[Security Solution] Support rule snoozing on the Rule Editing page #147737
Labels
8.8 candidate
Feature:Rule Actions
Security Solution Detection Rule Actions area
Feature:Rule Creation
Security Solution Detection Rule Creation workflow
needs design
Team:Detection Rule Management
Security Detection Rule Management Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
maximpn
added a commit
that referenced
this issue
Apr 25, 2023
**Addresses:** #147737

## Summary

This PR adds rule snooze feature on the Rule editing page.

https://user-images.githubusercontent.com/3775283/234186169-72db1d91-ad34-4cea-922d-b0c96752c3d3.mov

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
maximpn
added a commit
that referenced
this issue
May 5, 2023
…age (#155850)

**Addresses:** #147737
**Relates to:** #155612

## Summary

After merging #155612 back there is one issue left unresolved, described in this [comment](https://github.com/elastic/kibana/pull/155612#discussion_r1175545697):

> Looks like we show the `Actions will not be preformed until it is unsnoozed` message unconditionally, i.e. regardless of whether the rule is snoozed or not. Since it's in bold it feels like a warning in the case where it doesn't really matter:

> Can we hide it when the rule is not snoozed? If it's not trivial, can we make it look less dangerous by making the font regular and playing with the copy a little bit? E.g. `If snoozed actions will not be triggered`.

This PR resolves the rule snooze description text issue. As snooze settings are resolved outside the security solution plugin, having any logic to conditionally display a message will increase the complexity. This way the message was changed to avoid any text appearing conditionally.

*Before:*

<img width="703" alt="Screenshot 2023-04-24 at 18 36 31" src="https://user-images.githubusercontent.com/7359339/234060523-fe9161a1-0e83-4d39-a193-81c946d95106.png">

*After:*

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
May 5, 2023
…age (elastic#155850)

(cherry picked from commit 6714d92)
maximpn
added a commit
to maximpn/kibana
that referenced
this issue
May 5, 2023
…age (elastic#155850)

(cherry picked from commit 6714d92)
kibanamachine
referenced
this issue
May 5, 2023
…ting page (#155850) (#156888)

# Backport

This will backport the following commits from `main` to `8.8`:

- [[Security Solution] Fix rule snooze description on the rule editing page (#155850)](#155850)

<!--- Backport version: 8.9.7 -->

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
Epic: https://github.com/elastic/security-team/issues/5308 (internal)
Depends on: #147735
Summary
Add an indication that the rule is muted/snoozed to the Actions tab of the Rule Editing page.
The current behavior in Security Solution regarding showing actions on the Editing page: if the user sees actions on the Editing page, it means they will be triggered if the rule is enabled and generates alerts. When #147736 is done, muted/snoozed rules will not be shown as having the "Perform no actions" frequency and an empty list of actions anymore. So users might think that these actions will be executed because this is the current behavior. To avoid this confusion, we need to let the user know if the rule is currently muted/snoozed and explain that in this case the actions won't be executed.