[AI4DSOC] Alert summary page routing and initialization #214889
Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)
Pinging @elastic/fleet (Team:Fleet)
Overall PR looks good 👏.

One more small question. If I am adding the below lines, I still do not get access to complete security but only to ai_soc. Do we know the reason for this?

```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
    { product_line: 'security', product_tier: 'complete' },
  ]
```
It kinda makes sense to me as you can't have those 2 tiers living next to each other. You're either
## Summary

This PR continues the work done in #214889 and implements the landing page for the new alert summary page. This landing page should only be visible by users if none of the AI for SOC integrations have been installed (more info in [the previous PR](#214889)).

The landing page consists of 2 main sections:
- the top section with a title and an image
- the bottom section where we list the top 2 AI for SOC integrations - Splunk and GoogleSecOps - which are clickable and will redirect the users to the respective integration detail pages, as well as a `View all integrations` button which will redirect the users to the integrations page.

https://github.com/user-attachments/assets/0d15a65d-7f2e-4e2d-9919-896f5532f08c

Link to mocks: https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=4408-128249&t=GaxMP8OEZ9Qsjl0R-0

### Notes

- The current image is only temporary and acts as a placeholder while the UIUX team is creating a gif or video (no ETA on when it will be available).
- The integration links are subject to change in the future, but that work is handled by a different team and is not completed yet.

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to your `serverless.security.dev.yaml` file:

```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Contributes to elastic/security-team#11979
## Summary

This PR continues and finalizes the pre-work done in #214889. Once this PR is merged, the actual alert summary page content implementation will begin.

We need a dataView to be created before being able to fetch any data. The `wrapper.tsx` component creates a dataView.
- While the dataView is being created, a loading skeleton mimicking the future layout of the alert summary page is rendered.
- If the dataView fails to be correctly created (meaning if it comes back undefined or without an id) we show an error message.
- If the dataView is correctly created, we continue to the alert summary page (currently just a div)

https://github.com/user-attachments/assets/f1c8f63e-30a0-4186-94b6-f18a18a89218

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to your `serverless.security.dev.yaml` file:

```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

You'll need to either have some AI for SOC integrations installed, or more easily you can change the `alert_summary.tsx` line 38 from `if (installedPackages.length === 0) {` to `if (installedPackages.length > 0) {` to force the wrapper component to render.

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary

This PR is setting the foundations for the AI for SOC Alert summary page. It has very little UI, instead it focuses on the following:
- add routing for the `alert_summary` page
- fetches the integrations, filters them to only keep the ones related to AI for SOC, then decides what to render depending on whether some AI for SOC packages have been installed or not

The PR also makes a small change to the `SecurityRoutePageWrapper` component, to allow us to redirect to the Security Solution HomePage instead of the NoPrivilegesPage. While this might not be a long term solution, it is the easiest path forward. In the future, AI for SOC will most likely be its own plugin (living outside of Security Solution), hence this will not be needed anymore.

Here's the basic behavior of the Alert summary page:
- The `Landing page` will be shown if none of the hardcoded AI for SOC packages are installed (these values are hardcoded as we currently do not have a way to filter integrations for the AI for SOC ones only):
  - splunk // doesn't yet exist
  - google_secops
  - microsoft_sentinel
  - sentinel_one
  - crowdstrike
- The `Wrapper` component will only be shown if you have at least one of the above AI for SOC packages installed.

### Very limited UI added in this PR

| Loading integrations | No installed packages | Some installed packages |
| ------------- | ------------- | ------------- |
| (screenshot not preserved) | (screenshot not preserved) | (screenshot not preserved) |

### Notes

We need to remove the section at the top of the page that currently shows the `Add integrations` button. A follow-up PR will take care of that. [This](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/app/home/index.tsx#L54) is where that bar is being added. We will have to find a way to not show that for the AI for SOC tier.

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to your `serverless.security.dev.yaml` file:

```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

The Alert summary navigation will NOT be shown for the following Serverless users: `viewer`, `t1_analyst`, and `t2_analyst`. For those, the navigation entry is not present, and navigating to the url directly will automatically re-route to the Security home page.

Currently, retrieving the integrations (via the `fleet/epm/packages` endpoint) is also unauthorized for the following users: `editor`, `t3_analyst`, `threat_intelligence_analyst`, `rule_author`, `soc_manager` and `detections_admin`. This means that the only users that can be currently used to test this PR are:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Will help close elastic/security-team#11954 as well as elastic/security-team#11979.
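The render decision this PR describes (filter the fetched packages down to the hardcoded AI for SOC list, then show the landing page or the wrapper) together with the dataView checks from the follow-up description above, as an added illustrative model in TypeScript; this is not the project's code, and the type names, the simplified package `status` field and the separate error state for a failed `fleet/epm/packages` fetch are assumptions of this example.

```typescript
// Added illustrative model of the decision logic described in the PR text.
// Not the project's code: type names, the simplified package `status` field and
// the separate error state for a failed fetch are assumptions of this example.
// Hardcoded AI for SOC package names listed in the PR description.
const AI_FOR_SOC_PACKAGES: readonly string[] = [
  'splunk', // does not yet exist, per the PR
  'google_secops',
  'microsoft_sentinel',
  'sentinel_one',
  'crowdstrike',
];

interface InstalledPackage {
  name: string;
  status: 'installed' | 'not_installed'; // simplified (assumption)
}

// Keep only installed packages whose name is in the hardcoded list.
function filterAiForSocPackages(packages: InstalledPackage[]): InstalledPackage[] {
  const wanted = new Set(AI_FOR_SOC_PACKAGES);
  return packages.filter((p) => p.status === 'installed' && wanted.has(p.name));
}

type PackagesFetch =
  | { state: 'loading' }
  | { state: 'error'; httpStatus: number } // e.g. 403 from fleet/epm/packages
  | { state: 'ready'; packages: InstalledPackage[] };

type AlertSummaryView = 'loading' | 'landing' | 'wrapper' | 'error';

// Landing page when no AI for SOC package is installed, wrapper otherwise.
// A failed fetch is surfaced as an error instead of being treated as "nothing
// installed", so an unauthorized user is not silently shown the landing page.
function selectAlertSummaryView(fetch: PackagesFetch): AlertSummaryView {
  if (fetch.state === 'loading') return 'loading';
  if (fetch.state === 'error') return 'error';
  return filterAiForSocPackages(fetch.packages).length === 0 ? 'landing' : 'wrapper';
}

// Wrapper step: a dataView must exist and carry an id before any data is fetched.
interface DataView { id?: string }
type WrapperView = 'skeleton' | 'error' | 'page';

function selectWrapperView(creating: boolean, dataView: DataView | undefined): WrapperView {
  if (creating) return 'skeleton'; // loading skeleton mimicking the future layout
  if (dataView === undefined || !dataView.id) return 'error';
  return 'page';
}
```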