[RAC][Alert Triage][Timeline] Update the Alerts Table and Timeline APIs #94520
Labels
Feature:Detection Alerts
Security Solution Detection Alerts Feature
Feature:Timeline
Security Solution Timeline feature
Team:Detections and Resp
Security Detection Response Team
Team:Observability
Team label for Observability Team (for things that are handled across all of observability)
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:Threat Hunting
Security Solution Threat Hunting Team
Theme: rac
label obsolete
Comments
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
5 tasks
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this issue
Apr 1, 2021
… implement `renderCellValue` - This PR implements a superset of the `renderCellValue` API from [EuiDataGrid](https://elastic.github.io/eui/#/tabular-content/data-grid) in the `TGrid` (Timeline grid) API - The TGrid API was also updated to accept a collection of `RowRenderer`s as a prop The API changes are summarized by the following screenshot: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> Related (RAC) issue: elastic#94520 ### Details The `StatefulEventsViewer` has been updated to accept `renderCellValue` as a (required) prop: ``` renderCellValue: (props: CellValueElementProps) => React.ReactNode; ``` The type definition of `CellValueElementProps` is: ``` export type CellValueElementProps = EuiDataGridCellValueElementProps & { data: TimelineNonEcsData[]; eventId: string; // _id header: ColumnHeaderOptions; linkValues: string[] | undefined; timelineId: string; }; ``` The `CellValueElementProps` type above is a _superset_ of `EuiDataGridCellValueElementProps`. The additional properties above include the `data` returned by the TGrid when it performs IO to retrieve alerts and events. ### Using `renderCellValue` to control rendering The internal implementation of TGrid's cell rendering didn't change with this PR; it moved to `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` as shown below: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => ( <> {getColumnRenderer(header.id, columnRenderers, data).renderColumn({ columnName: header.id, eventId, field: header, linkValues, timelineId, truncate: true, values: getMappedNonEcsValue({ data, fieldName: header.id, }), })} </> ); ``` Any usages of TGrid were updated to pass `DefaultCellRenderer` as the value of the `renderCellValue` prop, as shown in the screenshot below: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The `EuiDataGrid` [codesandbox example](https://codesandbox.io/s/nsmzs) provides the following example `renderCellValue` implementation, which highlights a cell green based on it's numeric value: ``` const renderCellValue = useMemo(() => { return ({ rowIndex, columnId, setCellProps }) => { const data = useContext(DataContext); useEffect(() => { if (columnId === 'amount') { if (data.hasOwnProperty(rowIndex)) { const numeric = parseFloat( data[rowIndex][columnId].match(/\d+\.\d+/)[0], 10 ); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.0002})`, }, }); } } }, [rowIndex, columnId, setCellProps, data]); function getFormatted() { return data[rowIndex][columnId].formatted ? data[rowIndex][columnId].formatted : data[rowIndex][columnId]; } return data.hasOwnProperty(rowIndex) ? getFormatted(rowIndex, columnId) : null; }; }, []); ``` The sample code above formats the `amount` column in the example `EuiDataGrid` with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="956" alt="datagrid-cell-formatting" src="https://user-images.githubusercontent.com/4459398/113348300-a782af80-92f3-11eb-896a-3d92cf4b9b53.png"> To demonstrate that similar styling can be applied to TGrid using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs), we can update the `DefaultCellRenderer` in `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` to apply a similar technique: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => { useEffect(() => { if (columnId === 'signal.rule.risk_score') { const value = getMappedNonEcsValue({ data, fieldName: columnId, }); if (Array.isArray(value) && value.length > 0) { const numeric = parseFloat(value[0]); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.002})`, }, }); } } }, [columnId, data, setCellProps]); return ( <> {getMappedNonEcsValue({ data, fieldName: columnId, })} </> ); }; ``` The example code above renders the `signal.rule.risk_score` column in the Alerts table with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are not rendered as draggables.
andrew-goldstein
added a commit
that referenced
this issue
Apr 5, 2021
…lement `renderCellValue` (#96098) ### [RAC][Alert Triage][TGrid] Update the Alerts Table (TGrid) API to implement `renderCellValue` - This PR implements a superset of the `renderCellValue` API from [EuiDataGrid](https://elastic.github.io/eui/#/tabular-content/data-grid) in the `TGrid` (Timeline grid) API - The TGrid API was also updated to accept a collection of `RowRenderer`s as a prop The API changes are summarized by the following screenshot: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The following screenshot shows the `signal.rule.risk_score` column in the Alerts table being rendered with a green background color, using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs): <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are also _not_ rendered as draggables. Related (RAC) issue: #94520 ### Details The `StatefulEventsViewer` has been updated to accept `renderCellValue` as a (required) prop: ``` renderCellValue: (props: CellValueElementProps) => React.ReactNode; ``` The type definition of `CellValueElementProps` is: ``` export type CellValueElementProps = EuiDataGridCellValueElementProps & { data: TimelineNonEcsData[]; eventId: string; // _id header: ColumnHeaderOptions; linkValues: string[] | undefined; timelineId: string; }; ``` The `CellValueElementProps` type above is a _superset_ of `EuiDataGridCellValueElementProps`. The additional properties above include the `data` returned by the TGrid when it performs IO to retrieve alerts and events. ### Using `renderCellValue` to control rendering The internal implementation of TGrid's cell rendering didn't change with this PR; it moved to `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` as shown below: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => ( <> {getColumnRenderer(header.id, columnRenderers, data).renderColumn({ columnName: header.id, eventId, field: header, linkValues, timelineId, truncate: true, values: getMappedNonEcsValue({ data, fieldName: header.id, }), })} </> ); ``` Any usages of TGrid were updated to pass `DefaultCellRenderer` as the value of the `renderCellValue` prop, as shown in the screenshot below: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The `EuiDataGrid` [codesandbox example](https://codesandbox.io/s/nsmzs) provides the following example `renderCellValue` implementation, which highlights a cell green based on it's numeric value: ``` const renderCellValue = useMemo(() => { return ({ rowIndex, columnId, setCellProps }) => { const data = useContext(DataContext); useEffect(() => { if (columnId === 'amount') { if (data.hasOwnProperty(rowIndex)) { const numeric = parseFloat( data[rowIndex][columnId].match(/\d+\.\d+/)[0], 10 ); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.0002})`, }, }); } } }, [rowIndex, columnId, setCellProps, data]); function getFormatted() { return data[rowIndex][columnId].formatted ? data[rowIndex][columnId].formatted : data[rowIndex][columnId]; } return data.hasOwnProperty(rowIndex) ? getFormatted(rowIndex, columnId) : null; }; }, []); ``` The sample code above formats the `amount` column in the example `EuiDataGrid` with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="956" alt="datagrid-cell-formatting" src="https://user-images.githubusercontent.com/4459398/113348300-a782af80-92f3-11eb-896a-3d92cf4b9b53.png"> To demonstrate that similar styling can be applied to TGrid using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs), we can update the `DefaultCellRenderer` in `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` to apply a similar technique: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => { useEffect(() => { if (columnId === 'signal.rule.risk_score') { const value = getMappedNonEcsValue({ data, fieldName: columnId, }); if (Array.isArray(value) && value.length > 0) { const numeric = parseFloat(value[0]); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.002})`, }, }); } } }, [columnId, data, setCellProps]); return ( <> {getMappedNonEcsValue({ data, fieldName: columnId, })} </> ); }; ``` The example code above renders the `signal.rule.risk_score` column in the Alerts table with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are not rendered as draggables.
andrew-goldstein
added a commit
to andrew-goldstein/kibana
that referenced
this issue
Apr 5, 2021
…lement `renderCellValue` (elastic#96098) ### [RAC][Alert Triage][TGrid] Update the Alerts Table (TGrid) API to implement `renderCellValue` - This PR implements a superset of the `renderCellValue` API from [EuiDataGrid](https://elastic.github.io/eui/#/tabular-content/data-grid) in the `TGrid` (Timeline grid) API - The TGrid API was also updated to accept a collection of `RowRenderer`s as a prop The API changes are summarized by the following screenshot: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The following screenshot shows the `signal.rule.risk_score` column in the Alerts table being rendered with a green background color, using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs): <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are also _not_ rendered as draggables. Related (RAC) issue: elastic#94520 ### Details The `StatefulEventsViewer` has been updated to accept `renderCellValue` as a (required) prop: ``` renderCellValue: (props: CellValueElementProps) => React.ReactNode; ``` The type definition of `CellValueElementProps` is: ``` export type CellValueElementProps = EuiDataGridCellValueElementProps & { data: TimelineNonEcsData[]; eventId: string; // _id header: ColumnHeaderOptions; linkValues: string[] | undefined; timelineId: string; }; ``` The `CellValueElementProps` type above is a _superset_ of `EuiDataGridCellValueElementProps`. The additional properties above include the `data` returned by the TGrid when it performs IO to retrieve alerts and events. ### Using `renderCellValue` to control rendering The internal implementation of TGrid's cell rendering didn't change with this PR; it moved to `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` as shown below: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => ( <> {getColumnRenderer(header.id, columnRenderers, data).renderColumn({ columnName: header.id, eventId, field: header, linkValues, timelineId, truncate: true, values: getMappedNonEcsValue({ data, fieldName: header.id, }), })} </> ); ``` Any usages of TGrid were updated to pass `DefaultCellRenderer` as the value of the `renderCellValue` prop, as shown in the screenshot below: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The `EuiDataGrid` [codesandbox example](https://codesandbox.io/s/nsmzs) provides the following example `renderCellValue` implementation, which highlights a cell green based on it's numeric value: ``` const renderCellValue = useMemo(() => { return ({ rowIndex, columnId, setCellProps }) => { const data = useContext(DataContext); useEffect(() => { if (columnId === 'amount') { if (data.hasOwnProperty(rowIndex)) { const numeric = parseFloat( data[rowIndex][columnId].match(/\d+\.\d+/)[0], 10 ); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.0002})`, }, }); } } }, [rowIndex, columnId, setCellProps, data]); function getFormatted() { return data[rowIndex][columnId].formatted ? data[rowIndex][columnId].formatted : data[rowIndex][columnId]; } return data.hasOwnProperty(rowIndex) ? getFormatted(rowIndex, columnId) : null; }; }, []); ``` The sample code above formats the `amount` column in the example `EuiDataGrid` with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="956" alt="datagrid-cell-formatting" src="https://user-images.githubusercontent.com/4459398/113348300-a782af80-92f3-11eb-896a-3d92cf4b9b53.png"> To demonstrate that similar styling can be applied to TGrid using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs), we can update the `DefaultCellRenderer` in `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` to apply a similar technique: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => { useEffect(() => { if (columnId === 'signal.rule.risk_score') { const value = getMappedNonEcsValue({ data, fieldName: columnId, }); if (Array.isArray(value) && value.length > 0) { const numeric = parseFloat(value[0]); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.002})`, }, }); } } }, [columnId, data, setCellProps]); return ( <> {getMappedNonEcsValue({ data, fieldName: columnId, })} </> ); }; ``` The example code above renders the `signal.rule.risk_score` column in the Alerts table with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are not rendered as draggables.
andrew-goldstein
added a commit
that referenced
this issue
Apr 5, 2021
…lement `renderCellValue` (#96098) (#96233) ### [RAC][Alert Triage][TGrid] Update the Alerts Table (TGrid) API to implement `renderCellValue` - This PR implements a superset of the `renderCellValue` API from [EuiDataGrid](https://elastic.github.io/eui/#/tabular-content/data-grid) in the `TGrid` (Timeline grid) API - The TGrid API was also updated to accept a collection of `RowRenderer`s as a prop The API changes are summarized by the following screenshot: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The following screenshot shows the `signal.rule.risk_score` column in the Alerts table being rendered with a green background color, using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs): <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are also _not_ rendered as draggables. Related (RAC) issue: #94520 ### Details The `StatefulEventsViewer` has been updated to accept `renderCellValue` as a (required) prop: ``` renderCellValue: (props: CellValueElementProps) => React.ReactNode; ``` The type definition of `CellValueElementProps` is: ``` export type CellValueElementProps = EuiDataGridCellValueElementProps & { data: TimelineNonEcsData[]; eventId: string; // _id header: ColumnHeaderOptions; linkValues: string[] | undefined; timelineId: string; }; ``` The `CellValueElementProps` type above is a _superset_ of `EuiDataGridCellValueElementProps`. The additional properties above include the `data` returned by the TGrid when it performs IO to retrieve alerts and events. ### Using `renderCellValue` to control rendering The internal implementation of TGrid's cell rendering didn't change with this PR; it moved to `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` as shown below: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => ( <> {getColumnRenderer(header.id, columnRenderers, data).renderColumn({ columnName: header.id, eventId, field: header, linkValues, timelineId, truncate: true, values: getMappedNonEcsValue({ data, fieldName: header.id, }), })} </> ); ``` Any usages of TGrid were updated to pass `DefaultCellRenderer` as the value of the `renderCellValue` prop, as shown in the screenshot below: <img width="1239" alt="render-cell-value" src="https://user-images.githubusercontent.com/4459398/113345484-c121f800-92ef-11eb-8a21-2b6dd8ef499b.png"> The `EuiDataGrid` [codesandbox example](https://codesandbox.io/s/nsmzs) provides the following example `renderCellValue` implementation, which highlights a cell green based on it's numeric value: ``` const renderCellValue = useMemo(() => { return ({ rowIndex, columnId, setCellProps }) => { const data = useContext(DataContext); useEffect(() => { if (columnId === 'amount') { if (data.hasOwnProperty(rowIndex)) { const numeric = parseFloat( data[rowIndex][columnId].match(/\d+\.\d+/)[0], 10 ); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.0002})`, }, }); } } }, [rowIndex, columnId, setCellProps, data]); function getFormatted() { return data[rowIndex][columnId].formatted ? data[rowIndex][columnId].formatted : data[rowIndex][columnId]; } return data.hasOwnProperty(rowIndex) ? getFormatted(rowIndex, columnId) : null; }; }, []); ``` The sample code above formats the `amount` column in the example `EuiDataGrid` with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="956" alt="datagrid-cell-formatting" src="https://user-images.githubusercontent.com/4459398/113348300-a782af80-92f3-11eb-896a-3d92cf4b9b53.png"> To demonstrate that similar styling can be applied to TGrid using the same technique illustrated by `EuiDataGrid`'s [codesandbox example](https://codesandbox.io/s/nsmzs), we can update the `DefaultCellRenderer` in `x-pack/plugins/security_solution/public/timelines/components/timeline/cell_rendering/default_cell_renderer.tsx` to apply a similar technique: ``` export const DefaultCellRenderer: React.FC<CellValueElementProps> = ({ columnId, data, eventId, header, linkValues, setCellProps, timelineId, }) => { useEffect(() => { if (columnId === 'signal.rule.risk_score') { const value = getMappedNonEcsValue({ data, fieldName: columnId, }); if (Array.isArray(value) && value.length > 0) { const numeric = parseFloat(value[0]); setCellProps({ style: { backgroundColor: `rgba(0, 255, 0, ${numeric * 0.002})`, }, }); } } }, [columnId, data, setCellProps]); return ( <> {getMappedNonEcsValue({ data, fieldName: columnId, })} </> ); }; ``` The example code above renders the `signal.rule.risk_score` column in the Alerts table with a green `backgroundColor` based on the value of the data, as shown in the screenshot below: <img width="1231" alt="alerts" src="https://user-images.githubusercontent.com/4459398/113349015-a30ac680-92f4-11eb-8518-5c1b7465e76e.png"> Note: In the screenshot above, the values in the Alerts table are not rendered as draggables. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
14 tasks
|
#98241 updates the TGrid API to implement a subset of the
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
[RAC][Alert Triage][Timeline] Update the Alerts Table and Timeline APIs
Timeline-based tables provide APIs for configuring columns, customizing actions, and integrating with Kibana APIs for other concerns such as applying filters to the KQL bar at the top of the page, querying for alerts / events, and persisting investigations via saved objects.
The purpose of this issue is to update the public APIs for the Alerts Table and Timeline for consumers outside of the Security Solution.
The updated APIs must continue to provide the following functionality:
Timeline-based tables are configured via an API to provide a custom set of default columns for different views, e.g. the Alerts table on the Detections page, Rule Details Pages, Events / External alerts tables, and Timeline itself
Static, page-level query filters are applied via the API to implement Rule Detail, Host Detail, and Network pages
The common
View detailsrow-level action integrates with a flyout to display alert / event detailsThe API allows each table to provide custom row-level actions
Cases optionally link directly to Analyzer (Resolver) Graph Views via URLs
Table-level filtering enables the alerts table to be filtered by alert status
The API enables two-way integration with the KQL bar and Filters, which are located at the top of most pages
All fields on a page, including chart legends and table content, are (optionally) rendered via a component that includes a hover menu that affords a consistent experience for:
Integration with the Detections API, enabling bulk-actions for changing the status of alerts (e.g.
Open,Closed)The API accepts a unique identifier, enabling user-customized columns to persist across page loads via
localStorageTimeline based tables combine query results from alert and non-alert indexes
Investigations containing notes and pinned events are persisted via saved objects in the form of saved Timelines
ndjsonfilesTimeline-based tables are configured via an API to provide a custom set of default columns
Timeline-based tables are configured via an API to provide a custom set of default columns for the:
Alertstable on the Detections pageAlertstable on the Rule Details pageEventsandExternal alertstables on the Host Details pageEventsandExternal alertstables on the Host PageExternal alertson the Network pageTimelineitselfThe API implemented today enables each page where a Timeline-based table is used to specify a unique set of default columns. The configuration includes:
signal.rule.namei18n) custom column label, e.g.Rule nameFor example, the following array defines the default columns used by the Alerts table on the Detections page:
The column configuration above is used in the
Alertstable on the Detections page below:The Alerts table on the Detections page
Static, page-level query filters
Some pages specify static, page-level query filters to some Timeline-based tables.
The following views in the Security Solution are rendered by Timeline-based tables, which pass page-level context to the tables query (via the API):
signal.rule.idfilters the Rule Details page's Timeline-based tableA Rule Details page
host.namefilters both theEventsandExternal Alertstables on Host Details pagesA Host Details page
event.kind": "alert" and source.ip: * and destination.ip: *filters theExternal Alertstable on the Network pageThe Network page
signal.rule.id, to be applied to the table's queryThe common
View detailsrow-level flyout interactionAll Timeline-based tables provide a row level action that, when clicked, displays the details of the alert or event in a flyout:
The View details row-level action opens an Alert Details flyout
View detailsrow-level actionCustom row-level actions
Today, the API enables each Timeline-based table to display a custom set of row-level actions:
Alerts table actions
Events table actions
Timeline contains the superset of all table actions, including some actions that are exclusive to Timeline itself, i.e. the
Add notes for this eventandPin eventactions:Timeline's table actions
Additional actions are programmatically provided to each table via an array of
JSX.Element[]:Row-level actions for updating alert status, and adding rule exceptions
The Alerts view integrates with the Detections API to update the status of alerts and add rule exceptions:
Cases optionally link directly to Analyzer (Resolver) Graph Views via URLs
Timeline-based tables provide the Analyze Event row-level action shown below:
When users click the Analyze Event action, the (Resolver) process graph view is displayed as a table overlay:
Users may attach cases that directly link to Timeline's Analyzer view, shown below:
Table-level filtering
The API enables Timeline-based tables to implement table-level filtering.
For example, the Alerts table provides filtering by alert status:
Table-level filtering
Two-Way integration with the page-level KQL bar and filters
Timeline-based tables use Kibana APIs for two-way integration with the KQL bar and it's Filters, which are located at the top of most pages:
Two-way filtering on the Detections page
An integration with Kibana APIs enables, in the screenshot above:
The Alerts table to be filtered by the KQL bar at the top of the page
The Alerts table to be filtered by Filters added to the KQL bar
Users may, via the hover menu on fields, add filters to the KQL bar at the top of the page
The API must enable the table to be filtered by a page-level KQL bar and its Filters
The API must enable filters in the table to be added to page-level Filters
Hover menu actions
All fields on a page, including chart legends and table content, are (optionally) rendered via a component that includes a hover menu that affords a consistent experience for:
Every field rendered in a Timeline-based table provides the following actions via a hover menu:
Clicking the button above programmatically drag-and-drops the field to Timeline's query area:
Clicking the button above displays an an interactive Top N popover, shown below:
The animated gif below shows the Top N popover appearing when user user clicks
Show top event.actionin the hover menu:The legend items rendered in the popover also contain a hover menu proffering the same actions.
The API must enable consumers to specify the indexes included in Top N aggregations
Copy to clipboard
The Copy to clipboard action formats the field and value using
KQLsyntax, e.g.:Any field on a page, whether it's rendered in a table or not, can be wrapped in a React component that provides the hover menu functionality. By default, the field is rendered / styled as a draggable.
Some applications may not wish to render fields as draggables. Thus:
Integration with the Detections API, enabling bulk-actions for changing the status of alerts (e.g.
Open,Closed)The alerts table enables integrates with the Detections API, enabling bulk-actions for changing the status of alerts (e.g.
Open,Closed):User-customized columns are saved to
localStorageto persist across page-loadsUsers may customize the columns in a table via the Fields Browser, shown below:
The fields browser groups fields from multiple indexes / field mappings into a single view, organized by category, with descriptions. It also provides an affordance for resetting the table to it's specific set of default columns.
Customize ColumnsviewTimeline-based tables persist user-customized columns to the browser's
localStoragewhen:Columns are added to the table via the
Customize ColumnsviewDefault columns are restored via the
Reset fieldsaction in theCustomize ColumnsviewColumns are re-arranged via drag-and drop:
Tableview in the Alert / Event details flyout:localStorageTimeline based tables combine query results from alert and non-alert indexes
Timeline based tables combine query results from alert and non-alert indexes.
Today, Timeline-based tables directly query alert indexes, but a new abstraction layer for querying alerts may soon be available.
Timelines persisted as saved objects
While performing an investigation, users may add inline notes to alerts and events in Timeline via Markdown:
Users may also pin events of interest:
When users are ready to share the notes and pinned events gathered during an investigation, they give the untitled timeline a name. The timeline is then in-turn persisted as a saved object in the Kibana space where it was created.
Timeline saved objects created in the Security Solution before the Timeline is moved to it's own plugin must still be readable, ideally without the need for a saved object migration
Timelines created in the same Kibana space must be readable by any app that embeds Timeline
An API must be provided for exporting Timelines as downlodable
ndjsonfilesAn API must be provided for importing Timeline
ndjsonfiles into a Kibana spaceAcceptance Criteria
signal.rule.id, to be applied to the table's queryView detailsrow-level actionCustomize ColumnsviewlocalStoragendjsonfilesndjsonfiles into a Kibana spaceThe text was updated successfully, but these errors were encountered: