17b5fd39b4
Addresses: https://github.com/elastic/kibana/issues/154614 https://github.com/elastic/kibana/issues/154615 Figma designs: https://www.figma.com/file/gLHm8LpTtSkAUQHrkG3RHU/%5B8.7%5D-%5BRules%5D-Rule-Immutability%2FCustomization?type=design&node-id=2935-577576&t=ziqgnlEJBpowqa7F-0 ## Summary - Removes `prebuiltRulesNewUpgradeAndInstallationWorkflowsEnabled` feature flag. All new prebuilt endpoints now available by default. - Creates the UI for the new **rules installation** and **rules upgrade** workflows. - Creates new **Add Rules** page, which lists rules available for installation. - Creates new **Rule Updates** page, which lists rules which have available updates. - Creates new, separate contexts for the **Add Rules** and the **Rule Updates** page, and the hooks to use them (`useAddPrebuiltRulesTableContext` and `useUpgradePrebuiltRulesTableContext` respectively) - Creates prebuilt rule hooks, which consume new endpoints: - `useFetchPrebuiltRulesStatusQuery` and `usePrebuiltRulesStatus` consume the `/internal/detection_engine/prebuilt_rules/status` endpoint and provide information about number of rules available for installation, number of installed rules, and number of rules with available updates. - `useFetchPrebuiltRulesInstallReviewQuery` and `usePrebuiltRulesInstallReview` consume the `/internal/detection_engine/prebuilt_rules/installation/_review` endpoint and return the rules available for installation which are listed in the **Add Rules** page. - `useFetchPrebuiltRulesUpgradeReviewQuery` and `usePrebuiltRulesUpgradeReview` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_review` endpoint and return the rules which have available updates, and are listed in the **Rule Updates** page. - `usePerformInstallAllRules`, `usePerformInstallSpecificRules`, and its respective mutation hooks `usePerformAllRulesInstallMutation` and `usePerformSpecificRulesInstallMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to install rules. - `usePerformUpgradeAllRules`, `usePerformUpgradeSpecificRules` and its respective mutation hooks `usePerformAllRulesUpgradeMutation` and `usePerformSpecificRulesUpgradeMutation` consume the `/internal/detection_engine/prebuilt_rules/upgrade/_perform` endpoint in order to upgrade rules. ### Deprecated code **Hooks:** - `useCreatePrebuiltRulesMutation` - `useInstallPrePackagedRules` - `useCreatePrePackagedRules` - `usePrePackagedRulesInstallationStatus` - `usePrePackagedTimelinesInstallationStatus` ### Major points to resolve - **Timeline templates installation**: Since this PR stops using the `/api/detection_engine/rules/prepackaged` endpoint in favour of the new ones, we are not currently installing timeline templates. Serverside, we will need a new endpoint to install them separately from rules? In the UI, how would this still work: would they get installed in the background now? Or maybe have a new button for it somewhere? - **ML Jobs warning**: when updating rules, we currently have a wrapper to add confirmation modal for users who may be running older ML Jobs that would be overridden by updating their rules. This PR removes that code, but we'll need to reintroduce it for the cases of: upgrading single rules, upgrading a selection of rules, upgrading all rules. ### Deviations from design This PR includes a reduced scope to the final workflow shown in the Figma designs. Most notably, in Milestone 2, to be released in 8.9, we did not build the flyout that, in the Add Rules page, shows the rule details when the user clicks on it, so the user can review it before installing. The same is true in the Rule Updates table, which does not allow, for now, reviewing the rules. In both cases, the user can only click in "Install Rule" and "Upgrade Rule". There are other differences in the UI, for technical reasons: - Both for the Add Rules page and the Rule Updates table we decided to use **EUI's InMemoryTable**. Since the endpoint that return the data to populate both of these tables do not allow for sorting, filtering and paging, we decided to use the InMemoryTable for both cases, as all of those functions are handled out-of-the-box by the EUI component. The relatively low number of items that populate these tables means that we won't face significant performance issues. However, this meant a number of deviations from the designs: - Since filtering, sorting and pagination are handled by the table, the contexts for these table do not includes any internal state relating to these functions. This makes it hard to recreate the RuleUtilityBar for each of these components or make the existing one reusable. We therefore decided to leave the Utility Bar for the new two tables out of scope, and deviate from the design by moving the button that the user can click on o install or upgrade the selected rules to beside the "Install all" or "Upgrade all" buttons. This button is shown only when at least one rule of the table is selected. - The **tags filter box** that comes out-of-the-box with the InMemoryTable can only be positioned to the right of the search bar, instead of the left like we have in our main **Installed Rules** table. Also, clicking on the tabs adds the text to the search bar, and the box does not allow for negative selection of tabs (exclusion). - The search bar filters on keystroke rather than on Enter. This behaviour can be changed, but it feels more useful than the other behaviour for these new two tables. - The search bar filters by searching the user's input in any of the string properties of first order within the rule object. This means that the search bar can be used to look up rules according to their name, description, rule_id, etc (but not for example for MITRE techniques, which are an object.) This behaviour, however, is also customisable. - Neither the Add Rules table nor the Rule Updates tables display the _Last updated_ column which is shown in the design. Since the original intent of the designers is to show when the rule asset (`security-rule`) was created or updated, this is information we don't currently have within the SO. After discussion with @ksevasilyeva and @ARWNightingale, we decided, for now, to remove the column. In the meantime, @terrancedejesus [created an issue to include `createdAt` and `updatedAt` fields](https://github.com/elastic/detection-rules/issues/2826) within the rule assets, that we can use to display in the table in later iterations. #### Other remaining work: - Introduce confirmation modals when the user clicks on the "Install all" or "Upgrade all" modal. - Unit testing for new hooks and components. - Other component redesign: Rule Filter, Tag Filter #### How to test rule upgrade 1. Have at least one rule installed 2. Find its `rule_id` from the Network tab. 3. Make a request to `PATCH /api/detection_engine/rules` with the `rule_id` in the payload, and also set the `version` to a number lower than the current version. 4. Reload the page. 5. The `/upgrade/_review` endpoint will now return that rule as available for upgrade. ### Videos #### Rule Installation Workflow |
||
|---|---|---|
| .. | ||
| build_chromium | ||
| dev-tools | ||
| examples | ||
| packages | ||
| performance | ||
| plugins | ||
| scripts | ||
| test | ||
| test_serverless | ||
| .gitignore | ||
| .i18nrc.json | ||
| .telemetryrc.json | ||
| package.json | ||
| README.md | ||
Elastic License Functionality
This directory tree contains files subject to the Elastic License 2.0. The files subject to the Elastic License 2.0 are grouped in this directory to clearly separate them from files dual-licensed under the Server Side Public License and the Elastic License 2.0.
Alert Details page feature flags (feature-flag-per-App)
If you have:
xpack.observability.unsafe.alertDetails.metrics.enabled: true
[For Infrastructure rule types] In Kibana configuration, will allow the user to navigate to the new Alert Details page, instead of the Alert Flyout when clicking on View alert details in the Alert table
xpack.observability.unsafe.alertDetails.logs.enabled: true
[For Logs threshold rule type] In Kibana configuration, will allow the user to navigate to the new Alert Details page, instead of the Alert Flyout when clicking on View alert details in the Alert table
xpack.observability.unsafe.alertDetails.uptime.enabled: true
[For Uptime rule type] In Kibana configuration, will allow the user to navigate to the new Alert Details page, instead of the Alert Flyout when clicking on View alert details in the Alert table
Development
By default, Kibana will run with X-Pack installed as mentioned in the contributing guide.
Elasticsearch will run with a basic license. To run with a trial license, including security, you can specifying that with the yarn es command.
Example: yarn es snapshot --license trial --password changeme
By default, this will also set the password for native realm accounts to the password provided (changeme by default). This includes that of the kibana_system user which elasticsearch.username defaults to in development. If you wish to specify a password for a given native realm account, you can do that like so: --password.kibana_system=notsecure
Testing
For information on testing, see the Elastic functional test development guide.
Running functional tests
The functional UI tests, the API integration tests, and the SAML API integration tests are all run against a live browser, Kibana, and Elasticsearch install. Each set of tests is specified with a unique config that describes how to start the Elasticsearch server, the Kibana server, and what tests to run against them. The sets of tests that exist today are functional UI tests (specified by this config), API integration tests (specified by this config), and SAML API integration tests (specified by this config).
The script runs all sets of tests sequentially like so:
- builds Elasticsearch and X-Pack
- runs Elasticsearch with X-Pack
- starts up the Kibana server with X-Pack
- runs the functional UI tests against those servers
- tears down the servers
- repeats the same process for the API and SAML API integration test configs.
To do all of this in a single command run:
node scripts/functional_tests
Developing functional UI tests
If you are developing functional tests then you probably don't want to rebuild Elasticsearch and wait for all that setup on every test run, so instead use this command to build and start just the Elasticsearch and Kibana servers:
node scripts/functional_tests_server
After the servers are started, open a new terminal and run this command to run just the tests (without tearing down Elasticsearch or Kibana):
node scripts/functional_test_runner
For both of the above commands, it's crucial that you pass in --config to specify the same config file to both commands. This makes sure that the right tests will run against the right servers. Typically a set of tests and server configuration go together.
Read more about how the scripts work here.
For a deeper dive, read more about the way functional tests and servers work here.
Running API integration tests
API integration tests are run with a unique setup usually without UI assets built for the Kibana server.
API integration tests are intended to test only programmatic API exposed by Kibana. There is no need to run browser and simulate user actions, which significantly reduces execution time. In addition, the configuration for API integration tests typically sets optimize.enabled=false for Kibana because UI assets are usually not needed for these tests.
To run only the API integration tests:
node scripts/functional_tests --config test/api_integration/config
Running SAML API integration tests
We also have SAML API integration tests which set up Elasticsearch and Kibana with SAML support. Run only API integration tests with SAML enabled like so:
node scripts/functional_tests --config test/security_api_integration/saml.config
Running Jest integration tests
Jest integration tests can be used to test behavior with Elasticsearch and the Kibana server.
yarn test:jest_integration
Running Reporting functional tests
See here for more information on running reporting tests.
Running Security Solution Cypress E2E/integration tests
See here for information on running this test suite.