[RAM][SECURITYSOLUTION][ALERTS] - Show warning that custom action intervals cannot be shorter than the rule's check interval #155684
Conversation
…ervals cannot be shorter than the rule's check interval (elastic#155502)
|
@elasticmachine merge upstream |
|
ruled edit form for actions allows to save rule, even if validation fails Screen.Recording.2023-04-25.at.15.24.16.movIt is not possible to save rule on other forms. Please, refer to a recorded video. Same happens on rule creation |
I think we leverage bulk actions dry mode, that was created exactly for this purpose: prevent edit errors by letting know users beforehand the likely outcome of the request. One of the possible ways of implementations:
|
There was a problem hiding this comment.
@e40pud it's a nice UX improvement to the the custom action frequency 👍
I've looked through the changes and left some minor comments. On top of that I've run it locally and noticed inconsistencies like 1 minute interval causes the warning to appear while 60 seconds don't. Warning sign appears either in one or two fields (if there is 1 seconds interval) so it can be unclear for users why it works this way.
Screen.Recording.2023-04-25.at.16.41.12.mov
| value: 0, | ||
| }; | ||
| const filterTimeVal = time.match(/\d+/g); | ||
| const filterTimeType = time.match(/[a-zA-Z]+/g); |
There was a problem hiding this comment.
Is there some reason to match all letters here and check separately for s, m, h and d below? What if there is time string like 1abch or 20mms?
It could be one regex like
/^(\d+)?(ms|s|m|h|d)?$/
to match an expected format strictly.
There was a problem hiding this comment.
Agree with Maxim here, with the additional doubt of why defaulting to 0ms if the only accepted Units are actually ['s', 'm', 'h', 'd']
There was a problem hiding this comment.
Same here.
I just moved this method from another file x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts :-)
If I will have time before the release to address the concerns that you put, I will look into this as well.
| import { isEmpty } from 'lodash/fp'; | ||
| import type { Unit } from '@kbn/datemath'; | ||
|
|
||
| export const getTimeTypeValue = (time: string): { unit: Unit; value: number } => { |
There was a problem hiding this comment.
It'd be really helpful to have a comment with an expected time format.
There was a problem hiding this comment.
+1
I worked last year on creating a TimeDuration io-ts type and added there some explanation of how the type works, that could be of inspiration:
https://github.com/elastic/kibana/blob/main/packages/kbn-securitysolution-io-ts-types/src/time_duration/index.ts
There was a problem hiding this comment.
I just moved this method from another file x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/pages/rule_creation/helpers.ts :-)
If I will have time before the release to address the concerns that you put, I will look into this as well.
| ].forEach(({ interval, value, unit }) => { | ||
| it(`should correctly return time duration and time unit when 'interval' is ${interval}`, () => { | ||
| const { value: actualValue, unit: actualUnit } = getTimeTypeValue(interval); | ||
| expect(actualValue).toEqual(value); |
There was a problem hiding this comment.
nit: toBe is stricter and better for asserting primitive values.
What would happen now if a user bulk edited the actions interval to be shorter than the rules' execution interval? |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@e40pud I didn't have time to check this one today, but noticed a lot of valid comments here. I have a few questions off the top of my head:
|
|
@elasticmachine merge upstream |
|
merge conflict between base and head |
|
@elasticmachine merge upstream |
There was a problem hiding this comment.
Replying here for 🧵ing...
These changes won't apply to Bulk operation, since we don't have access to all rules there. We would need to get the minimum schedule interval among the selected rules in that case and use it in the UI.
I think we leverage bulk actions dry mode, that was created exactly for this purpose: prevent edit errors by letting know users beforehand the likely outcome of the request. Details on implementation and usage can be found here
One of the possible ways of implementations:
- retrieve the smallest allowed interval through this API and then use it on bulk edit actions form
@vitaliidm do you suggest to add another variable to BulkEditActionResponse which will have minimum interval of the rules in bulk operation? And then on dry run of bulk.edit operation and type one of BulkActionEditType.set_rule_actions, BulkActionEditType.add_rule_actions we would calculate minimum interval among those rules and return as part of the response?
This definitely doable, just thinking if that new parameters will fit the current structure of the response. It is all about updated, created, deleted, skipped and number of succeeded and failed rules. Now we will add another attribute which is kind of not related to anything of that.
There was a problem hiding this comment.
Right now, on dry_run=true we send the following payload
POST http://localhost:5601/kbn/api/detection_engine/rules/_bulk_action?dry_run=true
{
"action":"edit",
"ids":[
"0483b100-e5c9-11ed-a754-61de71d8c618",
"22670e00-e5d4-11ed-a029-c5fa447f7c6e",
"a51fa760-e5e5-11ed-8c3b-19bc4e0ce732"
],
"edit":[
{
"type":"add_rule_actions",
"value":{
"actions":[
]
}
}
]
}
Instead, if we can send here action with the minimal throttle frequency, let's say 1s and perform validation check on BE: we can receive a response with new error code for exceeding action's interval value.
{
"statusCode":500,
"error":"Internal Server Error",
"message":"Bulk edit partially failed",
"attributes":{
"errors":[
{
"message":"action interval can not be smaller than interval",
"status_code":500,
"err_code":"ACTION_INTERVAL_CAN_NOT_BE_SMALLER_THAN_RULE_INTERVAL",
"params": {
"minimalValidActionInterval": "5s"
},
"rules":[
{
"id":"22670e00-e5d4-11ed-a029-c5fa447f7c6e",
"name":"test ml"
}
]
}
],
"results":{
"updated":[
],
"created":[
],
"deleted":[
],
"skipped":[
]
},
"summary":{
"failed":1,
"succeeded":1,
"skipped":0,
"total":2
}
}
}
Introducing a new params property that will have minimal valid action interval can help to keep the same format of response.
There is, though, one thing we need to be conscientious of. We do not include actions values for dry run, only action type. As we don't know what user will select. So if we plan to send action with rule actions payload, new ACTION_INTERVAL_CAN_NOT_BE_SMALLER_THAN_RULE_INTERVAL errors should not count when we checking if we want to show dry run warning modal window. That might overcomplicate dry run processing logic
Other solution might be, introducing warnings or conditional_errors property. That woudn't interfere with summary section of the response
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: cc @e40pud |
Summary
Closes #155502
These changes fixes the issue with the incompatible action frequency selected while creating or updating the rule. The action frequency should never be shorter than the rule's schedule interval. We will show the warning when user selects the action's frequency which is shorter than the rule's schedule interval.
These changes won't apply to Bulk operation, since we don't have access to all rules there. We would need to get the minimum schedule interval among the selected rules in that case and use it in the UI.
Here is how the warning will look like: