Kibana: [SIEM] [Detection Engine] [Meta] Create Detection Engine UI

Pinging @elastic/siem (Team:SIEM)

Adding my notes and action items from our signals-to-timeline workflow meeting on 12/13/2019. Feel free to add additional comments if I've missed anything. CCing @mchopda, @tsg, @andrew-goldstein, @dhurley14, @FrankHassanabad, @spong, @MikePaquette, @XavierM.

Signal tables batch action menu changes

• [x] Remove View selected in hosts and View selected in network options.
• [x] If signals generated from different rules are selected, View selected in timeline will be disabled.
• [x] View selected in timeline will bring the date range (minimum and maximum date of all selected) and rule query from those selected signals to the timeline.
• [ ] Rename View selected in timeline to clearly indicate to the user that this action will open a new timeline, not add to the currently open timeline. Perhaps something like Investigate selected in new timeline.

Signal tables row/overflow action menu changes

• [x] Remove View in hosts and View in network options.
• [x] View in timeline will bring the date range and rule query from that signal to the timeline.
• [ ] Rename View in timeline to clearly indicate to the user that this action will open a new timeline, not add to the currently open timeline. Perhaps something like Investigate in new timeline.
• [ ] @MichaelMarcialis to revisit current row/overflow menu design to address concerns that the actions might be too hidden from the user.

Timeline additions

• [ ] Provide users with a set of prefabricated timelines that would be useful to use in conjunction with a signals investigation.
  
  
  
  • Prefabricated timelines would include suggested columns and filters.
  
  

Create/edit rule changes

• [ ] Add optional field that will allow users to select from the list of available timelines in which to open signals being investigated.
  
  
  
  • Timeline selection will be treated as if it were a template. This means that when the user choosing to investigate a signal from this rule, it will create a new timeline from the selected "template" (rather than overwriting that chosen timeline).
  
  
  • If a timeline that is marked for usage by a rule is inadvertantly deleted by users, the rule should fall back to using the default empty timeline (until the user updates the timeline selection in the edit rule flow).
  
  

Closing as the Signals Histogram (https://github.com/elastic/kibana/pull/53742) was the last of the main features for this meta ticket. The remainder of @MichaelMarcialis's commentwill be taken care of as @XavierM wraps up the last bits of the send to timeline action. Great job everyone! 😀 🎉