[Security Solution] Implement rule monitoring dashboard #159875
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
banderror
added
Team:Detections and Resp
banderror
force-pushed
the
security-rule-perfmon-dashboard
branch
from
04f313c to
cd3c358
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
banderror
force-pushed
the
security-rule-perfmon-dashboard
branch
from
cd3c358 to
34f04a3
Compare
jpdjere
approved these changes
Jun 19, 2023
banderror
force-pushed
the
security-rule-perfmon-dashboard
branch
from
34f04a3 to
50507b2
Compare
We should add it there - by adding "Security Solution" tag. cc @banderror |
|
Based on the received feedback I'm starting to work on the following fixes and improvements:
|
banderror
force-pushed
the
security-rule-perfmon-dashboard
branch
from
50507b2 to
3016d42
Compare
banderror
force-pushed
the
security-rule-perfmon-dashboard
branch
from
c73c6ae to
799686f
Compare
|
@approksiu @jpdjere I addressed all the feedback and updated the PR description accordingly. Hopefully, the CI will pass and the PR will be merged soon. |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @banderror |
banderror
added a commit
that referenced
this pull request
Jun 21, 2023
…PI (#160137) **Partially addresses:** #125642 ## Summary - fixes typos noticed by @maximpn in #159970 (comment) - adds additional docs for #159875
2 tasks
banderror
added a commit
that referenced
this pull request
Jun 27, 2023
**Epic:** elastic/security-team#6032 (internal) **Related to:** #159875 ## Summary In this PR we: - add a text block to the dashboard itself with helpful info about it - fix the 4 tables at the bottom of the dashboard - add unit tests for the dashboard's source `.json` files ## Text block <img width="1792" alt="Screenshot 2023-06-22 at 20 15 30" src="https://github.com/elastic/kibana/assets/7359339/55d267b7-7c39-4cdf-a917-fd17e9231a59"> ## Tables There were two issues with the tables: 1. When having the same prebuilt rules installed in two or more Kibana spaces, sorting in a table could break if the table rendered two different rules with the same name. It has been fixed by making the rule ID the first field in the table and making a few minor tweaks. Thanks to @maximpn for noticing the bug. 2. Widths of the columns were off in some cases. The fixed tables look like that: <img width="1775" alt="Screenshot 2023-06-22 at 19 52 13" src="https://github.com/elastic/kibana/assets/7359339/53475848-3238-4866-af70-080b8acd1f9e"> ## Full comparison | **BEFORE** | **AFTER** | |:------------:|:-----------:| |  |  | ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - elastic/security-docs#3478
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jun 27, 2023
**Epic:** elastic/security-team#6032 (internal) **Related to:** elastic#159875 ## Summary In this PR we: - add a text block to the dashboard itself with helpful info about it - fix the 4 tables at the bottom of the dashboard - add unit tests for the dashboard's source `.json` files ## Text block <img width="1792" alt="Screenshot 2023-06-22 at 20 15 30" src="https://github.com/elastic/kibana/assets/7359339/55d267b7-7c39-4cdf-a917-fd17e9231a59"> ## Tables There were two issues with the tables: 1. When having the same prebuilt rules installed in two or more Kibana spaces, sorting in a table could break if the table rendered two different rules with the same name. It has been fixed by making the rule ID the first field in the table and making a few minor tweaks. Thanks to @maximpn for noticing the bug. 2. Widths of the columns were off in some cases. The fixed tables look like that: <img width="1775" alt="Screenshot 2023-06-22 at 19 52 13" src="https://github.com/elastic/kibana/assets/7359339/53475848-3238-4866-af70-080b8acd1f9e"> ## Full comparison | **BEFORE** | **AFTER** | |:------------:|:-----------:| |  |  | ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - elastic/security-docs#3478 (cherry picked from commit f622809)
kibanamachine
referenced
this pull request
Jun 27, 2023
…60617) # Backport This will backport the following commits from `main` to `8.9`: - [[Security Solution] Fix rule monitoring dashboard (#160316)](#160316) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Georgii Gorbachev","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-06-27T12:45:12Z","message":"[Security Solution] Fix rule monitoring dashboard (#160316)\n\n**Epic:** https://github.com/elastic/security-team/issues/6032\r\n(internal)\r\n**Related to:** https://github.com/elastic/kibana/pull/159875\r\n\r\n## Summary\r\n\r\nIn this PR we:\r\n\r\n- add a text block to the dashboard itself with helpful info about it\r\n- fix the 4 tables at the bottom of the dashboard\r\n- add unit tests for the dashboard's source `.json` files\r\n\r\n## Text block\r\n\r\n<img width=\"1792\" alt=\"Screenshot 2023-06-22 at 20 15 30\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/55d267b7-7c39-4cdf-a917-fd17e9231a59\">\r\n\r\n## Tables\r\n\r\nThere were two issues with the tables:\r\n\r\n1. When having the same prebuilt rules installed in two or more Kibana\r\nspaces, sorting in a table could break if the table rendered two\r\ndifferent rules with the same name. It has been fixed by making the rule\r\nID the first field in the table and making a few minor tweaks. Thanks to\r\n@maximpn for noticing the bug.\r\n2. Widths of the columns were off in some cases.\r\n\r\nThe fixed tables look like that:\r\n\r\n<img width=\"1775\" alt=\"Screenshot 2023-06-22 at 19 52 13\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/53475848-3238-4866-af70-080b8acd1f9e\">\r\n\r\n## Full comparison\r\n\r\n| **BEFORE** | **AFTER** |\r\n|:------------:|:-----------:|\r\n| \r\n| \r\n|\r\n\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n - https://github.com/elastic/security-docs/issues/3478","sha":"f622809ee824a3341d767e7174177fbe7ac9578b","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","Team:Detections and Resp","Team: SecuritySolution","Feature:Rule Monitoring","Team:Detection Rule Management","v8.9.0","v8.10.0"],"number":160316,"url":"https://github.com/elastic/kibana/pull/160316","mergeCommit":{"message":"[Security Solution] Fix rule monitoring dashboard (#160316)\n\n**Epic:** https://github.com/elastic/security-team/issues/6032\r\n(internal)\r\n**Related to:** https://github.com/elastic/kibana/pull/159875\r\n\r\n## Summary\r\n\r\nIn this PR we:\r\n\r\n- add a text block to the dashboard itself with helpful info about it\r\n- fix the 4 tables at the bottom of the dashboard\r\n- add unit tests for the dashboard's source `.json` files\r\n\r\n## Text block\r\n\r\n<img width=\"1792\" alt=\"Screenshot 2023-06-22 at 20 15 30\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/55d267b7-7c39-4cdf-a917-fd17e9231a59\">\r\n\r\n## Tables\r\n\r\nThere were two issues with the tables:\r\n\r\n1. When having the same prebuilt rules installed in two or more Kibana\r\nspaces, sorting in a table could break if the table rendered two\r\ndifferent rules with the same name. It has been fixed by making the rule\r\nID the first field in the table and making a few minor tweaks. Thanks to\r\n@maximpn for noticing the bug.\r\n2. Widths of the columns were off in some cases.\r\n\r\nThe fixed tables look like that:\r\n\r\n<img width=\"1775\" alt=\"Screenshot 2023-06-22 at 19 52 13\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/53475848-3238-4866-af70-080b8acd1f9e\">\r\n\r\n## Full comparison\r\n\r\n| **BEFORE** | **AFTER** |\r\n|:------------:|:-----------:|\r\n| \r\n| \r\n|\r\n\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n - https://github.com/elastic/security-docs/issues/3478","sha":"f622809ee824a3341d767e7174177fbe7ac9578b"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/160316","number":160316,"mergeCommit":{"message":"[Security Solution] Fix rule monitoring dashboard (#160316)\n\n**Epic:** https://github.com/elastic/security-team/issues/6032\r\n(internal)\r\n**Related to:** https://github.com/elastic/kibana/pull/159875\r\n\r\n## Summary\r\n\r\nIn this PR we:\r\n\r\n- add a text block to the dashboard itself with helpful info about it\r\n- fix the 4 tables at the bottom of the dashboard\r\n- add unit tests for the dashboard's source `.json` files\r\n\r\n## Text block\r\n\r\n<img width=\"1792\" alt=\"Screenshot 2023-06-22 at 20 15 30\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/55d267b7-7c39-4cdf-a917-fd17e9231a59\">\r\n\r\n## Tables\r\n\r\nThere were two issues with the tables:\r\n\r\n1. When having the same prebuilt rules installed in two or more Kibana\r\nspaces, sorting in a table could break if the table rendered two\r\ndifferent rules with the same name. It has been fixed by making the rule\r\nID the first field in the table and making a few minor tweaks. Thanks to\r\n@maximpn for noticing the bug.\r\n2. Widths of the columns were off in some cases.\r\n\r\nThe fixed tables look like that:\r\n\r\n<img width=\"1775\" alt=\"Screenshot 2023-06-22 at 19 52 13\"\r\nsrc=\"https://github.com/elastic/kibana/assets/7359339/53475848-3238-4866-af70-080b8acd1f9e\">\r\n\r\n## Full comparison\r\n\r\n| **BEFORE** | **AFTER** |\r\n|:------------:|:-----------:|\r\n| \r\n| \r\n|\r\n\r\n\r\n### Checklist\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n - https://github.com/elastic/security-docs/issues/3478","sha":"f622809ee824a3341d767e7174177fbe7ac9578b"}}]}] BACKPORT--> Co-authored-by: Georgii Gorbachev <[email protected]>
|
@banderror don't know where to comment else wise. If you check the data view you are using you can append a data formatter for the fields. E.g. the duration fields, you can mark them as 
|
|
Thanks for the suggestion @philippkahr, I think this could be a nice usability enhancement. Would you mind opening an issue in https://github.com/elastic/kibana for that? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Epic: https://github.com/elastic/security-team/issues/6032 (internal)
Summary
This PR adds a new
[Elastic Security] Detection rule monitoringKibana dashboard and a newPOST /internal/detection_engine/health/_setupAPI endpoint.Dashboard
The dashboard can be helpful for monitoring the health and performance of Security detection rules. Users of the dashboard must have read access to the
.kibana-event-log-*index (see below for exact requirements). The dashboard is automatically installed into the current Kibana space when a user visits a page in Security Solution - similar to how we install the Fleet package with prebuilt detection rules.API endpoint
The PR also adds a new endpoint for setting up anything related to monitoring rules and the health of the Detection Engine. If you call the endpoint, it will install the new dashboard to the Default Kibana space:
In order to install the dashboard to a different Kibana space, you will need to call it like that:
RBAC requirements
For installing the dashboard
The user calling the
POST /internal/detection_engine/health/_setupendpoint must have at leastReadaccess to Security Solution. No additional privileges are required, because the endpoint installs the dashboard on behalf of the internal user (kibana_system).For viewing the dashboard
In order to be able to view the dashboard, users will need to have at least the following 2 privileges:
Readaccess to Kibana dashboards (Analytics->Dashboard:Read)readaccess to the.kibana-event-log-*index.Checklist
Detection rule monitoringdashboard security-docs#3478