[Security Solution][Detections] Reduce detection engine reliance on _source #89371
Conversation
marshallmain
added
Feature:Detection Rules
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
marshallmain
added
release_note:enhancement
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
jenkins test this |
|
@elasticmachine merge upstream |
| if (eventItem == null) { | ||
| return true; | ||
| } else if (tuple.operator === 'included') { | ||
| const eventItem = item.fields ? item.fields[tuple.field] : undefined; |
There was a problem hiding this comment.
Super nit: wonder if we're gonna be doing this a lot if it's worth just creating a tiny util to extract x field from fields.
There was a problem hiding this comment.
Yeah if it becomes a common pattern I'd support pulling it out into a function
| // only create a signal if the event is not in the value list | ||
| return !tuple.matchedSet.has(JSON.stringify(eventItem)); | ||
| } else if (tuple.operator === 'excluded') { | ||
| if (eventItem == null) { | ||
| return false; | ||
| } | ||
| // only create a signal if the event is in the value list | ||
| return tuple.matchedSet.has(JSON.stringify(eventItem)); | ||
| } else { |
There was a problem hiding this comment.
Since there's only two operators, not sure this else path ever hits.
There was a problem hiding this comment.
It shouldn't be hit, but since the operator is a string it's possible for it to get into an invalid state so it's good to handle that possibility. Looking at it again we'd probably want to return true in that case so an invalid exception operator doesn't allowlist everything, but I think that's an issue for a separate PR.
There was a problem hiding this comment.
👍 Wonder if we'd want to log there too. Worry about just letting through invalid states.
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…source (#89371) (#90287) * First pass at switching rules to depend on fields instead of _source * Fix tests * Change operator: excluded logic so missing fields are allowlisted Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* master: (244 commits) [maps] Top hits per entity--change to title to use recent, minor edits (elastic#89254) [DOCS] Update installation details (elastic#90354) RFC for automatically generated typescript API documentation for every plugins public services, types, and functionality (elastic#86704) Elastic Maps Server config is `host` not `hostname` (elastic#90234) Use doc link services in index pattern management (elastic#89937) [Fleet] Managed Agent Policy (elastic#88688) [Workplace Search] Fix Source Settings bug (elastic#90242) [Enterprise Search] Refactor MockRouter test helper to not store payload (elastic#90206) Use doc link service in more Stack Monitoring pages (elastic#89050) [App Search] Relevance Tuning logic - actions and selectors only, no listeners (elastic#89313) Remove UI filters from UI (elastic#89793) Use newfeed.service config for all newsfeeds (elastic#90252) skip flaky suite (elastic#85086) Add readme to geo containment alert covering test alert setup (elastic#89625) [APM] Enabling yesterday option when 24 hours is selected (elastic#90017) Test user for maps tests under import geoJSON tests (elastic#86015) [Lens] Hide column in table (elastic#88680) [Security Solution][Detections] Reduce detection engine reliance on _source (elastic#89371) [Discover] Minor cleanup (elastic#90260) [Search Session][Management] Rename "cancel" button and delete "Reload" button (elastic#90015) ...
Summary
Changes by rule type:
fieldsinstead of_source, so if the timestamp override is a runtime field then@timestampwill be correctly populatedthreshold_result.valuenow uses the bucketkeyrather than extracting the value from_source- so if the key is a runtime field it will be correctly populated. This also fixes a bug where if the field being aggregated on was an array of values thenthreshold_result.valuewould contain the full array rather than the single value from the array that was actually being used as the keyRemaining dependencies on
_source.siem-signals_source-fieldsflattens arrays of objects which makes it impossible to reconstruct the original array of objects_sourceandfieldsdoes not work for arrays of objects because not all objects in the array have the same set of fields. For example,would flatten to
If field2 is overwritten by a runtime field, then we don't have enough information to merge the field2 from
fieldswith the array of objects from_source.It's also possible to have runtime fields that can't be represented by a JSON structure at all.
This situation is possible to create with
field1coming from the_sourceof a document andfield1.sub_fielddefined as a runtime field, however, these fields and values can't be represented as a single object.fieldsthat don't conflict with existing fields in_sourcefieldsand store those in their own section of the alert documentfieldsresponse and then merge the runtime fields that do NOT conflict into_sourceChecklist
Delete any items that are not applicable to this PR.
For maintainers