wazuh
Refine filter mechanism
| Wazuh | Rev |
|---|---|
| 4.9.0 | 00 |
Description
After testing all main features integrated we detected some odd behaviors that need fixing.
Tasks
- [x] Server management / Cluster applies any previous pinned agent and it shouldn't https://github.com/wazuh/wazuh-dashboard-plugins/pull/6681
- [x] Server management / Statistics applies any previous pinned agent and it shouldn't https://github.com/wazuh/wazuh-dashboard-plugins/pull/6682
- [x] When changing the API selected to a Wazuh server with cluster mode disabled the filter value is "disabled" https://github.com/wazuh/wazuh-dashboard-plugins/pull/6675
- [x] In the Vulnerabilities module, when we change the index pattern the view doesn't render any https://github.com/wazuh/wazuh-dashboard-plugins/pull/6674
- [x] Remove Wazuh server link (000) from alerts tables https://github.com/wazuh/wazuh-dashboard-plugins/pull/6679
- [x] Add link to agent id and name in discover table (in progress) https://github.com/wazuh/wazuh-dashboard-plugins/pull/6677
- [ ] Check remove filter icon visibility when entering in a module
- [ ] Check remove filter icon disappears when you unpin an agent https://github.com/wazuh/wazuh-dashboard-plugins/pull/6685
- [x] Check the order in which filters are rendered https://github.com/wazuh/wazuh-dashboard-plugins/pull/6684
- [x] When navigating to the home page if there is a pinned agent you should keep it. https://github.com/wazuh/wazuh-dashboard-plugins/pull/6686
- [x] Check the flyout of the discover table. https://github.com/wazuh/wazuh-dashboard-plugins/pull/6691
- [ ] Fix modules redirections with predefined filters via URL (In progress ⏳) @Machi3mfl
In the Vulnerabilities module, when we change the index pattern the view doesn't render any visualization
https://github.com/wazuh/wazuh-dashboard-plugins/pull/6674
Before
https://github.com/wazuh/wazuh-dashboard-plugins/assets/6089438/ed472a58-a6e7-4da9-b577-4074572a0e14
This error
After
https://github.com/wazuh/wazuh-dashboard-plugins/assets/6089438/b7756ab9-a9d6-479a-9387-7ffd0ebff7a7
Fix modules redirections with predefined filters via URL
Tasks
- Create a mechanism to make a redirect with filters by default.
- Add to the current solution the possibility to add filters that will be applied when entering the module.
Current solution
- Using the getUrlForApp to get the redirect href
<EuiButtonEmpty
iconType='popout'
aria-label='popout'
href={getCore().application.getUrlForApp(threatHunting.id, {
path: `#/overview/?tab=general&tabView=panels&addRuleFilter=1001`
})}
target='blank'
>
View alerts of this Rule
</EuiButtonEmpty>
- In
plugins/wazuh/public/services/common-data.js, globally check the URL query, search the addRuleFilter and add directly to the filter manager the filter
const regex = new RegExp('addRuleFilter=' + '[^&]*');
const match = this.$window.location.href.match(regex);
if (match && match[0]) {
const id = match[0].split('=')[1];
let filter = filterHandler.ruleIdQuery(id);
filter.$state.isImplicit = false;
filters.push(filter);
this.$window.location.href = this.$window.location.href.replace(
regex,
'',
);
}
Disadvantages
- Not scalable, for every filter that we want to add we must add a condition to check the param received, like for example, the
addRuleFilterparam. - To many responsibilities, the redirect touches the filter manager directly
# Possible solutions
-
Encapsulate the getCore().application.getUrlForApp method and create a function that creates the redirect URL with all the necessary params like:
- panel
- tab
- predefined filters (one or more)
For instance:
// redirect manager or something
redirector.redirectToApp({
tab: 'general',
tabView: 'panels',
applicationId: 'threat-hunting',
filters: [{ key: 'rule.id', value: '1001' }]
})
Then this service construct the URL with the params like:
- ruleId=1001 or inner a_ filters query
Problem
When the URL is refreshed using enter or F5 the a_ content is cleaned
- Use the same solution, adding custom query params manually and evaluate this query params in the data-source-pattern-filter-manager and add the filters
For instance:
getCore().application.getUrlForApp(threatHunting.id, {
path: `#/overview/?tab=general&tabView=panels&filters='ruleId=1001&ruleMitreId=T100`
})
Then, when the data source is loaded the data source filter manager gets the query params, creates the filters and add on it.
Proposals to display implicit filters in the search bar
Currently, to display the implicit filters, the search bar component native to OpenSearch is manipulated and the close buttons for the filter badges are removed. This practice sometimes results in incorrect functionality because we are interfering with the behavior of a component outside our control.
To achieve a stable behavior for displaying implicit filters, the following alternatives are proposed.
All options have the same technical solution but with different visual proposals.
Option 1: Show all implicit filters without the close button
This option, visually, is identical to how it is currently displayed, but technically the solution is different. We would be hiding the implicit filters from the native search bar and adding them as components of our application outside the bar in the DOM.
Option 2: Show all implicit filters without the close button and with another background color
Option 3: Hide the implicit filters and show a Tooltip to display the info
Option 4: Hide the implicit filters and show a Popover to display the info
Due to the scope and size of the proposed solution, we decided to create another issue to continue the development: https://github.com/wazuh/wazuh-dashboard-plugins/issues/6711
