-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Sourcerer docs #129670
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
@@ -31,7 +31,7 @@ export const postSourcererDataView = async ({ | |||
signal, | |||
}); | |||
|
|||
export const getSourcererDataview = async ( | |||
export const getSourcererDataView = async ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a capitalization update for consistency
# Sourcerer Component | ||
|
||
## Default Sourcerer | ||
![](../../images/default.png) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
idk why these images aren't showing?? should i upload them to github like the gifs are below? I copied those gifs from a PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if once it's merged if they'll show? You can see the pngs below... ???
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good news, if you click "View File" the images show there so I guess it's just a code review thing?
![f6](https://user-images.githubusercontent.com/6935300/144764146-6e0ac904-4a8e-4a4c-bf4f-c43db07e5a79.gif) | ||
### Flow 7 | ||
Error state, not expected | ||
![f7](https://user-images.githubusercontent.com/6935300/144874843-ff3e5d1a-3436-41f6-97af-cad3431b83cc.gif) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These flows explanations are very useful and must be included to the user docs. Just wonder why we don't have it there...
What do you think, will it be useful to provide information about the component interface itself: props and how to add the component? I'm thinking also about the describing the relation between all the parts (container, store and server) to help the engineers to understand how to use, support or refactor this component.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where should i put the readme.md that would explain the connection between the 3 readme files?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where should i put the readme.md that would explain the connection between the 3 readme files?
I think adding it here will be clear enough, because the store and API doesn't make a lot of usage by itself.
x-pack/plugins/security_solution/public/common/store/sourcerer/readme.md
Outdated
Show resolved
Hide resolved
The sourcerer API has one route with 2 methods | ||
|
||
1. POST - `createSourcererDataViewRoute` | ||
1. This route is called from `security_solution/public/plugin.tsx` on app load. It passes an argument of `patternList` which is an array of the config index patterns defined in Stack Management > Advanced Settings > Security Solution > Elasticsearch indices along with the default signal index |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it worth to add that the numerated steps under the POST method describes the server side logic for createSourcererDataViewRoute
and add the description for the request/response as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thats what steps 3-8 describe
@elasticmachine merge upstream |
x-pack/plugins/security_solution/public/common/components/sourcerer/readme.md
Show resolved
Hide resolved
|
||
## Detections Sourcerer | ||
![](../../images/alerts.png) | ||
- The detections sourcerer is locked to the signals index, and has an "Alerts" flag |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the alerts page, do we still load all the data view index fields or just the selected index (the alerts index in this case)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, all of the index fields are loaded by the data view id, not according to the index pattern
|
||
### Flow 1 | ||
**Note:** i paused the most in this flow so y'all can ready the copy, the rest of the flows go quicker | ||
Legacy Timeline includes an active index pattern that is not included in the default data view, user decides to update data view. Page refresh is prompted |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this create a new data view that now includes the active index that was not included in the data view? Or by "not included" are you saying the index is part of the data view, but just was hidden or something by default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes it does include that, that is what Flow 6 describes. not included meaning the index pattern is not in the data view
patternList: string[]; | ||
/** | ||
* title of Kibana Data View | ||
* title also serves as "all pattern list", including inactive |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a user uses the api to edit their data view, does the name/title also automatically update? Trying to understand if this is 100% always a reliable source for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it updates when they visit the security solution app again. a diff check is run to see if the pattern has updated. that is what step #6 describes below on L45
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Steph for adding these docs. I left a couple of questions but feel free to comment if they're better just addressed during the code overview session as opposed to needing to modify the docs here.
Only other thing I was wondering was if there are any past tickets that would be useful for devs to review when reading the docs to understand some of the context (like any where the design/architecture was discussed).
LGTM - thanks so much again.
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
* api docs done * more readme * docs improvements * more * add about index fields Co-authored-by: Kibana Machine <[email protected]>
* api docs done * more readme * docs improvements * more * add about index fields Co-authored-by: Kibana Machine <[email protected]>
Summary
Adds documentation for sourcerer for hand-off from Explore team to Security Solution Platform Team.