[Security Solution] Write and read Rule Execution Logs from rule instead of saved object #147035
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jpdjere
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
931279d
to
c0407b1
Compare
jpdjere
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
fb7c12f
to
604ec4a
Compare
jpdjere
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
c09ed3e
to
1ca9b7f
Compare
jpdjere
force-pushed
the
expand-rule-monitoring-security-solution
branch
2 times, most recently
from
31a7159
to
9718858
Compare
jpdjere
commented
Dec 29, 2022
jpdjere
changed the title
jpdjere
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
7239852
to
2928e87
Compare
maximpn
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
8318023
to
95dc24d
Compare
maximpn
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
a38fcd4
to
9d60a59
Compare
maximpn
added
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
maximpn
added
backport:skip
maximpn
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
24c831c
to
01b52fe
Compare
banderror
approved these changes
Jan 27, 2023
There was a problem hiding this comment.
Awesome, thanks for the fixes @maximpn! 🚀
Just one nit here for your consideration: #147035 (comment)
maximpn
force-pushed
the
expand-rule-monitoring-security-solution
branch
from
53466b1
to
8f0a58c
Compare
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Saved Objects .kibana field count
Unknown metric groupsReferences to deprecated APIs
History
To update your PR or re-run it, just comment with: |
4 tasks
7 tasks
maximpn
added a commit
that referenced
this pull request
Feb 2, 2023
## Summary It fixes a problem of exporting `execution_summary` field while exporting detection rules which was introduce in #147035. Presence of that field make importing of just exported rule failing. Tests to cover this fix will come in a separate PR.
ogupte
pushed a commit
to ogupte/kibana
that referenced
this pull request
Feb 3, 2023
…150097) ## Summary It fixes a problem of exporting `execution_summary` field while exporting detection rules which was introduce in elastic#147035. Presence of that field make importing of just exported rule failing. Tests to cover this fix will come in a separate PR.
kqualters-elastic
pushed a commit
to kqualters-elastic/kibana
that referenced
this pull request
Feb 6, 2023
…ead of saved object (elastic#147035) **Addresses:** elastic#130966 **Based on:** elastic#135127 ## Summary This PR deprecates the Sidecar SO of type `siem-detection-engine-rule-execution-info` in favour of storing Rule Execution Logging data within the rule itself, making use of the work previously done in the Alerting Framework: - elastic#140882 - elastic#147278 Work done: - **Pass execution statuses and metrics from rule executors to the Framework:** through the use of `RuleMonitoringService` and `RuleResultService` from within the rule execution log client for executor. `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts` - **Fetch execution statuses and metrics from rules themselves instead of the sidecar `siem-detection-engine-rule-execution-info` saved objects**: through the use of the new function `createRuleExecutionSummary` in `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts`, which extracts last execution information from the rule itself. - **Remove the siem-detection-engine-rule-execution-info saved objects type from the codebase. Mark it as deleted in Kibana Core:** added `siem-detection-engine-rule-execution-info` to `packages/core/saved-objects/core-saved-objects-migration-server-internal/src/core/unused_types.ts`; and got rid of the related Saved Object client. - **Make sure to keep backward compatibility in the Detection API endpoints and rule execution events we write into the Event Log**: API compatibility is maintained. No breaking changes. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
darnautov
pushed a commit
to darnautov/kibana
that referenced
this pull request
Feb 7, 2023
…ead of saved object (elastic#147035) **Addresses:** elastic#130966 **Based on:** elastic#135127 ## Summary This PR deprecates the Sidecar SO of type `siem-detection-engine-rule-execution-info` in favour of storing Rule Execution Logging data within the rule itself, making use of the work previously done in the Alerting Framework: - elastic#140882 - elastic#147278 Work done: - **Pass execution statuses and metrics from rule executors to the Framework:** through the use of `RuleMonitoringService` and `RuleResultService` from within the rule execution log client for executor. `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.ts` - **Fetch execution statuses and metrics from rules themselves instead of the sidecar `siem-detection-engine-rule-execution-info` saved objects**: through the use of the new function `createRuleExecutionSummary` in `x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts`, which extracts last execution information from the rule itself. - **Remove the siem-detection-engine-rule-execution-info saved objects type from the codebase. Mark it as deleted in Kibana Core:** added `siem-detection-engine-rule-execution-info` to `packages/core/saved-objects/core-saved-objects-migration-server-internal/src/core/unused_types.ts`; and got rid of the related Saved Object client. - **Make sure to keep backward compatibility in the Detection API endpoints and rule execution events we write into the Event Log**: API compatibility is maintained. No breaking changes. ### Checklist - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
darnautov
pushed a commit
to darnautov/kibana
that referenced
this pull request
Feb 7, 2023
…150097) ## Summary It fixes a problem of exporting `execution_summary` field while exporting detection rules which was introduce in elastic#147035. Presence of that field make importing of just exported rule failing. Tests to cover this fix will come in a separate PR.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses: #130966
Based on: #135127
Summary
This PR deprecates the Sidecar SO of type
siem-detection-engine-rule-execution-infoin favour of storing Rule Execution Logging data within the rule itself, making use of the work previously done in the Alerting Framework:Work done:
RuleMonitoringServiceandRuleResultServicefrom within the rule execution log client for executor.x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/client_for_executors/client.tssiem-detection-engine-rule-execution-infosaved objects: through the use of the new functioncreateRuleExecutionSummaryinx-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts, which extracts last execution information from the rule itself.siem-detection-engine-rule-execution-infotopackages/core/saved-objects/core-saved-objects-migration-server-internal/src/core/unused_types.ts; and got rid of the related Saved Object client.Checklist