[Security Solution] Sourcerer docs #129670
Conversation
stephmilovic
added
backport:skip
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
stephmilovic
added
release_note:skip
| @@ -31,7 +31,7 @@ export const postSourcererDataView = async ({ | |||
| signal, | |||
| }); | |||
|
|
|||
| export const getSourcererDataview = async ( | |||
| export const getSourcererDataView = async ( | |||
There was a problem hiding this comment.
just a capitalization update for consistency
| # Sourcerer Component | ||
|
|
||
| ## Default Sourcerer | ||
|  |
There was a problem hiding this comment.
idk why these images aren't showing?? should i upload them to github like the gifs are below? I copied those gifs from a PR
There was a problem hiding this comment.
I wonder if once it's merged if they'll show? You can see the pngs below... ???
There was a problem hiding this comment.
Good news, if you click "View File" the images show there so I guess it's just a code review thing?
|  | ||
| ### Flow 7 | ||
| Error state, not expected | ||
|  |
There was a problem hiding this comment.
These flows explanations are very useful and must be included to the user docs. Just wonder why we don't have it there...
What do you think, will it be useful to provide information about the component interface itself: props and how to add the component? I'm thinking also about the describing the relation between all the parts (container, store and server) to help the engineers to understand how to use, support or refactor this component.
There was a problem hiding this comment.
where should i put the readme.md that would explain the connection between the 3 readme files?
There was a problem hiding this comment.
where should i put the readme.md that would explain the connection between the 3 readme files?
I think adding it here will be clear enough, because the store and API doesn't make a lot of usage by itself.
x-pack/plugins/security_solution/public/common/store/sourcerer/readme.md
Outdated
Show resolved
Hide resolved
| The sourcerer API has one route with 2 methods | ||
|
|
||
| 1. POST - `createSourcererDataViewRoute` | ||
| 1. This route is called from `security_solution/public/plugin.tsx` on app load. It passes an argument of `patternList` which is an array of the config index patterns defined in Stack Management > Advanced Settings > Security Solution > Elasticsearch indices along with the default signal index |
There was a problem hiding this comment.
I think it worth to add that the numerated steps under the POST method describes the server side logic for createSourcererDataViewRoute and add the description for the request/response as well.
There was a problem hiding this comment.
thats what steps 3-8 describe
|
@elasticmachine merge upstream |
x-pack/plugins/security_solution/public/common/components/sourcerer/readme.md
Show resolved
Hide resolved
|
|
||
| ## Detections Sourcerer | ||
|  | ||
| - The detections sourcerer is locked to the signals index, and has an "Alerts" flag |
There was a problem hiding this comment.
On the alerts page, do we still load all the data view index fields or just the selected index (the alerts index in this case)?
There was a problem hiding this comment.
yes, all of the index fields are loaded by the data view id, not according to the index pattern
|
|
||
| ### Flow 1 | ||
| **Note:** i paused the most in this flow so y'all can ready the copy, the rest of the flows go quicker | ||
| Legacy Timeline includes an active index pattern that is not included in the default data view, user decides to update data view. Page refresh is prompted |
There was a problem hiding this comment.
Does this create a new data view that now includes the active index that was not included in the data view? Or by "not included" are you saying the index is part of the data view, but just was hidden or something by default?
There was a problem hiding this comment.
yes it does include that, that is what Flow 6 describes. not included meaning the index pattern is not in the data view
| patternList: string[]; | ||
| /** | ||
| * title of Kibana Data View | ||
| * title also serves as "all pattern list", including inactive |
There was a problem hiding this comment.
If a user uses the api to edit their data view, does the name/title also automatically update? Trying to understand if this is 100% always a reliable source for now.
There was a problem hiding this comment.
it updates when they visit the security solution app again. a diff check is run to see if the pattern has updated. that is what step #6 describes below on L45
There was a problem hiding this comment.
Thanks Steph for adding these docs. I left a couple of questions but feel free to comment if they're better just addressed during the code overview session as opposed to needing to modify the docs here.
Only other thing I was wondering was if there are any past tickets that would be useful for devs to review when reading the docs to understand some of the context (like any where the design/architecture was discussed).
LGTM - thanks so much again.
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
* api docs done * more readme * docs improvements * more * add about index fields Co-authored-by: Kibana Machine <[email protected]>
* api docs done * more readme * docs improvements * more * add about index fields Co-authored-by: Kibana Machine <[email protected]>
Summary
Adds documentation for sourcerer for hand-off from Explore team to Security Solution Platform Team.