[Security Solution][Detection Alerts] Alert tagging#157786
Merged
dplumlee merged 36 commits intoelastic:mainfrom Jun 21, 2023
Merged
[Security Solution][Detection Alerts] Alert tagging#157786dplumlee merged 36 commits intoelastic:mainfrom
dplumlee merged 36 commits intoelastic:mainfrom
Conversation
dplumlee
added
Team:Detections and Resp
dplumlee
force-pushed
the
security-alert-tags
branch
from
d514119 to
3ad0adf
Compare
yctercero
reviewed
May 17, 2023
yctercero
reviewed
May 22, 2023
|
|
||
| export type Privilege = t.TypeOf<typeof privilege>; | ||
|
|
||
| export const alert_tags = t.type({ |
Contributor
There was a problem hiding this comment.
What do you think of following the rules bulk edit tags schema? It may make it easier to expand the feature by following a more reusable pattern like:
const BulkActionEditPayloadTags = t.type({
type: t.union([
t.literal(BulkActionEditType.add_tags),
t.literal(BulkActionEditType.delete_tags),
t.literal(BulkActionEditType.set_tags),
]),
value: RuleTagArray,
});
That way if we decide theres a new action type we want to introduce for tags, the schema updates are minimal.
Contributor
Author
There was a problem hiding this comment.
I'd be open to more discussion on this pertaining to more reusable patterns and expandability, it's definitely a bit unusual, but the main reason we created it like this in the first place was because we have the intermediate state in the bulk actions tags dropdown, so we couldn't just handle setting all queried alerts to the same tags array. With the two different buckets of add and remove we can cover each of the possible use cases for each specific alert with one api call.
|
|
||
| const { setAlertTags } = useSetAlertTags(); | ||
| const initalTagsState = useMemo(() => { | ||
| const existingTags = alertIds.map( |
Contributor
There was a problem hiding this comment.
Nit: can we extract this into a helper or util we can unit test?
Also, would using a set here simplify the number of iterations through the tags?
.../plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_tags.tsx
Outdated
Show resolved
Hide resolved
.../plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_tags.tsx
Outdated
Show resolved
Hide resolved
| } else if (changedOption.checked === 'on') { | ||
| tagsToAdd[changedOption.label] = true; | ||
| delete tagsToRemove[changedOption.label]; | ||
| } else if (!changedOption.checked) { |
Contributor
There was a problem hiding this comment.
Here are you checking if the checked property exists or if it's null or undefined?
.../plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_tags.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/routes/signals/helpers.ts
Outdated
Show resolved
Hide resolved
pgayvallet
approved these changes
Jun 20, 2023
| try { | ||
| setIsLoading(true); | ||
| setTableLoading(true); | ||
| const response = await http.fetch<estypes.UpdateByQueryResponse>( |
Contributor
There was a problem hiding this comment.
why not react-query?
x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/index.tsx
Outdated
Show resolved
Hide resolved
Contributor
kqualters-elastic
left a comment
kqualters-elastic
left a comment
There was a problem hiding this comment.
new warning when I apply a tag:
Warning: Can't perform a React state update on an unmounted component. This is a no-op, but it indicates a memory leak in your application. To fix, cancel all subscriptions and asynchronous tasks in a useEffect cleanup function.
at BulkAlertTagsPanelComponent (http://localhost:5601/9007199254740991/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_register_alerts_table_configuration.js:107579:3)
at div
at EuiResizeObserver (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:128128:81)
at div
at EuiContextMenuPanel (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:84005:81)
at div
at EuiContextMenu (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:83483:81)
at div
at EuiMutationObserver (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:127891:81)
at div
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:166047:73
at EuiPanel (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:131939:23)
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:166047:73
at EuiPopoverPanel (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:133242:23)
at div
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:366533:59
at FocusLockUI (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:362836:71)
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:363739:60
at EuiFocusTrap (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:105315:81)
at EuiPortal (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:133710:81)
at div
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:166047:73
at EuiPopover (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:132478:81)
at div
at forwardRef (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:423669:12)
at div
at AlertContextMenuComponent (http://localhost:5601/9007199254740991/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_register_alerts_table_configuration.js:142978:3)
at ConnectFunction (http://localhost:5601/9007199254740991/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.3.js:422:41)
at div
at forwardRef (http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:423669:12)
at ActionsComponent (http://localhost:5601/9007199254740991/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_register_alerts_table_configuration.js:95250:3)
at RowActionComponent (http://localhost:5601/9007199254740991/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_register_alerts_table_configuration.js:85295:3)
at div
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:166047:73
at http://localhost:5601/9007199254740991/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js:104071:23
at rowCellRender (http://localhost:5601/9007199254740991/bundles/plugin/triggersActionsUi/1.0.0/triggersActionsUi.chunk.24.js:1030:13)
kqualters-elastic
approved these changes
Jun 20, 2023
Contributor
kqualters-elastic
left a comment
kqualters-elastic
left a comment
There was a problem hiding this comment.
agree with needing additional unit tests, also should fix the warning(s) that appear, but overall feature works alright locally and any bugs/missing tests/warning fixes can be fixed post FF 👍
stephmilovic
approved these changes
Jun 20, 2023
Contributor
stephmilovic
left a comment
stephmilovic
left a comment
There was a problem hiding this comment.
Agree with @kqualters-elastic about the console warnings, that likely means we didn't catch the state updates on something dismounted. I strongly suggest updating the query to be managed either by useFetch or react-query to reduce risk of bad state updates. I added a comment to your unit test PR to address the console warnings as well. Thank you for the changes!
LGTM, please ping me directly for the follow up PR.
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @dplumlee |
1 task
PhilippeOberti
added a commit
that referenced
this pull request
Apr 28, 2025
…tack discovery and Cases pages in AI4DSOC (#219410) ## Summary This PR fixes an issue with the `apply alert tags` functionality. This [setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx) hook introduced in [this PR](#157786) was making use of a `useRef` and a `useCallback` which lead to the table having a `null` reference when it was expecting a `function`. This meant that for parent table components that were written efficiently (meaning that do not render too many times), the set alert tags bulk actions was just plain not working. As can be seen in the following video: https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34 And this is with the fix in this PR https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc The PR also makes 2 very small adjustments to the AI4DSOC alerts table in the Cases and Attack discovery pages, to make sure that the table refreshes after applying alert tags. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
1 task
PhilippeOberti
added a commit
that referenced
this pull request
May 1, 2025
…ssignees (#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](#170579), and I believe the code was using the similar logic of [the alert tag PR](#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
…tack discovery and Cases pages in AI4DSOC (elastic#219410) ## Summary This PR fixes an issue with the `apply alert tags` functionality. This [setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx) hook introduced in [this PR](elastic#157786) was making use of a `useRef` and a `useCallback` which lead to the table having a `null` reference when it was expecting a `function`. This meant that for parent table components that were written efficiently (meaning that do not render too many times), the set alert tags bulk actions was just plain not working. As can be seen in the following video: https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34 And this is with the fix in this PR https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc The PR also makes 2 very small adjustments to the AI4DSOC alerts table in the Cases and Attack discovery pages, to make sure that the table refreshes after applying alert tags. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
…ssignees (elastic#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](elastic#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](elastic#170579), and I believe the code was using the similar logic of [the alert tag PR](elastic#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
May 30, 2025
…tack discovery and Cases pages in AI4DSOC (elastic#219410) ## Summary This PR fixes an issue with the `apply alert tags` functionality. This [setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx) hook introduced in [this PR](elastic#157786) was making use of a `useRef` and a `useCallback` which lead to the table having a `null` reference when it was expecting a `function`. This meant that for parent table components that were written efficiently (meaning that do not render too many times), the set alert tags bulk actions was just plain not working. As can be seen in the following video: https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34 And this is with the fix in this PR https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc The PR also makes 2 very small adjustments to the AI4DSOC alerts table in the Cases and Attack discovery pages, to make sure that the table refreshes after applying alert tags. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 6f4d780)
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
May 30, 2025
…ssignees (elastic#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](elastic#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](elastic#170579), and I believe the code was using the similar logic of [the alert tag PR](elastic#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 254477e)
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
May 30, 2025
…tack discovery and Cases pages in AI4DSOC (elastic#219410) ## Summary This PR fixes an issue with the `apply alert tags` functionality. This [setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx) hook introduced in [this PR](elastic#157786) was making use of a `useRef` and a `useCallback` which lead to the table having a `null` reference when it was expecting a `function`. This meant that for parent table components that were written efficiently (meaning that do not render too many times), the set alert tags bulk actions was just plain not working. As can be seen in the following video: https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34 And this is with the fix in this PR https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc The PR also makes 2 very small adjustments to the AI4DSOC alerts table in the Cases and Attack discovery pages, to make sure that the table refreshes after applying alert tags. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 6f4d780)
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Jun 3, 2025
…ssignees (elastic#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](elastic#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](elastic#170579), and I believe the code was using the similar logic of [the alert tag PR](elastic#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
Jun 4, 2025
…tack discovery and Cases pages in AI4DSOC (elastic#219410) ## Summary This PR fixes an issue with the `apply alert tags` functionality. This [setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx) hook introduced in [this PR](elastic#157786) was making use of a `useRef` and a `useCallback` which lead to the table having a `null` reference when it was expecting a `function`. This meant that for parent table components that were written efficiently (meaning that do not render too many times), the set alert tags bulk actions was just plain not working. As can be seen in the following video: https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34 And this is with the fix in this PR https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc The PR also makes 2 very small adjustments to the AI4DSOC alerts table in the Cases and Attack discovery pages, to make sure that the table refreshes after applying alert tags. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 6f4d780)
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
Jun 4, 2025
…ssignees (elastic#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](elastic#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](elastic#170579), and I believe the code was using the similar logic of [the alert tag PR](elastic#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 254477e)
PhilippeOberti
added a commit
to PhilippeOberti/kibana
that referenced
this pull request
Jun 4, 2025
…ssignees (elastic#219460) ## Summary This PR implements a similar change that was just merged a few hours ago. While [that change](elastic#219410) was made to the alert tags not always working on the alerts table, this current change is applied to the alert assignees that faced a potential similar issue. The alert assignee code was introduced in [this PR](elastic#170579), and I believe the code was using the similar logic of [the alert tag PR](elastic#157786). The issue is related to the fact that we have a `useRef` for a function that is returned before the `useEffect` in the same hook runs, and setting the value of the function returned is happening within that `useEffect`. This has not caused any issues because the few places where this code is being used (the alerts page alerts table) is extremely not efficient and renders multiple times. This gives enough tries to the hook to actually get a value and return the correct function. This PR fixes that by returning the function directly. Here's a video showing that the functionality still works correctly for bulk actions: https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea And also for normal row actions: https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit 254477e)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
15 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Epic (internal): https://github.com/elastic/security-team/issues/3273
Adds tagging feature to alerts generated by security solution detection rules. Users will now be able to tag individual alerts via a dropdown on the alerts page or via the take action menu in the alert details flyout. They will also be able to bulk manage tags within the bulk actions menu on the alerts table. Tag options are generated from a field in the advanced settings and will be defaulted to 3 options (Duplicate, False positive, Further investigation required).
From a code standpoint, alert tags will live in a new field:
kibana.alert.workflow_tagsin order to avoid merging with copied source event tags in existing schema fieldsScreenshots
From alert context menu
From bulk actions
Checklist
Delete any items that are not applicable to this PR.
For maintainers