[Security Solution] Refactor timeline to use global query string helpers #136273

machadoum · 2022-07-13T11:25:58Z

original issue #123617
Following up #134210
Documentation use_url_state proposal

Summary

Refactor timeline to use global query string.
It also deletes use_url_state and related code.

Checklist

Delete any items that are not applicable to this PR.

Unit or functional tests were updated or added to match the most common scenarios

Migration status

What to test

It should not present changes to the final user.
Test timelines page and timeline widget
Changes to the timeline should reflect on the URL
When opening a timeline and refreshing the page the timeline should open again.
I should fetch the conflicted timeline when opening a timeline from the conflict id warning message (the conflict scenario happens when migrating from an older version to 8.0+).

How to reproduce conflicted timeline ids?

Open the console and execute:

POST .kibana/_bulk
{"index":{"_id":"siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test1"}}
{"siem-ui-timeline":{"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1634573446178,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":"2021-10-19T03:59:59.999Z","start":"2021-10-18T04:00:00.000Z"},"description":"","eqlOptions":{"eventCategoryField":"event.category","query":"","size":100,"tiebreakerField":"","timestampField":"@timestamp"},"eventType":"all","excludedRowRendererIds":[],"filters":[],"indexNames":["logs-*",".siem-signals-default"],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"event.id: * ","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"event.id\"}}],\"minimum_should_match\":1}}"}},"sort":[{"columnId":"@timestamp","columnType":"number","sortDirection":"desc"}],"status":"active","templateTimelineId":null,"templateTimelineVersion":null,"timelineType":"default","title":"Exportable Timeline","updated":1634573457363,"updatedBy":"elastic"},"coreMigrationVersion":"8.0.0","migrationVersion":{"siem-ui-timeline":"8.0.0"},"references":[],"type":"siem-ui-timeline","updated_at":"2021-10-18T16:10:57.366Z","namespaces":["test1"]}
{"index":{"_id":"siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test2-newId"}}
{"siem-ui-timeline":{"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1634573446178,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":"2021-10-19T03:59:59.999Z","start":"2021-10-18T04:00:00.000Z"},"description":"","eqlOptions":{"eventCategoryField":"event.category","query":"","size":100,"tiebreakerField":"","timestampField":"@timestamp"},"eventType":"all","excludedRowRendererIds":[],"filters":[],"indexNames":["logs-*",".siem-signals-default"],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"event.id: * ","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"event.id\"}}],\"minimum_should_match\":1}}"}},"sort":[{"columnId":"@timestamp","columnType":"number","sortDirection":"desc"}],"status":"active","templateTimelineId":null,"templateTimelineVersion":null,"timelineType":"default","title":"Exportable Timeline","updated":1634573457363,"updatedBy":"elastic"},"coreMigrationVersion":"8.0.0","migrationVersion":{"siem-ui-timeline":"8.0.0"},"references":[],"type":"siem-ui-timeline","updated_at":"2021-10-18T16:10:57.366Z","namespaces":["test2"]}
{"index":{"_id":"siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test3"}}
{"siem-ui-timeline":{"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1634573446178,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":"2021-10-19T03:59:59.999Z","start":"2021-10-18T04:00:00.000Z"},"description":"","eqlOptions":{"eventCategoryField":"event.category","query":"","size":100,"tiebreakerField":"","timestampField":"@timestamp"},"eventType":"all","excludedRowRendererIds":[],"filters":[],"indexNames":["logs-*",".siem-signals-default"],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"event.id: * ","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"event.id\"}}],\"minimum_should_match\":1}}"}},"sort":[{"columnId":"@timestamp","columnType":"number","sortDirection":"desc"}],"status":"active","templateTimelineId":null,"templateTimelineVersion":null,"timelineType":"default","title":"Exportable Timeline","updated":1634573457363,"updatedBy":"elastic"},"coreMigrationVersion":"8.0.0","migrationVersion":{"siem-ui-timeline":"8.0.0"},"references":[],"type":"siem-ui-timeline","updated_at":"2021-10-18T16:10:57.366Z","namespaces":["test3"]}
{"index":{"_id":"siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test3-newId"}}
{"siem-ui-timeline":{"columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"created":1634573446178,"createdBy":"elastic","dataProviders":[],"dateRange":{"end":"2021-10-19T03:59:59.999Z","start":"2021-10-18T04:00:00.000Z"},"description":"","eqlOptions":{"eventCategoryField":"event.category","query":"","size":100,"tiebreakerField":"","timestampField":"@timestamp"},"eventType":"all","excludedRowRendererIds":[],"filters":[],"indexNames":["logs-*",".siem-signals-default"],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"expression":"event.id: * ","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"event.id\"}}],\"minimum_should_match\":1}}"}},"sort":[{"columnId":"@timestamp","columnType":"number","sortDirection":"desc"}],"status":"active","templateTimelineId":null,"templateTimelineVersion":null,"timelineType":"default","title":"Exportable Timeline","updated":1634573457363,"updatedBy":"elastic"},"coreMigrationVersion":"8.0.0","migrationVersion":{"siem-ui-timeline":"8.0.0"},"references":[],"type":"siem-ui-timeline","updated_at":"2021-10-18T16:10:57.366Z","namespaces":["test3"]}
{"index":{"_id":"legacy-url-alias:test2:siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test2"}}
{"legacy-url-alias":{"targetNamespace":"test2","targetType":"siem-ui-timeline","targetId":"f3b13020-302d-11ec-8418-4787b7fe6908-test2-newId","sourceId":"f3b13020-302d-11ec-8418-4787b7fe6908-test2"},"type":"legacy-url-alias","references":[]}
{"index":{"_id":"legacy-url-alias:test3:siem-ui-timeline:f3b13020-302d-11ec-8418-4787b7fe6908-test3"}}
{"legacy-url-alias":{"targetNamespace":"test3","targetType":"siem-ui-timeline","targetId":"f3b13020-302d-11ec-8418-4787b7fe6908-test3-newId","sourceId":"f3b13020-302d-11ec-8418-4787b7fe6908-test3"},"type":"legacy-url-alias","references":[]}
{"index":{"_id":"space:test1"}}
{"space":{"name":"Test 1: Resolve Exact Match","initials":"T1","description":"In this space, test object(s) will resolve with an \"exactMatch\" outcome.","disabledFeatures":[]},"type":"space"}
{"index":{"_id":"space:test2"}}
{"space":{"name":"Test 2: Resolve Alias Match","initials":"T2","description":"In this space, test object(s) will resolve with an \"aliasMatch\" outcome.","disabledFeatures":[]},"type":"space"}
{"index":{"_id":"space:test3"}}
{"space":{"name":"Test 3: Resolve Conflict","initials":"T3","description":"In this space, test object(s) will resolve with a \"conflict\" outcome.","disabledFeatures":[]},"type":"space"}

Go to security solutions and open the conflicted id workspace (Test 3: Resolve Conflict).
Open the timelines page and click on one of the timelines
A warning message will show up. Then you click on the link
It should fetch the data for the new timeline.

machadoum · 2022-07-25T11:26:48Z

@elasticmachine merge upstream

...ecurity_solution/public/common/hooks/timeline/use_query_timeline_by_id_on_url_change.test.ts

...ins/security_solution/public/common/hooks/timeline/use_query_timeline_by_id_on_url_change.ts

x-pack/plugins/security_solution/public/common/hooks/use_update_browser_title.ts

x-pack/plugins/security_solution/public/common/utils/global_query_string/helpers.ts

elasticmachine · 2022-07-25T11:49:11Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine · 2022-07-25T11:49:13Z

Pinging @elastic/security-solution (Team: SecuritySolution)

zizhouW

x-pack/plugins/security_solution/public/common/components/sessions_viewer/index.test.tsx changes LGTM

x-pack/plugins/security_solution/public/common/hooks/timeline/use_sync_timeline_url_param.ts

semd

That's amazing Pablo. The url query logic has much more sense now. thanks for doing this improvement, and the cleaning 🧹 Tested locally, I have not detected any change in the application behavior.
I only left a small suggestion.
LGTM!

kibanamachine · 2022-08-02T15:41:42Z