[Security team: AWP] [Session view] Add alert fly out callback

[zizhouW]

Issue: https://github.com/elastic/security-team/issues/3266

• Add callback in session view for security solution plugin to trigger an alert flyout
• Add callback in session view for updating alert status on flyout close

TODO: Add tests for alert_status_route and use AlertsClient after #127500 is merged

[zizhouW]

duplicate of https://github.com/elastic/kibana/pull/127500/files#diff-3f0eab56b857974f26a9eb0b3987c0c099c5b8b6506f19c766c9e56273eef26d

[opauloh]

since getAlerts() comes from ProcessImpl, what about adding an update function to ProcessImpl? i.e process.setAlerts(), to make more explicit the intention of changing alerts in the process

then also, could change to a more functional approach using map transforms:

i.e:

process.setAlerts(updateAlertEventStatus(process.getAlerts(), updatedAlertsStatus))

// updateAlertEventStatus

export const updateAlertEventStatus = (
  events: ProcessEvent[],
  updatedAlertsStatus: UpdateAlertStatus
) => (
events.map((event) => ({
    ...event, kibana: { ...event.kibana, alert: {
        ...event.kibana.alert,
        workflow_status : updatedAlertsStatus[event.kibana.alert.uuid].status
   }}
)})

[zizhouW]

The alerts currently are placed together with events in process.events. It's probably a good idea to separate them to process.events and process.alerts. It seems to relate to some changes made in #127500 in efforts to separate fetching events and alerts. Should we make the optimization in a separate PR?

cc: @mitodrummer

[mitodrummer]

Yea, separate PR seems best. Maybe after i merge the alerts tab stuff.

[opauloh]

yeah another PR sounds nice to me too

[opauloh]

this type seems too generic and doesn't seem to tell much about it, can it be improved somehow?

[mitodrummer]

We may want to update this to use the AlertsClient once I've merged my alerts tab work. It handles authorized indexes and other rbac type stuff.

[zizhouW]

Sounds good, I can do it in a separate PR since the flyout callback is also needed in your PR. I will get this one merged in first

[mitodrummer]

LGTM!

[opauloh]

lgtm

[michaelolo24]

This is okay I think since we know the data, but using lodash clone might be safer long term and potentially faster? Not sure though...

[michaelolo24]

With Kibana, I would never assume you'll actually get the data so I would do updatedAlertStatus[event.kibana?.alert?.uuid]

[zizhouW]

Thanks for letting me know! There are other places in session_view that will require similar fixes. I will fix this one here and create a tech debt ticket to address the rest separately.

[michaelolo24]

Great, thanks!

[michaelolo24]

👍🏾

[michaelolo24]

Suggested change

	processEntityId: events[0].process.entity_id,
	processEntityId: events[0]?.process?.entity_id,

[michaelolo24]

It should always be there, but best to err on the side of caution

[zizhouW]

@elasticmachine merge upstream

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: bc09de9
• Storybooks Preview
• Webpack Bundle Analyzer

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
sessionView	37.1KB	39.1KB	+2.0KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
sessionView	61.1KB	61.0KB	-73.0B

History

• 💔 Build #32701 failed 07e5811
• 💚 Build #32277 succeeded a61c73e
• 💔 Build #31953 failed 8a5c745
• 💛 Build #31525 was flaky 57f24b2

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[michaelolo24]

Can do in a follow up PR, but in the future event.kibana may have other sub-properties, so may be best to use event?.kibana?.alert to be explicit

[zizhouW]

Thanks Michael, will update in my follow up PR!

[michaelolo24]

Thanks for doing this work! LGTM 🚀