
Hiding building block rules in "Security/Overview" #99841

Closed
srikwit opened this issue May 11, 2021 · 7 comments

Labels: bug, Feature:Detection Alerts, impact:high, Team:Detections and Resp, Team: SecuritySolution, v7.16.0

Comments

srikwit (Contributor) commented May 11, 2021

Dear Team,

As per the docs at "https://www.elastic.co/guide/en/security/current/building-block-rule.html":
Create building-block rules when you do not want to see their generated alerts in the UI.

However, this feature is only allowed in the Detections tab but not in the Overview tab. Due to this, the alerts visualization generated from building blocks can overwhelm other critical alerts.

Requesting you to add the following filter for the Overview page:
[screenshot]

tvernum (Contributor) commented May 11, 2021

@jmikell821 I think this belongs in https://github.com/elastic/security-docs, but since I don't have write access there, I can't transfer it across.
Are you able to?

jmikell821 (Contributor) commented

Hi @tvernum - thanks for passing along. This, however, is an enhancement/feature request for Elastic Security as opposed to a documentation issue, so I'm going to transfer this to Kibana and tag the Detections & Response team.

jmikell821 transferred this issue from elastic/elasticsearch May 11, 2021
botelastic bot added the needs-team label May 11, 2021
jmikell821 added the Feature:Detection Alerts, Team: SecuritySolution and Team:Detections and Resp labels and removed the needs-team label May 11, 2021
elasticmachine (Contributor) commented

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

spong added the bug and triage_needed labels May 12, 2021
MadameSheema added the impact:high and v7.14.0 labels and removed the triage_needed label May 12, 2021
banderror (Contributor) commented

Hi @srikwit. First of all, thank you for your suggestions!

Hiding building block alerts on the Security Overview page is addressed in this bugfix: #105611

I'm not sure about adding the corresponding filter on the Security Overview page though. To my mind, users are able to navigate from Overview to Alerts and have all the slice-and-dice functionality in the Alerts table there. Filters applied to the Alerts table are synchronised with the Alerts Trend histogram. This way we could have finer-grained controls on the Alerts page and leave the Overview page much lighter, giving just the overview of the whole system as the name stands for.

Any thoughts from the UX side would be appreciated @yiyangliu9286.

yiyangliu9286 commented

@banderror Thanks for tagging!

Re: the information that has been shared via bugfix #105611, if there are other technical considerations around the implementation for adding a filter on the Security Overview page in the future, maybe a quick UX fix for now would be giving users the context on where they would find and view the building block alerts once they have the filter turned on in the Alerts table (wanted to let them know these alerts show only in the Alerts table but not the Overview page).

An Info EuiToast can be used here to give users extra context:
[screenshot: Alerts_Info toast]

  • Some additional UX question: why is there a yellow blocking shadow on the background of the Include building block alerts checkbox? Is this an intentional design?

spong (Member) commented Jul 22, 2021

> Some additional UX question: why is there a yellow blocking shadow on the background of the Include building block alerts checkbox? Is this an intentional design?

@yiyangliu9286 Yeah, this was the intended original design for conveying how building block alerts are shown within the Alerts/Timeline tables. Was added as part of #79049. This is probably worth revisiting along with other markers (like the yellow left border signifying an event of kind:alert) and where/what the appropriate legend is for users to make this association, so any thoughts you have here would be greatly appreciated 🙂
