Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Refactor RulesTableContext into separate Installed, Upgrade, & New RulesContexts #154614

Closed
Tracked by #174167
spong opened this issue Apr 6, 2023 · 3 comments
Assignees
Labels
8.9 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules Feature:Rule Management Security Solution Detection Rule Management refactoring Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. technical debt Improvement of the software architecture and operational architecture v8.9.0

Comments

@spong
Copy link
Member

spong commented Apr 6, 2023

Epic: https://github.com/elastic/security-team/issues/1974 (internal)

Summary

As detailed in the design diagram in #153751 (comment), this is an implementation issue is for refactoring the current Rule Management state logic to support separate react contexts for each InstalledRules (for main mgmt and monitoring tables), UpgradeRules, and NewRules tables.

Example contexts (state/actions subject to change):

@spong spong added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules v8.8.0 labels Apr 6, 2023
@spong spong self-assigned this Apr 6, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror added 8.8 candidate refactoring technical debt Improvement of the software architecture and operational architecture labels Apr 17, 2023
@banderror banderror assigned jpdjere and unassigned spong May 23, 2023
xcrzx added a commit that referenced this issue Jun 14, 2023
…158450)

Addresses: #154614
#154615

Figma designs:
https://www.figma.com/file/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?type=design&node-id=2935-577576&t=ziqgnlEJBpowqa7F-0

## Summary

- Removes `prebuiltRulesNewUpgradeAndInstallationWorkflowsEnabled`
feature flag. All new prebuilt endpoints now available by default.
- Creates the UI for the new **rules installation** and **rules
upgrade** workflows.
- Creates new **Add Rules** page, which lists rules available for
installation.
- Creates new **Rule Updates** page, which lists rules which have
available updates.
- Creates new, separate contexts for the **Add Rules** and the **Rule
Updates** page, and the hooks to use them
(`useAddPrebuiltRulesTableContext` and
`useUpgradePrebuiltRulesTableContext` respectively)
    - Creates prebuilt rule hooks, which consume new endpoints:
- `useFetchPrebuiltRulesStatusQuery` and `usePrebuiltRulesStatus`
consume the `/internal/detection_engine/prebuilt_rules/status` endpoint
and provide information about number of rules available for
installation, number of installed rules, and number of rules with
available updates.
- `useFetchPrebuiltRulesInstallReviewQuery` and
`usePrebuiltRulesInstallReview` consume the
`/internal/detection_engine/prebuilt_rules/installation/_review`
endpoint and return the rules available for installation which are
listed in the **Add Rules** page.
- `useFetchPrebuiltRulesUpgradeReviewQuery` and
`usePrebuiltRulesUpgradeReview` consume the
`/internal/detection_engine/prebuilt_rules/upgrade/_review` endpoint and
return the rules which have available updates, and are listed in the
**Rule Updates** page.
- `usePerformInstallAllRules`, `usePerformInstallSpecificRules`, and its
respective mutation hooks `usePerformAllRulesInstallMutation` and
`usePerformSpecificRulesInstallMutation` consume the
`/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in
order to install rules.
- `usePerformUpgradeAllRules`, `usePerformUpgradeSpecificRules` and its
respective mutation hooks `usePerformAllRulesUpgradeMutation` and
`usePerformSpecificRulesUpgradeMutation` consume the
`/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in
order to upgrade rules.

### Deprecated code

**Hooks:**
- `useCreatePrebuiltRulesMutation`
- `useInstallPrePackagedRules`
- `useCreatePrePackagedRules`
- `usePrePackagedRulesInstallationStatus`
- `usePrePackagedTimelinesInstallationStatus`

### Major points to resolve

- **Timeline templates installation**: Since this PR stops using the
`/api/detection_engine/rules/prepackaged` endpoint in favour of the new
ones, we are not currently installing timeline templates. Serverside, we
will need a new endpoint to install them separately from rules? In the
UI, how would this still work: would they get installed in the
background now? Or maybe have a new button for it somewhere?
- **ML Jobs warning**: when updating rules, we currently have a wrapper
to add confirmation modal for users who may be running older ML Jobs
that would be overridden by updating their rules. This PR removes that
code, but we'll need to reintroduce it for the cases of: upgrading
single rules, upgrading a selection of rules, upgrading all rules.


### Deviations from design

This PR includes a reduced scope to the final workflow shown in the
Figma designs.

Most notably, in Milestone 2, to be released in 8.9, we did not build
the flyout that, in the Add Rules page, shows the rule details when the
user clicks on it, so the user can review it before installing. The same
is true in the Rule Updates table, which does not allow, for now,
reviewing the rules. In both cases, the user can only click in "Install
Rule" and "Upgrade Rule".

There are other differences in the UI, for technical reasons:
- Both for the Add Rules page and the Rule Updates table we decided to
use **EUI's InMemoryTable**. Since the endpoint that return the data to
populate both of these tables do not allow for sorting, filtering and
paging, we decided to use the InMemoryTable for both cases, as all of
those functions are handled out-of-the-box by the EUI component. The
relatively low number of items that populate these tables means that we
won't face significant performance issues. However, this meant a number
of deviations from the designs:
- Since filtering, sorting and pagination are handled by the table, the
contexts for these table do not includes any internal state relating to
these functions. This makes it hard to recreate the RuleUtilityBar for
each of these components or make the existing one reusable. We therefore
decided to leave the Utility Bar for the new two tables out of scope,
and deviate from the design by moving the button that the user can click
on o install or upgrade the selected rules to beside the "Install all"
or "Upgrade all" buttons. This button is shown only when at least one
rule of the table is selected.
- The **tags filter box** that comes out-of-the-box with the
InMemoryTable can only be positioned to the right of the search bar,
instead of the left like we have in our main **Installed Rules** table.
Also, clicking on the tabs adds the text to the search bar, and the box
does not allow for negative selection of tabs (exclusion).
- The search bar filters on keystroke rather than on Enter. This
behaviour can be changed, but it feels more useful than the other
behaviour for these new two tables.
- The search bar filters by searching the user's input in any of the
string properties of first order within the rule object. This means that
the search bar can be used to look up rules according to their name,
description, rule_id, etc (but not for example for MITRE techniques,
which are an object.) This behaviour, however, is also customisable.
- Neither the Add Rules table nor the Rule Updates tables display the
_Last updated_ column which is shown in the design. Since the original
intent of the designers is to show when the rule asset (`security-rule`)
was created or updated, this is information we don't currently have
within the SO. After discussion with @ksevasilyeva and @ARWNightingale,
we decided, for now, to remove the column. In the meantime,
@terrancedejesus [created an issue to include `createdAt` and
`updatedAt`
fields](elastic/detection-rules#2826) within
the rule assets, that we can use to display in the table in later
iterations.

#### Other remaining work:

- Introduce confirmation modals when the user clicks on the "Install
all" or "Upgrade all" modal.
- Unit testing for new hooks and components.
- Other component redesign: Rule Filter, Tag Filter 

#### How to test rule upgrade

1. Have at least one rule installed
2. Find its `rule_id` from the Network tab.
3. Make a request to `PATCH /api/detection_engine/rules` with the
`rule_id` in the payload, and also set the `version` to a number lower
than the current version.
4. Reload the page.
5. The `/upgrade/_review` endpoint will now return that rule as
available for upgrade.

### Videos

#### Rule Installation Workflow



https://github.com/elastic/kibana/assets/5354282/5a219625-beb1-48ee-a9fc-ff48b69eeae0

#### Rule Upgrade Workflow



https://github.com/elastic/kibana/assets/5354282/b5f3c23b-004a-462c-bbdd-ed04321f5ce7

### TODO

- [x] Align copy, use "update" instead of "upgrade"
- [ ] Persist user's choice when they dismiss the upgrade/install rules
callouts till the next package release (create a separate task for that)
- [ ] Unify table controls (search bar and tags), use the ones we have
on the rules management table
- [ ] After rule installation, adjust copy, and display that all
available rules have been installed. Add a "Go Back" CTA
- [ ] Add links from the available rules table to docs
- [ ] Rule severity sorting should take semantics into consideration

---------

Co-authored-by: Dmitrii <[email protected]>
Co-authored-by: Dmitrii Shevchenko <[email protected]>
Co-authored-by: Sergi Massaneda <[email protected]>
@banderror
Copy link
Contributor

Addressed by #158450

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.9 candidate Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules Feature:Rule Management Security Solution Detection Rule Management refactoring Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. technical debt Improvement of the software architecture and operational architecture v8.9.0
Projects
None yet
Development

No branches or pull requests

4 participants