[SIEM] Import timeline fix

[angorayc]

Summary

This PR is to allow template timeline updated via import,
and fix the case we had in #64439

How to verify this PR:

1. copy the json below and paste it onto a file

{"savedObjectId":null,"version":"WzM5LDFd","timelineType":"template","templateTimelineId":"49188240-6530-11ea-90dd-7d87cXavier","templateTimelineVersion":4,"columns":[{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"@timestamp","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"message","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.category","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"event.action","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"host.name","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"source.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"destination.ip","searchable":null},{"indexes":null,"name":null,"columnHeaderType":"not-filtered","id":"user.name","searchable":null}],"dataProviders":[],"description":"is Super","eventType":"all","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}","kuery":{"expression":"host.name: *","kind":"kuery"}}},"title":"My template timeline updated","dateRange":{"start":1584020448645,"end":1584106848645},"savedQueryId":null,"sort":{"columnId":"@timestamp","sortDirection":"desc"},"favorite":[{"favoriteDate":1584480703444,"keySearch":"WGF2aWVyTQ==","fullName":"xavier mouligneau","userName":"XavierM"}],"created":1588693289719,"createdBy":"XavierM","updated":1588693315060,"updatedBy":"XavierM","eventNotes":[{"noteId":"e3cf0900-8ee6-11ea-bff9-5be90e832634","version":"WzM0LDFd","eventId":"Cfwg1HABO74GafNORxyF","note":"pinned and event note","timelineId":"e37d8da0-8ee6-11ea-bff9-5be90e832634","created":1588693290295,"createdBy":"XavierM","updated":1588693290295,"updatedBy":"XavierM"},{"noteId":"e3cfcc50-8ee6-11ea-bff9-5be90e832634","version":"WzM1LDFd","eventId":"Cvwg1HABO74GafNORxyF","note":"event note 1","timelineId":"e37d8da0-8ee6-11ea-bff9-5be90e832634","created":1588693290295,"createdBy":"XavierM","updated":1588693290295,"updatedBy":"XavierM"}],"globalNotes":[{"noteId":"e3cebae0-8ee6-11ea-bff9-5be90e832634","version":"WzI2LDFd","note":"Global","timelineId":"e37d8da0-8ee6-11ea-bff9-5be90e832634","created":1588693290295,"createdBy":"XavierM","updated":1588693290295,"updatedBy":"XavierM"},{"noteId":"e3cf3010-8ee6-11ea-bff9-5be90e832634","version":"WzM2LDFd","note":"Note","timelineId":"e37d8da0-8ee6-11ea-bff9-5be90e832634","created":1588693290295,"createdBy":"XavierM","updated":1588693290295,"updatedBy":"XavierM"}],"pinnedEventIds":["Yfwg1HABO74GafNObyFv","Cfwg1HABO74GafNORxyF","Cvwg1HABO74GafNORxyF"]}

2. save it as template_timeline.ndjson
3. import in to timeline
4. More tweak: [SIEM] Import timeline fix #65448 (comment)

Error cases:

1. Import a new timeline (Create timeline via import)

   • input validation:
     • timelineId has to be null / empty or a timelineId that doesn't exist in SO - if given a timelineId that's already exist, therefor throwing error: savedObjectId: "${id}" already exists
     • title must have - if not given, throw error: Title cannot be empty
     • version: has to be null (this is to reserve the possibility of version control for updating timeline in the future)
     • timelineType has to be null / default or not specified - if set to template, I'll assume it is trying to create a template
     • status has to be null / 'active' or not specified - we don't expose this field to exported file. So far we do not block the 'immutable' status as we need that when installing Elastic template. If status is given as draft, throw error Cannot create a draft timeline

2. Import an existing timeline (Update existing timeline via import)

   • We don't allow updating existing timeline atm: therefor throwing error: savedObjectId: "${id}" already exists

3. Import a new template (Create custom template via import)

   • input validation:
     • templateTimelineId has to be given a uuid that doesn't exist in SO, if given a timelineId that's already exist, therefor throwing error: savedObjectId: "${id}" already exists; if not given a templateTimelineId, throw error: Create template timeline without a template timeline ID is not allowed
     • title must have - if not given, throw error: Title cannot be empty
     • timelineType has to be template - if set to others, I'll assume it is trying to create a default timeline
     • status has to be null / 'active' or not specified - we don't expose this field to exported file. So far we do not block the 'immutable' status as we need that when installing Elastic template. If status is given as draft, throw error Cannot create a draft timeline

4. Import an existing template

   • input validation:
     • timelineType has to be the same as existing template timeline, otherwise throw error: 'Update timelineType is not allowed'
     • status has to be the same as existing template timeline. Otherwise throw error Update status is not allowed
     • templateTimelineId has to be given a uuid that matches an exist in SO.
       • If not given: template timeline without a template timeline ID is not allowed
       • if given a timelineId that's not exist, therefor throwing error: CREATE template timeline with PATCH is not allowed, please use POST instead (Given template timeline doesn't exist)
       • given timelineId doesn't match: Timeline id doesn't match with existing template timeline
       • given templateTimelineVersion doesn't match: TimelineVersion conflict: The given version doesn not match with existing timeline

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
• This was checked for cross-browser compatibility, including a check against IE11

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[angorayc]

@elasticmachine merge upstream

[elasticmachine]

user doesn't have permission to update head repository

[patrykkopycinski]

@elasticmachine merge upstream

[elasticmachine]

user doesn't have permission to update head repository

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[patrykkopycinski]

does it support template timelines?

[angorayc]

yes, timeline_input is a generic input for both timeline and template.
When we init this object for template, we send templateTimelineVersion instead of version
https://github.com/angorayc/kibana/blob/af212242578580adf9e460ec7c4db6dd4d2dd01c/x-pack/plugins/siem/server/lib/timeline/routes/update_timelines_route.ts#L58

[angorayc]

@elasticmachine merge upstream

[elasticmachine]

user doesn't have permission to update head repository

[XavierM]

in this picture below, we are having two bugs

1. I should be able to add a global not in template timeline, only if it is immutable I cannot
2. The second msg is cut off

[angorayc]

in this picture below, we are having two bugs

1. I should be able to add a global note in template timeline, only if it is immutable I cannot
2. The second msg is cut off

Seems that the behaviour of add Note button is as expected. I checked on siem-dev, the add Note is disabled until we type something in the text box.

But sure, I'll fix item 2. in another PR.

[angorayc]

Todos in follow up PR: #69972

• More unit test
• Happy path in integration test
• Properly delete immutable timeline (check if it is linked to rules and handle it properly)
• Internal api for on boarding template timeline
• The error message from importing timeline should be more obvious, the import modal should not be closed if it fails.
• Update wordings for error messages.
• Update design for Template's callout message.
• Remove disableTemplate from constant.
• Fix known issue: Unexpected errors occurs when creating template timeline via import without templateTimelineId / templateTimelineVersion.
• Decide land on Elastic template or Custom template or no filter by default

[angorayc]

@elasticmachine merge upstream

[elasticmachine]

user doesn't have permission to update head repository

[patrykkopycinski]

I was able to import the timeline template smoothly now! LGTM 💪

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: fed80c3

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	788	+1	787

History

• 💚 Build #56852 succeeded 3db3ffc
• 💚 Build #56742 succeeded 0e3003d
• 💚 Build #56606 succeeded c917ce8
• 💔 Build #56603 failed 005c8d4
• 💔 Build #56440 failed c1127aa

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)