Skip to content

[SecuritySolution] Create PrivMon index import flow#224822

Merged
machadoum merged 12 commits intoelastic:mainfrom
machadoum:siem-ea-12533-index-upload-ui
Jun 24, 2025
Merged

[SecuritySolution] Create PrivMon index import flow#224822
machadoum merged 12 commits intoelastic:mainfrom
machadoum:siem-ea-12533-index-upload-ui

Conversation

@machadoum
Copy link
Member

@machadoum machadoum commented Jun 23, 2025
edited
Loading

Depends on #221610

This PR adds the import index workflow to privileged user monitoring and API changes required to support it.

API Enhancements

  • New API for privilege monitoring index creation: Added a new API endpoint (PUT /api/entity_analytics/monitoring/privileges/indices) to create indices for privilege monitoring with support for standard and lookup modes. This includes the implementation of request and response schemas (create_indidex.gen.ts, create_indidex.schema.yaml). [1] [2]
  • Updated privilege monitoring health response: Modified the health response schema to include a status field and an optional error object for detailed error handling (privilege_monitoring/health.gen.ts, privilege_monitoring/health.schema.yaml). [1] [2]

Frontend Integration

  • **Introduce the create index modal that opens when the create index button is clicked.
  • Onboarding modal improvements: Updated the AddDataSourcePanel component to handle index creation more robustly by passing callbacks to the modal (add_data_source.tsx).
  • Error handling in UI: Enhanced the PrivilegedUserMonitoring component to display error callouts when privilege monitoring data fails to load (privileged_user_monitoring/index.tsx). [1] [2]

How to test it?

  • Go to the priv mon page with an empty cluster
  • Click on the data source by the index button
  • Search for available indices, it should return indices with user.name.keyword fields
  • Click 'create index' and create a new index
  • Choose the created index and click 'Add privileged users'
  • You should be redirected to the dashboard (The API is currently not working)

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

@machadoum machadoum force-pushed the siem-ea-12533-index-upload-ui branch from fc97791 to 2e66488 Compare June 23, 2025 10:10
@machadoum machadoum force-pushed the siem-ea-12533-index-upload-ui branch from c271a47 to d7080df Compare June 23, 2025 11:55
@machadoum machadoum self-assigned this Jun 23, 2025
@machadoum machadoum marked this pull request as ready for review June 23, 2025 12:26
@machadoum machadoum requested review from a team as code owners June 23, 2025 12:26
@machadoum machadoum requested a review from CAWilson94 June 23, 2025 12:26
@machadoum machadoum added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: entity_analytics Feature:Entity Analytics Security Solution Entity Analytics features labels Jun 23, 2025
@elasticmachine
Copy link
Contributor

elasticmachine commented Jun 23, 2025

Pinging @elastic/security-solution (Team: SecuritySolution)

machadoum
machadoum commented Jun 23, 2025
View reviewed changes
...olution/server/lib/entity_analytics/privilege_monitoring/privilege_monitoring_data_client.ts
index: [query ? `*${query}*` : '*', ...PRE_EXCLUDE_INDICES],
types: ['keyword'],
fields: ['user.name'], // search for indices with field 'user.name' of type 'keyword'
fields: ['user.name.keyword'], // search for indices with field 'user.name.keyword' of type 'keyword'
Copy link
Member Author

@machadoum machadoum Jun 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The engine requires user.name.keyword to work.

tiansivive
tiansivive approved these changes Jun 23, 2025
View reviewed changes
Copy link
Contributor

@tiansivive tiansivive left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

didnt pay much attention to code but desk tested and look good!
Many thanks Pablo!
🚀

@machadoum machadoum requested review from a team as code owners June 24, 2025 06:31
florent-leborgne
florent-leborgne approved these changes Jun 24, 2025
View reviewed changes
Copy link
Contributor

@florent-leborgne florent-leborgne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

output docs files LGTM!

@machadoum machadoum enabled auto-merge (squash) June 24, 2025 08:39
@machadoum machadoum merged commit 5363883 into elastic:main Jun 24, 2025
11 checks passed
@elasticmachine
Copy link
Contributor

elasticmachine commented Jun 24, 2025

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 7671 7673 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 9.4MB 9.4MB +4.8KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 95.2KB 95.2KB -1.0B

History

cc @machadoum

akowalska622 pushed a commit to akowalska622/kibana that referenced this pull request Jun 25, 2025
@machadoum @kibanamachine @akowalska622
[SecuritySolution] Create PrivMon index import flow (elastic#224822)
2cc1cdf 
Depends on elastic#221610

This PR adds the import index workflow to privileged user monitoring and
API changes required to support it.

### API Enhancements

* **New API for privilege monitoring index creation**: Added a new API
endpoint (`PUT /api/entity_analytics/monitoring/privileges/indices`) to
create indices for privilege monitoring with support for `standard` and
`lookup` modes. This includes the implementation of request and response
schemas (`create_indidex.gen.ts`, `create_indidex.schema.yaml`).
[[1]](diffhunk://#diff-68329bb90dea945f343e1637990d5d05bc159e0aa2511ef1e45d37ed1a6cda51R1-R41)
[[2]](diffhunk://#diff-e979499654a27b3c1930d63c5b1002113c1c3f53f84ce27a4d75a5c492717a96R1-R42)
* **Updated privilege monitoring health response**: Modified the health
response schema to include a `status` field and an optional `error`
object for detailed error handling
(`privilege_monitoring/health.gen.ts`,
`privilege_monitoring/health.schema.yaml`).
[[1]](diffhunk://#diff-00f39a3e65a336eaddf7d3203d1370d910f5ecd2062b6cc21d9c06922c12884eR19-R28)
[[2]](diffhunk://#diff-83afa72b7a1fc48f3cc063e9fb855190d3525228bc0488fb8b871e112b90e961L22-R33)

### Frontend Integration

* **Introduce the create index modal that opens when the create index
button is clicked.
* **Onboarding modal improvements**: Updated the `AddDataSourcePanel`
component to handle index creation more robustly by passing callbacks to
the modal (`add_data_source.tsx`).
* **Error handling in UI**: Enhanced the `PrivilegedUserMonitoring`
component to display error callouts when privilege monitoring data fails
to load (`privileged_user_monitoring/index.tsx`).
[[1]](diffhunk://#diff-273ad32c97dcf15c6c6054fd7c5516d587132674578d25986b235cd174c75789R22-R26)
[[2]](diffhunk://#diff-273ad32c97dcf15c6c6054fd7c5516d587132674578d25986b235cd174c75789R38-R51)

### How to test it?
* Go to the priv mon page with an empty cluster
* Click on the data source by the index button
* Search for available indices, it should return indices with
`user.name.keyword` fields
* Click 'create index' and create a new index 
* Choose the created index and click 'Add privileged users'
* You should be redirected to the dashboard (The API is currently not
working)




### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abhishekbhatia1710 abhishekbhatia1710 abhishekbhatia1710 left review comments

@jaredburgettelastic jaredburgettelastic jaredburgettelastic left review comments

@tiansivive tiansivive tiansivive approved these changes

@florent-leborgne florent-leborgne florent-leborgne approved these changes

@leemthompo leemthompo leemthompo approved these changes

@CAWilson94 CAWilson94 Awaiting requested review from CAWilson94 CAWilson94 is a code owner automatically assigned from elastic/security-entity-analytics

Assignees

@machadoum machadoum

Labels

backport:skip This PR does not require backporting Feature:Entity Analytics Security Solution Entity Analytics features release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: entity_analytics v9.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@machadoum @elasticmachine @tiansivive @florent-leborgne @leemthompo @abhishekbhatia1710 @jaredburgettelastic @kibanamachine