Refine filter mechanism

[asteriscos]

Wazuh	Rev
4.9.0	00

Description

After testing all main features integrated we detected some odd behaviors that need fixing.

Tasks

• Server management / Cluster applies any previous pinned agent and it shouldn't Remove the pinned agent filter in the cluster dashboard #6681
• Server management / Statistics applies any previous pinned agent and it shouldn't Statistics remove pinned agent #6682
• When changing the API selected to a Wazuh server with cluster mode disabled the filter value is "disabled" Fix cluster status response #6675
• In the Vulnerabilities module, when we change the index pattern the view doesn't render any Fix filters are cleaned when navigate throw the modules #6674
• Remove Wazuh server link (000) from alerts tables Remove link to agent 000 in Threat Hunting table #6679
• Add link to agent id and name in discover table (in progress) Add link to agent id and name in discover table #6677
• Check remove filter icon disappears when you unpin an agent Fix remove filter icon visibility when pin and unpin agent #6685
• Check the order in which filters are rendered Change the order of filters #6684
• When navigating to the home page if there is a pinned agent you should keep it. Add to the url of overview the parameter agentId #6686
• Check the flyout of the discover table. Fix discover flyout and improve events columns #6691
• Fix modules redirections with predefined filters via URL Fix modules redirects with pre-defined filters #6712
• Fix pinned agent filter when unpin and change pinned agent. Fixed pinned agent filter when unpin and change pinned agent #6734
• Generate URL with predefined filters #6739
• Index Pattern with different ID than name not filtering in dashboards #6742

[Machi3mfl]

In the Vulnerabilities module, when we change the index pattern the view doesn't render any visualization

#6674

Before

Screen.Recording.2024-05-15.at.11.39.19.mov

This error

After

Screen.Recording.2024-05-15.at.11.45.17.mov

[Machi3mfl]

Fix modules redirections with predefined filters via URL

Tasks

• Create a mechanism to make a redirect with filters by default.
• Add to the current solution the possibility to add filters that will be applied when entering the module.

Current solution

1. Using the getUrlForApp to get the redirect href

<EuiButtonEmpty
                iconType='popout'
                aria-label='popout'
                href={getCore().application.getUrlForApp(threatHunting.id, {
                  path: `#/overview/?tab=general&tabView=panels&addRuleFilter=1001`
                })}
                target='blank'
              >
                View alerts of this Rule
              </EuiButtonEmpty>

2. In plugins/wazuh/public/services/common-data.js, globally check the URL query, search the addRuleFilter and add directly to the filter manager the filter

const regex = new RegExp('addRuleFilter=' + '[^&]*');
      const match = this.$window.location.href.match(regex);
      if (match && match[0]) {
        const id = match[0].split('=')[1];
        let filter = filterHandler.ruleIdQuery(id);
        filter.$state.isImplicit = false;
        filters.push(filter);
        this.$window.location.href = this.$window.location.href.replace(
          regex,
          '',
        );
      }

Disadvantages

• Not scalable, for every filter that we want to add we must add a condition to check the param received, like for example, the addRuleFilter param.
• To many responsibilities, the redirect touches the filter manager directly

# Possible solutions

• Encapsulate the getCore().application.getUrlForApp method and create a function that creates the redirect URL with all the necessary params like:

  • panel
  • tab
  • predefined filters (one or more)

  For instance:

     // redirect manager or something 
     
    redirector.redirectToApp({
      tab: 'general',
      tabView: 'panels',
     applicationId: 'threat-hunting',
    filters: [{ key: 'rule.id', value: '1001' }]
    })

Then this service construct the URL with the params like:

• ruleId=1001 or inner a_ filters query

Problem

When the URL is refreshed using enter or F5 the a_ content is cleaned

• Use the same solution, adding custom query params manually and evaluate this query params in the data-source-pattern-filter-manager and add the filters

For instance:

getCore().application.getUrlForApp(threatHunting.id, {
                  path: `#/overview/?tab=general&tabView=panels&filters='ruleId=1001&ruleMitreId=T100`
                })

Then, when the data source is loaded the data source filter manager gets the query params, creates the filters and add on it.

[lucianogorza]

Proposals to display implicit filters in the search bar

Currently, to display the implicit filters, the search bar component native to OpenSearch is manipulated and the close buttons for the filter badges are removed. This practice sometimes results in incorrect functionality because we are interfering with the behavior of a component outside our control.

To achieve a stable behavior for displaying implicit filters, the following alternatives are proposed.

All options have the same technical solution but with different visual proposals.

Option 1: Show all implicit filters without the close button

This option, visually, is identical to how it is currently displayed, but technically the solution is different. We would be hiding the implicit filters from the native search bar and adding them as components of our application outside the bar in the DOM.

Option 2: Show all implicit filters without the close button and with another background color

Option 3: Hide the implicit filters and show a Tooltip to display the info

Option 4: Hide the implicit filters and show a Popover to display the info

Due to the scope and size of the proposed solution, we decided to create another issue to continue the development: #6711