[Security Solution] Add host.os.name.caseless mapping and runtime field #111455
Conversation
@elasticmachine merge upstream

Review comment on:

    maxVersion: 45,
    mapping: {
      runtime: {
        'host.os.name.caseless': {
Do we wanna move this out into its own json file or const just so we can add future fields without mixing all the data and logic together?
We shouldn't be adding any future fields within this object, any future migrations would be separate objects at the top level of this array. And right now the field aliases are built dynamically from another JSON file, so we'd have to rework that logic to create the aliases at build time. It could be nice, but right now it's covered with a unit test against a snapshot.
Review comment on:

    {
      minVersion: 0,
      // Version 45 shipped with 7.14
      maxVersion: 45,
Is there a central point we can pull this number from so we don't have to change it piecewise every update?
This number should never change, as any future indices won't need this migration. The next migration will be a separate object and may have a different maxVersion, but we'll leave this migration the same.
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Seems to work against master and fixes the closing logic for alerts that don't have a host.os.type field 👍
As this PR is fixing a possible blocker issue, I did a bit of exploratory testing on it. I would deeply appreciate it if you can check my results since I'm not familiar with Endpoint alerts/exceptions so I'm not sure if the results are the expected ones or not:
Thanks for testing it @MadameSheema! Those results are what I would expect.
…ld (elastic#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…ld (#111455) (#111872) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
…ime field (#111455) (#112050) * [Security Solution] Add host.os.name.caseless mapping and runtime field (#111455) * Add host.os.name.caseless field and runtime field * Tests * Only add backwards compatibility mappings to old indices by version * Always update aliases_version field even if there are no compat mappings * Add test for newest index version * More comments Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> * Skip failing test Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
Closes #110130
Elastic Endpoint only recently started populating `host.os.type`, and instead was populating `host.os.name`. The logs-endpoint indices had `host.os.name.caseless` as a multifield on `host.os.name` with a lowercase normalizer. Endpoint exceptions were recently fixed to add a filter based on the os_type (`linux`|`macos`|`windows`), and that filter checks both `host.os.type` and `host.os.name.caseless` for the os_type to ensure it works against old Endpoint alerts that don't populate `host.os.type` and new alerts that do.

However, `host.os.name.caseless` was not mapped in the signals indices so the `Close all alerts matching this exception` checkbox will not close signals based on Endpoint alerts that don't populate `host.os.type`. These signals could be existing signals from before 7.15, or they could be signals based on new alerts coming in from endpoints that haven't been upgraded to 7.15 yet. This PR fixes the issue for existing signals by creating a runtime field `host.os.name.caseless` that normalizes the `host.os.name` field, and also adding the `host.os.name.caseless` normalized multi-field to the signals index mapping so newly created signals will have it as well.

Since runtime fields are slower than regular fields we also want to avoid adding them unnecessarily. This PR builds the appropriate mappings for each index version to make them backwards compatible. The runtime fields will only be added for indices whose `version` is <= 45 (released in 7.14), since the next release will contain `host.os.name.caseless` as an indexed multifield for newly written signals.

There are 2 version fields on each .siem-signals index, which can be somewhat confusing. `version` is defined when the index is created and should never change. This tells us what the original mapping was on the index so we can apply the appropriate migrations/backwards compatibility mappings. This also tells us when we need to rollover and create a new index because the "regular" field mappings have changed.

`aliases_version` is also defined when the index is created but can change over time. This field represents whether or not an index has the latest set of aliases and runtime fields used for backwards compatibility. When we apply aliases and runtime fields to an index, this version number is updated to reflect the latest version in the source code. Even if there are no aliases or runtime fields defined for a particular `version` (the static `version` above), we still update `aliases_version` on all existing indices to mark that they have been checked and brought up to date.
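The per-version selection described above, as an added example that is not Kibana's own code: a migration list keyed by index `version` window, a builder that applies only the matching runtime fields, and an `aliases_version` stamp that is always written. The Painless script body, the `_meta` layout and the `ALIASES_VERSION` value are assumptions; the field names and the 45/7.14 boundary come from the PR.

```typescript
// Added example (not Kibana's code): models the per-index-version backwards
// compatibility logic described in the PR. Field names come from the PR; the
// Painless script body, _meta layout and version constant are assumptions.
interface RuntimeField { type: string; script: { source: string } }
interface CompatMigration {
  minVersion: number;
  maxVersion: number;
  mapping: { runtime: Record<string, RuntimeField> };
}
interface CompatMappingUpdate {
  _meta: { aliases_version: number };
  runtime?: Record<string, RuntimeField>;
}

// Latest aliases_version known to the source code (constructed value).
const ALIASES_VERSION = 1;

// Each migration is its own top-level object; a future one is appended here
// with its own version window rather than edited into this one.
const backwardsCompatMigrations: CompatMigration[] = [
  {
    minVersion: 0,
    // Version 45 shipped with 7.14; later indices map host.os.name.caseless as
    // an indexed multi-field, so the slower runtime field is not needed there.
    maxVersion: 45,
    mapping: {
      runtime: {
        'host.os.name.caseless': {
          type: 'keyword',
          // Assumed Painless body: emit lowercased host.os.name when present.
          script: { source: "if (doc['host.os.name'].size() > 0) { emit(doc['host.os.name'].value.toLowerCase()); }" },
        },
      },
    },
  },
];

// Build the mapping update for an index whose static `version` is indexVersion.
function buildCompatMapping(indexVersion: number): CompatMappingUpdate {
  const runtime: Record<string, RuntimeField> = {};
  for (const m of backwardsCompatMigrations) {
    if (indexVersion >= m.minVersion && indexVersion <= m.maxVersion) {
      Object.assign(runtime, m.mapping.runtime);
    }
  }
  // aliases_version is written for every index, even when no runtime fields
  // apply, so the index is marked as checked and brought up to date.
  const update: CompatMappingUpdate = { _meta: { aliases_version: ALIASES_VERSION } };
  if (Object.keys(runtime).length > 0) update.runtime = runtime;
  return update;
}
```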