Commit
[8.x] [Security Solution] [Attack discovery] Alerts filtering (#205070) (#205137)

# Backport

This will backport the following commits from `main` to `8.x`:

- [[Security Solution] [Attack discovery] Alerts filtering (#205070)](#205070)

Backport version: 9.4.3

### Questions?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Source commit: 681d40eee64316bea85d04077f918bd7121988b9, authored by Andrew Macri <andrew.macri@elastic.co>, committed 2024-12-24T10:49:10Z on `main` (https://github.com/elastic/kibana/pull/205070, state MERGED). Labels: release_note:enhancement, v9.0.0, Team: SecuritySolution, ci:cloud-deploy, ci:cloud-persist-deployment, Team:Security Generative AI, backport:version, v8.18.0. Target branch `8.x` (label v8.18.0): NOT_CREATED at the time this backport metadata was recorded.

The message of the source commit follows.

## [Security Solution] [Attack discovery] Alerts filtering

![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)

This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizable _Attack discovery settings flyout_, users may:

- Filter alerts via a search bar and filters
- Control the time window (previously fixed to `Last 24 hrs`)

### Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)

### After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)

It has two tabs, _Alert summary_ and _Alerts preview_.

### Alert summary

The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query:

![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

### Alerts preview

The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)

Users may resize the settings flyout to view all the fields in the Alerts preview.

### Feature flag

Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

Enabling the feature flag:

- Replaces the `Settings` modal with the `Attack discovery settings` flyout
- Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries
- Enables new loading messages

### Details

#### Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions:

![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)

2) Relative date ranges:

![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)

3) Absolute date ranges:

![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)

#### Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

```
elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start
```

Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults.

#### Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

##### Table cell hover actions are disabled

Table cell actions, i.e. `Filter for` and `Filter out`, are disabled in the `Alert summary` and `Alerts preview` tables.

The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app.

##### Default table sort indicators are hidden

The `Alert summary` and `Alerts preview` tables are sorted descending by Count and Risk score, respectively, via their ES|QL queries.

The tables _should_ display default sort indicators, as illustrated by the screenshots below:

![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)

![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)

The default indicators are hidden in this PR as a workaround for an error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled:

```
TypeError: Cannot read properties of undefined (reading 'split')
```

To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code:

```typescript
<PreviewTab
  dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
  embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
  end={end}
  filters={filters}
  getLensAttributes={getAlertSummaryLensAttributes}
  getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
  maxAlerts={maxAlerts}
  query={query}
  setTableStackBy0={setAlertSummaryStackBy0}
  start={start}
  sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
  tableStackBy0={alertSummaryStackBy0}
/>
```

##### Selected date range not persisted

The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.

---------

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
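The PR description above explains that the stack-by field, the maximum number of alerts, and the `start`/`end` range are chosen by the user and end up driving ES|QL queries that feed the LLM. As an added example that is not part of the PR or of the Kibana code base, the following TypeScript shows how such inputs can be validated before being interpolated into ES|QL text: an allowlist for the field name (so a value like `host.name | DROP *` is rejected rather than escaped), a bounded `LIMIT`, and canonicalised timestamps. The index pattern `.alerts-security.alerts-default`, the field `kibana.alert.risk_score`, the ceiling of 500, the function names `buildAlertSummaryEsql`/`buildAlertsPreviewEsql`, and the exact query shapes are assumptions chosen for illustration, not taken from the project.

```typescript
// Added example, not code from the Kibana PR. Validates the user-controlled
// inputs of an alert-selection UI before they are placed into ES|QL text.
// Assumptions: index pattern, risk score field, ceiling and query shapes.

const ALERTS_INDEX = '.alerts-security.alerts-default'; // assumption
const RISK_SCORE_FIELD = 'kibana.alert.risk_score';      // assumption
const MAX_ALERTS_CEILING = 500;                          // assumption

// Conservative allowlist for an unquoted ES|QL field name. Spaces, pipes,
// quotes and backticks are rejected outright, so user input can never add
// commands to the query.
const SAFE_FIELD_NAME = /^(@timestamp|[A-Za-z_][A-Za-z0-9_.]*)$/;

interface DateRange {
  start: string; // ISO 8601, e.g. 2024-12-23T10:49:10.000Z
  end: string;
}

function assertSafeFieldName(field: string): string {
  if (!SAFE_FIELD_NAME.test(field)) {
    throw new Error(`refusing unsafe ES|QL field name: ${JSON.stringify(field)}`);
  }
  return field;
}

// Bound the LIMIT: non-integer, zero, negative or oversized values never pass through.
function clampMaxAlerts(maxAlerts: number): number {
  if (!isFinite(maxAlerts)) {
    throw new Error('maxAlerts must be a finite number');
  }
  return Math.min(MAX_ALERTS_CEILING, Math.max(1, Math.floor(maxAlerts)));
}

// Both bounds must parse and start must precede end. The values are re-serialised
// from the parsed Date, so only canonical ISO text reaches the query.
function normalizeRange(range: DateRange): DateRange {
  const start = new Date(range.start);
  const end = new Date(range.end);
  if (isNaN(start.getTime()) || isNaN(end.getTime())) {
    throw new Error('start and end must be valid ISO 8601 timestamps');
  }
  if (start.getTime() >= end.getTime()) {
    throw new Error('start must be earlier than end');
  }
  return { start: start.toISOString(), end: end.toISOString() };
}

function timeFilter(range: DateRange): string {
  const { start, end } = normalizeRange(range);
  return `WHERE @timestamp >= TO_DATETIME("${start}") AND @timestamp <= TO_DATETIME("${end}")`;
}

// Alert summary: an aggregation counting alerts per value of the stack-by field,
// most frequent first. It never returns individual alert documents.
function buildAlertSummaryEsql(stackBy: string, range: DateRange, maxRows: number): string {
  const field = assertSafeFieldName(stackBy);
  return [
    `FROM ${ALERTS_INDEX}`,
    timeFilter(range),
    `STATS count = COUNT(*) BY ${field}`,
    'SORT count DESC',
    `LIMIT ${clampMaxAlerts(maxRows)}`,
  ].join('\n| ');
}

// Alerts preview: the concrete alerts that would be sent as LLM context,
// highest risk score first, capped at maxAlerts.
function buildAlertsPreviewEsql(range: DateRange, maxAlerts: number): string {
  return [
    `FROM ${ALERTS_INDEX}`,
    timeFilter(range),
    `SORT ${RISK_SCORE_FIELD} DESC, @timestamp DESC`,
    `LIMIT ${clampMaxAlerts(maxAlerts)}`,
  ].join('\n| ');
}

// Constructed sample input: a 24-hour window expressed as absolute times.
const SAMPLE_RANGE: DateRange = {
  start: '2024-12-23T10:49:10.000Z',
  end: '2024-12-24T10:49:10.000Z',
};

console.log(buildAlertSummaryEsql('host.name', SAMPLE_RANGE, 100));
console.log(buildAlertsPreviewEsql(SAMPLE_RANGE, 20));
```

Rejecting rather than escaping the field name is deliberate: ES|QL has no parameter binding for identifiers, so an allowlist is the only robust defence when the value originates in a UI control.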