
[Security Solution][Detections] Adds rule execution log table #126215

Merged Mar 28, 2022 (52 commits)

Conversation

spong (Member) commented Feb 23, 2022

Summary

Resolves #119598, #119599, #101014

Test plan (internal doc)

Adds Rule Execution Log table to Rule Details page:

Implementation notes

The useful metrics within event-log for a given rule execution are spread between a few different platform (execute-start, execute) and security (execution-metrics, status-change) events. In an effort to provide consolidated metrics per rule execution (and avoiding a lot of empty cells and mis-matched statuses like in the image below)

these rule execution events are aggregated by their executionId, and then fields are merged from each different event. This PR was re-worked to take advantage of the new event-log aggregation support added in #126948, and is no longer implemented as an in-memory aggregation server side.

  • Due to restrictions around supplying search filters that may match multiple sub-agg buckets and missing data (see discussion here), it was decided that we'd disable the search bar for the time being. We have both a near-term (writing single rollup event) and long-term (ES|QL) solution that will allow us to re-enable this functionality.

  • Note, since a terms agg is used to fetch all execution events, an upper bound must be set. See this discussion for more details, but setting this max to 1000 events for the time being, and returning total cardinality of execution events back within total to allow the UI to inform the user that they should narrow their search further to better isolate and find possible issues. This should be a reasonable constraint for almost all rules, as for a rule executing every 5 minutes, 1000 executions would cover over 3 days of execution time.

The Filter for alerts action will be available on all Succeeded/Partial Failure executions even if there weren't alerts generated until #126210 is merged and we can start returning the alert count, at which point we can programmatically enable/disable this action based on alert count.

Todo:

  • Continue adding test coverage, but most stubbed out (see TODO's)
  • Resolve ID-joining to cleanup query logic and still support search filters (waiting on feedback from query team)
  • Follow-up UI review
    • Spoke with @yiyangliu9286 and implemented initial feedback, will do final sync before merging

Checklist

Delete any items that are not applicable to this PR.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
    • TODO: Collaborate with @elastic/security-docs
  • Unit or functional tests were updated or added to match the most common scenarios
    • Existing updated, additional tests required, including FTR suite for exercising total_alerts/total_hits changes
  • Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
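
As an added example (not code from this PR or from Kibana), the shape of the capped, paginated aggregation the implementation notes describe: one terms bucket per execution id (max 1000), `bucket_sort` for sorting and pagination, and a sibling cardinality agg carrying the true total, with the sort-field check returned as a value so the route handler decides how to reject bad input. The event-log field names, the agg names and the rejection of pages past the cap are assumptions made for this example.

```typescript
// Added illustration, not Kibana's own code. Field names below are assumed;
// the real mapping lives in the Kibana repo.
const EXECUTION_UUID_FIELD = 'kibana.alert.rule.execution.uuid';

// API sort fields -> sub-aggregation that computes them (assumed names,
// modelled on the SORT_FIELD_TO_AGG_MAPPING referenced in the review).
export const SORT_FIELD_TO_AGG_MAPPING: Record<string, string> = {
  timestamp: 'executeStartTime',
  duration_ms: 'executionDuration',
  gap_duration_s: 'gapDuration',
  indexing_duration_ms: 'indexDuration',
  search_duration_ms: 'searchDuration',
  schedule_delay_ms: 'scheduleDelay',
};

// Upper bound on the terms agg, as set in the PR description.
export const MAX_EXECUTION_EVENTS_DISPLAYED = 1000;

export interface AggregationParams {
  sortField: string;
  sortOrder: 'asc' | 'desc';
  page: number; // 1-based
  perPage: number;
}

export type ParamsResult =
  | { ok: true; value: AggregationParams }
  | { ok: false; error: string };

// Route-level validation. Returns an error string instead of throwing, so the
// caller maps it to a 400 while the agg builder stays context-free.
export function validateAggregationParams(raw: Record<string, unknown>): ParamsResult {
  const sortField = String(raw.sortField ?? 'timestamp');
  const allowed = Object.keys(SORT_FIELD_TO_AGG_MAPPING);
  if (!allowed.includes(sortField)) {
    return { ok: false, error: `Invalid sort field "${sortField}" - must be one of [${allowed.join(',')}]` };
  }
  const sortOrder = raw.sortOrder === 'asc' ? 'asc' : 'desc';
  const page = Number(raw.page ?? 1);
  const perPage = Number(raw.perPage ?? 20);
  if (!Number.isInteger(page) || page < 1 || !Number.isInteger(perPage) || perPage < 1) {
    return { ok: false, error: 'page and perPage must be positive integers' };
  }
  // A page that starts past the capped terms agg can never be filled; reject it
  // up front (a choice made for this illustration, not behaviour stated in the PR).
  if ((page - 1) * perPage >= MAX_EXECUTION_EVENTS_DISPLAYED) {
    return { ok: false, error: `page * perPage exceeds ${MAX_EXECUTION_EVENTS_DISPLAYED} executions` };
  }
  return { ok: true, value: { sortField, sortOrder, page, perPage } };
}

// Builds the aggregation body for the execution-events search. Metric
// sub-aggs use assumed event-log field names.
export function buildExecutionEventAggregation(params: AggregationParams) {
  const { sortField, sortOrder, page, perPage } = params;
  return {
    // True number of distinct executions in the time range, even when the terms
    // agg below is capped; the UI uses it to ask the user for a narrower range.
    totalExecutions: { cardinality: { field: EXECUTION_UUID_FIELD } },
    executionUuid: {
      terms: { field: EXECUTION_UUID_FIELD, size: MAX_EXECUTION_EVENTS_DISPLAYED },
      aggs: {
        // One single-value metric per sortable column, merged from whichever
        // event in the bucket carries it.
        executeStartTime: { min: { field: '@timestamp' } },
        executionDuration: { max: { field: 'event.duration' } },
        gapDuration: { max: { field: 'kibana.alert.rule.execution.metrics.execution_gap_duration_s' } },
        indexDuration: { max: { field: 'kibana.alert.rule.execution.metrics.total_indexing_duration_ms' } },
        searchDuration: { max: { field: 'kibana.alert.rule.execution.metrics.total_search_duration_ms' } },
        scheduleDelay: { max: { field: 'kibana.task.schedule_delay' } },
        // Sorting and pagination happen inside the bucket set, on the sub-agg
        // the API sort field maps to.
        executionUuidSorted: {
          bucket_sort: {
            sort: [{ [SORT_FIELD_TO_AGG_MAPPING[sortField]]: { order: sortOrder } }],
            from: (page - 1) * perPage,
            size: perPage,
          },
        },
      },
    },
  };
}
```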

@spong spong self-assigned this Feb 23, 2022
@spong spong added Feature:Rule Monitoring Security Solution Detection Rule Monitoring area release_note:feature Makes this part of the condensed release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team v8.2.0 labels Feb 23, 2022
xcrzx (Contributor) commented Mar 28, 2022

Sometimes filter by status behaves a bit strangely. When selecting "Partial failure," the table still shows "Failed" executions. I guess that happens because, despite the final "failed" status, there were warnings during executions?

Screen.Recording.2022-03-28.at.19.53.20.mov

kibana-ci (Collaborator) commented:

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules lead to a faster build time

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 2991 | 3000 | +9 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 4.8MB | 4.8MB | +14.8KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 247.4KB | 249.2KB | +1.8KB |

Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| @kbn/securitysolution-rules | 23 | 24 | +1 |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @spong

xcrzx (Contributor) left a review:

Fantastic work, @spong 🚀 🎉 Tested locally; the new event log functionality looks amazing!
I left a couple of comments, primarily nits, and neither is a blocker for this PR and could be addressed after FF if needed.

Comment on lines +88 to +96

```ts
for (const field of sortFields) {
  if (!Object.keys(SORT_FIELD_TO_AGG_MAPPING).includes(field)) {
    throw new BadRequestError(
      `Invalid sort field "${field}" - must be one of [${Object.keys(
        SORT_FIELD_TO_AGG_MAPPING
      ).join(',')}]`
    );
  }
}
```
xcrzx (Contributor):

Probably we should move this input validation to the route handler level 🤔 Ideally, helper functions like getExecutionEventAggregation shouldn't be aware of their execution context, i.e., they shouldn't throw BadRequestError errors.

spong (Member, Author):

I was following a similar pattern that the ResponseOps folks did in their PR where they still validated inputs at the getAggs layer in case anyone else consumed this function without validating their inputs. That said, I am throwing the wrong error here so if we want to keep this logic we should change this to a different error type. Btw, when switching to Decoded we'll have input validation at the route handler, so will be covered there 👍

```ts
    }
  }

  return {
```
xcrzx (Contributor):

I found this aggregation query pretty hard to follow. Maybe we can make it more readable by splitting it into multiple queries? As practice shows, there is no significant performance difference in executing one big aggregation vs. multiple smaller ones. But readability could be improved a lot.

We don't need to do anything with this query right now, but maybe that's something we should consider in the future.

spong (Member, Author):

Yeah, definitely agree with you that it's a monster agg -- I tried to help it with comments, but those can only do so much; a logical summary comment would be helpful here too so I'll add one of those. As for breaking it up into multiple queries, how could this be achieved while still maintaining functional sorting since there are two nested aggs that take the sort params (terms/bucket_sort for pagination)? And wouldn't you end back up with some in-memory aggs logic?

I might be missing something here, but am happy to rework this to multiple queries if we can -- let me know your thoughts!

spong (Member, Author) commented Mar 28, 2022

Thank you for the thorough review @xcrzx! I'm going to go ahead and merge as to not battle any flake getting a greenlight on CI again with the requested changes. Will post to each comment on this PR with the commit resolving it when ready. Thanks again!

spong (Member, Author) commented Mar 28, 2022

> Sometimes filter by status behaves a bit strangely. When selecting "Partial failure," the table still shows "Failed" executions. I guess that happens because, despite the final "failed" status, there were warnings during executions?
>
> Screen.Recording.2022-03-28.at.19.53.20.mov

Hrmm, perhaps? Usually the only time you should see weirdness here is with partial events as an execution is occurring (would like to resolve that case as well), but I'll take a peek and try to repro 👍

@spong spong merged commit 9bc4c0c into elastic:main Mar 28, 2022
@spong spong deleted the adds-rule-execution-log-table branch March 28, 2022 22:42
spong added a commit that referenced this pull request Mar 30, 2022
…n on Rule Execution Log (#128843)

## Summary

One-liner fix for the `Show alerts for execution` action on the Rule Execution Log table. Had the wrong key after changing the response interface. Working on the follow-up feedback PR from #126215, and will be including additional test coverage there, but wanted to get this in before the first BC for testing purposes.


<p align="center">
  <img width="700" src="https://user-images.githubusercontent.com/2946766/160720595-f00280d1-3928-4511-8e74-2f5d50b103e9.gif" />
</p>
@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Mar 30, 2022
kibanamachine (Contributor) commented:

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 126215 or prevent reminders by adding the backport:skip label.

@spong spong added needs_docs backport:skip This commit does not require backporting and removed backport missing Added to PRs automatically when the are determined to be missing a backport. labels Mar 31, 2022
spong added a commit that referenced this pull request Apr 5, 2022
…#129003)

## Summary

Addresses feedback and fixes identified in #126215

Feedback addressed includes:
* Adds route validation via io-ts decode and schema tests
* Fixed styling of max execution events error by wrapping text (#129321)
* Fixed types within `view alerts for execution` action onClick
* Caps auto-refresh minimum to `1min` (#129332)
* Adds cardinality aggs to initial `execution_uuid` query to properly report total counts when filtering by status
* Disabled `View Alerts from Execution` action as current UX was too cumbersome with erasing users existing filters

---
Additional follow-ups for another PR:
- [ ] UI Unit tests
- [ ] Finalize API Integration tests for gap remediation events
- [ ] Persist table state (DatePicker/StatusFilter/SortField/SortOrder/Pagination) when navigating to other tabs on the same page
- [ ] Update global DatePicker to daterange of execution for `view alerts for execution` action (and clear all other filters)
- [ ] Support `disabled rule` platform error #126215 (comment)
- [ ] Verify StatusFilter issue #126215 (comment)

---
### Checklist

Delete any items that are not applicable to this PR.

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [X] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [X] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
kibanamachine pushed a commit that referenced this pull request Apr 5, 2022
…#129003)
(cherry picked from commit bc413c6)
kibanamachine added a commit that referenced this pull request Apr 5, 2022
…#129003) (#129518)
(cherry picked from commit bc413c6)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
spong added a commit that referenced this pull request May 4, 2022
… Part Deux (#130072)

## Summary

Addresses feedback and fixes identified in #126215 & #129003

##### Feedback addressed includes:
* Adds toast for restoring global query state after performing `view alerts for execution` action
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164511565-b77d3dc8-a8b5-4927-a947-54966a58c74f.gif" />
</p>

* Updates global SuperDatePicker to daterange of execution (+/- day) for `view alerts for execution` action (and clear all other filters)
  * See above gif
* Remove redundant `RuleExecutionStatusType` (#129003 (comment))
* Persist table state (DatePicker/StatusFilter/SortField/SortOrder/Pagination) when navigating to other tabs on the same page
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164512498-59416601-d967-4a27-b0cc-0715cc0662c0.gif" />
</p>

* Fix duration hours bug (`7 hours (25033167ms)` as `06:417:13:000`)
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164511478-bf0bb6d8-d8b7-4c86-8fbd-b60090f00555.png" />
</p> 

* Support `disabled rule` platform error (#126215 (comment))
  * Updated `getAggregateExecutionEvents` to fallback to platform status from `event.outcome` if `security_status` is empty, and also falls back to `error.message` if `security_message` is empty. This also now queries for corresponding `event.outcome` if filter is provided so that platform-only events can still be displayed when filtering.
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/164510056-1e0bce86-8360-4d46-b591-2041457e3244.png" />
</p>

* Verify StatusFilter issue #126215 (comment)
  * Unable to reproduce, I believe the query updates around first querying for status may've fixed this?
* Provide helpful defaults for `to`/`from` and support datemath strings again (#129003 (comment))
  * Created enhancement for this here: #131095
* Adds UI Unit tests for RuleExecutionLog Table
* Finalize API Integration tests for gap remediation events
  * Test methods developed for injecting arbitrary execution events while still working with event-log RBAC. See last [API integration test](https://github.com/elastic/kibana/blob/22cc0c8dbd2a1300675caf4c6d471d211ed44858/x-pack/test/detection_engine_api_integration/security_and_spaces/tests/get_rule_execution_events.ts#L121-L166) for technique. This can further be used to inject many execution events and expand tests around pagination, sorting, filters, etc.
* Fixes `gap_duration`'s of `1-499`ms showing up as `-` instead of `0`
* Fixes restore filters action to restore either absolute or relative datepicker as it originally was
* Resolves #130946
  * Adds `min-height` to tab container
  * Removes scroll-pane from ExceptionsViewer to match Alerts/Execution Log
---

##### Remaining follow-ups:

None! 🎉

### Checklist

Delete any items that are not applicable to this PR.

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [X] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [X] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
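
An added example, not code from the commit above or from Kibana, of two of the fixes it lists: the platform fallback for status and message (with the inverse outcome mapping a status filter needs so platform-only executions still match), and a duration formatter that reduces each unit modulo the next larger one (the 417 in the buggy `06:417:13:000` is 6×60+57, i.e. minutes that still contain the hours). The merged-bucket shape, the outcome-to-status mapping and the HH:MM:SS:mmm format are assumptions made for this example.

```typescript
// Added illustration, not Kibana's own code.

// Assumed shape of one merged per-execution bucket. security* fields come
// from the Security Solution status-change event; eventOutcome and
// errorMessage from the platform execute event.
export interface ExecutionBucket {
  executionUuid: string;
  securityStatus?: string; // e.g. 'succeeded' | 'partial failure' | 'failed'
  securityMessage?: string;
  eventOutcome?: string; // platform: 'success' | 'failure'
  errorMessage?: string;
  durationMs?: number;
  gapDurationS?: number;
}

export interface ExecutionRow {
  executionUuid: string;
  status: string;
  message: string;
  duration: string;
  gapDurationS: string;
}

// Assumed mapping from platform outcome to the Security status vocabulary.
const OUTCOME_TO_STATUS: Record<string, string | undefined> = {
  success: 'succeeded',
  failure: 'failed',
};

// Inverse mapping used when a status filter is supplied, so executions that
// only have platform events are still returned. 'partial failure' has no
// platform equivalent and contributes nothing.
export function statusFilterToOutcomes(statuses: string[]): string[] {
  const outcomes: string[] = [];
  for (const [outcome, status] of Object.entries(OUTCOME_TO_STATUS)) {
    if (status !== undefined && statuses.includes(status)) outcomes.push(outcome);
  }
  return outcomes;
}

function nonEmpty(value: string | undefined): string | undefined {
  return value !== undefined && value.trim() !== '' ? value : undefined;
}

function pad(n: number, width: number): string {
  return String(n).padStart(width, '0');
}

// HH:MM:SS:mmm. Hours are removed before minutes are computed, minutes before
// seconds, so no unit can overflow into the next column.
export function formatExecutionDuration(ms: number): string {
  if (!Number.isFinite(ms) || ms < 0) return '-';
  const totalSeconds = Math.floor(ms / 1000);
  const hours = Math.floor(totalSeconds / 3600);
  const minutes = Math.floor((totalSeconds % 3600) / 60);
  const seconds = totalSeconds % 60;
  const millis = Math.floor(ms % 1000);
  return `${pad(hours, 2)}:${pad(minutes, 2)}:${pad(seconds, 2)}:${pad(millis, 3)}`;
}

// Gap is shown in whole seconds. Only a missing value renders as '-'; a
// sub-second gap (1-499 ms) rounds to '0' instead of being treated as absent.
export function formatGapSeconds(gapS: number | undefined): string {
  if (gapS === undefined || !Number.isFinite(gapS)) return '-';
  return String(Math.round(gapS));
}

// Security status/message win when present; otherwise fall back to the
// platform outcome and error message so disabled-rule style platform errors
// still produce a readable row.
export function toExecutionRow(bucket: ExecutionBucket): ExecutionRow {
  const platformStatus =
    bucket.eventOutcome !== undefined ? OUTCOME_TO_STATUS[bucket.eventOutcome] : undefined;
  const status = nonEmpty(bucket.securityStatus) ?? platformStatus ?? 'unknown';
  const message = nonEmpty(bucket.securityMessage) ?? nonEmpty(bucket.errorMessage) ?? '';
  return {
    executionUuid: bucket.executionUuid,
    status,
    message,
    duration: bucket.durationMs === undefined ? '-' : formatExecutionDuration(bucket.durationMs),
    gapDurationS: formatGapSeconds(bucket.gapDurationS),
  };
}
```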
spong added a commit to spong/kibana that referenced this pull request May 4, 2022
… Part Deux (elastic#130072)
(cherry picked from commit 683463e)

# Conflicts:
#	x-pack/plugins/security_solution/cypress/tasks/alerts.ts
#	x-pack/plugins/security_solution/public/detections/pages/detection_engine/rules/details/execution_log_table/execution_log_columns.tsx
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/event_log_reader.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.test.ts
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/event_log/get_execution_event_aggregation/index.ts
#	x-pack/test/detection_engine_api_integration/utils/index_event_log_execution_events.ts
spong added a commit that referenced this pull request May 5, 2022
… Fixes Part Deux (#130072) (#131574)

* [Security Solution][Detections] Rule Execution Log Feedback and Fixes Part Deux (#130072)
(cherry picked from commit 683463e)
* Fixing import
kertal pushed a commit to kertal/kibana that referenced this pull request May 24, 2022
… Part Deux (elastic#130072)
Successfully merging this pull request may close these issues.

[Security Solution][Detections] New endpoint for Rule Execution Log