[Security Solution][Endpoint] Show consistent Endpoint Agent Status across security solution #154961
…omponents/endpoint/`
…mponent (delete prior component)
…reated HostInfoInterface (not immutable)
…ew-response-actions-to-pending-actions
| hostInfo: endpointData, | ||
| endpointPolicy: endpointData.metadata.Endpoint.policy.applied.name, | ||
| policyStatus: endpointData.metadata.Endpoint.policy.applied.status, | ||
| sensorVersion: endpointData.metadata.agent.version, |
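Review bot: `endpointPolicy`, `policyStatus` and `sensorVersion` each dereference a deep chain (`endpointData.metadata.Endpoint.policy.applied.name` and its siblings) with no guard in the visible lines, so a host document that lacks `Endpoint.policy.applied` or `agent` would throw while this response is being built. Since `hostInfo: endpointData` already carries the same object, consider having consumers read these values from `hostInfo` and dropping the three derived fields, or guard the chain here with optional chaining.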
If we put everything into the hostInfo entry, why do we need to have the other 3? Looks like we send redundant data.
@semd - True. I was waiting for a response from the 'security-threat-hunting' on whether we needed to maintain backwards compatibility in this API. Looks like Pablo replied today and based on his response, I plan to remove the extra data here in a subsequent PR (don't want to increase the scope of this one)
…ew-response-actions-to-pending-actions
machadoum left a comment
The threat-hunting-explore team code looks good to me.
| metadata: HostMetadata; | ||
| // Host Information as return by the Host Details API. | ||
| // NOTE: `HostInfo` type is the original and defined as Immutable. If needing to | ||
| // work with data that is not mutable, use `HostInfo` instead |
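Review bot: the NOTE in the last two comment lines names `HostInfo` both as the immutable original and as the alternative to use, and "data that is not mutable" reads as the opposite of what is meant. The commit list on this page mentions a `HostInfoInterface (not immutable)`; if that is the intended alternative, name it here, for example "If needing to work with data that is mutable, use `HostInfoInterface` instead", and change "as return by" to "as returned by" in the line above.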
This message is confusing. It sounds like you are telling me to use HostInfo instead of HostInfo. 🤔
yeah, this does not sound like a clear message. I'll change it in my next PR or this one if I end up making another change.
Thanks for the feedback.
ashokaditya left a comment
I've looked at the code changes partially. Will give it another go a bit later. I tested it out locally with emulator data and I'm seeing some inconsistency with the isolated badge when isolated. It says isolating... and then shows nothing sometimes and switches to isolated. Also, when released it shows isolated even after it is released. Here are a few clips I managed to record while testing locally.
Not sure if you saw it too.
badge doesn't show up until flyout is closed.

doesn't show isolated badge after isolating (goes into a "release"d UI without a badge and then shows isolated)
(have to see the clip a little further after the actions fail)

| >({ | ||
| isolate: 'isolate', | ||
| unisolate: 'release', | ||
| execute: 'execute', | ||
| 'get-file': 'get-file', | ||
| 'running-processes': 'processes', | ||
| 'kill-process': 'kill-process', | ||
| 'suspend-process': 'suspend-process', | ||
| }); |
You can also use lodash zipObject here e.g. Object.freeze(zipObject(RESPONSE_ACTION_API_COMMANDS_NAMES, CONSOLE_RESPONSE_ACTION_COMMANDS)). We'd need to ensure that the values in those two consts (RESPONSE_ACTION_API_COMMANDS_NAMES and CONSOLE_RESPONSE_ACTION_COMMANDS) are in the same order if you decide to use zipObject. Perhaps with comments.
Had not known about that lodash function. I kind of prefer this here only because it's clearer what the values are and I don't have to worry about the ordering of items in the arrays.
|
|
||
| export type HostInfo = Immutable<{ | ||
| metadata: HostMetadata; | ||
| // Host Information as return by the Host Details API. |
| return merge(hostMetadataDoc, overrides); | ||
| } | ||
|
|
||
| /** Generates the complete `HostInfo` as return by a call to the Endpoint host details api */ |
| EuiTextColor, | ||
| EuiToolTip, | ||
| } from '@elastic/eui'; | ||
| import styled from 'styled-components'; |
Don't have to change but eui also exports a euiStyled that you can use.
import { euiStyled } from '@kbn/kibana-react-plugin/common'; Then you can use it the same way as we use styled
euiStyled(EuiFlexGroup) or euiStyled.div etc.
| import { getAgentStatusText } from '../agent_status_text'; | ||
|
|
||
| const TOOLTIP_CONTENT_STYLES: React.CSSProperties = Object.freeze({ width: 150 }); | ||
| const AUTO_REFRESH_INTERVAL = 10000; |
This is same as the DEFAULT_POLL_INTERVAL. No?
Good point. I think that's a common const so I will use that instead
| * If set to `true` (Default), then the endpoint isolation state and response actions count | ||
| * will be kept up to date by querying the API periodically | ||
| */ | ||
| autoFresh?: boolean; |
Maybe name this `autoRefresh` instead for naming consistency
ahhh. Crap. Yeah, I meant to rename that and forgot. Will do it
…ew-response-actions-to-pending-actions
Thanks for the reviews. Re:
This is a known problem. The list currently only refreshes the data when the details flyout is closed. I think we might have an issue tracking this. re:
And
I will take a closer look at these, but I'm guessing they are due to how the component is being used from the endpoint list/details. The I'm also wondering if what you highlighted here also exists prior to my changes 🤔

@ashokaditya, I'm going to see if I can still address this today, but if not, then I can put up a separate PR to only add the
…ew-response-actions-to-pending-actions
Ok. I made some changes that I think will mitigate the issues you were seeing on the Endpoint list/details (FYI: can't wait until we rip out Redux stuff out this area of the code). There are still issues with refreshing the list data while the flyout is opened, but at least now the refreshed data (including the pending actions) are passed directly to the Also - FYI: the emulator seems to have some issues with sending the metadata update after an isolate/release response action. I'm not sure what the issue is (maybe timestamps and transform dropping the document?), but I tested with a real endpoint and it seems ok.
💚 Build Succeeded
I tested it out a couple more times. I am kind of seeing similar behavior on the endpoint list as I'm seeing on the main branch. There are still sometimes when I see the Isolating badge disappearing for a couple of seconds before Isolated badge shows up.
I'm not seeing the pending actions badge on the Hosts page on auto-refresh.
We talked offline. The changes look alright on the PR
| * If set to `true` (Default), then the endpoint status and isolation/action counts will | ||
| * be kept up to date by querying the API periodically | ||
| */ | ||
| autoFresh?: boolean; |
Maybe you missed this one. We can also change in a new PR.
…se and remove redundant endpoint data (#156709) ## Summary - Removes several pieces of data from the Host Details search strategy response that is now available via the `hostInfo` property of the data returned. This PR is a follow up from #154961 (comment)
related to changes in elastic/pull/154961 where `endpointDetails.hostInfo` was added


Summary
PR refactors the display of the Endpoint Host Agent status across the multiple places in Security solution so that it uses 1 common component. The Status of an Endpoint Host also displays the isolation state of the endpoint along with any other Actions that might be pending against it.
The refactor also addresses a prior issue where newly added response actions were not accounted for when the component displays (on hover in a popover) the itemized count of pending response actions against the host. The new implementation will display the summary of all pending actions going forward as they are added without having to remember to update the Component.
The Endpoint host agent pending actions display was also adjusted to ensure that isolation state is primarily shown when there are multiple pending actions, so that it's always visible to the user the state of isolation (see GIF below)
As a result of the refactor, several redundant components were deleted.
Pages that display Endpoint Host Agent status, and thus impacted by these changes, are:
Screen capture:
Different condition for displaying isolation state:
Endpoint List:
Endpoint Details:
Alert Details:
Host overview:
Timeline:

Case:
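The behaviour the summary describes (isolation state always shown first, every pending action itemized even when its type is new) sketched as an added example; it is not code from this PR. The helper names, the shape of the `pending` count map and the badge strings are assumptions; only the command map repeats entries quoted in the review above.

```javascript
// Added example: hypothetical helpers, not code from the PR.
// The map mirrors the API-name -> console-name entries quoted in the review.
const API_TO_CONSOLE_COMMAND = Object.freeze({
  isolate: 'isolate',
  unisolate: 'release',
  execute: 'execute',
  'get-file': 'get-file',
  'running-processes': 'processes',
  'kill-process': 'kill-process',
  'suspend-process': 'suspend-process',
});

// Label for one API command. Unknown (newer) commands keep their API name,
// so they are still itemized without anyone having to update this code.
// hasOwnProperty avoids resolving names such as "constructor" via the prototype.
function commandLabel(apiName) {
  return Object.prototype.hasOwnProperty.call(API_TO_CONSOLE_COMMAND, apiName)
    ? API_TO_CONSOLE_COMMAND[apiName]
    : apiName;
}

// isIsolated: isolation state reported in the host metadata.
// pending: { [apiCommandName]: count } for one agent (assumed shape).
function summarizeAgentStatus(isIsolated, pending) {
  const items = Object.entries(pending)
    .filter(([, count]) => Number.isInteger(count) && count > 0)
    .map(([name, count]) => ({ label: commandLabel(name), count }))
    .sort((a, b) => a.label.localeCompare(b.label));
  const total = items.reduce((sum, item) => sum + item.count, 0);
  const isolating = (pending.isolate || 0) > 0;
  const releasing = (pending.unisolate || 0) > 0;

  // Isolation always wins the badge; other actions only appear in the itemized list.
  let badge = null;
  if (isolating && !releasing) badge = 'Isolating';
  else if (releasing && !isolating) badge = 'Releasing';
  else if (isIsolated) badge = 'Isolated';
  else if (total > 0) badge = `${total} action${total === 1 ? '' : 's'} pending`;

  return { badge, total, items };
}
```

When an isolate and a release are pending at the same time, this sketch falls back to the last reported isolation state rather than guessing which action completes first.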