
[9.0] [Security Solution] [Attack discovery] Fixes alerts filtering issues (#211371) #211646

Merged
kibanamachine merged 2 commits into elastic:9.0 on Feb 18, 2025

Conversation

kibanamachine
Contributor

Backport

This will backport the following commits from main to 9.0:

Questions?

Please refer to the Backport tool documentation

…lastic#211371)

### [Security Solution] [Attack discovery] Fixes alerts filtering issues

This PR resolves the following Attack discovery alerts filtering issues:

- [[Security Solution] [Bug] A few filters show error 'Unexpected error from Elasticsearch' for the alerts flyout elastic#208481](elastic#208481)
- [[Security Solution] [Bug] Lucene not updated as the space holder when we apply Lucene as the filtering language elastic#208170](elastic#208170)
- Connector selection resets in non-default spaces
- Saving a filter edited via `Edit Query DSL` with an unknown `user.name` value results in a `filter value is invalid or incomplete` filter
- Local field Reset clears the preview dropdowns when they are in an error state
- Updates the formatting of `Up to _n_ alerts` for Borealis

#### Feature flag required for testing

The following feature flag is required to test this PR:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

The following sections provide details and desk testing steps for the alerts filtering issues fixed by this PR.

### [Security Solution] [Bug] A few filters show error 'Unexpected error from Elasticsearch' for the alerts flyout elastic#208481

To resolve [[Security Solution] [Bug] A few filters show error 'Unexpected error from Elasticsearch' for the alerts flyout elastic#208481](elastic#208481):

- The `_ignored` metadata field was added to the [METADATA](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-metadata-fields.html) keyword in the `ES|QL` queries that power the `Alert summary` and `Alerts preview` tabs

- The `Alert summary` and `Alerts preview` tabs dropdowns are now filtered to only display fields in the alerts index
  - Example: Previously, if the `dll.Ext.load_index` field was in a `logs-*` index, but not the alerts index, it would still appear in the `Alert summary` dropdown, and result in an error if selected. After the fix in this PR, this (example) field would not appear in the dropdown.

#### Desk testing

To desk test this fix:

- See issue <elastic#208481>

- In addition to the steps in [issue elastic#208481](elastic#208481), verify the `Alert summary` and `Alerts preview` dropdowns
  - Do NOT display an error when the `_ignored` field is selected
  - Identify a field that is present in a `logs-*` index, but not the alerts index, for example `dll.Ext.load_index`. Verify this field is NOT displayed in the dropdown

### [Security Solution] [Bug] Lucene not updated as the space holder when we apply Lucene as the filtering language elastic#208170

To resolve [[Security Solution] [Bug] Lucene not updated as the space holder when we apply Lucene as the filtering language elastic#208170](elastic#208170), the custom placeholder was removed, as illustrated by the _before_ and _after_ screenshots below:

**Before**

![settings before](https://github.com/user-attachments/assets/4bab48bd-e0b5-42eb-93fe-3faefdfc58bf)

**After**

![settings after](https://github.com/user-attachments/assets/b499dab0-0ee1-464a-8bda-cdbf5236b0d3)

#### Desk testing

To desk test this fix, see <elastic#208170>

### Connector selection resets in non-default spaces

This PR fixes an issue where the last selected connector would reset in non-default spaces when all of the following were true:

- The user is in a non-default space
- Two or more generative AI connectors are configured

This issue occurred in non-default spaces because:

- `spaceId` loads asynchronously
- Kibana's `package.json` references an older version of `react-use`, with a known bug in the `useLocalStorage` hook, which is fixed by <streamich/react-use#1944>
- I verified (locally) the fix from <streamich/react-use#1944> would work if Kibana's version of `react-use` was updated in `package.json`, however that effort appears to be on hold: <elastic#179268>. For now (to minimize changes), `spaceId` has been removed from all Attack discovery local storage keys.

#### Desk testing

1. Create a new space (if you only have the default space)

2. Configure two or more Gen AI connectors

3. Select the newly created space

4. Navigate to Security > Attack discovery

5. Select a connector, for example `Claude 3.5 Sonnet`

6. Now select a _different_ connector, for example `Gemini 1.5 Pro 002`

7. Navigate to a different page in the Security solution, for example Security > Alerts

8. Once again, navigate to Security > Attack discovery

**Expected result**

- The previously selected connector, e.g. `Gemini 1.5 Pro 002` is still selected

### Saving a filter edited via `Edit Query DSL` with an unknown `user.name` value results in a `filter value is invalid or incomplete` filter

This PR fixes an issue where editing a previously created non-Query DSL filter via `Edit Query DSL`, and then entering an unknown `user.name`, resulted in a filter with text that reads: `filter value is invalid or incomplete`, as illustrated by the screenshot below:

![filter value is invalid](https://github.com/user-attachments/assets/39493dba-bf1d-4ce7-8480-15ee2ed599ea)

Generating attack discoveries with a filter like the one shown in the screenshot above would also result in errors.

This issue was resolved by adding a `FilterManager` to manage the local state of the filters in the settings panel.

#### Desk testing

1. Navigate to Security > Attack discovery

2. Click the settings gear

3. Click the `+` button to open the `Add filter` popover

4. In the popover, configure a `user.name` `is` `Administrator` filter

  Note: replace `Administrator` with a real `user.name` value if your alerts index doesn't have the value `Administrator`

5. Click `Add filter` to close the popover

**Expected result**

- The `user.name: Administrator` filter appears below the query bar

6. Click the `user.name: Administrator` filter, and choose `Edit filter` from the popover

7. Click the `Edit as Query DSL` button (in the upper right hand corner)

8. In the `Edit filter` Elasticsearch Query DSL editor, edit the Query DSL such that it has a value that does NOT exist in the index, like the following example:

```json
{
  "match_phrase": {
    "user.name": "Admasdfinistrator"
  }
}
```

9. Click `Update filter`

**Expected results**

- The `user.name: Admasdfinistrator` filter, which references a value that does not exist in the alerts index, appears below the query bar
- The updated filter does NOT have the text `filter value is invalid or incomplete`, as illustrated by the screenshot in the description of this issue above.

### Local field Reset clears the preview dropdowns when they are in an error state

This PR fixes an issue where the local (to the preview tab) reset button did not clear the preview dropdowns if they were in an error state.

The issue is fixed by calling `clearSearchValue()` to reset the stack by field when it's in an error state (i.e. because an invalid field was entered)

Note: The "local" (to the tab) `Reset` button shown in the screenshot below is fixed by this PR:

![local_reset](https://github.com/user-attachments/assets/0a2d040f-c31a-40b0-8c16-04b7d333f73e)

However, the `Reset` button at the bottom of the flyout will NOT clear the dropdown if it's in an error state. (For now, this is the expected behavior.) The workaround is to manually select a valid value in the dropdown, or click `Save` or `Cancel`. (The preview dropdown does not affect the Attack discovery query, is not saved, and automatically resets to the default every time the flyout is opened.)

#### Desk testing

1. Navigate to Security > Attack discovery

2. Click the settings gear

3. In the `Alert summary` tab, focus the dropdown and delete the text until it reads:

```
kibana.alert.rule.na
```

4. Blur the dropdown by clicking outside it

**Expected results**

- The dropdown is highlighted red
- The `Reset` button appears below the text `Select a field`

5. Click the `Reset` button below the text `Select a field`

**Expected results**

- The dropdown is NOT highlighted red (the error state is cleared)
- The dropdown text is reset to the (valid) default value: `kibana.alert.rule.name`

### Updates the formatting of `Up to _n_ alerts` for Borealis

This PR updates the formatting of the `Up to n alerts` text in Borealis, as illustrated by the before and after screenshots below:

**Before**
![01-up_to_100_alerts_before](https://github.com/user-attachments/assets/4143e847-5220-463b-8fb0-da5215d16b24)

**After**
![02-up_to_100_alerts_after](https://github.com/user-attachments/assets/835bd3fb-1e63-4192-b694-4595e8fa9309)

#### Desk testing

To desk test this fix:

1. Configure Kibana to use the `dark` theme

2. Navigate to Security > Attack discovery

3. In the connector selector, choose `+ Add new Connector...`

4. In the `Select a connector` dialog, click `OpenAI`

5. Enter a throwaway configuration for the connector (note: you won't actually use it), and click `Save`

**Expected results**

- The animated `Up to 100 alerts will be analyzed` message will appear
- The color of the animated numeric text, e.g. `100` matches the color of the `Up to` text that precedes it
- The extra whitespace trailing the `100`, shown in the _Before_ image (above) does NOT appear. The trailing whitespace after the `100` looks like the _After_ image (also above).

(cherry picked from commit 05ae2b1)
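As an added illustration (written for this page, not taken from Kibana's source), the following TypeScript shows the two parts of the elastic#208481 fix side by side: a dropdown list limited to fields mapped in the alerts index, so a `logs-*`-only field such as `dll.Ext.load_index` never becomes selectable, and an ES|QL query whose METADATA clause names `_ignored` so that selecting it does not fail. The function names, the `_id`/`_index` metadata fields, the sample field list and the index names are assumptions; Kibana's real query and field-discovery code are not shown on this page.

```typescript
// Added example (not Kibana code): the two halves of the elastic#208481 fix,
// shown in isolation. Function names, index names and the sample field list
// below are hypothetical / constructed for this example.

/** A field together with the concrete indices in which it is mapped. */
export interface IndexedField {
  name: string;
  indices: string[];
}

/**
 * ES|QL metadata fields that are only returned when named in the METADATA
 * clause. The PR only states that `_ignored` was added; `_id` and `_index`
 * are assumed here.
 */
export const METADATA_FIELDS: readonly string[] = ['_id', '_index', '_ignored'];

/** Match a concrete index name against an Elasticsearch-style `*` pattern. */
export function matchesIndexPattern(indexName: string, pattern: string): boolean {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`).test(indexName);
}

/**
 * Dropdown candidates: only fields mapped in some index matching the alerts
 * index pattern, plus the metadata fields the query can always return.
 * A field that exists only in `logs-*` (e.g. `dll.Ext.load_index`) is dropped.
 */
export function fieldsForAlertsIndex(fields: IndexedField[], alertsIndexPattern: string): string[] {
  const mapped = fields
    .filter((f) => f.indices.some((i) => matchesIndexPattern(i, alertsIndexPattern)))
    .map((f) => f.name);
  return Array.from(new Set([...mapped, ...METADATA_FIELDS])).sort();
}

/**
 * Build an `Alert summary` style "stack by" query. A field that is not
 * selectable is rejected up front instead of surfacing later as an
 * Elasticsearch error after the query runs.
 */
export function buildAlertsSummaryQuery(
  alertsIndexPattern: string,
  stackByField: string,
  selectable: string[],
  limit = 100
): string {
  if (!selectable.includes(stackByField)) {
    throw new Error(`field "${stackByField}" is not mapped in ${alertsIndexPattern}`);
  }
  if (stackByField.includes('`')) {
    throw new Error('field names containing a backtick are not supported');
  }
  // Backtick-quote dotted names (kibana.alert.rule.name) so ES|QL parses them as one identifier.
  const byField = METADATA_FIELDS.includes(stackByField) ? stackByField : `\`${stackByField}\``;
  return [
    `FROM ${alertsIndexPattern} METADATA ${METADATA_FIELDS.join(', ')}`,
    `STATS count = COUNT(*) BY ${byField}`,
    'SORT count DESC',
    `LIMIT ${limit}`,
  ].join(' | ');
}

/** Constructed sample: which fields are mapped in which indices. */
export const SAMPLE_FIELDS: IndexedField[] = [
  { name: 'kibana.alert.rule.name', indices: ['.alerts-security.alerts-default'] },
  { name: 'user.name', indices: ['.alerts-security.alerts-default', 'logs-endpoint.events.process-default'] },
  { name: 'dll.Ext.load_index', indices: ['logs-endpoint.events.library-default'] },
];

export const ALERTS_INDEX_PATTERN = '.alerts-security.alerts-*';

/** Stand-alone run: print the dropdown, one accepted query and one rejected field. */
export function demo(): string[] {
  const dropdown = fieldsForAlertsIndex(SAMPLE_FIELDS, ALERTS_INDEX_PATTERN);
  console.log(dropdown);
  console.log(buildAlertsSummaryQuery(ALERTS_INDEX_PATTERN, 'kibana.alert.rule.name', dropdown));
  try {
    buildAlertsSummaryQuery(ALERTS_INDEX_PATTERN, 'dll.Ext.load_index', dropdown);
  } catch (e) {
    console.log(`rejected: ${(e as Error).message}`);
  }
  return dropdown;
}

demo();
```

Run it with `ts-node` (or compile with `tsc`): `demo()` lists the dropdown, prints the accepted query for `kibana.alert.rule.name`, and shows the `logs-*`-only field being rejected before any query is sent.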
@elasticmachine
Contributor

💔 Build Failed

Failed CI Steps

cc @andrew-goldstein

@andrew-goldstein
Contributor

@elasticmachine merge upstream

kibanamachine merged commit 91988e3 into elastic:9.0 Feb 18, 2025
9 checks passed