the ML job to retrieve the configuration for + * + * @returns {UseMlRuleConfigReturn} An object containing the various configurations and statuses needed for creating/editing an ML Rule + * + */ +export const useMLRuleConfig = ({ + machineLearningJobId, +}: { + machineLearningJobId: string[]; +}): UseMlRuleConfigReturn => { + const mlCapabilities = useMlCapabilities(); + const { someJobsStarted: someMlJobsStarted, noJobsStarted: noMlJobsStarted } = + useMlRuleValidations({ machineLearningJobId }); + const { loading: mlFieldsLoading, fields: mlFields } = useRuleFields({ + machineLearningJobId, + }); + const mlSuppressionFields = useMemo( + () => getTermsAggregationFields(mlFields as BrowserField[]), + [mlFields] + ); + + return { + hasMlAdminPermissions: hasMlAdminPermissions(mlCapabilities), + hasMlLicense: hasMlLicense(mlCapabilities), + mlFields, + mlFieldsLoading, + mlSuppressionFields, + noMlJobsStarted, + someMlJobsStarted, + }; +}; diff --git a/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.test.ts b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.test.ts new file mode 100644 index 0000000000000..6f14d6fe2a736 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.test.ts @@ -0,0 +1,102 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { renderHook } from '@testing-library/react-hooks'; +import { TestProviders } from '../../../mock'; +import { buildMockJobsSummary, getJobsSummaryResponseMock } from '../../ml_popover/api.mock'; +import { useInstalledSecurityJobs } from './use_installed_security_jobs'; + +import { useMlRuleValidations } from './use_ml_rule_validations'; + +jest.mock('./use_installed_security_jobs'); + +describe('useMlRuleValidations', () => { + const machineLearningJobId = ['test_job', 'test_job_2']; + + beforeEach(() => { + (useInstalledSecurityJobs as jest.Mock).mockReturnValue({ + loading: true, + jobs: [], + }); + }); + + it('returns loading state from inner hook', () => { + const { result, rerender } = renderHook(() => useMlRuleValidations({ machineLearningJobId }), { + wrapper: TestProviders, + }); + expect(result.current).toEqual(expect.objectContaining({ loading: true })); + + (useInstalledSecurityJobs as jest.Mock).mockReturnValueOnce({ + loading: false, + jobs: [], + }); + + rerender(); + + expect(result.current).toEqual(expect.objectContaining({ loading: false })); + }); + + it('returns no jobs started when no jobs are started', () => { + const { result } = renderHook(() => useMlRuleValidations({ machineLearningJobId }), { + wrapper: TestProviders, + }); + + expect(result.current).toEqual( + expect.objectContaining({ noJobsStarted: true, someJobsStarted: false }) + ); + }); + + it('returns some jobs started when some jobs are started', () => { + (useInstalledSecurityJobs as jest.Mock).mockReturnValueOnce({ + loading: false, + jobs: getJobsSummaryResponseMock([ + buildMockJobsSummary({ + id: machineLearningJobId[0], + jobState: 'opened', + datafeedState: 'started', + }), + buildMockJobsSummary({ + id: machineLearningJobId[1], + }), + ]), + }); + + const { result } = renderHook(() => useMlRuleValidations({ machineLearningJobId }), { + wrapper: TestProviders, + }); + + expect(result.current).toEqual( + expect.objectContaining({ noJobsStarted: false, someJobsStarted: true }) + ); + }); + + it('returns neither "no jobs started" nor "some jobs started" when all jobs are started', () => { + (useInstalledSecurityJobs as jest.Mock).mockReturnValueOnce({ + loading: false, + jobs: getJobsSummaryResponseMock([ + buildMockJobsSummary({ + id: machineLearningJobId[0], + jobState: 'opened', + datafeedState: 'started', + }), + buildMockJobsSummary({ + id: machineLearningJobId[1], + jobState: 'opened', + datafeedState: 'started', + }), + ]), + }); + + const { result } = renderHook(() => useMlRuleValidations({ machineLearningJobId }), { + wrapper: TestProviders, + }); + + expect(result.current).toEqual( + expect.objectContaining({ noJobsStarted: false, someJobsStarted: false }) + ); + }); +}); diff --git a/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.ts b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.ts new file mode 100644 index 0000000000000..81897c5d29b82 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/components/ml/hooks/use_ml_rule_validations.ts @@ -0,0 +1,41 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { isJobStarted } from '../../../../../common/machine_learning/helpers'; +import { useInstalledSecurityJobs } from './use_installed_security_jobs'; + +export interface UseMlRuleValidationsParams { + machineLearningJobId: string[] | undefined; +} + +export interface UseMlRuleValidationsReturn { + loading: boolean; + noJobsStarted: boolean; + someJobsStarted: boolean; +} + +/** + * Hook to encapsulate some of our validation checks for ML rules. + * + * @param machineLearningJobId the ML Job IDs of the rule + * @returns validation state about the rule, relative to its ML jobs. + */ +export const useMlRuleValidations = ({ + machineLearningJobId, +}: UseMlRuleValidationsParams): UseMlRuleValidationsReturn => { + const { jobs: installedJobs, loading } = useInstalledSecurityJobs(); + const ruleMlJobs = installedJobs.filter((installedJob) => + (machineLearningJobId ?? []).includes(installedJob.id) + ); + const numberOfRuleMlJobsStarted = ruleMlJobs.filter((job) => + isJobStarted(job.jobState, job.datafeedState) + ).length; + const noMlJobsStarted = numberOfRuleMlJobsStarted === 0; + const someMlJobsStarted = !noMlJobsStarted && numberOfRuleMlJobsStarted !== ruleMlJobs.length; + + return { loading, noJobsStarted: noMlJobsStarted, someJobsStarted: someMlJobsStarted }; +}; diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.mock.ts b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.mock.ts index 2000db1807cbf..fdd9d66ebaf90 100644 --- a/x-pack/plugins/security_solution/public/common/components/ml_popover/api.mock.ts +++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/api.mock.ts @@ -100,6 +100,16 @@ export const mockJobsSummaryResponse: MlSummaryJob[] = [ }, ]; +export const getJobsSummaryResponseMock = (additionalJobs: MlSummaryJob[]): MlSummaryJob[] => [ + ...mockJobsSummaryResponse, + ...additionalJobs, +]; + +export const buildMockJobsSummary = (overrides: Partial): MlSummaryJob => ({ + ...mockJobsSummaryResponse[0], + ...overrides, +}); + export const mockGetModuleResponse: Module[] = [ { id: 'security_linux_v3', diff --git a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs_helpers.tsx b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs_helpers.tsx index 8d0b63d8b32fe..567d7e038b5ad 100644 --- a/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs_helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/ml_popover/hooks/use_security_jobs_helpers.tsx @@ -6,6 +6,7 @@ */ import type { MlSummaryJob } from '@kbn/ml-plugin/public'; +import { isSecurityJob } from '../../../../../common/machine_learning/is_security_job'; import type { AugmentedSecurityJobFields, Module, @@ -111,13 +112,11 @@ export const getInstalledJobs = ( moduleJobs: SecurityJob[], compatibleModuleIds: string[] ): SecurityJob[] => - jobSummaryData - .filter(({ groups }) => groups.includes('siem') || groups.includes('security')) - .map((jobSummary) => ({ - ...jobSummary, - ...getAugmentedFields(jobSummary.id, moduleJobs, compatibleModuleIds), - isInstalled: true, - })); + jobSummaryData.filter(isSecurityJob).map((jobSummary) => ({ + ...jobSummary, + ...getAugmentedFields(jobSummary.id, moduleJobs, compatibleModuleIds), + isInstalled: true, + })); /** * Combines installed jobs + moduleSecurityJobs that don't overlap and sorts by name asc diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx index 8695041697120..f5a7e39634359 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx @@ -14,7 +14,6 @@ import { buildListItems, getDescriptionItem, } from '.'; -import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; import { FilterManager, UI_SETTINGS } from '@kbn/data-plugin/public'; import type { Filter } from '@kbn/es-query'; @@ -575,7 +574,6 @@ describe('description_step', () => { }); describe('alert suppression', () => { - const ruleTypesWithoutSuppression: Type[] = ['machine_learning']; const suppressionFields = { groupByDuration: { unit: 'm', @@ -587,23 +585,6 @@ describe('description_step', () => { suppressionMissingFields: 'suppress', }; describe('groupByDuration', () => { - ruleTypesWithoutSuppression.forEach((ruleType) => { - test(`should be empty if rule is ${ruleType}`, () => { - const result: ListItems[] = getDescriptionItem( - 'groupByDuration', - 'label', - { - ruleType, - ...suppressionFields, - }, - mockFilterManager, - mockLicenseService - ); - - expect(result).toEqual([]); - }); - }); - ['query', 'saved_query'].forEach((ruleType) => { test(`should be empty if groupByFields empty for ${ruleType} rule`, () => { const result: ListItems[] = getDescriptionItem( @@ -686,22 +667,21 @@ describe('description_step', () => { }); describe('groupByFields', () => { - [...ruleTypesWithoutSuppression, 'threshold'].forEach((ruleType) => { - test(`should be empty if rule is ${ruleType}`, () => { - const result: ListItems[] = getDescriptionItem( - 'groupByFields', - 'label', - { - ruleType, - ...suppressionFields, - }, - mockFilterManager, - mockLicenseService - ); + test(`should be empty if rule type is 'threshold'`, () => { + const result: ListItems[] = getDescriptionItem( + 'groupByFields', + 'label', + { + ruleType: 'threshold', + ...suppressionFields, + }, + mockFilterManager, + mockLicenseService + ); - expect(result).toEqual([]); - }); + expect(result).toEqual([]); }); + ['query', 'saved_query'].forEach((ruleType) => { test(`should return item for ${ruleType} rule`, () => { const result: ListItems[] = getDescriptionItem( @@ -720,22 +700,21 @@ describe('description_step', () => { }); describe('suppressionMissingFields', () => { - [...ruleTypesWithoutSuppression, 'threshold'].forEach((ruleType) => { - test(`should be empty if rule is ${ruleType}`, () => { - const result: ListItems[] = getDescriptionItem( - 'suppressionMissingFields', - 'label', - { - ruleType, - ...suppressionFields, - }, - mockFilterManager, - mockLicenseService - ); + test(`should be empty if rule type is 'threshold'`, () => { + const result: ListItems[] = getDescriptionItem( + 'suppressionMissingFields', + 'label', + { + ruleType: 'threshold', + ...suppressionFields, + }, + mockFilterManager, + mockLicenseService + ); - expect(result).toEqual([]); - }); + expect(result).toEqual([]); }); + ['query', 'saved_query'].forEach((ruleType) => { test(`should return item for ${ruleType} rule`, () => { const result: ListItems[] = getDescriptionItem( diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx index 98fe3bae27f5e..df6152c7069df 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/index.tsx @@ -36,9 +36,6 @@ import { FormattedMessage } from '@kbn/i18n-react'; import { useSetFieldValueWithCallback } from '../../../../common/utils/use_set_field_value_cb'; import { useRuleFromTimeline } from '../../../../detections/containers/detection_engine/rules/use_rule_from_timeline'; import { isMlRule } from '../../../../../common/machine_learning/helpers'; -import { hasMlAdminPermissions } from '../../../../../common/machine_learning/has_ml_admin_permissions'; -import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license'; -import { useMlCapabilities } from '../../../../common/components/ml/hooks/use_ml_capabilities'; import type { EqlOptionsSelected, FieldsEqlOptions } from '../../../../../common/search_strategy'; import { filterRuleFieldsForType, getStepDataDataSource } from '../../pages/rule_creation/helpers'; import type { @@ -105,6 +102,7 @@ import { useAllEsqlRuleFields } from '../../hooks'; import { useAlertSuppression } from '../../../rule_management/logic/use_alert_suppression'; import { AiAssistant } from '../ai_assistant'; import { RelatedIntegrations } from '../../../rule_creation/components/related_integrations'; +import { useMLRuleConfig } from '../../../../common/components/ml/hooks/use_ml_rule_config'; const CommonUseField = getUseField({ component: Field }); @@ -169,41 +167,53 @@ const IntendedRuleTypeEuiFormRow = styled(RuleTypeEuiFormRow)` // eslint-disable-next-line complexity const StepDefineRuleComponent: FC = ({ - isLoading, - isUpdateView = false, - kibanaDataViews, - indicesConfig, - threatIndicesConfig, + browserFields, + dataSourceType, defaultSavedQuery, + enableThresholdSuppression, form, - optionsSelected, - setOptionsSelected, + groupByFields, + index, indexPattern, + indicesConfig, isIndexPatternLoading, - browserFields, + isLoading, isQueryBarValid, + isUpdateView = false, + kibanaDataViews, + optionsSelected, + queryBarSavedId, + queryBarTitle, + ruleType, setIsQueryBarValid, setIsThreatQueryBarValid, - ruleType, - index, - threatIndex, - groupByFields, - dataSourceType, + setOptionsSelected, shouldLoadQueryDynamically, - queryBarTitle, - queryBarSavedId, + threatIndex, + threatIndicesConfig, thresholdFields, - enableThresholdSuppression, }) => { const queryClient = useQueryClient(); const { isSuppressionEnabled: isAlertSuppressionEnabled } = useAlertSuppression(ruleType); - const mlCapabilities = useMlCapabilities(); const [openTimelineSearch, setOpenTimelineSearch] = useState(false); const [indexModified, setIndexModified] = useState(false); const [threatIndexModified, setThreatIndexModified] = useState(false); const license = useLicense(); + const [{ machineLearningJobId }] = useFormData({ + form, + watch: ['machineLearningJobId'], + }); + const { + hasMlAdminPermissions, + hasMlLicense, + mlFieldsLoading, + mlSuppressionFields, + noMlJobsStarted, + someMlJobsStarted, + } = useMLRuleConfig({ machineLearningJobId }); + const esqlQueryRef = useRef(undefined); const isAlertSuppressionLicenseValid = license.isAtLeast(MINIMUM_LICENSE_FOR_SUPPRESSION); @@ -474,6 +484,24 @@ const StepDefineRuleComponent: FC = ({ isEqlSequenceQuery(queryBar?.query?.query as string) && groupByFields.length === 0; + const isSuppressionGroupByDisabled = + !isAlertSuppressionLicenseValid || + areSuppressionFieldsDisabledBySequence || + isEsqlSuppressionLoading || + (isMlRule(ruleType) && (noMlJobsStarted || mlFieldsLoading || !mlSuppressionFields.length)); + + const suppressionGroupByDisabledText = areSuppressionFieldsDisabledBySequence + ? i18n.EQL_SEQUENCE_SUPPRESSION_DISABLE_TOOLTIP + : isMlRule(ruleType) && noMlJobsStarted + ? i18n.MACHINE_LEARNING_SUPPRESSION_DISABLED_LABEL + : alertSuppressionUpsellingMessage; + + const suppressionGroupByFields = isEsqlRule(ruleType) + ? esqlSuppressionFields + : isMlRule(ruleType) + ? mlSuppressionFields + : termsAggregationFields; + /** * Component that allows selection of suppression intervals disabled: * - if suppression license is not valid(i.e. less than platinum) @@ -868,10 +896,10 @@ const StepDefineRuleComponent: FC = ({ () => ({ describedByIds: ['detectionEngineStepDefineRuleType'], isUpdateView, - hasValidLicense: hasMlLicense(mlCapabilities), - isMlAdmin: hasMlAdminPermissions(mlCapabilities), + hasValidLicense: hasMlLicense, + isMlAdmin: hasMlAdminPermissions, }), - [isUpdateView, mlCapabilities] + [hasMlAdminPermissions, hasMlLicense, isUpdateView] ); return ( @@ -1078,22 +1106,22 @@ const StepDefineRuleComponent: FC = ({ } > - + <> + + {someMlJobsStarted && ( + + {i18n.MACHINE_LEARNING_SUPPRESSION_INCOMPLETE_LABEL} + + )} + >(): (( fields: T ) => T) => { + const isAlertSuppressionForMachineLearningRuleEnabled = useIsExperimentalFeatureEnabled( + 'alertSuppressionForMachineLearningRuleEnabled' + ); const isAlertSuppressionForEsqlRuleEnabled = useIsExperimentalFeatureEnabled( 'alertSuppressionForEsqlRuleEnabled' ); @@ -23,7 +26,8 @@ export const useExperimentalFeatureFieldsTransform = { const isSuppressionDisabled = - isEsqlRule(fields.ruleType) && !isAlertSuppressionForEsqlRuleEnabled; + (isMlRule(fields.ruleType) && !isAlertSuppressionForMachineLearningRuleEnabled) || + (isEsqlRule(fields.ruleType) && !isAlertSuppressionForEsqlRuleEnabled); // reset any alert suppression values hidden behind feature flag if (isSuppressionDisabled) { @@ -38,7 +42,7 @@ export const useExperimentalFeatureFieldsTransform = { expect(result).toEqual(expected); }); + + it('returns suppression fields for machine_learning rules', () => { + const mockStepData: DefineStepRule = { + ...mockData, + ruleType: 'machine_learning', + machineLearningJobId: ['some_jobert_id'], + anomalyThreshold: 44, + groupByFields: ['event.type'], + groupByRadioSelection: GroupByOptions.PerTimePeriod, + groupByDuration: { value: 10, unit: 'm' }, + }; + const result = formatDefineStepData(mockStepData); + + const expected: DefineStepRuleJson = { + machine_learning_job_id: ['some_jobert_id'], + anomaly_threshold: 44, + type: 'machine_learning', + alert_suppression: { + group_by: ['event.type'], + duration: { value: 10, unit: 'm' }, + missing_fields_strategy: 'suppress', + }, + }; + + expect(result).toEqual(expect.objectContaining(expected)); + }); }); describe('formatScheduleStepData', () => { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts index f281b3b6b4a2b..8cda58eeeb541 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts @@ -439,6 +439,7 @@ export const formatDefineStepData = (defineStepData: DefineStepRule): DefineStep ? { anomaly_threshold: ruleFields.anomalyThreshold, machine_learning_job_id: ruleFields.machineLearningJobId, + ...alertSuppressionFields, } : isThresholdFields(ruleFields) ? { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.test.tsx index d12a5ff97d50a..fb00b73e88ffd 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.test.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.test.tsx @@ -37,18 +37,38 @@ describe('useAlertSuppression', () => { expect(result.current.isSuppressionEnabled).toBe(false); }); - it('should return isSuppressionEnabled false if ES|QL Feature Flag is disabled', () => { - const { result } = renderHook(() => useAlertSuppression('esql')); + describe('ML rules', () => { + it('is true if the feature flag is enabled', () => { + jest + .spyOn(useIsExperimentalFeatureEnabledMock, 'useIsExperimentalFeatureEnabled') + .mockReset() + .mockReturnValue(true); + const { result } = renderHook(() => useAlertSuppression('machine_learning')); - expect(result.current.isSuppressionEnabled).toBe(false); + expect(result.current.isSuppressionEnabled).toBe(true); + }); + + it('is false if the feature flag is disabled', () => { + const { result } = renderHook(() => useAlertSuppression('machine_learning')); + + expect(result.current.isSuppressionEnabled).toBe(false); + }); }); - it('should return isSuppressionEnabled true if ES|QL Feature Flag is enabled', () => { - jest - .spyOn(useIsExperimentalFeatureEnabledMock, 'useIsExperimentalFeatureEnabled') - .mockImplementation((flag) => flag === 'alertSuppressionForEsqlRuleEnabled'); - const { result } = renderHook(() => useAlertSuppression('esql')); + describe('ES|QL rules', () => { + it('should return isSuppressionEnabled false if ES|QL Feature Flag is disabled', () => { + const { result } = renderHook(() => useAlertSuppression('esql')); + + expect(result.current.isSuppressionEnabled).toBe(false); + }); + + it('should return isSuppressionEnabled true if ES|QL Feature Flag is enabled', () => { + jest + .spyOn(useIsExperimentalFeatureEnabledMock, 'useIsExperimentalFeatureEnabled') + .mockImplementation((flag) => flag === 'alertSuppressionForEsqlRuleEnabled'); + const { result } = renderHook(() => useAlertSuppression('esql')); - expect(result.current.isSuppressionEnabled).toBe(true); + expect(result.current.isSuppressionEnabled).toBe(true); + }); }); }); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.tsx index 1c9f139633c8c..6d0ecefe8345d 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.tsx @@ -6,7 +6,7 @@ */ import { useCallback } from 'react'; import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; -import { isSuppressibleAlertRule } from '../../../../common/detection_engine/utils'; +import { isMlRule, isSuppressibleAlertRule } from '../../../../common/detection_engine/utils'; import { useIsExperimentalFeatureEnabled } from '../../../common/hooks/use_experimental_features'; export interface UseAlertSuppressionReturn { @@ -14,6 +14,9 @@ export interface UseAlertSuppressionReturn { } export const useAlertSuppression = (ruleType: Type | undefined): UseAlertSuppressionReturn => { + const isAlertSuppressionForMachineLearningRuleEnabled = useIsExperimentalFeatureEnabled( + 'alertSuppressionForMachineLearningRuleEnabled' + ); const isAlertSuppressionForEsqlRuleEnabled = useIsExperimentalFeatureEnabled( 'alertSuppressionForEsqlRuleEnabled' ); @@ -27,8 +30,16 @@ export const useAlertSuppression = (ruleType: Type | undefined): UseAlertSuppres return isSuppressibleAlertRule(ruleType) && isAlertSuppressionForEsqlRuleEnabled; } + if (isMlRule(ruleType)) { + return isSuppressibleAlertRule(ruleType) && isAlertSuppressionForMachineLearningRuleEnabled; + } + return isSuppressibleAlertRule(ruleType); - }, [ruleType, isAlertSuppressionForEsqlRuleEnabled]); + }, [ + isAlertSuppressionForEsqlRuleEnabled, + isAlertSuppressionForMachineLearningRuleEnabled, + ruleType, + ]); return { isSuppressionEnabled: isSuppressionEnabledForRuleType(), diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_rule_fields.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_rule_fields.ts new file mode 100644 index 0000000000000..c0f34c5502f94 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_rule_fields.ts @@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { DataViewFieldBase } from '@kbn/es-query'; + +import { useRuleIndices } from './use_rule_indices'; +import { useFetchIndex } from '../../../common/containers/source'; + +interface UseRuleFieldParams { + machineLearningJobId?: string[]; + indexPattern?: string[]; +} + +interface UseRuleFieldsReturn { + loading: boolean; + fields: DataViewFieldBase[]; +} + +export const useRuleFields = ({ + machineLearningJobId, + indexPattern, +}: UseRuleFieldParams): UseRuleFieldsReturn => { + const { ruleIndices } = useRuleIndices(machineLearningJobId, indexPattern); + const [ + loading, + { + indexPatterns: { fields }, + }, + ] = useFetchIndex(ruleIndices); + + return { loading, fields }; +}; diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx index c1465be7e67e0..b88ca5ff6ab83 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/actions.tsx @@ -30,6 +30,7 @@ import { TIMESTAMP, } from '@kbn/rule-data-utils'; +import type { Type as RuleType } from '@kbn/securitysolution-io-ts-alerting-types'; import { lastValueFrom } from 'rxjs'; import type { EcsSecurityExtension as Ecs } from '@kbn/securitysolution-ecs'; import type { DataTableModel } from '@kbn/securitysolution-data-table'; @@ -42,7 +43,13 @@ import { ALERT_NEW_TERMS, ALERT_RULE_INDICES, } from '../../../../common/field_maps/field_names'; -import { isEqlRule, isEsqlRule } from '../../../../common/detection_engine/utils'; +import { + isEqlRule, + isEsqlRule, + isMlRule, + isNewTermsRule, + isThresholdRule, +} from '../../../../common/detection_engine/utils'; import type { TimelineResult } from '../../../../common/api/timeline'; import { TimelineId } from '../../../../common/types/timeline'; import { TimelineStatus, TimelineType } from '../../../../common/api/timeline'; @@ -266,31 +273,16 @@ export const isEqlAlertWithGroupId = (ecsData: Ecs): boolean => { return isEql && groupId?.length > 0; }; -export const isThresholdAlert = (ecsData: Ecs): boolean => { - const ruleType = getField(ecsData, ALERT_RULE_TYPE); - return ( - ruleType === 'threshold' || - (Array.isArray(ruleType) && ruleType.length > 0 && ruleType[0] === 'threshold') - ); -}; - -export const isEqlAlert = (ecsData: Ecs): boolean => { +const getRuleType = (ecsData: Ecs): RuleType | undefined => { const ruleType = getField(ecsData, ALERT_RULE_TYPE); - return isEqlRule(ruleType) || (Array.isArray(ruleType) && isEqlRule(ruleType[0])); + return Array.isArray(ruleType) ? ruleType[0] : ruleType; }; -export const isEsqlAlert = (ecsData: Ecs): boolean => { - const ruleType = getField(ecsData, ALERT_RULE_TYPE); - return isEsqlRule(ruleType) || (Array.isArray(ruleType) && isEsqlRule(ruleType[0])); -}; - -export const isNewTermsAlert = (ecsData: Ecs): boolean => { - const ruleType = getField(ecsData, ALERT_RULE_TYPE); - return ( - ruleType === 'new_terms' || - (Array.isArray(ruleType) && ruleType.length > 0 && ruleType[0] === 'new_terms') - ); -}; +const isNewTermsAlert = (ecsData: Ecs): boolean => isNewTermsRule(getRuleType(ecsData)); +const isEsqlAlert = (ecsData: Ecs): boolean => isEsqlRule(getRuleType(ecsData)); +const isEqlAlert = (ecsData: Ecs): boolean => isEqlRule(getRuleType(ecsData)); +const isThresholdAlert = (ecsData: Ecs): boolean => isThresholdRule(getRuleType(ecsData)); +const isMlAlert = (ecsData: Ecs): boolean => isMlRule(getRuleType(ecsData)); const isSuppressedAlert = (ecsData: Ecs): boolean => { return getField(ecsData, ALERT_SUPPRESSION_DOCS_COUNT) != null; @@ -1035,7 +1027,12 @@ export const sendAlertToTimelineAction = async ({ getExceptionFilter ); // The Query field should remain unpopulated with the suppressed EQL/ES|QL alert. - } else if (isSuppressedAlert(ecsData) && !isEqlAlert(ecsData) && !isEsqlAlert(ecsData)) { + } else if ( + isSuppressedAlert(ecsData) && + !isEqlAlert(ecsData) && + !isEsqlAlert(ecsData) && + !isMlAlert(ecsData) + ) { return createSuppressedTimeline( ecsData, createTimeline, @@ -1106,7 +1103,12 @@ export const sendAlertToTimelineAction = async ({ } else if (isNewTermsAlert(ecsData)) { return createNewTermsTimeline(ecsData, createTimeline, noteContent, {}, getExceptionFilter); // The Query field should remain unpopulated with the suppressed EQL/ES|QL alert. - } else if (isSuppressedAlert(ecsData) && !isEqlAlert(ecsData) && !isEsqlAlert(ecsData)) { + } else if ( + isSuppressedAlert(ecsData) && + !isEqlAlert(ecsData) && + !isEsqlAlert(ecsData) && + !isMlAlert(ecsData) + ) { return createSuppressedTimeline(ecsData, createTimeline, noteContent, {}, getExceptionFilter); } else { let { dataProviders, filters } = buildTimelineDataProviderOrFilter( diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml index 3bc3320b96026..c94d4a9a31d8e 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml +++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml @@ -53,6 +53,7 @@ viewer: - ".fleet-actions*" - "risk-score.risk-score-*" - ".asset-criticality.asset-criticality-*" + - ".ml-anomalies-*" privileges: - read applications: @@ -119,6 +120,10 @@ editor: - "read" - "write" allow_restricted_indices: false + - names: + - ".ml-anomalies-*" + privileges: + - read applications: - application: "kibana-.kibana" privileges: @@ -174,6 +179,7 @@ t1_analyst: - ".fleet-actions*" - risk-score.risk-score-* - .asset-criticality.asset-criticality-* + - ".ml-anomalies-*" privileges: - read applications: @@ -222,6 +228,7 @@ t2_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: @@ -284,6 +291,7 @@ t3_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -349,6 +357,7 @@ threat_intelligence_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -408,6 +417,7 @@ rule_author: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -473,6 +483,7 @@ soc_manager: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -534,6 +545,7 @@ detections_admin: - metrics-endpoint.metadata_current_* - .fleet-agents* - .fleet-actions* + - ".ml-anomalies-*" privileges: - read - names: @@ -592,6 +604,10 @@ platform_engineer: privileges: - read - write + - names: + - ".ml-anomalies-*" + privileges: + - read applications: - application: "kibana-.kibana" privileges: @@ -643,6 +659,7 @@ endpoint_operations_analyst: - .lists* - .items* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: @@ -711,6 +728,7 @@ endpoint_policy_manager: - packetbeat-* - winlogbeat-* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts index 537d7b6abaf8a..5df02371befa2 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.test.ts @@ -110,6 +110,51 @@ describe('rule_converters', () => { }); }); + describe('machine learning rules', () => { + test('should accept machine learning params when existing rule type is machine learning', () => { + const patchParams = { + anomaly_threshold: 5, + }; + const rule = getMlRuleParams(); + const patchedParams = patchTypeSpecificSnakeToCamel(patchParams, rule); + expect(patchedParams).toEqual( + expect.objectContaining({ + anomalyThreshold: 5, + }) + ); + }); + + test('should reject invalid machine learning params when existing rule type is machine learning', () => { + const patchParams = { + anomaly_threshold: 'invalid', + } as PatchRuleRequestBody; + const rule = getMlRuleParams(); + expect(() => patchTypeSpecificSnakeToCamel(patchParams, rule)).toThrowError( + 'anomaly_threshold: Expected number, received string' + ); + }); + + it('accepts suppression params', () => { + const patchParams = { + alert_suppression: { + group_by: ['agent.name'], + missing_fields_strategy: 'suppress' as const, + }, + }; + const rule = getMlRuleParams(); + const patchedParams = patchTypeSpecificSnakeToCamel(patchParams, rule); + + expect(patchedParams).toEqual( + expect.objectContaining({ + alertSuppression: { + groupBy: ['agent.name'], + missingFieldsStrategy: 'suppress', + }, + }) + ); + }); + }); + test('should accept threat match params when existing rule type is threat match', () => { const patchParams = { threat_indicator_path: 'my.indicator', @@ -298,29 +343,6 @@ describe('rule_converters', () => { ); }); - test('should accept machine learning params when existing rule type is machine learning', () => { - const patchParams = { - anomaly_threshold: 5, - }; - const rule = getMlRuleParams(); - const patchedParams = patchTypeSpecificSnakeToCamel(patchParams, rule); - expect(patchedParams).toEqual( - expect.objectContaining({ - anomalyThreshold: 5, - }) - ); - }); - - test('should reject invalid machine learning params when existing rule type is machine learning', () => { - const patchParams = { - anomaly_threshold: 'invalid', - } as PatchRuleRequestBody; - const rule = getMlRuleParams(); - expect(() => patchTypeSpecificSnakeToCamel(patchParams, rule)).toThrowError( - 'anomaly_threshold: Expected number, received string' - ); - }); - test('should accept new terms params when existing rule type is new terms', () => { const patchParams = { new_terms_fields: ['event.new_field'], @@ -344,6 +366,7 @@ describe('rule_converters', () => { ); }); }); + describe('typeSpecificCamelToSnake', () => { describe('EQL', () => { test('should accept EQL params when existing rule type is EQL', () => { @@ -396,6 +419,54 @@ describe('rule_converters', () => { ); }); }); + + describe('machine learning rules', () => { + it('accepts normal params', () => { + const params = { + anomalyThreshold: 74, + machineLearningJobId: ['job-1'], + }; + const ruleParams = { ...getMlRuleParams(), ...params }; + const transformedParams = typeSpecificCamelToSnake(ruleParams); + expect(transformedParams).toEqual( + expect.objectContaining({ + anomaly_threshold: 74, + machine_learning_job_id: ['job-1'], + }) + ); + }); + + it('accepts suppression params', () => { + const params = { + anomalyThreshold: 74, + machineLearningJobId: ['job-1'], + alertSuppression: { + groupBy: ['event.type'], + duration: { + value: 10, + unit: 'm', + } as AlertSuppressionDuration, + missingFieldsStrategy: 'suppress' as AlertSuppressionMissingFieldsStrategy, + }, + }; + const ruleParams = { ...getMlRuleParams(), ...params }; + const transformedParams = typeSpecificCamelToSnake(ruleParams); + expect(transformedParams).toEqual( + expect.objectContaining({ + anomaly_threshold: 74, + machine_learning_job_id: ['job-1'], + alert_suppression: { + group_by: ['event.type'], + duration: { + value: 10, + unit: 'm', + }, + missing_fields_strategy: 'suppress', + }, + }) + ); + }); + }); }); describe('commonParamsCamelToSnake', () => { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts index 7aac52dfe52c4..db815f32fb5ed 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts @@ -191,6 +191,7 @@ export const typeSpecificSnakeToCamel = ( type: params.type, anomalyThreshold: params.anomaly_threshold, machineLearningJobId: normalizeMachineLearningJobIds(params.machine_learning_job_id), + alertSuppression: convertAlertSuppressionToCamel(params.alert_suppression), }; } case 'new_terms': { @@ -338,6 +339,8 @@ const patchMachineLearningParams = ( machineLearningJobId: params.machine_learning_job_id ? normalizeMachineLearningJobIds(params.machine_learning_job_id) : existingRule.machineLearningJobId, + alertSuppression: + convertAlertSuppressionToCamel(params.alert_suppression) ?? existingRule.alertSuppression, }; }; @@ -706,6 +709,7 @@ export const typeSpecificCamelToSnake = ( type: params.type, anomaly_threshold: params.anomalyThreshold, machine_learning_job_id: params.machineLearningJobId, + alert_suppression: convertAlertSuppressionToSnake(params.alertSuppression), }; } case 'new_terms': { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index 48637e898dda3..b3000edf895dc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts @@ -268,6 +268,7 @@ export const MachineLearningSpecificRuleParams = z.object({ type: z.literal('machine_learning'), anomalyThreshold: AnomalyThreshold, machineLearningJobId: z.array(z.string()), + alertSuppression: AlertSuppressionCamel.optional(), }); export type MachineLearningRuleParams = BaseRuleParams & MachineLearningSpecificRuleParams; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts index ca0edac6fca4e..2d38b16e94b5f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts @@ -11,13 +11,15 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; import { SERVER_APP_ID } from '../../../../../common/constants'; import { MachineLearningRuleParams } from '../../rule_schema'; +import { getIsAlertSuppressionActive } from '../utils/get_is_alert_suppression_active'; import { mlExecutor } from './ml'; -import type { CreateRuleOptions, SecurityAlertType } from '../types'; +import type { CreateRuleOptions, SecurityAlertType, WrapSuppressedHits } from '../types'; +import { wrapSuppressedAlerts } from '../utils/wrap_suppressed_alerts'; export const createMlAlertType = ( createOptions: CreateRuleOptions ): SecurityAlertType => { - const { ml } = createOptions; + const { experimentalFeatures, ml, licensing } = createOptions; return { id: ML_RULE_TYPE_ID, name: 'Machine Learning Rule', @@ -56,11 +58,39 @@ export const createMlAlertType = ( wrapHits, exceptionFilter, unprocessedExceptions, + mergeStrategy, + alertTimestampOverride, + publicBaseUrl, + alertWithSuppression, + primaryTimestamp, + secondaryTimestamp, }, services, + spaceId, state, } = execOptions; + const isAlertSuppressionActive = await getIsAlertSuppressionActive({ + alertSuppression: completeRule.ruleParams.alertSuppression, + isFeatureDisabled: !experimentalFeatures.alertSuppressionForMachineLearningRuleEnabled, + licensing, + }); + + const wrapSuppressedHits: WrapSuppressedHits = (events, buildReasonMessage) => + wrapSuppressedAlerts({ + events, + spaceId, + completeRule, + mergeStrategy, + indicesToQuery: [], + buildReasonMessage, + alertTimestampOverride, + ruleExecutionLogger, + publicBaseUrl, + primaryTimestamp, + secondaryTimestamp, + }); + const result = await mlExecutor({ completeRule, tuple, @@ -72,6 +102,11 @@ export const createMlAlertType = ( wrapHits, exceptionFilter, unprocessedExceptions, + wrapSuppressedHits, + alertTimestampOverride, + alertWithSuppression, + isAlertSuppressionActive, + experimentalFeatures, }); return { ...result, state }; }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts index c357a7e077bb2..59a0204ef9545 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts @@ -9,6 +9,7 @@ import dateMath from '@kbn/datemath'; import type { RuleExecutorServicesMock } from '@kbn/alerting-plugin/server/mocks'; import { alertsMock } from '@kbn/alerting-plugin/server/mocks'; import { mlExecutor } from './ml'; +import type { ExperimentalFeatures } from '../../../../../common'; import { getCompleteRuleMock, getMlRuleParams } from '../../rule_schema/mocks'; import { getListClientMock } from '@kbn/lists-plugin/server/services/lists/list_client.mock'; import { findMlSignals } from './find_ml_signals'; @@ -21,6 +22,7 @@ jest.mock('./find_ml_signals'); jest.mock('./bulk_create_ml_signals'); describe('ml_executor', () => { + let mockExperimentalFeatures: jest.Mocked; let jobsSummaryMock: jest.Mock; let forceStartDatafeedsMock: jest.Mock; let stopDatafeedsMock: jest.Mock; @@ -37,6 +39,7 @@ describe('ml_executor', () => { const listClient = getListClientMock(); beforeEach(() => { + mockExperimentalFeatures = {} as jest.Mocked; jobsSummaryMock = jest.fn(); mlMock = mlPluginServerMock.createSetupContract(); mlMock.jobServiceProvider.mockReturnValue({ @@ -59,7 +62,7 @@ describe('ml_executor', () => { }); (bulkCreateMlSignals as jest.Mock).mockResolvedValue({ success: true, - bulkCreateDuration: 0, + bulkCreateDuration: 21, createdItemsCount: 0, errors: [], createdItems: [], @@ -80,6 +83,11 @@ describe('ml_executor', () => { wrapHits: jest.fn(), exceptionFilter: undefined, unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, }) ).rejects.toThrow('ML plugin unavailable during rule execution'); }); @@ -97,6 +105,11 @@ describe('ml_executor', () => { wrapHits: jest.fn(), exceptionFilter: undefined, unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, }); expect(ruleExecutionLogger.warn).toHaveBeenCalled(); expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain( @@ -125,6 +138,11 @@ describe('ml_executor', () => { wrapHits: jest.fn(), exceptionFilter: undefined, unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, }); expect(ruleExecutionLogger.warn).toHaveBeenCalled(); expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain( @@ -149,9 +167,49 @@ describe('ml_executor', () => { wrapHits: jest.fn(), exceptionFilter: undefined, unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, }); expect(result.userError).toEqual(true); expect(result.success).toEqual(false); expect(result.errors).toEqual(['my_test_job_name missing']); }); + + it('returns some timing information as part of the result', async () => { + // ensure our mock corresponds to the job that the rule uses + jobsSummaryMock.mockResolvedValue( + mlCompleteRule.ruleParams.machineLearningJobId.map((jobId) => ({ + id: jobId, + jobState: 'opened', + datafeedState: 'started', + })) + ); + + const result = await mlExecutor({ + completeRule: mlCompleteRule, + tuple, + ml: mlMock, + services: alertServices, + ruleExecutionLogger, + listClient, + bulkCreate: jest.fn(), + wrapHits: jest.fn(), + exceptionFilter: undefined, + unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, + }); + + expect(result).toEqual( + expect.objectContaining({ + bulkCreateTimes: expect.arrayContaining([expect.any(Number)]), + }) + ); + }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts index 641a9dab05cb2..4b7de9b27a667 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts @@ -8,6 +8,7 @@ /* eslint require-atomic-updates: ["error", { "allowProperties": true }] */ import type { KibanaRequest } from '@kbn/core/server'; +import type { SuppressedAlertService } from '@kbn/rule-registry-plugin/server'; import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types'; import type { AlertInstanceContext, @@ -17,11 +18,12 @@ import type { import type { ListClient } from '@kbn/lists-plugin/server'; import type { Filter } from '@kbn/es-query'; import { isJobStarted } from '../../../../../common/machine_learning/helpers'; +import type { ExperimentalFeatures } from '../../../../../common/experimental_features'; import type { CompleteRule, MachineLearningRuleParams } from '../../rule_schema'; import { bulkCreateMlSignals } from './bulk_create_ml_signals'; import { filterEventsAgainstList } from '../utils/large_list_filters/filter_events_against_list'; import { findMlSignals } from './find_ml_signals'; -import type { BulkCreate, RuleRangeTuple, WrapHits } from '../types'; +import type { BulkCreate, RuleRangeTuple, WrapHits, WrapSuppressedHits } from '../types'; import { addToSearchAfterReturn, createErrorsFromShard, @@ -33,6 +35,26 @@ import type { SetupPlugins } from '../../../../plugin'; import { withSecuritySpan } from '../../../../utils/with_security_span'; import type { IRuleExecutionLogForExecutors } from '../../rule_monitoring'; import type { AnomalyResults } from '../../../machine_learning'; +import { bulkCreateSuppressedAlertsInMemory } from '../utils/bulk_create_suppressed_alerts_in_memory'; +import { buildReasonMessageForMlAlert } from '../utils/reason_formatters'; + +interface MachineLearningRuleExecutorParams { + completeRule: CompleteRule; + tuple: RuleRangeTuple; + ml: SetupPlugins['ml']; + listClient: ListClient; + services: RuleExecutorServices; + ruleExecutionLogger: IRuleExecutionLogForExecutors; + bulkCreate: BulkCreate; + wrapHits: WrapHits; + exceptionFilter: Filter | undefined; + unprocessedExceptions: ExceptionListItemSchema[]; + wrapSuppressedHits: WrapSuppressedHits; + alertTimestampOverride: Date | undefined; + alertWithSuppression: SuppressedAlertService; + isAlertSuppressionActive: boolean; + experimentalFeatures: ExperimentalFeatures; +} export const mlExecutor = async ({ completeRule, @@ -45,18 +67,12 @@ export const mlExecutor = async ({ wrapHits, exceptionFilter, unprocessedExceptions, -}: { - completeRule: CompleteRule; - tuple: RuleRangeTuple; - ml: SetupPlugins['ml']; - listClient: ListClient; - services: RuleExecutorServices; - ruleExecutionLogger: IRuleExecutionLogForExecutors; - bulkCreate: BulkCreate; - wrapHits: WrapHits; - exceptionFilter: Filter | undefined; - unprocessedExceptions: ExceptionListItemSchema[]; -}) => { + isAlertSuppressionActive, + wrapSuppressedHits, + alertTimestampOverride, + alertWithSuppression, + experimentalFeatures, +}: MachineLearningRuleExecutorParams) => { const result = createSearchAfterReturnType(); const ruleParams = completeRule.ruleParams; @@ -120,6 +136,7 @@ export const mlExecutor = async ({ return result; } + // TODO we add the max_signals warning _before_ filtering the anomalies against the exceptions list. Is that correct? if ( anomalyResults.hits.total && typeof anomalyResults.hits.total !== 'number' && @@ -140,17 +157,36 @@ export const mlExecutor = async ({ ruleExecutionLogger.debug(`Found ${anomalyCount} signals from ML anomalies`); } - const createResult = await bulkCreateMlSignals({ - anomalyHits: filteredAnomalyHits, - completeRule, - services, - ruleExecutionLogger, - id: completeRule.alertId, - signalsIndex: ruleParams.outputIndex, - bulkCreate, - wrapHits, - }); - addToSearchAfterReturn({ current: result, next: createResult }); + if (anomalyCount && isAlertSuppressionActive) { + await bulkCreateSuppressedAlertsInMemory({ + enrichedEvents: filteredAnomalyHits, + toReturn: result, + wrapHits, + bulkCreate, + services, + buildReasonMessage: buildReasonMessageForMlAlert, + ruleExecutionLogger, + tuple, + alertSuppression: completeRule.ruleParams.alertSuppression, + wrapSuppressedHits, + alertTimestampOverride, + alertWithSuppression, + experimentalFeatures, + }); + } else { + const createResult = await bulkCreateMlSignals({ + anomalyHits: filteredAnomalyHits, + completeRule, + services, + ruleExecutionLogger, + id: completeRule.alertId, + signalsIndex: ruleParams.outputIndex, + bulkCreate, + wrapHits, + }); + addToSearchAfterReturn({ current: result, next: createResult }); + } + const shardFailures = anomalyResults._shards.failures ?? []; const searchErrors = createErrorsFromShard({ errors: shardFailures, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts index 31aa1797234bf..8f7a50b195e4f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts @@ -37,7 +37,7 @@ import type { LicensingPluginSetup } from '@kbn/licensing-plugin/server'; import type { RuleResponseAction } from '../../../../common/api/detection_engine/model/rule_response_actions'; import type { ConfigType } from '../../../config'; import type { SetupPlugins } from '../../../plugin'; -import type { CompleteRule, EqlRuleParams, RuleParams, ThreatRuleParams } from '../rule_schema'; +import type { CompleteRule, RuleParams } from '../rule_schema'; import type { ExperimentalFeatures } from '../../../../common/experimental_features'; import type { ITelemetryEventsSender } from '../../telemetry/sender'; import type { IRuleExecutionLogForExecutors, IRuleMonitoringService } from '../rule_monitoring'; @@ -401,5 +401,3 @@ export interface OverrideBodyQuery { _source?: estypes.SearchSourceConfig; fields?: estypes.Fields; } - -export type RuleWithInMemorySuppression = ThreatRuleParams | EqlRuleParams; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/wrap_suppressed_alerts.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/wrap_suppressed_alerts.ts index 89328f176567d..70fee20116fc4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/wrap_suppressed_alerts.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/utils/wrap_suppressed_alerts.ts @@ -9,14 +9,19 @@ import objectHash from 'object-hash'; import { TIMESTAMP } from '@kbn/rule-data-utils'; import type { SuppressionFieldsLatest } from '@kbn/rule-registry-plugin/common/schemas'; -import type { RuleWithInMemorySuppression, SignalSourceHit } from '../types'; +import type { SignalSourceHit } from '../types'; import type { BaseFieldsLatest, WrappedFieldsLatest, } from '../../../../../common/api/detection_engine/model/alerts'; import type { ConfigType } from '../../../../config'; -import type { CompleteRule } from '../../rule_schema'; +import type { + CompleteRule, + EqlRuleParams, + MachineLearningRuleParams, + ThreatRuleParams, +} from '../../rule_schema'; import type { IRuleExecutionLogForExecutors } from '../../rule_monitoring'; import { buildBulkBody } from '../factories/utils/build_bulk_body'; import { getSuppressionAlertFields, getSuppressionTerms } from './suppression_utils'; @@ -24,6 +29,8 @@ import { generateId } from './utils'; import type { BuildReasonMessage } from './reason_formatters'; +type RuleWithInMemorySuppression = ThreatRuleParams | EqlRuleParams | MachineLearningRuleParams; + /** * wraps suppressed alerts * creates instanceId hash, which is used to search on time interval alerts diff --git a/x-pack/test/common/utils/security_solution/detections_response/delete_all_anomalies.ts b/x-pack/test/common/utils/security_solution/detections_response/delete_all_anomalies.ts new file mode 100644 index 0000000000000..1f9df710c5d5d --- /dev/null +++ b/x-pack/test/common/utils/security_solution/detections_response/delete_all_anomalies.ts @@ -0,0 +1,36 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { ToolingLog } from '@kbn/tooling-log'; +import type { Client } from '@elastic/elasticsearch'; + +import { countDownTest } from './count_down_test'; + +export const deleteAllAnomalies = async ( + log: ToolingLog, + es: Client, + index: string[] = ['.ml-anomalies-*'] +): Promise => { + await countDownTest( + async () => { + await es.deleteByQuery({ + index, + body: { + query: { + match_all: {}, + }, + }, + refresh: true, + }); + return { + passed: true, + }; + }, + 'deleteAllAnomalies', + log + ); +}; diff --git a/x-pack/test/common/utils/security_solution/detections_response/index.ts b/x-pack/test/common/utils/security_solution/detections_response/index.ts index d6a06f8e57797..43c2a54900c15 100644 --- a/x-pack/test/common/utils/security_solution/detections_response/index.ts +++ b/x-pack/test/common/utils/security_solution/detections_response/index.ts @@ -7,6 +7,7 @@ export * from './rules'; export * from './alerts'; +export * from './delete_all_anomalies'; export * from './count_down_test'; export * from './route_with_namespace'; export * from './wait_for'; diff --git a/x-pack/test/functional/es_archives/security_solution/anomalies/mappings.json b/x-pack/test/functional/es_archives/security_solution/anomalies/mappings.json index 484e0f3fc9aa0..56a26b937a49b 100644 --- a/x-pack/test/functional/es_archives/security_solution/anomalies/mappings.json +++ b/x-pack/test/functional/es_archives/security_solution/anomalies/mappings.json @@ -2,22 +2,21 @@ "type": "index", "value": { "aliases": { - ".ml-anomalies-.write-linux_anomalous_network_activity_ecs": { + ".ml-anomalies-.write-v3_linux_anomalous_network_activity": { "is_hidden": true }, - ".ml-anomalies-linux_anomalous_network_activity_ecs": { + ".ml-anomalies-v3_linux_anomalous_network_activity": { "filter": { "term": { "job_id": { - "boost": 1, - "value": "linux_anomalous_network_activity_ecs" + "value": "v3_linux_anomalous_network_activity" } } }, "is_hidden": true } }, - "index": ".ml-anomalies-custom-linux_anomalous_network_activity_ecs", + "index": ".ml-anomalies-custom-v3_linux_anomalous_network_activity", "mappings": { "_meta": { "version": "8.0.0" diff --git a/x-pack/test/security_solution_api_integration/config/ess/config.base.ts b/x-pack/test/security_solution_api_integration/config/ess/config.base.ts index 7256432174e3c..a47e43bd426e6 100644 --- a/x-pack/test/security_solution_api_integration/config/ess/config.base.ts +++ b/x-pack/test/security_solution_api_integration/config/ess/config.base.ts @@ -84,6 +84,7 @@ export function createTestConfig(options: CreateTestConfigOptions, testFiles?: s 'riskScoringPersistence', 'riskScoringRoutesEnabled', 'bulkCustomHighlightedFieldsEnabled', + 'alertSuppressionForMachineLearningRuleEnabled', 'manualRuleRunEnabled', ])}`, '--xpack.task_manager.poll_interval=1000', diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts index 76c73ff71cc18..825d6a0e5833b 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/configs/serverless.config.ts @@ -19,6 +19,7 @@ export default createTestConfig({ ])}`, // See tests within the file "ignore_fields.ts" which use these values in "alertIgnoreFields" `--xpack.securitySolution.enableExperimental=${JSON.stringify([ 'bulkCustomHighlightedFieldsEnabled', + 'alertSuppressionForMachineLearningRuleEnabled', 'alertSuppressionForEsqlRuleEnabled', ])}`, ], diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/index.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/index.ts index 3ea2c4e6c9359..5d0e8f4db4061 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/index.ts @@ -14,6 +14,7 @@ export default ({ loadTestFile }: FtrProviderContext): void => { loadTestFile(require.resolve('./esql')); loadTestFile(require.resolve('./esql_suppression')); loadTestFile(require.resolve('./machine_learning')); + loadTestFile(require.resolve('./machine_learning_alert_suppression')); loadTestFile(require.resolve('./new_terms')); loadTestFile(require.resolve('./new_terms_alert_suppression')); loadTestFile(require.resolve('./saved_query')); diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts index 3fb077df86a38..5d73249e576f4 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning.ts @@ -151,7 +151,7 @@ export default ({ getService }: FtrProviderContext) => { [SPACE_IDS]: ['default'], [ALERT_SEVERITY]: 'critical', [ALERT_RISK_SCORE]: 50, - [ALERT_RULE_PARAMETERS]: { + [ALERT_RULE_PARAMETERS]: expect.objectContaining({ anomaly_threshold: 30, author: [], description: 'Test ML rule description', @@ -174,7 +174,7 @@ export default ({ getService }: FtrProviderContext) => { to: 'now', type: 'machine_learning', version: 1, - }, + }), [ALERT_DEPTH]: 1, [ALERT_REASON]: `event with process store, by root on mothra created critical alert Test ML rule.`, [ALERT_ORIGINAL_TIME]: expect.any(String), diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts new file mode 100644 index 0000000000000..b29ce8abbb8ef --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/trial_license_complete_tier/execution_logic/machine_learning_alert_suppression.ts @@ -0,0 +1,1106 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { expect } from 'expect'; + +import { + MachineLearningRuleCreateProps, + RuleExecutionStatusEnum, +} from '@kbn/security-solution-plugin/common/api/detection_engine'; +import type { Anomaly } from '@kbn/security-solution-plugin/server/lib/machine_learning'; +import { + ALERT_LAST_DETECTED, + ALERT_START, + ALERT_SUPPRESSION_DOCS_COUNT, + ALERT_SUPPRESSION_END, + ALERT_SUPPRESSION_START, + ALERT_SUPPRESSION_TERMS, + TIMESTAMP, +} from '@kbn/rule-data-utils'; +import { ALERT_ORIGINAL_TIME } from '@kbn/security-solution-plugin/common/field_maps/field_names'; +import { DETECTION_ENGINE_SIGNALS_STATUS_URL as DETECTION_ENGINE_ALERTS_STATUS_URL } from '@kbn/security-solution-plugin/common/constants'; +import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder'; +import { FtrProviderContext } from '../../../../../../ftr_provider_context'; +import { + dataGeneratorFactory, + executeSetupModuleRequest, + forceStartDatafeeds, + getAlerts, + getOpenAlerts, + getPreviewAlerts, + patchRule, + previewRule, + previewRuleWithExceptionEntries, + setAlertStatus, +} from '../../../../utils'; +import { + createRule, + deleteAllAlerts, + deleteAllAnomalies, + deleteAllRules, +} from '../../../../../../../common/utils/security_solution'; +import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils'; + +export default ({ getService }: FtrProviderContext) => { + const supertest = getService('supertest'); + const esArchiver = getService('esArchiver'); + const es = getService('es'); + const log = getService('log'); + const config = getService('config'); + + const isServerless = config.get('serverless'); + const dataPathBuilder = new EsArchivePathBuilder(isServerless); + const auditbeatArchivePath = dataPathBuilder.getPath('auditbeat/hosts'); + + const { indexListOfDocuments } = dataGeneratorFactory({ + es, + index: '.ml-anomalies-custom-v3_linux_anomalous_network_activity', + log, + }); + + const mlModuleName = 'security_linux_v3'; + const mlJobId = 'v3_linux_anomalous_network_activity'; + const baseRuleProps: MachineLearningRuleCreateProps = { + name: 'Test ML rule', + description: 'Test ML rule description', + risk_score: 50, + severity: 'critical', + type: 'machine_learning', + anomaly_threshold: 40, + machine_learning_job_id: mlJobId, + from: '1900-01-01T00:00:00.000Z', + rule_id: 'ml-rule-id', + }; + let ruleProps: MachineLearningRuleCreateProps; + const baseAnomaly: Partial = { + is_interim: false, + record_score: 43, // exceeds anomaly_threshold above + result_type: 'record', + job_id: mlJobId, + 'user.name': ['root'], + }; + + // The tests described in this file rely on the + // 'alertSuppressionForMachineLearningRuleEnabled' feature flag, and are thus + // skipped in MKI + describe('@ess @serverless @skipInServerlessMKI Machine Learning Detection Rule - Alert Suppression', () => { + describe('with an active ML Job', () => { + before(async () => { + // Order is critical here: auditbeat data must be loaded before attempting to start the ML job, + // as the job looks for certain indices on start + await esArchiver.load(auditbeatArchivePath); + await executeSetupModuleRequest({ module: mlModuleName, rspCode: 200, supertest }); + await forceStartDatafeeds({ jobId: mlJobId, rspCode: 200, supertest }); + await esArchiver.load('x-pack/test/functional/es_archives/security_solution/anomalies'); + await deleteAllAnomalies(log, es); + }); + + after(async () => { + await esArchiver.load(auditbeatArchivePath); + await esArchiver.unload('x-pack/test/functional/es_archives/security_solution/anomalies'); + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + }); + + afterEach(async () => { + await deleteAllAlerts(supertest, log, es); + await deleteAllRules(supertest, log); + await deleteAllAnomalies(log, es); + }); + + describe('with per-execution suppression duration', () => { + beforeEach(() => { + ruleProps = { + ...baseRuleProps, + alert_suppression: { + group_by: ['user.name'], + missing_fields_strategy: 'suppress', + }, + }; + }); + + it('performs no suppression if a single alert is generated', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + }; + await indexListOfDocuments([anomaly]); + const createdRule = await createRule(supertest, log, ruleProps); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [{ field: 'user.name', value: ['root'] }], + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + }); + + it('suppresses alerts within a single execution', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + }; + await indexListOfDocuments([anomaly, anomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: timestamp, + }); + + const alerts = await getAlerts(supertest, log, es, createdRule); + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + it('deduplicates previously suppressed alerts if rule has overlapping execution windows', async () => { + const firstTimestamp = new Date().toISOString(); + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + await indexListOfDocuments([firstAnomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: firstTimestamp, + }); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + // suppression boundaries equal to original event time, since no alert been suppressed + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: firstTimestamp, + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + + const secondTimestamp = new Date().toISOString(); + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + + // Add more anomalies, then disable and re-enable to trigger another + // rule run. The second anomaly should trigger an update to the + // existing alert without changing the timestamp + await indexListOfDocuments([secondAnomaly, secondAnomaly]); + await patchRule(supertest, log, { id: createdRule.id, enabled: false }); + await patchRule(supertest, log, { id: createdRule.id, enabled: true }); + const secondAlerts = await getOpenAlerts( + supertest, + log, + es, + createdRule, + RuleExecutionStatusEnum.succeeded, + undefined, + new Date() + ); + + expect(secondAlerts.hits.hits).toHaveLength(2); + expect(secondAlerts.hits.hits[1]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: secondTimestamp, + [ALERT_SUPPRESSION_START]: secondTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, // 1 of the two new anomalies was suppressed on this execution + }) + ); + }); + }); + + describe('with interval suppression duration', () => { + beforeEach(() => { + ruleProps = { + ...baseRuleProps, + alert_suppression: { + duration: { + value: 300, + unit: 'm', + }, + group_by: ['user.name'], + missing_fields_strategy: 'suppress', + }, + }; + }); + + it('performs no suppression if a single alert is generated', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + }; + await indexListOfDocuments([anomaly]); + const createdRule = await createRule(supertest, log, ruleProps); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [{ field: 'user.name', value: ['root'] }], + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + }); + + it('suppresses alerts across two executions', async () => { + const firstTimestamp = new Date().toISOString(); + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + await indexListOfDocuments([firstAnomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: firstTimestamp, + }); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + // suppression boundaries equal to original event time, since no alert been suppressed + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: firstTimestamp, + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + + const secondTimestamp = new Date().toISOString(); + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + + // Add more anomalies, then disable and re-enable to trigger another + // rule run. The second anomaly should trigger an update to the + // existing alert without changing the timestamp + await indexListOfDocuments([secondAnomaly, secondAnomaly]); + await patchRule(supertest, log, { id: createdRule.id, enabled: false }); + await patchRule(supertest, log, { id: createdRule.id, enabled: true }); + const secondAlerts = await getOpenAlerts( + supertest, + log, + es, + createdRule, + RuleExecutionStatusEnum.succeeded, + undefined, + new Date() + ); + + expect(secondAlerts.hits.hits).toHaveLength(1); + expect(secondAlerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 2, // 1 of the two new anomalies was suppressed on this execution + }) + ); + }); + + describe('with anomalies spanning multiple rule execution windows', () => { + const firstTimestamp = '2020-10-28T05:45:00.000Z'; + const secondTimestamp = '2020-10-28T06:15:00.000Z'; + const thirdTimestamp = '2020-10-28T06:45:00.000Z'; + const afterThirdTimestamp = '2020-10-28T07:00:00.000Z'; + + beforeEach(async () => { + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + const thirdAnomaly = { + ...baseAnomaly, + timestamp: thirdTimestamp, + }; + + await indexListOfDocuments([ + firstAnomaly, + firstAnomaly, + secondAnomaly, + secondAnomaly, + thirdAnomaly, + ]); + }); + + it('suppresses alerts across three executions', async () => { + const rule = { ...ruleProps, interval: '30m' }; + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(afterThirdTimestamp), + invocationCount: 3, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(1); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [TIMESTAMP]: '2020-10-28T06:00:00.000Z', + [ALERT_LAST_DETECTED]: afterThirdTimestamp, + [ALERT_START]: '2020-10-28T06:00:00.000Z', + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: thirdTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 4, // in total 4 alert got suppressed: 1 from the first run, 2 from the second, 1 from the third + }) + ); + }); + + it('suppresses alerts across multiple, sparse executions', async () => { + const fifthTimestamp = '2020-10-28T07:45:00.000Z'; + const afterFifthTimestamp = '2020-10-28T08:00:00.000Z'; + const fifthAnomaly = { ...baseAnomaly, timestamp: fifthTimestamp }; + // no anomaly for fourth execution + await indexListOfDocuments([fifthAnomaly]); + + const rule = { ...ruleProps, interval: '30m' }; + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(afterFifthTimestamp), + invocationCount: 5, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(1); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [TIMESTAMP]: '2020-10-28T06:00:00.000Z', + [ALERT_LAST_DETECTED]: afterFifthTimestamp, + [ALERT_START]: '2020-10-28T06:00:00.000Z', + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: fifthTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 5, // in total 5 alerts were suppressed: 1 from the first run, 2 from the second, 1 from the third run, none from the fourth, and one from the fifth. + }) + ); + }); + }); + + it('suppresses alerts on multiple fields', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + 'process.name': ['auditbeat'], + }; + await indexListOfDocuments([anomaly, anomaly]); + + const rule = { + ...ruleProps, + alert_suppression: { + ...ruleProps.alert_suppression, + group_by: ['user.name', 'process.name'], + }, + }; + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(timestamp), + invocationCount: 1, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(1); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + { + field: 'process.name', + value: ['auditbeat'], + }, + ], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + it('suppresses alerts with missing fields, if configured to do so', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + 'host.name': ['relevant'], + }; + const anomalyWithoutSuppressionField = { + ...baseAnomaly, + timestamp, + }; + await indexListOfDocuments([anomaly, anomaly, anomalyWithoutSuppressionField]); + + const rule = { + ...ruleProps, + alert_suppression: { + ...ruleProps.alert_suppression, + group_by: ['host.name'], + }, + }; + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(timestamp), + invocationCount: 1, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_SUPPRESSION_DOCS_COUNT], + }); + + expect(previewAlerts.length).toEqual(2); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'host.name', + value: null, + }, + ], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + + expect(previewAlerts[1]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'host.name', + value: ['relevant'], + }, + ], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, // the anomaly without `host.name` is not represented here + }) + ); + }); + + it('does not suppress alerts with missing fields, if not configured to do so', async () => { + const rule = { + ...ruleProps, + alert_suppression: { + ...ruleProps.alert_suppression, + group_by: ['host.name'], + missing_fields_strategy: 'doNotSuppress' as const, + }, + }; + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + 'host.name': ['relevant'], + }; + const anomalyWithoutSuppressionField = { + ...baseAnomaly, + timestamp, + 'user.name': ['irrelevant'], + }; + await indexListOfDocuments([ + anomaly, + anomaly, + anomalyWithoutSuppressionField, + anomalyWithoutSuppressionField, + ]); + + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(timestamp), + invocationCount: 1, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(3); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + 'user.name': ['irrelevant'], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + }) + ); + + expect(previewAlerts[0]._source).toEqual( + expect.not.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: expect.anything(), + [ALERT_ORIGINAL_TIME]: expect.anything(), + [ALERT_SUPPRESSION_START]: expect.anything(), + [ALERT_SUPPRESSION_END]: expect.anything(), + [ALERT_SUPPRESSION_DOCS_COUNT]: expect.anything(), + }) + ); + + expect(previewAlerts[1]._source).toEqual( + expect.objectContaining({ + 'user.name': ['irrelevant'], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + }) + ); + expect(previewAlerts[1]._source).toEqual( + expect.not.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: expect.anything(), + [ALERT_ORIGINAL_TIME]: expect.anything(), + [ALERT_SUPPRESSION_START]: expect.anything(), + [ALERT_SUPPRESSION_END]: expect.anything(), + [ALERT_SUPPRESSION_DOCS_COUNT]: expect.anything(), + }) + ); + + expect(previewAlerts[2]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'host.name', + value: ['relevant'], + }, + ], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, // the anomaly without `host.name` is not represented here + }) + ); + }); + + it('does not suppress into a closed alert', async () => { + const firstTimestamp = new Date().toISOString(); + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + await indexListOfDocuments([firstAnomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: firstTimestamp, + }); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + const alertId = alerts.hits.hits[0]._id!; + + // close generated alert + await supertest + .post(DETECTION_ENGINE_ALERTS_STATUS_URL) + .set('kbn-xsrf', 'true') + .send(setAlertStatus({ alertIds: [alertId], status: 'closed' })) + .expect(200); + + const secondTimestamp = new Date().toISOString(); + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + + // Add more anomalies, then disable and re-enable to trigger another + // rule run. The second anomalies should create a new alert, since the existing alert is closed. + await indexListOfDocuments([secondAnomaly, secondAnomaly]); + await patchRule(supertest, log, { id: createdRule.id, enabled: false }); + await patchRule(supertest, log, { id: createdRule.id, enabled: true }); + const secondAlerts = await getOpenAlerts( + supertest, + log, + es, + createdRule, + RuleExecutionStatusEnum.succeeded, + undefined, + new Date() + ); + + expect(secondAlerts.hits.hits).toHaveLength(1); + expect(secondAlerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: secondTimestamp, + [ALERT_SUPPRESSION_START]: secondTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + it('does not suppress into an unsuppressed alert', async () => { + const firstTimestamp = new Date().toISOString(); + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + await indexListOfDocuments([firstAnomaly]); + + const ruleWithoutSuppression = { ...ruleProps, alert_suppression: undefined }; + const createdRule = await createRule(supertest, log, { + ...ruleWithoutSuppression, + from: firstTimestamp, + }); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + + // update the rule to include suppression + await patchRule(supertest, log, { + id: createdRule.id, + alert_suppression: ruleProps.alert_suppression, + }); + + const secondTimestamp = new Date().toISOString(); + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + + // Add more anomalies, then disable and re-enable to trigger another + // rule run. The second anomalies should create a new suppressed alert, since the original was not suppressed. + await indexListOfDocuments([secondAnomaly, secondAnomaly, secondAnomaly]); + await patchRule(supertest, log, { id: createdRule.id, enabled: false }); + await patchRule(supertest, log, { id: createdRule.id, enabled: true }); + const secondAlerts = await getOpenAlerts( + supertest, + log, + es, + createdRule, + RuleExecutionStatusEnum.succeeded, + undefined, + new Date() + ); + + expect(secondAlerts.hits.hits).toHaveLength(2); + // assert that the first alert does not have suppression fields + expect(secondAlerts.hits.hits[0]._source).toEqual( + expect.not.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: expect.anything(), + [ALERT_ORIGINAL_TIME]: expect.anything(), + [ALERT_SUPPRESSION_START]: expect.anything(), + [ALERT_SUPPRESSION_END]: expect.anything(), + [ALERT_SUPPRESSION_DOCS_COUNT]: expect.anything(), + }) + ); + + expect(secondAlerts.hits.hits[1]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: secondTimestamp, + [ALERT_SUPPRESSION_START]: secondTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 2, + }) + ); + }); + + it('suppresses alerts that would be _created_ within the suppression duration window, even if the original anomalies were outside that suppression duration window', async () => { + const rule = { + ...ruleProps, + interval: '30m', + alert_suppression: { + ...ruleProps.alert_suppression, + duration: { + value: 1, + unit: 'm', + }, + }, + } as MachineLearningRuleCreateProps; + const firstTimestamp = '2020-10-28T06:00:00.000Z'; + const secondTimestamp = '2020-10-28T06:15:00.000Z'; + const firstAnomaly = { ...baseAnomaly, timestamp: firstTimestamp }; + const secondAnomaly = { ...baseAnomaly, timestamp: secondTimestamp }; + await indexListOfDocuments([firstAnomaly, secondAnomaly]); + + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(secondTimestamp), + invocationCount: 1, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(1); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [TIMESTAMP]: secondTimestamp, + [ALERT_LAST_DETECTED]: secondTimestamp, + [ALERT_START]: secondTimestamp, + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + it('does not suppress across multiple runs if the suppression interval is less than the rule interval ', async () => { + const rule = { + ...ruleProps, + interval: '5m', + alert_suppression: { + ...ruleProps.alert_suppression, + duration: { + value: 1, + unit: 'm', + }, + }, + } as MachineLearningRuleCreateProps; + const firstTimestamp = '2020-10-28T06:00:00.000Z'; + const secondTimestamp = '2020-10-28T06:15:00.000Z'; + const firstAnomaly = { ...baseAnomaly, timestamp: firstTimestamp }; + const secondAnomaly = { ...baseAnomaly, timestamp: secondTimestamp }; + await indexListOfDocuments([firstAnomaly, secondAnomaly]); + + const { previewId } = await previewRule({ + supertest, + rule, + timeframeEnd: new Date(secondTimestamp), + invocationCount: 3, + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(2); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: firstTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + expect(previewAlerts[1]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: secondTimestamp, + [ALERT_SUPPRESSION_START]: secondTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + }); + + it('suppresses alerts within a single execution', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + }; + await indexListOfDocuments([anomaly, anomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: timestamp, + }); + + const alerts = await getAlerts(supertest, log, es, createdRule); + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + it('deduplicates previously suppressed alerts if rule has overlapping execution windows', async () => { + const firstTimestamp = new Date().toISOString(); + const firstAnomaly = { + ...baseAnomaly, + timestamp: firstTimestamp, + }; + await indexListOfDocuments([firstAnomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: firstTimestamp, + }); + const alerts = await getAlerts(supertest, log, es, createdRule); + + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + // suppression boundaries equal to original event time, since no alert been suppressed + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: firstTimestamp, + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, + }) + ); + + const secondTimestamp = new Date().toISOString(); + const secondAnomaly = { + ...baseAnomaly, + timestamp: secondTimestamp, + }; + + // Add more anomalies, then disable and re-enable to trigger another + // rule run. The second anomaly should trigger an update to the + // existing alert without changing the timestamp + await indexListOfDocuments([secondAnomaly, secondAnomaly]); + await patchRule(supertest, log, { id: createdRule.id, enabled: false }); + await patchRule(supertest, log, { id: createdRule.id, enabled: true }); + const secondAlerts = await getOpenAlerts( + supertest, + log, + es, + createdRule, + RuleExecutionStatusEnum.succeeded, + undefined, + new Date() + ); + + expect(secondAlerts.hits.hits).toHaveLength(1); + expect(secondAlerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [ALERT_ORIGINAL_TIME]: firstTimestamp, + [ALERT_SUPPRESSION_START]: firstTimestamp, + [ALERT_SUPPRESSION_END]: secondTimestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 2, // both new anomalies were suppressed into the original + }) + ); + }); + + it('suppresses alerts with array field values', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + 'user.name': ['host1', 'host2'], + timestamp, + }; + await indexListOfDocuments([anomaly, anomaly]); + + const createdRule = await createRule(supertest, log, { + ...ruleProps, + from: timestamp, + }); + + const alerts = await getAlerts(supertest, log, es, createdRule); + expect(alerts.hits.hits).toHaveLength(1); + expect(alerts.hits.hits[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['host1', 'host2'], + }, + ], + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 1, + }) + ); + }); + + describe('with exceptions', () => { + beforeEach(async () => { + await deleteAllExceptions(supertest, log); + }); + + it('applies exceptions before suppression', async () => { + const timestamp = new Date().toISOString(); + const anomaly = { + ...baseAnomaly, + timestamp, + }; + const anomalyWithExceptionField = { + ...anomaly, + 'process.name': ['auditbeat'], + }; + await indexListOfDocuments([anomaly, anomalyWithExceptionField]); + + const { previewId } = await previewRuleWithExceptionEntries({ + supertest, + rule: ruleProps, + log, + timeframeEnd: new Date(timestamp), + entries: [ + [ + { + field: 'process.name', + operator: 'included', + type: 'match', + value: 'auditbeat', + }, + ], + ], + }); + const previewAlerts = await getPreviewAlerts({ + es, + previewId, + sort: [ALERT_ORIGINAL_TIME], + }); + + expect(previewAlerts.length).toEqual(1); + expect(previewAlerts[0]._source).toEqual( + expect.objectContaining({ + [ALERT_SUPPRESSION_TERMS]: [ + { + field: 'user.name', + value: ['root'], + }, + ], + [TIMESTAMP]: timestamp, + [ALERT_START]: timestamp, + [ALERT_ORIGINAL_TIME]: timestamp, + [ALERT_SUPPRESSION_START]: timestamp, + [ALERT_SUPPRESSION_END]: timestamp, + [ALERT_SUPPRESSION_DOCS_COUNT]: 0, // the anomaly with the exception field was not suppressed but omitted due to the exception + }) + ); + }); + }); + }); + }); + }); +}; diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts index a9b9bf1c8ce5b..fa0c6fa4f78b5 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/machine_learning/machine_learning_setup.ts @@ -6,6 +6,7 @@ */ import type SuperTest from 'supertest'; +import { ML_GROUP_ID } from '@kbn/security-solution-plugin/common/constants'; import { getCommonRequestHeader } from '../../../../../functional/services/ml/common_api'; export const executeSetupModuleRequest = async ({ @@ -22,7 +23,7 @@ export const executeSetupModuleRequest = async ({ .set(getCommonRequestHeader('1')) .send({ prefix: '', - groups: ['auditbeat'], + groups: [ML_GROUP_ID], indexPatternName: 'auditbeat-*', startDatafeed: false, useDedicatedIndex: true, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/remove_server_generated_properties_including_rule_id.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/remove_server_generated_properties_including_rule_id.ts index 1b57b5663ec23..176ce575a6457 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/remove_server_generated_properties_including_rule_id.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/utils/rules/remove_server_generated_properties_including_rule_id.ts @@ -7,7 +7,10 @@ import type { RuleResponse } from '@kbn/security-solution-plugin/common/api/detection_engine'; -import { removeServerGeneratedProperties } from './remove_server_generated_properties'; +import { + removeServerGeneratedProperties, + type RuleWithoutServerGeneratedProperties, +} from './remove_server_generated_properties'; /** * This will remove server generated properties such as date times, etc... including the rule_id @@ -15,9 +18,8 @@ import { removeServerGeneratedProperties } from './remove_server_generated_prope */ export const removeServerGeneratedPropertiesIncludingRuleId = ( rule: RuleResponse -): Partial => { +): Omit => { const ruleWithRemovedProperties = removeServerGeneratedProperties(rule); - // eslint-disable-next-line @typescript-eslint/naming-convention - const { rule_id, ...additionalRuledIdRemoved } = ruleWithRemovedProperties; + const { rule_id: _, ...additionalRuledIdRemoved } = ruleWithRemovedProperties; return additionalRuledIdRemoved; }; diff --git a/x-pack/test/security_solution_cypress/config.ts b/x-pack/test/security_solution_cypress/config.ts index 6e65ab15324a6..092fe4b79d38f 100644 --- a/x-pack/test/security_solution_cypress/config.ts +++ b/x-pack/test/security_solution_cypress/config.ts @@ -47,6 +47,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { `--xpack.securitySolution.enableExperimental=${JSON.stringify([ 'alertSuppressionForEsqlRuleEnabled', 'bulkCustomHighlightedFieldsEnabled', + 'alertSuppressionForMachineLearningRuleEnabled', 'manualRuleRunEnabled', ])}`, // mock cloud to enable the guided onboarding tour in e2e tests diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_suppression_serverless_essentials.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_suppression_serverless_essentials.cy.ts index d6f23687cf418..946e0190bc1f8 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_suppression_serverless_essentials.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_suppression_serverless_essentials.cy.ts @@ -15,6 +15,7 @@ import { login } from '../../../../tasks/login'; import { visit } from '../../../../tasks/navigation'; import { ALERT_SUPPRESSION_FIELDS_INPUT, + MACHINE_LEARNING_TYPE, THRESHOLD_ENABLE_SUPPRESSION_CHECKBOX, } from '../../../../screens/create_new_rule'; import { CREATE_RULE_URL } from '../../../../urls/navigation'; @@ -22,7 +23,7 @@ import { CREATE_RULE_URL } from '../../../../urls/navigation'; describe( 'Detection rules, Alert Suppression for Essentials tier', { - // skipped in MKI as it depends on feature flag alertSuppressionForEsqlRuleEnabled + // skipped in MKI as it depends on feature flag alertSuppressionForEsqlRuleEnabled, alertSuppressionForMachineLearningRuleEnabled tags: ['@serverless', '@skipInServerlessMKI'], env: { ftrConfig: { @@ -35,6 +36,7 @@ describe( kbnServerArgs: [ `--xpack.securitySolution.enableExperimental=${JSON.stringify([ 'alertSuppressionForEsqlRuleEnabled', + 'alertSuppressionForMachineLearningRuleEnabled', ])}`, ], }, @@ -60,6 +62,9 @@ describe( selectEsqlRuleType(); cy.get(ALERT_SUPPRESSION_FIELDS_INPUT).should('be.enabled'); + + // ML Rules require Complete tier + cy.get(MACHINE_LEARNING_TYPE).get('button').should('be.disabled'); }); } ); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_supression_ess_basic.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_supression_ess_basic.cy.ts index 1f86d6d0dd789..a4e7a7dabb5fe 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_supression_ess_basic.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/common_flows_supression_ess_basic.cy.ts @@ -8,6 +8,7 @@ import { THRESHOLD_ENABLE_SUPPRESSION_CHECKBOX, ALERT_SUPPRESSION_DURATION_INPUT, + MACHINE_LEARNING_TYPE, } from '../../../../screens/create_new_rule'; import { @@ -52,6 +53,9 @@ describe( selectEsqlRuleType(); openSuppressionFieldsTooltipAndCheckLicense(); + // ML Rules require Platinum license + cy.get(MACHINE_LEARNING_TYPE).get('button').should('be.disabled'); + selectThresholdRuleType(); cy.get(THRESHOLD_ENABLE_SUPPRESSION_CHECKBOX).should('be.disabled'); cy.get(THRESHOLD_ENABLE_SUPPRESSION_CHECKBOX).parent().trigger('mouseover'); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/machine_learning_rule_suppression.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/machine_learning_rule_suppression.cy.ts new file mode 100644 index 0000000000000..befa75fce93ff --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/machine_learning_rule_suppression.cy.ts @@ -0,0 +1,198 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getMachineLearningRule } from '../../../../objects/rule'; +import { TOOLTIP } from '../../../../screens/common'; +import { + ALERT_SUPPRESSION_FIELDS, + ALERT_SUPPRESSION_FIELDS_INPUT, +} from '../../../../screens/create_new_rule'; +import { + DEFINITION_DETAILS, + DETAILS_TITLE, + SUPPRESS_BY_DETAILS, + SUPPRESS_FOR_DETAILS, + SUPPRESS_MISSING_FIELD, +} from '../../../../screens/rule_details'; +import { + executeSetupModuleRequest, + forceStartDatafeeds, + forceStopAndCloseJob, +} from '../../../../support/machine_learning'; +import { + continueFromDefineStep, + fillAlertSuppressionFields, + fillDefineMachineLearningRule, + selectMachineLearningRuleType, + selectAlertSuppressionPerInterval, + setAlertSuppressionDuration, + selectDoNotSuppressForMissingFields, + skipScheduleRuleAction, + fillAboutRuleMinimumAndContinue, + createRuleWithoutEnabling, +} from '../../../../tasks/create_new_rule'; +import { login } from '../../../../tasks/login'; +import { visit } from '../../../../tasks/navigation'; +import { getDetails } from '../../../../tasks/rule_details'; +import { CREATE_RULE_URL } from '../../../../urls/navigation'; + +describe( + 'Machine Learning Detection Rules - Creation', + { + // Skipped in MKI as tests depend on feature flag alertSuppressionForMachineLearningRuleEnabled + tags: ['@ess', '@serverless', '@skipInServerlessMKI'], + env: { + ftrConfig: { + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'alertSuppressionForMachineLearningRuleEnabled', + ])}`, + ], + }, + }, + }, + () => { + let mlRule: ReturnType; + const jobId = 'v3_linux_anomalous_network_activity'; + const suppressByFields = ['by_field_name', 'by_field_value']; + + beforeEach(() => { + login(); + visit(CREATE_RULE_URL); + }); + + describe('with Alert Suppression', () => { + describe('when no ML jobs have run', () => { + before(() => { + const machineLearningJobIds = ([] as string[]).concat( + getMachineLearningRule().machine_learning_job_id + ); + // ensure no ML jobs are started before the suite + machineLearningJobIds.forEach((j) => forceStopAndCloseJob({ jobId: j })); + }); + + beforeEach(() => { + mlRule = getMachineLearningRule(); + selectMachineLearningRuleType(); + fillDefineMachineLearningRule(mlRule); + }); + + it('disables the suppression fields and displays a message', () => { + cy.get(ALERT_SUPPRESSION_FIELDS_INPUT).should('be.disabled'); + cy.get(ALERT_SUPPRESSION_FIELDS_INPUT).realHover(); + cy.get(TOOLTIP).should( + 'contain.text', + 'To enable alert suppression, start relevant Machine Learning jobs.' + ); + }); + }); + + describe('when ML jobs have run', () => { + before(() => { + cy.task('esArchiverLoad', { archiveName: '../auditbeat/hosts', type: 'ftr' }); + executeSetupModuleRequest({ moduleName: 'security_linux_v3' }); + forceStartDatafeeds({ jobIds: [jobId] }); + cy.task('esArchiverLoad', { archiveName: 'anomalies', type: 'ftr' }); + }); + + after(() => { + cy.task('esArchiverUnload', { archiveName: 'anomalies', type: 'ftr' }); + cy.task('esArchiverUnload', { archiveName: '../auditbeat/hosts', type: 'ftr' }); + }); + + describe('when not all jobs are running', () => { + beforeEach(() => { + mlRule = getMachineLearningRule(); + selectMachineLearningRuleType(); + fillDefineMachineLearningRule(mlRule); + }); + + it('displays a warning message on the suppression fields', () => { + cy.get(ALERT_SUPPRESSION_FIELDS_INPUT).should('be.enabled'); + cy.get(ALERT_SUPPRESSION_FIELDS).should( + 'contain.text', + 'This list of fields might be incomplete as some Machine Learning jobs are not running. Start all relevant jobs for a complete list.' + ); + }); + }); + + describe('when all jobs are running', () => { + beforeEach(() => { + mlRule = getMachineLearningRule({ machine_learning_job_id: [jobId] }); + selectMachineLearningRuleType(); + fillDefineMachineLearningRule(mlRule); + }); + + it('allows a rule with per-execution suppression to be created and displayed', () => { + fillAlertSuppressionFields(suppressByFields); + continueFromDefineStep(); + + // ensures details preview works correctly + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_BY_DETAILS).should('have.text', suppressByFields.join('')); + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', 'One rule execution'); + getDetails(SUPPRESS_MISSING_FIELD).should( + 'have.text', + 'Suppress and group alerts for events with missing fields' + ); + + // suppression functionality should be under Tech Preview + cy.contains(DETAILS_TITLE, SUPPRESS_FOR_DETAILS).contains('Technical Preview'); + }); + + fillAboutRuleMinimumAndContinue(mlRule); + skipScheduleRuleAction(); + createRuleWithoutEnabling(); + + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_BY_DETAILS).should('have.text', suppressByFields.join('')); + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', 'One rule execution'); + getDetails(SUPPRESS_MISSING_FIELD).should( + 'have.text', + 'Suppress and group alerts for events with missing fields' + ); + }); + }); + + it('allows a rule with interval suppression to be created and displayed', () => { + fillAlertSuppressionFields(suppressByFields); + selectAlertSuppressionPerInterval(); + setAlertSuppressionDuration(45, 'm'); + selectDoNotSuppressForMissingFields(); + continueFromDefineStep(); + + // ensures details preview works correctly + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_BY_DETAILS).should('have.text', suppressByFields.join('')); + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', '45m'); + getDetails(SUPPRESS_MISSING_FIELD).should( + 'have.text', + 'Do not suppress alerts for events with missing fields' + ); + + // suppression functionality should be under Tech Preview + cy.contains(DETAILS_TITLE, SUPPRESS_FOR_DETAILS).contains('Technical Preview'); + }); + + fillAboutRuleMinimumAndContinue(mlRule); + skipScheduleRuleAction(); + createRuleWithoutEnabling(); + + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_BY_DETAILS).should('have.text', suppressByFields.join('')); + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', '45m'); + getDetails(SUPPRESS_MISSING_FIELD).should( + 'have.text', + 'Do not suppress alerts for events with missing fields' + ); + }); + }); + }); + }); + }); + } +); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts new file mode 100644 index 0000000000000..5e6cd673070ba --- /dev/null +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/machine_learning_rule.cy.ts @@ -0,0 +1,178 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getMachineLearningRule } from '../../../../objects/rule'; +import { + ALERT_SUPPRESSION_DURATION_INPUT, + ALERT_SUPPRESSION_FIELDS, + ALERT_SUPPRESSION_MISSING_FIELDS_DO_NOT_SUPPRESS, +} from '../../../../screens/create_new_rule'; +import { + DEFINITION_DETAILS, + DETAILS_TITLE, + SUPPRESS_BY_DETAILS, + SUPPRESS_FOR_DETAILS, + SUPPRESS_MISSING_FIELD, +} from '../../../../screens/rule_details'; +import { + executeSetupModuleRequest, + forceStartDatafeeds, + forceStopAndCloseJob, +} from '../../../../support/machine_learning'; +import { editFirstRule } from '../../../../tasks/alerts_detection_rules'; +import { deleteAlertsAndRules } from '../../../../tasks/api_calls/common'; +import { createRule } from '../../../../tasks/api_calls/rules'; +import { + clearAlertSuppressionFields, + fillAlertSuppressionFields, + selectAlertSuppressionPerInterval, + selectAlertSuppressionPerRuleExecution, + setAlertSuppressionDuration, +} from '../../../../tasks/create_new_rule'; +import { saveEditedRule } from '../../../../tasks/edit_rule'; +import { login } from '../../../../tasks/login'; +import { visit } from '../../../../tasks/navigation'; +import { assertDetailsNotExist, getDetails } from '../../../../tasks/rule_details'; +import { RULES_MANAGEMENT_URL } from '../../../../urls/rules_management'; + +describe( + 'Machine Learning Detection Rules - Editing', + { + // Skipping in MKI as it depends on feature flag alertSuppressionForMachineLearningRuleEnabled + tags: ['@ess', '@serverless', '@skipInServerlessMKI'], + env: { + ftrConfig: { + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'alertSuppressionForMachineLearningRuleEnabled', + ])}`, + ], + }, + }, + }, + () => { + let mlRule: ReturnType; + const suppressByFields = ['by_field_name', 'by_field_value']; + const jobId = 'v3_linux_anomalous_network_activity'; + + before(() => { + const machineLearningJobIds = ([] as string[]).concat( + getMachineLearningRule().machine_learning_job_id + ); + // ensure no ML jobs are started before the test + machineLearningJobIds.forEach((j) => forceStopAndCloseJob({ jobId: j })); + }); + + beforeEach(() => { + login(); + deleteAlertsAndRules(); + cy.task('esArchiverLoad', { archiveName: '../auditbeat/hosts', type: 'ftr' }); + executeSetupModuleRequest({ moduleName: 'security_linux_v3' }); + forceStartDatafeeds({ jobIds: [jobId] }); + cy.task('esArchiverLoad', { archiveName: 'anomalies', type: 'ftr' }); + }); + + describe('without Alert Suppression', () => { + beforeEach(() => { + mlRule = getMachineLearningRule({ machine_learning_job_id: [jobId] }); + createRule(mlRule); + visit(RULES_MANAGEMENT_URL); + editFirstRule(); + }); + + it('allows editing of a rule to add suppression configuration', () => { + fillAlertSuppressionFields(suppressByFields); + selectAlertSuppressionPerInterval(); + setAlertSuppressionDuration(2, 'h'); + + saveEditedRule(); + + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_BY_DETAILS).should('have.text', suppressByFields.join('')); + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', '2h'); + getDetails(SUPPRESS_MISSING_FIELD).should( + 'have.text', + 'Suppress and group alerts for events with missing fields' + ); + + // suppression functionality should be under Tech Preview + cy.contains(DETAILS_TITLE, SUPPRESS_FOR_DETAILS).contains('Technical Preview'); + }); + }); + }); + + describe('with Alert Suppression', () => { + beforeEach(() => { + mlRule = { + ...getMachineLearningRule({ machine_learning_job_id: [jobId] }), + alert_suppression: { + group_by: suppressByFields, + duration: { value: 360, unit: 's' }, + missing_fields_strategy: 'doNotSuppress', + }, + }; + + createRule(mlRule); + visit(RULES_MANAGEMENT_URL); + editFirstRule(); + }); + + it('allows editing of a rule to change its suppression configuration', () => { + // check saved suppression settings + cy.get(ALERT_SUPPRESSION_DURATION_INPUT) + .eq(0) + .should('be.enabled') + .should('have.value', 360); + cy.get(ALERT_SUPPRESSION_DURATION_INPUT) + .eq(1) + .should('be.enabled') + .should('have.value', 's'); + + cy.get(ALERT_SUPPRESSION_FIELDS).should('contain', suppressByFields.join('')); + cy.get(ALERT_SUPPRESSION_MISSING_FIELDS_DO_NOT_SUPPRESS).should('be.checked'); + + // set new duration first to overcome some flaky racing conditions during form save + setAlertSuppressionDuration(2, 'h'); + selectAlertSuppressionPerRuleExecution(); + + saveEditedRule(); + + // check execution duration has changed + cy.get(DEFINITION_DETAILS).within(() => { + getDetails(SUPPRESS_FOR_DETAILS).should('have.text', 'One rule execution'); + }); + }); + + it('allows editing of a rule to remove suppression configuration', () => { + // check saved suppression settings + cy.get(ALERT_SUPPRESSION_DURATION_INPUT) + .eq(0) + .should('be.enabled') + .should('have.value', 360); + cy.get(ALERT_SUPPRESSION_DURATION_INPUT) + .eq(1) + .should('be.enabled') + .should('have.value', 's'); + + cy.get(ALERT_SUPPRESSION_FIELDS).should('contain', suppressByFields.join('')); + cy.get(ALERT_SUPPRESSION_MISSING_FIELDS_DO_NOT_SUPPRESS).should('be.checked'); + + // set new duration first to overcome some flaky racing conditions during form save + setAlertSuppressionDuration(2, 'h'); + + clearAlertSuppressionFields(); + saveEditedRule(); + + // check suppression is now absent + cy.get(DEFINITION_DETAILS).within(() => { + assertDetailsNotExist(SUPPRESS_FOR_DETAILS); + assertDetailsNotExist(SUPPRESS_BY_DETAILS); + }); + }); + }); + } +); diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts index 4b4a9542ff1bc..fca78851ddf03 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/prebuilt_rules/prebuilt_rules_preview.cy.ts @@ -220,9 +220,17 @@ describe('Detection rules, Prebuilt Rules Installation and Update workflow', () type: 'machine_learning', anomaly_threshold: 65, machine_learning_job_id: ['auth_high_count_logon_events', 'auth_high_count_logon_fails'], + alert_suppression: { + group_by: ['host.name'], + duration: { unit: 'm', value: 5 }, + missing_fields_strategy: 'suppress', + }, }), ['security-rule.query', 'security-rule.language'] - ) as typeof CUSTOM_QUERY_INDEX_PATTERN_RULE; + ) as Omit< + ReturnType, + 'security-rule.query' | 'security-rule.language' + >; const THRESHOLD_RULE_INDEX_PATTERN = createRuleAssetSavedObject({ name: 'Threshold index pattern rule', @@ -500,24 +508,30 @@ describe('Detection rules, Prebuilt Rules Installation and Update workflow', () }); it('Machine learning rule properties', function () { - clickAddElasticRulesButton(); - - openRuleInstallPreview(MACHINE_LEARNING_RULE['security-rule'].name); - - assertCommonPropertiesShown(commonProperties); - const { + name, + alert_suppression: alertSuppression, anomaly_threshold: anomalyThreshold, machine_learning_job_id: machineLearningJobIds, } = MACHINE_LEARNING_RULE['security-rule'] as { + name: string; anomaly_threshold: number; machine_learning_job_id: string[]; + alert_suppression: AlertSuppression; }; + + clickAddElasticRulesButton(); + openRuleInstallPreview(name); + + assertCommonPropertiesShown(commonProperties); + assertMachineLearningPropertiesShown( anomalyThreshold, machineLearningJobIds, this.mlModules ); + + assertAlertSuppressionPropertiesShown(alertSuppression); }); it('Threshold rule properties', () => { diff --git a/x-pack/test/security_solution_cypress/cypress/support/machine_learning.ts b/x-pack/test/security_solution_cypress/cypress/support/machine_learning.ts index e562a693865e3..5fb869cebc29f 100644 --- a/x-pack/test/security_solution_cypress/cypress/support/machine_learning.ts +++ b/x-pack/test/security_solution_cypress/cypress/support/machine_learning.ts @@ -5,8 +5,72 @@ * 2.0. */ +import { ML_GROUP_ID } from '@kbn/security-solution-plugin/common/constants'; import { rootRequest } from '../tasks/api_calls/common'; +/** + * + * Calls the internal ML Module API to set up a module, which installs the jobs + * contained in that module. + * @param moduleName the name of the ML module to set up + * @returns the response from the setup module request + */ +export const executeSetupModuleRequest = ({ moduleName }: { moduleName: string }) => + rootRequest({ + headers: { + 'elastic-api-version': 1, + }, + method: 'POST', + url: `/internal/ml/modules/setup/${moduleName}`, + failOnStatusCode: true, + body: { + prefix: '', + groups: [ML_GROUP_ID], + indexPatternName: 'auditbeat-*', + startDatafeed: false, + useDedicatedIndex: true, + applyToAllSpaces: true, + }, + }); + +/** + * + * Calls the internal ML Jobs API to force start the datafeeds for the given job IDs. Necessary to get them in the "started" state for the purposes of the detection engine + * @param jobIds the job IDs for which to force start datafeeds + * @returns the response from the force start datafeeds request + */ +export const forceStartDatafeeds = ({ jobIds }: { jobIds: string[] }) => + rootRequest({ + headers: { + 'elastic-api-version': 1, + }, + method: 'POST', + url: '/internal/ml/jobs/force_start_datafeeds', + failOnStatusCode: true, + body: { + datafeedIds: jobIds.map((jobId) => `datafeed-${jobId}`), + start: new Date().getUTCMilliseconds(), + }, + }); + +/** + * Calls the internal ML Jobs API to stop the datafeeds for the given job IDs. + * @param jobIds the job IDs for which to stop datafeeds + * @returns the response from the stop datafeeds request + */ +export const stopDatafeeds = ({ jobIds }: { jobIds: string[] }) => + rootRequest({ + headers: { + 'elastic-api-version': 1, + }, + method: 'POST', + url: '/internal/ml/jobs/stop_datafeeds', + failOnStatusCode: true, + body: { + datafeedIds: jobIds.map((jobId) => `datafeed-${jobId}`), + }, + }); + /** * Calls the internal ML Jobs API to force stop the datafeed of, and force close * the job with the given ID. diff --git a/x-pack/test/security_solution_cypress/serverless_config.ts b/x-pack/test/security_solution_cypress/serverless_config.ts index ebdd5d1b333c9..b9f153028e5c8 100644 --- a/x-pack/test/security_solution_cypress/serverless_config.ts +++ b/x-pack/test/security_solution_cypress/serverless_config.ts @@ -37,6 +37,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { `--xpack.securitySolution.enableExperimental=${JSON.stringify([ 'alertSuppressionForEsqlRuleEnabled', 'bulkCustomHighlightedFieldsEnabled', + 'alertSuppressionForMachineLearningRuleEnabled', 'manualRuleRunEnabled', ])}`, ], diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml index 9f3220959c486..5f86c7a23ca27 100644 --- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml +++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml @@ -34,6 +34,7 @@ viewer: - ".fleet-actions*" - "risk-score.risk-score-*" - ".asset-criticality.asset-criticality-*" + - ".ml-anomalies-*" privileges: - read applications: @@ -100,6 +101,10 @@ editor: - "read" - "write" allow_restricted_indices: false + - names: + - ".ml-anomalies-*" + privileges: + - read applications: - application: "kibana-.kibana" privileges: @@ -155,6 +160,7 @@ t1_analyst: - ".fleet-actions*" - risk-score.risk-score-* - .asset-criticality.asset-criticality-* + - ".ml-anomalies-*" privileges: - read applications: @@ -203,6 +209,7 @@ t2_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: @@ -265,6 +272,7 @@ t3_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -330,6 +338,7 @@ threat_intelligence_analyst: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -389,6 +398,7 @@ rule_author: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -454,6 +464,7 @@ soc_manager: - .fleet-agents* - .fleet-actions* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read applications: @@ -515,6 +526,7 @@ detections_admin: - metrics-endpoint.metadata_current_* - .fleet-agents* - .fleet-actions* + - ".ml-anomalies-*" privileges: - read - names: @@ -573,6 +585,10 @@ platform_engineer: privileges: - read - write + - names: + - ".ml-anomalies-*" + privileges: + - read applications: - application: "kibana-.kibana" privileges: @@ -624,6 +640,7 @@ endpoint_operations_analyst: - .lists* - .items* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: @@ -692,6 +709,7 @@ endpoint_policy_manager: - packetbeat-* - winlogbeat-* - risk-score.risk-score-* + - ".ml-anomalies-*" privileges: - read - names: From ad4fe8407838309fc24d92837be058fabc1c8b3b Mon Sep 17 00:00:00 2001 From: Steph Milovic Date: Tue, 2 Jul 2024 13:42:22 -0600 Subject: [PATCH 07/10] [Security solution] Assistant race condition bug fixing (#187186) --- .../assistant_header_flyout.tsx | 3 ++ .../assistant/chat_send/use_chat_send.tsx | 2 +- .../impl/assistant/index.test.tsx | 37 ++++++++++++------- .../impl/assistant/index.tsx | 25 ++++++------- 4 files changed, 39 insertions(+), 28 deletions(-) diff --git a/x-pack/packages/kbn-elastic-assistant/impl/assistant/assistant_header/assistant_header_flyout.tsx b/x-pack/packages/kbn-elastic-assistant/impl/assistant/assistant_header/assistant_header_flyout.tsx index d9ba27b96655f..bd75e80aef0ca 100644 --- a/x-pack/packages/kbn-elastic-assistant/impl/assistant/assistant_header/assistant_header_flyout.tsx +++ b/x-pack/packages/kbn-elastic-assistant/impl/assistant/assistant_header/assistant_header_flyout.tsx @@ -125,6 +125,7 @@ export const AssistantHeaderFlyout: React.FC = ({ `, onClick: showDestroyModal, icon: 'refresh', + 'data-test-subj': 'clear-chat', }, ], }, @@ -243,6 +244,7 @@ export const AssistantHeaderFlyout: React.FC = ({ aria-label="test" iconType="boxesVertical" onClick={onButtonClick} + data-test-subj="chat-context-menu" /> } isOpen={isPopoverOpen} @@ -266,6 +268,7 @@ export const AssistantHeaderFlyout: React.FC = ({ confirmButtonText={i18n.RESET_BUTTON_TEXT} buttonColor="danger" defaultFocusedButton="confirm" + data-test-subj="reset-conversation-modal" >

{i18n.CLEAR_CHAT_CONFIRMATION}

diff --git a/x-pack/packages/kbn-elastic-assistant/impl/assistant/chat_send/use_chat_send.tsx b/x-pack/packages/kbn-elastic-assistant/impl/assistant/chat_send/use_chat_send.tsx index 020822821d163..f42fe17242d86 100644 --- a/x-pack/packages/kbn-elastic-assistant/impl/assistant/chat_send/use_chat_send.tsx +++ b/x-pack/packages/kbn-elastic-assistant/impl/assistant/chat_send/use_chat_send.tsx @@ -35,7 +35,7 @@ export interface UseChatSendProps { export interface UseChatSend { abortStream: () => void; - handleOnChatCleared: () => void; + handleOnChatCleared: () => Promise; handlePromptChange: (prompt: string) => void; handleSendMessage: (promptText: string) => void; handleRegenerateResponse: () => void; diff --git a/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.test.tsx b/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.test.tsx index c023970803da4..b25945dd247bf 100644 --- a/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.test.tsx +++ b/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.test.tsx @@ -7,7 +7,7 @@ import React from 'react'; -import { act, fireEvent, render, screen, within } from '@testing-library/react'; +import { act, fireEvent, render, screen, waitFor, within } from '@testing-library/react'; import { Assistant } from '.'; import type { IHttpFetchError } from '@kbn/core/public'; @@ -63,15 +63,25 @@ const mockData = { }, }; const mockDeleteConvo = jest.fn(); +const clearConversation = jest.fn(); const mockUseConversation = { + clearConversation: clearConversation.mockResolvedValue(mockData.welcome_id), getConversation: jest.fn(), getDefaultConversation: jest.fn().mockReturnValue(mockData.welcome_id), deleteConversation: mockDeleteConvo, setApiConfig: jest.fn().mockResolvedValue({}), }; +const refetchResults = jest.fn(); + describe('Assistant', () => { - beforeAll(() => { + let persistToLocalStorage: jest.Mock; + let persistToSessionStorage: jest.Mock; + + beforeEach(() => { + jest.clearAllMocks(); + persistToLocalStorage = jest.fn(); + persistToSessionStorage = jest.fn(); (useConversation as jest.Mock).mockReturnValue(mockUseConversation); jest.mocked(useConnectorSetup).mockReturnValue({ comments: [], @@ -89,13 +99,14 @@ describe('Assistant', () => { ]; jest.mocked(useLoadConnectors).mockReturnValue({ isFetched: true, + isFetchedAfterMount: true, data: connectors, } as unknown as UseQueryResult); jest.mocked(useFetchCurrentUserConversations).mockReturnValue({ data: mockData, isLoading: false, - refetch: jest.fn().mockResolvedValue({ + refetch: refetchResults.mockResolvedValue({ isLoading: false, data: { ...mockData, @@ -107,16 +118,6 @@ describe('Assistant', () => { }), isFetched: true, } as unknown as DefinedUseQueryResult, unknown>); - }); - - let persistToLocalStorage: jest.Mock; - let persistToSessionStorage: jest.Mock; - - beforeEach(() => { - jest.clearAllMocks(); - persistToLocalStorage = jest.fn(); - persistToSessionStorage = jest.fn(); - jest .mocked(useLocalStorage) .mockReturnValue([undefined, persistToLocalStorage] as unknown as ReturnType< @@ -234,6 +235,16 @@ describe('Assistant', () => { }); expect(mockDeleteConvo).toHaveBeenCalledWith(mockData.welcome_id.id); }); + it('should refetchConversationsState after clear chat history button click', async () => { + renderAssistant({ isFlyoutMode: true }); + fireEvent.click(screen.getByTestId('chat-context-menu')); + fireEvent.click(screen.getByTestId('clear-chat')); + fireEvent.click(screen.getByTestId('confirmModalConfirmButton')); + await waitFor(() => { + expect(clearConversation).toHaveBeenCalled(); + expect(refetchResults).toHaveBeenCalled(); + }); + }); }); describe('when selected conversation changes and some connectors are loaded', () => { it('should persist the conversation id to local storage', async () => { diff --git a/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.tsx b/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.tsx index 830c5d2b7080a..907e4d70accd5 100644 --- a/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.tsx +++ b/x-pack/packages/kbn-elastic-assistant/impl/assistant/index.tsx @@ -220,7 +220,7 @@ const AssistantComponent: React.FC = ({ ); useEffect(() => { - if (conversationsLoaded && Object.keys(conversations).length > 0) { + if (areConnectorsFetched && conversationsLoaded && Object.keys(conversations).length > 0) { setCurrentConversation((prev) => { const nextConversation = (currentConversationId && conversations[currentConversationId]) || @@ -256,13 +256,13 @@ const AssistantComponent: React.FC = ({ }); } }, [ + areConnectorsFetched, conversationTitle, conversations, - getDefaultConversation, - getLastConversationId, conversationsLoaded, - currentConversation?.id, currentConversationId, + getDefaultConversation, + getLastConversationId, isAssistantEnabled, isFlyoutMode, ]); @@ -549,7 +549,7 @@ const AssistantComponent: React.FC = ({ const { abortStream, - handleOnChatCleared, + handleOnChatCleared: onChatCleared, handlePromptChange, handleSendMessage, handleRegenerateResponse, @@ -567,6 +567,11 @@ const AssistantComponent: React.FC = ({ setCurrentConversation, }); + const handleOnChatCleared = useCallback(async () => { + await onChatCleared(); + await refetchResults(); + }, [onChatCleared, refetchResults]); + const handleChatSend = useCallback( async (promptText: string) => { await handleSendMessage(promptText); @@ -733,15 +738,7 @@ const AssistantComponent: React.FC = ({ } } })(); - }, [ - currentConversation, - defaultConnector, - refetchConversationsState, - setApiConfig, - showMissingConnectorCallout, - areConnectorsFetched, - mutateAsync, - ]); + }, [areConnectorsFetched, currentConversation, mutateAsync]); const handleCreateConversation = useCallback(async () => { const newChatExists = find(conversations, ['title', NEW_CHAT]); From 9fae9c536ad54113f376e12885339189fc243266 Mon Sep 17 00:00:00 2001 From: Rickyanto Ang Date: Tue, 2 Jul 2024 13:07:33 -0700 Subject: [PATCH 08/10] [Cloud Security] Update CSP Version to 1.9.0 for Test (#186657) ## Summary With 8.14 released, we want to make sure our CSP is using the latest CSP version for our test environment --- .../cloud_security_posture/common/constants.ts | 2 +- .../components/package_policy_input_var_field.tsx | 1 + .../page_objects/add_cis_integration_form_page.ts | 5 +++++ .../cis_integrations/cspm/cis_integration_aws.ts | 4 ++++ .../cis_integrations/cspm/cis_integration_azure.ts | 12 ++---------- .../cis_integrations/kspm/cis_integration_eks.ts | 2 ++ .../config.cloud_security_posture.essentials.ts | 3 ++- 7 files changed, 17 insertions(+), 12 deletions(-) diff --git a/x-pack/plugins/cloud_security_posture/common/constants.ts b/x-pack/plugins/cloud_security_posture/common/constants.ts index 57f1e465ea73b..27fc64d44966f 100644 --- a/x-pack/plugins/cloud_security_posture/common/constants.ts +++ b/x-pack/plugins/cloud_security_posture/common/constants.ts @@ -199,6 +199,6 @@ export const TEMPLATE_URL_ACCOUNT_TYPE_ENV_VAR = 'ACCOUNT_TYPE'; export const ORGANIZATION_ACCOUNT = 'organization-account'; export const SINGLE_ACCOUNT = 'single-account'; -export const CLOUD_SECURITY_PLUGIN_VERSION = '1.8.1'; +export const CLOUD_SECURITY_PLUGIN_VERSION = '1.9.0'; // Cloud Credentials Template url was implemented in 1.10.0-preview01. See PR - https://github.com/elastic/integrations/pull/9828 export const CLOUD_CREDENTIALS_PACKAGE_VERSION = '1.10.0-preview01'; diff --git a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx index 653986a7128de..114d973f32541 100644 --- a/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx +++ b/x-pack/plugins/fleet/public/applications/fleet/sections/agent_policy/create_package_policy_page/components/steps/components/package_policy_input_var_field.tsx @@ -420,6 +420,7 @@ function SecretInputField({ iconType="refresh" iconSide="left" size="xs" + data-test-subj={`button-replace-${fieldTestSelector}`} > { + return await testSubjects.find(`button-replace-${secretField}`); + }; + return { cisAzure, cisAws, @@ -311,5 +315,6 @@ export function AddCisIntegrationFormPageProvider({ getValueInEditPage, isOptionChecked, checkIntegrationPliAuthBlockExists, + getReplaceSecretButton, }; } diff --git a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_aws.ts b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_aws.ts index cae23e9bfe8a4..5523e05120912 100644 --- a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_aws.ts +++ b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_aws.ts @@ -124,6 +124,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getFieldValueInEditPage(DIRECT_ACCESS_KEY_ID_TEST_ID)) === directAccessKeyId ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); @@ -159,6 +160,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getValueInEditPage(TEMP_ACCESS_SESSION_TOKEN_TEST_ID)) === tempAccessSessionToken ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); @@ -247,6 +249,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getFieldValueInEditPage(DIRECT_ACCESS_KEY_ID_TEST_ID)) === directAccessKeyId ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); @@ -283,6 +286,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getValueInEditPage(TEMP_ACCESS_SESSION_TOKEN_TEST_ID)) === tempAccessSessionToken ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); diff --git a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_azure.ts b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_azure.ts index 6bd117c36a85d..99cc57905d46e 100644 --- a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_azure.ts +++ b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/cspm/cis_integration_azure.ts @@ -111,11 +111,7 @@ export default function (providerContext: FtrProviderContext) { CIS_AZURE_INPUT_FIELDS_TEST_SUBJECTS.TENANT_ID )) === tenantId ).to.be(true); - expect( - (await cisIntegration.getValueInEditPage( - CIS_AZURE_INPUT_FIELDS_TEST_SUBJECTS.CLIENT_SECRET - )) === clientSecret - ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('client-secret')).to.not.be(null); }); }); @@ -227,11 +223,7 @@ export default function (providerContext: FtrProviderContext) { CIS_AZURE_INPUT_FIELDS_TEST_SUBJECTS.TENANT_ID )) === tenantId ).to.be(true); - expect( - (await cisIntegration.getValueInEditPage( - CIS_AZURE_INPUT_FIELDS_TEST_SUBJECTS.CLIENT_SECRET - )) === clientSecret - ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('client-secret')).to.not.be(null); }); }); diff --git a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/kspm/cis_integration_eks.ts b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/kspm/cis_integration_eks.ts index ec4a7c61239ea..db567d335b0ff 100644 --- a/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/kspm/cis_integration_eks.ts +++ b/x-pack/test/cloud_security_posture_functional/pages/cis_integrations/kspm/cis_integration_eks.ts @@ -73,6 +73,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getFieldValueInEditPage(DIRECT_ACCESS_KEY_ID_TEST_ID)) === directAccessKeyId ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); @@ -107,6 +108,7 @@ export default function (providerContext: FtrProviderContext) { (await cisIntegration.getValueInEditPage(TEMP_ACCESS_SESSION_TOKEN_TEST_ID)) === tempAccessSessionToken ).to.be(true); + expect(await cisIntegration.getReplaceSecretButton('secret-access-key')).to.not.be(null); }); }); diff --git a/x-pack/test_serverless/functional/test_suites/security/config.cloud_security_posture.essentials.ts b/x-pack/test_serverless/functional/test_suites/security/config.cloud_security_posture.essentials.ts index 320b130e63e91..11b4f056841f1 100644 --- a/x-pack/test_serverless/functional/test_suites/security/config.cloud_security_posture.essentials.ts +++ b/x-pack/test_serverless/functional/test_suites/security/config.cloud_security_posture.essentials.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { CLOUD_SECURITY_PLUGIN_VERSION } from '@kbn/cloud-security-posture-plugin/common/constants'; import { createTestConfig } from '../../config.base'; export default createTestConfig({ @@ -14,7 +15,7 @@ export default createTestConfig({ }, kbnServerArgs: [ `--xpack.fleet.packages.0.name=cloud_security_posture`, - `--xpack.fleet.packages.0.version=1.5.2`, + `--xpack.fleet.packages.0.version=${CLOUD_SECURITY_PLUGIN_VERSION}`, `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([ { product_line: 'security', product_tier: 'essentials' }, { product_line: 'endpoint', product_tier: 'essentials' }, From 32e7bf98284d5afff87d69a54721234a540b11f4 Mon Sep 17 00:00:00 2001 From: Khristinin Nikita Date: Tue, 2 Jul 2024 23:04:54 +0200 Subject: [PATCH 09/10] Telemetry for manual rule run (#186364) ## Summary report following events: - open modal window for manual rule run - execute manual rule run + save time range in ms - cancel backfill job - filter in event log by run type - show source event date range Epic - https://github.com/elastic/security-team/issues/2840 ### How to test enable feature flag - `manualRuleRunEnabled` You can see feature demo here - https://github.com/elastic/kibana/pull/184500 Check that events appears here after some time - https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/r/s/7YYlg --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine --- .../public/common/lib/telemetry/constants.ts | 5 + .../lib/telemetry/events/event_log/index.ts | 37 +++++ .../lib/telemetry/events/event_log/types.ts | 29 ++++ .../telemetry/events/manual_rule_run/index.ts | 79 +++++++++++ .../telemetry/events/manual_rule_run/types.ts | 43 ++++++ .../lib/telemetry/events/telemetry_events.ts | 11 ++ .../lib/telemetry/telemetry_client.mock.ts | 5 + .../common/lib/telemetry/telemetry_client.ts | 27 ++++ .../public/common/lib/telemetry/types.ts | 34 ++++- .../execution_log_table.test.tsx | 45 ++++++- .../execution_log_table.tsx | 21 ++- .../components/rule_backfills_info/index.tsx | 2 +- .../stop_backfill.test.tsx | 126 ++++++++++++++++++ .../rule_backfills_info/stop_backfill.tsx | 12 +- .../logic/use_schedule_rule_run.test.tsx | 78 ++++++++++- .../rule_gaps/logic/use_schedule_rule_run.ts | 14 +- .../bulk_actions/use_bulk_actions.tsx | 11 ++ .../rules_table/use_rules_table_actions.tsx | 8 +- .../execution_run_type_filter/index.test.tsx | 47 +++++++ .../execution_run_type_filter/index.tsx | 13 +- .../rule_actions_overflow/index.test.tsx | 27 ++++ .../rules/rule_actions_overflow/index.tsx | 9 +- 22 files changed, 665 insertions(+), 18 deletions(-) create mode 100644 x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/index.ts create mode 100644 x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/types.ts create mode 100644 x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts create mode 100644 x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/types.ts create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.test.tsx create mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.test.tsx diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/constants.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/constants.ts index 4d7c8f180d0ec..bc9004c8d99c7 100644 --- a/x-pack/plugins/security_solution/public/common/lib/telemetry/constants.ts +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/constants.ts @@ -79,6 +79,11 @@ export enum TelemetryEventTypes { OnboardingHubStepOpen = 'Onboarding Hub Step Open', OnboardingHubStepFinished = 'Onboarding Hub Step Finished', OnboardingHubStepLinkClicked = 'Onboarding Hub Step Link Clicked', + ManualRuleRunOpenModal = 'Manual Rule Run Open Modal', + ManualRuleRunExecute = 'Manual Rule Run Execute', + ManualRuleRunCancelJob = 'Manual Rule Run Cancel Job', + EventLogFilterByRunType = 'Event Log Filter By Run Type', + EventLogShowSourceEventDateRange = 'Event Log -> Show Source -> Event Date Range', } export enum ML_JOB_TELEMETRY_STATUS { diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/index.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/index.ts new file mode 100644 index 0000000000000..c30efcee10cfc --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/index.ts @@ -0,0 +1,37 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { EventLogTelemetryEvent } from './types'; +import { TelemetryEventTypes } from '../../constants'; + +export const eventLogFilterByRunTypeEvent: EventLogTelemetryEvent = { + eventType: TelemetryEventTypes.EventLogFilterByRunType, + schema: { + runType: { + type: 'array', + items: { + type: 'keyword', + _meta: { + description: 'Filter event log by run type', + }, + }, + }, + }, +}; + +export const eventLogShowSourceEventDateRangeEvent: EventLogTelemetryEvent = { + eventType: TelemetryEventTypes.EventLogShowSourceEventDateRange, + schema: { + isVisible: { + type: 'boolean', + _meta: { + description: 'Show source event date range', + optional: false, + }, + }, + }, +}; diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/types.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/types.ts new file mode 100644 index 0000000000000..b196c9010b258 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/event_log/types.ts @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import type { RootSchema } from '@kbn/core/public'; +import type { TelemetryEventTypes } from '../../constants'; + +export interface ReportEventLogFilterByRunTypeParams { + runType: string[]; +} +export interface ReportEventLogShowSourceEventDateRangeParams { + isVisible: boolean; +} + +export type ReportEventLogTelemetryEventParams = + | ReportEventLogFilterByRunTypeParams + | ReportEventLogShowSourceEventDateRangeParams; + +export type EventLogTelemetryEvent = + | { + eventType: TelemetryEventTypes.EventLogFilterByRunType; + schema: RootSchema; + } + | { + eventType: TelemetryEventTypes.EventLogShowSourceEventDateRange; + schema: RootSchema; + }; diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts new file mode 100644 index 0000000000000..a1476944d9806 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts @@ -0,0 +1,79 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { TelemetryEvent } from '../../types'; +import { TelemetryEventTypes } from '../../constants'; + +export const manualRuleRunOpenModalEvent: TelemetryEvent = { + eventType: TelemetryEventTypes.ManualRuleRunOpenModal, + schema: { + type: { + type: 'keyword', + _meta: { + description: 'Open manual rule run modal (single|bulk)', + optional: false, + }, + }, + }, +}; + +export const manualRuleRunExecuteEvent: TelemetryEvent = { + eventType: TelemetryEventTypes.ManualRuleRunExecute, + schema: { + rangeInMs: { + type: 'integer', + _meta: { + description: + 'The time range (expressed in milliseconds) against which the manual rule run was executed', + optional: false, + }, + }, + status: { + type: 'keyword', + _meta: { + description: + 'Outcome state of the manual rule run. Possible values are "success" and "error"', + optional: false, + }, + }, + rulesCount: { + type: 'integer', + _meta: { + description: 'Number of rules that were executed in the manual rule run', + optional: false, + }, + }, + }, +}; + +export const manualRuleRunCancelJobEvent: TelemetryEvent = { + eventType: TelemetryEventTypes.ManualRuleRunCancelJob, + schema: { + totalTasks: { + type: 'integer', + _meta: { + description: + 'Total number of scheduled tasks (rule executions) at the moment of backfill cancellation', + optional: false, + }, + }, + completedTasks: { + type: 'integer', + _meta: { + description: 'Number of completed rule executions at the moment of backfill cancellation', + optional: false, + }, + }, + errorTasks: { + type: 'integer', + _meta: { + description: 'Number of error rule executions at the moment of backfill cancellation', + optional: false, + }, + }, + }, +}; diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/types.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/types.ts new file mode 100644 index 0000000000000..a58b0adf45503 --- /dev/null +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/types.ts @@ -0,0 +1,43 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import type { RootSchema } from '@kbn/core/public'; +import type { TelemetryEventTypes } from '../../constants'; + +export interface ReportManualRuleRunOpenModalParams { + type: 'single' | 'bulk'; +} + +export interface ReportManualRuleRunExecuteParams { + rangeInMs: number; + rulesCount: number; + status: 'success' | 'error'; +} + +export interface ReportManualRuleRunCancelJobParams { + totalTasks: number; + completedTasks: number; + errorTasks: number; +} + +export type ReportManualRuleRunTelemetryEventParams = + | ReportManualRuleRunOpenModalParams + | ReportManualRuleRunExecuteParams + | ReportManualRuleRunCancelJobParams; + +export type ManualRuleRunTelemetryEvent = + | { + eventType: TelemetryEventTypes.ManualRuleRunOpenModal; + schema: RootSchema; + } + | { + eventType: TelemetryEventTypes.ManualRuleRunExecute; + schema: RootSchema; + } + | { + eventType: TelemetryEventTypes.ManualRuleRunCancelJob; + schema: RootSchema; + }; diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/telemetry_events.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/telemetry_events.ts index 8fe949fc783e7..3cf5fb9b37818 100644 --- a/x-pack/plugins/security_solution/public/common/lib/telemetry/events/telemetry_events.ts +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/events/telemetry_events.ts @@ -38,6 +38,12 @@ import { onboardingHubStepLinkClickedEvent, onboardingHubStepOpenEvent, } from './onboarding'; +import { + manualRuleRunCancelJobEvent, + manualRuleRunExecuteEvent, + manualRuleRunOpenModalEvent, +} from './manual_rule_run'; +import { eventLogFilterByRunTypeEvent, eventLogShowSourceEventDateRangeEvent } from './event_log'; const mlJobUpdateEvent: TelemetryEvent = { eventType: TelemetryEventTypes.MLJobUpdate, @@ -175,4 +181,9 @@ export const telemetryEvents = [ onboardingHubStepOpenEvent, onboardingHubStepLinkClickedEvent, onboardingHubStepFinishedEvent, + manualRuleRunCancelJobEvent, + manualRuleRunExecuteEvent, + manualRuleRunOpenModalEvent, + eventLogFilterByRunTypeEvent, + eventLogShowSourceEventDateRangeEvent, ]; diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.mock.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.mock.ts index 747a0a3a57770..24057982ed588 100644 --- a/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.mock.ts +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.mock.ts @@ -35,4 +35,9 @@ export const createTelemetryClientMock = (): jest.Mocked = reportAssetCriticalityCsvPreviewGenerated: jest.fn(), reportAssetCriticalityFileSelected: jest.fn(), reportAssetCriticalityCsvImported: jest.fn(), + reportEventLogFilterByRunType: jest.fn(), + reportEventLogShowSourceEventDateRange: jest.fn(), + reportManualRuleRunCancelJob: jest.fn(), + reportManualRuleRunExecute: jest.fn(), + reportManualRuleRunOpenModal: jest.fn(), }); diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.ts index 266b3c737eb62..130bbc7817034 100644 --- a/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.ts +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.ts @@ -35,6 +35,11 @@ import type { OnboardingHubStepLinkClickedParams, OnboardingHubStepOpenParams, OnboardingHubStepFinishedParams, + ReportManualRuleRunCancelJobParams, + ReportManualRuleRunExecuteParams, + ReportManualRuleRunOpenModalParams, + ReportEventLogShowSourceEventDateRangeParams, + ReportEventLogFilterByRunTypeParams, } from './types'; import { TelemetryEventTypes } from './constants'; @@ -168,4 +173,26 @@ export class TelemetryClient implements TelemetryClientStart { public reportOnboardingHubStepLinkClicked = (params: OnboardingHubStepLinkClickedParams) => { this.analytics.reportEvent(TelemetryEventTypes.OnboardingHubStepLinkClicked, params); }; + + public reportManualRuleRunOpenModal = (params: ReportManualRuleRunOpenModalParams) => { + this.analytics.reportEvent(TelemetryEventTypes.ManualRuleRunOpenModal, params); + }; + + public reportManualRuleRunExecute = (params: ReportManualRuleRunExecuteParams) => { + this.analytics.reportEvent(TelemetryEventTypes.ManualRuleRunExecute, params); + }; + + public reportManualRuleRunCancelJob = (params: ReportManualRuleRunCancelJobParams) => { + this.analytics.reportEvent(TelemetryEventTypes.ManualRuleRunCancelJob, params); + }; + + public reportEventLogFilterByRunType = (params: ReportEventLogFilterByRunTypeParams) => { + this.analytics.reportEvent(TelemetryEventTypes.EventLogFilterByRunType, params); + }; + + public reportEventLogShowSourceEventDateRange( + params: ReportEventLogShowSourceEventDateRangeParams + ): void { + this.analytics.reportEvent(TelemetryEventTypes.EventLogShowSourceEventDateRange, params); + } } diff --git a/x-pack/plugins/security_solution/public/common/lib/telemetry/types.ts b/x-pack/plugins/security_solution/public/common/lib/telemetry/types.ts index 9e7a49a91497e..3aba8176d9f67 100644 --- a/x-pack/plugins/security_solution/public/common/lib/telemetry/types.ts +++ b/x-pack/plugins/security_solution/public/common/lib/telemetry/types.ts @@ -53,6 +53,19 @@ import type { OnboardingHubStepOpenParams, OnboardingHubTelemetryEvent, } from './events/onboarding/types'; +import type { + ManualRuleRunTelemetryEvent, + ReportManualRuleRunOpenModalParams, + ReportManualRuleRunExecuteParams, + ReportManualRuleRunCancelJobParams, + ReportManualRuleRunTelemetryEventParams, +} from './events/manual_rule_run/types'; +import type { + EventLogTelemetryEvent, + ReportEventLogFilterByRunTypeParams, + ReportEventLogShowSourceEventDateRangeParams, + ReportEventLogTelemetryEventParams, +} from './events/event_log/types'; export * from './events/ai_assistant/types'; export * from './events/alerts_grouping/types'; @@ -70,6 +83,8 @@ export type { ReportAssetCriticalityCsvImportedParams, } from './events/entity_analytics/types'; export * from './events/document_details/types'; +export * from './events/manual_rule_run/types'; +export * from './events/event_log/types'; export interface TelemetryServiceSetupParams { analytics: AnalyticsServiceSetup; @@ -112,7 +127,9 @@ export type TelemetryEventParams = | ReportDocumentDetailsTelemetryEventParams | OnboardingHubStepOpenParams | OnboardingHubStepFinishedParams - | OnboardingHubStepLinkClickedParams; + | OnboardingHubStepLinkClickedParams + | ReportManualRuleRunTelemetryEventParams + | ReportEventLogTelemetryEventParams; export interface TelemetryClientStart { reportAlertsGroupingChanged(params: ReportAlertsGroupingChangedParams): void; @@ -155,6 +172,17 @@ export interface TelemetryClientStart { reportOnboardingHubStepOpen(params: OnboardingHubStepOpenParams): void; reportOnboardingHubStepFinished(params: OnboardingHubStepFinishedParams): void; reportOnboardingHubStepLinkClicked(params: OnboardingHubStepLinkClickedParams): void; + + // manual rule run + reportManualRuleRunOpenModal(params: ReportManualRuleRunOpenModalParams): void; + reportManualRuleRunExecute(params: ReportManualRuleRunExecuteParams): void; + reportManualRuleRunCancelJob(params: ReportManualRuleRunCancelJobParams): void; + + // event log + reportEventLogFilterByRunType(params: ReportEventLogFilterByRunTypeParams): void; + reportEventLogShowSourceEventDateRange( + params: ReportEventLogShowSourceEventDateRangeParams + ): void; } export type TelemetryEvent = @@ -179,4 +207,6 @@ export type TelemetryEvent = eventType: TelemetryEventTypes.BreadcrumbClicked; schema: RootSchema; } - | OnboardingHubTelemetryEvent; + | OnboardingHubTelemetryEvent + | ManualRuleRunTelemetryEvent + | EventLogTelemetryEvent; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.test.tsx index 584a9a4e49026..3a221836e3a35 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.test.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.test.tsx @@ -7,7 +7,7 @@ import React from 'react'; import { noop } from 'lodash/fp'; -import { render, screen } from '@testing-library/react'; +import { render, screen, fireEvent } from '@testing-library/react'; import { coreMock } from '@kbn/core/public/mocks'; import { TestProviders } from '../../../../../common/mock'; @@ -18,10 +18,30 @@ import { useExecutionResults } from '../../../../rule_monitoring'; import { useSourcererDataView } from '../../../../../sourcerer/containers'; import { useRuleDetailsContext } from '../rule_details_context'; import { ExecutionLogTable } from './execution_log_table'; +import { useKibana } from '../../../../../common/lib/kibana'; +import { useKibana as mockUseKibana } from '../../../../../common/lib/kibana/__mocks__'; jest.mock('../../../../../sourcerer/containers'); jest.mock('../../../../rule_monitoring/components/execution_results_table/use_execution_results'); jest.mock('../rule_details_context'); +jest.mock('../../../../../common/lib/kibana'); +jest.mock('../../../../../common/hooks/use_experimental_features', () => { + return { + useIsExperimentalFeatureEnabled: jest.fn().mockReturnValue(true), + }; +}); + +const mockTelemetry = { + reportEventLogShowSourceEventDateRange: jest.fn(), +}; + +const mockedUseKibana = { + ...mockUseKibana(), + services: { + ...mockUseKibana().services, + telemetry: mockTelemetry, + }, +}; const coreStart = coreMock.createStart(); @@ -42,6 +62,11 @@ mockUseRuleExecutionEvents.mockReturnValue({ }); describe('ExecutionLogTable', () => { + beforeEach(() => { + jest.clearAllMocks(); + (useKibana as jest.Mock).mockReturnValue(mockedUseKibana); + }); + test('Shows total events returned', () => { const ruleDetailsContext = useRuleDetailsContextMock.create(); (useRuleDetailsContext as jest.Mock).mockReturnValue(ruleDetailsContext); @@ -50,4 +75,22 @@ describe('ExecutionLogTable', () => { }); expect(screen.getByTestId('executionsShowing')).toHaveTextContent('Showing 7 rule executions'); }); + + test('should call telemetry when the "Show Source Event Time Range" switch is toggled', async () => { + const ruleDetailsContext = useRuleDetailsContextMock.create(); + (useRuleDetailsContext as jest.Mock).mockReturnValue(ruleDetailsContext); + + const { getByText } = render( + , + { + wrapper: TestProviders, + } + ); + + const switchButton = getByText('Show source event time range'); + + fireEvent.click(switchButton); + + expect(mockTelemetry.reportEventLogShowSourceEventDateRange).toHaveBeenCalled(); + }); }); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.tsx index 981f80f36f744..37037719f8e42 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/execution_log_table/execution_log_table.tsx @@ -9,7 +9,12 @@ import React, { useCallback, useMemo, useRef } from 'react'; import { useDispatch } from 'react-redux'; import styled from 'styled-components'; import moment from 'moment'; -import type { OnTimeChangeProps, OnRefreshProps, OnRefreshChangeProps } from '@elastic/eui'; +import type { + OnTimeChangeProps, + OnRefreshProps, + OnRefreshChangeProps, + EuiSwitchEvent, +} from '@elastic/eui'; import { EuiTextColor, EuiFlexGroup, @@ -120,6 +125,7 @@ const ExecutionLogTableComponent: React.FC = ({ }, storage, timelines, + telemetry, } = useKibana().services; const isManualRuleRunEnabled = useIsExperimentalFeatureEnabled('manualRuleRunEnabled'); @@ -453,6 +459,17 @@ const ExecutionLogTableComponent: React.FC = ({ renderItem: renderExpandedItem, }); + const handleShowSourceEventTimeRange = useCallback( + (e: EuiSwitchEvent) => { + const isVisible = e.target.checked; + onShowSourceEventTimeRange(isVisible); + telemetry.reportEventLogShowSourceEventDateRange({ + isVisible, + }); + }, + [onShowSourceEventTimeRange, telemetry] + ); + const executionLogColumns = useMemo(() => { const columns = [...EXECUTION_LOG_COLUMNS].filter((item) => { if ('field' in item) { @@ -569,7 +586,7 @@ const ExecutionLogTableComponent: React.FC = ({ label={i18n.RULE_EXECUTION_LOG_SHOW_SOURCE_EVENT_TIME_RANGE} checked={showSourceEventTimeRange} compressed={true} - onChange={(e) => onShowSourceEventTimeRange(e.target.checked)} + onChange={handleShowSourceEventTimeRange} /> )} { const stopAction = { name: i18n.BACKFILLS_TABLE_COLUMN_ACTION, - render: (item: BackfillRow) => , + render: (item: BackfillRow) => , width: '10%', }; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.test.tsx new file mode 100644 index 0000000000000..b2cdd83d6f43f --- /dev/null +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.test.tsx @@ -0,0 +1,126 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { render, fireEvent, waitFor } from '@testing-library/react'; +import { useAppToasts } from '../../../../common/hooks/use_app_toasts'; +import { useDeleteBackfill } from '../../api/hooks/use_delete_backfill'; +import { StopBackfill } from './stop_backfill'; +import { TestProviders } from '../../../../common/mock'; +import { useKibana } from '../../../../common/lib/kibana'; +import * as i18n from '../../translations'; +import type { BackfillRow } from '../../types'; + +jest.mock('../../../../common/hooks/use_app_toasts'); +jest.mock('../../api/hooks/use_delete_backfill'); +jest.mock('../../../../common/lib/kibana'); + +const mockUseAppToasts = useAppToasts as jest.Mock; +const mockUseDeleteBackfill = useDeleteBackfill as jest.Mock; +const mockUseKibana = useKibana as jest.Mock; + +describe('StopBackfill', () => { + const mockTelemetry = { + reportManualRuleRunCancelJob: jest.fn(), + }; + + const addSuccess = jest.fn(); + const addError = jest.fn(); + + const backfill = { + id: 'backfill-id', + total: 10, + complete: 5, + error: 1, + duration: '1h', + enabled: true, + running: 1, + pending: 1, + timeout: 1, + end: '2024-06-28T12:05:38.955Z', + start: '2024-06-28T12:00:00.000Z', + status: 'pending', + created_at: '2024-06-28T12:05:42.572Z', + space_id: 'default', + rule: { + name: 'Rule', + }, + schedule: [ + { + run_at: '2024-06-28T13:00:00.000Z', + status: 'pending', + interval: '1h', + }, + ], + } as BackfillRow; + + beforeEach(() => { + jest.clearAllMocks(); + + mockUseAppToasts.mockReturnValue({ + addSuccess, + addError, + }); + + mockUseKibana.mockReturnValue({ + services: { + telemetry: mockTelemetry, + }, + }); + }); + + it('should call deleteBackfillMutation and telemetry when confirmed', async () => { + mockUseDeleteBackfill.mockImplementation((options) => ({ + mutate: () => { + if (options.onSuccess) { + options.onSuccess(); + } + }, + })); + + const { getByTestId } = render(, { + wrapper: TestProviders, + }); + + fireEvent.click(getByTestId('rule-backfills-delete-button')); + fireEvent.click(getByTestId('confirmModalConfirmButton')); + + await waitFor(() => { + expect(mockTelemetry.reportManualRuleRunCancelJob).toHaveBeenCalledWith({ + totalTasks: backfill.total, + completedTasks: backfill.complete, + errorTasks: backfill.error, + }); + }); + + expect(addSuccess).toHaveBeenCalledWith(i18n.BACKFILLS_TABLE_STOP_CONFIRMATION_SUCCESS); + }); + + it('should call addError on deleteBackfillMutation error', async () => { + mockUseDeleteBackfill.mockImplementation((options) => ({ + mutate: () => { + if (options.onError) { + options.onError(new Error('Error stopping backfill')); + } + }, + })); + + const { getByTestId } = render(, { + wrapper: TestProviders, + }); + + fireEvent.click(getByTestId('rule-backfills-delete-button')); + fireEvent.click(getByTestId('confirmModalConfirmButton')); + + await waitFor(() => { + expect(addError).toHaveBeenCalledWith(expect.any(Error), { + title: i18n.BACKFILLS_TABLE_STOP_CONFIRMATION_ERROR, + toastMessage: 'Error stopping backfill', + }); + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.tsx index 6dfca1922d2a4..84acf0b014d60 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/components/rule_backfills_info/stop_backfill.tsx @@ -10,12 +10,20 @@ import { EuiButtonEmpty, EuiConfirmModal } from '@elastic/eui'; import { useAppToasts } from '../../../../common/hooks/use_app_toasts'; import { useDeleteBackfill } from '../../api/hooks/use_delete_backfill'; import * as i18n from '../../translations'; +import type { BackfillRow } from '../../types'; +import { useKibana } from '../../../../common/lib/kibana'; -export const StopBackfill = ({ id }: { id: string }) => { +export const StopBackfill = ({ backfill }: { backfill: BackfillRow }) => { + const { telemetry } = useKibana().services; const { addSuccess, addError } = useAppToasts(); const deleteBackfillMutation = useDeleteBackfill({ onSuccess: () => { closeModal(); + telemetry.reportManualRuleRunCancelJob({ + totalTasks: backfill.total, + completedTasks: backfill.complete, + errorTasks: backfill.error, + }); addSuccess(i18n.BACKFILLS_TABLE_STOP_CONFIRMATION_SUCCESS); }, onError: (error) => { @@ -29,7 +37,7 @@ export const StopBackfill = ({ id }: { id: string }) => { const showModal = () => setIsModalVisible(true); const closeModal = () => setIsModalVisible(false); const onConfirm = () => { - deleteBackfillMutation.mutate({ backfillId: id }); + deleteBackfillMutation.mutate({ backfillId: backfill.id }); }; return ( diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.test.tsx index 94c3f7e36acdb..36bdf8a8bf821 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.test.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.test.tsx @@ -5,20 +5,38 @@ * 2.0. */ -import { INTERNAL_ALERTING_BACKFILL_SCHEDULE_API_PATH } from '@kbn/alerting-plugin/common'; import { act, renderHook } from '@testing-library/react-hooks'; import moment from 'moment'; import { useKibana } from '../../../common/lib/kibana'; +import { useKibana as mockUseKibana } from '../../../common/lib/kibana/__mocks__'; import { TestProviders } from '../../../common/mock'; import { useScheduleRuleRun } from './use_schedule_rule_run'; +const mockUseScheduleRuleRunMutation = jest.fn(); + jest.mock('../../../common/lib/kibana'); +jest.mock('../api/hooks/use_schedule_rule_run_mutation', () => ({ + useScheduleRuleRunMutation: () => { + return { + mutateAsync: mockUseScheduleRuleRunMutation, + }; + }, +})); -const useKibanaMock = useKibana as jest.MockedFunction; +const mockedUseKibana = { + ...mockUseKibana(), + services: { + ...mockUseKibana().services, + telemetry: { + reportManualRuleRunExecute: jest.fn(), + }, + }, +}; describe('When using the `useScheduleRuleRun()` hook', () => { beforeEach(() => { jest.clearAllMocks(); + (useKibana as jest.Mock).mockReturnValue(mockedUseKibana); }); it('should send schedule rule run request', async () => { @@ -31,13 +49,61 @@ describe('When using the `useScheduleRuleRun()` hook', () => { result.current.scheduleRuleRun({ ruleIds: ['rule-1'], timeRange }); }); - await waitFor(() => (useKibanaMock().services.http.fetch as jest.Mock).mock.calls.length > 0); + await waitFor(() => { + return mockUseScheduleRuleRunMutation.mock.calls.length > 0; + }); - expect(useKibanaMock().services.http.fetch).toHaveBeenCalledWith( - INTERNAL_ALERTING_BACKFILL_SCHEDULE_API_PATH, + expect(mockUseScheduleRuleRunMutation).toHaveBeenCalledWith( expect.objectContaining({ - body: `[{"rule_id":"rule-1","start":"${timeRange.startDate.toISOString()}","end":"${timeRange.endDate.toISOString()}"}]`, + ruleIds: ['rule-1'], + timeRange, }) ); }); + + it('should call reportManualRuleRunExecute with success status on success', async () => { + const { result, waitFor } = renderHook(() => useScheduleRuleRun(), { + wrapper: TestProviders, + }); + + const timeRange = { startDate: moment().subtract(1, 'd'), endDate: moment() }; + mockUseScheduleRuleRunMutation.mockResolvedValueOnce([{ id: 'rule-1' }]); + + act(() => { + result.current.scheduleRuleRun({ ruleIds: ['rule-1'], timeRange }); + }); + + await waitFor(() => { + return mockUseScheduleRuleRunMutation.mock.calls.length > 0; + }); + + expect(mockedUseKibana.services.telemetry.reportManualRuleRunExecute).toHaveBeenCalledWith({ + rangeInMs: timeRange.endDate.diff(timeRange.startDate), + status: 'success', + rulesCount: 1, + }); + }); + + it('should call reportManualRuleRunExecute with error status on failure', async () => { + const { result, waitFor } = renderHook(() => useScheduleRuleRun(), { + wrapper: TestProviders, + }); + + const timeRange = { startDate: moment().subtract(1, 'd'), endDate: moment() }; + mockUseScheduleRuleRunMutation.mockRejectedValueOnce(new Error('Error scheduling rule run')); + + act(() => { + result.current.scheduleRuleRun({ ruleIds: ['rule-1'], timeRange }); + }); + + await waitFor(() => { + return mockUseScheduleRuleRunMutation.mock.calls.length > 0; + }); + + expect(mockedUseKibana.services.telemetry.reportManualRuleRunExecute).toHaveBeenCalledWith({ + rangeInMs: timeRange.endDate.diff(timeRange.startDate), + status: 'error', + rulesCount: 1, + }); + }); }); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.ts index 7c00c4294acdc..7599d8685d3c0 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_gaps/logic/use_schedule_rule_run.ts @@ -7,6 +7,7 @@ import { useCallback } from 'react'; import { useAppToasts } from '../../../common/hooks/use_app_toasts'; +import { useKibana } from '../../../common/lib/kibana'; import { useScheduleRuleRunMutation } from '../api/hooks/use_schedule_rule_run_mutation'; import type { ScheduleBackfillProps } from '../types'; @@ -15,18 +16,29 @@ import * as i18n from '../translations'; export function useScheduleRuleRun() { const { mutateAsync } = useScheduleRuleRunMutation(); const { addError, addSuccess } = useAppToasts(); + const { telemetry } = useKibana().services; const scheduleRuleRun = useCallback( async (options: ScheduleBackfillProps) => { try { const results = await mutateAsync(options); + telemetry.reportManualRuleRunExecute({ + rangeInMs: options.timeRange.endDate.diff(options.timeRange.startDate), + status: 'success', + rulesCount: options.ruleIds.length, + }); addSuccess(i18n.BACKFILL_SCHEDULE_SUCCESS(results.length)); return results; } catch (error) { addError(error, { title: i18n.BACKFILL_SCHEDULE_ERROR_TITLE }); + telemetry.reportManualRuleRunExecute({ + rangeInMs: options.timeRange.endDate.diff(options.timeRange.startDate), + status: 'error', + rulesCount: options.ruleIds.length, + }); } }, - [addError, addSuccess, mutateAsync] + [addError, addSuccess, mutateAsync, telemetry] ); return { scheduleRuleRun }; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/use_bulk_actions.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/use_bulk_actions.tsx index 5ea5d3d456f15..c93e5040d7aca 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/use_bulk_actions.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/bulk_actions/use_bulk_actions.tsx @@ -239,6 +239,9 @@ export const useBulkActions = ({ } const modalManualRuleRunConfirmationResult = await showManualRuleRunConfirmation(); + startServices.telemetry.reportManualRuleRunOpenModal({ + type: 'bulk', + }); if (modalManualRuleRunConfirmationResult === null) { return; } @@ -253,6 +256,14 @@ export const useBulkActions = ({ end_date: modalManualRuleRunConfirmationResult.endDate.toISOString(), }, }); + + startServices.telemetry.reportManualRuleRunExecute({ + rangeInMs: modalManualRuleRunConfirmationResult.endDate.diff( + modalManualRuleRunConfirmationResult.startDate + ), + status: 'success', + rulesCount: enabledIds.length, + }); }; const handleBulkEdit = (bulkEditActionType: BulkActionEditType) => async () => { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/use_rules_table_actions.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/use_rules_table_actions.tsx index 4af2fdd7ef356..984df06342a1a 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/use_rules_table_actions.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/use_rules_table_actions.tsx @@ -36,7 +36,10 @@ export const useRulesTableActions = ({ showManualRuleRunConfirmation: () => Promise; confirmDeletion: () => Promise; }): Array> => { - const { navigateToApp } = useKibana().services.application; + const { + application: { navigateToApp }, + telemetry, + } = useKibana().services; const hasActionsPrivileges = useHasActionsPrivileges(); const { startTransaction } = useStartTransaction(); const { executeBulkAction } = useExecuteBulkAction(); @@ -129,6 +132,9 @@ export const useRulesTableActions = ({ onClick: async (rule: Rule) => { startTransaction({ name: SINGLE_RULE_ACTIONS.MANUAL_RULE_RUN }); const modalManualRuleRunConfirmationResult = await showManualRuleRunConfirmation(); + telemetry.reportManualRuleRunOpenModal({ + type: 'single', + }); if (modalManualRuleRunConfirmationResult === null) { return; } diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.test.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.test.tsx new file mode 100644 index 0000000000000..50c35e7a6e529 --- /dev/null +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.test.tsx @@ -0,0 +1,47 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import React from 'react'; +import { render, screen, fireEvent } from '@testing-library/react'; +import { ExecutionRunTypeFilter } from '.'; +import { RuleRunTypeEnum } from '../../../../../../../common/api/detection_engine/rule_monitoring'; +import { useKibana } from '../../../../../../common/lib/kibana'; + +jest.mock('../../../../../../common/lib/kibana'); + +const mockTelemetry = { + reportEventLogFilterByRunType: jest.fn(), +}; + +const mockUseKibana = useKibana as jest.Mock; + +mockUseKibana.mockReturnValue({ + services: { + telemetry: mockTelemetry, + }, +}); + +const items = [RuleRunTypeEnum.backfill, RuleRunTypeEnum.standard]; + +describe('ExecutionRunTypeFilter', () => { + it('calls telemetry.reportEventLogFilterByRunType on selection change', () => { + const handleChange = jest.fn(); + + render(); + + const select = screen.getByText('Run type'); + fireEvent.click(select); + + const manualRun = screen.getByText('Manual'); + fireEvent.click(manualRun); + + expect(handleChange).toHaveBeenCalledWith([RuleRunTypeEnum.backfill]); + expect(mockTelemetry.reportEventLogFilterByRunType).toHaveBeenCalledWith({ + runType: [RuleRunTypeEnum.backfill], + }); + }); +}); diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.tsx index 773e64e71ffc9..9f144410a7590 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/components/basic/filters/execution_run_type_filter/index.tsx @@ -14,6 +14,7 @@ import { RULE_EXECUTION_TYPE_BACKFILL, RULE_EXECUTION_TYPE_STANDARD, } from '../../../../../../common/translations'; +import { useKibana } from '../../../../../../common/lib/kibana'; interface ExecutionRunTypeFilterProps { items: RuleRunType[]; @@ -26,6 +27,8 @@ const ExecutionRunTypeFilterComponent: React.FC = ( selectedItems, onChange, }) => { + const { telemetry } = useKibana().services; + const renderItem = useCallback((item: RuleRunType) => { if (item === RuleRunTypeEnum.backfill) { return RULE_EXECUTION_TYPE_BACKFILL; @@ -36,13 +39,21 @@ const ExecutionRunTypeFilterComponent: React.FC = ( } }, []); + const handleSelectionChange = useCallback( + (types: RuleRunType[]) => { + onChange(types); + telemetry.reportEventLogFilterByRunType({ runType: types }); + }, + [onChange, telemetry] + ); + return ( dataTestSubj="ExecutionRunTypeFilter" title={i18n.FILTER_TITLE} items={items} selectedItems={selectedItems} - onSelectionChange={onChange} + onSelectionChange={handleSelectionChange} renderItem={renderItem} /> ); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.test.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.test.tsx index 43a9246d8d5c9..298ae1c503533 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.test.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.test.tsx @@ -28,12 +28,17 @@ jest.mock('../../../../detection_engine/rule_management/logic/bulk_actions/use_b jest.mock('../../../../detection_engine/rule_gaps/logic/use_schedule_rule_run'); jest.mock('../../../../common/lib/apm/use_start_transaction'); jest.mock('../../../../common/hooks/use_app_toasts'); +const mockReportManualRuleRunOpenModal = jest.fn(); jest.mock('../../../../common/lib/kibana', () => { const actual = jest.requireActual('../../../../common/lib/kibana'); return { ...actual, useKibana: jest.fn().mockReturnValue({ services: { + telemetry: { + reportManualRuleRunOpenModal: (params: { type: 'single' | 'bulk' }) => + mockReportManualRuleRunOpenModal(params), + }, application: { navigateToApp: jest.fn(), }, @@ -287,5 +292,27 @@ describe('RuleActionsOverflow', () => { expect(getByTestId('rules-details-menu-panel')).not.toHaveTextContent('Manual run'); }); + + test('it calls telemetry.reportManualRuleRunOpenModal when rules-details-manual-rule-run is clicked', async () => { + const { getByTestId } = render( + Promise.resolve(true)} + />, + { wrapper: TestProviders } + ); + fireEvent.click(getByTestId('rules-details-popover-button-icon')); + fireEvent.click(getByTestId('rules-details-manual-rule-run')); + + await waitFor(() => { + expect(mockReportManualRuleRunOpenModal).toHaveBeenCalledWith({ + type: 'single', + }); + }); + }); }); }); diff --git a/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.tsx b/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.tsx index 6ed110483ecc4..f1889efd1a556 100644 --- a/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.tsx +++ b/x-pack/plugins/security_solution/public/detections/components/rules/rule_actions_overflow/index.tsx @@ -68,7 +68,10 @@ const RuleActionsOverflowComponent = ({ confirmDeletion, }: RuleActionsOverflowComponentProps) => { const [isPopoverOpen, , closePopover, togglePopover] = useBoolState(); - const { navigateToApp } = useKibana().services.application; + const { + application: { navigateToApp }, + telemetry, + } = useKibana().services; const { startTransaction } = useStartTransaction(); const { executeBulkAction } = useExecuteBulkAction({ suppressSuccessToast: true }); const { bulkExport } = useBulkExport(); @@ -166,6 +169,9 @@ const RuleActionsOverflowComponent = ({ closePopover(); const modalManualRuleRunConfirmationResult = await showManualRuleRunConfirmation(); + telemetry.reportManualRuleRunOpenModal({ + type: 'single', + }); if (modalManualRuleRunConfirmationResult === null) { return; } @@ -221,6 +227,7 @@ const RuleActionsOverflowComponent = ({ confirmDeletion, scheduleRuleRun, isManualRuleRunEnabled, + telemetry, ] ); From 43058ca97b7518ffe362a67c58981bfff128ccc9 Mon Sep 17 00:00:00 2001 From: Ash <1849116+ashokaditya@users.noreply.github.com> Date: Tue, 2 Jul 2024 23:29:01 +0200 Subject: [PATCH 10/10] [Serverless][SecuritySolution][Endpoint] Update `serverless` tests for scan w.r.to. PLIs (#187376) ## Summary As `scan` response action is categorized now with Endpoint complete PLI include `scan` action in serverless tests using `responseActionScanEnabled` feature flag. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --- .../project_roles/security/roles.yml | 1 + .../serverless/feature_access/complete.cy.ts | 19 ++++++++++++------- .../complete_with_endpoint.cy.ts | 15 +++++++-------- .../feature_access/essentials.cy.ts | 15 +++++++++------ .../essentials_with_endpoint.cy.ts | 15 +++++++++------ .../roles/complete_with_endpoint_roles.cy.ts | 8 +++++++- .../management/cypress/screens/responder.ts | 6 ++---- .../cypress/tasks/response_actions.ts | 6 ++++++ .../es_serverless_resources/roles.yml | 1 + .../endpoint/common/roles_users/t3_analyst.ts | 1 + .../project_controller_security_roles.yml | 1 + 11 files changed, 56 insertions(+), 32 deletions(-) diff --git a/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml index 3c118688f6429..b05bb0de2f2c8 100644 --- a/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml +++ b/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml @@ -289,6 +289,7 @@ t3_analyst: - feature_siem.process_operations_all - feature_siem.actions_log_management_all # Response actions history - feature_siem.file_operations_all + - feature_siem.scan_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_actions.read diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete.cy.ts index 57b2820921dd9..21a7253109d4a 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete.cy.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete.cy.ts @@ -16,7 +16,14 @@ describe( { tags: ['@serverless', '@skipInServerlessMKI'], env: { - ftrConfig: { productTypes: [{ product_line: 'security', product_tier: 'complete' }] }, + ftrConfig: { + productTypes: [{ product_line: 'security', product_tier: 'complete' }], + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'responseActionScanEnabled', + ])}`, + ], + }, }, }, () => { @@ -53,10 +60,9 @@ describe( } // No access to response actions (except `unisolate`) - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); @@ -79,10 +85,9 @@ describe( }); // No access to response actions (except `unisolate`) - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete_with_endpoint.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete_with_endpoint.cy.ts index da17beb14d760..54d5b688aa1d1 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete_with_endpoint.cy.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/complete_with_endpoint.cy.ts @@ -24,6 +24,11 @@ describe( { product_line: 'security', product_tier: 'complete' }, { product_line: 'endpoint', product_tier: 'complete' }, ], + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'responseActionScanEnabled', + ])}`, + ], }, }, }, @@ -47,10 +52,7 @@ describe( }); } - // TODO: update tests when `scan` is included in PLIs - for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - )) { + for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES) { it(`should allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('all', actionName, username, password); }); @@ -73,10 +75,7 @@ describe( }); }); - // TODO: update tests when `scan` is included in PLIs - for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - )) { + for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES) { it(`should allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('all', actionName, username, password); }); diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials.cy.ts index e4388924f05fc..7be22d7e7e5b5 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials.cy.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials.cy.ts @@ -18,6 +18,11 @@ describe( env: { ftrConfig: { productTypes: [{ product_line: 'security', product_tier: 'essentials' }], + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'responseActionScanEnabled', + ])}`, + ], }, }, }, @@ -55,10 +60,9 @@ describe( } // No access to response actions (except `unisolate`) - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); @@ -81,10 +85,9 @@ describe( }); // No access to response actions (except `unisolate`) - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials_with_endpoint.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials_with_endpoint.cy.ts index 4a37f1089e897..a57102e7a2b2c 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials_with_endpoint.cy.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/feature_access/essentials_with_endpoint.cy.ts @@ -24,6 +24,11 @@ describe( { product_line: 'security', product_tier: 'essentials' }, { product_line: 'endpoint', product_tier: 'essentials' }, ], + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'responseActionScanEnabled', + ])}`, + ], }, }, }, @@ -62,10 +67,9 @@ describe( }); } - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); @@ -92,10 +96,9 @@ describe( }); }); - // TODO: update tests when `scan` is included in PLIs for (const actionName of RESPONSE_ACTION_API_COMMANDS_NAMES.filter( - (apiName) => apiName !== 'scan' - ).filter((apiName) => apiName !== 'unisolate')) { + (apiName) => apiName !== 'unisolate' + )) { it(`should not allow access to Response Action: ${actionName}`, () => { ensureResponseActionAuthzAccess('none', actionName, username, password); }); diff --git a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles.cy.ts b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles.cy.ts index 8d2b564e9dd1a..a31ae854aa059 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles.cy.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/e2e/serverless/roles/complete_with_endpoint_roles.cy.ts @@ -40,6 +40,11 @@ describe( { product_line: 'security', product_tier: 'complete' }, { product_line: 'endpoint', product_tier: 'complete' }, ], + kbnServerArgs: [ + `--xpack.securitySolution.enableExperimental=${JSON.stringify([ + 'responseActionScanEnabled', + ])}`, + ], }, }, }, @@ -118,7 +123,8 @@ describe( 'kill-process', 'suspend-process', 'get-file', - 'upload' + 'upload', + 'scan' ); const deniedResponseActions = pick(consoleHelpPanelResponseActionsTestSubj, 'execute'); diff --git a/x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts b/x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts index 7e920772374c5..19a86eb153bc2 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/screens/responder.ts @@ -14,9 +14,8 @@ const TEST_SUBJ = Object.freeze({ actionLogFlyout: 'responderActionLogFlyout', }); -// TODO: 8.15 Include `scan` in return type when responseActionsScanEnabled when `scan` is categorized in PLIs export const getConsoleHelpPanelResponseActionTestSubj = (): Record< - Exclude, + ConsoleResponseActionCommands, string > => { return { @@ -28,8 +27,7 @@ export const getConsoleHelpPanelResponseActionTestSubj = (): Record< 'get-file': 'endpointResponseActionsConsole-commandList-Responseactions-get-file', execute: 'endpointResponseActionsConsole-commandList-Responseactions-execute', upload: 'endpointResponseActionsConsole-commandList-Responseactions-upload', - // TODO: 8.15 Include `scan` in return type when responseActionsScanEnabled when `scan` is categorized in PLIs - // scan: 'endpointResponseActionsConsole-commandList-Responseactions-scan', + scan: 'endpointResponseActionsConsole-commandList-Responseactions-scan', }; }; diff --git a/x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts b/x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts index 488742ac945c8..a55e385b4b1d0 100644 --- a/x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts +++ b/x-pack/plugins/security_solution/public/management/cypress/tasks/response_actions.ts @@ -16,6 +16,7 @@ import { GET_PROCESSES_ROUTE, ISOLATE_HOST_ROUTE_V2, KILL_PROCESS_ROUTE, + SCAN_ROUTE, SUSPEND_PROCESS_ROUTE, UNISOLATE_HOST_ROUTE_V2, UPLOAD_ROUTE, @@ -243,6 +244,11 @@ export const ensureResponseActionAuthzAccess = ( } break; + case 'scan': + url = SCAN_ROUTE; + Object.assign(apiPayload, { parameters: { path: 'scan/two' } }); + break; + default: throw new Error(`Response action [${responseAction}] has no API payload defined`); } diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml index c94d4a9a31d8e..12214295817a5 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml +++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml @@ -311,6 +311,7 @@ t3_analyst: - feature_siem.process_operations_all - feature_siem.actions_log_management_all # Response actions history - feature_siem.file_operations_all + - feature_siem.scan_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_actions.read diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index 304c4e6d744ee..872cb1c352fd3 100644 --- a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -31,6 +31,7 @@ export const getT3Analyst: () => Omit = () => { 'process_operations_all', 'actions_log_management_all', 'file_operations_all', + 'scan_operations_all', ], }, }, diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml index 5f86c7a23ca27..9e1e542df8e87 100644 --- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml +++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml @@ -292,6 +292,7 @@ t3_analyst: - feature_siem.process_operations_all - feature_siem.actions_log_management_all # Response actions history - feature_siem.file_operations_all + - feature_siem.scan_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_actions.read