
Risk engine initialisation, update from legacy risk engine workflow and status change #162400

Merged
merged 54 commits into from
Aug 4, 2023

Conversation

nkhristinin
Contributor

@nkhristinin nkhristinin commented Jul 24, 2023

Risk engine initialisation, update from legacy risk engine workflow and status change

Screen.Recording.2023-08-01.at.15.00.35.mov

Green areas are what was implemented
Screenshot 2023-08-01 at 15 07 01

This PR has:

  • Upgrade workflow. If the user has risk host or user transforms, we will show the panel with a call to action for the upgrade.
  • Introduce a new Saved object to save the configuration of the risk engine
  • API which is described below

It requires the experimental flag riskScoringRoutesEnabled to be enabled.

New API

/engine/status

GET

Get the status of the Risk Engine

Description:

Returns the status of both the legacy transform-based risk engine, as well as the new risk engine

Responses
{
  "legacy_risk_engine_status": "NOT_INSTALLED" | "ENABLED",
  "risk_engine_status": "NOT_INSTALLED" | "ENABLED" | "DISABLED"
}

/engine/init

POST

Initialize the Risk Engine

Description:

Initializes the Risk Engine by creating the necessary indices and mappings, removing old transforms, creating saved object configuration

Responses
{
  "result": {
    "risk_engine_enabled": true,
    "risk_engine_resources_installed": true,
    "risk_engine_configuration_created": true,
    "legacy_risk_engine_disabled": true,
    "errors": [
      "string"
    ]
  }
}

/engine/enable

POST

Enable the Risk Engine

Description:

Changes the saved object configuration; in the future this is where we will start the task

/engine/disable

POST

Disable the Risk Engine
Changes the saved object configuration; in the future this is where we will stop the task

@nkhristinin nkhristinin force-pushed the enable-risk-score branch 3 times, most recently from b473ff4 to f9c2c02 Compare July 28, 2023 10:11
/**
* Fetches risks engine status
*/
export const fetchRiskEngineStatus = async ({
Contributor


I missed this with your previous PR, but: can you explain the logic behind the folder naming here? Explore team originally introduced risk_score folders, and I tried to generalize that to risk_engine stuff, but now it seems like we're broadening that to entity_analytics, here? Not a judgement, I'm just trying to understand the intention and keep things consistent.

Contributor Author


My original idea was to introduce the new public folder, for all things related to EA (watchlist, etc)

If you think we should rename/move things please let me know

Contributor


That sounds reasonable; thanks for the explanation. Perhaps as we move the client code to pull from the new risk score data, we can move those files/folders under entity_analytics ?

}

export interface InitRiskEngineResult {
leggacyRiskEngineDisabled: boolean;
Contributor


Suggested change
leggacyRiskEngineDisabled: boolean;
legacyRiskEngineDisabled: boolean;

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin requested a review from a team as a code owner August 3, 2023 14:05
Member

@dmlemeshko dmlemeshko left a comment


Appex QA changes LGTM

@nkhristinin nkhristinin requested a review from machadoum August 3, 2023 17:05
Contributor

@tomsonpl tomsonpl left a comment


Nice job 👍
I left just one question as a Defend Workflows review :)

rylnd added 2 commits August 3, 2023 12:39
Trial licenses are included in `.isPlatinumPlus`, we don't need to check
that ourselves.
Contributor

@tomsonpl tomsonpl left a comment


Defend Workflows lgtm 👍

@machadoum
Member

threat-hunting-explore changes LGTM!

You need to check for entity-analytics UI privileges to hide the new page and the update panel for serverless essentials.

Screenshot 2023-08-03 at 12 07 59

Hey!
I took a second look and the call to action on the entity analytics page is still showing for serverless essentials.
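Added example, not code from this PR or from Kibana: a client-side model of the /engine/status and /engine/init responses documented in the PR description, with the decision logic a consumer would run on top of them (when the legacy-upgrade call to action should appear, whether an init call fully succeeded) and the entity-analytics privilege gate raised in the review above. The route prefix (BASE_PATH), the injected transport function, the CallToAction labels and the sample responses are this example's own assumptions, not values from the PR.

```typescript
// Added example, not Kibana's code. Types mirror the response shapes given in the
// PR description; everything else (BASE_PATH, transport, CallToAction labels,
// sample responses) is assumed for illustration.

type LegacyRiskEngineStatus = "NOT_INSTALLED" | "ENABLED";
type RiskEngineStatus = "NOT_INSTALLED" | "ENABLED" | "DISABLED";

const LEGACY_STATUSES = ["NOT_INSTALLED", "ENABLED"] as const;
const ENGINE_STATUSES = ["NOT_INSTALLED", "ENABLED", "DISABLED"] as const;

interface RiskEngineStatusResponse {
  legacy_risk_engine_status: LegacyRiskEngineStatus;
  risk_engine_status: RiskEngineStatus;
}

interface InitRiskEngineResponse {
  result: {
    risk_engine_enabled: boolean;
    risk_engine_resources_installed: boolean;
    risk_engine_configuration_created: boolean;
    legacy_risk_engine_disabled: boolean;
    errors: string[];
  };
}

function isOneOf<T extends string>(allowed: readonly T[], v: unknown): v is T {
  return typeof v === "string" && (allowed as readonly string[]).includes(v);
}

// Strict parser: an unknown status value is an error, never silently mapped to
// NOT_INSTALLED, so the UI cannot drift from what the server actually reported.
function parseStatusResponse(body: unknown): RiskEngineStatusResponse {
  if (typeof body !== "object" || body === null) {
    throw new Error("status response is not an object");
  }
  const o = body as Record<string, unknown>;
  const legacy = o.legacy_risk_engine_status;
  const engine = o.risk_engine_status;
  if (!isOneOf(LEGACY_STATUSES, legacy)) {
    throw new Error(`unexpected legacy_risk_engine_status: ${String(legacy)}`);
  }
  if (!isOneOf(ENGINE_STATUSES, engine)) {
    throw new Error(`unexpected risk_engine_status: ${String(engine)}`);
  }
  return { legacy_risk_engine_status: legacy, risk_engine_status: engine };
}

type CallToAction = "hidden" | "show_upgrade_panel" | "engine_running" | "engine_disabled" | "fresh_install";

// The upgrade rule is the one stated in the PR: legacy transforms present and the
// new engine not yet installed. The privilege check follows the review comment:
// without entity-analytics UI privileges nothing is shown. Other labels are this
// example's own.
function decideCallToAction(status: RiskEngineStatusResponse, hasEntityAnalyticsPrivilege: boolean): CallToAction {
  if (!hasEntityAnalyticsPrivilege) return "hidden";
  if (status.legacy_risk_engine_status === "ENABLED" && status.risk_engine_status === "NOT_INSTALLED") {
    return "show_upgrade_panel";
  }
  switch (status.risk_engine_status) {
    case "ENABLED": return "engine_running";
    case "DISABLED": return "engine_disabled";
    default: return "fresh_install";
  }
}

// /engine/init reports each step separately; treat the upgrade as complete only
// when every step succeeded and the errors list is empty, so a half-migrated engine
// (for example legacy transforms still running) is surfaced rather than hidden.
function initCompleted(resp: InitRiskEngineResponse): { ok: boolean; problems: string[] } {
  const r = resp.result;
  const problems = r.errors.slice();
  if (!r.risk_engine_resources_installed) problems.push("indices/mappings not installed");
  if (!r.risk_engine_configuration_created) problems.push("configuration saved object not created");
  if (!r.legacy_risk_engine_disabled) problems.push("legacy risk engine still enabled");
  if (!r.risk_engine_enabled) problems.push("risk engine not enabled");
  return { ok: problems.length === 0, problems };
}

// Transport is injected so the flow runs offline; BASE_PATH is a placeholder because
// the real route prefix is not given in the PR description.
type JsonTransport = (method: "GET" | "POST", path: string) => Promise<unknown>;
const BASE_PATH = "/example-base-path";

async function runUpgradeFlow(
  transport: JsonTransport,
  hasEntityAnalyticsPrivilege: boolean
): Promise<{ action: CallToAction; init?: { ok: boolean; problems: string[] } }> {
  const status = parseStatusResponse(await transport("GET", `${BASE_PATH}/engine/status`));
  const action = decideCallToAction(status, hasEntityAnalyticsPrivilege);
  if (action !== "show_upgrade_panel") return { action };
  const init = initCompleted((await transport("POST", `${BASE_PATH}/engine/init`)) as InitRiskEngineResponse);
  return { action, init };
}

// Constructed sample responses, not captured from a real deployment.
const SAMPLE_STATUS: unknown = { legacy_risk_engine_status: "ENABLED", risk_engine_status: "NOT_INSTALLED" };
const SAMPLE_INIT: InitRiskEngineResponse = {
  result: {
    risk_engine_enabled: true,
    risk_engine_resources_installed: true,
    risk_engine_configuration_created: true,
    legacy_risk_engine_disabled: false,
    errors: [],
  },
};

const stubTransport: JsonTransport = async (_method, path) =>
  path.endsWith("/engine/status") ? SAMPLE_STATUS : SAMPLE_INIT;

runUpgradeFlow(stubTransport, true).then((r) => console.log(JSON.stringify(r)));
```

With the constructed sample the flow shows the upgrade panel, calls init, and reports the run as not ok because the legacy engine is still enabled; with hasEntityAnalyticsPrivilege set to false the status is fetched but nothing is shown, which is the serverless essentials case from the review.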

@nkhristinin nkhristinin enabled auto-merge (squash) August 4, 2023 10:24
@nkhristinin
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin merged commit 2bd52fc into elastic:main Aug 4, 2023
@kibana-ci
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Defend Workflows Cypress Tests #1 / Endpoint Policy Response from Endpoint List page should display policy response with errors should display policy response with errors
  • [job] [logs] Defend Workflows Cypress Tests #1 / Endpoint Policy Response from Fleet Agent Details page should display policy response with errors should display policy response with errors
  • [job] [logs] Defend Workflows Endpoint Cypress Tests #6 / Response console document signing should fail if data tampered should fail if data tampered

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 4360 4365 +5

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 15.5MB 15.5MB +7.7KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 57.8KB 58.0KB +233.0B
Unknown metric groups

References to deprecated APIs

id before after diff
securitySolution 622 625 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@nkhristinin
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Contributor

ignoring request to update branch, pull request is closed

@kibanamachine kibanamachine added v8.10.0 backport:skip This commit does not require backporting labels Aug 4, 2023