kibana icon indicating copy to clipboard operation
kibana copied to clipboard

Published 20 hours ago verified publisher icon elastic

[Security Solution] Bulk editing rule custom highlighted fields

Open e40pud opened this issue 11 months ago • 23 comments

Resolves: https://github.com/elastic/kibana/issues/164301 Resolves: https://github.com/elastic/security-team/issues/8958

Summary

With these changes we introduce a new feature - Bulk custom highlighted fields update. It works similarly to bulk tags and indices update.

Here is the overview of the work that has been done:

https://github.com/elastic/kibana/assets/2700761/b1ba6670-9984-43c9-9f1e-e18a2b7f071f

Checklist

Delete any items that are not applicable to this PR.

e40pud avatar Mar 24 '24 19:03 e40pud

/ci

e40pud avatar Mar 24 '24 19:03 e40pud

@elasticmachine merge upstream

e40pud avatar Mar 27 '24 10:03 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 02 '24 10:04 e40pud

/ci

e40pud avatar Apr 02 '24 10:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 04 '24 10:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 05 '24 08:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 08 '24 07:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 10 '24 07:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 11 '24 09:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 12 '24 08:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 15 '24 08:04 e40pud

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine avatar Apr 15 '24 12:04 elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine avatar Apr 15 '24 12:04 elasticmachine

@elasticmachine merge upstream

e40pud avatar Apr 15 '24 12:04 e40pud

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine avatar Apr 16 '24 11:04 elasticmachine

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine avatar Apr 16 '24 11:04 elasticmachine

@elasticmachine merge upstream

e40pud avatar Apr 17 '24 12:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 22 '24 09:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 22 '24 11:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 23 '24 13:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 24 '24 12:04 e40pud

@elasticmachine merge upstream

e40pud avatar Apr 25 '24 07:04 e40pud

Left a couple questions and one nit but overall looks good @e40pud! I pulled down and tested all the edge cases I could think of. This is the first time I've seen the feature flag stuff used so heavily for the backend code, I think it's a pretty good way to go about it albeit adding a bit of complexity to the implementation as (correct me if I'm wrong) we aren't able to enable/disable routes themselves using the flags.

Yes, I had to add extra complexity in order to be able to block API behind feature flag. I think we can benefit from ti in future with other features that require adding public API and needs to be hidden for some time.

e40pud avatar Apr 29 '24 12:04 e40pud

Overall looks great! Appreciate the updates to the tests and additional tests too. A few small nits too.

I do believe we could simplify the code and have some performance improvements if we introduce the logic for fetching and gathering the data view titles into the bulk_get_sources route, update the hook useBulkGetRulesSources to reflect the new server-side functionality, and remove the useGetAllIndexPatternsFromSources. This would also have the added benefit of reducing the number of hooks we need to maintain and test.

Hey @dhurley14, we discussed potential performance issue and limitations with ES|QL and ML rules.

To avoid those issues, we decided to go with the next solution for the list of fields available in "custom highlighted fields" flyout: the dropdown will include fields from the index patterns defined in Security Solution advanced settings (more details here).

This means, I will remove the route to fetch all indices for selected rules.

e40pud avatar May 02 '24 08:05 e40pud

:green_heart: Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 5466 5467 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.7MB 13.7MB +18.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 83.1KB 83.3KB +268.0B
Unknown metric groups

ESLint disabled line counts

id before after diff
securitySolution 518 519 +1

Total ESLint disabled count

id before after diff
securitySolution 596 597 +1

History

  • :broken_heart: Build #207443 failed 450296c5b391f91120f316dec0687d5e11a44573
  • :yellow_heart: Build #206612 was flaky 8ad3a67cf3adeddb2508ba287a7a992b37e4ffb7
  • :green_heart: Build #206549 succeeded 611c445bf4d30a8c6e1951bf7489e2d17953c93d
  • :yellow_heart: Build #206052 was flaky 6c3c65e01d8390077deee2817f0885765f4ee855
  • :broken_heart: Build #206030 failed d805d62569952aff3619b42eb16e483aa28524f8
  • :yellow_heart: Build #205865 was flaky 411e618ab243cb6cd124c26f6ac99fac75264161

To update your PR or re-run it, just comment with: @elasticmachine merge upstream

cc @e40pud

kibana-ci avatar May 02 '24 12:05 kibana-ci