[CTI] updates Alert Summary UI #107081
[CTI] updates Alert Summary UI #107081
Conversation
ecezalp
added
auto-backport
|
@elasticmachine merge upstream |
x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
Show resolved
Hide resolved
| @@ -81,11 +86,20 @@ const EnrichmentDescription: React.FC<ThreatSummaryItem['description']> = ({ | |||
| </RightMargin> | |||
| </> | |||
| )} | |||
| <ActionCell | |||
| data={(data ?? { field: fieldName }) as EventFieldsData} | |||
There was a problem hiding this comment.
Can we simply build an appropriate EventFieldsData from the existing parameters and what we know about these fields? I suspect that we don't need to pass data through all these layers like this.
There was a problem hiding this comment.
I am seeking @angorayc's guidance on how to approach this piece as I haven't been able to find an implementation that utilizes EventFieldsData type (with no casting)
There was a problem hiding this comment.
It might be simplest to "flatten" ActionCell's props to just what it needs; it looks like only a few properties from EventFieldsData are used in there (field, type, value, isObjectArray, and format), and some of those may be optional .
...urity_solution/public/common/components/event_details/table/use_action_cell_data_provider.ts
Outdated
Show resolved
Hide resolved
...security_solution/public/common/components/event_details/cti_details/threat_details_view.tsx
Show resolved
Hide resolved
|
@ecezalp some design feedback for the actions in the summary tab. Please let us know what you think! In order to to avoid the awkward wrapping of the action cell when a field values wraps to two or more lines, design is proposing this new behavior:
This way, the action cell is clearly associated with the hovered over value and has a consistnet behavior on how it appears. hover.gif.mov
cc: @yiyangliu9286 |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@monina-n @yiyangliu9286 please find the new screenshots where the icons are always in a single line
|
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
Approving! Layout looks good, behavior seems good. A few points to address before merging:
- There's some dead code; just a few lines that could be cleaned up
- I had nits/questions about some hardcoded widths/heights
- Having to thread through a parallel, redundant set of data for these action fields isn't great
- Not a requirement here, but a better approach might be to pass e.g. a
buildActionsfunction prop toThreatSummaryViewor some other kind of control inversion
- Not a requirement here, but a better approach might be to pass e.g. a
One other UX concern: the interaction on hover isn't nice: you have to hover the blank area to the right of a field's value to see the actions available; hovering anywhere else has no effect. This is bad enough that I would consider it a bug.
| @@ -6,15 +6,19 @@ | |||
| */ | |||
|
|
|||
| import styled from 'styled-components'; | |||
| import React from 'react'; | |||
| import { get } from 'lodash/fp'; | |||
There was a problem hiding this comment.
Was there a reason for preferring the FP version of this function?
There was a problem hiding this comment.
no reason - updated to lodash
...security_solution/public/common/components/event_details/cti_details/threat_summary_view.tsx
Show resolved
Hide resolved
| @@ -50,22 +56,23 @@ const EnrichmentTitle: React.FC<ThreatSummaryItem['title']> = ({ title, type }) | |||
| const EnrichmentDescription: React.FC<ThreatSummaryItem['description']> = ({ | |||
| timelineId, | |||
| eventId, | |||
| fieldName, | |||
There was a problem hiding this comment.
We're still generating this value in buildThreatSummaryItems, but it's now unused.
There was a problem hiding this comment.
thanks for the catch! removed fieldName from ThreatSummaryItem type
| @@ -213,7 +219,7 @@ export const getSummaryColumns = ( | |||
| field: 'title', | |||
| truncateText: false, | |||
| render: getTitle, | |||
| width: '33%', | |||
| width: '220px', | |||
There was a problem hiding this comment.
Is there significance to this value? Was this specified by design, or is this intended to be more dynamic than fixed?
There was a problem hiding this comment.
there is no particular significance, it is to ensure that the indentation is fixed. Previously this value was 160px for both AlertSummary and ThreatSummary items. Recently it was changed to 33% for AlertSummary only. To ensure the consistency between AlertSummary and ThreatSummary values, a change needed to be made. Viewing the designs, I thought that a fixed 220px was good to go. We can get confirmation from @yiyangliu9286 for this one.
There was a problem hiding this comment.
For the design changes in 7.15, we made the "value" field indent 8px from each section header since we have added the section header in 7.15, so which setting that allows the "value" field to be indented at the right position will work here.
| @@ -40,6 +40,7 @@ export const AdditionalContent = styled.div` | |||
| AdditionalContent.displayName = 'AdditionalContent'; | |||
|
|
|||
| const StyledHoverActionsContainer = styled.div<{ $showTopN: boolean; $showOwnFocus: boolean }>` | |||
| min-width: 138px; | |||
There was a problem hiding this comment.
Ditto on questioning the magic number here
There was a problem hiding this comment.
This was to ensure that the Icon Row never wraps as per Monina's request here
| @@ -196,9 +198,13 @@ export const onEventDetailsTabKeyPressed = ({ | |||
| } | |||
| }; | |||
|
|
|||
| const StyledH5 = styled.h5` | |||
| line-height: 1.7rem; | |||
There was a problem hiding this comment.
Is the intention here to give more spacing between table rows? If so, should this be applied to StyledEuiInMemoryTable so that all rows are at least a min height?
There was a problem hiding this comment.
yeah so this is a good question - previously the table in Alert Summary tab and the table in Threat Intel tab had the same line height, and at a certain point they went out of sync. I looked through the changes and I was unable to identify how this change took place (didn't see any CSS associated with the change, and the tables are the same, with the same compressed prop that makes the rows closer to each other) - it could be that the ActionCell component is enlarging the row height in the Alert Summary tab now that I think about it. I added this explicit line height to ensure that all rows have the same line height.
removed, thanks for noticing!
looped in Yiyang for the column one to get the desired indentation percentage / value, answered the other two questions with no code changes, please let me know if further changes would be desired
leaving this for now, will come back at the end of sprint if there is any spare time remaining
@monina-n @yiyangliu9286 can provide more insight on this one, I am happy to implement any other changes as desired |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @ecezalp |
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
Co-authored-by: Ece Özalp <[email protected]>
|
hey @ecezalp! sorry for the late response. in terms of a response to:
I couldn't tell from the screenshots, but the user should be able to hover over the field itself to reveal the hover action menu, not just over the space where the hover action menu is itself. I think if it appears when a user hovers on both areas (above the value and above where the action menu appears), that should work |
according to our slack conversation, @angorayc will be taking care of this feature as a part of her UX changes. Thanks for bringing it up! |
|
wip #108192 |
Summary
indicator match rule with multiple imphash hits
custom query rule with small browser window
small browser window (hidden icons)
Checklist
Delete any items that are not applicable to this PR.