[RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table #108502
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
</EuiFlexItem> | ||
<EuiFlexItem> | ||
<EuiPopover | ||
id="contextMenuExample" |
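Review bot: `id="contextMenuExample"` reads like a placeholder; if this popover is rendered once per alert row, every row ends up with the same DOM id, which breaks the `aria` associations EUI sets up for the popover and its button. Derive the id from the row, for example from the alert's `kibana.alert.uuid`, so each rendered popover is unique.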
we prob want to change this at some point 😁
const isAlert = useMemo(() => { | ||
if (event !== undefined) { | ||
const data = [...event.data]; | ||
return data.some(({ field }) => field === 'kibana.alert.uuid'); |
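Review bot: the copy in `const data = [...event.data];` is unnecessary, since `Array.prototype.some` does not mutate, and the literal `'kibana.alert.uuid'` should come from the shared constant (`ALERT_UUID` in `@kbn/rule-data-utils`) so a field rename is caught at compile time rather than silently making every row a non-alert. Suggested: `return event.data.some(({ field }) => field === ALERT_UUID);`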
Given all the changes going on, we should use the constant from @kbn/rule-data-utils
notifications: { toasts }, | ||
} = useKibana<TimelinesStartServices>().services; | ||
|
||
const [isPopoverOpen, setIsPopoverOpen] = useState(false); | ||
const openPopover = useCallback(() => setIsPopoverOpen(true), []); | ||
const closePopover = useCallback(() => setIsPopoverOpen(false), []); | ||
const isEventSupported = !isEmpty(ecsRowData.signal?.rule?.id); | ||
const isAlert = useMemo(() => { | ||
if (event !== undefined) { |
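Review bot: `isEventSupported` is derived from `ecsRowData.signal?.rule?.id`, a field observability alerts do not carry, so on the observability table it will be false for every row; confirm that is the intended gate before this ships. Separately, `if (event !== undefined)` does not cover `null`; `if (event != null)` or `event?.data` would handle both.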
could event ever be null?
} | ||
}, [event]); | ||
const isSecurityAlert = useMemo(() => { | ||
return !isEmpty(event?.ecs.signal?.rule?.id); |
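Review bot: `event?.ecs.signal?.rule?.id` guards `event` but not `ecs`, so a row without an `ecs` object throws inside this memo instead of returning false. Use `event?.ecs?.signal?.rule?.id`, and as noted in the earlier comment, prefer the rule producer field over `signal` for deciding whether this is a security alert.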
This won't always be true as `signal` will eventually go away in place of `kibana.alert`. We probably want to check `event?.ecs['ALERT_RULE_PRODUCER']` here. @yctercero or @dhurley14 can confirm
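The producer-based check suggested above, together with a null-safe answer to the "could event ever be null?" question, as an added example written for this page (not code from the PR or from Kibana); the constant values and the `'siem'` producer are assumptions:

```typescript
// Added example, not code from the PR: null-safe classification of an alerts-table
// row. Field names mirror the @kbn/rule-data-utils constants (assumed here), and the
// producer value 'siem' for Security Solution alerts is an assumption.
const ALERT_UUID = 'kibana.alert.uuid';
const ALERT_RULE_PRODUCER = 'kibana.alert.rule.producer';
const SECURITY_PRODUCER = 'siem';

interface TimelineNonEcsData { field: string; value?: string[] | null }
interface Ecs { signal?: { rule?: { id?: string } } }
interface TimelineItem { data: TimelineNonEcsData[]; ecs?: Ecs }

// Look a field up in the row's flattened `data` array; undefined when absent.
// `event?.data` handles both null and undefined, unlike `event !== undefined`.
function getFieldValue(event: TimelineItem | null | undefined, field: string): string | undefined {
  const entry = event?.data?.find((d) => d.field === field);
  return entry?.value?.[0];
}

// A row is an alert when it carries a kibana.alert.uuid (the RAC alert format).
function isAlert(event: TimelineItem | null | undefined): boolean {
  return getFieldValue(event, ALERT_UUID) !== undefined;
}

// Security Solution alerts are recognised by their rule producer, not by the
// legacy `signal` object, which is kept only as a fallback for old documents.
function isSecurityAlert(event: TimelineItem | null | undefined): boolean {
  const producer = getFieldValue(event, ALERT_RULE_PRODUCER);
  if (producer !== undefined) {
    return producer === SECURITY_PRODUCER;
  }
  return Boolean(event?.ecs?.signal?.rule?.id);
}

// Constructed sample rows (not real alert documents) for trying the helpers.
const observabilityRow: TimelineItem = {
  data: [
    { field: ALERT_UUID, value: ['0b1c2d3e-constructed'] },
    { field: ALERT_RULE_PRODUCER, value: ['apm'] },
  ],
};
const securityRow: TimelineItem = {
  data: [
    { field: ALERT_UUID, value: ['4f5a6b7c-constructed'] },
    { field: ALERT_RULE_PRODUCER, value: [SECURITY_PRODUCER] },
  ],
};
const legacySecurityRow: TimelineItem = {
  data: [],
  ecs: { signal: { rule: { id: 'rule-constructed' } } },
};
```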
}); | ||
const caseDetailsUrl = getCaseDetailsUrl({ id }); | ||
const appUrl = getUrlForApp(appId); | ||
const fullCaseUrl = `${appUrl}/cases/${caseDetailsUrl}`; |
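Review bot: `${appUrl}/cases/${caseDetailsUrl}` hard-codes the `/cases/` segment right next to `getCaseDetailsUrl`, the helper that is supposed to own that route, so a route change has to be found in two places; also check that `getCaseDetailsUrl` encodes `id`, otherwise an id with path characters produces a broken link. Prefer one helper in the cases plugin that returns the full path and does the encoding.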
We may run into issues in the future if the url path is ever changed here. We should probably try and still have it all encapsulated as much as possible
props: AddToCaseActionProps, | ||
{ store, storage, setStore }: { store: Store; storage: Storage; setStore: (store: Store) => void } | ||
) => { | ||
let tGridStore = store; |
Can we put this in a util like this to re-use across all these calls?
// Return the existing store, or lazily create one and hand it back to the caller.
const initializeMissingStore = (store, storage, setStore) => {
  let tGridStore = store;
  if (!tGridStore) {
    tGridStore = createStore(initialTGridState, storage);
    setStore(tGridStore);
  }
  return tGridStore;
};
Pulled it down and tested locally and all was working well. Alerts in cases may still be turned off in Observability, detailing why we don't see them in the created case at the moment, but I was able to create a case in Observability successfully. I made some nit comments in the code, but nothing too crazy. Spoke with @kqualters-elastic separately, and we'll address these changes in a follow-up PR. Merging to make sure Observability has time to test it on their end at the start of the week.
@elasticmachine merge upstream
…dd to existing case actions to observability alerts table (elastic#108502) * [RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table * Remove fake data and make features work with observability data format * Remove console.log and unused translations * Remove commented out code * Remove unneeded copy pasta id, create initializeStore function in timelines Co-authored-by: Kibana Machine <[email protected]>
…dd to existing case actions to observability alerts table (#108502) (#108691) * [RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table * Remove fake data and make features work with observability data format * Remove console.log and unused translations * Remove commented out code * Remove unneeded copy pasta id, create initializeStore function in timelines Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
Summary
This PR adds the add to new case and add to existing case actions to the observability alerts table. Some unused code in the observability alerts table is removed, and components refactored to prevent needless re-rendering. Observability alerts do not make as much use of ECS as security solution alerts do, and so some changes were made to pass the entire alert event as props instead of just the ECS fields as before.