[7.x] [Security] Investigate in Resolver Timeline Integration (#70111) #70136

Merged

Commits on Jun 26, 2020

  1. [Security] Investigate in Resolver Timeline Integration (elastic#70111)
    
    ## [Security] `Investigate in Resolver` Timeline Integration
    
    This PR adds a new `Investigate in Resolver` action to the Timeline, and all timeline-based views, including:
    
    - Timeline
    - Alert list (i.e. Signals)
    - Hosts > Events
    - Hosts > External alerts
    - Network > External alerts
    
    ![investigate-in-resolver-action](https://user-images.githubusercontent.com/4459398/85886173-c40d1c80-b7a2-11ea-8011-0221fef95d51.png)
    
    ### Resolver Overlay
    
    When the `Investigate in Resolver` action is clicked, Resolver is displayed in an overlay over the events. The screenshot below has placeholder text where Resolver will be rendered:
    
    ![resolver-overlay](https://user-images.githubusercontent.com/4459398/85886309-10f0f300-b7a3-11ea-95cb-0117207e4890.png)
    
    The Resolver overlay is closed by clicking the `< Back to events` button shown in the screenshot above.
    
    The state of the timeline is restored when the overlay is closed. The scroll position (within the events), any expanded events, etc., will appear exactly as they were before the Resolver overlay was displayed.
    
    ### Case Integration
    
    Users may link directly to a Timeline Resolver view from cases via the `Attach to new case` and `Attach to existing case...` actions shown in the screenshot below:
    
    ![case-integration](https://user-images.githubusercontent.com/4459398/85886773-e3587980-b7a3-11ea-87b6-b098ea14bc5f.png)
    
    ![investigate-in-resolver](https://user-images.githubusercontent.com/4459398/85885618-daff3f00-b7a1-11ea-9356-2e8a1291f213.gif)
    
    When users click the link in a case, Timeline will automatically open to the Resolver view in the link.
    
    ### URL State
    
    Users can directly share Resolver views (in saved Timelines) with other users by copying the Kibana URL to the clipboard when Resolver is open.
    
    When another user pastes the URL in their browser, Timeline will automatically open and display the Resolver view in the URL.
    
    ### Enabling the `Investigate in Resolver` action
    
    In this PR, the `Investigate in Resolver` action is only enabled for events where all of the following are true:
    
    - `agent.type` is `endpoint`
    - `process.entity_id` exists
    
    ### Context passed to Resolver
    
    The only context passed to `Resolver` is the `_id` of the event (when the user clicks `Investigate in Resolver`).
    
    ### What's next?
    
    - @oatkiller will replace the placeholder text shown in the screenshots above with the actual call to Resolver in a separate PR
    - I will follow up this PR with additional tests
    - The action text `Investigate in Resolver` may be changed in a future PR
    - Hide the `Add to case` action in timeline-based views (it's currently visible, but disabled)
    andrew-goldstein committed Jun 26, 2020 (commit 384ff47)
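The gating rule from the "Enabling the `Investigate in Resolver` action" section and the "Context passed to Resolver" section, written out as an added example rather than code from the Kibana PR. The `{ field, value }` row shape, the function names and the event rows are all assumptions constructed for illustration.

```typescript
// Assumed shape for one field of a timeline event row, modelled on the
// { field, value } pairs Kibana's timeline hands to its row actions.
interface TimelineNonEcsData {
  field: string;
  value: string[] | null;
}

// Minimal view of an event row: the document _id plus its field/value pairs.
interface TimelineEventRow {
  _id: string;
  data: TimelineNonEcsData[];
}

// Every non-empty value recorded for `field`; [] when the field is absent
// or its value array is null/empty, so "exists" means a real, non-blank id.
function getFieldValues(data: TimelineNonEcsData[], field: string): string[] {
  const values: string[] = [];
  for (const row of data) {
    if (row.field === field && row.value !== null) {
      values.push(...row.value.filter((v) => v.length > 0));
    }
  }
  return values;
}

// The two gating conditions from the PR: agent.type is `endpoint` AND
// process.entity_id exists. Any other event keeps the action disabled, so
// non-endpoint events never offer a Resolver view that cannot be rendered.
function isInvestigateInResolverEnabled(row: TimelineEventRow): boolean {
  const agentTypes = getFieldValues(row.data, 'agent.type');
  const entityIds = getFieldValues(row.data, 'process.entity_id');
  return agentTypes.includes('endpoint') && entityIds.length > 0;
}

// Resolver only receives the event's _id; null when the action is disabled,
// so a caller cannot open Resolver for an unsupported event by mistake.
function getResolverContext(row: TimelineEventRow): { eventId: string } | null {
  return isInvestigateInResolverEnabled(row) ? { eventId: row._id } : null;
}

// Constructed sample rows (not real data): one endpoint event, one beats event.
const endpointEvent: TimelineEventRow = {
  _id: 'evt-endpoint-1',
  data: [{ field: 'agent.type', value: ['endpoint'] }, { field: 'process.entity_id', value: ['entity-abc'] }],
};
const beatsEvent: TimelineEventRow = {
  _id: 'evt-beats-1',
  data: [{ field: 'agent.type', value: ['winlogbeat'] }, { field: 'process.entity_id', value: ['entity-xyz'] }],
};
```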