[Security solution] Sourcerer: Kibana index pattern selector for security views #74706

stephmilovic · 2020-08-10T20:36:24Z

Summary

This PR introduces a Kibana index pattern selector to the security solution... I call it the Sourcerer. The Sourcerer finds all available Kibana index patterns and compares them against the recommended default index patterns for SIEM, and selects the available recommended patterns to pass to the source query. The component shows the available selections, unavailable selections, and allows the user to select which index patterns will go into the SIEM. I've connected one component to this data, overview_host. Hard to describe, check gifs below.

Available index patterns are all displayed, recommended index patterns are checked. When a pattern gets unchecked, we remove it from the query

Recommended index patterns that are not configured as Kibana index patterns are shown as disabled with a note
A button directs the user to create new patterns

To test you'll need to turn on the feature flag. Set SOURCERER_FEATURE_FLAG_ON to true.

Sourcerer

Checklist

Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
Unit or functional tests were updated or added to match the most common scenarios

elasticmachine · 2020-08-10T20:39:14Z

Pinging @elastic/siem (Team:SIEM)

x-pack/plugins/security_solution/public/common/containers/sourcerer/constants.ts

x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx

angorayc · 2020-08-12T11:08:33Z

@marrasherrier @stephmilovic I played around with it and here is my thought about the experience:
https://docs.google.com/document/d/1-FmYsL2ZaitGoH5oh24ssqkjihsbTWB44rFsjDGl3xg/edit?usp=sharing

stephmilovic · 2020-08-12T12:14:46Z

x-pack/plugins/security_solution/public/overview/components/overview_host/index.tsx

@@ -107,7 +108,10 @@ const OverviewHostComponent: React.FC<OverviewHostProps> = ({
                      />
                    }
                  >
-                    {hostPageButton}
+                    <>
+                      <Sourcerer />


this can be put anywhere in the app, putting it here for demo

stephmilovic · 2020-08-12T12:15:53Z

x-pack/plugins/security_solution/public/overview/containers/overview_host/index.tsx

@@ -38,6 +40,13 @@ export interface OverviewHostProps extends QueryTemplateProps {

 const OverviewHostComponentQuery = React.memo<OverviewHostProps & PropsFromRedux>(
  ({ id = ID, children, filterQuery, isInspected, sourceId, startDate, endDate }) => {
+    const { activeSourceGroupId, getManageSourceGroupById } = useManageSource();


activeSourceGroupId will be determined by which page/view the component is called in

x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx

x-pack/plugins/security_solution/public/common/containers/sourcerer/format.ts

angorayc · 2020-08-12T14:47:21Z

x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx

+  id,
+  indexPattern: getIndexFields(defaultIndex.join(), []),
+  indexPatterns: defaultIndex,
+  indicesExist: indicesExistOrDataTemporarilyUnavailable(undefined),


Could we keep it as undefined or null as default value instead of converting into true?

As some components may be mislead by this, start fetching data, and cause some errors on the client side.

I'm not sure why this was like this before (in useWithSource), but I imagine it solved a bug somewhere. Afraid to create it again

yes, that important to keep as null at the beginning because that 's the way we know that we did not ask yet for it. so we do not show the splash screen and then the data.

@XavierM im confused if you're saying to change it or not??

we need to keep it as undefined

x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx

x-pack/plugins/security_solution/public/common/containers/sourcerer/constants.ts

XavierM · 2020-08-12T20:32:57Z

x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx

+  id,
+  indexPattern: getIndexFields(defaultIndex.join(), []),
+  indexPatterns: defaultIndex,
+  indicesExist: indicesExistOrDataTemporarilyUnavailable(undefined),


we need to keep it as undefined

XavierM

@stephmilovic, I still think that we still need to see if we can get back the indexPatterns and build our browserfields from the index pattern services and see what you need from our server-side to be able to do that.

x-pack/plugins/security_solution/public/common/components/sourcerer/index.tsx

stephmilovic · 2020-08-14T14:06:50Z

@elasticmachine merge upstream

kibanamachine · 2020-08-14T15:59:46Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request
Commit: b427c51

Build metrics

@kbn/optimizer bundle module count

id	value	diff	baseline
securitySolution	1914	+5	1909

async chunks size

id	value	diff	baseline
securitySolution	7.2MB	+27.3KB	7.2MB

page load bundle size

id	value	diff	baseline
securitySolution	806.1KB	+150.0B	805.9KB

History

💚 Build #67999 succeeded c09927e
💚 Build #67970 succeeded 870ddbe
💚 Build #67740 succeeded f9d18c1
💔 Build #67734 failed a5cac92
💚 Build #67374 succeeded 78a546a

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

spong · 2020-08-14T16:50:44Z

Just stopping by to say I am 5000% excited about this feature and am super stoked for what this change will mean to the EmbeddableMap component as users will finally be able to granularly configure the index patterns used to create layers. This will yuuuuge for them and will make many happy users! 🙂

Many thanks @stephmilovic @angorayc @XavierM!! ❤️ 🎉 🚀

…rity views (elastic#74706)

* master: (24 commits) [ML] Functional tests - skip regression and classification tests [Ingest Manager] fix removing ingest pipelines from elasticsearch (elastic#75092) move tests for placeholder indices to setup (elastic#75096) [jest] temporarily extend default test timeout (elastic#75118) [cli] remove reference to removed --optimize flag (elastic#75083) skip flaky suite (elastic#75044) Adding /etc/rc.d/init.d/functions to the init script when present to … (elastic#22985) [jenkins] add pipeline for hourly security solution cypress tests (elastic#75087) [Reporting/Flaky Test] Skip test for paging list of reports (elastic#75075) remove .kbn-optimizer-cache upload (elastic#75086) skip flaky suite (elastic#74814) Actions add proxy support (elastic#74289) [ILM] TS conversion of Edit policy components (elastic#74747) [Resolver] simulator tests select elements directly instead of using descendant selectors. (elastic#75058) [Enterprise Search] Add Workplace Search side navigation (elastic#74894) [Security solution] Sourcerer: Kibana index pattern selector for security views (elastic#74706) [Logs UI] Remove apollo deps from log link-to routes (elastic#74502) [Maps] add map configurations to docker list (elastic#75035) [functional test][saved objects] update tests for additional copy saved objects to space (elastic#74907) Make the alerts plugin support generics (elastic#72716) ...

…rity views (#74706) (#75128)

elasticmachine · 2021-09-23T14:27:43Z

Pinging @elastic/security-solution (Team: SecuritySolution)

stephmilovic added 5 commits August 6, 2020 07:24

init commit

f630f48

lots of cleanup

a1986df

starting on tests... problems

d51828d

Merge branch 'master' into sourcerer

005e127

Ready for review

d4c9421

stephmilovic added Team:SIEM v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.10.0 labels Aug 10, 2020

stephmilovic requested a review from XavierM August 10, 2020 20:36

stephmilovic self-assigned this Aug 10, 2020

remove sample data

78a546a

stephmilovic marked this pull request as ready for review August 10, 2020 20:39

stephmilovic requested review from a team as code owners August 10, 2020 20:39

stephmilovic changed the title ~~[Security solution] Sourcerer - Kibana index pattern selector for security views~~ [Security solution] Sourcerer: Kibana index pattern selector for security views Aug 10, 2020