[Security Solution] Pass rule execution statuses and metrics to Alerting Framework #130966
Comments
banderror
added
Team:Detections and Resp
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pushing the implementation of adding alerts created/detected metrics till we have an API for returning execution metrics at the end of rule execution. Please see this previous PR as an example for adding these metrics: #126210 |
banderror
changed the title
|
@peluja1012 @jethr0null and CC @banderror As part of the effort to get rid of the sidecar saved object and move the rule’s execution results to the rule object itself, we had to slightly alter the way in which the execution results are stored. Before, during rule execution we wrote multiple times to the saved object: for example, once when the rule started running, another time for any warnings that would be reported and finally once more for final errors when execution ended. This allowed us to log intermediate execution statuses which we would temporarily show in the Rules table and the Rule Details page - until the rule would write its final execution status. Examples of such intermediate statuses are:
Now, all status updates are stored in memory during execution and once execution is over we write the results to the rule objects only once. Which means we can't show the intermediate statuses in the UI. To be super-clear, in most cases the warnings mentioned above will be final execution statuses. The only way they could be intermediate is when some error happens after them, which should happen less often. @jethr0null Could you help us understand if that represents a problem from the product perspective? Options we see:
Below is an example of what the hacky workaround (2.1) could look like. It shows the Rule Details page for a rule that executed and generated an intermediate warning, and then failed with an error (all during the same rule execution). In order to be able to display both the warning and the error message we had to concatenate them and then format them in the UI to display as separate warnings.
And below you can see an example of the same workaround but with the same warning and error being displayed in the tooltip for Last Response column for the Rules table:
Notice the Let us know which option you'd prefer or if you have any other ideas. |
I'm ok with option 1.1 given the above statement. To be honest, I thought we only wrote the final status in our current implementation. |
@peluja1012 No, that's still not the case. Our rule executors (mostly the "security wrapper" function) need to be adjusted to commit a status update only once at the end of the execution. Currently, they do it from multiple places in the code and sometimes it leads to logging intermediate statuses. Besides the example above, a "gap detected" failure can be an intermediate status in some conditions, so the status updates during a single execution may look like that: running -> failed (gap detected) -> warning (no timestamp field) -> failed (exception list not found) Instead of logging intermediate warnings and errors as status updates, we should log them as simple message events in the Event Log. |
…ead of saved object (#147035) **Addresses:** #130966 **Based on:** #135127 ## Summary This PR deprecates the Sidecar SO of type `siem-detection-engine-rule-execution-info` in favour of storing Rule Execution Logging data within the rule itself, making use of the work previously done in the Alerting Framework: - #140882 - #147278 Work done: - **Pass execution statuses and metrics from rule executors to the Framework:** through the use of `RuleMonitoringService` and `RuleResultService` from within the rule execution log client for executor. `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts` - **Fetch execution statuses and metrics from rules themselves instead of the sidecar `siem-detection-engine-rule-execution-info` saved objects**: through the use of the new function `createRuleExecutionSummary` in `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts`, which extracts last execution information from the rule itself. - **Remove the siem-detection-engine-rule-execution-info saved objects type from the codebase. Mark it as deleted in Kibana Core:** added `siem-detection-engine-rule-execution-info` to `packages/core/saved-objects/core-saved-objects-migration-server-internal/src/core/unused_types.ts`; and got rid of the related Saved Object client. - **Make sure to keep backward compatibility in the Detection API endpoints and rule execution events we write into the Event Log**: API compatibility is maintained. No breaking changes. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
|
Addressed in #147035 |
…ead of saved object (elastic#147035) **Addresses:** elastic#130966 **Based on:** elastic#135127 ## Summary This PR deprecates the Sidecar SO of type `siem-detection-engine-rule-execution-info` in favour of storing Rule Execution Logging data within the rule itself, making use of the work previously done in the Alerting Framework: - elastic#140882 - elastic#147278 Work done: - **Pass execution statuses and metrics from rule executors to the Framework:** through the use of `RuleMonitoringService` and `RuleResultService` from within the rule execution log client for executor. `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts` - **Fetch execution statuses and metrics from rules themselves instead of the sidecar `siem-detection-engine-rule-execution-info` saved objects**: through the use of the new function `createRuleExecutionSummary` in `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts`, which extracts last execution information from the rule itself. - **Remove the siem-detection-engine-rule-execution-info saved objects type from the codebase. Mark it as deleted in Kibana Core:** added `siem-detection-engine-rule-execution-info` to `packages/core/saved-objects/core-saved-objects-migration-server-internal/src/core/unused_types.ts`; and got rid of the related Saved Object client. - **Make sure to keep backward compatibility in the Detection API endpoints and rule execution events we write into the Event Log**: API compatibility is maintained. No breaking changes. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Depends on: #135127, #112193
Summary
We're consolidating rule execution statuses and metrics between Security Solution and Alerting Framework (see #112193 and internal RFC). When this is done and we have an API for passing statuses and metrics from our rule executors to the Framework, we will integrate with it and stop using our sidecar saved objects for storing this data.
siem-detection-engine-rule-execution-infosaved objects.siem-detection-engine-rule-execution-infosaved objects type from the codebase. Mark it as deleted in Kibana Core.The text was updated successfully, but these errors were encountered: