
Commit

Merge branch 'master' into implement/ts-optimizer-limits-config-path
kibanamachine authored Mar 2, 2021
2 parents fe53ea0 + 2903844 commit 94ad6c3
Showing 72 changed files with 1,932 additions and 683 deletions.
20 changes: 20 additions & 0 deletions docs/settings/alert-action-settings.asciidoc
Expand Up @@ -40,6 +40,8 @@ You can configure the following settings in the `kibana.yml` file.

[cols="2*<"]
|===
| `xpack.actions.enabled`
| Feature toggle that enables Actions in {kib}. Defaults to `true`.

| `xpack.actions.allowedHosts` {ess-icon}
| A list of hostnames that {kib} is allowed to connect to when built-in actions are triggered. It defaults to `[*]`, allowing any host, but keep in mind the potential for SSRF attacks when hosts are not explicitly added to the allowed hosts. An empty list `[]` can be used to block built-in actions from making any external connections. +
Expand All @@ -51,6 +53,24 @@ You can configure the following settings in the `kibana.yml` file.
+
Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.

| `xpack.actions.preconfigured`
| Specifies preconfigured action IDs and configs. Defaults to {}.

| `xpack.actions.proxyUrl` {ess-icon}
| Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.

| `xpack.actions.proxyHeaders` {ess-icon}
| Specifies HTTP headers for the proxy, if using a proxy for actions. Defaults to {}.

a|`xpack.actions.`
`proxyRejectUnauthorizedCertificates` {ess-icon}
| Set to `false` to bypass certificate validation for the proxy, if using a proxy for actions. Defaults to `true`.

| `xpack.actions.rejectUnauthorized` {ess-icon}
| Set to `false` to bypass certificate validation for actions. Defaults to `true`. +
+
As an alternative to setting both `xpack.actions.proxyRejectUnauthorizedCertificates` and `xpack.actions.rejectUnauthorized`, you can point the OS level environment variable `NODE_EXTRA_CA_CERTS` to a file that contains the root CAs needed to trust certificates.

|===

[float]
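Review bot: the rows for `xpack.actions.proxyRejectUnauthorizedCertificates` and `xpack.actions.rejectUnauthorized` say what `false` does but not what it costs; either value disables TLS certificate validation for outbound action traffic, and with `xpack.actions.allowedHosts` left at its `[*]` default that covers every host an action can reach. Suggest one sentence recommending that both stay at the default `true` and that private CAs be handled through the `NODE_EXTRA_CA_CERTS` route the same hunk already describes. Minor: the `preconfigured` and `proxyHeaders` rows write the default as bare `{}` while every other default in the table is backticked.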
Expand Up @@ -95,7 +95,7 @@ This example shows a preconfigured action type with one out-of-the box connector
name: 'Server log #xyz'
```

<1> `enabledActionTypes` excludes the preconfigured action type to prevent creating and deleting connectors.
<1> `enabledActionTypes` prevents the preconfigured action type from creating and deleting connectors. For more details, check <<action-settings, Action settings>>.
<2> `preconfigured` is the setting for defining the list of available connectors for the preconfigured action type.

[[managing-pre-configured-action-types]]
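Review bot: the rewritten callout <1> now reads as if the preconfigured action type itself prevents creating and deleting connectors; what actually prevents it is leaving that action type out of `enabledActionTypes`, which the removed sentence stated more precisely. Suggest: "<1> Omitting the preconfigured action type from `enabledActionTypes` prevents users from creating and deleting connectors of that type. For more details, check <<action-settings, Action settings>>."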
2 changes: 1 addition & 1 deletion docs/user/alerting/alert-types.asciidoc
Expand Up @@ -28,7 +28,7 @@ For domain-specific alerts, refer to the documentation for that app.
* {observability-guide}/create-alerts.html[Observability alerts]
* {security-guide}/prebuilt-rules.html[Security alerts]
* <<geo-alerting, Maps alerts>>
* <<xpack-ml, ML alerts>>
* {ml-docs}/ml-configuring-alerts.html[{ml-cap} alerts]

[NOTE]
==============================================
4 changes: 2 additions & 2 deletions docs/user/alerting/alerting-getting-started.asciidoc
Expand Up @@ -5,7 +5,7 @@

--

Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <<geo-alerting,*Maps*>> and <<xpack-ml,*ML*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.
Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <<geo-alerting,*Maps*>> and {ml-docs}/ml-configuring-alerts.html[*{ml-app}*], can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> (known as stack alerts) for you to use.

image::images/alerting-overview.png[Alerts and actions UI]

Expand Down Expand Up @@ -157,7 +157,7 @@ Pre-packaged *alert types* simplify setup, hide the details complex domain-speci

If you are using an *on-premises* Elastic Stack deployment:

* In the kibana.yml configuration file, add the <<alert-action-settings-kb,`xpack.encryptedSavedObjects.encryptionKey`>> setting.
* In the kibana.yml configuration file, add the <<general-alert-action-settings,`xpack.encryptedSavedObjects.encryptionKey`>> setting.
* For emails to have a footer with a link back to {kib}, set the <<server-publicBaseUrl, `server.publicBaseUrl`>> configuration setting.

If you are using an *on-premises* Elastic Stack deployment with <<using-kibana-with-security, *security*>>:
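Review bot: the cross-reference target changes from `alert-action-settings-kb` to `general-alert-action-settings`, but the docs/settings/alert-action-settings.asciidoc hunks in this commit do not show a `[[general-alert-action-settings]]` anchor being added; confirm it already exists in that file, otherwise the docs build will report a dangling reference for the `xpack.encryptedSavedObjects.encryptionKey` link.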
Expand Up @@ -2,17 +2,17 @@
[[alerting-production-considerations]]
== Production considerations

{kib} alerting run both alert checks and actions as persistent background tasks managed by the Kibana Task Manager. This has two major benefits:
{kib} alerting runs both alert checks and actions as persistent background tasks managed by the Kibana Task Manager. This has two major benefits:

* *Persistence*: all task state and scheduling is stored in {es}, so if {kib} is restarted, alerts and actions will pick up where they left off. Task definitions for alerts and actions are stored in the index specified by `xpack.task_manager.index` (defaults to `.kibana_task_manager`). It is important to have at least 1 replica of this index for production deployments, since if you lose this index all scheduled alerts and actions are also lost.
* *Persistence*: all task state and scheduling is stored in {es}, so if you restart {kib}, alerts and actions will pick up where they left off. Task definitions for alerts and actions are stored in the index specified by <<task-manager-settings, `xpack.task_manager.index`>>. The default is `.kibana_task_manager`. You must have at least one replica of this index for production deployments. If you lose this index, all scheduled alerts and actions are lost.
* *Scaling*: multiple {kib} instances can read from and update the same task queue in {es}, allowing the alerting and action load to be distributed across instances. In cases where a {kib} instance no longer has capacity to run alert checks or actions, capacity can be increased by adding additional {kib} instances.

[float]
=== Running background alert checks and actions

{kib} background tasks are managed by:

* Polling an {es} task index for overdue tasks at 3 second intervals. This interval can be changed using the `xpack.task_manager.poll_interval` setting.
* Polling an {es} task index for overdue tasks at 3 second intervals. You can change this interval using the <<task-manager-settings, `xpack.task_manager.poll_interval`>> setting.
* Tasks are then claiming them by updating them in the {es} index, using optimistic concurrency control to prevent conflicts. Each {kib} instance can run a maximum of 10 concurrent tasks, so a maximum of 10 tasks are claimed each interval.
* Tasks are run on the {kib} server.
* In the case of alerts which are recurring background checks, upon completion the task is scheduled again according to the <<defining-alerts-general-details, check interval>>.
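Review bot: while the poll-interval bullet is being rewritten, the unchanged bullet right after it ("Tasks are then claiming them by updating them in the {es} index") is ungrammatical and worth fixing in the same pass; suggest "Tasks are then claimed by updating them in the {es} index, using optimistic concurrency control to prevent conflicts." The split of the persistence bullet into shorter sentences, with the explicit one-replica requirement for the task index, reads well.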
Expand All @@ -32,4 +32,4 @@ For details on the settings that can influence the performance and throughput of
[float]
=== Deployment considerations

{es} and {kib} instances use the system clock to determine the current time. To ensure schedules are triggered when expected, you should synchronize the clocks of all nodes in the cluster using a time service such as http://www.ntp.org/[Network Time Protocol].
{es} and {kib} instances use the system clock to determine the current time. To ensure schedules are triggered when expected, you should synchronize the clocks of all nodes in the cluster using a time service such as http://www.ntp.org/[Network Time Protocol].
24 changes: 2 additions & 22 deletions docs/user/alerting/defining-alerts.asciidoc
Expand Up @@ -2,7 +2,7 @@
[[defining-alerts]]
== Defining alerts

{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<metrics-app,*Metrics*>>, <<xpack-siem,*Security*>>, <<uptime-app,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-ml,*{ml-app}*>>, <<metrics-app,*Metrics*>>, <<xpack-siem,*Security*>>, <<uptime-app,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.

[float]
=== Alert flyout
Expand Down Expand Up @@ -101,29 +101,9 @@ image::images/alert-flyout-add-action.png[You can add multiple actions on an ale

[NOTE]
==============================================
Actions are not required on alerts. In some cases you may want to run an alert without actions first to understand its behavior, and configure actions later.
Actions are not required on alerts. You can run an alert without actions to understand its behavior, and then <<action-settings, configure actions>> later.
==============================================

[float]
[[actions-configuration]]
=== Global actions configuration
Some actions configuration options apply to all actions.
If you are using an *on-prem* Elastic Stack deployment, you can set these in the kibana.yml file.
If you are using a cloud deployment, you can set these via the console.

Here's a list of the available global configuration options and an explanation of what each one does:

* `xpack.actions.enabled`: Feature toggle that enables Actions in {kib}. Default: `true`
* `xpack.actions.allowedHosts`: Specifies an array of host names which actions such as email, Slack, PagerDuty, and webhook can connect to. An element of * indicates any host can be connected to. An empty array indicates no hosts can be connected to. Default: [ {asterisk} ]
* `xpack.actions.enabledActionTypes`: Specifies an array of action types that are enabled. An {asterisk} indicates all action types registered are enabled. The action types that {kib} provides are `.email`, `.index`, `.jira`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, `.servicenow-sir`, `.slack`, `.teams`, and `.webhook`. Default: [ {asterisk} ]
* `xpack.actions.preconfigured`: Specifies preconfigured action IDs and configs. Default: {}
* `xpack.actions.proxyUrl`: Specifies the proxy URL to use, if using a proxy for actions.
* `xpack.actions.proxyHeader`: Specifies HTTP headers for proxy, if using a proxy for actions.
* `xpack.actions.proxyRejectUnauthorizedCertificates`: Set to `false` to bypass certificate validation for proxy, if using a proxy for actions.
* `xpack.actions.rejectUnauthorized`: Set to `false` to bypass certificate validation for actions.

*NOTE:* As an alternative to both `xpack.actions.proxyRejectUnauthorizedCertificates` and `xpack.actions.rejectUnauthorized`, the OS level environment variable `NODE_EXTRA_CA_CERTS` can be set to point to a file that contains the root CA(s) needed for certificates to be trusted.

[float]
=== Managing alerts

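Review bot: two details from the removed list should be checked against the new table in docs/settings/alert-action-settings.asciidoc before this section is dropped. The removed bullet names the setting `xpack.actions.proxyHeader` while the new table names it `xpack.actions.proxyHeaders`; confirm which key the config schema actually accepts so readers don't copy a setting that is silently ignored. The removed `enabledActionTypes` bullet also listed the concrete action types ({kib} provides `.email`, `.index`, `.jira`, `.pagerduty`, `.resilient`, `.server-log`, `.servicenow`, `.servicenow-sir`, `.slack`, `.teams`, `.webhook`); the settings-page hunk in this commit has that region collapsed, so make sure the list survives somewhere.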
Expand Up @@ -60,6 +60,45 @@ function getShortGroupId(errorGroupId?: string) {
return errorGroupId.slice(0, 5);
}

function ErrorGroupHeader({
groupId,
isUnhandled,
}: {
groupId: string;
isUnhandled?: boolean;
}) {
return (
<>
<ApmHeader>
<EuiFlexGroup alignItems="center">
<EuiFlexItem grow={false}>
<EuiTitle>
<h1>
{i18n.translate('xpack.apm.errorGroupDetails.errorGroupTitle', {
defaultMessage: 'Error group {errorGroupId}',
values: {
errorGroupId: getShortGroupId(groupId),
},
})}
</h1>
</EuiTitle>
</EuiFlexItem>
{isUnhandled && (
<EuiFlexItem grow={false}>
<EuiBadge color="warning">
{i18n.translate('xpack.apm.errorGroupDetails.unhandledLabel', {
defaultMessage: 'Unhandled',
})}
</EuiBadge>
</EuiFlexItem>
)}
</EuiFlexGroup>
</ApmHeader>
<SearchBar />
</>
);
}

type ErrorGroupDetailsProps = RouteComponentProps<{
groupId: string;
serviceName: string;
Expand Down Expand Up @@ -101,7 +140,7 @@ export function ErrorGroupDetails({ location, match }: ErrorGroupDetailsProps) {
useTrackPageview({ app: 'apm', path: 'error_group_details', delay: 15000 });

if (!errorGroupData || !errorDistributionData) {
return null;
return <ErrorGroupHeader groupId={groupId} />;
}

// If there are 0 occurrences, show only distribution chart w. empty message
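Review bot: the loading-state render passes only `groupId`, so the "Unhandled" badge appears only once `errorGroupData` arrives and the header shifts at that point; that is acceptable for a loading state, but a small test asserting that the header and `SearchBar` render while the data is still undefined would guard against a regression back to `return null`.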
Expand All @@ -114,32 +153,7 @@ export function ErrorGroupDetails({ location, match }: ErrorGroupDetailsProps) {

return (
<>
<ApmHeader>
<EuiFlexGroup alignItems="center">
<EuiFlexItem grow={false}>
<EuiTitle>
<h1>
{i18n.translate('xpack.apm.errorGroupDetails.errorGroupTitle', {
defaultMessage: 'Error group {errorGroupId}',
values: {
errorGroupId: getShortGroupId(groupId),
},
})}
</h1>
</EuiTitle>
</EuiFlexItem>
{isUnhandled && (
<EuiFlexItem grow={false}>
<EuiBadge color="warning">
{i18n.translate('xpack.apm.errorGroupDetails.unhandledLabel', {
defaultMessage: 'Unhandled',
})}
</EuiBadge>
</EuiFlexItem>
)}
</EuiFlexGroup>
</ApmHeader>
<SearchBar />
<ErrorGroupHeader groupId={groupId} isUnhandled={isUnhandled} />
<EuiPage>
<EuiPageBody>
<EuiPanel>
Expand Up @@ -68,7 +68,7 @@ export function ErrorGroupOverview({ serviceName }: ErrorGroupOverviewProps) {
useTrackPageview({ app: 'apm', path: 'error_group_overview', delay: 15000 });

if (!errorDistributionData || !errorGroupListData) {
return null;
return <SearchBar />;
}

return (
Expand Up @@ -16,6 +16,7 @@ export interface TimelineEventsDetailsItem {
values?: Maybe<string[]>;
// eslint-disable-next-line @typescript-eslint/no-explicit-any
originalValue?: Maybe<any>;
isObjectArray: boolean;
}

export interface TimelineEventsDetailsStrategyResponse extends IEsSearchResponse {
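Review bot: `isObjectArray` is added as a required property of `TimelineEventsDetailsItem`, but this commit does not show the search-strategy code that builds these items being updated to set it; if any producer is missed, type-checking fails there, and any consumer reading old persisted items will see `undefined` rather than `false`. Either make it `isObjectArray?: boolean` or confirm every constructor of this type sets it.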
Expand Up @@ -108,6 +108,7 @@ import {
} from '../../tasks/create_new_rule';
import { saveEditedRule, waitForKibana } from '../../tasks/edit_rule';
import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login';
import { activatesRule } from '../../tasks/rule_details';

import { DETECTIONS_URL } from '../../urls/navigation';

Expand Down Expand Up @@ -308,6 +309,21 @@ describe('Custom detection rules deletion and edition', () => {
reload();
});

it('Only modifies rule active status on enable/disable', () => {
activatesRule();

cy.intercept('GET', `/api/detection_engine/rules?id=`).as('fetchRuleDetails');

goToRuleDetails();

cy.wait('@fetchRuleDetails').then(({ response }) => {
cy.wrap(response!.statusCode).should('eql', 200);

cy.wrap(response!.body.max_signals).should('eql', existingRule.maxSignals);
cy.wrap(response!.body.enabled).should('eql', false);
});
});

it('Allows a rule to be edited', () => {
editFirstRule();
waitForKibana();
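Review bot: this test only exercises one toggle direction: after `activatesRule()` it asserts `enabled` eql `false`, so the helper is turning an already-active rule off (the rule factory changed in this commit creates it with `enabled: true`); consider toggling back and asserting `true` with `max_signals` still intact so both transitions are covered. Minor: the intercept URL is a template literal with nothing interpolated, a plain string is clearer.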
Expand Down Expand Up @@ -347,8 +363,17 @@ describe('Custom detection rules deletion and edition', () => {
goToAboutStepTab();
cy.get(TAGS_CLEAR_BUTTON).click({ force: true });
fillAboutRule(editedRule);

cy.intercept('GET', '/api/detection_engine/rules?id').as('getRule');

saveEditedRule();

cy.wait('@getRule').then(({ response }) => {
cy.wrap(response!.statusCode).should('eql', 200);
// ensure that editing rule does not modify max_signals
cy.wrap(response!.body.max_signals).should('eql', existingRule.maxSignals);
});

cy.get(RULE_NAME_HEADER).should('have.text', `${editedRule.name}`);
cy.get(ABOUT_RULE_DESCRIPTION).should('have.text', editedRule.description);
cy.get(ABOUT_DETAILS).within(() => {
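Review bot: the two intercepts for the same endpoint use different strings, `/api/detection_engine/rules?id=` in the enable/disable test above and `/api/detection_engine/rules?id` here, and both rely on Cypress's loose string matching of the request URL; extract one shared pattern (or a single alias) so a change to one cannot leave the other silently matching a different request. The `max_signals` assertion after `saveEditedRule()` is the right check for the regression this test targets.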
10 changes: 10 additions & 0 deletions x-pack/plugins/security_solution/cypress/objects/rule.ts
Expand Up @@ -54,6 +54,7 @@ export interface CustomRule {
runsEvery: Interval;
lookBack: Interval;
timeline: CompleteTimeline;
maxSignals: number;
}

export interface ThresholdRule extends CustomRule {
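Review bot: `maxSignals` becomes a required property of `CustomRule`, and every fixture in this file gets it except `machineLearningRule`; if `MachineLearningRule` extends `CustomRule` (its declaration is outside this hunk, `ThresholdRule` visibly does), that fixture will fail type-checking. Either add `maxSignals` there too or declare the property optional.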
Expand Down Expand Up @@ -174,6 +175,7 @@ export const newRule: CustomRule = {
runsEvery,
lookBack,
timeline,
maxSignals: 100,
};

export const existingRule: CustomRule = {
Expand All @@ -192,6 +194,9 @@ export const existingRule: CustomRule = {
runsEvery,
lookBack,
timeline,
// Please do not change, or if you do, needs
// to be any number other than default value
maxSignals: 500,
};

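Review bot: the comment above `maxSignals: 500` says not to change the value but not why; state the reason, namely that the edit and enable/disable specs assert `max_signals` is preserved and the value must differ from the default so a reset to the default is actually detected (the other fixtures here use 100), so the next editor can judge the constraint rather than just obey it.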
export const newOverrideRule: OverrideRule = {
Expand All @@ -213,6 +218,7 @@ export const newOverrideRule: OverrideRule = {
runsEvery,
lookBack,
timeline,
maxSignals: 100,
};

export const newThresholdRule: ThresholdRule = {
Expand All @@ -232,6 +238,7 @@ export const newThresholdRule: ThresholdRule = {
runsEvery,
lookBack,
timeline,
maxSignals: 100,
};

export const machineLearningRule: MachineLearningRule = {
Expand Down Expand Up @@ -265,6 +272,7 @@ export const eqlRule: CustomRule = {
runsEvery,
lookBack,
timeline,
maxSignals: 100,
};

export const eqlSequenceRule: CustomRule = {
Expand All @@ -285,6 +293,7 @@ export const eqlSequenceRule: CustomRule = {
runsEvery,
lookBack,
timeline,
maxSignals: 100,
};

export const newThreatIndicatorRule: ThreatIndicatorRule = {
Expand All @@ -304,6 +313,7 @@ export const newThreatIndicatorRule: ThreatIndicatorRule = {
indicatorMapping: 'agent.id',
indicatorIndexField: 'agent.threat',
timeline,
maxSignals: 100,
};

export const severitiesOverride = ['Low', 'Medium', 'High', 'Critical'];
Expand Up @@ -85,6 +85,7 @@ export const createCustomRuleActivated = (rule: CustomRule, ruleId = '1') =>
language: 'kuery',
enabled: true,
tags: ['rule1'],
max_signals: 500,
},
headers: { 'kbn-xsrf': 'cypress-creds' },
failOnStatusCode: false,
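Review bot: `max_signals: 500` is hard-coded here while the specs compare the response against `existingRule.maxSignals`; since this helper already receives `rule: CustomRule`, pass `max_signals: rule.maxSignals` so the fixture and the created rule cannot drift apart.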
Expand Up @@ -34,11 +34,6 @@ export const activatesRule = () => {
});
};

export const deactivatesRule = () => {
cy.get(RULE_SWITCH).should('be.visible');
cy.get(RULE_SWITCH).click();
};

export const addsException = (exception: Exception) => {
cy.get(LOADING_SPINNER).should('exist');
cy.get(LOADING_SPINNER).should('not.exist');
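Review bot: with `deactivatesRule` removed, `activatesRule` is the only remaining switch helper and the new spec uses it to turn a rule off (it asserts `enabled` eql `false` afterwards), so the name now misstates what it does; a direction-neutral name such as `toggleRuleActivation`, or two thin wrappers that assert the resulting switch state, would keep the specs readable. Also confirm no other spec still imports `deactivatesRule`.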
Expand Up @@ -447,6 +447,9 @@ export const CaseComponent = React.memo<CaseProps>(
caseFields={caseData.connector.fields}
connectors={connectors}
disabled={!userCanCrud}
hideConnectorServiceNowSir={
subCaseId != null || caseData.type === CaseType.collection
}
isLoading={isLoadingConnectors || (isLoading && updateKey === 'connector')}
onSubmit={onSubmitConnector}
selectedConnector={caseData.connector.id}
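Review bot: the inline condition `subCaseId != null || caseData.type === CaseType.collection` encodes a product rule (the ServiceNow SIR connector is not offered for sub-cases or collections) without saying why; hoist it into a named boolean such as `isSubCaseOrCollection` with a one-line comment so the intent survives the next refactor of this JSX.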

0 comments on commit 94ad6c3
