
[SecuritySolution][Detections] Add 'running' Rule status #86202

Closed
spong opened this issue Dec 16, 2020 · 3 comments · Fixed by #124194
Labels: enhancement (New value added to drive a business result), Feature:Detection Rules (Security Solution rules and Detection Engine), Feature:Rule Monitoring (Security Solution Detection Rule Monitoring area), Team:Detection Alerts (Security Detection Alerts Area Team), Team:Detection Rule Management (Security Detection Rule Management Team), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Theme: simp_prot_mgmt (Security Solution Simplified Protection Management Theme), v8.1.0

Comments

spong (Member) commented Dec 16, 2020

Describe the feature:
Currently Detection Rules can be in the following states:

going to run | succeeded | failed | partial failure

This feature would add a running state for when the rule is within its execution cycle (querying, creating alerts, firing actions, etc.).

Describe a specific use case for the feature:
With the introduction of longer-running rules like Indicator Match, rules can be running for upwards of a minute but will display as going to run in the UI, making it seem to users as if the rule is stuck and isn't actually running.

Reported by community: https://discuss.elastic.co/t/stuck-on-going-to-run/258262

@spong spong added enhancement New value added to drive a business result Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Dec 16, 2020
@peluja1012 peluja1012 added Feature:Rule Monitoring Security Solution Detection Rule Monitoring area Team:Detection Rule Management Security Detection Rule Management Team labels Sep 17, 2021
jethr0null commented
@mdefazio I think this was already captured in your doc related to rules statuses but here's a related issue for reference if you haven't already seen it.

@peluja1012 peluja1012 added Team:Detection Alerts Security Detection Alerts Area Team Team:Detection Rule Management Security Detection Rule Management Team Theme: simp_prot_mgmt Security Solution Simplified Protection Management Theme and removed Team:Detection Rule Management Security Detection Rule Management Team labels Oct 21, 2021
@banderror banderror self-assigned this Feb 1, 2022
spong pushed a commit that referenced this issue Feb 2, 2022
…w-up (#124194)

**Related to:** #121644
**Addresses:** #86202

## Summary

Done in this PR:

- Removed the deprecated `warning` rule execution status ([comment](#121644 (comment))).
- Added a new `running` status ([ticket](#86202)).
- Simplified the internal implementation of the `rule_execution_log` folder. Hopefully the naming of folders, files and interfaces is clearer now as well. ([comment](#121644 (comment)), [comment](#121644 (comment)))
- Added APM measurements with `withSecuritySpan`.
- Added rule id to the react-query key used for loading last rule failures ([comment](#124198 (comment)))
- Addressed most of the `// TODO: https://github.com/elastic/kibana/pull/121644` comments

In the next PR that could be merged after the FF I'd address the rest of the stuff:

- Add comments to all the interfaces and methods in the `rule_execution_log` folder. Write a readme for it.
- Address the remaining `// TODO: https://github.com/elastic/kibana/pull/121644` comments. All of them are related to tests.
- Fix for the gap column ([comment](#121644 (comment)))
banderror (Contributor) commented

Implemented in #124194

This PR removed the deprecated warning status and added a new running status. The new status looks exactly the same as going to run (same "health" indicator’s color, just different text). With this PR, rules stopped writing the going to run and started writing the new running status instead. The legacy going to run status is left in the codebase for backward compatibility with rules that have been writing it to Event Log in the prior versions of Kibana (since 7.16).
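The status lifecycle described in the issue body and in the comment above (a `running` status written at the start of the execution cycle, the legacy `going to run` value still readable from older Event Log entries, and an elapsed-time display so a long Indicator Match run does not look stuck), as an added illustration that is not Kibana's own code. The class, function names and the injectable clock are assumptions for this example.

```typescript
// Added example, not Kibana's own code: models the rule execution status
// lifecycle discussed in this issue. Names and the fake clock are assumptions.

// Statuses a rule writes to its execution log; 'running' replaces 'going to run'.
type RuleExecutionStatus = 'running' | 'succeeded' | 'failed' | 'partial failure';
// 'going to run' is kept only for entries written by versions before 'running' existed.
const LEGACY_GOING_TO_RUN = 'going to run';

// Normalize a stored status (possibly legacy) for display. The deprecated
// 'warning' status was removed, so it is rejected rather than silently mapped.
function normalizeStatus(stored: string): RuleExecutionStatus {
  if (stored === LEGACY_GOING_TO_RUN) return 'running';
  switch (stored) {
    case 'running':
    case 'succeeded':
    case 'failed':
    case 'partial failure':
      return stored;
    default:
      throw new Error(`unsupported rule execution status: ${stored}`);
  }
}

interface StatusEntry { status: RuleExecutionStatus; at: number; }

class RuleExecutionLog {
  private entries: StatusEntry[] = [];
  // now() is injectable so the timeline can be driven deterministically in tests.
  constructor(private readonly now: () => number = Date.now) {}

  // Record 'running' as soon as the execution cycle begins (query, alert creation, actions).
  start(): void {
    if (this.latest()?.status === 'running') throw new Error('execution already running');
    this.entries.push({ status: 'running', at: this.now() });
  }

  // Record the outcome; only valid while an execution is in progress.
  finish(outcome: Exclude<RuleExecutionStatus, 'running'>): void {
    if (this.latest()?.status !== 'running') throw new Error('no execution in progress');
    this.entries.push({ status: outcome, at: this.now() });
  }

  latest(): StatusEntry | undefined { return this.entries[this.entries.length - 1]; }

  // What a monitoring table would show: the status plus how long it has been held,
  // so a long Indicator Match run reads as "running for 45s" rather than looking stuck.
  describe(): string {
    const last = this.latest();
    if (!last) return 'never run';
    return `${last.status} for ${Math.round((this.now() - last.at) / 1000)}s`;
  }
}
```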

banderror (Contributor) commented

@yiyangliu9286 @jethr0null I'm gonna close this ticket for now. If you'd like to change the color of the running status or anything else related, just lemme know. Thank you.
