elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Related Integrations title doesn't always match title shown in Fleet Integrations UI #152408

Open spong opened 1 year ago

spong commented 1 year ago

As discussed in https://github.com/elastic/kibana/pull/152055#discussion_r1120335363, now that we're querying for all the packages, we should be able to resolve the appropriate Package/Integration Title within the Related Integrations UI in Security.

Currently we're trying to reconstruct it from the policy_template, and this doesn't always match what is displayed in the Fleet Integration UI. For example, the o365-1.3.0 package displays as Office 365 Logs in Fleet:

However we resolve it as O365 in our UIs:

Note: This fix could be more involved if assuming a large number of uninstalled integrations. Probably not reasonable to return titles for all integrations(?), so may need to pass the rule's integrations to our API and only return those? Alternatively, perhaps we just need to add them to the prebuilt rules?

elasticmachine commented 1 year ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

banderror commented 1 year ago

Here's a note about that from the epic:

If a related integration is not installed, we might show an incorrect title. We get integration titles from Fleet via our installed integrations endpoint. If an integration is not installed, we don't return its data => don't get the correct title.

Now that we fetch all existing Fleet integrations (both installed and not installed) in this endpoint, we could:

  1. Either return all of them in the response
  2. Or, as @spong suggested in the description, pass package names in the request parameters to this endpoint, so that it will return info about all their integrations.

I'd vote for the 2nd option.

Also, for the Rule Management page, we could do it a bit differently. When fetching integration data on the Management page, we could omit passing any package names in the request parameters. Then, the endpoint would find the names of all related packages of all rules in the current Kibana space (we can do this now efficiently because we have support for aggregations in the RulesClient). Using these package names, fetch data for all those packages and their integrations.

I think this would also fix https://github.com/elastic/kibana/issues/134625
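The two approaches discussed in this thread, reconstructing a title from the policy_template name versus looking it up in the Fleet package data for exactly the packages a rule references (option 2), can be contrasted in a small TypeScript example. This is an added illustration, not Kibana code: the `FleetPackage`, `FleetPolicyTemplate` and `RelatedIntegration` interfaces are simplified assumed shapes, the registry entries are constructed sample data, and the function names are hypothetical. It also covers the Rule Management case by collecting package names across several rules before the lookup.

```typescript
// Added example (not Kibana's own code). Shapes below are simplified assumptions.
interface FleetPolicyTemplate {
  name: string;  // e.g. "o365"
  title: string; // e.g. "Office 365 Logs"
}

interface FleetPackage {
  name: string;    // e.g. "o365"
  version: string; // e.g. "1.3.0"
  title: string;   // title shown in the Fleet Integrations UI
  status: 'installed' | 'not_installed';
  policy_templates: FleetPolicyTemplate[];
}

// One entry of a rule's related integrations (package, optional integration, version range).
interface RelatedIntegration {
  package: string;
  integration?: string; // policy template name, for multi-integration packages
  version: string;      // semver range, e.g. "^1.3.0"
}

// Constructed sample registry data; titles are illustrative only.
const FLEET_PACKAGES: FleetPackage[] = [
  {
    name: 'o365', version: '1.3.0', title: 'Office 365 Logs', status: 'not_installed',
    policy_templates: [{ name: 'o365', title: 'Office 365 Logs' }],
  },
  {
    name: 'aws', version: '1.17.0', title: 'AWS', status: 'installed',
    policy_templates: [
      { name: 'cloudtrail', title: 'AWS CloudTrail' },
      { name: 'guardduty', title: 'AWS GuardDuty' },
    ],
  },
];

// The behaviour the issue describes: rebuild a display name from the
// integration (or package) name, which yields "O365" rather than "Office 365 Logs".
function reconstructTitle(ri: RelatedIntegration): string {
  const raw = ri.integration ?? ri.package;
  return raw.charAt(0).toUpperCase() + raw.slice(1);
}

// Option 2: the caller passes the package names a rule references and the
// endpoint returns only those packages, whether installed or not.
function getPackagesByName(allPackages: FleetPackage[], packageNames: string[]): FleetPackage[] {
  const wanted = new Set(packageNames);
  return allPackages.filter((p) => wanted.has(p.name));
}

// Rule Management variant: gather the distinct package names across all rules
// (the real endpoint would do this with a RulesClient aggregation).
function collectPackageNames(rules: { related_integrations: RelatedIntegration[] }[]): string[] {
  const names = new Set<string>();
  for (const rule of rules) {
    for (const ri of rule.related_integrations) names.add(ri.package);
  }
  return [...names].sort();
}

// Resolve the title Fleet would show: prefer the policy template title when the
// rule names a specific integration, then the package title, and fall back to
// reconstruction only when Fleet returned no data for the package.
function resolveIntegrationTitle(ri: RelatedIntegration, packages: FleetPackage[]): string {
  const pkg = packages.find((p) => p.name === ri.package);
  if (!pkg) return reconstructTitle(ri);
  if (ri.integration) {
    const tmpl = pkg.policy_templates.find((t) => t.name === ri.integration);
    if (tmpl) return tmpl.title;
  }
  return pkg.title;
}

// Usage: a rule referencing the o365 package resolves to the Fleet title.
const sampleRule = { related_integrations: [{ package: 'o365', version: '^1.3.0' }] };
const fetched = getPackagesByName(FLEET_PACKAGES, collectPackageNames([sampleRule]));
console.log(resolveIntegrationTitle(sampleRule.related_integrations[0], fetched));
```

The fallback path is the one to watch in practice: a package absent from the Fleet response still produces a reconstructed name, so the UI keeps working but may again show a title that does not match Fleet.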