-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution] [Attack discovery] Alerts filtering (#205070)
## [Security Solution] [Attack discovery] Alerts filtering ![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6) This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM). Using the new resizeable _Attack discovery settings flyout_, users may: - Filter alerts via a search bar and filters - Control the time window (previously fixed to `Last 24 hrs`) ### Before (feature flag disabled) Previously, users could only set the number of alerts sent as context to the LLM via a modal: ![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5) ### After (feature flag enabled) The new Attack discovery settings flyout replaces the modal: ![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614) It has two tabs, _Alert summary_ and _Alerts preview_. ### Alert summary The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query: ![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6) The Alert summary query is an aggregation. It does NOT display the details of individual alerts. ### Alerts preview The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query: ![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c) Users may resize the settings flyout to view all the fields in the Alerts preview. ### Feature flag Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`: ```yaml xpack.securitySolution.enableExperimental: - 'attackDiscoveryAlertFiltering' ``` Enabling the feature flag: - Replaces the `Settings` modal with the `Attack discovery settings` flyout - Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries - Enables new loading messages ### Details #### Loading messages The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges: 1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions: ![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800) 2) Relative date ranges: ![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624) 3) Absolute date ranges: ![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d) #### Filtering preferences Alert filtering preferences are stored in local storage. This PR adds the following new local storage keys: ``` elasticAssistantDefault.attackDiscovery.default.end elasticAssistantDefault.attackDiscovery.default.filters elasticAssistantDefault.attackDiscovery.default.query elasticAssistantDefault.attackDiscovery.default.start ``` Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults. #### Known limitations The following known limitations in this PR may be mitigated in follow-up PRs: #### Table cell hover actions are disabled Table cell actions, i.e. `Filter for` and `Filter out` are disabled in the `Alert summary` and `Alerts preview` tables. The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app. ##### Default table sort indicators are hidden The `Alert summary` and `Alerts preview` tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries. The tables _should_ display default sort indicators, as illustrated by the screenshots below: ![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4) ![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e) The default indicators are hidden in this PR as a workaround for an error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled: ``` TypeError: Cannot read properties of undefined (reading 'split') ``` To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code: ```typescript <PreviewTab dataTestSubj={ALERT_SUMMARY_TEST_SUBJ} embeddableId={SUMMARY_TAB_EMBEDDABLE_ID} end={end} filters={filters} getLensAttributes={getAlertSummaryLensAttributes} getPreviewEsqlQuery={getAlertSummaryEsqlQuery} maxAlerts={maxAlerts} query={query} setTableStackBy0={setAlertSummaryStackBy0} start={start} sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator tableStackBy0={alertSummaryStackBy0} /> ``` ##### Selected date range not persisted The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.
- Loading branch information
1 parent
71144ed
commit 681d40e
Showing
61 changed files
with
2,380 additions
and
77 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.