Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] Integration tests for simple diff algorithm #184889

Merged
merged 14 commits into from
Jun 13, 2024

Conversation

dplumlee
Copy link
Contributor

@dplumlee dplumlee commented Jun 6, 2024

Summary

Completes related tickets: #180160 and #180158

Switches fields to use the diff algorithms assigned to them in the related tickets

Adds integration tests in accordance to #184484 for the upgrade/_review API endpoint for the simple diff algorithm.

Also changes logic in the upgrade/_review API endpoint to return user customized fields in the diffs even if there was not an update for that field. This new logic is described in #180154. We filter out the fields that fall under this new logic so that they are only returned from the API but not displayed in the per-field rule diff flyout as the current UI cannot support them. They are utilized in testing logic and will be implemented in the UI at a later date

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@dplumlee dplumlee added test release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area v8.15.0 labels Jun 6, 2024
@dplumlee dplumlee self-assigned this Jun 6, 2024
@dplumlee dplumlee requested a review from a team as a code owner June 6, 2024 02:51
@dplumlee dplumlee requested a review from nikitaindik June 6, 2024 02:51
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@kibanamachine
Copy link
Contributor

Flaky Test Runner Stats

🎉 All tests passed! - kibana-flaky-test-suite-runner#6224

[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed.
[✅] x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/serverless.config.ts: 100/100 tests passed.

see run history

@dplumlee dplumlee requested a review from a team as a code owner June 10, 2024 20:12
@dplumlee dplumlee requested a review from dhurley14 June 10, 2024 20:12
@@ -217,7 +217,7 @@ export const schema: FormSchema<AboutStepRule> = {
label: i18n.translate(
'xpack.securitySolution.detectionEngine.createRule.stepAboutRule.fieldMitreThreatLabel',
{
defaultMessage: 'MITRE ATT&CK\\u2122',
defaultMessage: 'MITRE ATT&CK\u2122',
Copy link
Contributor Author

@dplumlee dplumlee Jun 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When I was doing some testing, I noticed this was returning with the literal string both in the diffing UI and in the rule forms, probably caused by the big i18n update that got merged in a couple weeks ago. This fixes the unicode to display correctly.

Screenshot 2024-06-10 at 11 20 17 AM

Copy link
Contributor

@nikitaindik nikitaindik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dplumlee! I have taken a look. Left some comments.

name: {
current_version: 'B',
diff_outcome: ThreeWayDiffOutcome.StockValueCanUpdate,
has_conflict: false,
Copy link
Contributor

@nikitaindik nikitaindik Jun 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this actually be has_conflict: true? The test plan mentions that there should be a conflict, and I think it makes sense.

Let's say you have a rule with a customized field value, then the base version gets removed somehow. In such case I think we shouldn't automatically choose the target version, but force the user to make this choice.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I agree, I'll change the logic of what we're returning to match this output

Copy link
Contributor Author

@dplumlee dplumlee Jun 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this poses another question actually. Currently, whenever the base_version is missing, we assume the rule is not customized giving us the diff outcomes of StockValueNoUpdate for the -AA situation and StockValueCanUpdate for the -AB situation. Here is where that logic occurs in the code

Should we be instead assuming both are customized and the fallback for an undefined base_version would be to return the field and let users decide if they want to keep or update the field?

In this scenario we would return CustomizedValueSameUpdate for the now assumed -BB outcome and CustomizedValueCanUpdate for the -BC outcome.

The only downside I can think of for this would be we'd return all the fields for an entire rule no matter what if the base_version was unavailable which could be overwhelming.

cc: @banderror @nikitaindik

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's okay to return a bunch of fields in this edge case, since it should only happen once. Base version would get created if you upgrade a rule, right? Otherwise we run the risk of removing user's custom value with no way to return to it.

This was my line of thinking:
If we have the -AA situation this could mean one of:

  • AAA -> no conflict, pick target
  • ABB -> no conflict, pick target
    Since we don't know which case it is, we can assume the most complex scenario (ABB) and return ThreeWayDiffOutcome.CustomizedValueSameUpdate. Then indeed we'll return every field in response.

If we have the -AB situation this could mean one of:

  • AAB -> no conflict, pick target
  • ABC -> has conflict, user has to choose
    Again, I would assume the "worst" (ABC) and return CustomizedValueCanUpdate. Then the field would also have has_conflict: true and the user would have to make a choice.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can merge this as is for now and wait until folks come back from vacations to discuss with them. Looking at the comment here, perhaps there was an idea behind the current behaviour 🤷 .

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have read the thread and agree with the compromise logic option. Does it make sense to inform the user about missing the base version when this happens?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@approksiu I think it's probably a good idea, not sure if that's in the UI plans yet or not

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll discuss with @ARWNightingale.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback @approksiu, we'll go with option 3 then.

Does it make sense to inform the user about missing the base version when this happens?
not sure if that's in the UI plans yet or not

It would be a rare edge case to handle. It's not planned. I think it might be useful eventually, especially when we reach that 15k limit, but at this point I would not include this into Milestone 3. I opened a #186880 that we can consider adding to Milestone 4.

cc @dplumlee @jpdjere @xcrzx @nikitaindik

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, definitely in Milestone 3. Thanks for adding the issue!

Copy link
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left my thoughts on the -AA and -AB question.

I'd like to take a deeper look at the added tests next week. Please merge w/o waiting for me though when the PR is reviewed and ready, I can take a look post-merge.

name: {
current_version: 'B',
diff_outcome: ThreeWayDiffOutcome.StockValueCanUpdate,
has_conflict: false,
Copy link
Contributor

@banderror banderror Jun 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikitaindik @dplumlee This is a great catch, thank you both!

We have a technical and a UX sides of the question.

Technically, your above comments make sense that if we treat -AA as ABB and -AB as ABC, we would need to adjust the returned ThreeWayDiffOutcome values accordingly.

From the UX perspective, we have a trade-off:

  • 1st option is to treat -AA as ABB and -AB as ABC. The trade-off is safety at the cost of usability. In practice, all -AA and -AB fields would be shown in the rule upgrade flyout, with -AB fields shown as conflicting. This might look confusing, dangerous and overwhelming, especially if the user has never customized their installed rules and just lost some of the prebuilt rule assets.
  • 2nd option is to treat -AA as AAA and -AB as AAB. The trade-off is usability at the cost of safety. In practice, all -AA fields would not be shown in the rule upgrade flyout, and -AB fields would be shown in the flyout as auto-accepted, thus significantly saving the time to upgrade the rules. This might be dangerous for those rules that had been customized by the user, then Elastic published a new package with updates to those rules, and the user lost some of the prebuilt rule assets (-AB situation).

There can be a few ways to loose rule assets partially:

  • By manually deleting some of them using a script, or dev tools, etc. I think chances are very low, and that would be the shooting yourself in the foot type of case.
  • By installing a new package version where some of the historical rule versions will be missing. We have a hard limit of 15000 rule versions per package. We haven't reached it yet, but reaching it is a matter of time. When the TRaDE team reaches it, they will need to come up with an algorithm for evicting old rule versions from the package. Our upgrade logic should work well regardless of existence or non-existence of certain historical versions. What are the chances for the user to find themselves in this situation? I think it will depend on this eviction algorithm in the future, but currently I think it's 0.

The 1st option would be a fool-proof and safe way of handling the two situations above, the 2nd option would be a quick-and-easy way.

Probably there can be a 3rd, compromise option:

  • Treat -AA as AAA and NO_CONFLICT for increased usability.
  • Treat -AB as ABC and SOLVABLE_CONFLICT for safety. In this case, we would successfully auto-merge the change and return a merged_version: 'C', but mark it as SOLVABLE_CONFLICT according to the idea of solvable and non-solvable conflicts described in the RFC and this ticket. In this case, users would need to manually accept the auto-merged value in the upgrade flyout.

I agree that we should hold off changing the current logic until all people are back from vacations 👍

@nikitaindik nikitaindik self-requested a review June 13, 2024 09:52
Copy link
Contributor

@nikitaindik nikitaindik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing my comments @dplumlee! The PR LGTM now!

@dplumlee
Copy link
Contributor Author

@elasticmachine merge upstream

@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.6MB 13.6MB +2.0KB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dplumlee

Copy link
Contributor

@vitaliidm vitaliidm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detection Engine changes LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:skip This commit does not require backporting Feature:Prebuilt Detection Rules Security Solution Prebuilt Detection Rules area release_note:skip Skip the PR/issue when compiling release notes Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. test v8.15.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants