[Cloud Security] Show related alerts when fetching CDR graph #224783
This reverts commit 8a24d97.
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)
Flaky Test Runner Stats: 🟠 Some tests failed. - kibana-flaky-test-suite-runner#9067: [✅] x-pack/solutions/security/test/cloud_security_posture_api/config.ts: 25/25 tests passed.
Flaky Test Runner Stats: 🎉 All tests passed! - kibana-flaky-test-suite-runner#9069: [✅] x-pack/solutions/security/test/cloud_security_posture_functional/config.ts: 25/25 tests passed.
💚 Build Succeeded
| // Single alert contains both event's document data and alert's document data. | ||
| if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length < 2) { | ||
| if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length <= 2) { |
@kfirpeled why did you change it to <=2?
in a single alert use case, you can have a correlated event that the alert was triggered upon. So eventually you will have 2 documents data
| } | ||
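Review bot: the `<= 2` bound on `node.documentsData.length` encodes the pairing explained in the thread (one alert document plus the event it was triggered on), but the comment on the first line still reads as if a single-alert node holds only one document; reword it to state the bound, e.g. `// A single alert carries the alert document and, optionally, the event it was triggered on (at most 2 documents).` Also, `find(...)` is used here only for truthiness, so `some((doc) => doc.type === 'alert')` states the intent directly instead of returning a document that is then discarded.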
| // For single-alert we might have both event and alert documents. We prefer to return the alert document if it exists. | ||
| const documentData = |
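Review bot: the right-hand side of `const documentData =` is not visible in this hunk, so the behaviour when no alert document is present cannot be checked here; the comment above it promises a fallback, so make sure the expression returns the event document (not `undefined`) for the event-only case, and that the tests cover both shapes discussed in the thread, alert-only and event plus alert.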
so we are going to store in the documentsData array the event itself which we get from the log-* and also the alert we found in the alerts-* index?
What is the id of the node going to be? the event id we constructed a(something)-b(something1)?
> so we are going to store in the documentsData array the event itself which we get from the log-* and also the alert we found in the alerts-* index?

correct

> What is the id of the node going to be? the event id we constructed a(something)-b(something1)?

correct, that wasn't changed as part of this PR
| "ignore_malformed": false, | ||
| "type": "date" | ||
| }, | ||
| "actor": { |
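Review bot: `actor` is mapped here as a top-level field alongside the `date` field, and the thread below confirms that `actor` and `target` are technical-preview names which ECS will not accept at the top level; since a JSON mapping cannot carry a comment, record next to the archive or in the PR description that `security_alerts_modified_mappings` deliberately diverges from the production alert mapping and must be revisited when elastic#224483 lands, so the divergence is not mistaken for the intended schema.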
@kfirpeled is this what we expect to be added to ecs?
no
while a decision wasn't made yet for where these fields are going to be in ECS. We know that actor and target won't be approved to be top level fields.
so actor and target are currently temporary and part of a technical preview fields. Sadly it broke the ECS guidelines and once we revert it, it will cause a breaking change
👏
| await networkEventsPage.flyout.assertPreviewPanelIsOpen('event'); | ||
| }); | ||
| it('show related alerts', async () => { |
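Review bot: only the title of the new `it('show related alerts', ...)` block is visible, and the preceding test ends by asserting `assertPreviewPanelIsOpen('event')`; the new test should end with an assertion that differs for the alert case (the panel or marker the flyout shows when an event is identified with an alert), otherwise it would also pass against the pre-PR behaviour, and its title should name what it asserts, as the nit below suggests.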
nit:
| it('show related alerts', async () => { | |
| it('show related events', async () => { |
…c#224783)

## Summary

Closes elastic#221037, shows alerts on the graph by querying both the logs and the alerts indices

- [x] Graph API - new optional `indexPatterns` parameter to switch data views (not in use in the UI atm). Defaults to `.alerts-security.alerts-<spaceId>, logs-*`
- [x] Visualize loaded alerts that are identified with alerts in graph preview and graph investigation

~Depends on elastic#224483

`actor` and `target` are not part of ECS yet. And to ease our development process we wish to push forward with this feature in mind. This feature supports both cases: when the alert's index mappings contain a definition for `actor` and `target`, and also when they do not. In this PR, we add mappings of `actor` and `target` to the es_archive of the alerts. This way we are able to test the functionality of this feature instead of being blocked by elastic#224483.

<details>
<summary>Video 🎥</summary>

https://github.com/user-attachments/assets/bcc86214-6e88-46f3-a990-300bbdc28125

</details>

<details>
<summary>Screenshots 📸</summary>

**Before (ignore label alignments - screenshot is from a local environment)**

**After (another event is identified with alert - marking it as such and expands the _alert_ details)**

**Before network page - preview**

**After network page - preview identifies if event contains alert**

</details>

### How to test locally

1. Edit `kibana.dev.yml` and add:
   ```yml
   uiSettings.overrides.securitySolution:enableGraphVisualization: true
   ```
2. Start elasticsearch and kibana locally
3. To add mock data run the following:
   ```bash
   node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
     --es-url http://elastic:changeme@localhost:9200 \
     --kibana-url http://elastic:changeme@localhost:5601
   node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/security_alerts_modified_mappings \
     --es-url http://elastic:changeme@localhost:9200 \
     --kibana-url http://elastic:changeme@localhost:5601
   ```
4. Open `Alerts` page in kibana. Update the date-picker to include data from a year ago. Then check one of the alerts details opening the right-side flyout and find the "Graph preview" section in it.
5. Expand graph to show related alerts
6. Enable Asset Inventory in the `Inventory` page (if you don't see the page enable the feature flag in the advanced settings)
7. Add entities mock data
   ```bash
   node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store \
     --es-url http://elastic:changeme@localhost:9200 \
     --kibana-url http://elastic:changeme@localhost:5601
   ```
8. Open `Alerts` page in kibana. Check that the graph shows the admin entity with its label

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
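The "single alert" rule debated in the review thread above (alert document present, at most two documents) and the default index patterns from the description, as an added illustration that is not Kibana's code; the `DocumentData`/`GraphNode` shapes, index names and node ids are constructed for the example.

```typescript
// Added illustration, not Kibana's code: the "single alert" rule from the review
// thread and the default index patterns from the PR description.
type DocType = 'event' | 'alert';
interface DocumentData {
  type: DocType;
  id: string;
  index: string; // constructed: the index the document was read from
}
interface GraphNode {
  id: string; // constructed "<actor>-<target>" id, as the thread describes
  documentsData: DocumentData[];
}

// Default patterns named in the description, resolved for one Kibana space.
function defaultIndexPatterns(spaceId: string): string[] {
  return [`.alerts-security.alerts-${spaceId}`, 'logs-*'];
}

// Mirrors the reviewed condition: an alert document is present and the node
// holds at most two documents (the alert plus the event it was triggered on).
// `some` is used because only presence matters, not the document itself.
function isSingleAlert(node: GraphNode): boolean {
  return node.documentsData.some((d) => d.type === 'alert') && node.documentsData.length <= 2;
}

// Prefer the alert document when one exists, otherwise fall back to the event.
// An empty node yields undefined instead of throwing.
function preferredDocument(node: GraphNode): DocumentData | undefined {
  return node.documentsData.find((d) => d.type === 'alert') ?? node.documentsData[0];
}

// Constructed sample nodes covering the shapes raised in the review.
const LOGS = 'logs-gcp.audit-default';
const ALERTS = '.alerts-security.alerts-default';
const eventOnly: GraphNode = { id: 'a1-b1', documentsData: [{ type: 'event', id: 'e1', index: LOGS }] };
const alertOnly: GraphNode = { id: 'a2-b2', documentsData: [{ type: 'alert', id: 'al2', index: ALERTS }] };
// Correlated: the event the alert fired on plus the alert itself, still a single alert.
const correlated: GraphNode = {
  id: 'a3-b3',
  documentsData: [{ type: 'event', id: 'e3', index: LOGS }, { type: 'alert', id: 'al3', index: ALERTS }],
};
// Grouped: more than two documents, so not a single alert even though alerts are present.
const grouped: GraphNode = {
  id: 'a4-b4',
  documentsData: [
    { type: 'alert', id: 'al4', index: ALERTS },
    { type: 'alert', id: 'al5', index: ALERTS },
    { type: 'event', id: 'e4', index: LOGS },
  ],
};
```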