[Cases] Add import/export functionality #110148
Conversation
jonathan-buttner
added
v8.0.0
Team:Threat Hunting
| import { createCaseError, defaultSortField } from '../../common'; | ||
| import { ESCaseAttributes } from '../../services/cases/types'; | ||
|
|
||
| export async function handleExport({ |
There was a problem hiding this comment.
We intentionally do not want to do authorization checks while exporting because it is valid for a user to export a case while not having either security solution or observability cases read privileges.
There was a problem hiding this comment.
Why is valid? It seems like users can always read a case this way even if they do not have read access.
There was a problem hiding this comment.
Christos and I talked offline. This is the current behavior with other entities within Kibana. We don't have a way to enforce the feature privileges for import/export right now.
| } | ||
|
|
||
| const [{ savedObjects }] = await coreSetup.getStartServices(); | ||
| const savedObjectsClient = savedObjects.getScopedClient(context.request, { |
There was a problem hiding this comment.
I'm creating the saved objects client directly here instead of using our service layer because the service layer can mutate the data (for example creating the connector_id field when the objects are returned). We can also make more performant calls here for both the attachments and user actions at the same time using point in time searches instead of the implementation that the service layer uses.
| } | ||
| } | ||
|
|
||
| async function getAttachmentsAndUserActionsForCases( |
There was a problem hiding this comment.
We only need to export the attachments and user actions. The connectors are stored as outbound references so they are exported automatically by the framework.
| sortField: string; | ||
| type: string; | ||
| }): Promise<Array<SavedObject<T>>> { | ||
| const references = caseIds.map((id) => ({ type: CASE_SAVED_OBJECT, id })); |
There was a problem hiding this comment.
This is basically searching for all the case ids for attachments or user actions at the same time.
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticsearchmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
|
@cnasikas found an issue with the import where if the case is deleted and then imported it will mark the case as needing to be pushed. We talked about possible solutions for this and there are many other situations depending on what case is being imported that could cause us to get into a state where we think we need to push when we actually don't need to. For now we're going to leave it as it is and investigate other possible solutions for tracking when a case needs to be pushed. Like keeping a counter associated with the case to mark the sequential version of the case so that we don't need to use the user actions to determine if the case needs to be pushed. |
* Working export but not import * Adding user action import flag * Adding a few integration tests * Adding connector test * Finishing integration tests * Removing connector after each test to restore original state * Bumping migration version for comment so Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
|
Nice work @jonathan-buttner 🥇 |
* Working export but not import * Adding user action import flag * Adding a few integration tests * Adding connector test * Finishing integration tests * Removing connector after each test to restore original state * Bumping migration version for comment so Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
This PR allows the cases saved objects to be exported and imported. The functionality is provided through the Saved Objects Management Page.
Since cases uses inbound references, when a case is selected for export we search for all comments and user actions that reference that case.
What is exported?
Permissions
For a user to view the Saved Objects Management Page they must have the
Saved Objects ManagementprivilegeGranting this privilege also grants the user
allaccess to all saved objects. So it is possible for a user to have no Cases privileges but still be able to import/export via the Saved Objects Management privilege.Issues
Release note
Cases can now be imported and exported through the Saved Objects Management Page. Only the Cases themselves need to be selected for export. The Case title will be shown in the Saved Objects Management Page table's title column. Cases are also labeled with the case icon:
Rows labeled
cases-commentorcases-user-actionsshould be ignored and not selected when exporting.