[Security Solution] Create new Add Rules page #154615
Labels: 8.9 candidate, Feature:Prebuilt Detection Rules, Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution, v8.9.0
Comments
spong added the Team:Detections and Resp, Team: SecuritySolution, Feature:Rule Management, Team:Detection Rule Management, Feature:Prebuilt Detection Rules and v8.8.0 labels on Apr 6, 2023
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
banderror added the 8.8 candidate label and removed the Feature:Rule Management and v8.8.0 labels on Apr 17, 2023
xcrzx added a commit that referenced this issue on Jun 14, 2023:
…158450)

Addresses: #154614 #154615

Figma designs: https://www.figma.com/file/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?type=design&node-id=2935-577576&t=ziqgnlEJBpowqa7F-0

## Summary

- Removes the `prebuiltRulesNewUpgradeAndInstallationWorkflowsEnabled` feature flag. All new prebuilt endpoints are now available by default.
- Creates the UI for the new **rules installation** and **rules upgrade** workflows.
- Creates the new **Add Rules** page, which lists rules available for installation.
- Creates the new **Rule Updates** page, which lists rules which have available updates.
- Creates new, separate contexts for the **Add Rules** and the **Rule Updates** page, and the hooks to use them (`useAddPrebuiltRulesTableContext` and `useUpgradePrebuiltRulesTableContext` respectively).
- Creates prebuilt rule hooks, which consume the new endpoints:
  - `useFetchPrebuiltRulesStatusQuery` and `usePrebuiltRulesStatus` consume the `/internal/detection_engine/prebuilt_rules/status` endpoint and provide information about the number of rules available for installation, the number of installed rules, and the number of rules with available updates.
  - `useFetchPrebuiltRulesInstallReviewQuery` and `usePrebuiltRulesInstallReview` consume the `/internal/detection_engine/prebuilt_rules/installation/_review` endpoint and return the rules available for installation, which are listed in the **Add Rules** page.
  - `useFetchPrebuiltRulesUpgradeReviewQuery` and `usePrebuiltRulesUpgradeReview` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_review` endpoint and return the rules which have available updates, which are listed in the **Rule Updates** page.
  - `usePerformInstallAllRules`, `usePerformInstallSpecificRules`, and their respective mutation hooks `usePerformAllRulesInstallMutation` and `usePerformSpecificRulesInstallMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to install rules.
  - `usePerformUpgradeAllRules`, `usePerformUpgradeSpecificRules`, and their respective mutation hooks `usePerformAllRulesUpgradeMutation` and `usePerformSpecificRulesUpgradeMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to upgrade rules.

### Deprecated code

**Hooks:**

- `useCreatePrebuiltRulesMutation`
- `useInstallPrePackagedRules`
- `useCreatePrePackagedRules`
- `usePrePackagedRulesInstallationStatus`
- `usePrePackagedTimelinesInstallationStatus`

### Major points to resolve

- **Timeline templates installation**: Since this PR stops using the `/api/detection_engine/rules/prepackaged` endpoint in favour of the new ones, we are not currently installing timeline templates. Serverside, we will need a new endpoint to install them separately from rules? In the UI, how would this still work: would they get installed in the background now? Or maybe have a new button for it somewhere?
- **ML Jobs warning**: when updating rules, we currently have a wrapper to add a confirmation modal for users who may be running older ML Jobs that would be overridden by updating their rules. This PR removes that code, but we'll need to reintroduce it for the cases of: upgrading single rules, upgrading a selection of rules, upgrading all rules.

### Deviations from design

This PR includes a reduced scope compared to the final workflow shown in the Figma designs. Most notably, in Milestone 2, to be released in 8.9, we did not build the flyout that, in the Add Rules page, shows the rule details when the user clicks on it, so the user can review it before installing. The same is true in the Rule Updates table, which does not allow, for now, reviewing the rules. In both cases, the user can only click on "Install Rule" and "Upgrade Rule".

There are other differences in the UI, for technical reasons:

- Both for the Add Rules page and the Rule Updates table we decided to use **EUI's InMemoryTable**. Since the endpoints that return the data to populate both of these tables do not allow for sorting, filtering and paging, we decided to use the InMemoryTable for both cases, as all of those functions are handled out-of-the-box by the EUI component. The relatively low number of items that populate these tables means that we won't face significant performance issues. However, this meant a number of deviations from the designs:
  - Since filtering, sorting and pagination are handled by the table, the contexts for these tables do not include any internal state relating to these functions. This makes it hard to recreate the RuleUtilityBar for each of these components or make the existing one reusable. We therefore decided to leave the Utility Bar for the two new tables out of scope, and deviate from the design by moving the button that the user can click on to install or upgrade the selected rules to beside the "Install all" or "Upgrade all" buttons. This button is shown only when at least one rule of the table is selected.
  - The **tags filter box** that comes out-of-the-box with the InMemoryTable can only be positioned to the right of the search bar, instead of the left like we have in our main **Installed Rules** table. Also, clicking on the tags adds the text to the search bar, and the box does not allow for negative selection of tags (exclusion).
  - The search bar filters on keystroke rather than on Enter. This behaviour can be changed, but it feels more useful than the other behaviour for these two new tables.
  - The search bar filters by searching the user's input in any of the string properties of first order within the rule object. This means that the search bar can be used to look up rules according to their name, description, rule_id, etc. (but not, for example, for MITRE techniques, which are an object). This behaviour, however, is also customisable.
- Neither the Add Rules table nor the Rule Updates table displays the _Last updated_ column which is shown in the design. Since the original intent of the designers is to show when the rule asset (`security-rule`) was created or updated, this is information we don't currently have within the SO. After discussion with @ksevasilyeva and @ARWNightingale, we decided, for now, to remove the column. In the meantime, @terrancedejesus [created an issue to include `createdAt` and `updatedAt` fields](elastic/detection-rules#2826) within the rule assets, that we can use to display in the table in later iterations.

#### Other remaining work:

- Introduce confirmation modals when the user clicks on the "Install all" or "Upgrade all" modal.
- Unit testing for new hooks and components.
- Other component redesign: Rule Filter, Tag Filter

#### How to test rule upgrade

1. Have at least one rule installed.
2. Find its `rule_id` from the Network tab.
3. Make a request to `PATCH /api/detection_engine/rules` with the `rule_id` in the payload, and also set the `version` to a number lower than the current version.
4. Reload the page.
5. The `/upgrade/_review` endpoint will now return that rule as available for upgrade.

### Videos

#### Rule Installation Workflow

https://github.com/elastic/kibana/assets/5354282/5a219625-beb1-48ee-a9fc-ff48b69eeae0

#### Rule Upgrade Workflow

https://github.com/elastic/kibana/assets/5354282/b5f3c23b-004a-462c-bbdd-ed04321f5ce7

### TODO

- [x] Align copy, use "update" instead of "upgrade"
- [ ] Persist user's choice when they dismiss the upgrade/install rules callouts till the next package release (create a separate task for that)
- [ ] Unify table controls (search bar and tags), use the ones we have on the rules management table
- [ ] After rule installation, adjust copy, and display that all available rules have been installed. Add a "Go Back" CTA
- [ ] Add links from the available rules table to docs
- [ ] Rule severity sorting should take semantics into consideration

---------

Co-authored-by: Dmitrii <[email protected]>
Co-authored-by: Dmitrii Shevchenko <[email protected]>
Co-authored-by: Sergi Massaneda <[email protected]>
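The first-order string search and the semantics-aware severity sort that the commit message above discusses, as an added TypeScript example that is not Kibana's code or part of this PR; the rule type, function names and sample rules are assumed and constructed here:

```typescript
// Added example, not Kibana's own code; every name here is assumed. Models two
// behaviours from the PR description: InMemoryTable-style search that matches
// the query only against first-order string properties of the rule object, and
// a severity sort driven by severity semantics instead of alphabetical order.
type Severity = "low" | "medium" | "high" | "critical";

interface PrebuiltRule {
  rule_id: string;
  name: string;
  description: string;
  severity: Severity;
  version: number;
  // Nested MITRE ATT&CK mapping: an object, so plain search does not reach it.
  threat: { technique: { id: string; name: string } }[];
}

// Query matches when it occurs (case-insensitively) in any top-level string
// field: name, description, rule_id, severity... but not inside `threat`.
function matchesFirstOrderStrings(rule: PrebuiltRule, query: string): boolean {
  const q = query.trim().toLowerCase();
  if (q === "") return true;
  return Object.values(rule).some(
    (v) => typeof v === "string" && v.toLowerCase().includes(q)
  );
}

function searchRules(rules: PrebuiltRule[], query: string): string[] {
  return rules.filter((r) => matchesFirstOrderStrings(r, query)).map((r) => r.rule_id);
}

// Semantic rank: "critical" must outrank "high" although it sorts first alphabetically.
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

function sortBySeverity(rules: PrebuiltRule[], direction: "asc" | "desc" = "desc"): PrebuiltRule[] {
  const sign = direction === "desc" ? -1 : 1;
  return [...rules].sort((a, b) => sign * (SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]));
}

// Constructed sample rules for the demo (not real prebuilt rule content).
const SAMPLE_RULES: PrebuiltRule[] = [
  { rule_id: "r-0001", name: "Suspicious Scheduled Task Creation", description: "Detects a scheduled task created by an unusual parent process.", severity: "high", version: 3,
    threat: [{ technique: { id: "T1053", name: "Scheduled Task/Job" } }] },
  { rule_id: "r-0002", name: "Potential Credential Dumping", description: "Detects access to LSASS process memory.", severity: "critical", version: 5,
    threat: [{ technique: { id: "T1003", name: "OS Credential Dumping" } }] },
  { rule_id: "r-0003", name: "Unusual Linux Cron Entry", description: "Detects a new cron entry written from an interactive shell.", severity: "medium", version: 2,
    threat: [{ technique: { id: "T1053", name: "Scheduled Task/Job" } }] },
];

console.log(searchRules(SAMPLE_RULES, "T1053")); // []: nested technique id is not searched
console.log(sortBySeverity(SAMPLE_RULES).map((r) => r.severity)); // ["critical","high","medium"]
```

Searching for a MITRE technique id returns nothing because `threat` is an object, which is exactly the limitation the commit message notes; the alphabetical order would put "critical" before "high", which is why the TODO asks for semantic sorting.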
Addressed by #158450
Epic: https://github.com/elastic/security-team/issues/1974 (internal)

Summary

As detailed in the Figma designs and in the screenshot below, this is an implementation issue for creating the new Add Rules page.