Open rylnd opened 2 months ago
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Update: after some discussion we've elected to spike out the following: ML rules will use the alerts index fields for its autopopulation. If that's relatively straightforward, it will satisfy the second issue listed above, and we can split off a separate "ML autocomplete doesn't include anomaly fields" issue as needed.
After some discussion I was pointed to the fact that the useRuleIndices
hook already contains this logic (most of which was added in https://github.com/elastic/kibana/pull/133494), and is used in the expected places on the rule UI.
There are currently two issues with this implementation:
Update: we have addressed the majority of concerns in rylnd/kibana#9, and that will soon be merged to main via https://github.com/elastic/kibana/pull/181926.
@yctercero I think once that's merged we can close this, and perhaps open a broader ticket for a more formal integration with ML?
Amazing! That sounds good. @approksiu and @ARWNightingale are working through new create rule flows. It may be great to sync up on the particularities of ML.
This was addressed (in part) by #181926, which added a new hook useRuleFields
to retrieve the correct fields for a particular rule (including ML rules). It has only been applied to the ML Suppression fields, however, and so that new hook still needs to be leveraged by the other relevant UI fields.
Summary
There are several fields that leverage autocomplete on the rule forms:
However, in the case of ML rules, there is no underlying "data source" associated with the rule (at least as far as the UI is concerned), which leads to some interesting behaviors:
In both of the above scenarios, workarounds are limited since it isn't possible to manually add a field to those autocomplete components (as far as I am aware).
Steps to reproduce:
Expected behavior: At the very least, I should be able to manually add fields to these components. Ideally, that process is aided by autocompleting from the ML indices directly, or else a static list of ECS fields.
Screenshots:
Any additional context: This behavior looks to be as old as ML rules, which predate many of the autocomplete fields the rule creation/edit UI use.
This also relates to the recent issue with ML Rule Preview, which (with hindsight) I would now classify as a symptom of this broader issue: preview was based on the presence of an
index
argument (aka a data source), for which ML rules don't have an official concept.