[SecuritySolutions] Update risk score docs and add links to existing workflows#166741
machadoum wants to merge 1 commit into elastic:main from
c1eb20b to
0183038
Compare
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Pinging @elastic/security-solution (Team: SecuritySolution)
@elasticmachine merge upstream
@machadoum thanks for making these changes!
The risk scores on alerts flyout (old and new) do not have the "learn more about risk score" tooltip. It will be best to stay consistent if this is the new standard.
x-pack/plugins/security_solution/public/flyout/right/components/host_entity_overview.tsx
Outdated
x-pack/plugins/security_solution/public/flyout/right/components/user_entity_overview.tsx
Outdated
...ns/security_solution/public/detections/pages/alert_details/tabs/summary/host_panel/index.tsx
Outdated
...ns/security_solution/public/detections/pages/alert_details/tabs/summary/user_panel/index.tsx
Outdated
Hey @machadoum, the implementation looks fine, LGTM. Just found some UI inconsistencies we could confirm with PM and UX.
In host overview we have no information icon:
The contents in the tooltips are different:
In host risk table we have colour and risk level with a hover action
In alerts table, the host risk classification seems to have different behaviour:
We have host classification here but no hover action to filter by severity:
Hey Angela! Thank you for the attentive review. I created an issue for the reported UI inconsistencies and I will address them with Product and UX.
b1fdf18 to
f6ad671
Compare
@elasticmachine merge upstream
This is a great catch @angorayc, the tech preview tooltip exists in the old alerts flyout (to see old flyout, add an alert to timeline and expand alert details in timeline - see screenshot below). At the time, risk score showed tech preview badge in some places, and we weren't sure if the badge can be dropped. To maintain consistency, a similar tech preview was added in the new expandable alerts view. @machadoum appreciate you creating the ticket, let me know if you have any updates from product and UX :)
@machadoum an additional item to track if we create a follow-up GH issue along with these inconsistencies:
We use the term Please lmk if you need additional contexts. Thanks!
@SourinPaul @christineweng Here is the ticket for inconsistencies: #167143
@elasticmachine merge upstream
83f1218 to
c9773c3
Compare
@christineweng I updated all places where risk score fields are displayed to have the tooltip (except for tables). Could you please take a second look? I also extracted the tooltip content to a component so we can reuse it.
ef97478 to
bf6d618
Compare
christineweng
left a comment
LGTM 🚀 Thank you for making the changes!
nkhristinin
left a comment
Detection-engine changes look good to me, but I am confused by the text that we query "open" alerts, and I am not sure that it's true for new algo.
@rylnd do we have this filter for alerts?
3fc37ce to
04a600e
Compare
💔 Build Failed
To update your PR or re-run it, just comment with: cc @machadoum |
04a600e to
ad23238
Compare
The changes in this PR have widely diverged from the code-reviewed code. I am closing this PR and opening a new one that only contains the final changes.
…e in-app docs (#167638)

issue: #166717
original PR: #166741

## Summary

General
* Add the "How is risk score calculated?" button to the entity analytics dashboard and risk score tab on the Host/User page.
* ~Add risk score hover action to the user/host overview component.~ Add a tooltip with link to risk score external doc.
* Update risk score in-app doc
* Update the field name “classification” to “level” everywhere the risk score is displayed
* Update the “tech preview” label to “beta” everywhere the risk score is displayed
* Rename Learn More to "How is host/user risk score calculated?" and link to External Docs
* Add Beta tag to the settings page

EA Dashboard: (User and Host)
* Retain panel tooltip - Remove “Tech Preview”
* Learn more link -> In Product flyout
* Learn More (in Flyout) -> Add link to external docs page
* Remove the tooltip from *Risk Classification column

Alert Page -> Insights:
* Change Tooltip on *Classification field -> How is Risk Score Calculated link

Host/User Pages-> Risk Score Tab
* Retain panel tool-tip
* Add "How is Risk Score Calculated" similar to Dashboard
* Remove tooltip from "Risk Classification" column

Host/User Details:
* Change Tooltip on "Classification field -> How is Risk Score Calculated link
* Move score over time "learn more" link to the table header
* Don't show the dashboard link when risk engine is enabled.

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

issue: #166717
Summary
TODO
Checklist
Delete any items that are not applicable to this PR.