[Security Solution][Exceptions] Exception modal bulk close alerts that match exception attributes #71321
Conversation
'', | ||
'kuery', | ||
[], | ||
['.siem-signals'], |
I'll need to use the siemSignalsIndex hook here to get the right indexPattern
}: { | ||
query: Query; | ||
language: Language; | ||
lists: ExceptionListItemSchema[] | undefined; | ||
lists: Array<ExceptionListItemSchema | CreateExceptionListItemSchema> | undefined; | ||
exclude?: boolean; |
This is needed because the logic is negated when adding an exception (we want to exclude), but when closing alerts we don't want to do that.
exceptionItemsToAddOrUpdate, | ||
false | ||
); | ||
await updateAlertStatus({ |
@FrankHassanabad I think we may need to use wait_for_completion=false on the updateByQuery here. Otherwise the request could take a while.
? [buildExceptionItemEntries({ lists: exceptionItem.entries, language, exclude })] | ||
: []), | ||
]; | ||
}, [] as string[]); |
You should be able to do lists.reduce<string>( and avoid the as string cast fwiw.
'kuery', | ||
[], | ||
['.siem-signals'], | ||
exceptionItemsToAddOrUpdate, |
The query for bulk closing has to account for the event fields in the original event being moved to original_event in the signal - https://github.com/elastic/kibana/blob/master/x-pack/plugins/security_solution/server/lib/detection_engine/signals/build_signal.ts#L57
Does this mean that I'll have to replace any exception item fields that start with event. with signal.original_event. before creating the ES Filter?
Yeah in general signal.original_event holds the original event's event fieldset and event. in the signal refers to the "signal creation" event rather than the original event - so replacing all event. uses with signal.original_event. would be safest in case we use more signal specific event fields later on. Right now the only difference I know of between event and signal.original_event is that event.kind is hardcoded to signal.
a9a3ea5 to 6d4e4f1
Pinging @elastic/siem (Team:SIEM)
@@ -22,10 +22,82 @@ import { | |||
EntryMatch, | |||
EntryMatchAny, | |||
EntriesArray, |
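Review bot: EntriesArray is imported here only so the map callback can spell its element type as EntriesArray[0]; the review suggestion further down replaces that annotation with Entry | EntryNested, so if that suggestion is taken, import Entry and EntryNested in this list and drop EntriesArray rather than leaving an unused import behind.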
6d4e4f1 to e7ecadc
return exceptionItems.map((item: ExceptionListItemSchema | CreateExceptionListItemSchema) => { | ||
if (item.entries !== undefined) { | ||
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { |
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { | |
const newEntries = item.entries.map((itemEntry: Entry | EntryNested) => { |
I'm adding this too
if (item.entries !== undefined) { | ||
const newEntries = item.entries.map((itemEntry: EntriesArray[0]) => { | ||
if (itemEntry.type === 'nested') { | ||
const newNestedEntries = itemEntry.entries.map((nestedEntry: EntryMatch) => { |
I think we only want to replace top level entries that start with event. so we can remove the whole if (itemEntry.type === 'nested') { block and always execute what is currently the else part.
entries: [ | ||
{ | ||
...getEntryMatchMock(), | ||
field: 'event.module', |
the full path to this field would be host.name.event.module? In that case the field would stay the same, it wouldn't move to host.name.signal.original_event.module
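The two threads above (rewriting top-level event. fields to signal.original_event. before building the bulk-close query, and leaving nested entries such as host.name.event.module alone) and the earlier comment about the exclude flag describe one transformation. The following is an added example written for this page; it is not code from this PR or from Kibana. The types are simplified stand-ins for ExceptionListItemSchema and the Entry types, the names prepareExceptionItemsForBulkClose, toOriginalEventField, buildExceptionItemsKql and kqlValue are the example's own (Kibana's buildExceptionItemEntries is not reproduced), the KQL it emits is one plausible shape rather than the project's exact output, and the sample items are constructed.

```typescript
// Added example, not Kibana code. Simplified stand-ins for the
// ExceptionListItemSchema / Entry types discussed in the PR.
type Operator = 'included' | 'excluded';
export type EntryMatch = { type: 'match'; field: string; operator: Operator; value: string };
export type EntryMatchAny = { type: 'match_any'; field: string; operator: Operator; value: string[] };
export type EntryNested = { type: 'nested'; field: string; entries: EntryMatch[] };
export type Entry = EntryMatch | EntryMatchAny;
export type ExceptionItem = { entries: Array<Entry | EntryNested> };

const EVENT_PREFIX = 'event.';
const ORIGINAL_EVENT_PREFIX = 'signal.original_event.';

// In a signal document the source event's event.* fieldset lives under
// signal.original_event.*, while event.* describes the signal itself
// (event.kind is hardcoded to "signal"). Only a top-level field is rewritten.
export function toOriginalEventField(field: string): string {
  return field.startsWith(EVENT_PREFIX)
    ? ORIGINAL_EVENT_PREFIX + field.slice(EVENT_PREFIX.length)
    : field;
}

// Returns new items; the caller's exception items are not mutated.
export function prepareExceptionItemsForBulkClose(items: ExceptionItem[]): ExceptionItem[] {
  return items.map((item) => ({
    ...item,
    entries: item.entries.map((entry): Entry | EntryNested => {
      // A nested entry's child field is relative to its parent
      // (host.name.event.module), so it is not an event.* field: leave it alone.
      if (entry.type === 'nested') {
        return entry;
      }
      return { ...entry, field: toOriginalEventField(entry.field) };
    }),
  }));
}

// Quote a KQL value so user-supplied exception values cannot smuggle in operators.
function kqlValue(value: string): string {
  return `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
}

function matchClause(field: string, operator: Operator, value: string): string {
  const clause = `${field}:${kqlValue(value)}`;
  return operator === 'included' ? clause : `not ${clause}`;
}

function entryToKql(entry: Entry | EntryNested): string {
  switch (entry.type) {
    case 'match':
      return matchClause(entry.field, entry.operator, entry.value);
    case 'match_any': {
      const clause = `${entry.field}:(${entry.value.map(kqlValue).join(' or ')})`;
      return entry.operator === 'included' ? clause : `not ${clause}`;
    }
    case 'nested': {
      // KQL nested syntax: parent:{ child:value and child:value }
      const inner = entry.entries.map((e) => matchClause(e.field, e.operator, e.value)).join(' and ');
      return `${entry.field}:{ ${inner} }`;
    }
    default: {
      const unreachable: never = entry;
      throw new Error(`unknown entry ${JSON.stringify(unreachable)}`);
    }
  }
}

// exclude=true is the rule-query case: anything matching an exception item is
// excluded, so the whole disjunction is negated. exclude=false is the bulk-close
// case: we want exactly the alerts that match the exception.
export function buildExceptionItemsKql(items: ExceptionItem[], exclude: boolean): string {
  const anyItem = items
    .map((item) => `(${item.entries.map(entryToKql).join(' and ')})`)
    .join(' or ');
  return exclude ? `not (${anyItem})` : anyItem;
}

// Constructed sample: a top-level event.* entry, a match_any entry and a
// nested entry under host.name whose child is also called event.module.
export const SAMPLE_ITEMS: ExceptionItem[] = [
  {
    entries: [
      { type: 'match', field: 'event.module', operator: 'included', value: 'endpoint' },
      { type: 'match_any', field: 'process.name', operator: 'included', value: ['bash', 'sh'] },
      {
        type: 'nested',
        field: 'host.name',
        entries: [{ type: 'match', field: 'event.module', operator: 'included', value: 'x' }],
      },
    ],
  },
];

console.log(buildExceptionItemsKql(prepareExceptionItemsForBulkClose(SAMPLE_ITEMS), false));
```

Running the sample prints the bulk-close query with signal.original_event.module rewritten and the nested host.name:{ event.module:"x" } clause untouched; passing exclude=true to the same builder gives the negated form used when the exception is applied to the rule query itself.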
💚 Build Succeeded
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary
Adds the bulk close feature to the Exception modal. A couple of items of note:
- Closes alerts in the .siem-signals index that match the exception's fields and values included in the Exception Modal
- Bulk close disabled when "is in list" operator is selected
Bulk closing 4,100 alerts from Edit Modal
Testing
Navigate to the Alerts page, click on the overflow menu and select Add exception. After selecting the exception attributes, click the checkbox with text Close all alerts that match attributes in this exception.