Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Entity Analytics] Internal API to upload asset criticality records via CSV file #179930

Merged
merged 43 commits into from
Apr 11, 2024
Merged

[Entity Analytics] Internal API to upload asset criticality records via CSV file #179930

merged 43 commits into from
Apr 11, 2024

Conversation

hop-dev
Copy link
Contributor

@hop-dev hop-dev commented Apr 3, 2024
edited
Loading

Summary

Adds a new internal API to provide a CSV file of asset criticality records to bulk upload.

The CSV has some constraints:

  • It must use a comma as the delimiter
  • its must have 3 columns in the following order:
    • entity type: host or user
    • entity ID:any string up to 1000 characters
    • criticality level: one of low_impact, medium_impact, high_impact, extreme_impact
  • we do not support header rows at the moment

Here is an example of a good file:

host,host-01,low_impact
host,host-02,medium_impact
host,host-03,high_impact
user,user-04,extreme_impact

We send the updates to elasticsearch using the bulk API stream helper, this allows us to configure the max request size and the number of retries on error. I have mapped these to config just incase we ever need to change them for a certain env. Here are the keys and their defaults:

xpack.securitySolution.entityAnalytics.assetCriticality.csvUpload.errorRetries: 1
xpack.securitySolution.entityAnalytics.assetCriticality.csvUpload.maxBulkRequestBodySizeBytes: 100000

Example Curl with response:

curl -X POST -F "file=@./1k.csv;type=text/csv" http: //<kibana>/internal/asset_criticality/upload_csv -H "kbn-xsrf:hello" -H "elastic-api-version:1"
{
    "errors": [],
    "stats": {
        "successful": 1000,
        "failed": 0,
        "total": 1000
    }
}

Errors are reported line by line, here are some examples:

{
    "errors": [
        {
            "index": 0,
            "message": "Invalid criticality level invalid_criticality"
        },
        {
            "index": 1,
            "message": "Invalid entity type invalid_entity"
        },
        {
            "index": 2,
            "message": "Missing ID"
        },
        {
            "index": 3,
            "message": "Missing criticality level"
        },
    ]
}

@hop-dev hop-dev changed the title working e2e [Entity Analytics] API to upload asset criticality CSV file Apr 3, 2024
@hop-dev hop-dev force-pushed the asset-criticality-csv-upoad-api branch from bd8e992 to 71f393c Compare April 3, 2024 16:10
@hop-dev hop-dev marked this pull request as ready for review April 5, 2024 15:15
@hop-dev hop-dev requested review from a team as code owners April 5, 2024 15:15
@hop-dev hop-dev requested a review from tiansivive April 5, 2024 15:15
maximpn
maximpn approved these changes Apr 10, 2024
View reviewed changes
Copy link
Contributor

@maximpn maximpn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detection and Response LGTM

@hop-dev The changes here aren't really owned by Detection and Response. I left comments about moving the code from common files to entity analytics domain where ownership is limited to entity analytics.

x-pack/plugins/security_solution/server/routes/index.ts
@@ -178,6 +179,7 @@ export const initRoutes = (
assetCriticalityGetRoute(router, logger);
assetCriticalityDeleteRoute(router, logger);
assetCriticalityPrivilegesRoute(router, getStartServices, logger);
assetCriticalityCSVUploadRoute(router, logger, config, getStartServices);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While it's possible to register individual routes here it's much better to incapsulate the details. I recommend to move all assetCriticality... route registrations into registerAssetCriticalityRoutes() function. This function file should have explicit ownership.

x-pack/plugins/security_solution/common/constants.ts
@@ -272,6 +272,7 @@ export const RISK_ENGINE_SETTINGS_URL = `${RISK_ENGINE_URL}/settings`;
export const ASSET_CRITICALITY_URL = `/internal/asset_criticality`;
export const ASSET_CRITICALITY_PRIVILEGES_URL = `/internal/asset_criticality/privileges`;
export const ASSET_CRITICALITY_STATUS_URL = `${ASSET_CRITICALITY_URL}/status`;
export const ASSET_CRITICALITY_CSV_UPLOAD_URL = `${ASSET_CRITICALITY_URL}/upload_csv`;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend to move ASSET_CRITICALITY... constants into Asset criticality domain. Create common/asset_criticality folder with constants.ts. It will help to define proper ownership avoid expanding common/constants.ts with not really common constants.

@hop-dev hop-dev mentioned this pull request Apr 10, 2024
Closed
@hop-dev
Copy link
Contributor Author

hop-dev commented Apr 10, 2024
edited
Loading

@maximpn thanks for the really useful recommendations, I don't want to grow this PR any more so I have created an issue for our team to implement them separately soon 👍 #180531

@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #72 / transform /internal/transform/schedule_now_transforms bulk schedule "after each" hook for "should schedule multiple transforms by transformIds, even if one of the transformIds is invalid"

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 5302 5303 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 17.0MB 17.0MB +18.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @hop-dev

JDKurma
JDKurma approved these changes Apr 11, 2024
View reviewed changes
Copy link
Contributor

@JDKurma JDKurma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SDA LGTM

tiansivive
tiansivive approved these changes Apr 11, 2024
View reviewed changes
Copy link
Contributor

@tiansivive tiansivive left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hop-dev hop-dev merged commit 40da1dd into elastic:main Apr 11, 2024
36 checks passed
@hop-dev hop-dev deleted the asset-criticality-csv-upoad-api branch April 11, 2024 08:17
@kibanamachine kibanamachine added v8.14.0 backport:skip This commit does not require backporting labels Apr 11, 2024
@machadoum machadoum mentioned this pull request Apr 11, 2024
Merged
5 tasks
@jaredburgettelastic jaredburgettelastic mentioned this pull request Apr 12, 2024
Closed
@hop-dev hop-dev mentioned this pull request Apr 12, 2024
Merged
machadoum added a commit that referenced this pull request Apr 12, 2024
@machadoum @hop-dev
[SecuritySolutions] Create Asset Criticality CSV upload page (#179891)
79096be 
## Summary
Create a new Asset Criticality page for updating asset criticality by
file upload.
Flaky test runner:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5662
Server side PR: #179930


https://github.com/elastic/kibana/assets/1490444/f524b5e8-8efa-40c7-8e43-45cf43decefb


The new page has three steps. You can access the page by going to
Security -> Manage -> Asset Criticality.

<img
src="https://github.com/elastic/kibana/assets/1490444/080a51bf-20e9-4f4b-84b2-13fe1cfdc1d5"
width="400" />




### File picker Step:
<img
src="https://github.com/elastic/kibana/assets/1490444/e3aea4b8-2083-49a4-b4bf-dbb645fb463b"
width="400" />


### File validation step
<img
src="https://github.com/elastic/kibana/assets/1490444/54b3018e-ef0e-4ac4-93b2-67ae02743eb8"
width="400" />

### Result step

<img
src="https://github.com/elastic/kibana/assets/1490444/aa47a7af-1108-4ad6-8dc0-f728e0187026"
width="400" />


### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
a-docker)
- [x] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))


## How to test it?
* Open the page
* Upload a valid CSV file
* Check if everything is ok on the validation step
* Click Assign
* Check if the success message is displayed
* Open the alert flyout for an updated asset and check if it has the new
value

## What is not included?
* Serverless
* Disable the feature when asset criticality advanced setting is
disabled


## Code owners files:

<details>
  <summary>elastic/docs</summary>

* packages/kbn-doc-links/src/get_doc_links.ts
* packages/kbn-doc-links/src/types.ts
</details>

<details>
  <summary>elastic/security-defend-workflows</summary>

* x-pack/plugins/security_solution/public/management/links.ts
</details>

<details>
  <summary>elastic/security-detection-engine</summary>

* x-pack/test/security_solution_cypress/cypress/urls/navigation.ts
</details>

<details>
  <summary>elastic/security-detections-response</summary>

*
x-pack/test/security_solution_cypress/cypress/fixtures/asset_criticality.csv
</details>

<details>
  <summary>elastic/security-engineering-productivity</summary>

*
x-pack/test/security_solution_cypress/cypress/e2e/entity_analytics/asset_criticality_upload_page.cy.ts
*
x-pack/test/security_solution_cypress/cypress/fixtures/asset_criticality.csv
*
x-pack/test/security_solution_cypress/cypress/screens/asset_criticality.ts
*
x-pack/test/security_solution_cypress/cypress/tasks/asset_criticality.ts
* x-pack/test/security_solution_cypress/cypress/urls/navigation.ts
</details>

<details>
  <summary>elastic/security-threat-hunting</summary>

*
x-pack/test/security_solution_cypress/cypress/fixtures/asset_criticality.csv
</details>

<details>
  <summary>elastic/security-threat-hunting-investigations</summary>

*
x-pack/plugins/security_solution/public/resolver/view/panels/node_list.tsx
* x-pack/test/security_solution_cypress/cypress/urls/navigation.ts
</details>

---------

Co-authored-by: Mark Hopkin <[email protected]>
hop-dev added a commit that referenced this pull request Apr 15, 2024
@hop-dev @kibanamachine
[Entity Analytics] Move routes and constants into folders owned by th…
47582c4 
…e entity analytics team (#180702)

## Summary

Closes #180531
This pull request moves entity analytics route registration and url
definition into files owned by our team.

Currently, to add a new route we require a code owners review from both
the `security-detections-response` and `security-threat-hunting` teams
unnecessarily. This is because we needed to change the following files:

- `x-pack/plugins/security_solution/common/constants.ts`
- `x-pack/plugins/security_solution/server/routes/index.ts`

As recommended by @maximpn
[here](#179930 (review))

I have also removed redundant feature flag checks for enabling risk
scoring and risk engine privileges routes, these feature flags are
enabled now.

---------

Co-authored-by: Kibana Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jaredburgettelastic jaredburgettelastic jaredburgettelastic approved these changes

@JDKurma JDKurma JDKurma approved these changes

@maximpn maximpn maximpn approved these changes

@tiansivive tiansivive tiansivive approved these changes

@oatkiller oatkiller Awaiting requested review from oatkiller

@machadoum machadoum Awaiting requested review from machadoum

Assignees

@hop-dev hop-dev

Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Entity Analytics Security Entity Analytics Team v8.14.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
10 participants
@hop-dev @elasticmachine @kibana-ci @oatkiller @machadoum @tiansivive @maximpn @JDKurma @jaredburgettelastic @kibanamachine