
[Security Solution][RAC] Flatten alert fields / Require Owner and Space ID fields #107581

Merged
merged 18 commits into from
Aug 5, 2021

Conversation

madirey
Contributor

@madirey madirey commented Aug 3, 2021

Summary

This PR flattens the kibana.alert.rule.* fields in the alerts generated from buildAlert. This is for compatibility with the Fields API and general consistency across the RAC implementation.

Additionally, tests have been added for buildAlert and a function getF is introduced to allow us to more easily test alert values across the different implementations while the feature flag is in place for rule_registry.

Finally, we add the kibana.alert.owner and kibana.space_ids fields to the alerts generated from the detection engine.

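As an added example (not code from this PR or from Kibana), the TypeScript below shows the three things the summary describes in stand-alone form: flattening a nested alert into dotted keys such as kibana.alert.rule.id, a lookup helper in the spirit of the getF test helper that reads a field from either the nested or the flattened shape, and a check that the kibana.alert.owner and kibana.space_ids fields are present. The type names (Json, SimpleHit, WrappedSignalHit, WrappedRACAlert), the helper names (flattenFields, getField, missingRbacFields) and the sample document are this example's own assumptions; the field names come from the PR.

```typescript
// Added example, not Kibana's code. Type and helper names are this example's own.
export type Json = { [key: string]: unknown };

// Field names from the PR summary; the constant names are an assumption.
export const ALERT_OWNER = 'kibana.alert.owner';
export const SPACE_IDS = 'kibana.space_ids';
export const SERVER_APP_ID = 'siem';

// Flatten nested objects into dotted keys ("kibana.alert.rule.id"). Arrays are
// kept as values, so a list such as ancestors is not split into index keys.
export function flattenFields(obj: Json, prefix = ''): Json {
  const out: Json = {};
  for (const key of Object.keys(obj)) {
    const value = obj[key];
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      Object.assign(out, flattenFields(value as Json, path));
    } else {
      out[path] = value;
    }
  }
  return out;
}

// Read a dotted field from a document that may be flattened or still nested,
// so a test can assert on alert values whichever builder produced them.
export function getField(doc: Json, path: string): unknown {
  if (Object.prototype.hasOwnProperty.call(doc, path)) return doc[path];
  let cur: unknown = doc;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Json)[part];
  }
  return cur;
}

// Names of the RBAC fields that are missing or empty on an alert document.
export function missingRbacFields(alert: Json): string[] {
  const missing: string[] = [];
  const owner = getField(alert, ALERT_OWNER);
  if (typeof owner !== 'string' || owner.length === 0) missing.push(ALERT_OWNER);
  const spaces = getField(alert, SPACE_IDS);
  if (!Array.isArray(spaces) || spaces.length === 0) missing.push(SPACE_IDS);
  return missing;
}

// Hit shapes assumed for this example; Kibana's real types differ.
export interface WrappedSignalHit { _source?: Json & { signal?: unknown } }
export interface WrappedRACAlert { _source?: Json }
export type SimpleHit = WrappedSignalHit | WrappedRACAlert | { _source?: undefined };

// Guards written with optional chaining: a hit without _source yields false
// rather than a TypeError, so callers can rely on the boolean result.
export function isWrappedSignalHit(event: SimpleHit): event is WrappedSignalHit {
  return (event as WrappedSignalHit)?._source?.signal != null;
}
export function isWrappedRACAlert(event: SimpleHit): event is WrappedRACAlert {
  return (event as WrappedRACAlert)?._source?.['kibana.rac.alert.id'] != null;
}

// Constructed sample: a nested alert as a builder might emit before flattening.
export const nestedAlert: Json = {
  '@timestamp': '2021-08-04T13:29:00.000Z',
  kibana: {
    alert: {
      owner: SERVER_APP_ID,
      ancestors: [{ id: 'doc-1', depth: 0 }],
      rule: { id: 'rule-1', name: 'Example rule', severity: 'low' },
    },
    space_ids: ['default'],
  },
};
export const flatAlert = flattenFields(nestedAlert);
```

flattenFields(nestedAlert) yields keys like 'kibana.alert.rule.name' and keeps 'kibana.alert.ancestors' as the original array; missingRbacFields returns an empty list for that document and both field names for a document that lacks them.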

@madirey madirey requested a review from a team as a code owner August 3, 2021 19:29
@madirey madirey added v7.15.0 Feature:RAC label obsolete release_note:skip Skip the PR/issue when compiling release notes labels Aug 3, 2021
@madirey madirey requested review from marshallmain and ecezalp August 4, 2021 13:29
@madirey madirey added the Team:Detections and Resp Security Detection Response Team label Aug 4, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@madirey madirey enabled auto-merge (squash) August 4, 2021 13:29
@madirey madirey requested a review from dhurley14 August 4, 2021 14:27
Contributor

@ecezalp ecezalp left a comment


LGTM

export const removeClashes = (doc: SimpleHit) => {
if (isWrappedSignalHit(doc)) {
invariant(doc._source, '_source field not found');
const { signal, ...noSignal } = doc._source;
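Review bot: on the last line `signal` is destructured only to be discarded, so a `no-unused-vars` rule without `ignoreRestSiblings` will flag it; renaming the binding (`signal: _signal`) or a targeted disable keeps the intent visible. Separately, the `invariant(doc._source, '_source field not found')` check on the previous line can only fire if `isWrappedSignalHit` returns without touching `_source`, so its usefulness depends on that guard being null-safe.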
Contributor


Should we call noSignal `source`, as that's where it seems to be going?

@botelastic botelastic bot added the Team:APM All issues that need APM UI Team support label Aug 4, 2021
@elasticmachine
Contributor

Pinging @elastic/apm-ui (Team:apm)

@madirey madirey requested a review from a team as a code owner August 4, 2021 16:26
Contributor

@dhurley14 dhurley14 left a comment


LGTM! Thanks for the additional changes to ensure we are creating alerts with all the required fields for RBAC.

'kibana.alert.ancestors': ancestors as object[],
return ({
'@timestamp': new Date().toISOString(),
[ALERT_OWNER]: 'siem',
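Review bot: `[ALERT_OWNER]: 'siem'` repeats the app id as a string literal in the one field RBAC keys on, so a typo here would make every alert invisible to the intended owner without any type error; import the exported `SERVER_APP_ID` constant instead so the owner cannot drift from the registered app id. The `ancestors as object[]` assertion on the first line also silences the checker rather than proving the shape; if `ancestors` already has a concrete element type, declare the field with that type and drop the cast.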
Contributor


This could be replaced with the const defined here

export const SERVER_APP_ID = 'siem';

@madirey madirey changed the title [Security Solution][RAC] Flatten alert fields [Security Solution][RAC] Flatten alert fields / Require Owner and Space ID fields Aug 4, 2021
@madirey
Contributor Author

madirey commented Aug 4, 2021

@elasticmachine merge upstream

};

export const isWrappedSignalHit = (event: SimpleHit): event is WrappedSignalHit => {
return (event as WrappedSignalHit)._source.signal != null;
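Review bot: the guard dereferences `_source` unconditionally, so a hit whose `_source` is absent makes `isWrappedSignalHit` throw a TypeError instead of returning false, and because `removeClashes` calls this guard before its own `invariant(doc._source, ...)`, that invariant can never be what reports the missing field. The suggested `(event as WrappedSignalHit)?._source?.signal != null` fixes this; the `_source?.` part is the one that matters, the leading `?.` on `event` only helps if `SimpleHit` can itself be nullish.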
Contributor


Suggested change
return (event as WrappedSignalHit)._source.signal != null;
return (event as WrappedSignalHit)?._source?.signal != null;

};

export const isWrappedRACAlert = (event: SimpleHit): event is WrappedRACAlert => {
return (event as WrappedRACAlert)._source['kibana.rac.alert.id'] != null;
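Review bot: `'kibana.rac.alert.id'` is an inline string literal here while the alert builder uses the `ALERT_OWNER` constant for its key; if the id field is ever renamed this guard will silently return false for every RAC alert, so reference the exported constant for the field name. The same `_source?.` optional chaining suggested for `isWrappedSignalHit` applies on this line, for the same reason.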
Contributor


Suggested change
return (event as WrappedRACAlert)._source['kibana.rac.alert.id'] != null;
return (event as WrappedRACAlert)?._source?.['kibana.rac.alert.id'] != null;

@peluja1012 peluja1012 requested a review from smith August 5, 2021 02:19
@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
apm 4.3MB 4.3MB +24.0B
observability 507.8KB 508.0KB +224.0B
securitySolution 6.4MB 6.4MB +200.0B
total +448.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
apm 44.4KB 44.6KB +200.0B
infra 149.2KB 149.4KB +200.0B
uptime 34.7KB 34.9KB +200.0B
total +600.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@madirey madirey merged commit d34cd91 into elastic:master Aug 5, 2021
madirey added a commit to madirey/kibana that referenced this pull request Aug 6, 2021
* incremental changes

* No more type errors

* Type guards

* Begin adding tests

* Flatten

* Reduce scope of branch

* Remove extraneous argument to filter_duplicate_signals
madirey added a commit that referenced this pull request Aug 6, 2021 (same commit message as above)
streamich pushed a commit to vadimkibana/kibana that referenced this pull request Aug 8, 2021 (same commit message as above)
Labels
Feature:RAC label obsolete release_note:skip Skip the PR/issue when compiling release notes Team:APM All issues that need APM UI Team support Team:Detections and Resp Security Detection Response Team v7.15.0
6 participants