-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detections] Reduce detection engine reliance on _source #89371
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
jenkins test this |
@elasticmachine merge upstream |
if (eventItem == null) { | ||
return true; | ||
} else if (tuple.operator === 'included') { | ||
const eventItem = item.fields ? item.fields[tuple.field] : undefined; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super nit: wonder if we're gonna be doing this a lot if it's worth just creating a tiny util to extract x
field from fields
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah if it becomes a common pattern I'd support pulling it out into a function
// only create a signal if the event is not in the value list | ||
return !tuple.matchedSet.has(JSON.stringify(eventItem)); | ||
} else if (tuple.operator === 'excluded') { | ||
if (eventItem == null) { | ||
return false; | ||
} | ||
// only create a signal if the event is in the value list | ||
return tuple.matchedSet.has(JSON.stringify(eventItem)); | ||
} else { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since there's only two operators, not sure this else path ever hits.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It shouldn't be hit, but since the operator is a string it's possible for it to get into an invalid state so it's good to handle that possibility. Looking at it again we'd probably want to return true
in that case so an invalid exception operator doesn't allowlist everything, but I think that's an issue for a separate PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Wonder if we'd want to log there too. Worry about just letting through invalid states.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - really interesting reading up on runtime fields! I pulled down and tested creating various rule types. Looks great, thanks!
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…source (#89371) (#90287) * First pass at switching rules to depend on fields instead of _source * Fix tests * Change operator: excluded logic so missing fields are allowlisted Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
* master: (244 commits) [maps] Top hits per entity--change to title to use recent, minor edits (elastic#89254) [DOCS] Update installation details (elastic#90354) RFC for automatically generated typescript API documentation for every plugins public services, types, and functionality (elastic#86704) Elastic Maps Server config is `host` not `hostname` (elastic#90234) Use doc link services in index pattern management (elastic#89937) [Fleet] Managed Agent Policy (elastic#88688) [Workplace Search] Fix Source Settings bug (elastic#90242) [Enterprise Search] Refactor MockRouter test helper to not store payload (elastic#90206) Use doc link service in more Stack Monitoring pages (elastic#89050) [App Search] Relevance Tuning logic - actions and selectors only, no listeners (elastic#89313) Remove UI filters from UI (elastic#89793) Use newfeed.service config for all newsfeeds (elastic#90252) skip flaky suite (elastic#85086) Add readme to geo containment alert covering test alert setup (elastic#89625) [APM] Enabling yesterday option when 24 hours is selected (elastic#90017) Test user for maps tests under import geoJSON tests (elastic#86015) [Lens] Hide column in table (elastic#88680) [Security Solution][Detections] Reduce detection engine reliance on _source (elastic#89371) [Discover] Minor cleanup (elastic#90260) [Search Session][Management] Rename "cancel" button and delete "Reload" button (elastic#90015) ...
Summary
Changes by rule type:
fields
instead of_source
, so if the timestamp override is a runtime field then@timestamp
will be correctly populatedthreshold_result.value
now uses the bucketkey
rather than extracting the value from_source
- so if the key is a runtime field it will be correctly populated. This also fixes a bug where if the field being aggregated on was an array of values thenthreshold_result.value
would contain the full array rather than the single value from the array that was actually being used as the keyRemaining dependencies on
_source
.siem-signals
_source
-fields
flattens arrays of objects which makes it impossible to reconstruct the original array of objects_source
andfields
does not work for arrays of objects because not all objects in the array have the same set of fields. For example,would flatten to
If field2 is overwritten by a runtime field, then we don't have enough information to merge the field2 from
fields
with the array of objects from_source
.It's also possible to have runtime fields that can't be represented by a JSON structure at all.
This situation is possible to create with
field1
coming from the_source
of a document andfield1.sub_field
defined as a runtime field, however, these fields and values can't be represented as a single object.fields
that don't conflict with existing fields in_source
fields
and store those in their own section of the alert documentfields
response and then merge the runtime fields that do NOT conflict into_source
Checklist
Delete any items that are not applicable to this PR.
For maintainers