
Conversation

@xcrzx
Contributor

@xcrzx xcrzx commented Oct 13, 2021

Related to: #106469

Summary

Implement getting statuses and metrics from the legacy rule status SOs via the new EventLogAdapter.

  • Write execution data to the legacy rule status SOs in EventLogAdapter in addition to writing execution events to the event log
  • Read execution data from the legacy status SOs in EventLogAdapter
  • With this implementation, we will have Rule Monitoring fully functional on the legacy SOs, but we'll also be writing execution events to event log under the hood
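The hybrid scheme the summary describes, as an added illustration rather than Kibana's own code: every execution status change is written twice (appended to an event log and used to overwrite the rule's legacy status document), while reads for Rule Monitoring still come from the legacy document only. The `HybridExecutionLogAdapter` class, the `LegacyStatusClient` and `EventLogWriter` interfaces standing in for the saved-objects client and the event log, the in-memory stores, the metric field names and the `sumDefined` guard (my guess at the kind of fix the reviewer's sum(undefined) note refers to) are all assumptions made for this example, not identifiers from the PR.

```typescript
// Added example, not Kibana code. All interfaces, names and stores below are
// assumptions made to illustrate the dual-write / read-from-legacy approach.

type RuleExecutionStatus = 'going to run' | 'succeeded' | 'failed';

// Assumed metric shape; any field may be absent for a given execution.
interface ExecutionMetrics {
  searchDurationMs?: number;
  indexingDurationMs?: number;
  gapDurationS?: number;
}

// Legacy per-rule status document: one mutable record holding the latest state.
interface LegacyRuleStatusSO {
  ruleId: string;
  status: RuleExecutionStatus;
  statusDate: string;
  lastFailureMessage?: string;
  metrics: ExecutionMetrics;
}

// Event-log record: immutable, one per status change.
interface ExecutionEvent {
  ruleId: string;
  timestamp: string;
  status: RuleExecutionStatus;
  message?: string;
  metrics: ExecutionMetrics;
}

// Assumed storage abstractions (stand-ins for a saved-objects client and an event log).
interface LegacyStatusClient {
  upsert(doc: LegacyRuleStatusSO): void;
  get(ruleId: string): LegacyRuleStatusSO | undefined;
}
interface EventLogWriter {
  logEvent(event: ExecutionEvent): void;
}

export class InMemoryLegacyStatusClient implements LegacyStatusClient {
  private readonly docs = new Map<string, LegacyRuleStatusSO>();
  upsert(doc: LegacyRuleStatusSO): void { this.docs.set(doc.ruleId, { ...doc }); }
  get(ruleId: string): LegacyRuleStatusSO | undefined { return this.docs.get(ruleId); }
}

export class InMemoryEventLog implements EventLogWriter {
  readonly events: ExecutionEvent[] = [];
  logEvent(event: ExecutionEvent): void { this.events.push({ ...event }); }
}

// Sum metrics while skipping undefined entries, so a missing metric never turns
// the total into NaN (0 + undefined === NaN in JavaScript).
export function sumDefined(values: Array<number | undefined>): number {
  return values.reduce<number>((acc, v) => (v === undefined ? acc : acc + v), 0);
}

export class HybridExecutionLogAdapter {
  constructor(
    private readonly legacy: LegacyStatusClient,
    private readonly eventLog: EventLogWriter,
    private readonly now: () => Date = () => new Date(),
  ) {}

  // Write path: append to the event log AND overwrite the legacy status SO.
  logStatusChange(
    ruleId: string,
    status: RuleExecutionStatus,
    message?: string,
    metrics: ExecutionMetrics = {},
  ): void {
    const timestamp = this.now().toISOString();
    this.eventLog.logEvent({ ruleId, timestamp, status, message, metrics });
    const previous = this.legacy.get(ruleId);
    this.legacy.upsert({
      ruleId,
      status,
      statusDate: timestamp,
      // Keep the last failure message visible until a newer failure replaces it.
      lastFailureMessage: status === 'failed' ? message : previous?.lastFailureMessage,
      metrics,
    });
  }

  // Read path: Rule Monitoring still reads the legacy SO, never the event log.
  getCurrentStatus(ruleId: string): LegacyRuleStatusSO | undefined {
    return this.legacy.get(ruleId);
  }

  getTotalDurationMs(ruleId: string): number {
    const metrics = this.legacy.get(ruleId)?.metrics ?? {};
    return sumDefined([metrics.searchDurationMs, metrics.indexingDurationMs]);
  }
}

// Constructed sample run: three executions of one rule, fixed clock for determinism.
export function runExample(): { eventCount: number; status?: RuleExecutionStatus; totalMs: number } {
  const legacy = new InMemoryLegacyStatusClient();
  const eventLog = new InMemoryEventLog();
  const adapter = new HybridExecutionLogAdapter(legacy, eventLog, () => new Date('2021-10-13T16:23:00Z'));
  adapter.logStatusChange('rule-1', 'going to run');
  adapter.logStatusChange('rule-1', 'failed', 'shard failure');
  adapter.logStatusChange('rule-1', 'succeeded', undefined, { searchDurationMs: 120 });
  return { eventCount: eventLog.events.length, status: adapter.getCurrentStatus('rule-1')?.status, totalMs: adapter.getTotalDurationMs('rule-1') };
}
```

The point of the split is that the event log becomes the system of record for history (three events for three executions) while the legacy SO stays the single source consumers already query; once readers migrate to the event log the legacy write in `logStatusChange` can be dropped without touching the read API.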

@xcrzx xcrzx added the labels v8.0.0, v7.16.0, release_note:skip, Feature:EventLog, Feature:Rule Monitoring, Team:Detections and Resp, Team: SecuritySolution, Team:Detection Rule Management, auto-backport on Oct 13, 2021
@xcrzx xcrzx self-assigned this Oct 13, 2021
@xcrzx xcrzx requested a review from a team as a code owner October 13, 2021 16:23
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

Contributor

@banderror banderror left a comment


LGTM 👍

Mostly nitpicking, but I left one suggestion for fixing the sum(undefined). I'd ideally fix it in this PR, but I could do it in a follow-up myself.

Approving so you could merge at will. Thank you!

Contributor


Nit: can be imported as src/core/server or kibana/server. I think kibana/server is stricter in terms of what can be imported for some reason.

Contributor Author


I usually don't write import statements manually. Instead, VS Code adds them automatically. In this case it thinks that '../../../../../../../../src/core/server' is the best place to import SavedObjectsClientContract from, so who am I to argue 🙂

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

  • 💚 Build #160580 succeeded 189a0852f85594ac5256c54f973249bf7cf940ad

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @xcrzx

@kibanamachine
Contributor

💚 Backport successful

Backport branch: 7.x

This backport PR will be merged automatically after passing CI.

@xcrzx xcrzx deleted the hybrid-exec-log branch October 14, 2021 08:20
kibanamachine added a commit that referenced this pull request Oct 14, 2021
…) (#114955)

Co-authored-by: Dmitry Shevchenko <dmshevch@gmail.com>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Oct 14, 2021
…mple/introduce-baseline-tests

* 'master' of github.com:elastic/kibana: (55 commits)
  [Fleet] Improve Functionality around Managed Package Policies (elastic#114526)
  cleanup (elastic#114902)
  remove stray semicolon (elastic#114969)
  [Security Solution] Edit host isolation exception IP UI (elastic#114279)
  [ML] APM Correlations: Round duration values to be used in range aggregations. (elastic#114833)
  [Index Management] Added `data-test-subj` values to the index context menu buttons (elastic#114900)
  [Stack monitoring] Fix logstash functional tests for react (elastic#114819)
  Implement hybrid approach to writing rule execution event logs (elastic#114852)
  [Detection Rules] Add 7.16 rules (elastic#114939)
  Fixing exceptions export format (elastic#114920)
  Clean up inaccurate comments (elastic#114935)
  chore(NA): fixes a typo on persist_bazel_cache.sh comment (elastic#114943)
  [ci] Fixes Bazel cache writes (elastic#114915)
  fix package.json: (elastic#114936)
  [Controls] Redux Toolkit and Embeddable Redux Wrapper (elastic#114371)
  [APM] Fixes incorrect index config names (elastic#114901) (elastic#114904)
  [Workplace Search] Fix button order and remove extra source name label (elastic#114899)
  [Actions] Fixed actions telemetry for multiple namespaces usage (elastic#114748)
  docs: fix config names (elastic#114903)
  Update kibana to EMS 7.16 (elastic#114865)
  ...