[Security Solution][Detections] Rule execution logging overhaul follow-up #124194
Conversation
banderror
added
refactoring
technical debt
banderror
force-pushed
the
rule-execution-logging-overhaul-follow-up
branch
2 times, most recently
from
7996a79
to
d2f73fc
Compare
banderror
force-pushed
the
rule-execution-logging-overhaul-follow-up
branch
from
d2f73fc
to
773ee38
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Came across an app crash in initial testing when visiting a Rule Details page for an
And non-minified stacktrace -- looks like we're not short circuiting soon enough and trying to fill in the severityMappings with an empty mapping. Must be an underlying type issue lingering in there?
Just verified this exists on the |
x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts
Show resolved
Hide resolved
| export const getStatusText = (value: RuleExecutionStatus | null | undefined): string | null => { | ||
| if (value == null) { | ||
| return null; | ||
| } | ||
| if (value === RuleExecutionStatus['partial failure']) { | ||
| return 'warning'; | ||
| } | ||
| return value; | ||
| }; |
There was a problem hiding this comment.
Clearer name, and easier to immediately grok without the nested ternary (same with getStatusColor), thanks you! 🎉
| @@ -109,3 +109,10 @@ export const RELOAD_MISSING_PREPACKAGED_RULES_AND_TIMELINES = ( | |||
| 'Install {missingRules} Elastic prebuilt {missingRules, plural, =1 {rule} other {rules}} and {missingTimelines} Elastic prebuilt {missingTimelines, plural, =1 {timeline} other {timelines}} ', | |||
| } | |||
| ); | |||
|
|
|||
| export const RULE_EXECUTION_EVENTS_FETCH_FAILURE = i18n.translate( | |||
| 'xpack.securitySolution.containers.detectionEngine.ruleExecutionEventsFetchFailDescription', | |||
There was a problem hiding this comment.
Slightly different keys than in my branch -- I'll be sure to run scripts/i18n_check.js --fix once we merge so there aren't any leftover unused keys. 👍
| export const useRuleExecutionEvents = (ruleId: string) => { | ||
| const { addError } = useAppToasts(); | ||
|
|
||
| return useQuery( | ||
| 'ruleExecutionEvents', | ||
| ['ruleExecutionEvents', ruleId], |
|
In testing saw an issue where the alerts table loader would stay present on
|
| @@ -118,7 +118,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper = | |||
| let wroteWarningStatus = false; | |||
|
|
|||
| await ruleExecutionLogger.logStatusChange({ | |||
| newStatus: RuleExecutionStatus['going to run'], | |||
| newStatus: RuleExecutionStatus.running, | |||
There was a problem hiding this comment.
I'm wondering if it's even necessary to write a running status change event from security (to event-log at least). By and large the execute-start event is going to represent the same and even contain additional data (schedule datetime, and so schedule delay as well). We would still need to write to the executionSO for latest status on the Rules/Monitoring tables.
Is there some case where going to run captures a unique series of events that execute-start can't be used for?
|
Build is hung up on one failing cypress test (
Resolved in 28e0892 w/ an additional wait to ensure the table loader is complete before fetching the page 2 value. I added the wait inline to the test, but it looked like it may be a better fit at the end of and return a Promise? @MadameSheema |
There was a problem hiding this comment.
Checked out locally, desk tested, and code reviewed -- LGTM! 👍 Found a couple potential bugs (commented), but doesn't look to be caused by this changeset.
Thanks for looping back around and addressing all the cleanup here @banderror! 
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @banderror |
Related to: #121644
Addresses: #86202
Summary
Done in this PR:
warningrule execution status (comment).runningstatus (ticket).rule_execution_logfolder. Hopefully naming of folders, files and interfaces is clearer now as well. (comment, comment)withSecuritySpan.// TODO: https://github.com/elastic/kibana/pull/121644commentsIn the next PR that could be merged after the FF I'd address the rest of the stuff:
rule_execution_logfolder. Write a readme for it.// TODO: https://github.com/elastic/kibana/pull/121644comments. All of them are related to tests.