
[Discuss] Sort and filter options in the alert management view #58366

Open
alexfrancoeur opened this issue Feb 24, 2020 · 18 comments
Labels
discuss Feature:Alerting/RulesManagement Issues related to the Rules Management UX Feature:Alerting Meta Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@alexfrancoeur

I spun up the SIEM dev environment and noticed that the rules created end up taking over the alert management UI.

[Screenshot of the alert management view, taken 2020-02-24]

Some issues that I came across below:

  • I couldn't easily tell which alerts were enabled or disabled, nor could I filter on these
  • I wasn't able to understand which alerts had been triggered or ran recently
  • There seems to be no way to prioritize one type of alert over another, all are created equal. I don't really know if this is the right approach, but should "manually" created alerts be prioritized over "system generated" alerts?
  • You can add tags in the index threshold UI, but you can't easily filter by them from within the list view. Should we add a filter dropdown for tags?
  • Should tags be more pill form within the table UI? It's difficult to read them and if they were in pill form, you could quickly "click to filter".
  • None of the columns are sortable
  • There is no filter on "No actions" (SIEM signals do not initially produce actions) (related bug: Filtering actions on alerts without any actions #58362)
  • Do we need to show internal tags? If so, should we add a show / hide option similar to system indices in the index pattern creation flow?

Some suggestions that might make this experience easier

  • Filter by status - enabled, disabled, active alert, inactive alert
  • Sort by last ran and / or last triggered
  • For columns that can be sorted, we should make them sortable

cc: @mdefazio @arisonl @peterschretlen

@alexfrancoeur alexfrancoeur added discuss Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Feb 24, 2020
@elasticmachine (Contributor)

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@peterschretlen (Contributor)

I think the filter by status should be handled by this related issue: #51099
which will cover disabled vs different enabled states (active, no data, ok, error)
This will also give a visual cue as to the status.

At some point I think we were able to filter by tag (#51727); perhaps we suppressed it along the way.

@mdefazio (Contributor)

mdefazio commented Mar 2, 2020

An updated list view of the Alert management view:
[Mockup image: Alerts--Main]

I couldn't easily tell which alerts were enabled or disabled, nor could I filter on these

Added in switches so it's easier to see which are enabled

I wasn't able to understand which alerts had been triggered or ran recently

I think the table can by default be sorted by last fired.

The tags are back to simple text from the previous mockup shown in #58493 since we wanted to explore if it was possible to show them inline. This may clutter up the rows a bit (badges/pills did so even more) and I believe the filtering for these works slightly differently than the others, so we could go back to including these in the expanded row view to allow for more flexibility.

@arisonl (Contributor)

arisonl commented Mar 6, 2020

Alex has captured the most important aspects. I am adding a few thoughts, building on his comments (and possibly stretching it a bit):

  • Ability to rearrange/organise the list manually. This is something that has come up in the context of saved objects as well, when you have a lot of them.
  • Sort by most and least triggered
  • Alphabetical sorting and pagination
  • Should tags be searchable as well?
  • When you filter by type selecting a type with zero alerts, you get to "create new". The only way to return to the list view is to hit the "alerts and actions" option in the management side-bar. First, do we want types with zero alerts in the filter options? If yes, should we make returning from that state easier? Second, if you continue and hit "create new", should we customise the flyout, depending on the selected filter (e.g. surface the corresponding types only)?

@mdefazio (Contributor)

mdefazio commented Mar 6, 2020

Ability to rearrange/organise the list manually. This is something that has come up in the context of saved objects as well, when you have a lot of them.

Can you expand a bit on this? Curious why people would want to do this and how it persists after interacting with other filters

Sort by most and least triggered

This is a good point and wondering if this warrants more attention in the alert detail view as well.

Alphabetical sorting and pagination

I apologize for my mockup not accurately showing the sorting. Clicking the name column should sort alphabetically by alert name.

Should tags be searchable as well?

Yes, I think so

To your last point, we've tried tackling some of the filter issues here: #58362. As you mentioned, types with zero alerts should not appear in the filter options, or at least be disabled to avoid this scenario

@arisonl (Contributor)

arisonl commented Mar 6, 2020

@mdefazio many thanks for the quick response and link. This might not be applicable here or it might be of low priority for future consideration, but in the context of saved objects where there is a similar list view, I've seen users wanting the ability to arrange the list of objects manually so that the most important ones are in direct reach, remain on top etc (in the presence of many objects) or have another means of organising (e.g. folders). We have tags here, which is great.

@arisonl (Contributor)

arisonl commented Mar 14, 2020

@mdefazio UX question on the order of the columns in this view. More specifically, the mute and enable toggle controls are indistinguishable but work in the opposite direction (you need one of them enabled and the other disabled in order for the alert instances to come up). Which is fine, but looking at each individual row you really need to check the status field, which I believe is linked to these toggles, or even worse the header of the alerts list. Curious whether the toggles should live next to the status, since they are linked.

@mdefazio (Contributor)

Good catch. I'll reorder the columns so they are next to the status. Perhaps using a checkbox for the mute option will help this read easier?

@arisonl (Contributor)

arisonl commented Mar 16, 2020

Checkbox makes sense, also if we prefer to keep the toggle we could add a muted icon next to it when enabled. Whatever you think makes the most sense from a UX perspective. Btw, what are the possible statuses, have we defined them all? Curious how the enable and mute actions map to them.

@peterschretlen (Contributor)

  • When you filter by type selecting a type with zero alerts, you get to "create new". The only way to return to the list view is to hit the "alerts and actions" option in the management side-bar. First, do we want types with zero alerts in the filter options? If yes, should we make returning from that state easier? Second, if you continue and hit "create new", should we customise the flyout, depending on the selected filter (e.g. surface the corresponding types only)?

This one is covered in #59964 and should be fixed in 7.7

@peterschretlen (Contributor)

Here is a summary of the feedback covered here and links to the issues covering them:

| Description                                                                   | Issue  |
|-------------------------------------------------------------------------------|--------|
| Alert status including the ability to sort and filter by status               | #51099 |
| Filtering alerts by tag                                                       | #51727 |
| Sorting alerts by name                                                        | #60584 |
| Filtering alerts that have no actions                                         | #58362 |
| Removing internal tags from display in UI                                     | #58417 |
| Applying filters that return no alerts gives the first-time creation view     | #59964 |

@mikecote (Contributor)

I had a chat with @mdefazio on the default sorting that we should do on this list. Now that alert statuses are coming soon, we could sort by most severe status (e.g. order by error, active, ok, no data). A secondary sort could be last edit, last executed or name.

@mdefazio sorting by last edit would solve the problem where you don't see the newly created alert in the list after saving though it may not work if we primarily sort by status then last edit?

@mdefazio (Contributor)

Right, I think we stick with a default sort of last edit. Then leave it up to the user to sort by status. If we have the banner or the health status bar above the table (or both), they will easily be able to see if there are any alerts with errors.

@pmuellr (Member)

pmuellr commented Jun 7, 2021

I've converted the list in comment ^^^ to a task list, and added "default sort by last edit" as it was added after the list

@gmmorris gmmorris added the Feature:Alerting/RulesManagement Issues related to the Rules Management UX label Jul 1, 2021
@gmmorris (Contributor)

gmmorris commented Jul 1, 2021

@peterschretlen any news on when this might be done? ;)

@mdefazio (Contributor)

Does this issue get resolved when #104190 merges?

@mdefazio (Contributor)

After seeing the updates on siem.estc.dev, I came across a few issues:

  • There is extra spacing between the overflow menu and edit/delete icons
  • Clicking the edit icon only worked on the Kibana version mismatch rule, it seemed. For any others I reached a blank screen where I had to click on a new page to do anything
  • Same with selecting edit from popover

Happy to make specific issues if others also see these

@ymao1 (Contributor)

ymao1 commented Jul 29, 2021

@mdefazio Can you create a new issue for your comment?

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
10 participants