Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Exceptions] Rule exceptions TTL - Expiration #145180

Merged
merged 38 commits into from
Feb 7, 2023
Merged

[Security Solution][Exceptions] Rule exceptions TTL - Expiration #145180

merged 38 commits into from
Feb 7, 2023

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Nov 14, 2022
edited
Loading

Summary

Overview

Adds rule exception expiration component and related fields to Exceptions feature. Allows a user to set/edit an exception to run until a specific datetime is reached. It also updates certain orthogonal features/api's such as exporting exceptions to utilize the new expiration functionality.

Exceptions List Export

Users are able to select if they want to include expired exceptions when exporting their exception lists via a confirm modal on the lists and list details pages

Screenshots

Screen Shot 2022-11-15 at 11 45 12 PM

Screen Shot 2022-11-15 at 11 45 19 PM

Exceptions List

Screen Shot 2022-12-08 at 12 57 57 PM

Exporting Exceptions

Screen Shot 2023-01-04 at 4 07 40 PM

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dplumlee dplumlee added Team:Detections and Resp Security Detection Response Team release_note:feature Makes this part of the condensed release notes Team:Detection Alerts Security Detection Alerts Area Team v8.7.0 labels Nov 14, 2022
@dplumlee dplumlee self-assigned this Nov 14, 2022
@dplumlee dplumlee force-pushed the exceptions-ttl-expire branch from f45ba09 to 6aa07f7 Compare November 16, 2022 04:48
@dplumlee dplumlee force-pushed the exceptions-ttl-expire branch 3 times, most recently from f2eddb2 to 7c778d2 Compare December 15, 2022 05:02
@dplumlee dplumlee force-pushed the exceptions-ttl-expire branch from 4b27d54 to 43d0e4f Compare January 4, 2023 22:36
@dplumlee dplumlee marked this pull request as ready for review January 5, 2023 17:55
@dplumlee
Copy link
Contributor Author

@elasticmachine merge upstream

2 similar comments
@dplumlee
Copy link
Contributor Author

@elasticmachine merge upstream

@dplumlee
Copy link
Contributor Author

dplumlee commented Feb 2, 2023

@elasticmachine merge upstream

@dplumlee dplumlee force-pushed the exceptions-ttl-expire branch from b96d875 to 740be6e Compare February 6, 2023 17:32
WafaaNasr
WafaaNasr reviewed Feb 6, 2023
View reviewed changes
Copy link
Contributor

@WafaaNasr WafaaNasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dplumlee it is minor, just some UI points, I just noticed.

  1. Can we adjust the alignment of the items align-items: center; } so they can on the same line

image

  1. I am not sure why we have many spaces here, if we can reduce them that will be great

image

kqualters-elastic
kqualters-elastic approved these changes Feb 6, 2023
View reviewed changes
Copy link
Contributor

@kqualters-elastic kqualters-elastic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

threat hunting changes lgtm 👍

dhurley14
dhurley14 approved these changes Feb 6, 2023
View reviewed changes
Copy link
Contributor

@dhurley14 dhurley14 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM just some small changes and ++ to what @WafaaNasr has commented on. Otherwise this looks great!

packages/kbn-securitysolution-io-ts-list-types/src/common/expire_time/index.ts Outdated Show resolved Hide resolved
...ity_solution/public/detection_engine/rule_exceptions/components/exception_item_card/meta.tsx
Comment on lines +54 to +57
const isExpired = useMemo(
() => (item.expire_time ? new Date(item.expire_time) <= new Date() : false),
[item]
);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we import this function from your changes here?

packages/kbn-securitysolution-exception-list-components/src/exception_item_card/meta/index.tsx

marshallmain
marshallmain reviewed Feb 7, 2023
View reviewed changes
Copy link
Contributor

@marshallmain marshallmain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add rule execution tests to verify that exceptions with an expiration date affect the created alerts as expected. I.e. unexpired exceptions are applied and expired exceptions are not applied at rule execution time. This can be done with rule preview instead of real executions to make the tests faster.

x-pack/plugins/lists/server/services/exception_lists/build_exception_filter.test.ts Outdated Show resolved Hide resolved
@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Security Solution Tests #3 / Inspect Network stats and tables "after each" hook for "inspects the Top DNS Domains Table"
  • [job] [logs] Security Solution Tests #3 / Inspect Network stats and tables inspects the Top DNS Domains Table

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
lists 251 253 +2
securitySolution 3711 3716 +5
total +7

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/securitysolution-io-ts-list-types 498 503 +5
@kbn/securitysolution-list-utils 155 159 +4
total +9

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
lists 152.1KB 152.3KB +231.0B
securitySolution 13.8MB 13.8MB +30.7KB
total +31.0KB

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/saved-objects-service.html#_mappings

id before after diff
exception-list 41 42 +1
exception-list-agnostic 41 42 +1
total +2
Unknown metric groups

API count

id before after diff
@kbn/securitysolution-io-ts-list-types 511 516 +5
@kbn/securitysolution-list-utils 202 206 +4
lists 206 208 +2
total +11

ESLint disabled in files

id before after diff
@kbn/securitysolution-io-ts-list-types 14 15 +1

Total ESLint disabled count

id before after diff
@kbn/securitysolution-io-ts-list-types 14 15 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dplumlee

@dplumlee dplumlee merged commit 92a1689 into elastic:main Feb 7, 2023
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Feb 7, 2023
jloleysens added a commit to jloleysens/kibana that referenced this pull request Feb 8, 2023
@jloleysens
Merge branch 'main' into compatible-schema-change-check
0a185eb 
* main: (187 commits)
  [APM] Removing the icon for tech preview and fixing some of the alert badges (elastic#150528)
  [Cloud Posture][Bug]added fix for resource tab + small css fix on CSPM onboarding (elastic#149997)
  Making maxTransactionGroupsExceeded false by default (elastic#150458)
  [Fleet] refactor install registry and upload to extract common logic (elastic#150444)
  [ftr tests] split x-pack functional_with_es_ssl config (elastic#150416)
  [APM] switch get environment function to use terms_enum api (elastic#150175)
  [Unified search] Fixes ally issues (elastic#150411)
  [Synthetics] Fix overview status query (elastic#150285)
  [api-docs] 2023-02-08 Daily api_docs build (elastic#150518)
  [canvas] Run tests against @kbn/handlebars compileAST function (elastic#150439)
  [RAM] Bring flapping status and settings in o11y (elastic#150483)
  [data view mgmt] fix field refresh when index pattern is changed. (elastic#150403)
  [RAM] Allow alert table to show new alert status on apm (elastic#150500)
  [Synthetics] errors - adjust empty state content (elastic#150455)
  Uncomment tests (elastic#150481)
  [TIP] fix broken cypress tests after change made in cases plugin (elastic#150479)
  [enterprise search]: disallow removing last index from engine (elastic#150464)
  [Security Solution][Exceptions] Rule exceptions TTL - Expiration (elastic#145180)
  Adds link to Jan 2023 contributors newsletter. (elastic#150259)
  [Security Solution][Alerts] Fix bug when suppression has both created and updated alerts (elastic#150236)
  ...
@dplumlee dplumlee mentioned this pull request Feb 8, 2023
Open
@dplumlee dplumlee deleted the exceptions-ttl-expire branch February 9, 2023 17:46
@dplumlee dplumlee mentioned this pull request Feb 22, 2023
Merged
3 tasks
@dplumlee dplumlee mentioned this pull request Mar 2, 2023
Closed
4 tasks
@dplumlee dplumlee mentioned this pull request Mar 22, 2023
Closed
@peluja1012 peluja1012 mentioned this pull request Apr 14, 2023
Closed
@MadameSheema MadameSheema mentioned this pull request Jun 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WafaaNasr WafaaNasr WafaaNasr left review comments

@paul-tavares paul-tavares paul-tavares approved these changes

@kqualters-elastic kqualters-elastic kqualters-elastic approved these changes

@marshallmain marshallmain marshallmain approved these changes

@maximpn maximpn maximpn approved these changes

@e40pud e40pud e40pud approved these changes

@pgayvallet pgayvallet pgayvallet approved these changes

@dhurley14 dhurley14 dhurley14 approved these changes

@pzl pzl pzl approved these changes

Assignees

@dplumlee dplumlee

Labels
backport:skip This commit does not require backporting release_note:feature Makes this part of the condensed release notes Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team v8.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.