[7.x] [Security] Investigate in Resolver Timeline Integration (#70111)
#70136
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
) ## [Security] `Investigate in Resolver` Timeline Integration This PR adds a new `Investigate in Resolver` action to the Timeline, and all timeline-based views, including: - Timeline - Alert list (i.e. Signals) - Hosts > Events - Hosts > External alerts - Network > External alerts  ### Resolver Overlay When the `Investigate in Resolver` action is clicked, Resolver is displayed in an overlay over the events. The screenshot below has placeholder text where Resolver will be rendered:  The Resolver overlay is closed by clicking the `< Back to events` button shown in the screenshot above. The state of the timeline is restored when the overlay is closed. The scroll position (within the events), any expanded events, etc, will appear exactly as they were before the Resolver overlay was displayed. ### Case Integration Users may link directly to a Timeline Resolver view from cases via the `Attach to new case` and `Attach to existing case...` actions show in the screenshot below:   When users click the link in a case, Timeline will automatically open to the Resolver view in the link. ### URL State Users can directly share Resolver views (in saved Timelines) with other users by copying the Kibana URL to the clipboard when Resolver is open. When another user pastes the URL in their browser, Timeline will automatically open and display the Resolver view in the URL. ### Enabling the `Investigate in Resolver` action In this PR, the `Investigate in Resolver` action is only enabled for events where all of the following are true: - `agent.type` is `endpoint` - `process.entity_id` exists ### Context passed to Resolver The only context passed to `Resolver` is the `_id` of the event (when the user clicks `Investigate in Resolver`) ### What's next? - @oatkiller will replace the placeholder text shown in the screenshots above with the actual call to Resolver in a separate PR - I will follow-up this PR with additional tests - The action text `Investigate in Resolver` may be changed in a future PR - Hide the `Add to case` action in timeline-based views (it's currently visible, but disabled)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backports the following commits to 7.x:
Investigate in ResolverTimeline Integration ([Security] Investigate in Resolver Timeline Integration #70111)