[TIP] Add to timeline

[PhilippeOberti]

Summary

This PR adds buttons to multiple places in the indicators page, to add a field/value pair to an untitled timeline. This mimics the functionality of the Alerts page. Here are the 3 places the Add to Timeline icon button is added to:

• to every cells in the indicators table
  • the button is only visible if the value in the cell exists (i.e. NOT the empty value -)
  • the button isn't shown on the first Actions column of the table, as this one will have the Investigate in Timeline button handled in a future PR (see this ticket)
• to a new actions column for the indicator flyout table
• to the barchart legend (this implementation slightly differs from the Alerts page, see discussion here)

This PR also cleans up a bit our Storybook stories by extracting some logic out (KibanaContext and SecuritySoluetionContext).

To Do

• add new and update storybook stories
• write unit and e2e tests
• fix type check
• add code documentation
• verify it's ok to export the interface from the timeline plugin

https://github.com/elastic/security-team/issues/4557

Screen.Recording.2022-08-15.at.6.16.12.PM.mov

How/what to test

When clicking on one of the 3 add to timeline buttons, an entry will be added to the untitled timeline (accessible by clicking on the Untitled timeline button at the bottom left of the screen. The timeline should have a new entry, with the indicator field and its value.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)

[lgestc]

Looks good to me overall, the only issue is that column mapping thing I pointed out. Good job:)

[YulNaumenko]

I have an overall question: are there any specific reasons why threat intelligence plugin made the decision to implement own data grid instead of reuse T-Grid which is used by security_solution and observability?

This data grid already contains all the row and bulk actions, which is configurable. For example in SessionsViewComponent:

kibana/x-pack/plugins/security_solution/public/common/components/sessions_viewer/index.tsx

Lines 86 to 99 in 69ef96f

	<StatefulEventsViewer
	pageFilters={sessionsFilter}
	defaultModel={getSessionsDefaultModel(columns, defaultColumns)}
	end={endDate}
	entityType={entityType}
	id={timelineId}
	leadingControlColumns={leadingControlColumns}
	renderCellValue={DefaultCellRenderer}
	rowRenderers={defaultRowRenderers}
	scopeId={SourcererScopeName.default}
	start={startDate}
	unit={unit}
	/>
	</div>

[lgestc]

Hey Yuliia! Well. we did start working on threat intel around july, and I was not aware of TGrid up until the beginning of august, when I stumbled upon it working on adding fields browser to our thing. Shortly after, there was a presentation about it that you made - this is why our current implementation skips the existing API.

One of our primary goals was to kick off the development early, with all of us discovering kibana codebase along the way.
We will surely reuse more code in the future, being more familiar with what is available every day:).

It's just my view, thoughts @maxcold @PhilippeOberti ?

[PhilippeOberti]

I have an overall question: are there any specific reasons why threat intelligence plugin made the decision to implement own data grid instead of reuse T-Grid which is used by security_solution and observability?

hi @YulNaumenko, thanks for the comment!

Our team is pretty new and I'm the freshest of all of us, so my knowledge of the Kibana repo is still very limited 😄
When I started looking at this add to timeline feature I did a naive search throughout the repo for addtotimline and started working on the first thing I found that seemed that it would be working for me.
Like @lgmys said I'm sure we'll be cleaning up things and use the proper ways at a later phase. Actually, do we have documentation on how to use this T-Grid feature? During my investigation I had seen this StatefulEventsViewer using InspectButtonContainer but to be frank I couldn't really understand all the magic that was happening in there 😆

@maxcold do you want me to create a tech debt ticket now or we'll discuss about it in our Tech Planning meeting in a few hours?

[maxcold]

@PhilippeOberti @lgmys let's discuss it in our tech planning, we might want to do an investigation first if TGrid has the right level of abstraction for us as not everything we plan to do with our data grid will work exactly the same as in Alerts, for example, "Investigate in Timeline" we invision differently that it currently works in Alerts

@YulNaumenko thanks a lot for investing your time in reviewing the PR, it's great to have someone with a lot of experience with Kibana dev looking at our code as we are all new to Elastic!
I will add my 5 cents to the TGrid discussion, though everything Philippe and Lukasz wrote is correct.
When we started the UX/UI of our data grid looked quite different from what Alerts have currently, only during the work on 8.4 did we decide to be closer to the experience users have in Alerts. As the team already mentioned we try to reuse the functionality available in security_solution and other plugins related to the Security Solution but for someone who hasn't worked on the security_solution codebase before it's not an easy task to discover and understand bits and pieces that can be reused there.
The particular questions I have when looking at TGrid for the first time (I haven't watched your presentation yet, so maybe some of the questions/concerns I have are answered there):

1. I didn't expect the reusable data grid component living in the Timeline plugin and being called TGrid. Integration with Timeline doesn't seem like smth that defines a data grid as it has a lot of other features like Fields browser, Filter In/Out and integration with KQL in general, sorting, and integration with cases to name a few. The component also has a lot of Alert named components inside, which makes me wonder, if it's coupled to Alerts or if it can be used for any Elastic document, eg. Indicator of Compromise in our case. I totally understand that there is probably a long history behind this component.
2. Related to the first question, is it the right level abstraction for a new experience in Security Solution? Will it enable us to move faster or will it be a blocker if we need to do things a bit differently in the future? Eg. for "Investigate in timeline" we want to bring not the _id: <id of a document> to the Timeline but a more sophisticated query and it is hard to say by looking at the code if it is supported or not
3. On a more conceptual level from my experience large and complex components with a lot of options and settings proved to be less effective than small building blocks. It will always be a question of course how to share smth complex built with these lego blocks and when to reuse this complex thing vs rebuilding from the blocks again and again. There are trade-offs to each approach, we are still figuring out the trade-offs applicable to our team and product
4. And all these questions are very hard to answer for a new team when there is no documentation on a tool or a component. I understand that security_solution plugin moves fast and changes very often, but as it matures I hope we all invest more in the good documentation together

I hope my long comment and newbie feedback on the current component state won't stop you from giving us advice in the future on what is available in security_solution and what can we reuse. As I said in the beginning it is super helpful for us!
We will discuss the usage of TGrid within the team and probably spend a bit more time trying to integrate it into our codebase.

[YulNaumenko]

1. I didn't expect the reusable data grid component living in the Timeline plugin and being called TGrid. Integration with Timeline doesn't seem like smth that defines a data grid as it has a lot of other features like Fields browser, Filter In/Out and integration with KQL in general, sorting, and integration with cases to name a few. The component also has a lot of Alert named components inside, which makes me wonder, if it's coupled to Alerts or if it can be used for any Elastic document, eg. Indicator of Compromise in our case. I totally understand that there is probably a long history behind this component.

@maxcold yes, I agree that TGrid is overloaded with the features. Basically TGrid has two interfaces - the simpler one is for Observability and more feature loaded for Security.
Observability UI:

Security UI:

Another thing about the roadmap for TGrid - together with ResponseOps team we are planning migrate it to the new table currently exposed by triggers_actions_ui plugin. I recommend you take a look (cc @XavierM):

kibana/x-pack/plugins/triggers_actions_ui/public/plugin.ts

Lines 108 to 109 in 2b15e2a

	getAlertsTable: (props: AlertsTableProps) => ReactElement<AlertsTableProps>;
	getAlertsStateTable: (props: AlertsTableStateProps) => ReactElement<AlertsTableStateProps>;

Now you can find the example in Cases UI:

2. Related to the first question, is it the right level abstraction for a new experience in Security Solution?

To be honest - No. And that's why we are working now on the architecture redesign of this component.

Will it enable us to move faster or will it be a blocker if we need to do things a bit differently in the future?

For now it probably could slow you down, but for confirming this assumption I need to know you upcoming requirements and feature on top of the data grid

Eg. for "Investigate in timeline" we want to bring not the _id: <id of a document> to the Timeline but a more sophisticated query and it is hard to say by looking at the code if it is supported or not

We can discuss the details of this requirement.

3. On a more conceptual level from my experience large and complex components with a lot of options and settings proved to be less effective than small building blocks. It will always be a question of course how to share smth complex built with these lego blocks and when to reuse this complex thing vs rebuilding from the blocks again and again. There are trade-offs to each approach, we are still figuring out the trade-offs applicable to our team and product

Agree, but recommend you to review the new table designed by ResponseOps, which I've mentioned above. Again, we have an upcoming changes to simplify and separate TGrid by reusable parts.

4. And all these questions are very hard to answer for a new team when there is no documentation on a tool or a component. I understand that security_solution plugin moves fast and changes very often, but as it matures I hope we all invest more in the good documentation together

Unfortunately this is a known problem. Security teams are working now to make a documentation better and add the visibility over the code base. Please, help us to move this initiative.

I hope my long comment and newbie feedback on the current component state won't stop you from giving us advice in the future on what is available in security_solution and what can we reuse. As I said in the beginning it is super helpful for us! We will discuss the usage of TGrid within the team and probably spend a bit more time trying to integrate it into our codebase.

Please, invite me to the discussion if it makes sense for the team. I'm happy to help. Feel free to reach out with any technical questions you have.

[maxcold]

@YulNaumenko thanks a lot for more context on the TGrid! I created an issue in our backlog to play with TGrid for our Indicators view #138836 (comment), feel free to add any context you think is missing there

For now it probably could slow you down, but for confirming this assumption I need to know you upcoming requirements and feature on top of the data grid

this is a hard part as we don't yet have a long-term vision for our feature, we want to put it out there and get feedback from our users before planning too far ahead. Filtering in/out, sorting and integration with Cases are on our roadmap for sure

We can discuss the details of this requirement.

You can find more details in this issue https://github.com/elastic/security-team/issues/4558

Please, invite me to the discussion if it makes sense for the team. I'm happy to help. Feel free to reach out with any technical questions you have.

We had this discussion last week, where we agreed that we need to investigate TGrid capabilities closer but also decided that it's not a top priority for us right now. We will keep in mind that you are happy to help us with the context on TGrid when we get to building some POC with it

[maxcold]

while this plugin is the only artifact that we own, should we just link to https://docs.elastic.dev/security-solution/protections/protections-experience-team/dev-setup to have one source of truth? (or wise-versa ofc if you think README is a better place )

[PhilippeOberti]

yup I'm ok with that, I'm modifying this README to point to the dev-setup one!

[maxcold]

does it make sense to return early from the component?
smth like

if (!value) { return <></> }

right after getting the value

[PhilippeOberti]

unless I'm mistaken you shouldn't use useMemo (or any other react hooks) conditionally. By that I mean I believe it's not good to have a early return on a component and have a react hook after that. If that is true I don't think you can return this <></> empty component any earlier than it is currently...

Am I mistaken?

[maxcold]

yes you are right, couple of thoughts:

1. one of the reasons I wasn't really sold on the idea of using memorization extensively without clearly measured performance gains was that it comes with a cost, in this case we need to adjust the way we code to the fact that we use hooks. not really specific to useMemo but to all hooks ofc
2. When looking at the component I'm a bit confused with the fact that we wrap the whole component in memo HOC and also use useMemo inside. If the component is wrapped in memo are there gains of using useMemo inside it additionally?
3. initially the usage of EMPTY_VALUE caught my eye. Do we really need this logic of assigning EMPTY_VALUE and then checking against it? We used EMPTY_VALUE as an UI component for an empty cell, I wouldn't introduce it if it doesn't serve the purpose of displaying - somewhere

[PhilippeOberti]

I took the opportunity to read more about useMemo vs React.memo when to use them when to now.
I feel like this addToTimeline component for sure doesn't need to be wrapped by a memo.
Also, I feel like that the use of useMemo inside it is also not providing any positive value (I was doing useMemo on the creation of a basic object, not any complex heavy logic..)

I have removed both of them (to be honest the code was lifted off of a Security Solution component). This allows me like you mentioned to early return if value is undefined.

I will be more careful in the future about when to use vs not to use this. I also ned to learn about performance testing with React!
Thanks for challenging me on this!

[maxcold]

@PhilippeOberti two comments after running the branch locally:

1. there is a small visual improvement we can make - align "expand" and "add to timeline" icons in the data grid

2. I see that "add to timeline" is not available on the Indicator column. My thinking was that we also want to support it for that column, it will just require some custom logic compare to all other columns

[maxcold]

one comment on my comment :)
regarding

I see that "add to timeline" is not available on the Indicator column. My thinking was that we also want to support it for that column, it will just require some custom logic compare to all other columns

I'm also totally ok with having this covered in a separate PR

[YulNaumenko]

On the current stage of the discussion the timelines changes LGTM

[PhilippeOberti]

@PhilippeOberti two comments after running the branch locally:

1. there is a small visual improvement we can make - align "expand" and "add to timeline" icons in the data grid

2. I see that "add to timeline" is not available on the Indicator column. My thinking was that we also want to support it for that column, it will just require some custom logic compare to all other columns

1. Good catch on the alignment of the icon. This is now fixed thank you!

2. For the add to timeline in the Indicator column, I just needed to add some custom logic, wasn't too difficult. It's here if you want to check it out

[maxcold]

should we add some helper function in indicators/lib to get the display_name original field by an IoC type? We will probably need it for other features, eg. for filter in/out

[PhilippeOberti]

I had thought about it but decided against it as it's only a one liner... I will extract it!

[maxcold]

agree, don't have a strong opinion, maybe it's a preemptive optimisation as well :)

[PhilippeOberti]

extracted like we discussed, colocated with the displayValue method

[maxcold]

I think we need to add more test cases to cover the logic for display value

[PhilippeOberti]

good idea! When I first wrote this component it was a lot simpler, but now that it has more logic I need to add more test cases!

[PhilippeOberti]

added! Now supporting:

• good value/field input (both string and Indicator type)
• value is EMPTY_VALUE has input
• calculated value is null
• field doesn't exist in the Indicator
• field exist but has an unknown value (meaning NOT url, file or ip for now)

[maxcold]

I believe this won't work for ip indicator. The type possible values for the IP indicator are ipv4-addr and ipv6-addr. In general, I'd think of how we could avoid having this mapping separate from the logic we have in display_value.ts file. Every time we add support for a new type of indicator we would need to remember to add the mapping here, which is very error prone

[PhilippeOberti]

I know but couldn't find a better way to do this. I stole the logic from here where we return the actual value to display. We have a ruleArray with only 3 options: isIpIndicator, isUrlIndicator and isFileIndicator with the extract method hardcoded. To your knowledge do we have a better solution to do this?

[maxcold]

my main point that the logic in add_to_timeline.tsx

field = indicatorTypeToFieldMap[unwrapValue(data, RawIndicatorFieldId.Type) || ''];

won't even work, because unwrapValue(data, RawIndicatorFieldId.Type) will return ipv4-addr and you don't have a mapping for that. Ofc the simplest would be to add all the possible keys from https://docs.google.com/spreadsheets/d/1oYx9CQodKVmr0OtlJcjm1mNoUBlDcbHai0UYxtP8YzY/edit#gid=1814426429

file
url
email-addr
email (doesn't exist in STIX 2.0)
email-message
domain-name
domain
ipv4-addr
ipv6-addr
x509-certificate
x509 Serial (doesn't exist in STIX 2.0)
windows-registry-key
autonomous-system
suppress (doesn't exist in STIX 2.0)
mac-addr
unknown

to the mapping, but then when a new type is added I'm 99% confident that we won't add it to the mapping until a user complain :)
Let me think on how we could awoid that

[PhilippeOberti]

ok thanks for the pointer, I will spend time thinking about a good way to handle this!

[PhilippeOberti]

for now still with a very basic key-value object, like discussed a cleaner work will be done in this ticket

[maxcold]

unwrapValue can be null, I think that's because you have || '' there but I'd prefer more direct handling of null case. Right now it's a bit unclear what will be rendered if unwrapValue returns null, to me it seems that the component will go in some undefined state

[PhilippeOberti]

good point!

[PhilippeOberti]

this is now handled, along side an EMPTY_VALUE I had forgotten to support and that my newly added unit tests revealed :)

[maxcold]

very weird diff, is it just git incorrectly interpreting it as a rename of the file?

[PhilippeOberti]

yeah for some reason git thinks I've renamed the file. Let me try to delete and recreate it real quick...

[PhilippeOberti]

didn't fix this as I would have had to amend the commit instead of adding a new one...

[maxcold]

I believe ipv4-addr and ipv6-addr should have replaced ip mapping, not the url one

[PhilippeOberti]

🤦

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 98a56c3
• Storybooks Preview

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
threatIntelligence	126	129	+3

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
threatIntelligence	4	3	-1
timelines	340	343	+3
total			+2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
threatIntelligence	62.5KB	63.7KB	+1.2KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
timelines	32	33	+1

Unknown metric groups

API count

id	before	after	diff
timelines	445	449	+4

ESLint disabled line counts

id	before	after	diff
threatIntelligence	12	7	-5

Total ESLint disabled count

id	before	after	diff
threatIntelligence	13	8	-5

History

• 💔 Build #66964 failed 3e25136
• 💚 Build #66739 succeeded a651fa1
• 💚 Build #66681 succeeded c1cbf89
• 💔 Build #66669 failed c3006c0a7abb97a72b5a28466134c7bb1c297c9b
• 💔 Build #66652 failed accaccea624b4e1dd7432d08a1cae914e2fbd87c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)