-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RAC] Add external/related/associated Case IDs and 3rd party incidence link #115808
Comments
Pinging @elastic/security-threat-hunting-cases (Team:Threat Hunting:Cases) |
Hi @hbharding, I would like to make it apparent that providing that feature is not trivial. The problems we will face are a) concurrency and b) migrations (cases uses the SavedObjects API). ConcurrencyImagine there are two Kibana nodes. The nodes do not share any memory or communicate. Two users simultaneously create a case and each request is routed to one of the nodes accordingly. Each Kibana node will query ES to get the latest Case to deduct the latest human-readable ID (let's say is a field saved in ES for each case). Both of the nodes will get the same ID and both of them will increase the ID by one. That will result in two different cases with the same ID. To resolve this problem we need to think of a way of creating distributed human-readable IDs. MigrationsAll cases created before this feature need to be migrated so each case is assigned an ID. The problem is it is not possible to keep state during migrations and the order of documents is random. The state is needed to keep a counter so each case is assigned the next ID. The order is needed to assign the IDs chronologically (created_at). |
Thanks for the excellent write up. I'd like to add a few points along the lines of what @cnasikas has brought up: How unique should these IDs be?Assume we start with a brand new deployment. If the first ever case is created in space 'A' and the second case is created in space 'B', would each have the id: "#1", or would the second case have the id: "#2"? Today SOs (and therefore cases) aren't shareable between spaces, but the functionality is planned. If we want to eventually have the option to share cases between spaces, we might want to make them unique across the entire kibana instance. However there is a downside to this approach. Users with read/write privileges in a single space could infer how many cases are being created in other spaces. They could do this by creating a case and noting its ID, then waiting some time and creating another case. By subtracting the first id from the second they could infer the number of cases created in all other spaces during that time. If that raises no security concerns, then I propose that we make the IDs unique to the kibana instance, not the space. Otherwise we'll have to deduplicate IDs between spaces if we decide to make cases shareable in the future. Sub questionI'd like to ask someone on the ES team about other gotchas we should be aware of. Re: Considering an Optimistic Concurrency Control approachAssuming that the case IDs are unique within a space, we could have a single document per space that holds the last used space ID. The document would be a special, singleton, saved object that keeps a the space ID that was last used to create a case. It could store this in a This approach has a serious downside though. As cases can be created programmatically, it's possible that there could be high contention on this check. If the system tries to create On situations where getting an incrementing integer is impracticalThere are several known cases where getting an incremented integer id would be impractical:
We could mitigate this limitation by adding this requirement:
We can use the same approach in any situation where getting a unique, incremented, ID would be impractical. MigrationsIn the above section on concurrency I described an approach where we'd use a hash in place of the ID in certain cases. We could use that approach here. Import / ExportWhat would the human readable id of a case by after import? We could keep the human readable id from the imported data when importing the case. That could introduce duplicates. Otherwise we could replace the human readable id with a less human readable one. For example if the id was |
What about copying off of the github's commit hash link idea instead? TODO, explore |
Thanks @cnasikas and @oatkiller. Great questions and ideas! Clearly we have some more thinking to do on how to handle all these situations. I want to briefly summarize the points I see so far:
I'll work with @vinaychandrasekhar (and maybe some help from @jasonrhodes) to add more detail to the AC. It might be useful for us all to have a brainstorming meeting. Stay tuned. cc @katrin-freihofner |
I think this could easily eat up many many dev cycles on trying to figure out the non-functional requirements of making these IDs work when we already have UUIDs that do what we need, so I want to push back a bit on the importance here before we commit to that much eng work. I totally understand why we want these, but I like @oatkiller's suggestion of using GitHub's model of a shortened version of the UUID as a reasonably safe-unique value that's more readable than the full UUID (though not as nice as "#23", obviously). |
This is the GitHub method that @oatkiller and I are referring to, for reference (I think they are just using the first 6-7 chars): |
@oatkiller just wanted to note that the current implementation of the saved object management's page import (which cases leverages) doesn't allow custom functionality to be executed. So currently, we can't perform validation or manipulate the data being imported. |
Pinging @elastic/response-ops-cases (Feature:Cases) |
Pinging @elastic/response-ops (Team:ResponseOps) |
Hi everyone! In #146864 we added the cases column to the alerts table. |
Part of #132772
Summary
We want to introduce human readable Case IDs so that users can easily reference a specific case. We will use an "incremental" pattern similar to tools like Github where the first case created is labeled
#1
, the 2nd is#2
, and so on. When users create a new case, an ID will automatically be assigned and cannot be changed. Cases originating from different apps like Observability and Security would share the same sequence. For example, if cases #1 and #2 were created in Observability, and then a user creates a third case in Security, that case ID would be #3.There are several places in our UI where it makes sense to show this information, documented below.
AC
Alerts list view
We have a separate issue for this since we want to append the Case ID to the alert index. The "Cases" column shows the Case ID with a link to view the case. If multiple Cases exist for a single alert, we can use a comma separated list of Case IDs. https://github.com/elastic/observability-design/issues/102
Alerts detail flyout
We should provide a link to the Case ID in the alert details flyout. If more than one Case exists, use a comma separated list. If no cases exist, the value can just use a - to denote that a case does not exist. These links should use the same hover tooltip from the alerts table (more about this below).
Modal: Add to existing case
We can show the Case ID in the table users see in order to select a case to add an alert to.
Cases list view
We can append the case ID to the Case name on the Cases table. Users should be able to search for a specific case by referencing it's number. i.e. 254 or #254.
Case detail page
We can append the Case ID to the Case detail page's title text. This way the relationship is clear when a user clicks on a Case ID and land on this page. If the user clicks the "edit" button icon to change the Case's name, the Case ID portion should disappear while they are editing. The Case ID should not change if a user changes the case name.
Tooltips
We should provide tooltips when users hover on the case ID to provide additional context about the cases. This way, we can set expectations for what the user will see if they click the case ID link. These tooltips should appear everywhere that we show the Case ID as a link. For now, this includes the Alerts list page and the Alert detail flyout.
The text was updated successfully, but these errors were encountered: