[Security Solution][Detections] New Rule Execution Log UI #119599

Closed
Tracked by #101014
banderror opened this issue Nov 24, 2021 · 2 comments
Assignees
Labels
8.2 candidate considered, but not committed, for 8.2 release Feature:Rule Monitoring Security Solution Detection Rule Monitoring SecuritySolution:QAAssist Part of QA testing process for release Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.2.0

Comments

banderror (Contributor) commented Nov 24, 2021

Parent ticket: #101014

Summary

Implement a basic Rule Execution Log UI. A simple log view with search, basic filters and pagination. No visualized view, no grouping by the rule execution UUID.

@botelastic botelastic bot added the needs-team Issues missing a team label label Nov 24, 2021
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.1.0 Team:Detection Rule Management Security Detection Rule Management Team labels Nov 24, 2021
@botelastic botelastic bot removed the needs-team Issues missing a team label label Nov 24, 2021
@banderror banderror added the Feature:Rule Monitoring Security Solution Detection Rule Monitoring label Nov 24, 2021
@spong spong self-assigned this Dec 13, 2021
spong (Member) commented Feb 1, 2022

Discussed #124198 with team, holding for 8.2 to further iterate on implementation and UX.

@spong spong added v8.2.0 and removed v8.1.0 labels Feb 1, 2022
@banderror banderror added the 8.2 candidate considered, but not committed, for 8.2 release label Feb 15, 2022
@banderror banderror added the SecuritySolution:QAAssist Part of QA testing process for release label Mar 10, 2022
spong added a commit that referenced this issue Mar 28, 2022

## Summary

Resolves #119598, #119599, #101014

Test plan ([internal doc](https://docs.google.com/document/d/1-prIUGYaPHiwGA79CgSdw1926lxIPKGWWkYOUD2BM1U/edit#heading=h.womzsfdt6zt8))

Adds `Rule Execution Log` table to Rule Details page:

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/158540840-e9cddb9b-f33d-4b95-86ad-cb3e0a00cf39.gif" />
</p>


### Implementation notes

The useful metrics within `event-log` for a given rule execution are spread between a few different platform (`execute-start`, `execute`) and security (`execution-metrics`, `status-change`) events. In an effort to provide consolidated metrics per rule execution (and to avoid a lot of empty cells and mismatched statuses like in the image below)

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/151933881-2e58f4d7-4cda-4528-9d44-37cb7bd5de9c.png" />
</p>



these rule execution events are aggregated by their `executionId`, and then fields are merged from each different event. This PR was re-worked to take advantage of the new event-log aggregation support added in #126948, and is no longer implemented as an in-memory aggregation server side.

* Due to restrictions around supplying search filters that may match multiple sub-agg buckets and missing data ([see discussion here](https://github.com/elastic/kibana/pull/127339/files#r825240516)), it was decided that we'd disable the search bar for the time being. We have both a near-term (writing single rollup event) and long-term (ES|QL) solution that will allow us to re-enable this functionality.

* Note, since a `terms` agg is used to fetch all execution events, an upper bound must be set. See [this discussion](https://github.com/elastic/kibana/pull/127339/files#r823035420) for more details, but setting this max to `1000` events for the time being, and returning total cardinality of execution events back within `total` to allow the UI to inform the user that they should narrow their search further to better isolate and find possible issues. This should be a reasonable constraint for almost all rules, as for a rule executing every 5 minutes, 1000 executions would cover over 3 days of execution time.

<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/159045563-966896b4-3cd1-475d-9f0e-c2d300683546.png" />
</p>


The `Filter for alerts` action will be available on all `Succeeded`/`Partial Failure` executions even if there weren't alerts generated until #126210 is merged and we can start returning the alert count, at which point we can programmatically enable/disable this action based on alert count.



<p align="center">
  <img width="300" src="https://user-images.githubusercontent.com/2946766/159051762-e2f97ba4-4ce1-4f67-8ae1-395e4b191cab.png" />
</p>
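The commit notes above describe three things: merging the platform and security event-log documents of one run into a single row keyed by execution id, capping the number of executions returned (with `total` carrying the true cardinality so the UI can warn the user), and why a free-text search had to be disabled. The following is an added illustration of that logic in TypeScript, not code from the Kibana PR; the document shape and field names (`executionId`, `ruleId`, `event.durationMs`, `metrics.searchMs`, `metrics.indexingMs`) are assumptions modelled on the prose, and the sample documents are constructed. It also shows the failure mode behind the disabled search bar: a text filter applied to individual documents before grouping removes the `execute-start` document of a matching execution, so the merged row comes back with empty cells.

```typescript
// Added example (not Kibana's own code). Consolidates per-execution event-log
// documents into one row per executionId, caps the rows like a sized `terms`
// aggregation, and reports the distinct-execution count as `total`.
// All field names are assumptions modelled on the PR description.

type EventAction = 'execute-start' | 'execute' | 'execution-metrics' | 'status-change';

interface EventLogDoc {
  '@timestamp': string;
  event: { action: EventAction; durationMs?: number }; // durationMs only on `execute` (assumed name)
  executionId: string;                                   // assumption: per-run UUID the PR calls `executionId`
  ruleId: string;                                        // assumption: id of the rule that produced the doc
  status?: 'succeeded' | 'partial failure' | 'failed';   // only on `status-change`
  message?: string;                                      // only on `status-change`
  metrics?: { searchMs?: number; indexingMs?: number };  // only on `execution-metrics`
}

interface ExecutionRow {
  executionId: string;
  startedAt?: string;
  durationMs?: number;
  status?: string;
  message?: string;
  searchMs?: number;
  indexingMs?: number;
}

interface ExecutionLogResult {
  events: ExecutionRow[];
  total: number;      // cardinality of executionIds, not events.length
  truncated: boolean; // true when total > maxExecutions: UI should ask the user to narrow the range
}

const MAX_EXECUTIONS = 1000;

// Merge the documents of a single execution. Each field comes from exactly one
// event type, so the order of documents within the group does not matter.
function mergeExecutionEvents(executionId: string, docs: EventLogDoc[]): ExecutionRow {
  const row: ExecutionRow = { executionId };
  for (const doc of docs) {
    switch (doc.event.action) {
      case 'execute-start':
        row.startedAt = doc['@timestamp'];
        break;
      case 'execute':
        row.durationMs = doc.event.durationMs;
        break;
      case 'execution-metrics':
        row.searchMs = doc.metrics?.searchMs;
        row.indexingMs = doc.metrics?.indexingMs;
        break;
      case 'status-change':
        row.status = doc.status;
        row.message = doc.message;
        break;
    }
  }
  return row;
}

// Group one rule's documents by executionId, newest run first, capped at
// maxExecutions. `docFilter` mimics a per-document search filter: it runs
// before grouping and therefore drops sibling documents of a matching run.
function buildExecutionLog(
  docs: EventLogDoc[],
  ruleId: string,
  maxExecutions: number = MAX_EXECUTIONS,
  docFilter?: (doc: EventLogDoc) => boolean,
): ExecutionLogResult {
  const byExecution = new Map<string, EventLogDoc[]>();
  for (const doc of docs) {
    if (doc.ruleId !== ruleId) continue;
    if (docFilter && !docFilter(doc)) continue;
    const group = byExecution.get(doc.executionId) ?? [];
    group.push(doc);
    byExecution.set(doc.executionId, group);
  }
  const total = byExecution.size;
  const events = Array.from(byExecution.entries())
    .map(([id, group]) => mergeExecutionEvents(id, group))
    // a run whose execute-start document is missing sorts last instead of throwing
    .sort((a, b) => (b.startedAt ?? '').localeCompare(a.startedAt ?? ''))
    .slice(0, maxExecutions);
  return { events, total, truncated: total > maxExecutions };
}

// Constructed sample data: two runs of rule "r1" and one run of rule "r2".
const SAMPLE_DOCS: EventLogDoc[] = [
  { '@timestamp': '2022-03-28T10:00:00.000Z', event: { action: 'execute-start' }, executionId: 'exec-a', ruleId: 'r1' },
  { '@timestamp': '2022-03-28T10:00:02.000Z', event: { action: 'execution-metrics' }, executionId: 'exec-a', ruleId: 'r1', metrics: { searchMs: 1200, indexingMs: 300 } },
  { '@timestamp': '2022-03-28T10:00:02.500Z', event: { action: 'status-change' }, executionId: 'exec-a', ruleId: 'r1', status: 'succeeded', message: 'succeeded' },
  { '@timestamp': '2022-03-28T10:00:03.000Z', event: { action: 'execute', durationMs: 3000 }, executionId: 'exec-a', ruleId: 'r1' },
  { '@timestamp': '2022-03-28T10:05:00.000Z', event: { action: 'execute-start' }, executionId: 'exec-b', ruleId: 'r1' },
  { '@timestamp': '2022-03-28T10:05:01.000Z', event: { action: 'status-change' }, executionId: 'exec-b', ruleId: 'r1', status: 'partial failure', message: 'one index returned an error (constructed)' },
  { '@timestamp': '2022-03-28T10:05:00.000Z', event: { action: 'execute-start' }, executionId: 'exec-c', ruleId: 'r2' },
];
```

Calling `buildExecutionLog(SAMPLE_DOCS, 'r1')` yields two fully populated rows with `total: 2`; passing `maxExecutions = 1` returns only the newest run but still reports `total: 2` and `truncated: true`, which is the signal the UI uses to prompt for a narrower range. Passing a `docFilter` that matches on `message` returns `exec-b` with `startedAt` undefined, the empty-cell effect the PR avoids by leaving the search bar disabled until filtering can be applied per execution rather than per document.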
spong (Member) commented Mar 30, 2022

Resolved in #126215, closing...

@spong spong closed this as completed Mar 30, 2022