[Security Solution] refactor alerts page

[PhilippeOberti]

Context

This PR aims at breaking down the very complex detection_engine.tsx file responsible for the rendering of the alerts page. Back in 2021, we wrote this comment at the top of the file, so this refactor is long overdue!

// No bueno, I know! Encountered when reverting RBAC work post initial BCs
// Don't want to include large amounts of refactor in this temporary workaround
// TODO: Refactor code - component can be broken apart

Warning

Yes the PR is bigger than I hoped, but there are so many pieces of the page that are related to each other, than as soon as I started extracting some code it was a snowball effect and every part of the page got impacted. Also, a lot of the lines added are unit tests that didn't exist before.

Note

• As you can see, apart from a couple of data-test-subj value changed, none of the Cypress tests have been modified, which should give confidence in the fact that the refactor didn't introduce any drastic UI or behavior changes.
• While there are nearly exactly 1000 lines added by this PR, these are primarily Jest tests, which we were awfully lacking before.
• The folder and file structure follows what was done for the AI4DSOC effort. Codeowners have been updated accordingly. Under the folders (components, hooks...) within the detections folder, we now have an alerts folder living next to the already existing alert_summary folder.\

Summary

Like mentioned above, this PR breaks down the alerts page code in many small components:

• this allows for much easier testing of each section of the page.
• it also allows us to render different sections only when they need to be rendered.

Note

Apart from the loading screen (which I'll explain below), the page structure or UI has not been impacted by this PR!

The page is now broken down in the following files:

• the most top level (detections/pages/alerts/alerts.tsx) only takes care of showing the multiple error messages and callouts (see screenshots below)
• the second level (detections/components/alerts/wrapper.tsx) makes sure to have a valid dataView before rendering the actual content of the page. While the dataView is being retrieved, we show a loading skeleton mimicking the layout of the alerts page (see the screenshot below)
• the third and last level renders the actual content. It is now divided into multiple sections:
  • search section: renders the global kql bar
  • header section: renders the title and the assignee and manage rules buttons
  • filter section: renders the page filters
  • kpi section: renders the KPI graphs
  • table section: renders the grouped alerts table

Note

Very little to no application code was modified. Most of the work consisted of moving code around, cleaning up when obvious and/or necessary, changing component and variable names...

Different states of the alerts page

Tip

This PR introduces 2 different levels of loading states.
This first state already existed prior to this PR, but we're introducing a second one while dataView is being fetched that renders a nice skeleton of the alerts page.

Expand to see screenshots

First loading screen appears while user and privilege data

Second loading screen appears while we fetch the dataView information that will be used on the page

Tip

This PR separates and cleans the code for the error states, but the UI and UX remains unchanged.

Expand to see screenshots

If the user isn't authenticated, we show an error message

If the user does not have the correct permissions, we show an error message

If the user does not have the correct privileges, we show an error message

Tip

This PR separates and cleans the code for the different callouts, but the UI and UX remains unchanged.

Expand to see screenshots

If the user is missing the api integration key, we show this callout at the top of the page

Depending on the user's role and index privileges, we might show the following callout at the top of the page

Depending on the user's index and feature privileges, we might show the following callout at the top of the page

How to test

As almost no UIUX should be introduced by this PR (outside of loading states), the best way to test this PR is to do smoke testing of the alerts page. All the interactions between the different components on that page should behave EXACTLY the same as they are today. The Cypress tests have not been modified (outside of dataTestSubj name changes), which should provide confidence in the changes.

Files by Code Owner

Expand to see files by code owner

elastic/kibana-cases

• x-pack/solutions/security/plugins/security_solution/public/cases/pages/index.tsx

elastic/kibana-localization

• x-pack/platform/plugins/private/translations/translations/de-DE.json
• x-pack/platform/plugins/private/translations/translations/fr-FR.json
• x-pack/platform/plugins/private/translations/translations/ja-JP.json
• x-pack/platform/plugins/private/translations/translations/zh-CN.json

elastic/security-defend-workflows

• x-pack/platform/plugins/shared/osquery/cypress/tasks/login.ts
• x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/e2e.ts
• x-pack/solutions/security/test/security_solution_endpoint/apps/endpoint/endpoint_permissions.ts

elastic/security-detection-rule-management

• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/pages/add_rules/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/pages/rule_management/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/comma_separated_values.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/missing_privileges_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/missing_privileges_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_rules_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_rules_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_key_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_key_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alerts/use_missing_privileges.ts

elastic/security-engineering-productivity

• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/ml/ml_conditional_links.cy.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/urls/state.cy.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/investigations/alerts/page_filters/kqlbar_interactions.cy.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/screens/alerts.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/screens/security_header.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/security_header.ts

elastic/security-entity-analytics

• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/missing_privileges_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/risk_engine_privileges_callout/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/top_risk_score_contributors_alerts/index.tsx
• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/ml/ml_conditional_links.cy.ts

elastic/security-generative-ai

• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alerts_preview/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alerts_preview/index.tsx

elastic/security-solution

• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/attack_discovery_panel/tabs/alerts_tab/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alerts_preview/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/settings_flyout/alerts_preview/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/cases/pages/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_details_ui/pages/rule_details/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/pages/add_rules/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/pages/rule_management/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alert_summary/wrapper.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/content.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/content.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/empty_pages/no_index_empty_page.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/empty_pages/no_index_empty_page.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/empty_pages/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/empty_pages/user_unauthenticated_empty_page.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/empty_pages/user_unauthenticated_empty_page.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/filters/filters_section.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/filters/filters_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/filters/page_filters.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/filters/page_filters.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/header/header_section.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/header/header_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/kpis/kpis_section.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/kpis/kpis_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/search_bar/search_bar_section.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/search_bar/search_bar_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/table/table_section.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/table/table_section.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/wrapper.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts/wrapper.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/alerts_grouping.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/comma_separated_values.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/missing_privileges_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/missing_privileges_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_callout/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_rules_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/need_admin_for_update_rules_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_callout/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_key_callout.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/no_api_integration_key_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alerts/use_missing_privileges.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alerts/use_missing_privileges.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alert_details_redirect.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alerts.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alerts.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_no_index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_no_index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_user_unauthenticated.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_user_unauthenticated.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/missing_privileges_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/risk_engine_privileges_callout/translations.tsx
• x-pack/solutions/security/plugins/security_solution/public/entity_analytics/components/top_risk_score_contributors_alerts/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/e2e.ts
• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/missing_privileges_callout.tsx
• x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/body/constants.ts

elastic/security-threat-hunting

• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/pages/missing_privileges_callout.tsx

elastic/security-threat-hunting-investigations

• x-pack/solutions/security/plugins/security_solution/public/cases/pages/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alert_summary/wrapper.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/alerts_grouping.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alert_details_redirect.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alerts.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/alerts.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_no_index.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_no_index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_user_unauthenticated.test.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine_user_unauthenticated.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/index.tsx
• x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/translations.ts
• x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/body/constants.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/explore/urls/state.cy.ts
• x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/investigations/alerts/page_filters/kqlbar_interactions.cy.ts

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

#232914

[hop-dev]

Great work! 🚀

[NicholasPeretti]

Great job! Thank you for finding the time to refactor this code 🎉

[NicholasPeretti]

Very nice and readable! Great job! ☺️

[maximpn]

@PhilippeOberti Well done with this refactoring 🎉

It's a pleasure seeing functionality split in smaller components placed in separate files. It's much easier to navigate through the code and reason about the functionality.

I've smoke tested the alerts table mostly on the rule's details page and haven't found any issues. Filtering, table interaction, KQL query for filtering and actions on the alerts work as expected.

There are non-critical comments so I approve the PR and trust you to address my comments accordingly. Code ownership related one is the most important.

Interesting that checking File filter -> Only files owned by you I see almost the same diff though CODEOWNERS file doesn't have Rule Management assigned to these files 😅

[maximpn]

nit: There is a simple trick on how to provide component's name for debug purposes and use React.memo in a single line

export const AlertsPageContent = memo(function AlertsPageContent({
  dataView,
  oldSourcererDataViewSpec,
  runtimeMappings,
}: AlertsPageContentProps): JSX.Element {
 ...
});

It's applicable here and for the other components.

[PhilippeOberti]

While I agree, I'd like to keep it as it is now for consistency with pretty much all the other components we have in the detections folder :)

[maximpn]

nit: Functions in JS/TS are first class citizen so may be passed as parameters to the other functions which is actively used in functional programming. So useMemo could be simplified to

const getTable = useMemo(dataTableSelectors.getTableByIdSelector, []);

There are multiple spots in the PR diff where this comment is applicable.

[PhilippeOberti]

hmmm 🤔 when I try this WebStorm is throwing an eslint error:
ESLint: React Hook useMemo received a function whose dependencies are unknown. Pass an inline function instead. (react-hooks/exhaustive-deps)

[maximpn]

Is there a plan to replace styled components with emotion later on?

[PhilippeOberti]

Definitely! I've actually had this PR that you reviewed open for too long 😆 .
Once this one is merged I'll revive the other one and get it over the finish line!

[maximpn]

Sometimes lists index creation may fail due to legit failure reasons leading to failed tests. In case on transient errors tests depending on the lists index existence could be flaky. However, troubleshooting such flaky tests is tricky and overcomplicated by failOnStatusCode: false since it requires to look at the wider area of the code.

The ideal approach would be having logging based on the response code and exit with an error when unexpected HTTP response code is returned. Mostly we could expect HTTP 200 and 409 (or some other 4xx HTTP error code designating the lists index already exists). But HTTP 500 isn't expected here and should lead to immediate test failure.

It's worth to mention that Cypress logs aren't visible in CI but we have been working on making them available in the scope of #229688. So there is nothing bad in having verbose logging.

[PhilippeOberti]

Honestly I copied this from our Security Solution Cypress setup... I spent many hours trying to fix the OSQuery Cypress tests without success.
For some reason, some OSQuery Cypress tests navigate first to the alerts page right after logging in, then they navigate to the page that the test is actually testing. With the refactor I did, those tests were basically stuck in an infinite loop refresh the page, over and over again... I"m not sure why the Cypress setup is different from ours in Security Solution, but i saw a 404 on the list/index api, which triggered the loop. In our Cypress tests the same call just returns 200...

I just copied the code over as it's been running fine for us for many years... 😆

[maximpn]

Should we have an early exit here to avoid nested if?

[PhilippeOberti]

Good catch, done!

[maximpn]

It doesn't look like need_admin_for_update_rules_callout.tsx belongs to this folder. It's mostly used in Rule Management components and reused on Alerts table. The proper location would be x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/callouts (callouts subfolder doesn't exit but it could be created). The same for missing_privileges_callout.tsx.

After need_admin_for_update_rules_callout.tsx and missing_privileges_callout.tsx are moved out of x-pack/solutions/security/plugins/security_solution/public/detections/components/callouts Rule Management team could be removed from the code owners for the callouts folder under detections.

[PhilippeOberti]

Good point, I originally didn't want to do too many changes as the PR is already big enough, but I'll take care of it now!

[PhilippeOberti]

I moved the 2 components as well as the related hook, translations to the rule_management folder!

[PhilippeOberti]

OK slight change of plans. While moving the files it added a new codeowners to the PR. It's ready to go so I just reverted the changes after shelving them locally, so I can do those in a separate PR :)

[PhilippeOberti]

@maximpn just FYI I have a draft PR up for that change, I'll ping you when ready to review. I'm close.

[PhilippeOberti]

@maximpn as promised, the PR to moves the files around and update the CODEOWNERS file is up and ready for review!

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 68bdbf0

Failed CI Steps

• FTR Configs #85

Test Failures

• [job] [logs] FTR Configs #85 / Observability AI Assistant Functional tests knowledge_base_management/index.spec.ts Knowledge management tab Bulk import knowledge base entries successfully imports multiple entries from a NDJSON file

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	7952	7958	+6

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	10.3MB	10.3MB	+2.5KB

Count of Enzyme imports

Enzyme is no longer supported, and we should switch to @testing-library/react instead.

id	before	after	diff
securitySolution	188	184	-4

Unknown metric groups

References to deprecated APIs

id	before	after	diff
securitySolution	384	383	-1

History

• 💛 Build #333492 was flaky 31fd9b9