[Security Solutions] Create a new User Details Flyout by machadoum · Pull Request #154310 · elastic/kibana

machadoum · 2023-04-04T08:04:52Z

issue: https://github.com/elastic/security-team/issues/6154

Summary

Main changes

Creates a new user details flyout displayed on the Alerts page and timeline.
Introduce a new experimental feature newUserDetailsFlyout (disabled by default)
Create managedUserDetails API which fetches data from the index created by the Azure integration.

Miscellaneous

Delete unused lastSeen and first_seen types.
Delete unused jobKeyproperty from anomaly score components
Rename userDetails API and hook to observedUserDetails.
Add filterQuery property to useFirstLastSeen .
- To use it inside the flyout, since the user flyout show data in the time range.
Create a simplified TestProvidersComponent for Storybook named StorybookProviders
- It should allow us to render more complex components that require access to the redux store, theme, and kibana context.
- Add experimentalFeatures property to queryFactory.buildDsl.

Out of scope:

The user can Snooze or Dismiss this prompt.
Displaying integration errors inside the flyout
User page

Storybook

Please check the "💚 Build Succeeded" message

How to test it

You need a kibana instance with user data and alerts
Enable the experimental feature newUserDetailsFlyout
Go to the alerts page or timeline
Open the user flyout

How to install the new Azure integration

The integration is under development, so you have to follow a series of steps:

Install docker desktop for Mac (only for macOS)
Install elastic-package https://github.com/elastic/elastic-package
Add elastic-package to $PATH
Download the integration source code from GitHub branch https://github.com/taylor-swanson/integrations/tree/entityanalytics_azure
Start the local K8 cluster elastic-package stack up -vd --version 8.8.0-SNAPSHOT
Enter the integration folder cd packages/entityanalytics_azure/
Build the integration elastic-package build
Update the registry with the new integration build elastic-package stack up -vd --services package-registry
Open kibana integrations

Find entity analytics Azure integration (you need to check the 'display beta integrations' box)

Configured the integration with Azure tenant id, application id, and secret (ask @machadoum)
Configured the integration with login URL, Login scopes, and API URL (ask @machadoum)

Checklist

Delete any items that are not applicable to this PR.

Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
Unit or functional tests were updated or added to match the most common scenarios
Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
[x] This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
This was checked for cross-browser compatibility

x-pack/plugins/security_solution/public/explore/components/stat_items/use_kpi_matrix_status.ts

...strategy/security_solution/factory/users/observed_details/query.observed_user_details.dsl.ts

elasticmachine · 2023-04-11T11:22:15Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine · 2023-04-11T11:22:17Z

Pinging @elastic/security-solution (Team: SecuritySolution)

angorayc · 2023-04-12T12:49:03Z

Desk tested with
entityanalytics_azure.zip

Move the file to security_solution_cypress/es_archives
In security_solution folder
node ../../../scripts/es_archiver load ../../test/security_solution_cypress/es_archives/entityanalytics_azure --config ../../test/functional/config.base.js --es-url=http://username:password@localhost:9200 --kibana-url=http://username:password@localhost:5601

...ugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks.test.ts

...ck/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks.ts

x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/types.ts

...ty_solution/server/search_strategy/security_solution/factory/users/observed_details/index.ts

x-pack/plugins/security_solution/server/search_strategy/security_solution/index.ts

angorayc

Awesome work Pablo, thanks for adding this feature!

logeekal

LGTM mostly. Commented some comments/queries?

...lution/server/search_strategy/security_solution/factory/users/managed_details/index.test.tsx

...ategy/security_solution/factory/users/managed_details/query.managed_user_details.dsl.test.ts

...ty_solution/server/search_strategy/security_solution/factory/users/observed_details/index.ts

...ns/security_solution/common/search_strategy/security_solution/users/managed_details/index.ts

logeekal · 2023-04-17T07:59:55Z

x-pack/plugins/security_solution/public/common/mock/storybook_providers.tsx

👍 . @PhilippeOberti , I guess you might have already implemented this in your own flyout PR. In case not, this might help you.

x-pack/plugins/security_solution/public/timelines/components/side_panel/index.tsx

logeekal · 2023-04-17T08:09:58Z

...ck/plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks.ts

nit: Might make sense to extract it out to a separate config.

Do you mean placing it in a constants.ts file?

yes something like that. The reason I said it because labels and fields are hard coded and the array is quite big for both userData and managedUserDetails. You will have to pass userData/ managedUserDetails to get the complete object.

I don't have strong opinion about it.. you can decide. But at a later stage if more fields are added, I would prefer that /plugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks.ts is not changed at all.

...ugins/security_solution/public/timelines/components/side_panel/new_user_detail/hooks.test.ts

logeekal · 2023-04-17T08:20:13Z

...gins/security_solution/public/timelines/components/side_panel/new_user_detail/mocks/index.ts

should this file be under __mocks__ directory or was it intentional?

I just noticed that sometimes the mock folder is called mocks and other times __mocks__. I will rename it to __mock__ because it is used more often.

@logeekal Do you know what the difference is?

so from __mocks__ folder jest automatically picks up the mocks. It is a good way to create typesafe mocks. Here is the documentation: https://jestjs.io/docs/manual-mocks#mocking-user-modules.

But mocks can be used to mock one module in one file. Advantage is that you do not need to separately import mocks. It is automatically used.

I didn't know that. It is very convenient. I will use it frequently. Thanks!

…fix'

machadoum · 2023-04-18T13:38:09Z

@elasticmachine merge upstream

kibana-ci · 2023-04-18T15:01:44Z

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
`securitySolution`	3817	3826	+9

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
`securitySolution`	15.9MB	16.0MB	+65.4KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
`securitySolution`	58.2KB	58.3KB	+24.0B

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
`securitySolution`	432	435	+3

Total ESLint disabled count

id	before	after	diff
`securitySolution`	512	515	+3

History

💔 Build #120624 failed 07049ac
💔 Build #120283 failed 3414cd75e91d2c8f7ce5008d6f003c72cb422c01
💚 Build #119771 succeeded 3c10e60b9efc5c54366265e0796bd6e285d5eb8a
💔 Build #119714 failed ec5d798dfc02c96c7bac63704ab0269539b4f220
💚 Build #119025 succeeded 66ce13ec380b7a5fa6999123534acff991017b64

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @machadoum

…ng in a flyout (#155814) With #154310 a global decorator was added which caused all `security_solution` stories to be rendered in a flyout. This PR changes the decorator to be local instead so the `UserDetailsContentComponent` still renders in a flyout as expected, but all other components are still within the main canvas. ### Before <p align="center"> <img width="400" src="https://user-images.githubusercontent.com/2946766/234429269-46cf527d-f7f2-4229-9ca1-ae227ce8e1b6.png" /> <img width="400" alt="image" src="https://user-images.githubusercontent.com/2946766/234429444-f38229ef-1113-4416-9bb4-233cc058ee44.png"> </p> ### After <p align="center"> <img width="400" src="https://user-images.githubusercontent.com/2946766/234429580-82c99bb1-9064-4fc3-8b16-446fc418729d.png" /> <img width="400" alt="image" src="https://user-images.githubusercontent.com/2946766/234429444-f38229ef-1113-4416-9bb4-233cc058ee44.png"> </p>

machadoum added Feature:Entity Analytics Security Solution Entity Analytics features Feature:Users Security Solution Users feature labels Apr 4, 2023

machadoum force-pushed the siem-explore-6154 branch 2 times, most recently from 1c4f619 to ad33d0f Compare April 5, 2023 11:56

machadoum self-assigned this Apr 5, 2023

machadoum added Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore release_note:skip Skip the PR/issue when compiling release notes labels Apr 5, 2023

machadoum force-pushed the siem-explore-6154 branch 3 times, most recently from 92dc72e to 7a90532 Compare April 11, 2023 07:46

machadoum commented Apr 11, 2023

View reviewed changes

x-pack/plugins/security_solution/public/explore/components/stat_items/use_kpi_matrix_status.ts Outdated Show resolved Hide resolved

machadoum commented Apr 11, 2023

View reviewed changes

...strategy/security_solution/factory/users/observed_details/query.observed_user_details.dsl.ts Outdated Show resolved Hide resolved

machadoum force-pushed the siem-explore-6154 branch 3 times, most recently from b810197 to ab23557 Compare April 11, 2023 10:57

machadoum marked this pull request as ready for review April 11, 2023 11:22

machadoum requested review from a team as code owners April 11, 2023 11:22

machadoum changed the title ~~Siem explore 6154~~ [Security Solutions] Create a new User Details Flyout Apr 11, 2023

machadoum force-pushed the siem-explore-6154 branch from 47b38d2 to fdd6107 Compare April 11, 2023 13:44