-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Actions] System actions #160367
Comments
Pinging @elastic/response-ops (Team:ResponseOps) |
Any chance we can leverage the internal implementation of Are these space agnostic? Perhaps they wouldn't be visible in a space due to RBAC, but otherwise are available in every space? I'm not sure "no config and no secrets" is a must here. I don't see much of a need for secrets, but config would be a nice way to parameterize multiple system actions with one connector type.
These seem to contradict each other. If they can use the execute API, not clear why you can't test from the UI, which is all that does. |
I am not very familiar with the framework, but I think it is possible. I like the idea. It will make the code easier. Any suggestion for the naming? I think we should rename
Yes, they will be available in every space. How preconfigured connectors work? Are available in all spaces?
Multiple system connectors of the same action type will not be allowed. There will always be one connector for each type. For example, only one case connector will be available. Users will not be able to create a connector from the UI or the HTTP API. I can see a scenario where this unique connector needs to be parameterized based on some configuration specific to the deployment (
Maybe we can let the user test the connector from the UI but as system connectors do not have any form (they cannot be created from the UI) we should only show the testing tab in the UI. |
## Summary This PR introduces the `isSystemAction: boolean` to the `ActionResult` type. It also, adds the same to the `ActionType` type. I added validation to verify that system actions cannot be registered at the moment. More PRs are going to follow to incrementally build the feature. Related: #160367 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Kibana Machine <[email protected]>
Hey, great to see progress with system actions, I am very excited about this functionality ❤️ I have some questions, to make sure we could easily migrate current 'response actions'.
Thanks in advance for the answers. Trying to address some issues as soon as possible :) |
Thank you @tomsonpl for the feedback! I also am very excited about this. I hope it will meet your needs. The system actions will be supported by the actions' framework meaning that all functionalities of the framework will be used by the system actions out of the box. Any diverge from the framework is mentioned in this issue.
The actions framework does the appropriate permissions/license checks for all actions/connectors before executing. The same will apply to the system actions.
System actions, using connector adapters (see Action parameters section), will be able to define how the actions will behave. For example, you can define if you want the system action to be triggered with a summarization of alerts found in the last query or if you want the action to be triggered for each alert found. The configuration will be hidden by the users and they will not be able to change it. Based on the alert data the system action can decide how to proceed. As I am not familiar with the internals of the OsQuery and Endpoint actions I would like to discuss it more offline to be sure that our implementation takes care of your needs. cc @patrykkopycinski
Yes, the behavior will be the same for system actions as with the "normal" connectors. |
We decided for the MVP that system actions will always run with a summarization of the alerts. This behavior cannot be configured by connector adapters. Also, connector adapters will only be available for system actions. I updated the issue accordingly. |
A few questions from a UI standpoint:
I wasn't clear what 'logging' meant here? If system actions are classified as those not needing configuration, what happens if I select Osquery or run ML job, and I don't have any setup? Do we need to account for jumping off into that flow? (Sounded like a no on this last question based on your previous comments) Do we have a sense of what choices are required to run an ML job? Are there more options needed than just picking the job? Am I selecting anything from the alert context? (maybe that wouldn't make sense, but just curious how much we need to account for in the UI) Here's a screen-smash dropping Osquery form into our action block (and removing the action frequency and connector option. Does this (roughly) align with our thinking on how these should be presented alongside the connector actions? |
I'd prefer the second approach, and I'd even question whether we need the "System" badge. The user shouldn't need to care if there's a connector involved, they just want to see a list of icons with stuff they can do. Whether something is a "system action" or "connector action" is purely our concern as developers. See the example of the Log connector, which the user should never need to care about. |
From the user perspective, the difference is that they cannot create, edit, or see the connector on the connectors page. If there is no separation at all (even with a badge) users may wonder why they cannot see the system connectors or create them and get confused. |
Fix: #170097 Meta: #160367 ## Summary This PR enables system actions for the Bulk Disable Rule API. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Fix: #170097 Meta: #160367 ## Summary This PR enables system actions for the Bulk Enable Rule API. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
Fix: #170392 Meta: #160367 ## Summary This PR enables system actions for the Bulk Delete Rule API. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@cnasikas We're preparing to merge the feature branch containing the system actions framework. Note that this will not ship any actual system actions, just the framework for them. I understand the first planned system action is the Case Connector. Is this feature being tracked in #94498, or is there a new issue for implementation? I'd like to close this issue when the feature branch merges, but I want to make sure the next steps are being tracked. |
This is exciting 🥇 |
## Summary A system action is an action that triggers Kibana workflows—for example, creating a case, running an OsQuery, running an ML job, or logging. In this PR: - Enable rule routes to accept system actions. The schema of the action is not changed. The framework deducts which action is a system action automatically. System actions do not accept properties like the `notifyWhen` or `group`. - Enable rule client methods to accept system actions. The methods accept a new property called `systemActions`. The methods merge the actions with the system actions before persisting the rule to ES. The methods split the actions from the system actions and return two arrays, `actions` and `systemActions`. - Introduce connector adapters: a way to transform the action params to the corresponding connector params. - Allow the execution of system actions. Only alert summaries are supported. Users cannot control the execution of system actions. - Register an example system action. - Change the UI to handle system action. All configuration regarding execution like "Run when" is hidden for system actions. Users cannot select the same system action twice. Closes #160367 This PR merges the system actions framework, a culmination of several issues merged to the `system_actions_mvp` feature branch over the past several months. ## Testing A system action with ID `system-connector-.system-log-example` will be available to be used by the APIs and the UI if you start Kibana with `--run-examples`. Please ensure the following: - You can create and update rules with actions and system actions. - A rule with actions and system actions is executed as expected. - Entries about the system action execution are added to the event log as expected. - Existing rules with actions work without issues (BWC). - You can perform bulk actions in the rules table to rules with actions and system actions. - License restrictions are respected. - Permission restrictions are respected. - Disabled system actions cannot be used. - Users cannot specify how the system action will run in the UI and the API. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [x] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) --------- Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Julia <[email protected]> Co-authored-by: Zacqary Xeper <[email protected]> Co-authored-by: Zacqary Adam Xeper <[email protected]> Co-authored-by: Ying Mao <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]>
Summary
Actions can be executed by rules when alerts are triggered. A user, at the creation of a rule, can define which actions will be executed. To define actions, users need to create connectors. Connectors contain information needed by the actions to execute. For example, they can contain credentials, instance URLs, or configuration options. Usually, connectors are used to communicate with external services like PagerDuty or ServiceNow. Automated actions like opening a case or running an OsQuery do not need any configuration. This document explores ways of supporting these kinds of actions in the actions’ framework. From now on they will be referred to as system actions.
High-level solution
A system action is an action that triggers Kibana workflows. For example, creating a case, running an OsQuery, running an ML job, or logging. System actions will be defined by developers with the use of the existing actions’ framework. By using the existing actions framework, system actions will get all features supported by the framework like retries, using the task manager, conditional actions, etc.
Registration
Solutions should be able to register their system action the same way they register action types through the actions registry. The definition of the system action will be almost identical to the actions. The key differences are:
isSystemAction
must be set to truerequiredPrivileges
should be defined if authentication is needed (See RBAC section)SavedObjects
System actions will not be persisted as a saved object as they do not have any configuration or secrets. As a consequence, all features supported by saved objects will not be available to system actions. For example, exporting/importing a system action will not be supported. A system action will be represented as a JS object by the actions’ framework. The object will have the same attributes as the actions’ saved object. Attributes, like the config and secrets, that are not needed by the system actions will default to empty values. This will simplify the actions’ framework and reduce the development effort.
The JS object will be loaded in memory at Kibana startup and it will live during the lifecycle of Kibana. The ID of a system action will be generated by the framework automatically and deterministically based on the actionTypeId for all Kibana nodes. The ID will never change during the lifecycle of Kibana and it will be the same between Kibana restarts.
APIs
Users will not be able to create, update, delete, and execute a system action through the APIs. The system actions will not be returned from the Get all connectors API, and the Get connector API and the system connector types will not be returned from the List connector types API.
Preconfigured connectors
Users will not be able to define system actions as preconfigured connectors. The action’s framework will throw an error on such an attempt.
Spaces
As with preconfigured connectors, the system actions will be space-agnostic. There is no need to create one connector for each space.
RBAC
It is possible for system actions to use kibana features that need their own authorization. For example, to use the case action the user needs to have “All” access to Cases to be able to create a case automatically. The actions framework will perform all the needed authorization checks on behalf of the system actions. Creators of system action will have to define a list of the Kibana privileges required by the system action with the use of
security.authz.actions.*.get(...)
. For example, for the case actionsecurity.auth.actions.cases.get(‘case_owner’, ‘case_operation’)
and for access to a specific saved objectsecurity.auth.actions.savedObject.get(‘my_so_object’,’my_operation’)
.Regarding the UI, a user that does not have access to the feature privilege should not be able to view and select the system action when creating a rule. For example, if a user does not have access to Cases, they should not be able to select the case system action to automatically create cases even if she has permission to create rules.
Alerts
System actions, like the case action, may need information about the alerts generated by the rule. The framework should provide the alert IDs and indices to the system action through the executor function.
Execution
To preserve the stability of the system, users should not be able to configure the system action execution configuration (action parameters) through the Rules APIs, nor should they be able to modify it through UI forms. The alerting framework should dictate how the system actions will be executed. A system action will not have a group, a frequency, or an alertFilter. The only available and required properties will be
id
andparams
.Action parameters
Usually users, with mustache templating through rule forms, pass certain parameters to the actions. System actions require certain data like a summarization of alerts, information about the rule, etc. To avoid setting them behind the scenes in the UI when configuring a rule and being part of rules’ action parameters and to keep the actions framework agnostic of the implementation details of the alerting framework and vice-versa, we will introduce Connector Adapters. With connector adapters action parameters set in the rule and parameters required by the system action can be different. A connector adapter, specified for a specific connector type, can build extra parameters, required by the connector, based on the rule parameters and extra metadata passed to it like the alerts or the rule.
The alerting framework will expose a registry to allow connectors to register their execution configuration.
PoC: #159866
Schema of actions in the rule
In the rules client (domain layer), a new attribute will be introduced called systemActions, which will aid the methods of the client to handle system actions. The scheme of the system action will be:
The systemActions attribute will not be persisted to ES. All methods of the rules’ client will merge the default actions with the system actions before saving the rule. Also, they will split up the actions after they get any rule SO.
All rules APIs will not accept the systemActions in their requests. The system will deduct if an action is a system action automatically using the actions’ client. As system actions are not allowed to have a group, the property will be optional (at the moment it is required) in all APIs. The APIs will convert the actions to the schema needed by the rules client. Finally, the APIs will merge the system actions with the default actions before sending the response back to the client.
UI
Connectors
System actions do not require a configuration. For that reason, users will not be able to create or test system connectors from the UI. Also, the system actions will not be shown in the connector’s list on the connector’s page.
Rules
Users will be able to select a system action when creating a rule. The system actions will be shown in the same list as the other action types, and the users will not be able to select a system action twice. As with actions, the system actions will have to provide a React component to allow users to provide parameters for the system action, usually with the use of a form.
Tasks
isSystemAction
property to actions #160753)actionTypeRegistry
([Actions] Set system actions on Kibana start #160983)GET
APIs #161845)kibana.yml
([Actions] System actions enhancements #161340)Feature branch: #166267
Related: #155644, #70303, https://github.com/elastic/security-team/issues/6475, https://github.com/elastic/security-team/issues/5849, https://github.com/elastic/security-team/issues/6200, #153837
The text was updated successfully, but these errors were encountered: