
[RAC][Alert Triage] Alerts Table Component #93873

Closed
spong opened this issue Mar 6, 2021 · 9 comments
Labels
  • enhancement: New value added to drive a business result
  • Feature:Detection Alerts: Security Solution Detection Alerts Feature
  • Team:Detections and Resp: Security Detection Response Team
  • Team:Observability: Team label for Observability Team (for things that are handled across all of observability)
  • Team:ResponseOps: Label for the ResponseOps team (formerly the Cases and Alerting teams)
  • Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
  • Team:Threat Hunting: Security Solution Threat Hunting Team
  • Theme: rac: label obsolete

Comments

@spong (Member) commented Mar 6, 2021

Description

This issue is for the generification of the Alerts Table component used within the Alert Triage workflow on the main Security Detections page and Rule Details page.

As used within the Observability mocks:

Interface

Inputs
  • Page-level KQL query, filters, and daterange
  • .alerts index to query against
  • Alert Actions
    • Array of actions w/ underlying alert as context
    • Number of actions to display before overflowing
    • Alert details component provider
Outputs
  • Page-level KQL query, filters, and daterange

API Requirements

  • Generic query API for fetching documents from the .alerts index. Currently, the implementation is all handled server side; it takes an index and a query, and timeline magic handles the rest 🙂

Destination Plugin/Package 🏠

  • Most likely dedicated timeline plugin/package, but TBD

Feature Extension

  • UtilityBar to be integrated directly within EventsViewer
  • Ability to specify Alert Details component provider for rendering custom view in Alert Details
  • Removal of Status/Additional Filters component (will be created as dedicated component)

Existing Source

Table wrapper, including utility bar, actions, and default configuration (columns, sort, etc) located here. Underlying table implemented as StatefulEventsViewer.

@spong added the labels enhancement, Team:Observability, Team:ResponseOps, Team:Detections and Resp, Team: SecuritySolution, Feature:Detection Alerts and Theme: rac on Mar 6, 2021
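The Inputs/Outputs listed under "Interface" above describe a component contract. The following TypeScript sketch is an added illustration of that contract and is not code from Kibana or from this issue; every name in it (AlertsTableProps, AlertAction, PageState, partitionActions, runAction, visibleActionCount) and all sample values are assumptions constructed for the example. It shows the two behaviours the list implies but does not spell out: how an action list is split at the "number of actions to display before overflowing" boundary, and how an action is dispatched with the underlying alert as its context.

```typescript
// Added illustration of the component contract described under "Interface".
// All names here are assumptions for this example, not Kibana's own API.

interface AlertDocument {
  _id: string;
  _index: string;
  [field: string]: unknown;
}

// An alert action receives the underlying alert as its context.
interface AlertAction {
  id: string;
  label: string;
  onClick: (alert: AlertDocument) => void;
}

// Page-level state the table both consumes (input) and emits (output).
interface PageState {
  kql: string;
  filters: string[]; // simplified stand-in for filter objects
  dateRange: { from: string; to: string };
}

interface AlertsTableProps {
  index: string; // the .alerts index to query against
  pageState: PageState; // input
  onPageStateChange: (next: PageState) => void; // output
  actions: AlertAction[];
  maxVisibleActions: number; // actions shown inline before overflowing
  renderAlertDetails?: (alert: AlertDocument) => string; // details component provider
}

// Split configured actions into those rendered inline and those behind an overflow menu.
// A non-finite limit means "show everything"; negative or fractional limits are clamped.
function partitionActions(
  actions: AlertAction[],
  maxVisible: number
): { visible: AlertAction[]; overflow: AlertAction[] } {
  const n = Number.isFinite(maxVisible)
    ? Math.max(0, Math.floor(maxVisible))
    : actions.length;
  return { visible: actions.slice(0, n), overflow: actions.slice(n) };
}

// Dispatch an action by id with the alert as context; false if the id is unknown.
function runAction(actions: AlertAction[], id: string, alert: AlertDocument): boolean {
  const action = actions.find((a) => a.id === id);
  if (!action) return false;
  action.onClick(alert);
  return true;
}

// Number of actions the table would render inline for a given props object.
function visibleActionCount(p: AlertsTableProps): number {
  return partitionActions(p.actions, p.maxVisibleActions).visible.length;
}

// Constructed sample data (not real alerts or real Kibana actions).
const log: string[] = [];
const sampleActions: AlertAction[] = [
  { id: "open", label: "Mark as open", onClick: (a) => { log.push(`open:${a._id}`); } },
  { id: "ack", label: "Acknowledge", onClick: (a) => { log.push(`ack:${a._id}`); } },
  { id: "close", label: "Close", onClick: (a) => { log.push(`close:${a._id}`); } },
  { id: "timeline", label: "Investigate in timeline", onClick: (a) => { log.push(`timeline:${a._id}`); } },
];
const sampleAlert: AlertDocument = { _id: "alert-1", _index: ".alerts-example" };

const sampleProps: AlertsTableProps = {
  index: ".alerts-example", // constructed index name
  pageState: { kql: "host.name: web-01", filters: [], dateRange: { from: "now-24h", to: "now" } },
  onPageStateChange: () => {},
  actions: sampleActions,
  maxVisibleActions: 2,
};

// Usage: two actions inline ("open", "ack"), two in the overflow menu.
const split = partitionActions(sampleProps.actions, sampleProps.maxVisibleActions);
console.log(split.visible.map((a) => a.label), split.overflow.map((a) => a.label));
runAction(sampleProps.actions, "ack", sampleAlert);
console.log(log);
```

The clamp in partitionActions is where a shared component earns its keep: each consuming plugin passes its own limit, and a bad value should degrade to "all inline" or "all in overflow" rather than throw inside the table.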
@elasticmachine (Contributor)

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@katrin-freihofner (Contributor)

There are a couple of things that I hope we can improve on this table as we move to a shared component. I ordered them according to what I think of as the highest priority. cc @lindseypoli @mdefazio

  1. Table actions
    I don't think that these icon buttons are self-explaining. I even wonder if we could apply the same UX as we already established in EUI data grid.
    (image: table-actions)

  2. Row icon buttons
    These buttons are not self-explaining. In my opinion, it is not clear where to click and what these buttons mean. Also, in Observability, we will only need the details and context menu buttons for now, so this might not be an issue.
    (image: row-actions)

  3. Accessibility: Keyboard navigation
    In my opinion, we need a couple of improvements to make the table and row action buttons and pagination accessible via keyboard.

  4. Select the number of rows
    A user selects a number of rows for a reason. Therefore, I suggest not restricting the height of the container in this case and showing the selected number of rows.
    (image: no-of-rows)

  5. Severity indicator
    In Observability we probably want an additional visual indicator for severity instead of text only. cc @cyrille-leclerc
    (image: Screenshot 2021-03-08 at 10 12 58)
    Something like the EUI health badge
    (image: Screenshot 2021-03-08 at 10 14 47)

  6. In my opinion, responsive behavior is part of a high-quality UI. I also think it is especially important for these views as they are used for troubleshooting. This can happen anywhere, anytime, and on any device.
    (image: responsive)

  7. There is a small bug with the background on this actions menu.
    (image: action-menu)

  8. Tooltips appear too slow
    In my opinion, there is too much delay when tooltips appear.
    (image: tooltips)

@mdefazio (Contributor) commented Mar 8, 2021

Great points @katrin-freihofner, thanks for putting this together. In regards to your 1st point, are there downsides to switching to the EuiDatagrid? Perhaps doing so solves a few of these issues right out of the box (accessibility, responsiveness). Or do we simply take the Datagrid control bar and place it above the table?

@spong spong added the Team:Threat Hunting Security Solution Threat Hunting Team label Mar 9, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@sorenlouv (Member)

> are there downsides to switching to the EuiDatagrid? Perhaps doing so solves a few of these issues right out of the box (accessibility, responsiveness). Or do we simply take the Datagrid control bar and place it above the table?

Switching to the EuiDatagrid sounds like a good idea. I agree that it'll most likely solve the accessibility issues.

@tsg (Contributor) commented Mar 10, 2021

We definitely want to adopt the EuiDatagrid, we're just waiting for it to be ready. We have actually evaluated switching a few times already but there were missing capabilities. From what I understand, the main thing holding us now is support for variable-height rows, but when that is supported, we'll be most happy to switch.

Thank you for the review @katrin-freihofner, perhaps we can work together to solve some of these.

@peluja1012 (Contributor)

Implemented by #103270

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022