MVC: Initial Project Level Alert Dashboard
### Problem to solve

As a security operations engineer or a security analyst, I need a place where I can review and triage high priority alerts, so that I can decide how best to respond.

### Intended users

* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)

### User experience goal

Users will be able to view a summary of all Cilium (and, in the future, other types of) alerts that have been generated within a project. The user will be able to dismiss alerts once they are no longer relevant.

### Proposal

Note: We will want the dashboard to be generic enough to include alerts from all security products. For now, we are starting with only displaying Cilium alerts.

Note: Additional actions (beyond just dismissing an alert) will be added at a later time and are out of scope for this iteration.

1. Users will be able to configure Cilium Network Policies to trigger an alert (separate from generating a log)
1. Users will be able to view a dashboard at the project level that displays a list of all Cilium alerts across all environments/clusters for the project
1. The date and time at which the alert occurred will be visible
1. The name of the alert will be visible and will correspond to the name of the policy that triggered the alert
1. The environment(s) in which the alert occurred will be visible
1. Users will be able to filter by environment and policy name
1. Users will be able to dismiss alerts
1. When users attempt to create a policy that generates an alert, if they do not have AgentK configured for their project, a warning will be displayed that redirects the user to the documentation for installing AgentK

### Experience

* Table displays: date and time of alert, name of alert, environment name (styling consistent with [operations > alerts](https://gitlab.com/gitlab-org/monitor/tanuki-inc/-/alert_management))
* Ability to sort the date and time column
* Defaults to show all alerts, with the ability to multi-select filter data by: 1) environment and 2) policy name
* Interaction: on `<tr>` hover, display the `dismiss` action. If clicked: apply 50% opacity to the row content and change the action to `Undo dismiss`. The alert won't show on the next visit, unless the user opts to display dismissed...
* Default to `hide dismissed alerts`; if the user unchecks this, the dismissed alerts are displayed

![2a](/uploads/750846b5006a4818015e9d2f888d89de/2a.png)

:film_projector: [prototype walkthrough](https://youtu.be/HuZgaMKdJF0)

:file_folder: design file/[prototype](https://www.figma.com/proto/PLflliDoD2mso7ceH7WGW3/network_policies?node-id=160%3A0&scaling=min-zoom)

### Further details

For many customers, keeping a production environment up and running is the top priority. For that reason, they are often hesitant to block suspicious activity or network traffic. At the same time, while it is common to have a large volume of activity logged in case there is a need for deeper review, users have a limited number of hours in their day to review logged activity. Consequently, there is a need for a 'middle ground' between blocking and logging. Alerts fill that gap by identifying activities that are cause for a significant level of concern, yet are not clearly malicious enough to warrant an automatic block action. For these types of alerts, users often need to drill in deeper to get the details and context of the event before determining the appropriate course of action.

### Permissions and Security

Users must be either a Maintainer or Owner on the project to use the alert dashboard.

### Documentation

To be added

### Availability & Testing

To be added

### What does success look like, and how can we measure that?

### What is the type of buyer?

~"GitLab Ultimate"

### Is this a cross-stage feature?

### Links / references

1. [Hubble](https://cilium.io/blog/2019/11/19/announcing-hubble/), [Hubble concepts](https://github.com/cilium/hubble/blob/master/Documentation/concepts.md)
1. [Follow-up epic](https://gitlab.com/groups/gitlab-org/-/epics/5041)
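The Proposal and Experience sections above specify the dashboard's behaviour (alert rows carrying time, policy name and environment; multi-select filtering; dismiss/undo with `hide dismissed alerts` on by default; Maintainer/Owner access). The following is an added, stand-alone Python model of that triage logic, written for this page and not GitLab's own code; the `Alert` fields, the `AlertDashboard` class and the constructed sample alerts are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Alert:
    id: int
    occurred_at: datetime  # when the Cilium policy fired (UTC)
    policy_name: str       # alert name == name of the triggering policy
    environment: str       # environment/cluster the alert came from

# Constructed sample data, not real alerts.
SAMPLE_ALERTS = [
    Alert(1, datetime(2021, 1, 5, 9, 0, tzinfo=timezone.utc), "deny-egress-db", "production"),
    Alert(2, datetime(2021, 1, 5, 9, 30, tzinfo=timezone.utc), "deny-ingress-admin", "staging"),
    Alert(3, datetime(2021, 1, 5, 10, 15, tzinfo=timezone.utc), "deny-egress-db", "staging"),
    Alert(4, datetime(2021, 1, 5, 11, 0, tzinfo=timezone.utc), "deny-ingress-admin", "production"),
]

# Only Maintainers and Owners may use the dashboard (Permissions section).
DASHBOARD_ROLES = {"maintainer", "owner"}

def can_use_dashboard(role: str) -> bool:
    return role.lower() in DASHBOARD_ROLES

class AlertDashboard:
    """Project-level view: filter, sort and dismiss alerts without deleting them."""

    def __init__(self, alerts):
        self._alerts = {a.id: a for a in alerts}
        self._dismissed = set()  # dismissal is a view state, alerts stay stored

    def dismiss(self, alert_id: int) -> None:
        if alert_id not in self._alerts:
            raise KeyError(f"unknown alert {alert_id}")
        self._dismissed.add(alert_id)

    def undo_dismiss(self, alert_id: int) -> None:
        self._dismissed.discard(alert_id)

    def is_dismissed(self, alert_id: int) -> bool:
        return alert_id in self._dismissed

    def view(self, environments=None, policy_names=None, hide_dismissed=True, newest_first=True):
        """Empty/None filters mean 'all' (the default shows every alert)."""
        rows = [a for a in self._alerts.values()
                if not (hide_dismissed and a.id in self._dismissed)
                and (not environments or a.environment in environments)
                and (not policy_names or a.policy_name in policy_names)]
        rows.sort(key=lambda a: a.occurred_at, reverse=newest_first)
        return rows
```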