[Security Solution] Rule Preview Follow-up #121249
Conversation
@@ -24,7 +24,7 @@ import { ESQuery } from '../../../../../common/typed_json'; | |||
*/ | |||
export const isNoisy = (hits: number, timeframe: Unit): boolean => { | |||
if (timeframe === 'h') { | |||
return hits > 20; | |||
return hits > 1; |
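Review bot: the hourly threshold drops from `hits > 20` to `hits > 1` with no comment recording where the number comes from, and the doc block just above gives no rationale either; add a comment pointing at the product spec (or the thread linked in the discussion) and a unit test for the boundary, since `> 1` means two hits in an hour already count as noisy.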
Is there a reference somewhere that we're using to decide on these noisy thresholds?
Going based off this comment, I think it was the spec in the original feature as well, but we should get product to sign off for sure.
A quick git blame shows the 1-alert-per-hour logic was committed 14 months ago.
errors.push(currentErrors); | ||
} | ||
if (currentWarnings.logs.length > 0) { | ||
warnings.push(currentWarnings); |
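Review bot: the `if (currentWarnings.logs.length > 0)` guard means `warnings` only receives an entry for invocations that actually produced a warning, while `errors` is filled under its own guard, so `errors[i]` and `warnings[i]` no longer describe the same rule execution; suggest emitting one record per invocation that always carries both `errors: []` and `warnings: []`, so consumers can correlate them without guessing.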
Instead of storing the warnings as a separate array where each invocation only has an entry if the invocation generated a warning, it would be nice to return a single array of objects for both errors and warnings where each invocation always has an entry. E.g.
[
{startedAt: 1st date, errors: [], warnings: []},
{startedAt: 2nd date, errors: [your error object here], warnings: []},
...
]
This way we can (1) easily associate errors and warnings that came from the same rule execution, and (2) have a place to add more status information for each invocation in the future.
.map((item) => item.message ?? 'ERROR'), | ||
warnings: warningsAndErrorsStore | ||
.filter( | ||
(item) => | ||
item.newStatus === RuleExecutionStatus['partial failure'] || | ||
item.newStatus === RuleExecutionStatus.warning | ||
) | ||
.map((item) => item.message ?? 'WARNING'), |
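Review bot: the `?? 'ERROR'` and `?? 'WARNING'` fallbacks in the two `.map` calls are user-facing strings that bypass i18n and carry no information about the cause; as the thread suggests, fall back to translated `Unknown error` / `Unknown warning` defaults, and treat any such message showing up in the UI as a signal to find the code path that creates a status entry without a message.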
@marshallmain is there a good default to use for these messages that already exists? Would display when whatever error/warning occurred didn't have an associated message
is it possible to have errors & warnings with no message? that's interesting, I think if that's the case we could probably handle it on the frontend with translated strings
We shouldn't be creating errors or warnings with no message, so ideally we'd enforce that with type checking at some point. For now I think something like `Unknown error` and `Unknown warning` would be reasonable ways to represent it if we do run into that case. And if we see `Unknown` messages in the UI, we should track down where we're creating an error or warning and add a descriptive message.
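The per-invocation structure proposed in the earlier review comment, combined with the `Unknown error` / `Unknown warning` defaults discussed just above, as an added example that is not code from this PR or from Kibana; the `RuleExecutionStatus` values, the `LogItem` shape and the sample entries are assumptions constructed for the example.

```typescript
// Added example, not code from the Kibana PR: groups preview execution-log
// entries per rule invocation so errors and warnings from the same run stay
// together, and fills in a recognisable default when a message is missing.
// RuleExecutionStatus values and LogItem fields are assumptions.

type RuleExecutionStatus = 'succeeded' | 'failed' | 'partial failure' | 'warning' | 'going to run';

interface LogItem {
  startedAt: string;               // ISO timestamp of the invocation (assumed field)
  newStatus: RuleExecutionStatus;
  message?: string;                // may be missing, hence the defaults below
}

interface InvocationStatus {
  startedAt: string;
  errors: string[];
  warnings: string[];
}

const UNKNOWN_ERROR = 'Unknown error';
const UNKNOWN_WARNING = 'Unknown warning';

// One entry per invocation, always carrying both arrays, sorted by start time.
function groupByInvocation(store: LogItem[]): InvocationStatus[] {
  const byStart = new Map<string, InvocationStatus>();
  for (const item of store) {
    let entry = byStart.get(item.startedAt);
    if (!entry) {
      entry = { startedAt: item.startedAt, errors: [], warnings: [] };
      byStart.set(item.startedAt, entry);
    }
    if (item.newStatus === 'failed') {
      entry.errors.push(item.message ?? UNKNOWN_ERROR);
    } else if (item.newStatus === 'partial failure' || item.newStatus === 'warning') {
      entry.warnings.push(item.message ?? UNKNOWN_WARNING);
    }
  }
  return Array.from(byStart.values()).sort((a, b) => a.startedAt.localeCompare(b.startedAt));
}

// True when any default text leaked through: a cue to find the message-less status.
const hasUnknownMessages = (statuses: InvocationStatus[]): boolean =>
  statuses.some((s) => s.errors.includes(UNKNOWN_ERROR) || s.warnings.includes(UNKNOWN_WARNING));

// Constructed sample: three invocations, the last one failing without a message.
const sampleStore: LogItem[] = [
  { startedAt: '2021-12-14T10:00:00Z', newStatus: 'succeeded' },
  { startedAt: '2021-12-14T11:00:00Z', newStatus: 'failed', message: 'Bulk indexing failed' },
  { startedAt: '2021-12-14T11:00:00Z', newStatus: 'warning', message: 'Index pattern missing' },
  { startedAt: '2021-12-14T12:00:00Z', newStatus: 'failed' },
];
```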
isError ? i18n.QUERY_PREVIEW_SEE_ALL_ERRORS : i18n.QUERY_PREVIEW_SEE_ALL_WARNINGS | ||
} | ||
> | ||
{restOfLogs.map((log, key) => ( |
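Review bot: `restOfLogs.map((log, key) => (` names the array index `key`, which suggests it is about to be used as the React `key` prop; since these logs have no identifier added by the reducer, an index key will cause stale rendering when entries are prepended or removed, so derive a stable key from the log itself (for example its start timestamp combined with the message) rather than the position.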
do the logs have a key defined? I thought the reducer above didn't actually add any keys
@elasticmachine merge upstream
💚 Build Succeeded
To update your PR or re-run it, just comment with: cc @dplumlee
The following labels were identified as gaps in your version labels and will be added automatically:
If any of these should not be on your pull request, please manually remove them.
💔 Backport failed
The backport operation could not be completed due to the following error: You can specify it via either:
The backport PRs will be merged automatically after passing CI. To backport manually run:
Summary
Follow-up to #116374.
Screenshots
Checklist
Delete any items that are not applicable to this PR.
For maintainers