[Security Solution] Open alerts with an associated template in the template view #123333
Conversation
kqualters-elastic
added
v8.0.0
release_note:skip
| const alertGroupId = alertGroupIdField?.length | ||
| ? alertGroupIdField[0] | ||
| : 'unknown-group-id'; | ||
| const alertGroupId = alertGroupIdField?.length ? alertGroupIdField : 'unknown-group-id'; |
There was a problem hiding this comment.
alertGroupIdField ?? 'unknown-group-id'?
There was a problem hiding this comment.
+1 to @madirey suggestion.
| dataProviders: [], | ||
| filters: buildAlertsKqlFilter('_id', alertsIds), | ||
| filters: [], | ||
| dataProviders: alertsIds.map((id) => { |
There was a problem hiding this comment.
👍 appreciate this, as it ensures the _id is populated in data providers vs filters (as before)
| const queryMatchField = getFieldKey(ecs, ALERT_GROUP_ID); | ||
| const alertGroupId = alertGroupIdField?.length ? alertGroupIdField[0] : 'unknown-group-id'; | ||
| const alertGroupId = alertGroupIdField?.length ? alertGroupIdField : 'unknown-group-id'; |
There was a problem hiding this comment.
If alertGroupIdField is not array any more, why we have this length check alertGroupIdField?.length?
|
@kqualters-elastic thank you for the great work! Are there any chances to have some unit tests for |
| @@ -344,9 +359,7 @@ export const buildEqlDataProviderOrFilter = ( | |||
| 'signal.group.id', | |||
There was a problem hiding this comment.
One more thing, can we update this to ALERT_GROUP_ID per the sync from yesterday? Thanks!
|
@elasticmachine merge upstream |
| if (!acc.includes(dateTimestamp.valueOf())) { | ||
| return [...acc, dateTimestamp.valueOf()]; | ||
| } | ||
| const dateTimestamp = new Date(item.timestamp ?? ''); |
There was a problem hiding this comment.
is it ok that new Date('') returns an Invalid Date?
| const alertGroupId = alertGroupIdField?.length | ||
| ? alertGroupIdField[0] | ||
| : 'unknown-group-id'; | ||
| const alertGroupId = !Array.isArray(alertGroupIdField) |
There was a problem hiding this comment.
nit: consider removing the negation via:
const alertGroupId = Array.isArray(alertGroupIdField)
? alertGroupIdField[0]
: alertGroupIdField;
| @@ -137,12 +135,12 @@ export const determineToAndFrom = ({ ecs }: { ecs: Ecs[] | Ecs }) => { | |||
| const ecsData = ecs as Ecs; | |||
| const ruleFrom = getField(ecsData, ALERT_RULE_FROM); | |||
| const elapsedTimeRule = moment.duration( | |||
| moment().diff(dateMath.parse(ruleFrom != null ? ruleFrom[0] : 'now-0s')) | |||
| moment().diff(dateMath.parse(ruleFrom != null ? ruleFrom[0] : 'now-1d')) | |||
| return { | ||
| dataProviders: [], | ||
| filters: buildAlertsKqlFilter( | ||
| 'signal.group.id', | ||
| ALERT_GROUP_ID, |
| const { to, from } = determineToAndFrom({ ecs }); | ||
|
|
||
| // For now we do not want to populate the template timeline if we have alertIds | ||
| if (!isEmpty(timelineId) && isEmpty(alertIds)) { | ||
| if (!isEmpty(timelineId) && isThresholdRule(ecsData) === false) { |
There was a problem hiding this comment.
to ensure the template is applied to threshold rules, consider the following change suggested by @michaelolo24 :
if (!isEmpty(timelineId) && !isEmpty(alertIds)) {…a template, fix test that should never have passed
There was a problem hiding this comment.
Thanks for all the thought and effort you put into this fix @kqualters-elastic! 🙏
Desk tested locally
LGTM 🚀
There was a problem hiding this comment.
Discussed recent changes offline. Re-approving. Thanks for the changes @kqualters-elastic! LGTM
For posterity: retested the following rule & rule - template matches and everything worked as expected
- Query Rule no templates attached Works as expected
- Query Rule with custom template attached Works as expected
- Query Rule with network template attached Works as expected
- Query Rule with process template attached Works as expected
- Threshold Rule no template attached Works as expected
- Threshold Rule with process template attached Works as expected
- EQL Rule with no template attached Works as expected
- EQL Rule with process template attached Works as expected
Regarding the non-alert views:
Hosts Page (Events, External Alerts)
Network Page (External Alerts)
Tested and they properly load an event in the timeline and fill the query builder.
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
|
The following labels were identified as gaps in your version labels and will be added automatically:
If any of these should not be on your pull request, please manually remove them. |
…mplate view (elastic#123333) * Open alerts with a template, with a template * Add default values back instead of template derived ones * Use data providers over filters always, set timeline description to alert id * Remove prepopulated description from non threshold alerts * Open any event in timeline, use correct timestamp * Remove unneeded @timestamp, make sure alertsEcsData is not empty array * Add basic getField tests * Explicity check if alertGroupId is an array instead of using length * Always use a valid date for time range * Only use filter if more than 1 alert is present * Possibly controversial change to calculate threshold time range with a template, fix test that should never have passed * Create threshold timeline in separate function * Use better type for createTimeline passed to createThresholdTimeline * Invert negation as suggested in pr comment * Use template timeline filters/query/data providers for threshold alerts Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit cef886f)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…mplate view (#123333) (#123689) * Open alerts with a template, with a template * Add default values back instead of template derived ones * Use data providers over filters always, set timeline description to alert id * Remove prepopulated description from non threshold alerts * Open any event in timeline, use correct timestamp * Remove unneeded @timestamp, make sure alertsEcsData is not empty array * Add basic getField tests * Explicity check if alertGroupId is an array instead of using length * Always use a valid date for time range * Only use filter if more than 1 alert is present * Possibly controversial change to calculate threshold time range with a template, fix test that should never have passed * Create threshold timeline in separate function * Use better type for createTimeline passed to createThresholdTimeline * Invert negation as suggested in pr comment * Use template timeline filters/query/data providers for threshold alerts Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit cef886f) Co-authored-by: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
Summary
Resolves #123300 resolves #120898 and resolves #123370 alerts with an associated timeline template now use the derived notes, filters, data providers and query with the other defaults.
Checklist