[RAC][Alert Triage] Alerts Histogram Component

spong commented 3 years ago

Description

This issue is for the generification of the Alerts Histogram component used within the Alert Triage workflow on the main Security Detections page and Rule Details page. This component isn't currently planned to be used within the Observability workflow, and so its generification can be prioritized as necessary.

Interface

Inputs

Page-level KQL query, filters, and daterange
.alerts index to query against
Stack by options (and perhaps some other display configuration as required)
Outputs
Page-level KQL query, filters, and daterange (time scrubbing, and stack by quick filter hover actions)

API Requirements

Generic query API for fetching documents from the .alerts index.

Destination Plugin/Package 🏠

Perhaps alerting plugin, rac plugin, or generic shared component package, but TBD.

Existing Source

AlertsHistogramPanel (source wrapping AlertsHistogram based on EUICharts HistogramBarSeries.

Data is fetched using following hooks:

useQueryAlerts (source) - Hook for fetching Alerts from the Detection Engine API. Takes query and index, returning query results to be processed. Histogram aggregation query generated here.

elasticmachine commented 3 years ago

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

elasticmachine commented 3 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 3 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

katrin-freihofner commented 3 years ago

There are a couple of things that I hope we can improve on the histogram as we build this component.

Colors We have dedicated visualization colors in EUI. I highly recommend using them as they are well tested, accessible and themeable.

Responsive behavior In my opinion, responsive behavior is part of a high-quality UI. I also think it is especially important for these views as they are used for troubleshooting. This can happen anywhere, anytime, and on any device.
Date/Time in the tooltip is unclear To me, the date/time in the tooltip is not clear. I suggest using the standard Kibana date/time format.
User-friendly labels The field names can be hard to read. Therefore, I suggest defining labels (at least for the most important ones).
I'm not sure what this icon button is for and if we are going to need it for our use case in Observability. cc @cyrille-leclerc

cc @lindseypoli

elasticmachine commented 3 years ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elastic / kibana