[RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table #108502
Conversation
kqualters-elastic
added
release_note:skip
kqualters-elastic
changed the title
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
This looks good! X-Posting for visibility... Not sure if this will be in this PR or not, but bulk menu should also expose all the menu options and avoid nesting. |
| </EuiFlexItem> | ||
| <EuiFlexItem> | ||
| <EuiPopover | ||
| id="contextMenuExample" |
There was a problem hiding this comment.
we prob want to change this at some point 😁
| const isAlert = useMemo(() => { | ||
| if (event !== undefined) { | ||
| const data = [...event.data]; | ||
| return data.some(({ field }) => field === 'kibana.alert.uuid'); |
There was a problem hiding this comment.
Given all the changes going on, we should use the constant from @kbn/rule-data-utils
| notifications: { toasts }, | ||
| } = useKibana<TimelinesStartServices>().services; | ||
|
|
||
| const [isPopoverOpen, setIsPopoverOpen] = useState(false); | ||
| const openPopover = useCallback(() => setIsPopoverOpen(true), []); | ||
| const closePopover = useCallback(() => setIsPopoverOpen(false), []); | ||
| const isEventSupported = !isEmpty(ecsRowData.signal?.rule?.id); | ||
| const isAlert = useMemo(() => { | ||
| if (event !== undefined) { |
There was a problem hiding this comment.
could event ever be null?
| } | ||
| }, [event]); | ||
| const isSecurityAlert = useMemo(() => { | ||
| return !isEmpty(event?.ecs.signal?.rule?.id); |
There was a problem hiding this comment.
This won't always be true as signal will eventually go away in place of kibana.alert. We probably want to check `event?.ecs['ALERT_RULE_PRODUCER'] here. @yctercero or @dhurley14 can confirm
| }); | ||
| const caseDetailsUrl = getCaseDetailsUrl({ id }); | ||
| const appUrl = getUrlForApp(appId); | ||
| const fullCaseUrl = `${appUrl}/cases/${caseDetailsUrl}`; |
There was a problem hiding this comment.
We may run into issues in the future if the url path is ever changed here. We should probably try and still have it all encapsulated as much as possible
| props: AddToCaseActionProps, | ||
| { store, storage, setStore }: { store: Store; storage: Storage; setStore: (store: Store) => void } | ||
| ) => { | ||
| let tGridStore = store; |
There was a problem hiding this comment.
Can we put this in a util like this to re-use across all these calls?
const initializeMissingStore = (store, setStore) => {
let tGridStore = store;
if (!tGridStore) {
tGridStore = createStore(initialTGridState, storage);
setStore(tGridStore);
}
}
There was a problem hiding this comment.
Pulled it down and tested locally and all was working well. Alerts in cases may still turned off in Observability detailing why we don't seem them in the created case at the moment, but I was able to create a case in Observability successfully. I made some nit comments in the code, but nothing too crazy. Spoke with @kqualters-elastic separately, and we'll address these changes in a follow up PR. Merging to make sure Observability has time to test it on their end at the start of the week.
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
Unknown metric groupsAPI count
API count missing comments
Non-exported public API item count
History
To update your PR or re-run it, just comment with: |
…dd to existing case actions to observability alerts table (elastic#108502) * [RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table * Remove fake data and make features work with observability data format * Remove console.log and unused translations * Remove commented out code * Remove unneeded copy pasta id, create initializeStore function in timelines Co-authored-by: Kibana Machine <[email protected]>
…dd to existing case actions to observability alerts table (#108502) (#108691) * [RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table * Remove fake data and make features work with observability data format * Remove console.log and unused translations * Remove commented out code * Remove unneeded copy pasta id, create initializeStore function in timelines Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
Summary
This pr adds the add to new case and add to existing case actions to the observability alerts table. Some unused code in the observability alerts table is removed, and components refactored to prevent needless re-rendering. Observability alerts do not make as much use of ECS as security solution alerts do, and so some changes were made to pass the entire alert event as props instead of just the ECS fields as before.
Checklist
Delete any items that are not applicable to this PR.