[Security Solution] Add host.os.name.caseless mapping and runtime field #111455
Conversation
|
@elasticmachine merge upstream |
| maxVersion: 45, | ||
| mapping: { | ||
| runtime: { | ||
| 'host.os.name.caseless': { |
There was a problem hiding this comment.
Do we wanna move this out into its own json file or const just so we can add future fields without mixing all the data and logic together?
There was a problem hiding this comment.
We shouldn't be adding any future fields within this object, any future migrations would be separate objects at the top level of this array. And right now the field aliases are built dynamically from another JSON file, so we'd have to rework that logic to create the aliases at build time. It could be nice, but right now it's covered with a unit test against a snapshot.
| { | ||
| minVersion: 0, | ||
| // Version 45 shipped with 7.14 | ||
| maxVersion: 45, |
There was a problem hiding this comment.
is there a central point we can pull this number from so we don't have to change it piecewise every update?
There was a problem hiding this comment.
This number should never change, as any future indices won't need this migration. The next migration will be a separate object and may have a different maxVersion, but we'll leave this migration the same.
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
marshallmain
added
auto-backport
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
As this PR is fixing a possible blocker issue, I did a bit of exploratory testing on it. I would deeply appreciate it if you can check my results since I'm not familiar with Endpoint alerts/exceptions so I'm not sure if the results are the expected ones or not:
Result:
Result:
Result:
|
|
Thanks for testing it @MadameSheema! Those results are what I would expect. |
…ld (elastic#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <[email protected]>
…ld (elastic#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <[email protected]>
…-link-to-kibana-app * 'master' of github.com:elastic/kibana: (120 commits) [TSVB] Support custom field format (elastic#101245) [VisEditors] Add code ownership to the functional tests (elastic#111680) [Lens] Make Lens saved object share-capable (elastic#111403) [Graph] Make Graph saved object share-capable (elastic#111404) [Stack Monitoring] Add breadcrumb support (elastic#111850) Update Jira Cloud to use OAuth2.0 (elastic#111493) Show warning message when attempting to create an APM alert in stack management (elastic#111781) Skip suite blocking ES snapshot promotion (elastic#111907) Respect `auth_provider_hint` if session is not authenticated. (elastic#111521) Added in 'Responses' field in alert telemetry & updated test (elastic#111892) [Usage collection] refactor cloud detector collector (elastic#110439) Make classnames a shared dep (elastic#111636) Fix link to e2e tests in APM testing.md (elastic#111869) [Security Solution] Add host.os.name.caseless mapping and runtime field (elastic#111455) [APM] Removes the beta label from APM tutorial (elastic#111499) (elastic#111828) [RAC] [Observability] Expand Observability alerts page functional tests (elastic#111297) Fix extra white space on the alert table whe page size is 50 or 100 (elastic#111568) [Metrics UI] Add Inventory Timeline open/close state to context and URL state (elastic#111034) [Graph] Switch to SavedObjectClient.resolve (elastic#109617) [APM] Adding lambda icon (elastic#111834) ... # Conflicts: # x-pack/plugins/reporting/public/management/__snapshots__/report_listing.test.tsx.snap
…ld (#111455) (#111872) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Marshall Main <[email protected]>
…ld (elastic#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <[email protected]>
…ime field (#111455) (#112050) * [Security Solution] Add host.os.name.caseless mapping and runtime field (#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <[email protected]> * Skip failing test Co-authored-by: Kibana Machine <[email protected]>
Summary
Closes #110130
Elastic Endpoint only recently started populating
host.os.type, and instead was populatinghost.os.name. The logs-endpoint indices hadhost.os.name.caselessas a multifield onhost.os.namewith a lowercase normalizer. Endpoint exceptions were recently fixed to add a filter based on the os_type (linux|macos|windows), and that filter checks bothhost.os.typeandhost.os.name.caselessfor the os_type to ensure it works against old Endpoint alerts that don't populatehost.os.typeand new alerts that do.However,
host.os.name.caselesswas not mapped in the signals indices so theClose all alerts matching this exceptioncheckbox will not close signals based on Endpoint alerts that don't populatehost.os.type. These signals could be existing signals from before 7.15, or they could be signals based on new alerts coming in from endpoints that haven't been upgraded to 7.15 yet. This PR fixes the issue for existing signals by creating a runtime fieldhost.os.name.caselessthat normalizes thehost.os.namefield, and also adding thehost.os.name.caselessnormalized multi-field to the signals index mapping so newly created signals will have it as well.Since runtime fields are slower than regular fields we also want to avoid adding them unnecessarily. This PR builds the appropriate mappings for each index version to make them backwards compatible. The runtime fields will only be added for indices whose
versionis <= 45 (released in 7.14), since the next release will containhost.os.name.caselessas an indexed multifield for newly written signals.There are 2 version fields on each .siem-signals index, which can be somewhat confusing.
versionis defined when the index is created and should never change. This tells us what the original mapping was on the index so we can apply the appropriate migrations/backwards compatibility mappings. This also tells us when we need to rollover and create a new index because the "regular" field mappings have changed.aliases_versionis also defined when the index is created but can change over time. This field represents whether or not an index has the latest set of aliases and runtime fields used for backwards compatibility. When we apply aliases and runtime fields to an index, this version number is updated to reflect the latest version in the source code. Even if there are no aliases or runtime fields defined for a particularversion(the staticversionabove), we still updatealiases_versionon all existing indices to mark that they have been checked and brought up to date.