[SIEM] Adds Signals Histogram #53742
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spong
added
Team:SIEM
release_note:skip
|
Pinging @elastic/siem (Team:SIEM) |
spong
requested review from
XavierM,
FrankHassanabad,
dhurley14,
andrew-goldstein,
angorayc and
MichaelMarcialis
angorayc
reviewed
Jan 9, 2020
...gacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/index.tsx
Outdated
Show resolved
Hide resolved
angorayc
reviewed
Jan 9, 2020
...blic/pages/detection_engine/components/signals_histogram_panel/signals_histogram/helpers.tsx
Outdated
Show resolved
Hide resolved
angorayc
reviewed
Jan 9, 2020
| signalsByGrouping: { | ||
| terms: { | ||
| field: stackByField, | ||
| missing: stackByField.endsWith('.ip') ? '0.0.0.0' : i18n.ALL_OTHERS, |
There was a problem hiding this comment.
I like that we still have i18n in histograms' label!
...gacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/config.ts
Show resolved
Hide resolved
...blic/pages/detection_engine/components/signals_histogram_panel/signals_histogram/helpers.tsx
Outdated
Show resolved
Hide resolved
angorayc
approved these changes
Jan 9, 2020
...public/pages/detection_engine/components/signals_histogram_panel/signals_histogram/index.tsx
Outdated
Show resolved
Hide resolved
...egacy/plugins/siem/public/pages/detection_engine/components/signals_histogram_panel/types.ts
Show resolved
Hide resolved
| /> | ||
| </EuiFlexItem> | ||
| />, | ||
| rule?.updated_by != null ? ( |
There was a problem hiding this comment.
This is confusing for a few reasons and the intention is not really there.
The io-ts TypeScript for updated_by and created_by both say they cannot be null but looking at the operators it does look like they can be which I think is the actual use case. So I would change the types.
The second part is that when updated_by is null it will never hit these lines below and show an updated_by by UNKNOWN but rather just show an empty string.
So which is it we want? To show nothing for updated_by when it is null or to show it but mark it as UNKNOWN?
There was a problem hiding this comment.
Oooh good catch. This is existing code that got reformatted from my changes, so will have to hear from @XavierM on this, but my best guess is that we'd want the latter and show UNKNOWN. Although there may be some special logic I'm missing out on for how updated_by is used?
| by: rule?.updated_by ?? i18n.UNKNOWN, | ||
| date: ( | ||
| <FormattedDate | ||
| value={rule?.updated_at ?? new Date().toISOString()} |
There was a problem hiding this comment.
From the backend we always provide a updated_at and a created_at without mistake as far as I know now. So the checks for these should never happen.
However, same issues with TypeScript saying that these two can never be null/undefined. If you want to be safe and just guard against a regression bug on our side or something else, I would change the type system to reflect that and also I would not put "fake dates" such as new Date().toISOString() but rather defer to using a -- nonexistent placeholder to show that they just aren't present.
Up to you.
There was a problem hiding this comment.
cc @XavierM -- this may be an artifact from initial development when they weren't always present?
FrankHassanabad
approved these changes
Jan 10, 2020
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
spong
added a commit
to spong/kibana
that referenced
this pull request
Jan 10, 2020
## Summary Detection Engine Meta Issue: elastic#50405 This PR adds the `Signals Histogram` component for use on the main `Detection Engine` page, `Rule Details` page, and the newly designed `Overview` page. Out of the box configuration includes an `EuiSelect` for stacking by the following: * Risk Scores * Severities * Event Actions * Event Categories * Host Names * Rule Types * Rules * Users * Destination IPs * Source IPs Additional configuration properties are available to configure the component as needed depending on where it will be displayed (e.g. no `Stack By` option on `Overview`, filter to specific `rule_id` on `Rule Details`, etc): ``` ts interface SignalsHistogramPanelProps { defaultStackByOption?: SignalsHistogramOption; filters?: esFilters.Filter[]; from: number; query?: Query; legendPosition?: 'left' | 'right' | 'bottom' | 'top'; loadingInitial?: boolean; showLinkToSignals?: boolean; showTotalSignalsCount?: boolean; stackByOptions?: SignalsHistogramOption[]; title?: string; to: number; updateDateRange: (min: number, max: number) => void; } ``` ##### Light Theme:  ##### Dark Theme:  ##### Overview: Example props for overview impl: ``` jsx <SignalsHistogramPanel filters={filters} from={from} loadingInitial={loading} query={query} showTotalSignalsCount={true} showLinkToSignals={true} defaultStackByOption={{ text: 'Signals count by MITRE ATT&CK category', value: 'signal.rule.threats', }} legendPosition={'right'} to={to} title="Signals count by MITRE ATT&CK category" updateDateRange={updateDateRangeCallback} /> ```  Note @andrew-goldstein @angorayc @MichaelMarcialis -- looks like the MITRE ATT&CK Tactics are stored as a nested object in `signal.rule.threat`, so we may have to do some finangling to get it to show on the histogram. e.g. format: ``` json { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "reference": "https://attack.mitre.org/tactics/TA0010", "name": "Exfiltration" }, "techniques": [ { "id": "T1002", "name": "Data Compressed", "reference": "https://attack.mitre.org/techniques/T1002" } ] } ``` ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * Will work with @benskelker on any specific documentation - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
spong
added a commit
that referenced
this pull request
Jan 10, 2020
## Summary Detection Engine Meta Issue: #50405 This PR adds the `Signals Histogram` component for use on the main `Detection Engine` page, `Rule Details` page, and the newly designed `Overview` page. Out of the box configuration includes an `EuiSelect` for stacking by the following: * Risk Scores * Severities * Event Actions * Event Categories * Host Names * Rule Types * Rules * Users * Destination IPs * Source IPs Additional configuration properties are available to configure the component as needed depending on where it will be displayed (e.g. no `Stack By` option on `Overview`, filter to specific `rule_id` on `Rule Details`, etc): ``` ts interface SignalsHistogramPanelProps { defaultStackByOption?: SignalsHistogramOption; filters?: esFilters.Filter[]; from: number; query?: Query; legendPosition?: 'left' | 'right' | 'bottom' | 'top'; loadingInitial?: boolean; showLinkToSignals?: boolean; showTotalSignalsCount?: boolean; stackByOptions?: SignalsHistogramOption[]; title?: string; to: number; updateDateRange: (min: number, max: number) => void; } ``` ##### Light Theme:  ##### Dark Theme:  ##### Overview: Example props for overview impl: ``` jsx <SignalsHistogramPanel filters={filters} from={from} loadingInitial={loading} query={query} showTotalSignalsCount={true} showLinkToSignals={true} defaultStackByOption={{ text: 'Signals count by MITRE ATT&CK category', value: 'signal.rule.threats', }} legendPosition={'right'} to={to} title="Signals count by MITRE ATT&CK category" updateDateRange={updateDateRangeCallback} /> ```  Note @andrew-goldstein @angorayc @MichaelMarcialis -- looks like the MITRE ATT&CK Tactics are stored as a nested object in `signal.rule.threat`, so we may have to do some finangling to get it to show on the histogram. e.g. format: ``` json { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "reference": "https://attack.mitre.org/tactics/TA0010", "name": "Exfiltration" }, "techniques": [ { "id": "T1002", "name": "Data Compressed", "reference": "https://attack.mitre.org/techniques/T1002" } ] } ``` ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * Will work with @benskelker on any specific documentation - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
thomasneirynck
pushed a commit
to thomasneirynck/kibana
that referenced
this pull request
Jan 12, 2020
## Summary Detection Engine Meta Issue: elastic#50405 This PR adds the `Signals Histogram` component for use on the main `Detection Engine` page, `Rule Details` page, and the newly designed `Overview` page. Out of the box configuration includes an `EuiSelect` for stacking by the following: * Risk Scores * Severities * Event Actions * Event Categories * Host Names * Rule Types * Rules * Users * Destination IPs * Source IPs Additional configuration properties are available to configure the component as needed depending on where it will be displayed (e.g. no `Stack By` option on `Overview`, filter to specific `rule_id` on `Rule Details`, etc): ``` ts interface SignalsHistogramPanelProps { defaultStackByOption?: SignalsHistogramOption; filters?: esFilters.Filter[]; from: number; query?: Query; legendPosition?: 'left' | 'right' | 'bottom' | 'top'; loadingInitial?: boolean; showLinkToSignals?: boolean; showTotalSignalsCount?: boolean; stackByOptions?: SignalsHistogramOption[]; title?: string; to: number; updateDateRange: (min: number, max: number) => void; } ``` ##### Light Theme:  ##### Dark Theme:  ##### Overview: Example props for overview impl: ``` jsx <SignalsHistogramPanel filters={filters} from={from} loadingInitial={loading} query={query} showTotalSignalsCount={true} showLinkToSignals={true} defaultStackByOption={{ text: 'Signals count by MITRE ATT&CK category', value: 'signal.rule.threats', }} legendPosition={'right'} to={to} title="Signals count by MITRE ATT&CK category" updateDateRange={updateDateRangeCallback} /> ```  Note @andrew-goldstein @angorayc @MichaelMarcialis -- looks like the MITRE ATT&CK Tactics are stored as a nested object in `signal.rule.threat`, so we may have to do some finangling to get it to show on the histogram. e.g. format: ``` json { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "reference": "https://attack.mitre.org/tactics/TA0010", "name": "Exfiltration" }, "techniques": [ { "id": "T1002", "name": "Data Compressed", "reference": "https://attack.mitre.org/techniques/T1002" } ] } ``` ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials * Will work with @benskelker on any specific documentation - [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~ ### For maintainers - [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~ - [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
20 tasks
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Detection Engine Meta Issue: #50405
This PR adds the
Signals Histogramcomponent for use on the mainDetection Enginepage,Rule Detailspage, and the newly designedOverviewpage.Out of the box configuration includes an
EuiSelectfor stacking by the following:Additional configuration properties are available to configure the component as needed depending on where it will be displayed (e.g. no
Stack Byoption onOverview, filter to specificrule_idonRule Details, etc):Light Theme:
Dark Theme:
Overview:
Example props for overview impl:
Note @andrew-goldstein @angorayc @MichaelMarcialis -- looks like the MITRE ATT&CK Tactics are stored as a nested object in
signal.rule.threat, so we may have to do some finangling to get it to show on the histogram.e.g. format:
{ "framework": "MITRE ATT&CK", "tactic": { "id": "TA0010", "reference": "https://attack.mitre.org/tactics/TA0010", "name": "Exfiltration" }, "techniques": [ { "id": "T1002", "name": "Data Compressed", "reference": "https://attack.mitre.org/techniques/T1002" } ] }Checklist
Use
strikethroughsto remove checklist items you don't feel are applicable to this PR.This was checked for keyboard-only and screenreader accessibilityFor maintainers
This was checked for breaking API changes and was labeled appropriatelyThis includes a feature addition or change that requires a release note and was labeled appropriately