[Cloud Security] Added graph visualization in alert's flyout#196034
Merged
kfirpeled merged 45 commits intoelastic:mainfrom Oct 25, 2024
Merged
[Cloud Security] Added graph visualization in alert's flyout#196034kfirpeled merged 45 commits intoelastic:mainfrom
kfirpeled merged 45 commits intoelastic:mainfrom
Conversation
- Changed structure of nodes so measurement of node's height will include its label
kfirpeled
commented
Oct 13, 2024
| /** | ||
| * Enables graph visualization in alerts flyout | ||
| */ | ||
| graphVisualizationInFlyoutEnabled: false, |
Contributor
Author
There was a problem hiding this comment.
I'm open for better naming suggestions
Contributor
There was a problem hiding this comment.
@kfirpeled thank you for bringing it up. There is an advanced setting that enables the Visualize section, and it is referred to as visualizationInFlyoutEnabled. To avoid confusion on the flags, what do you think about making it more specific to alert graph, like alertGraphInFlyoutEnabled?
Contributor
Author
There was a problem hiding this comment.
I attached new videos to the PR's description, you can see now alert's preview and hosts having graph preview
kfirpeled
commented
Oct 13, 2024
...ecurity_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
Outdated
Show resolved
Hide resolved
PhilippeOberti
approved these changes
Oct 21, 2024
Contributor
PhilippeOberti
left a comment
There was a problem hiding this comment.
left some commented code to remove when you have the chance. Also I had a question regarding the automatic resizing of the text within the graph: is UIUX aware of this? When resizing the flyout the text goes sometimes very small (unreadable) and sometimes pretty big that it looks odd next to the rest of the flyout's content...
Screen.Recording.2024-10-21.at.10.36.52.AM.mov
Approving to not block merging this as the functionality is behind a feature flag. Thanks for making all the changes!
...ecurity_solution/public/flyout/document_details/right/components/graph_preview_container.tsx
Outdated
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
appreciate you adding the docs and examples!
.../plugins/security_solution/public/flyout/document_details/right/components/graph_preview.tsx
Outdated
Show resolved
Hide resolved
Contributor
Author
Thanks for catching this one @PhilippeOberti , I changed the default behaviour and the zoom is now set from 2 to 1.3 |
Contributor
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
async chunk count
ESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
|
Contributor
|
Starting backport for target branches: 8.x |
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 25, 2024
…#196034) ## Summary Enables a new experimental feature. To visualize an alert/event by a graph. When the alert/event does not contain the relevant data the graph preview will not be visible (confirmed by @tinnytintin10) To enable the feature through kibana's config: ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` <details> <summary>Event's graph visualization: 🎥 </summary> https://github.com/user-attachments/assets/4cee2032-173e-4b44-b371-a8e187763764 </details> <details> <summary>Alert's graph visualization: 🎥 </summary> https://github.com/user-attachments/assets/4fb942d0-6704-4c79-862c-956821ce59b6 </details> <details> <summary>Alert in rule preview: 🎥 </summary> https://github.com/user-attachments/assets/4f8d086e-1ee4-414f-8efa-4715c1d5e1f6 </details> **List of TODO's** - Add FTR test to host's flyout - Add FTR test to alerts preview - Enhance graph_preview_container UT to cover all edge cases - Enhance visualization_section UT to cover all edge cases **List of open issues (will be tracked in a different ticket):** - Graph preview search on the past 60 days, which can lead to an empty graph - API should return 404 when the feature is not enabled - ~Empty state message~ Not showing the graph preview instead. **How to test:** First, enable the feature, add to `config/kibana.dev.yml`: ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` Second, load mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 3. Open the alerts flyout 4. Scroll to see the graph visualization : D ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit b4a80d8)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 25, 2024
…ut (#196034) (#197837) # Backport This will backport the following commits from `main` to `8.x`: - [[Cloud Security] Added graph visualization in alert's flyout (#196034)](#196034) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Kfir Peled","email":"61654899+kfirpeled@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-10-25T14:30:15Z","message":"[Cloud Security] Added graph visualization in alert's flyout (#196034)\n\n## Summary\r\n\r\nEnables a new experimental feature. To visualize an alert/event by a\r\ngraph.\r\n\r\nWhen the alert/event does not contain the relevant data the graph\r\npreview will not be visible (confirmed by @tinnytintin10)\r\n\r\nTo enable the feature through kibana's config:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n<details>\r\n<summary>Event's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4cee2032-173e-4b44-b371-a8e187763764\r\n\r\n</details>\r\n\r\n\r\n<details>\r\n<summary>Alert's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4fb942d0-6704-4c79-862c-956821ce59b6\r\n\r\n</details>\r\n\r\n<details>\r\n<summary>Alert in rule preview: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4f8d086e-1ee4-414f-8efa-4715c1d5e1f6\r\n\r\n</details>\r\n\r\n**List of TODO's**\r\n- Add FTR test to host's flyout\r\n- Add FTR test to alerts preview\r\n- Enhance graph_preview_container UT to cover all edge cases\r\n- Enhance visualization_section UT to cover all edge cases\r\n\r\n**List of open issues (will be tracked in a different ticket):**\r\n\r\n- Graph preview search on the past 60 days, which can lead to an empty\r\ngraph\r\n- API should return 404 when the feature is not enabled\r\n- ~Empty state message~ Not showing the graph preview instead.\r\n\r\n**How to test:**\r\n\r\nFirst, enable the feature, add to `config/kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\nSecond, load mocked data\r\n\r\n```bash\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n1. Go to the alerts page\r\n2. Change the query time range to show alerts from the 13th of October\r\n2024\r\n3. Open the alerts flyout\r\n4. Scroll to see the graph visualization : D\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n- [x] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"b4a80d8d506dd474b4dfb599fc123cb612a5d79b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","backport:prev-minor"],"title":"[Cloud Security] Added graph visualization in alert's flyout","number":196034,"url":"https://github.com/elastic/kibana/pull/196034","mergeCommit":{"message":"[Cloud Security] Added graph visualization in alert's flyout (#196034)\n\n## Summary\r\n\r\nEnables a new experimental feature. To visualize an alert/event by a\r\ngraph.\r\n\r\nWhen the alert/event does not contain the relevant data the graph\r\npreview will not be visible (confirmed by @tinnytintin10)\r\n\r\nTo enable the feature through kibana's config:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n<details>\r\n<summary>Event's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4cee2032-173e-4b44-b371-a8e187763764\r\n\r\n</details>\r\n\r\n\r\n<details>\r\n<summary>Alert's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4fb942d0-6704-4c79-862c-956821ce59b6\r\n\r\n</details>\r\n\r\n<details>\r\n<summary>Alert in rule preview: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4f8d086e-1ee4-414f-8efa-4715c1d5e1f6\r\n\r\n</details>\r\n\r\n**List of TODO's**\r\n- Add FTR test to host's flyout\r\n- Add FTR test to alerts preview\r\n- Enhance graph_preview_container UT to cover all edge cases\r\n- Enhance visualization_section UT to cover all edge cases\r\n\r\n**List of open issues (will be tracked in a different ticket):**\r\n\r\n- Graph preview search on the past 60 days, which can lead to an empty\r\ngraph\r\n- API should return 404 when the feature is not enabled\r\n- ~Empty state message~ Not showing the graph preview instead.\r\n\r\n**How to test:**\r\n\r\nFirst, enable the feature, add to `config/kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\nSecond, load mocked data\r\n\r\n```bash\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n1. Go to the alerts page\r\n2. Change the query time range to show alerts from the 13th of October\r\n2024\r\n3. Open the alerts flyout\r\n4. Scroll to see the graph visualization : D\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n- [x] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"b4a80d8d506dd474b4dfb599fc123cb612a5d79b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196034","number":196034,"mergeCommit":{"message":"[Cloud Security] Added graph visualization in alert's flyout (#196034)\n\n## Summary\r\n\r\nEnables a new experimental feature. To visualize an alert/event by a\r\ngraph.\r\n\r\nWhen the alert/event does not contain the relevant data the graph\r\npreview will not be visible (confirmed by @tinnytintin10)\r\n\r\nTo enable the feature through kibana's config:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n<details>\r\n<summary>Event's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4cee2032-173e-4b44-b371-a8e187763764\r\n\r\n</details>\r\n\r\n\r\n<details>\r\n<summary>Alert's graph visualization: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4fb942d0-6704-4c79-862c-956821ce59b6\r\n\r\n</details>\r\n\r\n<details>\r\n<summary>Alert in rule preview: 🎥 </summary>\r\n\r\n\r\nhttps://github.com/user-attachments/assets/4f8d086e-1ee4-414f-8efa-4715c1d5e1f6\r\n\r\n</details>\r\n\r\n**List of TODO's**\r\n- Add FTR test to host's flyout\r\n- Add FTR test to alerts preview\r\n- Enhance graph_preview_container UT to cover all edge cases\r\n- Enhance visualization_section UT to cover all edge cases\r\n\r\n**List of open issues (will be tracked in a different ticket):**\r\n\r\n- Graph preview search on the past 60 days, which can lead to an empty\r\ngraph\r\n- API should return 404 when the feature is not enabled\r\n- ~Empty state message~ Not showing the graph preview instead.\r\n\r\n**How to test:**\r\n\r\nFirst, enable the feature, add to `config/kibana.dev.yml`:\r\n\r\n```yaml\r\nxpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\nSecond, load mocked data\r\n\r\n```bash\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n --kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n1. Go to the alerts page\r\n2. Change the query time range to show alerts from the 13th of October\r\n2024\r\n3. Open the alerts flyout\r\n4. Scroll to see the graph visualization : D\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] [Flaky Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\r\nused on any tests changed\r\n- [x] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"b4a80d8d506dd474b4dfb599fc123cb612a5d79b"}}]}] BACKPORT--> Co-authored-by: Kfir Peled <61654899+kfirpeled@users.noreply.github.com>
This was referenced Nov 5, 2024
kfirpeled
added a commit
that referenced
this pull request
Nov 11, 2024
## Summary
Enhances the graph API to support filtering by bool query.
Graph API is an internal API that hasn't been released yet to ESS, and
is not available yet on serverless (behind a feature-flag in
kibana.config) due to the above I don't consider it a breaking change.
Previous API request body:
```js
query: schema.object({
actorIds: schema.arrayOf(schema.string()),
eventIds: schema.arrayOf(schema.string()),
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
```
New API request body:
```js
nodesLimit: schema.maybe(schema.number()), // Maximum number of nodes in the graph (currently the graph doesn't handle very well graph with over 100 nodes)
showUnknownTarget: schema.maybe(schema.boolean()), // Whether or not to return events that miss target.entity.id
query: schema.object({
eventIds: schema.arrayOf(schema.string()), // Event ids that triggered the alert, would be marked in red
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
esQuery: schema.maybe( // elasticsearch's dsl bool query
schema.object({
bool: schema.object({
filter: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
should: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must_not: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
}),
})
```
New field to the graph API response (pseudo):
```js
messages?: ApiMessageCode[]
enum ApiMessageCode {
ReachedNodesLimit = 'REACHED_NODES_LIMIT',
}
```
### How to test
Toggle feature flag in kibana.dev.yml
```yaml
xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']
```
To test through the UI you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
1. Go to the alerts page
2. Change the query time range to show alerts from the 13th of October
2024 (**IMPORTANT**)
3. Open the alerts flyout
5. Scroll to see the graph visualization : D
To test **only** the API you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_api/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
And through dev tools:
```
POST kbn:/internal/cloud_security_posture/graph?apiVersion=1
{
"query": {
"eventIds": [],
"start": "now-1y/y",
"end": "now/d",
"esQuery": {
"bool": {
"filter": [
{
"match_phrase": {
"actor.entity.id": "admin@example.com"
}
}
]
}
}
}
}
```
### Related PRs
- #196034
- #195307
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2024
## Summary
Enhances the graph API to support filtering by bool query.
Graph API is an internal API that hasn't been released yet to ESS, and
is not available yet on serverless (behind a feature-flag in
kibana.config) due to the above I don't consider it a breaking change.
Previous API request body:
```js
query: schema.object({
actorIds: schema.arrayOf(schema.string()),
eventIds: schema.arrayOf(schema.string()),
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
```
New API request body:
```js
nodesLimit: schema.maybe(schema.number()), // Maximum number of nodes in the graph (currently the graph doesn't handle very well graph with over 100 nodes)
showUnknownTarget: schema.maybe(schema.boolean()), // Whether or not to return events that miss target.entity.id
query: schema.object({
eventIds: schema.arrayOf(schema.string()), // Event ids that triggered the alert, would be marked in red
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
esQuery: schema.maybe( // elasticsearch's dsl bool query
schema.object({
bool: schema.object({
filter: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
should: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must_not: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
}),
})
```
New field to the graph API response (pseudo):
```js
messages?: ApiMessageCode[]
enum ApiMessageCode {
ReachedNodesLimit = 'REACHED_NODES_LIMIT',
}
```
### How to test
Toggle feature flag in kibana.dev.yml
```yaml
xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']
```
To test through the UI you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
1. Go to the alerts page
2. Change the query time range to show alerts from the 13th of October
2024 (**IMPORTANT**)
3. Open the alerts flyout
5. Scroll to see the graph visualization : D
To test **only** the API you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_api/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
And through dev tools:
```
POST kbn:/internal/cloud_security_posture/graph?apiVersion=1
{
"query": {
"eventIds": [],
"start": "now-1y/y",
"end": "now/d",
"esQuery": {
"bool": {
"filter": [
{
"match_phrase": {
"actor.entity.id": "admin@example.com"
}
}
]
}
}
}
}
```
### Related PRs
- elastic#196034
- elastic#195307
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 160e626)
4 tasks
kfirpeled
added a commit
that referenced
this pull request
Nov 12, 2024
## Summary Added popover support to the graph component. In order to scale the rendering component of nodes, we prefer not to add popover per node but to manage a single popover for each use-case. In the popover stories you can see an example of two different popovers being triggered by different buttons on the node. <details> <summary>Popover support 📹 </summary> https://github.com/user-attachments/assets/cb5bc2ce-037a-4f9b-b71a-f95a9362dde0 </details> <details> <summary>Dark mode support 📹 </summary> https://github.com/user-attachments/assets/a55f2a88-ed07-40e2-9404-30a2042bf4fc </details> ### How to test To test this PR you can run ``` yarn storybook cloud_security_posture_packages ``` And to test the alerts flyout (for regression test): Toggle feature flag in kibana.dev.yml ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` Load mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 (**IMPORTANT**) 3. Open the alerts flyout 5. Scroll to see the graph visualization : D ### Related PRs - #196034 - #195307 ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 12, 2024
…99053) ## Summary Added popover support to the graph component. In order to scale the rendering component of nodes, we prefer not to add popover per node but to manage a single popover for each use-case. In the popover stories you can see an example of two different popovers being triggered by different buttons on the node. <details> <summary>Popover support 📹 </summary> https://github.com/user-attachments/assets/cb5bc2ce-037a-4f9b-b71a-f95a9362dde0 </details> <details> <summary>Dark mode support 📹 </summary> https://github.com/user-attachments/assets/a55f2a88-ed07-40e2-9404-30a2042bf4fc </details> ### How to test To test this PR you can run ``` yarn storybook cloud_security_posture_packages ``` And to test the alerts flyout (for regression test): Toggle feature flag in kibana.dev.yml ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` Load mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 (**IMPORTANT**) 3. Open the alerts flyout 5. Scroll to see the graph visualization : D ### Related PRs - elastic#196034 - elastic#195307 ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) (cherry picked from commit f3de593)
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
…99053) ## Summary Added popover support to the graph component. In order to scale the rendering component of nodes, we prefer not to add popover per node but to manage a single popover for each use-case. In the popover stories you can see an example of two different popovers being triggered by different buttons on the node. <details> <summary>Popover support 📹 </summary> https://github.com/user-attachments/assets/cb5bc2ce-037a-4f9b-b71a-f95a9362dde0 </details> <details> <summary>Dark mode support 📹 </summary> https://github.com/user-attachments/assets/a55f2a88-ed07-40e2-9404-30a2042bf4fc </details> ### How to test To test this PR you can run ``` yarn storybook cloud_security_posture_packages ``` And to test the alerts flyout (for regression test): Toggle feature flag in kibana.dev.yml ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` Load mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 (**IMPORTANT**) 3. Open the alerts flyout 5. Scroll to see the graph visualization : D ### Related PRs - elastic#196034 - elastic#195307 ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
## Summary
Enhances the graph API to support filtering by bool query.
Graph API is an internal API that hasn't been released yet to ESS, and
is not available yet on serverless (behind a feature-flag in
kibana.config) due to the above I don't consider it a breaking change.
Previous API request body:
```js
query: schema.object({
actorIds: schema.arrayOf(schema.string()),
eventIds: schema.arrayOf(schema.string()),
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
```
New API request body:
```js
nodesLimit: schema.maybe(schema.number()), // Maximum number of nodes in the graph (currently the graph doesn't handle very well graph with over 100 nodes)
showUnknownTarget: schema.maybe(schema.boolean()), // Whether or not to return events that miss target.entity.id
query: schema.object({
eventIds: schema.arrayOf(schema.string()), // Event ids that triggered the alert, would be marked in red
// TODO: use zod for range validation instead of config schema
start: schema.oneOf([schema.number(), schema.string()]),
end: schema.oneOf([schema.number(), schema.string()]),
esQuery: schema.maybe( // elasticsearch's dsl bool query
schema.object({
bool: schema.object({
filter: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
should: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
must_not: schema.maybe(schema.arrayOf(schema.object({}, { unknowns: 'allow' }))),
}),
})
```
New field to the graph API response (pseudo):
```js
messages?: ApiMessageCode[]
enum ApiMessageCode {
ReachedNodesLimit = 'REACHED_NODES_LIMIT',
}
```
### How to test
Toggle feature flag in kibana.dev.yml
```yaml
xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled']
```
To test through the UI you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
1. Go to the alerts page
2. Change the query time range to show alerts from the 13th of October
2024 (**IMPORTANT**)
3. Open the alerts flyout
5. Scroll to see the graph visualization : D
To test **only** the API you can use the mocked data
```bash
node scripts/es_archiver load x-pack/test/cloud_security_posture_api/es_archives/logs_gcp_audit \
--es-url http://elastic:changeme@localhost:9200 \
--kibana-url http://elastic:changeme@localhost:5601
```
And through dev tools:
```
POST kbn:/internal/cloud_security_posture/graph?apiVersion=1
{
"query": {
"eventIds": [],
"start": "now-1y/y",
"end": "now/d",
"esQuery": {
"bool": {
"filter": [
{
"match_phrase": {
"actor.entity.id": "admin@example.com"
}
}
]
}
}
}
}
```
### Related PRs
- elastic#196034
- elastic#195307
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Nov 18, 2024
…99053) ## Summary Added popover support to the graph component. In order to scale the rendering component of nodes, we prefer not to add popover per node but to manage a single popover for each use-case. In the popover stories you can see an example of two different popovers being triggered by different buttons on the node. <details> <summary>Popover support 📹 </summary> https://github.com/user-attachments/assets/cb5bc2ce-037a-4f9b-b71a-f95a9362dde0 </details> <details> <summary>Dark mode support 📹 </summary> https://github.com/user-attachments/assets/a55f2a88-ed07-40e2-9404-30a2042bf4fc </details> ### How to test To test this PR you can run ``` yarn storybook cloud_security_posture_packages ``` And to test the alerts flyout (for regression test): Toggle feature flag in kibana.dev.yml ```yaml xpack.securitySolution.enableExperimental: ['graphVisualizationInFlyoutEnabled'] ``` Load mocked data ```bash node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 ``` 1. Go to the alerts page 2. Change the query time range to show alerts from the 13th of October 2024 (**IMPORTANT**) 3. Open the alerts flyout 5. Scroll to see the graph visualization : D ### Related PRs - elastic#196034 - elastic#195307 ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Enables a new experimental feature. To visualize an alert/event by a graph.
When the alert/event does not contain the relevant data the graph preview will not be visible (confirmed by @tinnytintin10)
To enable the feature through kibana's config:
Event's graph visualization: 🎥
Screen.Recording.2024-10-16.at.10.40.15.mov
Alert's graph visualization: 🎥
Screen.Recording.2024-10-13.at.22.40.48.mov
Alert in rule preview: 🎥
Screen.Recording.2024-10-16.at.10.45.10.mov
List of TODO's
List of open issues (will be tracked in a different ticket):
Empty state messageNot showing the graph preview instead.How to test:
First, enable the feature, add to
config/kibana.dev.yml:Second, load mocked data
node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601 node scripts/es_archiver load x-pack/test/cloud_security_posture_functional/es_archives/security_alerts \ --es-url http://elastic:changeme@localhost:9200 \ --kibana-url http://elastic:changeme@localhost:5601Checklist
Delete any items that are not applicable to this PR.