Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Rule Preview Follow-up #121249

Merged
merged 11 commits into from
Jan 6, 2022

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Dec 14, 2021

Summary

Follow-up to #116374.

  • Changes the API response for the rule preview to include more in depth errors/warnings
  • Changes the error/warning display to be more readable for users
  • Fixes bug caused by preview not being disabled when ML job wasn't running
  • Addresses comments from previous PR
  • Fixes [Security Solution][Detections] No results in Rule Preview #119098

Screenshots

Screen Shot 2021-12-16 at 3 51 57 PM

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Feature:Detection Rule Preview Security Solution Detection Rule Preview feature Team:Detection Alerts Security Detection Alerts Area Team labels Dec 14, 2021
@dplumlee dplumlee self-assigned this Dec 14, 2021
@dplumlee dplumlee marked this pull request as ready for review December 16, 2021 20:57
@dplumlee dplumlee requested a review from a team as a code owner December 16, 2021 20:57
@dplumlee dplumlee requested review from marshallmain and a team December 16, 2021 20:58
@dplumlee dplumlee force-pushed the rule-preview-followup branch from 2771fc3 to 2a8cdbe Compare December 16, 2021 20:59
@dplumlee dplumlee requested a review from ecezalp December 17, 2021 18:59
@@ -24,7 +24,7 @@ import { ESQuery } from '../../../../../common/typed_json';
*/
export const isNoisy = (hits: number, timeframe: Unit): boolean => {
if (timeframe === 'h') {
return hits > 20;
return hits > 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reference somewhere that we're using to decide on these noisy thresholds?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Going based off this comment, I think it was the spec in the original feature as well but we should get product to sign off for certain sure

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a quick git blame show the 1 alert per hour logic committed 14 months ago

errors.push(currentErrors);
}
if (currentWarnings.logs.length > 0) {
warnings.push(currentWarnings);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of storing the warnings as a separate array where each invocation only has an entry if the invocation generated a warning, it would be nice to return a single array of objects for both errors and warnings where each invocation always has an entry. E.g.

[
  {startedAt: 1st date, errors: [], warnings: []}, 
  {startedAt: 2nd date, errors: [your error object here], warnings: []},
  ...
]

This way we can (1) easily associated errors and warnings that came from the same rule execution, and (2) we have a place to add more status information for each invocation in the future.

Comment on lines 196 to 203
.map((item) => item.message ?? 'ERROR'),
warnings: warningsAndErrorsStore
.filter(
(item) =>
item.newStatus === RuleExecutionStatus['partial failure'] ||
item.newStatus === RuleExecutionStatus.warning
)
.map((item) => item.message ?? 'WARNING'),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marshallmain is there a good default to use for these messages that already exists? Would display when whatever error/warning occurred didn't have an associated message

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to have errors & warnings with no message? that's interesting, I think if that's the case we could probably handle it on the frontend with translated strings

Copy link
Contributor

@marshallmain marshallmain Jan 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We shouldn't be creating errors or warnings with no message, so ideally we'd enforce that with type checking at some point. For now I think something like Unknown error and Unknown warning would be reasonable ways to represent it if we do run into that case. And if we see Unknown messages in the UI, we should track down where we're creating an error or warning and add a descriptive message.

@@ -24,7 +24,7 @@ import { ESQuery } from '../../../../../common/typed_json';
*/
export const isNoisy = (hits: number, timeframe: Unit): boolean => {
if (timeframe === 'h') {
return hits > 20;
return hits > 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a quick git blame show the 1 alert per hour logic committed 14 months ago

Comment on lines 196 to 203
.map((item) => item.message ?? 'ERROR'),
warnings: warningsAndErrorsStore
.filter(
(item) =>
item.newStatus === RuleExecutionStatus['partial failure'] ||
item.newStatus === RuleExecutionStatus.warning
)
.map((item) => item.message ?? 'WARNING'),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it possible to have errors & warnings with no message? that's interesting, I think if that's the case we could probably handle it on the frontend with translated strings

isError ? i18n.QUERY_PREVIEW_SEE_ALL_ERRORS : i18n.QUERY_PREVIEW_SEE_ALL_WARNINGS
}
>
{restOfLogs.map((log, key) => (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do the logs have a key defined? I thought the reducer above didn't actually add any keys

@ecezalp
Copy link
Contributor

ecezalp commented Dec 29, 2021

@elasticmachine merge upstream

@marshallmain marshallmain dismissed their stale review January 4, 2022 23:15

API changes made

@dplumlee dplumlee force-pushed the rule-preview-followup branch from 914f71e to 465e598 Compare January 5, 2022 17:38
@dplumlee dplumlee force-pushed the rule-preview-followup branch from 465e598 to 7199078 Compare January 5, 2022 17:39
@marshallmain
Copy link
Contributor

1 remaining bug I found: timestamps are no longer appearing with each warning/error message.
image
image

@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 4.6MB 4.6MB +1.1KB
Unknown metric groups

ESLint disabled line counts

id before after diff
securitySolution 455 454 -1

Total ESLint disabled count

id before after diff
securitySolution 522 521 -1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dplumlee

@dplumlee dplumlee merged commit 6dc463d into elastic:main Jan 6, 2022
@dplumlee dplumlee added the auto-backport Deprecated - use backport:version if exact versions are needed label Jan 6, 2022
@kibanamachine
Copy link
Contributor

The following labels were identified as gaps in your version labels and will be added automatically:

  • v8.1.0

If any of these should not be on your pull request, please manually remove them.

@kibanamachine
Copy link
Contributor

💔 Backport failed

The backport operation could not be completed due to the following error:
You must specify a valid Github repository

You can specify it via either:

The backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 121249

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed bug Fixes for quality problems that affect the customer experience Feature:Detection Rule Preview Security Solution Detection Rule Preview feature release_note:skip Skip the PR/issue when compiling release notes Team:Detection Alerts Security Detection Alerts Area Team v8.0.0 v8.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security Solution][Detections] No results in Rule Preview
5 participants