[Security Solution][Detections] Rule Preview should process override fields and exceptions (#4680) #140221
Conversation
e40pud
added
release_note:enhancement
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
merge conflict between base and head |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
| @@ -68,29 +68,21 @@ TagContainer.displayName = 'TagContainer'; | |||
|
|
|||
| const StepAboutRuleComponent: FC<StepAboutRuleProps> = ({ | |||
| addPadding = false, | |||
| defaultValues, | |||
| defaultValues: initialState, | |||
There was a problem hiding this comment.
One confusing behaviour of this step:
I tested the overrides locally and realized that two of the possible overridable fields (Severity override and Risk score override) are "normal" settings -not hidden-, while two others (Rule name override and Timestamp override) are part of the "Advanced settings" submenu, which the user has to unfold to see.
When testing updating these overrides and refreshing the preview, I realised there is a confusing difference between these two groups of overrides. The first two are applied to the Rule Preview as soon as you update them and click on "Refresh" in the Rule Preview flyout. On the contrary, if you update the "advanced" overrides, and click on "Refresh" the previewed alerts won't be updated. You first have to click on the "Continue" button of the "About rule" step, and only then click on "Refresh". Only then will the Rule Preview be updated.
Not exactly sure why this happens since they are all part of the same form, bu I think, considering all overrides live within the same step, that they should share the same behaviour.
There was a problem hiding this comment.
Yeah, that is a good point. I need to add those few fields to be observed and thus the value to be used to affect Rule Preview immediately. Thanks for catching that!
| </EuiText> | ||
| </> | ||
| </EuiFlexItem> | ||
| <EuiSpacer /> |
There was a problem hiding this comment.
I realize this is not part of this PR but is the "loading" text (passed as subtitle prop to HeaderSection) when creating the Histogram intended? Looks a little weird to me, especially having the loading icon already there:
There was a problem hiding this comment.
Yes it is intended and was like this since a long time (at least I see the same in 7.17.5 version). Though, we can ask what design team thinks about it and whether we need to update this behaviour. @yiyangliu9286 What do you think about this one?
|
@elasticmachine merge upstream |
…-ref HEAD~1..HEAD --fix'
x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/edit/index.tsx
Outdated
Show resolved
Hide resolved
...gins/security_solution/public/detections/components/rules/rule_preview/use_preview_route.tsx
Outdated
Show resolved
Hide resolved
| if (isRequestTriggered && rule === null) { | ||
| setRule( | ||
| formatPreviewRule({ | ||
| index, |
There was a problem hiding this comment.
Nice work cleaning this up 👌🏾
x-pack/plugins/security_solution/public/detections/components/rules/rule_preview/index.tsx
Outdated
Show resolved
Hide resolved
|
Nice work with implementing this @e40pud! There were just a couple things I noticed doing some clickthrough testing. The rule preview seems to unmount when the window is resized? The other thing I saw was the data was retained when switching between rule types? It looks like a a refresh of a query takes place, but sometimes data is still shown without an actual associated query in the rule type selection view. |
e40pud
changed the title
|
@elasticmachine merge upstream |
|
Thanks @michaelolo24 for the feedback! I addressed your comments in code and here are couple more notes:
Looks like the whole create rule page is being unmounted due to restricted space. I might need to fix that in a separate PR due to limited time before the FF. @peluja1012 what do you think? Screen.Recording.2022-09-13.at.12.20.36.mov
We do not clear preview results until user manually refreshes them. Even when user switches between different rule types. |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: cc @e40pud |
|
This issue is happening on main already so not associated with this particular PR. 👍🏾
|
|
One thing to add with the unmounting-remounting is that when you switch the rule type the "refresh" in the rule preview might lead a user to think the query has been rerun with the new rule type, but it actually hasn't. It might be worth just completely unmounting the component if the user changes the rule? Even though I start in ML in the video below, I was originally on a threshold rule. When I got to custom query nothing changes in the panel, but it does a little reload. When I hit refresh it still shows the threshold results. The results are only updated when I close and re-open the panel Screen.Recording.2022-09-13.at.3.04.29.PM.mov |
There was a problem hiding this comment.
Thanks for the work on this @e40pud 👍🏾 ! We discussed this ticket offline and the mounting issues will be taken care of on a follow up PR.
|
Thank you @michaelolo24! @peluja1012 could you please review those issues that Micheal found while testing? We need to decide whether those could be fixed in one of the upcoming PRs. |
kibanamachine
added
v8.5.0
backport:skip
Summary
This PR restructures the Rule Preview functionality to allow better UX. Main changes are:
Main ticket #4680
Checklist
Delete any items that are not applicable to this PR.
Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.
When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:
For maintainers