Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] [Attack discovery] Alerts filtering #205070

Merged

Conversation

andrew-goldstein
Copy link
Contributor

@andrew-goldstein andrew-goldstein commented Dec 22, 2024

[Security Solution] [Attack discovery] Alerts filtering

00_alerts_filtering

This PR enhances Attack discovery by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizeable Attack discovery settings flyout, users may:

  • Filter alerts via a search bar and filters
  • Control the time window (previously fixed to Last 24 hrs)

Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

01_before_full_page

After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

02_alert_summary_full_page

It has two tabs, Alert summary and Alerts preview.

Alert summary

The Alert summary Lens embeddable counts the selected field name via an ES|QL query:

03_alert_summary_cropped

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

Alerts preview

The Alerts preview Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

05_alerts_preview_cropped

Users may resize the settings flyout to view all the fields in the Alerts preview.

Feature flag

Enable the attackDiscoveryAlertFiltering feature flag via the following setting in kibana.dev.yml:

xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'

Enabling the feature flag:

  • Replaces the Settings modal with the Attack discovery settings flyout
  • Includes additional start, end, and filters parameters in requests to generate Attack discoveries
  • Enables new loading messages

Details

Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

  1. The default date range (Last 24 hours), which displays the same message seen in previous versions:

06_loading_default_date_range

  1. Relative date ranges:

07_loading_relative_date_range

  1. Absolute date ranges:

08_loading_absolute_date_range

Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start

Users may use the Reset button in the Attack discovery settings flyout to restore the above to their defaults.

Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

Table cell hover actions are disabled

Table cell actions, i.e. Filter for and Filter out are disabled in the Alert summary and Alerts preview tables.

The actions are disabled because custom cell hover actions registered in x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's Dashboard app.

Default table sort indicators are hidden

The Alert summary and Alerts preview tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries.

The tables should display default sort indicators, as illustrated by the screenshots below:

09_alert_summary_with_sort_indicator

10_alerts_preview_with_sort_indicator

The default indicators are hidden in this PR as a workaround for an error that occurs in EuiDataGrid when switching tabs when the column sort indicators are enabled:

TypeError: Cannot read properties of undefined (reading 'split')

To re-enable the sort indicators, DEFAULT_ALERT_SUMMARY_SORT and DEFAULT_ALERTS_PREVIEW_SORT must respectively be passed as the sorting prop to the PreviewTab in x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx, as illustrated by the following code:

  <PreviewTab
    dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
    embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
    end={end}
    filters={filters}
    getLensAttributes={getAlertSummaryLensAttributes}
    getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
    maxAlerts={maxAlerts}
    query={query}
    setTableStackBy0={setAlertSummaryStackBy0}
    start={start}
    sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
    tableStackBy0={alertSummaryStackBy0}
  />
Selected date range not persisted

The start and end date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.

@andrew-goldstein andrew-goldstein added release_note:enhancement v9.0.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. ci:cloud-deploy Create or update a Cloud deployment ci:cloud-persist-deployment Persist cloud deployment indefinitely Team:Security Generative AI Security Generative AI backport:version Backport to applied version labels v8.18.0 labels Dec 22, 2024
@andrew-goldstein andrew-goldstein self-assigned this Dec 22, 2024
@andrew-goldstein andrew-goldstein requested review from a team as code owners December 22, 2024 23:44
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@e40pud
Copy link
Contributor

e40pud commented Dec 23, 2024

Tested locally, everything works great! Found a few things we might want to have a look into:

1. Seems like data-test-subj="superDatePickerApplyTimeButton" button does not refresh data

When I update a query without pressing Enter and instead use a refresh button next to the time-range selector the new changes won't apply. Even when I select a different timeframe the new query won't affect results. (you can see at the end of the video, I go back to the query bar and press Enter and only after that correct alerts are fetched).

Screen.Recording.2024-12-23.at.11.20.07.mov

2. Error within timeline while generating discoveries

If there are no generated discoveries and user opens the timeline, the first thing we will show is the unexpected error from elasticsearch. I guess this is not a bug really, but maybe this could be improved.

Screen.Recording.2024-12-23.at.11.33.52.mov

3. Can see results of the canceled discovery generation

When I start generating discoveries with certain filter, then cancel it, then update filter and save it and then start generating discoveries again, after some time I see the results of the canceled generation and then it is being updated to the correct one.

Screen.Recording.2024-12-23.at.12.00.41.mov

Will be looking into code changes now.

Copy link
Contributor

@e40pud e40pud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks and works great! Left a few comments (nothing major).

);

// search bar query:
const [query, setQuery] = // useState<Query>(getDefaultQuery());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we still need // useState<Query>(getDefaultQuery());?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved by commit 4e43e1a

setApproximateFutureTime(null);

// call the internal API to generate attack discoveries:
const rawResponse = await http.fetch('/internal/elastic_assistant/attack_discovery', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: any reason not to use http.post here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved by commit 8469846 and commit 05d6d35

const { theme } = useKibana().services;
const dateFormat = useDateFormat();
const timeZone = useTimeZone();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious why we would want to use time zone. Might be wrong, but if I remember correctly we do not use it in other places where we deal with alerts in security solution.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved by commit fdc75d0

@andrew-goldstein andrew-goldstein force-pushed the attack_discovery_filtering branch from d7ff8bb to 05d6d35 Compare December 24, 2024 01:38
@andrew-goldstein
Copy link
Contributor Author

Tested locally, everything works great! Found a few things we might want to have a look into:

1. Seems like data-test-subj="superDatePickerApplyTimeButton" button does not refresh data

When I update a query without pressing Enter and instead use a refresh button next to the time-range selector the new changes won't apply. Even when I select a different timeframe the new query won't affect results. (you can see at the end of the video, I go back to the query bar and press Enter and only after that correct alerts are fetched).

Great catch, thank you @e40pud!

✅ Resolved by commit 1dca994

In the commit above, users accumulate an "unsubmitted" query as they type in the search bar, but have not pressed the Enter key to submit the query, (which would call onQuerySubmit).

To match the behavior of Discover, setQuery is called with the unSubmittedQuery query when:

  1. The user selects a new time range
  2. The user clicks the refresh button

Also to match the behavior of Discover, we do NOT call setQuery with the unSubmittedQuery query when the user clicks the Save button button.

2. Error within timeline while generating discoveries

If there are no generated discoveries and user opens the timeline, the first thing we will show is the unexpected error from elasticsearch. I guess this is not a bug really, but maybe this could be improved.

This timeline error does not appear to to be related to Attack discovery. It is reproducible on any other Security Solution page that includes Timeline, i.e. Alerts.

3. Can see results of the canceled discovery generation

When I start generating discoveries with certain filter, then cancel it, then update filter and save it and then start generating discoveries again, after some time I see the results of the canceled generation and then it is being updated to the correct one.

At the time of this writing, Kibana Tasks are only canceled on a timeout or Kibana shutdown. As a result, [Security solution] Attack discovery background task and persistence does not use tasks for cancellation; there is potential for race conditions like the one you observed.

In the short term, we may be able to reduce or eliminate the issue you observed using Elasticsearch's document versioning feature.

@jamesspi let's include this in the refactoring of background tasks, per our recent offline discussion. Thank you.

@andrew-goldstein
Copy link
Contributor Author

/ci

@elastic elastic deleted a comment from elasticmachine Dec 24, 2024
@andrew-goldstein
Copy link
Contributor Author

/ci

Copy link
Contributor

@e40pud e40pud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments, looks great!

// 2) The user clicks the refresh button
//
// Also to match the behavior of Discover, we must NOT call `setQuery` with
// the `unSubmittedQuery` query when the user clicks the `Save` button button.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// the `unSubmittedQuery` query when the user clicks the `Save` button button.
// the `unSubmittedQuery` query when the user clicks the `Save` button.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved by commit 4f83f49

// call the internal API to generate attack discoveries:
const rawResponse = await http.post('/internal/elastic_assistant/attack_discovery', {
body: JSON.stringify(bodyWithOverrides),
method: 'POST',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: I believe we don't need method: 'POST' when we use http.post explicitly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resolved by commit 4f83f49

![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)

This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizeable _Attack discovery settings flyout_, users may:

- Filter alerts via a search bar and filters
- Control the time window (previously fixed to `Last 24 hrs`)

### Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)

### After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)

It has two tabs, _Alert summary_ and _Alerts preview_.

### Alert summary

The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query:

![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

### Alerts preview

The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)

Users may resize the settings flyout to view all the fields in the Alerts preview.

### Feature flag

Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

Enabling the feature flag:

- Replaces the `Settings` modal with the `Attack discovery settings` flyout
- Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries
- Enables new loading messages

### Details

#### Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions:

![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)

2) Relative date ranges:

![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)

3) Absolute date ranges:

![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)

#### Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

```
elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start
```

Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults.

#### Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

#### Table cell hover actions are disabled

Table cell actions, i.e. `Filter for` and `Filter out` are disabled in the `Alert summary` and `Alerts preview` tables.

The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app.

##### Default table sort indicators are hidden

The `Alert summary` and `Alerts preview` tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries.

The tables _should_ display default sort indicators, as illustrated by the screenshots below:

![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)

![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)

The default indicators are hidden in this PR as a workaround for an  error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled:

```
TypeError: Cannot read properties of undefined (reading 'split')
```

To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code:

```typescript
  <PreviewTab
    dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
    embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
    end={end}
    filters={filters}
    getLensAttributes={getAlertSummaryLensAttributes}
    getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
    maxAlerts={maxAlerts}
    query={query}
    setTableStackBy0={setAlertSummaryStackBy0}
    start={start}
    sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
    tableStackBy0={alertSummaryStackBy0}
  />
```

##### Selected date range not persisted

The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.
…ar, and call `setQuery` with it when the user 1) selects a new time range, or 2) clicks the refresh button.
@andrew-goldstein andrew-goldstein force-pushed the attack_discovery_filtering branch from a89113b to 4f83f49 Compare December 24, 2024 09:11
@elasticmachine
Copy link
Contributor

elasticmachine commented Dec 24, 2024

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 6483 6507 +24

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/elastic-assistant 141 145 +4
@kbn/elastic-assistant-common 405 410 +5
total +9

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 21.4MB 21.4MB +21.4KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 88.2KB 88.2KB +33.0B
Unknown metric groups

API count

id before after diff
@kbn/elastic-assistant 170 174 +4
@kbn/elastic-assistant-common 442 447 +5
total +9

History

cc @andrew-goldstein

@andrew-goldstein andrew-goldstein merged commit 681d40e into elastic:main Dec 24, 2024
8 checks passed
@andrew-goldstein andrew-goldstein deleted the attack_discovery_filtering branch December 24, 2024 10:49
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12480699902

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 24, 2024
## [Security Solution] [Attack discovery] Alerts filtering

![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)

This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizeable _Attack discovery settings flyout_, users may:

- Filter alerts via a search bar and filters
- Control the time window (previously fixed to `Last 24 hrs`)

### Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)

### After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)

It has two tabs, _Alert summary_ and _Alerts preview_.

### Alert summary

The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query:

![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

### Alerts preview

The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)

Users may resize the settings flyout to view all the fields in the Alerts preview.

### Feature flag

Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

Enabling the feature flag:

- Replaces the `Settings` modal with the `Attack discovery settings` flyout
- Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries
- Enables new loading messages

### Details

#### Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions:

![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)

2) Relative date ranges:

![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)

3) Absolute date ranges:

![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)

#### Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

```
elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start
```

Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults.

#### Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

#### Table cell hover actions are disabled

Table cell actions, i.e. `Filter for` and `Filter out` are disabled in the `Alert summary` and `Alerts preview` tables.

The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app.

##### Default table sort indicators are hidden

The `Alert summary` and `Alerts preview` tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries.

The tables _should_ display default sort indicators, as illustrated by the screenshots below:

![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)

![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)

The default indicators are hidden in this PR as a workaround for an  error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled:

```
TypeError: Cannot read properties of undefined (reading 'split')
```

To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code:

```typescript
  <PreviewTab
    dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
    embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
    end={end}
    filters={filters}
    getLensAttributes={getAlertSummaryLensAttributes}
    getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
    maxAlerts={maxAlerts}
    query={query}
    setTableStackBy0={setAlertSummaryStackBy0}
    start={start}
    sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
    tableStackBy0={alertSummaryStackBy0}
  />
```

##### Selected date range not persisted

The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.

(cherry picked from commit 681d40e)
@kibanamachine
Copy link
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 24, 2024
… (#205137)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] [Attack discovery] Alerts filtering
(#205070)](#205070)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Andrew
Macri","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-24T10:49:10Z","message":"[Security
Solution] [Attack discovery] Alerts filtering (#205070)\n\n## [Security
Solution] [Attack discovery] Alerts
filtering\r\n\r\n![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)\r\n\r\nThis
PR enhances _Attack discovery_ by providing users additional control
over which alerts are included as context to the large language model
(LLM).\r\n\r\nUsing the new resizeable _Attack discovery settings
flyout_, users may:\r\n\r\n- Filter alerts via a search bar and
filters\r\n- Control the time window (previously fixed to `Last 24
hrs`)\r\n\r\n### Before (feature flag disabled)\r\n\r\nPreviously, users
could only set the number of alerts sent as context to the LLM via a
modal:\r\n\r\n![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)\r\n\r\n###
After (feature flag enabled)\r\n\r\nThe new Attack discovery settings
flyout replaces the
modal:\r\n\r\n![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)\r\n\r\nIt
has two tabs, _Alert summary_ and _Alerts preview_.\r\n\r\n### Alert
summary\r\n\r\nThe _Alert summary_ Lens embeddable counts the selected
field name via an ES|QL
query:\r\n\r\n![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)\r\n\r\nThe
Alert summary query is an aggregation. It does NOT display the details
of individual alerts.\r\n\r\n### Alerts preview\r\n\r\nThe _Alerts
preview_ Lens embeddable shows a preview of the actual alerts that will
be sent as context via an ES|QL
query:\r\n\r\n![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)\r\n\r\nUsers
may resize the settings flyout to view all the fields in the Alerts
preview.\r\n\r\n### Feature flag\r\n\r\nEnable the
`attackDiscoveryAlertFiltering` feature flag via the following setting
in
`kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental:\r\n
- 'attackDiscoveryAlertFiltering'\r\n```\r\n\r\nEnabling the feature
flag:\r\n\r\n- Replaces the `Settings` modal with the `Attack discovery
settings` flyout\r\n- Includes additional `start`, `end`, and `filters`
parameters in requests to generate Attack discoveries\r\n- Enables new
loading messages\r\n\r\n### Details\r\n\r\n#### Loading
messages\r\n\r\nThe loading messages displayed when generating Attack
discoveries were updated to render three types of date ranges:\r\n\r\n1)
The default date range (`Last 24 hours`), which displays the same
message seen in previous
versions:\r\n\r\n![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)\r\n\r\n2)
Relative date
ranges:\r\n\r\n![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)\r\n\r\n3)
Absolute date
ranges:\r\n\r\n![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)\r\n\r\n####
Filtering preferences\r\n\r\nAlert filtering preferences are stored in
local storage.\r\n\r\nThis PR adds the following new local storage
keys:\r\n\r\n```\r\nelasticAssistantDefault.attackDiscovery.default.end\r\nelasticAssistantDefault.attackDiscovery.default.filters\r\nelasticAssistantDefault.attackDiscovery.default.query\r\nelasticAssistantDefault.attackDiscovery.default.start\r\n```\r\n\r\nUsers
may use the `Reset` button in the Attack discovery settings flyout to
restore the above to their defaults.\r\n\r\n#### Known
limitations\r\n\r\nThe following known limitations in this PR may be
mitigated in follow-up PRs:\r\n\r\n#### Table cell hover actions are
disabled\r\n\r\nTable cell actions, i.e. `Filter for` and `Filter out`
are disabled in the `Alert summary` and `Alerts preview`
tables.\r\n\r\nThe actions are disabled because custom cell hover
actions registered in
`x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts`
do NOT appear to receive field metadata (i.e. the name of the field
being hovered over) when the action is triggered. This limitation also
appears to apply to ad hoc ES|QL visualizations created via Lens in
Kibana's _Dashboard_ app.\r\n\r\n##### Default table sort indicators are
hidden\r\n\r\nThe `Alert summary` and `Alerts preview` tables are sorted
descending by Count, and Risk score, respectively, via their ES|QL
queries.\r\n\r\nThe tables _should_ display default sort indicators, as
illustrated by the screenshots
below:\r\n\r\n![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)\r\n\r\n![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)\r\n\r\nThe
default indicators are hidden in this PR as a workaround for an error
that occurs in `EuiDataGrid` when switching tabs when the column sort
indicators are enabled:\r\n\r\n```\r\nTypeError: Cannot read properties
of undefined (reading 'split')\r\n```\r\n\r\nTo re-enable the sort
indicators, `DEFAULT_ALERT_SUMMARY_SORT` and
`DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the
`sorting` prop to the `PreviewTab` in
`x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`,
as illustrated by the following code:\r\n\r\n```typescript\r\n
<PreviewTab\r\n dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}\r\n
embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}\r\n end={end}\r\n
filters={filters}\r\n
getLensAttributes={getAlertSummaryLensAttributes}\r\n
getPreviewEsqlQuery={getAlertSummaryEsqlQuery}\r\n
maxAlerts={maxAlerts}\r\n query={query}\r\n
setTableStackBy0={setAlertSummaryStackBy0}\r\n start={start}\r\n
sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort
indicator\r\n tableStackBy0={alertSummaryStackBy0}\r\n
/>\r\n```\r\n\r\n##### Selected date range not persisted\r\n\r\nThe
`start` and `end` date range selected when a user starts generation are
not (yet) persisted in Elasticsearch. As a result, the loading message
always displays the currently configured range, rather than the range
selected at the start of
generation.","sha":"681d40eee64316bea85d04077f918bd7121988b9","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:
SecuritySolution","ci:cloud-deploy","ci:cloud-persist-deployment","Team:Security
Generative AI","backport:version","v8.18.0"],"title":"[Security
Solution] [Attack discovery] Alerts
filtering","number":205070,"url":"https://github.com/elastic/kibana/pull/205070","mergeCommit":{"message":"[Security
Solution] [Attack discovery] Alerts filtering (#205070)\n\n## [Security
Solution] [Attack discovery] Alerts
filtering\r\n\r\n![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)\r\n\r\nThis
PR enhances _Attack discovery_ by providing users additional control
over which alerts are included as context to the large language model
(LLM).\r\n\r\nUsing the new resizeable _Attack discovery settings
flyout_, users may:\r\n\r\n- Filter alerts via a search bar and
filters\r\n- Control the time window (previously fixed to `Last 24
hrs`)\r\n\r\n### Before (feature flag disabled)\r\n\r\nPreviously, users
could only set the number of alerts sent as context to the LLM via a
modal:\r\n\r\n![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)\r\n\r\n###
After (feature flag enabled)\r\n\r\nThe new Attack discovery settings
flyout replaces the
modal:\r\n\r\n![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)\r\n\r\nIt
has two tabs, _Alert summary_ and _Alerts preview_.\r\n\r\n### Alert
summary\r\n\r\nThe _Alert summary_ Lens embeddable counts the selected
field name via an ES|QL
query:\r\n\r\n![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)\r\n\r\nThe
Alert summary query is an aggregation. It does NOT display the details
of individual alerts.\r\n\r\n### Alerts preview\r\n\r\nThe _Alerts
preview_ Lens embeddable shows a preview of the actual alerts that will
be sent as context via an ES|QL
query:\r\n\r\n![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)\r\n\r\nUsers
may resize the settings flyout to view all the fields in the Alerts
preview.\r\n\r\n### Feature flag\r\n\r\nEnable the
`attackDiscoveryAlertFiltering` feature flag via the following setting
in
`kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental:\r\n
- 'attackDiscoveryAlertFiltering'\r\n```\r\n\r\nEnabling the feature
flag:\r\n\r\n- Replaces the `Settings` modal with the `Attack discovery
settings` flyout\r\n- Includes additional `start`, `end`, and `filters`
parameters in requests to generate Attack discoveries\r\n- Enables new
loading messages\r\n\r\n### Details\r\n\r\n#### Loading
messages\r\n\r\nThe loading messages displayed when generating Attack
discoveries were updated to render three types of date ranges:\r\n\r\n1)
The default date range (`Last 24 hours`), which displays the same
message seen in previous
versions:\r\n\r\n![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)\r\n\r\n2)
Relative date
ranges:\r\n\r\n![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)\r\n\r\n3)
Absolute date
ranges:\r\n\r\n![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)\r\n\r\n####
Filtering preferences\r\n\r\nAlert filtering preferences are stored in
local storage.\r\n\r\nThis PR adds the following new local storage
keys:\r\n\r\n```\r\nelasticAssistantDefault.attackDiscovery.default.end\r\nelasticAssistantDefault.attackDiscovery.default.filters\r\nelasticAssistantDefault.attackDiscovery.default.query\r\nelasticAssistantDefault.attackDiscovery.default.start\r\n```\r\n\r\nUsers
may use the `Reset` button in the Attack discovery settings flyout to
restore the above to their defaults.\r\n\r\n#### Known
limitations\r\n\r\nThe following known limitations in this PR may be
mitigated in follow-up PRs:\r\n\r\n#### Table cell hover actions are
disabled\r\n\r\nTable cell actions, i.e. `Filter for` and `Filter out`
are disabled in the `Alert summary` and `Alerts preview`
tables.\r\n\r\nThe actions are disabled because custom cell hover
actions registered in
`x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts`
do NOT appear to receive field metadata (i.e. the name of the field
being hovered over) when the action is triggered. This limitation also
appears to apply to ad hoc ES|QL visualizations created via Lens in
Kibana's _Dashboard_ app.\r\n\r\n##### Default table sort indicators are
hidden\r\n\r\nThe `Alert summary` and `Alerts preview` tables are sorted
descending by Count, and Risk score, respectively, via their ES|QL
queries.\r\n\r\nThe tables _should_ display default sort indicators, as
illustrated by the screenshots
below:\r\n\r\n![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)\r\n\r\n![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)\r\n\r\nThe
default indicators are hidden in this PR as a workaround for an error
that occurs in `EuiDataGrid` when switching tabs when the column sort
indicators are enabled:\r\n\r\n```\r\nTypeError: Cannot read properties
of undefined (reading 'split')\r\n```\r\n\r\nTo re-enable the sort
indicators, `DEFAULT_ALERT_SUMMARY_SORT` and
`DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the
`sorting` prop to the `PreviewTab` in
`x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`,
as illustrated by the following code:\r\n\r\n```typescript\r\n
<PreviewTab\r\n dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}\r\n
embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}\r\n end={end}\r\n
filters={filters}\r\n
getLensAttributes={getAlertSummaryLensAttributes}\r\n
getPreviewEsqlQuery={getAlertSummaryEsqlQuery}\r\n
maxAlerts={maxAlerts}\r\n query={query}\r\n
setTableStackBy0={setAlertSummaryStackBy0}\r\n start={start}\r\n
sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort
indicator\r\n tableStackBy0={alertSummaryStackBy0}\r\n
/>\r\n```\r\n\r\n##### Selected date range not persisted\r\n\r\nThe
`start` and `end` date range selected when a user starts generation are
not (yet) persisted in Elasticsearch. As a result, the loading message
always displays the currently configured range, rather than the range
selected at the start of
generation.","sha":"681d40eee64316bea85d04077f918bd7121988b9"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/205070","number":205070,"mergeCommit":{"message":"[Security
Solution] [Attack discovery] Alerts filtering (#205070)\n\n## [Security
Solution] [Attack discovery] Alerts
filtering\r\n\r\n![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)\r\n\r\nThis
PR enhances _Attack discovery_ by providing users additional control
over which alerts are included as context to the large language model
(LLM).\r\n\r\nUsing the new resizeable _Attack discovery settings
flyout_, users may:\r\n\r\n- Filter alerts via a search bar and
filters\r\n- Control the time window (previously fixed to `Last 24
hrs`)\r\n\r\n### Before (feature flag disabled)\r\n\r\nPreviously, users
could only set the number of alerts sent as context to the LLM via a
modal:\r\n\r\n![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)\r\n\r\n###
After (feature flag enabled)\r\n\r\nThe new Attack discovery settings
flyout replaces the
modal:\r\n\r\n![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)\r\n\r\nIt
has two tabs, _Alert summary_ and _Alerts preview_.\r\n\r\n### Alert
summary\r\n\r\nThe _Alert summary_ Lens embeddable counts the selected
field name via an ES|QL
query:\r\n\r\n![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)\r\n\r\nThe
Alert summary query is an aggregation. It does NOT display the details
of individual alerts.\r\n\r\n### Alerts preview\r\n\r\nThe _Alerts
preview_ Lens embeddable shows a preview of the actual alerts that will
be sent as context via an ES|QL
query:\r\n\r\n![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)\r\n\r\nUsers
may resize the settings flyout to view all the fields in the Alerts
preview.\r\n\r\n### Feature flag\r\n\r\nEnable the
`attackDiscoveryAlertFiltering` feature flag via the following setting
in
`kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental:\r\n
- 'attackDiscoveryAlertFiltering'\r\n```\r\n\r\nEnabling the feature
flag:\r\n\r\n- Replaces the `Settings` modal with the `Attack discovery
settings` flyout\r\n- Includes additional `start`, `end`, and `filters`
parameters in requests to generate Attack discoveries\r\n- Enables new
loading messages\r\n\r\n### Details\r\n\r\n#### Loading
messages\r\n\r\nThe loading messages displayed when generating Attack
discoveries were updated to render three types of date ranges:\r\n\r\n1)
The default date range (`Last 24 hours`), which displays the same
message seen in previous
versions:\r\n\r\n![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)\r\n\r\n2)
Relative date
ranges:\r\n\r\n![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)\r\n\r\n3)
Absolute date
ranges:\r\n\r\n![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)\r\n\r\n####
Filtering preferences\r\n\r\nAlert filtering preferences are stored in
local storage.\r\n\r\nThis PR adds the following new local storage
keys:\r\n\r\n```\r\nelasticAssistantDefault.attackDiscovery.default.end\r\nelasticAssistantDefault.attackDiscovery.default.filters\r\nelasticAssistantDefault.attackDiscovery.default.query\r\nelasticAssistantDefault.attackDiscovery.default.start\r\n```\r\n\r\nUsers
may use the `Reset` button in the Attack discovery settings flyout to
restore the above to their defaults.\r\n\r\n#### Known
limitations\r\n\r\nThe following known limitations in this PR may be
mitigated in follow-up PRs:\r\n\r\n#### Table cell hover actions are
disabled\r\n\r\nTable cell actions, i.e. `Filter for` and `Filter out`
are disabled in the `Alert summary` and `Alerts preview`
tables.\r\n\r\nThe actions are disabled because custom cell hover
actions registered in
`x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts`
do NOT appear to receive field metadata (i.e. the name of the field
being hovered over) when the action is triggered. This limitation also
appears to apply to ad hoc ES|QL visualizations created via Lens in
Kibana's _Dashboard_ app.\r\n\r\n##### Default table sort indicators are
hidden\r\n\r\nThe `Alert summary` and `Alerts preview` tables are sorted
descending by Count, and Risk score, respectively, via their ES|QL
queries.\r\n\r\nThe tables _should_ display default sort indicators, as
illustrated by the screenshots
below:\r\n\r\n![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)\r\n\r\n![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)\r\n\r\nThe
default indicators are hidden in this PR as a workaround for an error
that occurs in `EuiDataGrid` when switching tabs when the column sort
indicators are enabled:\r\n\r\n```\r\nTypeError: Cannot read properties
of undefined (reading 'split')\r\n```\r\n\r\nTo re-enable the sort
indicators, `DEFAULT_ALERT_SUMMARY_SORT` and
`DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the
`sorting` prop to the `PreviewTab` in
`x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`,
as illustrated by the following code:\r\n\r\n```typescript\r\n
<PreviewTab\r\n dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}\r\n
embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}\r\n end={end}\r\n
filters={filters}\r\n
getLensAttributes={getAlertSummaryLensAttributes}\r\n
getPreviewEsqlQuery={getAlertSummaryEsqlQuery}\r\n
maxAlerts={maxAlerts}\r\n query={query}\r\n
setTableStackBy0={setAlertSummaryStackBy0}\r\n start={start}\r\n
sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort
indicator\r\n tableStackBy0={alertSummaryStackBy0}\r\n
/>\r\n```\r\n\r\n##### Selected date range not persisted\r\n\r\nThe
`start` and `end` date range selected when a user starts generation are
not (yet) persisted in Elasticsearch. As a result, the loading message
always displays the currently configured range, rather than the range
selected at the start of
generation.","sha":"681d40eee64316bea85d04077f918bd7121988b9"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Andrew Macri <[email protected]>
stratoula pushed a commit to stratoula/kibana that referenced this pull request Jan 2, 2025
## [Security Solution] [Attack discovery] Alerts filtering

![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)

This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizeable _Attack discovery settings flyout_, users may:

- Filter alerts via a search bar and filters
- Control the time window (previously fixed to `Last 24 hrs`)

### Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)

### After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)

It has two tabs, _Alert summary_ and _Alerts preview_.

### Alert summary

The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query:

![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

### Alerts preview

The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)

Users may resize the settings flyout to view all the fields in the Alerts preview.

### Feature flag

Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

Enabling the feature flag:

- Replaces the `Settings` modal with the `Attack discovery settings` flyout
- Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries
- Enables new loading messages

### Details

#### Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions:

![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)

2) Relative date ranges:

![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)

3) Absolute date ranges:

![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)

#### Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

```
elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start
```

Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults.

#### Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

#### Table cell hover actions are disabled

Table cell actions, i.e. `Filter for` and `Filter out` are disabled in the `Alert summary` and `Alerts preview` tables.

The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app.

##### Default table sort indicators are hidden

The `Alert summary` and `Alerts preview` tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries.

The tables _should_ display default sort indicators, as illustrated by the screenshots below:

![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)

![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)

The default indicators are hidden in this PR as a workaround for an  error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled:

```
TypeError: Cannot read properties of undefined (reading 'split')
```

To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code:

```typescript
  <PreviewTab
    dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
    embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
    end={end}
    filters={filters}
    getLensAttributes={getAlertSummaryLensAttributes}
    getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
    maxAlerts={maxAlerts}
    query={query}
    setTableStackBy0={setAlertSummaryStackBy0}
    start={start}
    sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
    tableStackBy0={alertSummaryStackBy0}
  />
```

##### Selected date range not persisted

The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.
benakansara pushed a commit to benakansara/kibana that referenced this pull request Jan 2, 2025
## [Security Solution] [Attack discovery] Alerts filtering

![00_alerts_filtering](https://github.com/user-attachments/assets/1a81413b-b8f4-4965-a006-25fb529668a6)

This PR enhances _Attack discovery_ by providing users additional control over which alerts are included as context to the large language model (LLM).

Using the new resizeable _Attack discovery settings flyout_, users may:

- Filter alerts via a search bar and filters
- Control the time window (previously fixed to `Last 24 hrs`)

### Before (feature flag disabled)

Previously, users could only set the number of alerts sent as context to the LLM via a modal:

![01_before_full_page](https://github.com/user-attachments/assets/65eaf604-3bdf-41bd-a726-f03ba5d630d5)

### After (feature flag enabled)

The new Attack discovery settings flyout replaces the modal:

![02_alert_summary_full_page](https://github.com/user-attachments/assets/613c292b-c6ec-4dc6-aea3-b2eddbacd614)

It has two tabs, _Alert summary_ and _Alerts preview_.

### Alert summary

The _Alert summary_ Lens embeddable counts the selected field name via an ES|QL query:

![03_alert_summary_cropped](https://github.com/user-attachments/assets/6f5de0e4-3da6-4937-a3cd-9a0f80df16b6)

The Alert summary query is an aggregation. It does NOT display the details of individual alerts.

### Alerts preview

The _Alerts preview_ Lens embeddable shows a preview of the actual alerts that will be sent as context via an ES|QL query:

![05_alerts_preview_cropped](https://github.com/user-attachments/assets/6db23931-3fe6-46d2-8b9a-6cc7a9d8720c)

Users may resize the settings flyout to view all the fields in the Alerts preview.

### Feature flag

Enable the `attackDiscoveryAlertFiltering` feature flag via the following setting in `kibana.dev.yml`:

```yaml
xpack.securitySolution.enableExperimental:
  - 'attackDiscoveryAlertFiltering'
```

Enabling the feature flag:

- Replaces the `Settings` modal with the `Attack discovery settings` flyout
- Includes additional `start`, `end`, and `filters` parameters in requests to generate Attack discoveries
- Enables new loading messages

### Details

#### Loading messages

The loading messages displayed when generating Attack discoveries were updated to render three types of date ranges:

1) The default date range (`Last 24 hours`), which displays the same message seen in previous versions:

![06_loading_default_date_range](https://github.com/user-attachments/assets/b376a87c-b4b8-42d8-bcbf-ddf79cc82800)

2) Relative date ranges:

![07_loading_relative_date_range](https://github.com/user-attachments/assets/d0b6bddd-7722-4181-a99c-7450d07a6624)

3) Absolute date ranges:

![08_loading_absolute_date_range](https://github.com/user-attachments/assets/a542a921-eeaa-4ced-9568-25e63a47d42d)

#### Filtering preferences

Alert filtering preferences are stored in local storage.

This PR adds the following new local storage keys:

```
elasticAssistantDefault.attackDiscovery.default.end
elasticAssistantDefault.attackDiscovery.default.filters
elasticAssistantDefault.attackDiscovery.default.query
elasticAssistantDefault.attackDiscovery.default.start
```

Users may use the `Reset` button in the Attack discovery settings flyout to restore the above to their defaults.

#### Known limitations

The following known limitations in this PR may be mitigated in follow-up PRs:

#### Table cell hover actions are disabled

Table cell actions, i.e. `Filter for` and `Filter out` are disabled in the `Alert summary` and `Alerts preview` tables.

The actions are disabled because custom cell hover actions registered in `x-pack/solutions/security/plugins/security_solution/public/app/actions/register.ts` do NOT appear to receive field metadata (i.e. the name of the field being hovered over) when the action is triggered. This limitation also appears to apply to ad hoc ES|QL visualizations created via Lens in Kibana's _Dashboard_ app.

##### Default table sort indicators are hidden

The `Alert summary` and `Alerts preview` tables are sorted descending by Count, and Risk score, respectively, via their ES|QL queries.

The tables _should_ display default sort indicators, as illustrated by the screenshots below:

![09_alert_summary_with_sort_indicator](https://github.com/user-attachments/assets/c4e78144-f516-40f8-b6da-7c8c808841c4)

![10_alerts_preview_with_sort_indicator](https://github.com/user-attachments/assets/c0061134-4734-462f-8eb0-978b2b02fb1e)

The default indicators are hidden in this PR as a workaround for an  error that occurs in `EuiDataGrid` when switching tabs when the column sort indicators are enabled:

```
TypeError: Cannot read properties of undefined (reading 'split')
```

To re-enable the sort indicators, `DEFAULT_ALERT_SUMMARY_SORT` and `DEFAULT_ALERTS_PREVIEW_SORT` must respectively be passed as the `sorting` prop to the `PreviewTab` in `x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alert_selection/helpers/get_tabs/index.tsx`, as illustrated by the following code:

```typescript
  <PreviewTab
    dataTestSubj={ALERT_SUMMARY_TEST_SUBJ}
    embeddableId={SUMMARY_TAB_EMBEDDABLE_ID}
    end={end}
    filters={filters}
    getLensAttributes={getAlertSummaryLensAttributes}
    getPreviewEsqlQuery={getAlertSummaryEsqlQuery}
    maxAlerts={maxAlerts}
    query={query}
    setTableStackBy0={setAlertSummaryStackBy0}
    start={start}
    sorting={DEFAULT_ALERT_SUMMARY_SORT} // <-- enables the sort indicator
    tableStackBy0={alertSummaryStackBy0}
  />
```

##### Selected date range not persisted

The `start` and `end` date range selected when a user starts generation are not (yet) persisted in Elasticsearch. As a result, the loading message always displays the currently configured range, rather than the range selected at the start of generation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:version Backport to applied version labels ci:cloud-deploy Create or update a Cloud deployment ci:cloud-persist-deployment Persist cloud deployment indefinitely release_note:enhancement Team:Security Generative AI Security Generative AI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants