[Security Solution] [Endpoint] Add endpoint details activity log#99795
[Security Solution] [Endpoint] Add endpoint details activity log#99795ashokaditya merged 34 commits intoelastic:masterfrom ashokaditya:sec-team-1105/endpoint-details-activity-log
Conversation
this is work in progress with dummy data
x-pack/plugins/security_solution/common/endpoint/types/index.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/reducer.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
paul-tavares
left a comment
There was a problem hiding this comment.
Some feedback left. I did not check it out, but its looking good.
Just FYI - I'm also making changes to the endpoint details in support of Host Isolation, so you, me or both might encounter some merge conflicts
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/action.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/index.test.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/index.test.ts
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/middleware.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/selectors.ts
Outdated
Show resolved
Hide resolved
...urity_solution/public/management/pages/endpoint_hosts/view/details/endpoint_activity_log.tsx
Outdated
Show resolved
Hide resolved
...urity_solution/public/management/pages/endpoint_hosts/view/details/endpoint_activity_log.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/endpoint/routes/actions/audit_log.ts
Outdated
Show resolved
Hide resolved
| const esClient = context.core.elasticsearch.client.asCurrentUser; | ||
| let result; | ||
| try { | ||
| result = await esClient.search({ |
There was a problem hiding this comment.
This is a simple one, but if it get a bit more complicated we should consider moving the retrieval, status code validation of the result mapping to a service and leave the route handler as light as possible.
There was a problem hiding this comment.
I'm inclined to move it to a service already. Also cause I'm doing a bunch of refactoring already.
x-pack/plugins/security_solution/server/endpoint/routes/actions/audit_log_handler.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
in order to use it in endpoint_hosts as well as in trusted _apps review suggestion
review suggestion
review suggestion
|
@elasticmachine merge upstream |
|
merge conflict between base and head |
|
@elasticmachine merge upstream |
|
merge conflict between base and head |
this needs to be fleshed out in a later PR
pzl
left a comment
There was a problem hiding this comment.
This doesn't seem to include action-responses yet, is that going to be a different PR?
There was a problem hiding this comment.
can either leave this off this PR until we add the query definition, or at least add a comment saying this is for yet-to-come pagination query params
There was a problem hiding this comment.
getting a bit long. Can probably refactor ( ['...',].includes(value) is probably fine, or extract up if it makes sense)
There was a problem hiding this comment.
This doesn't seem to include action-responses yet, is that going to be a different PR?
Yes, I'll do that in the PR for the API that we discussed. Else the types were getting complex and hence more changes in this PR.
paul-tavares
left a comment
There was a problem hiding this comment.
Provided some comments and will wait to hear from you on them.
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/store/selectors.ts
Show resolved
Hide resolved
| if ( | ||
| value === 'policy_response' || | ||
| value === 'details' || | ||
| value === 'activity-log' || |
There was a problem hiding this comment.
perhaps it does not matter - but for the most part, we been using _ in values like this instead of -.
There was a problem hiding this comment.
Indeed. Let's keep it consistent with naming conventions. Snake case it is. 👍
| import { EuiAvatar, EuiComment, EuiText } from '@elastic/eui'; | ||
| import { Immutable, EndpointAction } from '../../../../../../../common/endpoint/types'; | ||
|
|
||
| export const TimelineEntry = memo( |
There was a problem hiding this comment.
Not for this PR.
The naming "timeline" might get confusing in our code based because we actually have an entire section of security solution named timeline. My suggestion would be to rename anything with timeline to a more specific name - like log_entry?
There was a problem hiding this comment.
That makes sense 👍 I'd change that.
|
|
||
| const StyledEuiTabbedContent = styled(EuiTabbedContent)` | ||
| overflow: hidden; | ||
| padding-bottom: 48px; |
There was a problem hiding this comment.
We should not be using hard coded px values (or colors), but rather grabbing these values from the theme variable that is available when you defined the value here as a code function in the string template. Example:
| padding-bottom: 48px; | |
| padding-bottom: {(props) => props.theme.eui.paddingSizes.xl}; |
In this case, it seems as if you need a padding value that might not exist. I would work with Bonnie to see if we can keep to defined sizes (xs, s, m, l, xl). If not then this might work (never tried it):
padding-bottom: calc( {(props) => props.theme.eui.paddingSizes.l} + {(props) => props.theme.eui.paddingSizes.l} );
styled components might also already provide some calc like functions - not sure.
There was a problem hiding this comment.
FYI - a while back I created this gist for my use in trying to understand what's available for use in the theme.eui:
https://gist.github.com/paul-tavares/303d718ac7f514d6ee681a3851407a7e
There was a problem hiding this comment.
I agree that hardcoded values are not maintainable. I'm quite sure this won't be needed when we refactor the tabs component to use the flyout#more-complicated-flyout component version. I'll change this to use the xl padding for now.
| <EuiComment | ||
| type={commentType} | ||
| username={endpointAction.user_id} | ||
| timestamp={moment(endpointAction['@timestamp']).fromNow().toString()} |
There was a problem hiding this comment.
We should be using our own relative date component -
Looks like timestamp prop accepts a ReactNode, so there should be no problem defining a component here
...urity_solution/public/management/pages/endpoint_hosts/view/details/endpoint_activity_log.tsx
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/management/pages/endpoint_hosts/view/details/index.tsx
Show resolved
Hide resolved
| import { FlyoutBodyNoTopPadding } from './components/flyout_body_no_top_padding'; | ||
| import { getEndpointListPath } from '../../../../common/routing'; | ||
|
|
||
| const contentLoadingMarkup = ( |
There was a problem hiding this comment.
Instead of a singleton, can you either convert this to a function (or Component) or defined inside of EndpointDetailsFlyout using useMemo().
Just not sure that we want to reuse the same JSX across multiple instances of EndpointDetailsFlyout
| }); | ||
| } | ||
| if (result?.statusCode !== 200) { | ||
| return res.customError({ |
There was a problem hiding this comment.
No need to use customError() - kibana takes care of 500 errors if you just throw.
Suggestion:
throw new Error(`Error fetching actions log for agent_id ${req.params.agent_id}`);Also, since this is a controlled failure and we're not returning anything about the actual error that happen in elasticsearch, you should log the error to kibana logs. You can get a logger instance from the endpoint context I think.
There was a problem hiding this comment.
Does Kibana take care of 4xx errors as well?
|
@elasticmachine merge upstream |
review changes
review change
review change
review changes
review changes
|
expected head sha didn’t match current head ref. |
|
@elasticmachine merge upstream |
paul-tavares
left a comment
There was a problem hiding this comment.
🔥 🔥 🔥
Left minor comments, but nothing that should hold this up. I'm good if you merge it. Great Job on this. Looks awesome.
| import { EndpointAction } from '../../../../../common/endpoint/types'; | ||
|
|
||
| export const mockActivityLogResponse = (agentId: string): EndpointAction[] => { | ||
| const activityLog: EndpointAction[] = [ |
There was a problem hiding this comment.
ℹ️ we also now have an Action generator, case that helps here in minimizing amount of mocks. See:
If you do end up using it, I would suggest you initialize the class instance with a seed (argument to the class constructor)
| export const FormattedDateAndTime: React.FC<{ date: Date }> = ({ date }) => { | ||
| export const FormattedDateAndTime: React.FC<{ date: Date; showRelativeTime?: boolean }> = ({ | ||
| date, | ||
| showRelativeTime = false, |
There was a problem hiding this comment.
Why add the new prop? do you want relative time to always be shown? if so, you might just want to use <FormattedRelativeTime> directly in your component. But if that is the case, I would also talk to Bonnie about that - always showing relative time (IMO) is not a good after the first 1h.
There was a problem hiding this comment.
Ah, I see what you mean. I guess I misunderstood you earlier. I assumed that we always want to show relative time. At least that's what it looked like in the mocks. This UX is still going to be worked on more in subsequent PRs. So we've time to make this slicker. 🙏
| const activityLog: EndpointAction[] = [ | ||
| { | ||
| action_id: `${agentId}-action_id`, | ||
| '@timestamp': new Date().toJSON(), |
There was a problem hiding this comment.
👏 did not know about the .toJSON() method of the Date class 👍
| defaultMessage: 'Could not find activity log for host', | ||
| }), | ||
| text: i18n.translate('xpack.securitySolution.endpoint.activityLog.errorBody', { | ||
| defaultMessage: 'Please exit the flyout and select another host with actions.', |
There was a problem hiding this comment.
ℹ️ Seems a bit weird to me that we're instructing the user to go find another host with actions. I don't think that is an activity that the user is normally doing across hosts (or is it? 🤔 😄 ). If they came to the actions log for the host it is because they are investigating this particular host.
cc/ @bfishel
There was a problem hiding this comment.
Indeed. This is going to be part of the empty state and the not-found details banner that we saw the other day. Not sure if we've nailed it down yet. So the idea is if we don't have a host then we also won't have host actions log.
Here's the link https://www.figma.com/file/BeTJy7bpHRPtHiNJtWU7Pj/OLM-7.12%2B?node-id=4476%3A0
review changes
|
@kibanamachine merge upstream |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
…stic#99795) * WIP add tabs for endpoint details * fetch activity log for endpoint this is work in progress with dummy data * refactor to hold host details and activity log within endpointDetails * api for fetching actions log * add a selector for getting selected agent id * use the new api to show actions log * review changes * move util function to common/utils in order to use it in endpoint_hosts as well as in trusted _apps review suggestion * use util function to get API path review suggestion * sync url params with details active tab review suggestion * fix types due to merge commit refs 3722552 * use AsyncResourseState type review suggestions * sort entries chronologically with recent at the top * adjust icon sizes within entries to match mocks * remove endpoint list paging stuff (not for now) * fix import after sync with master * make the search bar work (sort of) this needs to be fleshed out in a later PR * add tests to middleware for now * use snake case for naming routes review changes * rename and use own relative time function review change * use euiTheme tokens review change * add a comment review changes * log errors to kibana log and unwind stack review changes * use FleetActionGenerator for mocking data review changes Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
) (#101244) * WIP add tabs for endpoint details * fetch activity log for endpoint this is work in progress with dummy data * refactor to hold host details and activity log within endpointDetails * api for fetching actions log * add a selector for getting selected agent id * use the new api to show actions log * review changes * move util function to common/utils in order to use it in endpoint_hosts as well as in trusted _apps review suggestion * use util function to get API path review suggestion * sync url params with details active tab review suggestion * fix types due to merge commit refs 3722552 * use AsyncResourseState type review suggestions * sort entries chronologically with recent at the top * adjust icon sizes within entries to match mocks * remove endpoint list paging stuff (not for now) * fix import after sync with master * make the search bar work (sort of) this needs to be fleshed out in a later PR * add tests to middleware for now * use snake case for naming routes review changes * rename and use own relative time function review change * use euiTheme tokens review change * add a comment review changes * log errors to kibana log and unwind stack review changes * use FleetActionGenerator for mocking data review changes Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Ashokaditya <am.struktr@gmail.com>
add tabs for endpoint details
Summary
Checklist
Delete any items that are not applicable to this PR.
For maintainers